2 * Copyright (c) 2005, PADL Software Pty Ltd.
5 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 kcm_drop_default_cache(krb5_context context
, kcm_client
*client
, char *name
);
43 kcm_is_same_session(kcm_client
*client
, uid_t uid
, pid_t session
)
45 #if 0 /* XXX pppd is running in diffrent session the user */
47 return (client
->session
== session
);
50 return (client
->uid
== uid
);
53 static krb5_error_code
54 kcm_op_noop(krb5_context context
,
57 krb5_storage
*request
,
58 krb5_storage
*response
)
60 KCM_LOG_REQUEST(context
, client
, opcode
);
72 static krb5_error_code
73 kcm_op_get_name(krb5_context context
,
76 krb5_storage
*request
,
77 krb5_storage
*response
)
84 ret
= krb5_ret_stringz(request
, &name
);
88 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
90 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
97 ret
= krb5_store_stringz(response
, ccache
->name
);
99 kcm_release_ccache(context
, ccache
);
105 kcm_release_ccache(context
, ccache
);
115 static krb5_error_code
116 kcm_op_gen_new(krb5_context context
,
118 kcm_operation opcode
,
119 krb5_storage
*request
,
120 krb5_storage
*response
)
125 KCM_LOG_REQUEST(context
, client
, opcode
);
127 name
= kcm_ccache_nextid(client
->pid
, client
->uid
, client
->gid
);
129 return KRB5_CC_NOMEM
;
132 ret
= krb5_store_stringz(response
, name
);
146 static krb5_error_code
147 kcm_op_initialize(krb5_context context
,
149 kcm_operation opcode
,
150 krb5_storage
*request
,
151 krb5_storage
*response
)
154 krb5_principal principal
;
161 KCM_LOG_REQUEST(context
, client
, opcode
);
163 ret
= krb5_ret_stringz(request
, &name
);
167 ret
= krb5_ret_principal(request
, &principal
);
173 ret
= kcm_ccache_new_client(context
, client
, name
, &ccache
);
176 krb5_free_principal(context
, principal
);
180 ccache
->client
= principal
;
186 * Create a new credentials cache. To mitigate DoS attacks we will
187 * expire it in 30 minutes unless it has some credentials added
191 event
.fire_time
= 30 * 60;
192 event
.expire_time
= 0;
193 event
.backoff_time
= 0;
194 event
.action
= KCM_EVENT_DESTROY_EMPTY_CACHE
;
195 event
.ccache
= ccache
;
197 ret
= kcm_enqueue_event_relative(context
, &event
);
200 kcm_release_ccache(context
, ccache
);
212 static krb5_error_code
213 kcm_op_destroy(krb5_context context
,
215 kcm_operation opcode
,
216 krb5_storage
*request
,
217 krb5_storage
*response
)
222 ret
= krb5_ret_stringz(request
, &name
);
226 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
228 ret
= kcm_ccache_destroy_client(context
, client
, name
);
230 kcm_drop_default_cache(context
, client
, name
);
245 static krb5_error_code
246 kcm_op_store(krb5_context context
,
248 kcm_operation opcode
,
249 krb5_storage
*request
,
250 krb5_storage
*response
)
257 ret
= krb5_ret_stringz(request
, &name
);
261 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
263 ret
= krb5_ret_creds(request
, &creds
);
269 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
273 krb5_free_cred_contents(context
, &creds
);
277 ret
= kcm_ccache_store_cred(context
, ccache
, &creds
, 0);
280 krb5_free_cred_contents(context
, &creds
);
281 kcm_release_ccache(context
, ccache
);
285 kcm_ccache_enqueue_default(context
, ccache
, &creds
);
288 kcm_release_ccache(context
, ccache
);
303 static krb5_error_code
304 kcm_op_retrieve(krb5_context context
,
306 kcm_operation opcode
,
307 krb5_storage
*request
,
308 krb5_storage
*response
)
318 ret
= krb5_ret_stringz(request
, &name
);
322 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
324 ret
= krb5_ret_uint32(request
, &flags
);
330 ret
= krb5_ret_creds_tag(request
, &mcreds
);
336 if (disallow_getting_krbtgt
&& krb5_principal_is_krbtgt(context
, mcreds
.server
))
339 krb5_free_cred_contents(context
, &mcreds
);
340 return KRB5_FCC_PERM
;
343 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
347 krb5_free_cred_contents(context
, &mcreds
);
351 ret
= kcm_ccache_retrieve_cred(context
, ccache
, flags
,
353 if (ret
&& ((flags
& KRB5_GC_CACHED
) == 0) &&
354 !krb5_is_config_principal(context
, mcreds
.server
)) {
355 krb5_ccache_data ccdata
;
357 /* try and acquire */
358 HEIMDAL_MUTEX_lock(&ccache
->mutex
);
360 /* Fake up an internal ccache */
361 kcm_internal_ccache(context
, ccache
, &ccdata
);
363 /* glue cc layer will store creds */
364 ret
= krb5_get_credentials(context
, 0, &ccdata
