[910] in Zephyr_Bugs
sync of current interrealm code for server
daemon@ATHENA.MIT.EDU (Derrick J Brashear)
Tue Feb 17 16:10:11 1998
Date: Tue, 17 Feb 1998 16:09:56 -0500 (EST)
From: Derrick J Brashear <shadow@DEMENTIA.ORG>
Reply-To: Derrick J Brashear <shadow@DEMENTIA.ORG>
To: zephyr-bugs@MIT.EDU
---559023410-684387517-887749797=:14554
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
This *should* be what is needed to bring the current source up to what we're
using.
Let me know if anything is confusing, I'll be happy to explain why any of it
was needed, if I still remember
-D
---559023410-684387517-887749797=:14554
Content-Type: TEXT/plain; CHARSET=US-ASCII
Content-Description: realmpatch
*** server/bdump.c Wed Dec 4 13:23:50 1996
--- /usr/tmp/bdump.c Tue Feb 17 14:52:26 1998
***************
*** 703,710 ****
}
}
/* have they expired ? */
! if (ticket_time < NOW - tkt_lifetime(TKTLIFETIME) + 15L) {
! /* +15 for leeway */
#if 0
zdbug((LOG_DEBUG,"get new tickets: %d %d %d", ticket_time, NOW,
NOW - tkt_lifetime(TKTLIFETIME) + 15L));
--- 703,710 ----
}
}
/* have they expired ? */
! if (ticket_time < NOW - tkt_lifetime(TKTLIFETIME) + 5 * 60L) {
! /* +5min for leeway */
#if 0
zdbug((LOG_DEBUG,"get new tickets: %d %d %d", ticket_time, NOW,
NOW - tkt_lifetime(TKTLIFETIME) + 15L));
*** server/kstuff.c Wed Apr 3 17:59:19 1996
--- /afs/andrew/system/src/local/zephyr/047/zephyr-2.0.2/server//kstuff.c Mon Feb 16 17:11:51 1998
***************
*** 122,128 ****
{
int rem;
char p[32];
- char krb_realm[REALM_SZ];
int written;
int size_to_write;
--- 122,127 ----
***************
*** 196,201 ****
--- 195,210 ----
* ticket isn't cached after a checksum failure), so don't worry
* about the extra des_quad_cksum() call. */
if (checksum == notice->z_checksum) {
+ (void) memcpy((char *)__Zephyr_session, (char *)session_key,
+ sizeof(C_Block)); /* For control_dispatch() */
+ return ZAUTH_YES;
+ }
+
+ /* Try again. This way we can switch to the same checksums
+ * that the rest of Zephyr uses at a future date, but for now
+ * we need to be compatible */
+ checksum = compute_checksum(notice, session_key);
+ if (checksum == notice->z_checksum) {
memcpy(__Zephyr_session, session_key, sizeof(C_Block));
return ZAUTH_YES;
}
***************
*** 215,231 ****
/* Check the cryptographic checksum. */
#ifdef NOENCRYPTION
! our_checksum = 0;
#else
checksum = compute_rlm_checksum(notice, dat.session);
#endif
if (checksum != notice->z_checksum)
return ZAUTH_CKSUM_FAILED;
/* Record the session key, expiry time, and source principal in the
* hash table, so we can do a fast check next time. */
add_session_key(&ticket, dat.session, srcprincipal,
(time_t)(dat.time_sec + dat.life * 5 * 60));
return ZAUTH_YES;
--- 224,245 ----
/* Check the cryptographic checksum. */
#ifdef NOENCRYPTION
! checksum = 0;
#else
checksum = compute_rlm_checksum(notice, dat.session);
#endif
+ if (checksum != notice->z_checksum) {
+ #ifndef NOENCRYPTION
+ checksum = compute_checksum(notice, dat.session);
if (checksum != notice->z_checksum)
+ #endif
return ZAUTH_CKSUM_FAILED;
+ }
/* Record the session key, expiry time, and source principal in the
* hash table, so we can do a fast check next time. */
add_session_key(&ticket, dat.session, srcprincipal,
(time_t)(dat.time_sec + dat.life * 5 * 60));
return ZAUTH_YES;
***************
*** 301,307 ****
/* Check the cryptographic checksum. */
#ifdef NOENCRYPTION
! our_checksum = 0;
#else
checksum = compute_checksum(notice, dat.session);
#endif
--- 321,327 ----
/* Check the cryptographic checksum. */
#ifdef NOENCRYPTION
! checksum = 0;
#else
checksum = compute_checksum(notice, dat.session);
#endif
*** server/subscr.c Tue Sep 24 14:17:58 1996
--- /usr/tmp/subscr.c Tue Feb 17 15:36:30 1998
***************
*** 185,190 ****
--- 185,193 ----
if (realm) {
