2 * Copyright (c) 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadmin_locl.h"
36 #include <gssapi/gssapi.h>
37 //#include <gssapi_krb5.h>
38 //#include <gssapi_spnego.h>
40 static gss_OID_desc krb5_mechanism =
41 {9, (void *)(uintptr_t) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
42 #define GSS_KRB5_MECHANISM (&krb5_mechanism)
48 krb5_errx(dcontext, 1, "Failed (%d) on %s:%d", \
49 __r, __FILE__, __LINE__); \
53 static krb5_context dcontext;
55 #define INSIST(x) CHECK(!(x))
57 #define VERSION2 0x12345702
59 #define LAST_FRAGMENT 0x80000000
62 #define KADM_SERVER 2112
65 #define FLAVOR_GSS_VERSION 1
78 struct opaque_auth cred;
79 struct opaque_auth verf;
85 RPG_CONTINUE_INIT = 2,
95 krb5_ui_4 api_version;
112 parse_name(const unsigned char *p, size_t len,
113 const gss_OID oid, char **name)
121 if (memcmp(p, "\x04\x01", 2) != 0)
127 l = (p[0] << 8) | p[1];
130 if (l < 2 || len < l)
134 if (p[0] != 6 || p[1] != l - 2)
141 if (l != oid->length || memcmp(p, oid->elements, oid->length) != 0)
149 l = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
157 *name = malloc(l + 1);
158 INSIST(*name != NULL);
168 gss_error(krb5_context contextp,
169 gss_OID mech, OM_uint32 type, OM_uint32 error)
172 OM_uint32 msg_ctx = 0;
173 gss_buffer_desc status_string;
177 ret = gss_display_status (&new_stat,
183 krb5_warnx(contextp, "%.*s",
184 (int)status_string.length,
185 (char *)status_string.value);
186 gss_release_buffer (&new_stat, &status_string);
187 } while (!GSS_ERROR(ret) && msg_ctx != 0);
191 gss_print_errors (krb5_context contextp,
192 OM_uint32 maj_stat, OM_uint32 min_stat)
194 gss_error(contextp, GSS_C_NO_OID, GSS_C_GSS_CODE, maj_stat);
195 gss_error(contextp, GSS_C_NO_OID, GSS_C_MECH_CODE, min_stat);
199 read_data(krb5_storage *sp, krb5_storage *msg, size_t len)
207 if (tlen > sizeof(buf))
210 slen = krb5_storage_read(sp, buf, tlen);
211 INSIST((size_t)slen == tlen);
213 slen = krb5_storage_write(msg, buf, tlen);
214 INSIST((size_t)slen == tlen);
222 collect_framents(krb5_storage *sp, krb5_storage *msg)
227 size_t total_len = 0;
230 ret = krb5_ret_uint32(sp, &len);
234 last_fragment = (len & LAST_FRAGMENT);
235 len &= ~LAST_FRAGMENT;
237 CHECK(read_data(sp, msg, len));
240 } while(!last_fragment || total_len == 0);
245 static krb5_error_code
246 store_data_xdr(krb5_storage *sp, krb5_data data)
251 ret = krb5_store_data(sp, data);
254 res = 4 - (data.length % 4);
256 static const char zero[4] = { 0, 0, 0, 0 };
258 ret = krb5_storage_write(sp, zero, res);
259 if((size_t)ret != res)
260 return (ret < 0)? errno : krb5_storage_get_eof_code(sp);
265 static krb5_error_code
266 ret_data_xdr(krb5_storage *sp, krb5_data *data)
269 ret = krb5_ret_data(sp, data);
273 if ((data->length % 4) != 0) {
277 res = 4 - (data->length % 4);
279 ret = krb5_storage_read(sp, buf, res);
280 if((size_t)ret != res)
281 return (ret < 0)? errno : krb5_storage_get_eof_code(sp);
287 static krb5_error_code
288 ret_auth_opaque(krb5_storage *msg, struct opaque_auth *ao)
291 ret = krb5_ret_uint32(msg, &ao->flavor);
293 ret = ret_data_xdr(msg, &ao->data);
298 ret_gcred(krb5_data *data, struct gcred *gcred)
302 memset(gcred, 0, sizeof(*gcred));
304 sp = krb5_storage_from_data(data);
307 CHECK(krb5_ret_uint32(sp, &gcred->version));
308 CHECK(krb5_ret_uint32(sp, &gcred->proc));
309 CHECK(krb5_ret_uint32(sp, &gcred->seq_num));
310 CHECK(krb5_ret_uint32(sp, &gcred->service));