, &mcreds
, &credp
);
368 HEIMDAL_MUTEX_unlock(&ccache
->mutex
);
372 ret
= krb5_store_creds(response
, credp
);
376 krb5_free_cred_contents(context
, &mcreds
);
377 kcm_release_ccache(context
, ccache
);
380 krb5_free_cred_contents(context
, credp
);
392 static krb5_error_code
393 kcm_op_get_principal(krb5_context context
,
395 kcm_operation opcode
,
396 krb5_storage
*request
,
397 krb5_storage
*response
)
403 ret
= krb5_ret_stringz(request
, &name
);
407 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
409 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
416 if (ccache
->client
== NULL
)
417 ret
= KRB5_CC_NOTFOUND
;
419 ret
= krb5_store_principal(response
, ccache
->client
);
422 kcm_release_ccache(context
, ccache
);
435 static krb5_error_code
436 kcm_op_get_cred_uuid_list(krb5_context context
,
438 kcm_operation opcode
,
439 krb5_storage
*request
,
440 krb5_storage
*response
)
442 struct kcm_creds
*creds
;
447 ret
= krb5_ret_stringz(request
, &name
);
451 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
453 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
459 for (creds
= ccache
->creds
; creds
; creds
= creds
->next
) {
461 sret
= krb5_storage_write(response
, &creds
->uuid
, sizeof(creds
->uuid
));
462 if (sret
!= sizeof(creds
->uuid
)) {
468 kcm_release_ccache(context
, ccache
);
481 static krb5_error_code
482 kcm_op_get_cred_by_uuid(krb5_context context
,
484 kcm_operation opcode
,
485 krb5_storage
*request
,
486 krb5_storage
*response
)
495 ret
= krb5_ret_stringz(request
, &name
);
499 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
501 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
507 sret
= krb5_storage_read(request
, &uuid
, sizeof(uuid
));
508 if (sret
!= sizeof(uuid
)) {
509 kcm_release_ccache(context
, ccache
);
510 krb5_clear_error_message(context
);
514 c
= kcm_ccache_find_cred_uuid(context
, ccache
, uuid
);
516 kcm_release_ccache(context
, ccache
);
520 HEIMDAL_MUTEX_lock(&ccache
->mutex
);
521 ret
= krb5_store_creds(response
, &c
->cred
);
522 HEIMDAL_MUTEX_unlock(&ccache
->mutex
);
524 kcm_release_ccache(context
, ccache
);
538 static krb5_error_code
539 kcm_op_remove_cred(krb5_context context
,
541 kcm_operation opcode
,
542 krb5_storage
*request
,
543 krb5_storage
*response
)
545 uint32_t whichfields
;
551 ret
= krb5_ret_stringz(request
, &name
);
555 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
557 ret
= krb5_ret_uint32(request
, &whichfields
);
563 ret
= krb5_ret_creds_tag(request
, &mcreds
);
569 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
573 krb5_free_cred_contents(context
, &mcreds
);
577 ret
= kcm_ccache_remove_cred(context
, ccache
, whichfields
, &mcreds
);
579 /* XXX need to remove any events that match */
582 krb5_free_cred_contents(context
, &mcreds
);
583 kcm_release_ccache(context
, ccache
);
596 static krb5_error_code
597 kcm_op_set_flags(krb5_context context
,
599 kcm_operation opcode
,
600 krb5_storage
*request
,
601 krb5_storage
*response
)
608 ret
= krb5_ret_stringz(request
, &name
);
612 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
614 ret
= krb5_ret_uint32(request
, &flags
);
620 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
627 /* we don't really support any flags yet */
629 kcm_release_ccache(context
, ccache
);
643 static krb5_error_code
644 kcm_op_chown(krb5_context context
,
646 kcm_operation opcode
,
647 krb5_storage
*request
,
648 krb5_storage
*response
)
656 ret
= krb5_ret_stringz(request
, &name
);
660 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
662 ret
= krb5_ret_uint32(request
, &uid
);
668 ret
= krb5_ret_uint32(request
, &gid
);
674 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
681 ret
= kcm_chown(context
, client
, ccache
, uid
, gid
);
684 kcm_release_ccache(context
, ccache
);
697 static krb5_error_code
698 kcm_op_chmod(krb5_context context
,
700 kcm_operation opcode
,
701 krb5_storage
*request
,
702 krb5_storage
*response
)
709 ret
= krb5_ret_stringz(request
, &name
);
713 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
715 ret
= krb5_ret_uint16(request
, &mode
);
721 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
728 ret
= kcm_chmod(context
, client
, ccache
, mode
);
731 kcm_release_ccache(context
, ccache
);
737 * Protocol extensions for moving ticket acquisition responsibility
738 * from client to KCM follow.