retval = subscr_realm_sendit(who, subs, notice, realm);
if (retval != ZERR_NONE) {
+ free_string(subs->dest.classname);
+ free_string(subs->dest.inst);
+ free_string(subs->dest.recip);
free(subs);
return(retval);
}
***************
*** 191,196 ****
--- 194,202 ----
}
retval = triplet_register(who, &subs->dest, realm);
if (retval != ZERR_NONE) {
+ free_string(subs->dest.classname);
+ free_string(subs->dest.inst);
+ free_string(subs->dest.recip);
free(subs);
if (retval == ZSRV_CLASSXISTS) {
continue;
***************
*** 1165,1170 ****
--- 1171,1179 ----
#endif
retval = triplet_register(client, &subs->dest, realm);
if (retval != ZERR_NONE) {
+ free_string(subs->dest.classname);
+ free_string(subs->dest.inst);
+ free_string(subs->dest.recip);
free(subs);
if (retval == ZSRV_CLASSXISTS) {
continue;
*** server/dispatch.c Fri Sep 5 15:52:04 1997
--- /usr/tmp//dispatch.c Tue Feb 17 15:48:04 1998
***************
*** 191,213 ****
input_sin.sin_addr.s_addr = new_notice.z_sender_addr.s_addr;
input_sin.sin_port = new_notice.z_port;
input_sin.sin_family = AF_INET;
! realm = realm_which_realm(&input_sin);
! if (realm) {
! authentic = ZCheckRealmAuthentication(&new_notice, &input_sin,
! realm->name);
} else {
authentic = ZCheckAuthentication(&new_notice, &input_sin);
}
from_server = 1;
} else {
! from_server = 0;
! realm = realm_which_realm(&whoisit);
! if (realm) {
! authentic = ZCheckRealmAuthentication(&new_notice, &whoisit,
! realm->name);
! } else {
! authentic = ZCheckAuthentication(&new_notice, &whoisit);
! }
}
if (whoisit.sin_port != hm_port && whoisit.sin_port != hm_srv_port &&
--- 191,225 ----
input_sin.sin_addr.s_addr = new_notice.z_sender_addr.s_addr;
input_sin.sin_port = new_notice.z_port;
input_sin.sin_family = AF_INET;
! /* Should check to see if packet is from another realm's server,
! or a client */
! /* Clients don't check auth of acks, nor do we make it so they
! can in general, so this is safe. */
! if (new_notice.z_kind == SERVACK || new_notice.z_kind == SERVNAK) {
! authentic = ZAUTH_YES;
} else {
+ if (realm = realm_which_realm(&input_sin)) {
+ authentic = ZCheckRealmAuthentication(&new_notice,
+ &input_sin,
+ realm->name);
+ } else
authentic = ZCheckAuthentication(&new_notice, &input_sin);
}
from_server = 1;
} else {
! from_server = 0;
! /* Clients don't check auth of acks, nor do we make it so they
! can in general, so this is safe. */
! if (new_notice.z_kind == SERVACK || new_notice.z_kind == SERVNAK) {
! authentic = ZAUTH_YES;
! } else {
! if (realm = realm_which_realm(&whoisit)) {
! authentic = ZCheckRealmAuthentication(&new_notice,
! &whoisit,
! realm->name);
! } else
! authentic = ZCheckAuthentication(&new_notice, &whoisit);
! }
}
if (whoisit.sin_port != hm_port && whoisit.sin_port != hm_srv_port &&
***************
*** 474,485 ****
if ((*clientp)->last_send == send_counter)
continue;
(*clientp)->last_send = send_counter;
! if ((*clientp)->realm && external)
realm_handoff(notice, auth, &clientp[0]->addr, clientp[0]->realm,
1);
! else
xmit(notice, &((*clientp)->addr), auth, *clientp);
! any = 1;
}
return any;
--- 486,500 ----
if ((*clientp)->last_send == send_counter)
continue;
(*clientp)->last_send = send_counter;
! if ((*clientp)->realm && external) {
realm_handoff(notice, auth, &clientp[0]->addr, clientp[0]->realm,
1);
! any = 1;
! }
! else if (!(*clientp)->realm) {
xmit(notice, &((*clientp)->addr), auth, *clientp);
! any = 1;
! }
}
return any;
***************
*** 621,626 ****
--- 636,748 ----
notice->z_authent_len = 0;
notice->z_ascii_authent = (char *)"";
retval = ZFormatSmallRawNotice(notice, noticepack, &packlen);
+
+
+ /* This code is needed because a Zephyr can "grow" when a remote
+ * realm name is inserted into the Zephyr before being resent out
+ * locally. It essentially matches the code in realm.c to do the
+ * same thing with authentic Zephyrs.