311 CHECK(ret_data_xdr(sp, &gcred->handle));
313 krb5_storage_free(sp);
318 static krb5_error_code
319 store_gss_init_res(krb5_storage *sp, krb5_data handle,
320 OM_uint32 maj_stat, OM_uint32 min_stat,
321 uint32_t seq_window, gss_buffer_t gout)
326 out.data = gout->value;
327 out.length = gout->length;
329 ret = store_data_xdr(sp, handle);
331 ret = krb5_store_uint32(sp, maj_stat);
333 ret = krb5_store_uint32(sp, min_stat);
335 ret = store_data_xdr(sp, out);
340 store_string_xdr(krb5_storage *sp, const char *str)
344 c.data = rk_UNCONST(str);
345 c.length = strlen(str) + 1;
349 return store_data_xdr(sp, c);
353 ret_string_xdr(krb5_storage *sp, char **str)
357 CHECK(ret_data_xdr(sp, &c));
359 *str = malloc(c.length + 1);
360 INSIST(*str != NULL);
361 memcpy(*str, c.data, c.length);
362 (*str)[c.length] = '\0';
369 store_principal_xdr(krb5_context contextp,
374 CHECK(krb5_unparse_name(contextp, p, &str));
375 CHECK(store_string_xdr(sp, str));
381 ret_principal_xdr(krb5_context contextp,
387 CHECK(ret_string_xdr(sp, &str));
389 CHECK(krb5_parse_name(contextp, str, p));
396 store_principal_ent(krb5_context contextp,
398 kadm5_principal_ent_rec *ent)
402 CHECK(store_principal_xdr(contextp, sp, ent->principal));
403 CHECK(krb5_store_uint32(sp, ent->princ_expire_time));
404 CHECK(krb5_store_uint32(sp, ent->pw_expiration));
405 CHECK(krb5_store_uint32(sp, ent->last_pwd_change));
406 CHECK(krb5_store_uint32(sp, ent->max_life));
407 CHECK(krb5_store_int32(sp, ent->mod_name == NULL));
409 CHECK(store_principal_xdr(contextp, sp, ent->mod_name));
410 CHECK(krb5_store_uint32(sp, ent->mod_date));
411 CHECK(krb5_store_uint32(sp, ent->attributes));
412 CHECK(krb5_store_uint32(sp, ent->kvno));
413 CHECK(krb5_store_uint32(sp, ent->mkvno));
414 CHECK(store_string_xdr(sp, ent->policy));
415 CHECK(krb5_store_int32(sp, ent->aux_attributes));
416 CHECK(krb5_store_int32(sp, ent->max_renewable_life));
417 CHECK(krb5_store_int32(sp, ent->last_success));
418 CHECK(krb5_store_int32(sp, ent->last_failed));
419 CHECK(krb5_store_int32(sp, ent->fail_auth_count));
420 CHECK(krb5_store_int32(sp, ent->n_key_data));
421 CHECK(krb5_store_int32(sp, ent->n_tl_data));
422 CHECK(krb5_store_int32(sp, ent->n_tl_data == 0));
423 if (ent->n_tl_data) {
426 for (tp = ent->tl_data; tp; tp = tp->tl_data_next) {
428 c.length = tp->tl_data_length;
429 c.data = tp->tl_data_contents;
431 CHECK(krb5_store_int32(sp, 0)); /* last item */
432 CHECK(krb5_store_int32(sp, tp->tl_data_type));
433 CHECK(store_data_xdr(sp, c));
435 CHECK(krb5_store_int32(sp, 1)); /* last item */
438 CHECK(krb5_store_int32(sp, ent->n_key_data));
439 for (i = 0; i < ent->n_key_data; i++) {
440 CHECK(krb5_store_uint32(sp, 2));
441 CHECK(krb5_store_uint32(sp, ent->kvno));
442 CHECK(krb5_store_uint32(sp, ent->key_data[i].key_data_type[0]));
443 CHECK(krb5_store_uint32(sp, ent->key_data[i].key_data_type[1]));
450 ret_principal_ent(krb5_context contextp,
452 kadm5_principal_ent_rec *ent)
457 memset(ent, 0, sizeof(*ent));
459 CHECK(ret_principal_xdr(contextp, sp, &ent->principal));
460 CHECK(krb5_ret_uint32(sp, &flag));
461 ent->princ_expire_time = flag;
462 CHECK(krb5_ret_uint32(sp, &flag));
463 ent->pw_expiration = flag;
464 CHECK(krb5_ret_uint32(sp, &flag));
465 ent->last_pwd_change = flag;
466 CHECK(krb5_ret_uint32(sp, &flag));
467 ent->max_life = flag;
468 CHECK(krb5_ret_uint32(sp, &flag));
470 ret_principal_xdr(contextp, sp, &ent->mod_name);