744 * ServerPrincipalPresent
745 * ServerPrincipal OPTIONAL
751 static krb5_error_code
752 kcm_op_get_initial_ticket(krb5_context context
,
754 kcm_operation opcode
,
755 krb5_storage
*request
,
756 krb5_storage
*response
)
762 krb5_principal server
= NULL
;
765 krb5_keyblock_zero(&key
);
767 ret
= krb5_ret_stringz(request
, &name
);
771 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
773 ret
= krb5_ret_int8(request
, ¬_tgt
);
780 ret
= krb5_ret_principal(request
, &server
);
787 ret
= krb5_ret_keyblock(request
, &key
);
791 krb5_free_principal(context
, server
);
795 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
798 HEIMDAL_MUTEX_lock(&ccache
->mutex
);
800 if (ccache
->server
!= NULL
) {
801 krb5_free_principal(context
, ccache
->server
);
802 ccache
->server
= NULL
;
805 krb5_free_keyblock(context
, &ccache
->key
.keyblock
);
807 ccache
->server
= server
;
808 ccache
->key
.keyblock
= key
;
809 ccache
->flags
|= KCM_FLAGS_USE_CACHED_KEY
;
811 ret
= kcm_ccache_enqueue_default(context
, ccache
, NULL
);
813 ccache
->server
= NULL
;
814 krb5_keyblock_zero(&ccache
->key
.keyblock
);
815 ccache
->flags
&= ~(KCM_FLAGS_USE_CACHED_KEY
);
818 HEIMDAL_MUTEX_unlock(&ccache
->mutex
);
824 krb5_free_principal(context
, server
);
825 krb5_free_keyblock_contents(context
, &key
);
828 kcm_release_ccache(context
, ccache
);
843 static krb5_error_code
844 kcm_op_get_ticket(krb5_context context
,
846 kcm_operation opcode
,
847 krb5_storage
*request
,
848 krb5_storage
*response
)
853 krb5_principal server
= NULL
;
854 krb5_ccache_data ccdata
;
856 krb5_kdc_flags flags
;
858 memset(&in
, 0, sizeof(in
));
860 ret
= krb5_ret_stringz(request
, &name
);
864 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
866 ret
= krb5_ret_uint32(request
, &flags
.i
);
872 ret
= krb5_ret_int32(request
, &in
.session
.keytype
);
878 ret
= krb5_ret_principal(request
, &server
);
884 ret
= kcm_ccache_resolve_client(context
, client
, opcode
,
887 krb5_free_principal(context
, server
);
892 HEIMDAL_MUTEX_lock(&ccache
->mutex
);
894 /* Fake up an internal ccache */
895 kcm_internal_ccache(context
, ccache
, &ccdata
);
897 in
.client
= ccache
->client
;
899 in
.times
.endtime
= 0;
901 /* glue cc layer will store creds */
902 ret
= krb5_get_credentials_with_flags(context
, 0, flags
,
905 HEIMDAL_MUTEX_unlock(&ccache
->mutex
);
907 krb5_free_principal(context
, server
);
910 krb5_free_cred_contents(context
, out
);
912 kcm_release_ccache(context
, ccache
);
926 static krb5_error_code
927 kcm_op_move_cache(krb5_context context
,
929 kcm_operation opcode
,
930 krb5_storage
*request
,
931 krb5_storage
*response
)
934 kcm_ccache oldid
, newid
;
935 char *oldname
, *newname
;
937 ret
= krb5_ret_stringz(request
, &oldname
);
941 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, oldname
);
943 ret
= krb5_ret_stringz(request
, &newname
);
949 /* move to ourself is simple, done! */
950 if (strcmp(oldname
, newname
) == 0) {
956 ret
= kcm_ccache_resolve_client(context
, client
, opcode
, oldname
, &oldid
);
963 /* Check if new credential cache exists, if not create one. */
964 ret
= kcm_ccache_resolve_client(context
, client
, opcode
, newname
, &newid
);
965 if (ret
== KRB5_FCC_NOFILE
)
966 ret
= kcm_ccache_new_client(context
, client
, newname
, &newid
);
971 kcm_release_ccache(context
, oldid
);
975 HEIMDAL_MUTEX_lock(&oldid
->mutex
);
976 HEIMDAL_MUTEX_lock(&newid
->mutex
);
982 #define MOVE(n,o,f) { tmp.f = n->f ; n->f = o->f; o->f = tmp.f; }
984 MOVE(newid
, oldid
, flags
);
985 MOVE(newid
, oldid
, client
);
986 MOVE(newid
, oldid
, server
);
987 MOVE(newid
, oldid
, creds
);
988 MOVE(newid
, oldid
, tkt_life
);
989 MOVE(newid