+ */
+ if (retval == ZERR_PKTLEN) {
+ ZNotice_t partnotice, newnotice;
+ char multi[64];
+ char *buffer, *ptr;
+ int buffer_len, hdrlen, offset, fragsize, ret_len, message_len;
+ int origoffset, origlen;
+
+ free(noticepack);
+
+ retval = ZSetDestAddr(dest);
+ if (retval != ZERR_NONE) {
+ syslog(LOG_WARNING, "xmit set addr: %s", error_message(retval));
+ return;
+ }
+
+ partnotice = *notice;
+
+ partnotice.z_auth = 0;
+ partnotice.z_authent_len = 0;
+ partnotice.z_ascii_authent = (char *)"";
+
+ origoffset = offset = fragsize = 0;
+ origlen = notice->z_message_len;
+
+ buffer = (char *) malloc(sizeof(ZPacket_t));
+ if (!buffer) {
+ syslog(LOG_ERR, "xmit unauth refrag malloc");
+ return; /* DON'T put on nack list */
+ }
+ buffer_len = sizeof(ZPacket_t);
+
+ retval = Z_FormatRawHeader(&partnotice, buffer, buffer_len,
+ &hdrlen, NULL, NULL);
+ if (retval != ZERR_NONE) {
+ syslog(LOG_ERR, "xmit unauth refrag fmt: failed");
+ free(buffer);
+ return;
+ }
+
+ if (notice->z_multinotice && strcmp(notice->z_multinotice, ""))
+ if (sscanf(notice->z_multinotice, "%d/%d", &origoffset, &origlen)
+ != 2)
+ {
+ syslog(LOG_WARNING, "xmit unauth refrag: parse failed");
+ free(buffer);
+ return;
+ }
+
+ fragsize = Z_MAXPKTLEN-hdrlen-Z_FRAGFUDGE;
+
+ while (offset < notice->z_message_len || !notice->z_message_len) {
+ (void) sprintf(multi, "%d/%d", offset+origoffset, origlen);
+ partnotice.z_multinotice = multi;
+ if (offset > 0) {
+ (void) gettimeofday(&partnotice.z_uid.tv, (struct timezone *)0);
+ partnotice.z_uid.tv.tv_sec = htonl((u_long)
+ partnotice.z_uid.tv.tv_sec);
+ partnotice.z_uid.tv.tv_usec = htonl((u_long)
+ partnotice.z_uid.tv.tv_usec);
+ if ((retval = Z_GetMyAddr()) != ZERR_NONE) {
+ syslog(LOG_WARNING, "xmit unauth refrag: %s",
+ error_message(retval));
+ free(buffer);
+ return;
+ }
+ (void) memcpy((char *)&partnotice.z_uid.zuid_addr, __My_addr,
+ __My_length);
+ }
+ partnotice.z_message = notice->z_message+offset;
+ message_len = min(notice->z_message_len-offset, fragsize);
+ partnotice.z_message_len = message_len;
+
+ retval = Z_FormatRawHeader(&partnotice, buffer, buffer_len,
+ &hdrlen, &ptr, NULL);
+ if (retval != ZERR_NONE) {
+ syslog(LOG_WARNING, "xmit unauth refrag raw: %s",
+ error_message(retval));
+ free(buffer);
+ return;
+ }
+
+ ptr = buffer+hdrlen;
+
+ (void) memcpy(ptr, partnotice.z_message, partnotice.z_message_len);
+
+ buffer_len = hdrlen+partnotice.z_message_len;
+
+ xmit_frag(&partnotice, buffer, buffer_len, 0);
+
+ offset += fragsize;
+
+ if (!notice->z_message_len)
+ break;
+ }
+ free(buffer);
+ return;
+ }
+ /* End of refrag code */
+
+
if (retval != ZERR_NONE) {
syslog(LOG_ERR, "xmit format: %s", error_message(retval));
free(noticepack);
*** server/realm.c Fri Sep 5 15:52:05 1997
--- /usr/tmp/realm.c Tue Feb 17 16:00:29 1998
***************
*** 1,9 ****
#include "zserver.h"
#include <sys/socket.h>
- extern int __My_length;
- extern char *__My_addr;
-
Unacked *rlm_nacklist = NULL; /* not acked list for realm-realm
packets */