471 CHECK(krb5_ret_uint32(sp, &flag));
472 ent->mod_date = flag;
473 CHECK(krb5_ret_uint32(sp, &flag));
474 ent->attributes = flag;
475 CHECK(krb5_ret_uint32(sp, &flag));
477 CHECK(krb5_ret_uint32(sp, &flag));
479 CHECK(ret_string_xdr(sp, &ent->policy));
480 CHECK(krb5_ret_uint32(sp, &flag));
481 ent->aux_attributes = flag;
482 CHECK(krb5_ret_uint32(sp, &flag));
483 ent->max_renewable_life = flag;
484 CHECK(krb5_ret_uint32(sp, &flag));
485 ent->last_success = flag;
486 CHECK(krb5_ret_uint32(sp, &flag));
487 ent->last_failed = flag;
488 CHECK(krb5_ret_uint32(sp, &flag));
489 ent->fail_auth_count = flag;
490 CHECK(krb5_ret_uint32(sp, &flag));
491 ent->n_key_data = flag;
492 CHECK(krb5_ret_uint32(sp, &flag));
493 ent->n_tl_data = flag;
494 CHECK(krb5_ret_uint32(sp, &flag));
496 krb5_tl_data **tp = &ent->tl_data;
501 CHECK(krb5_ret_uint32(sp, &flag)); /* last item */
504 *tp = calloc(1, sizeof(**tp));
506 CHECK(krb5_ret_uint32(sp, &flag));
507 (*tp)->tl_data_type = flag;
508 CHECK(ret_data_xdr(sp, &c));
509 (*tp)->tl_data_length = c.length;
510 (*tp)->tl_data_contents = c.data;
511 tp = &(*tp)->tl_data_next;
515 INSIST((size_t)ent->n_tl_data == count);
517 INSIST(ent->n_tl_data == 0);
520 CHECK(krb5_ret_uint32(sp, &num));
521 INSIST(num == (uint32_t)ent->n_key_data);
523 ent->key_data = calloc(num, sizeof(ent->key_data[0]));
524 INSIST(ent->key_data != NULL);
526 for (i = 0; i < num; i++) {
527 CHECK(krb5_ret_uint32(sp, &flag)); /* data version */
529 CHECK(krb5_ret_uint32(sp, &flag));
531 CHECK(krb5_ret_uint32(sp, &flag));
532 ent->key_data[i].key_data_type[0] = flag;
533 CHECK(krb5_ret_uint32(sp, &flag));
534 ent->key_data[i].key_data_type[1] = flag;
545 proc_create_principal(kadm5_server_context *contextp,
549 uint32_t version, mask;
550 kadm5_principal_ent_rec ent;
554 memset(&ent, 0, sizeof(ent));
556 CHECK(krb5_ret_uint32(in, &version));
557 INSIST(version == VERSION2);
558 CHECK(ret_principal_ent(contextp->context, in, &ent));
559 CHECK(krb5_ret_uint32(in, &mask));
560 CHECK(ret_string_xdr(in, &password));
562 INSIST(ent.principal);
565 ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD, ent.principal);
569 ret = kadm5_create_principal(contextp, &ent, mask, password);
572 krb5_warn(contextp->context, ret, "create principal");
573 CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
574 CHECK(krb5_store_uint32(out, ret)); /* code */
577 kadm5_free_principal_ent(contextp, &ent);
581 proc_delete_principal(kadm5_server_context *contextp,
586 krb5_principal princ;
589 CHECK(krb5_ret_uint32(in, &version));
590 INSIST(version == VERSION2);
591 CHECK(ret_principal_xdr(contextp->context, in, &princ));
593 ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ);
597 ret = kadm5_delete_principal(contextp, princ);
600 krb5_warn(contextp->context, ret, "delete principal");
601 CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
602 CHECK(krb5_store_uint32(out, ret)); /* code */
604 krb5_free_principal(contextp->context, princ);
608 proc_get_principal(kadm5_server_context *contextp,
612 uint32_t version, mask;
613 krb5_principal princ;
614 kadm5_principal_ent_rec ent;
617 memset(&ent, 0, sizeof(ent));
619 CHECK(krb5_ret_uint32(in, &version));
620 INSIST(version == VERSION2);
621 CHECK(ret_principal_xdr(contextp->context, in, &princ));
622 CHECK(krb5_ret_uint32(in, &mask));
624 ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