Realm *otherrealms; /* points to an array of the known
--- 1,6 ----
***************
*** 16,22 ****
static void rlm_ack __P((ZNotice_t *notice, Unacked *nacked));
static void rlm_nack_cancel __P((ZNotice_t *notice, struct sockaddr_in *who));
static void rlm_new_ticket __P(());
! static void rlm_rexmit __P((void *arg));
static Code_t realm_ulocate_dispatch __P((ZNotice_t *notice,int auth,struct sockaddr_in *who,Server *server,Realm *realm));
#ifdef ZEPHYR_USES_KERBEROS
static Code_t ticket_retrieve __P((Realm *realm));
--- 13,19 ----
static void rlm_ack __P((ZNotice_t *notice, Unacked *nacked));
static void rlm_nack_cancel __P((ZNotice_t *notice, struct sockaddr_in *who));
static void rlm_new_ticket __P(());
! void rlm_rexmit __P((void *arg));
static Code_t realm_ulocate_dispatch __P((ZNotice_t *notice,int auth,struct sockaddr_in *who,Server *server,Realm *realm));
#ifdef ZEPHYR_USES_KERBEROS
static Code_t ticket_retrieve __P((Realm *realm));
***************
*** 463,469 ****
client->addr.sin_addr.s_addr = 0;
rlm->client = client;
! rlm->idx = random() % rlm->count;
rlm->subs = NULL;
rlm->tkt_try = 0;
free(rlmnames[ii].servers);
--- 460,466 ----
client->addr.sin_addr.s_addr = 0;
rlm->client = client;
! rlm->idx = (rlm->count) ? random() % rlm->count;
rlm->subs = NULL;
rlm->tkt_try = 0;
free(rlmnames[ii].servers);
***************
*** 572,582 ****
if (!auth) {
zdbug((LOG_DEBUG, "realm_sendit unauthentic to realm %s", realm->name))
realm_sendit(notice, who, auth, realm, ack_to_sender);
}
if (!ticket_lookup(realm->name))
if ((retval = ticket_retrieve(realm)) != ZERR_NONE) {
! syslog(LOG_WARNING, "rlm_handoff failed: %s", error_message(retval));
return;
}
--- 569,582 ----
if (!auth) {
zdbug((LOG_DEBUG, "realm_sendit unauthentic to realm %s", realm->name))
realm_sendit(notice, who, auth, realm, ack_to_sender);
+ return;
}
if (!ticket_lookup(realm->name))
if ((retval = ticket_retrieve(realm)) != ZERR_NONE) {
! syslog(LOG_WARNING, "tkt_rtrv failed: %s, falling back",
! error_message(retval));
! realm_sendit(notice, who, auth, realm, ack_to_sender);
return;
}
***************
*** 661,667 ****
nack(¬ice, &nackpacket->ack_addr);
}
! static void
rlm_rexmit(arg)
void *arg;
{
--- 661,667 ----
nack(¬ice, &nackpacket->ack_addr);
}
! void
rlm_rexmit(arg)
void *arg;
{
***************
*** 676,681 ****
--- 676,684 ----
zdbug((LOG_DEBUG, "rlm_rexmit: sending to %s", realm->name));
+ if (realm->count == 0)
+ return;
+
if (rexmit_times[(nackpacket->rexmits + 1)/(realm->count)] == -1) {
/* give a server ack that the packet is lost/realm dead */
packet_ctl_nack(nackpacket);
***************
*** 730,736 ****
}
}
-
#ifdef ZEPHYR_USES_KERBEROS
static void
realm_sendit_auth(notice, who, auth, realm, ack_to_sender)
--- 733,738 ----
***************
*** 754,760 ****
offset = 0;
/* first, build an authent */
! retval = krb_get_cred(SERVER_SERVICE, SERVER_INSTANCE, realm, &cred);
if (retval != GC_OK) {
syslog(LOG_WARNING, "rlm_sendit_auth get_cred: %s",
error_message(retval+krb_err_base));
--- 756,762 ----
offset = 0;