628 ret = kadm5_get_principal(contextp, princ, &ent, mask);
631 krb5_warn(contextp->context, ret, "get principal principal");
633 CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
634 CHECK(krb5_store_uint32(out, ret)); /* code */
636 CHECK(store_principal_ent(contextp->context, out, &ent));
638 krb5_free_principal(contextp->context, princ);
639 kadm5_free_principal_ent(contextp, &ent);
643 proc_chrand_principal_v2(kadm5_server_context *contextp,
648 krb5_principal princ;
650 krb5_keyblock *new_keys;
653 CHECK(krb5_ret_uint32(in, &version));
654 INSIST(version == VERSION2);
655 CHECK(ret_principal_xdr(contextp->context, in, &princ));
657 ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
661 ret = kadm5_randkey_principal(contextp, princ,
665 krb5_warn(contextp->context, ret, "rand key principal");
667 CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
668 CHECK(krb5_store_uint32(out, ret));
671 CHECK(krb5_store_int32(out, n_keys));
673 for(i = 0; i < n_keys; i++){
674 CHECK(krb5_store_uint32(out, new_keys[i].keytype));
675 CHECK(store_data_xdr(out, new_keys[i].keyvalue));
676 krb5_free_keyblock_contents(contextp->context, &new_keys[i]);
680 krb5_free_principal(contextp->context, princ);
684 proc_init(kadm5_server_context *contextp,
688 CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
689 CHECK(krb5_store_uint32(out, 0)); /* code */
690 CHECK(krb5_store_uint32(out, 0)); /* code */
695 void (*func)(kadm5_server_context *, krb5_storage *, krb5_storage *);
698 { "create principal", proc_create_principal },
699 { "delete principal", proc_delete_principal },
700 { "modify principal", NULL },
701 { "rename principal", NULL },
702 { "get principal", proc_get_principal },
703 { "chpass principal", NULL },
704 { "chrand principal", proc_chrand_principal_v2 },
705 { "create policy", NULL },
706 { "delete policy", NULL },
707 { "modify policy", NULL },
708 { "get policy", NULL },
709 { "get privs", NULL },
710 { "init", proc_init },
711 { "get principals", NULL },
712 { "get polices", NULL },
713 { "setkey principal", NULL },
714 { "setkey principal v4", NULL },
715 { "create principal v3", NULL },
716 { "chpass principal v3", NULL },
717 { "chrand principal v3", NULL },
718 { "setkey principal v3", NULL }
721 static krb5_error_code
722 copyheader(krb5_storage *sp, krb5_data *data)
727 off = krb5_storage_seek(sp, 0, SEEK_CUR);
729 CHECK(krb5_data_alloc(data, off));
730 INSIST((size_t)off == data->length);
731 krb5_storage_seek(sp, 0, SEEK_SET);
732 sret = krb5_storage_read(sp, data->data, data->length);
734 INSIST(off == krb5_storage_seek(sp, 0, SEEK_CUR));
748 process_stream(krb5_context contextp,
749 unsigned char *buf, size_t ilen,
753 krb5_storage *msg, *reply, *dreply;
754 OM_uint32 maj_stat, min_stat;
755 gss_buffer_desc gin, gout;
757 void *server_handle = NULL;
759 memset(&gctx, 0, sizeof(gctx));
761 msg = krb5_storage_emem();
762 reply = krb5_storage_emem();
763 dreply = krb5_storage_emem();
766 * First packet comes partly from the caller
772 struct call_header chdr;
775 krb5_data headercopy;
777 krb5_storage_truncate(dreply, 0);
778 krb5_storage_truncate(reply, 0);
779 krb5_storage_truncate(msg, 0);
781 krb5_data_zero(&headercopy);
782 memset(&chdr, 0, sizeof(chdr));
783 memset(&gcred, 0, sizeof(gcred));
786 * This is very icky to handle the the auto-detection between
787 * the Heimdal protocol and the MIT ONC-RPC based protocol.
794 unsigned char tmp[4];
797 memcpy(tmp, buf, ilen);
798 slen = krb5_storage_read(sp, tmp + ilen, sizeof(tmp) - ilen);
799 INSIST((size_t)slen == sizeof(tmp) - ilen);
806 _krb5_get_int(buf, &len, 4);
807 last_fragment = (len & LAST_FRAGMENT) != 0;
808 len &= ~LAST_FRAGMENT;
815 slen = krb5_storage_write(msg, buf, len);
816 INSIST((size_t)slen == len);
820 slen = krb5_storage_write(msg, buf, ilen);
821 INSIST((size_t)slen == ilen);
826 CHECK(read_data(sp, msg, len));
828 if (!last_fragment) {
829 ret = collect_framents(sp, msg);
830 if (ret == HEIM_ERR_EOF)
831 krb5_errx(contextp, 0, "client disconnected");
836 ret = collect_framents(sp, msg);
837 if (ret == HEIM_ERR_EOF)
838 krb5_errx(contextp, 0, "client disconnected");
841 krb5_storage_seek(msg, 0, SEEK_SET);
843 CHECK(krb5_ret_uint32(msg, &chdr.xid));
844 CHECK(krb5_ret_uint32(msg, &mtype));
845 CHECK(krb5_ret_uint32(msg, &chdr.rpcvers));
846 CHECK(krb5_ret_uint32(msg, &chdr.prog));
847 CHECK(krb5_ret_uint32(msg, &chdr.vers));
848 CHECK(krb5_ret_uint32(msg, &chdr.proc));
849 CHECK(ret_auth_opaque(msg, &chdr.cred));
850 CHECK(copyheader(msg, &headercopy));
851 CHECK(ret_auth_opaque(msg, &chdr.verf));
853 INSIST(chdr.rpcvers == RPC_VERSION);
854 INSIST(chdr.prog == KADM_SERVER);
855 INSIST(chdr.vers == VVERSION);
856 INSIST(chdr.cred.flavor == FLAVOR_GSS);
858 CHECK(ret_gcred(&chdr.cred.data, &gcred));
860 INSIST(gcred.version == FLAVOR_GSS_VERSION);
863 INSIST(chdr.verf.flavor == FLAVOR_GSS);
865 /* from first byte to last of credential */
866 gin.value = headercopy.data;
867 gin.length = headercopy.length;
868 gout.value = chdr.verf.data.data;
869 gout.length = chdr.verf.data.length;
871 maj_stat = gss_verify_mic(&min_stat, gctx.ctx, &gin, &gout, NULL);
872 INSIST(maj_stat == GSS_S_COMPLETE);
882 INSIST(gcred.service == rpg_privacy);
886 INSIST(krb5_data_cmp(&gcred.handle, &gctx.handle) == 0);
888 CHECK(ret_data_xdr(msg, &data));
890 gin.value = data.data;
891 gin.length = data.length;
893 maj_stat = gss_unwrap(&min_stat, gctx.ctx, &gin, &gout,
895 krb5_data_free(&data);
896 INSIST(maj_stat == GSS_S_COMPLETE);
897 INSIST(conf_state != 0);
899 sp1 = krb5_storage_from_mem(gout.value, gout.length);
902 CHECK(krb5_ret_uint32(sp1, &seq));
903 INSIST (seq == gcred.seq_num);
906 * Check sequence number
908 INSIST(seq > gctx.seq_num);
912 * If contextp is setup, priv data have the seq_num stored
913 * first in the block, so add it here before users data is
916 CHECK(krb5_store_uint32(dreply, gctx.seq_num));
918 if (chdr.proc >= sizeof(procs)/sizeof(procs[0])) {
919 krb5_warnx(contextp, "proc number out of array");
920 } else if (procs[chdr.proc].func == NULL) {
921 krb5_warnx(contextp, "proc '%s' never implemented",
922 procs[chdr.proc].name);
924 krb5_warnx(contextp, "proc %s", procs[chdr.proc].name);
925 INSIST(server_handle != NULL);
926 (*procs[chdr.proc].func)(server_handle, sp, dreply);
928 krb5_storage_free(sp);
929 gss_release_buffer(&min_stat, &gout);
934 INSIST(gctx.inprogress == 0);
935 INSIST(gctx.ctx == NULL);
939 case RPG_CONTINUE_INIT: {
940 gss_name_t src_name = GSS_C_NO_NAME;
943 INSIST(gctx.inprogress);
945 CHECK(ret_data_xdr(msg, &in));
948 gin.length = in.length;