/* first, build an authent */
! retval = krb_get_cred(SERVER_SERVICE, SERVER_INSTANCE, realm->name, &cred);
if (retval != GC_OK) {
syslog(LOG_WARNING, "rlm_sendit_auth get_cred: %s",
error_message(retval+krb_err_base));
***************
*** 761,767 ****
return;
}
! retval = krb_mk_req(&authent, SERVER_SERVICE, SERVER_INSTANCE, realm, 1);
if (retval != MK_AP_OK) {
syslog(LOG_WARNING, "rlm_sendit_auth mk_req: %s",
error_message(retval+krb_err_base));
--- 763,769 ----
return;
}
! retval = krb_mk_req(&authent, SERVER_SERVICE, SERVER_INSTANCE, realm->name, 1);
if (retval != MK_AP_OK) {
syslog(LOG_WARNING, "rlm_sendit_auth mk_req: %s",
error_message(retval+krb_err_base));
***************
*** 921,928 ****
return;
}
- offset += fragsize;
-
if (!(nacked = (Unacked *)malloc(sizeof(Unacked)))) {
/* no space: just punt */
syslog(LOG_ERR, "rlm_sendit_auth nack malloc");
--- 923,928 ----
***************
*** 949,954 ****
--- 949,956 ----
/* chain in */
LIST_INSERT(&rlm_nacklist, nacked);
+ offset += fragsize;
+
if (!notice->z_message_len)
break;
}
***************
*** 1011,1022 ****
ticket_expired(cred)
CREDENTIALS *cred;
{
! /* extra 15 minutes for safety margin */
! #ifdef AFS_LIFETIMES
! return (krb_life_to_time(cred->issue_date, cred->lifetime) < NOW + 15*60);
! #else /* AFS_LIFETIMES */
! return (cred->issue_date + cred->lifetime*5*60 < NOW + 15*60);
! #endif /* AFS_LIFETIMES */
}
int
--- 1013,1023 ----
ticket_expired(cred)
CREDENTIALS *cred;
{
! #ifdef HAVE_KRB_LIFE_TO_TIME
! return (krb_life_to_time(cred->issue_date, cred->lifetime) < NOW);
! #else
! return (cred->issue_date + cred->lifetime*5*60 < NOW);
! #endif
}
int
***************
*** 1068,1084 ****
authent.mbz=0;
/* Don't lose by trying too often. */
! if (NOW - realm->tkt_try > 5 * 60) {
retval = krb_mk_req(&authent, SERVER_SERVICE, SERVER_INSTANCE,
realm->name, 0);
realm->tkt_try = NOW;
if (retval != KSUCCESS) {
! syslog(LOG_WARNING, "tkt_rtrv: %s: %s", realm,
krb_err_txt[retval]);
return (retval+krb_err_base);
}
return (0);
} else {
return (1);
}
}
--- 1069,1087 ----
authent.mbz=0;
/* Don't lose by trying too often. */
! if (NOW - realm->tkt_try > 3 * 60) {
retval = krb_mk_req(&authent, SERVER_SERVICE, SERVER_INSTANCE,
realm->name, 0);
realm->tkt_try = NOW;
if (retval != KSUCCESS) {
! syslog(LOG_WARNING, "tkt_rtrv: %s: %s", realm->name,
krb_err_txt[retval]);
return (retval+krb_err_base);
}
return (0);
} else {
+ syslog(LOG_WARNING, "tkt_rtrv: not trying, last try was %d sec ago", NOW -
+ realm->tkt_try);
return (1);
}
}
*** server/zserver.h Fri Sep 5 15:52:06 1997
--- /usr/tmp/zserver.h Tue Feb 17 16:03:52 1998
***************
*** 364,369 ****
--- 364,373 ----
extern struct in_addr my_addr; /* my inet address */
+ /* found "elsewhere" */
+ extern int __My_length;
+ extern char *__My_addr;
+
#define class_is_control(classname) (classname == class_control)
#define class_is_admin(classname) (classname == class_admin)
#define class_is_hm(classname) (classname == class_hm)
---559023410-684387517-887749797=:14554--