952 maj_stat = gss_accept_sec_context(&min_stat,
956 GSS_C_NO_CHANNEL_BINDINGS,
963 if (GSS_ERROR(maj_stat)) {
964 gss_print_errors(contextp, maj_stat, min_stat);
965 krb5_errx(contextp, 1, "gss error, exit");
967 if ((maj_stat & GSS_S_CONTINUE_NEEDED) == 0) {
968 kadm5_config_params realm_params;
969 gss_buffer_desc bufp;
974 memset(&realm_params, 0, sizeof(realm_params));
976 maj_stat = gss_export_name(&min_stat, src_name, &bufp);
977 INSIST(maj_stat == GSS_S_COMPLETE);
979 CHECK(parse_name(bufp.value, bufp.length,
980 GSS_KRB5_MECHANISM, &client));
982 gss_release_buffer(&min_stat, &bufp);
984 krb5_warnx(contextp, "%s connected", client);
986 ret = kadm5_s_init_with_password_ctx(contextp,
996 INSIST(gctx.ctx != GSS_C_NO_CONTEXT);
998 CHECK(krb5_store_uint32(dreply, 0));
999 CHECK(store_gss_init_res(dreply, gctx.handle,
1000 maj_stat, min_stat, 1, &gout));
1002 gss_release_buffer(&min_stat, &gout);
1004 gss_release_name(&min_stat, &src_name);
1009 krb5_errx(contextp, 1, "client destroyed gss contextp");
1011 krb5_errx(contextp, 1, "client sent unknown gsscode %d",
1015 krb5_data_free(&gcred.handle);
1016 krb5_data_free(&chdr.cred.data);
1017 krb5_data_free(&chdr.verf.data);
1018 krb5_data_free(&headercopy);
1020 CHECK(krb5_store_uint32(reply, chdr.xid));
1021 CHECK(krb5_store_uint32(reply, 1)); /* REPLY */
1022 CHECK(krb5_store_uint32(reply, 0)); /* MSG_ACCEPTED */
1027 CHECK(krb5_store_uint32(reply, 0)); /* flavor_none */
1028 CHECK(krb5_store_uint32(reply, 0)); /* length */
1030 CHECK(krb5_store_uint32(reply, 0)); /* SUCCESS */
1032 CHECK(krb5_storage_to_data(dreply, &data));
1033 INSIST((size_t)krb5_storage_write(reply, data.data, data.length) == data.length);
1034 krb5_data_free(&data);
1037 uint32_t seqnum = htonl(gctx.seq_num);
1040 gin.value = &seqnum;
1041 gin.length = sizeof(seqnum);
1043 maj_stat = gss_get_mic(&min_stat, gctx.ctx, 0, &gin, &gout);
1044 INSIST(maj_stat == GSS_S_COMPLETE);
1046 data.data = gout.value;
1047 data.length = gout.length;
1049 CHECK(krb5_store_uint32(reply, FLAVOR_GSS));
1050 CHECK(store_data_xdr(reply, data));
1051 gss_release_buffer(&min_stat, &gout);
1053 CHECK(krb5_store_uint32(reply, 0)); /* SUCCESS */
1055 CHECK(krb5_storage_to_data(dreply, &data));
1057 if (gctx.inprogress) {
1059 gctx.inprogress = 0;
1060 sret = krb5_storage_write(reply, data.data, data.length);
1061 INSIST((size_t)sret == data.length);
1062 krb5_data_free(&data);
1066 gin.value = data.data;
1067 gin.length = data.length;
1069 maj_stat = gss_wrap(&min_stat, gctx.ctx, 1, 0,
1070 &gin, &conf_state, &gout);
1071 INSIST(maj_stat == GSS_S_COMPLETE);
1072 INSIST(conf_state != 0);
1073 krb5_data_free(&data);
1075 data.data = gout.value;
1076 data.length = gout.length;
1078 store_data_xdr(reply, data);
1079 gss_release_buffer(&min_stat, &gout);
1086 CHECK(krb5_storage_to_data(reply, &data));
1087 CHECK(krb5_store_uint32(sp, data.length | LAST_FRAGMENT));
1088 sret = krb5_storage_write(sp, data.data, data.length);
1089 INSIST((size_t)sret == data.length);
1090 krb5_data_free(&data);
1098 handle_mit(krb5_context contextp, void *buf, size_t len, krb5_socket_t sock)
1102 dcontext = contextp;
1104 sp = krb5_storage_from_fd(sock);
1107 process_stream(contextp, buf, len, sp);