, oldid
, renew_life
);
990 MOVE(newid
, oldid
, key
);
991 MOVE(newid
, oldid
, kdc_offset
);
995 HEIMDAL_MUTEX_unlock(&oldid
->mutex
);
996 HEIMDAL_MUTEX_unlock(&newid
->mutex
);
998 kcm_release_ccache(context
, oldid
);
999 kcm_release_ccache(context
, newid
);
1001 ret
= kcm_ccache_destroy_client(context
, client
, oldname
);
1003 kcm_drop_default_cache(context
, client
, oldname
);
1010 static krb5_error_code
1011 kcm_op_get_cache_uuid_list(krb5_context context
,
1013 kcm_operation opcode
,
1014 krb5_storage
*request
,
1015 krb5_storage
*response
)
1017 KCM_LOG_REQUEST(context
, client
, opcode
);
1019 return kcm_ccache_get_uuids(context
, client
, opcode
, response
);
1022 static krb5_error_code
1023 kcm_op_get_cache_by_uuid(krb5_context context
,
1025 kcm_operation opcode
,
1026 krb5_storage
*request
,
1027 krb5_storage
*response
)
1029 krb5_error_code ret
;
1034 KCM_LOG_REQUEST(context
, client
, opcode
);
1036 sret
= krb5_storage_read(request
, &uuid
, sizeof(uuid
));
1037 if (sret
!= sizeof(uuid
)) {
1038 krb5_clear_error_message(context
);
1042 ret
= kcm_ccache_resolve_by_uuid(context
, uuid
, &cache
);
1046 ret
= kcm_access(context
, client
, opcode
, cache
);
1048 ret
= KRB5_FCC_NOFILE
;
1051 ret
= krb5_store_stringz(response
, cache
->name
);
1053 kcm_release_ccache(context
, cache
);
1058 struct kcm_default_cache
*default_caches
;
1060 static krb5_error_code
1061 kcm_op_get_default_cache(krb5_context context
,
1063 kcm_operation opcode
,
1064 krb5_storage
*request
,
1065 krb5_storage
*response
)
1067 struct kcm_default_cache
*c
;
1068 krb5_error_code ret
;
1069 const char *name
= NULL
;
1073 KCM_LOG_REQUEST(context
, client
, opcode
);
1075 for (c
= default_caches
; c
!= NULL
; c
= c
->next
) {
1076 if (kcm_is_same_session(client
, c
->uid
, c
->session
)) {
1082 name
= n
= kcm_ccache_first_name(client
);
1085 aret
= asprintf(&n
, "%d", (int)client
->uid
);
1091 ret
= krb5_store_stringz(response
, name
);
1098 kcm_drop_default_cache(krb5_context context
, kcm_client
*client
, char *name
)
1100 struct kcm_default_cache
**c
;
1102 for (c
= &default_caches
; *c
!= NULL
; c
= &(*c
)->next
) {
1103 if (!kcm_is_same_session(client
, (*c
)->uid
, (*c
)->session
))
1105 if (strcmp((*c
)->name
, name
) == 0) {
1106 struct kcm_default_cache
*h
= *c
;
1115 static krb5_error_code
1116 kcm_op_set_default_cache(krb5_context context
,
1118 kcm_operation opcode
,
1119 krb5_storage
*request
,
1120 krb5_storage
*response
)
1122 struct kcm_default_cache
*c
;
1123 krb5_error_code ret
;
1126 ret
= krb5_ret_stringz(request
, &name
);
1130 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
1132 for (c
= default_caches
; c
!= NULL
; c
= c
->next
) {
1133 if (kcm_is_same_session(client
, c
->uid
, c
->session
))
1137 c
= malloc(sizeof(*c
));
1142 c
->session
= client
->session
;
1143 c
->uid
= client
->uid
;
1146 c
->next
= default_caches
;
1156 static krb5_error_code
1157 kcm_op_get_kdc_offset(krb5_context context
,
1159 kcm_operation opcode
,
1160 krb5_storage
*request
,
1161 krb5_storage
*response
)
1163 krb5_error_code ret
;
1167 ret
= krb5_ret_stringz(request
, &name
);
1171 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
1173 ret
= kcm_ccache_resolve_client(context
, client
, opcode
, name
, &ccache
);
1178 HEIMDAL_MUTEX_lock(&ccache
->mutex
);
1179 ret
= krb5_store_int32(response
, ccache
->kdc_offset
);
1180 HEIMDAL_MUTEX_unlock(&ccache
->mutex
);
1182 kcm_release_ccache(context
, ccache
);
1187 static krb5_error_code
1188 kcm_op_set_kdc_offset(krb5_context context
,
1190 kcm_operation opcode
,
1191 krb5_storage
*request
,
1192 krb5_storage
*response
)
1194 krb5_error_code ret
;
1199 ret
= krb5_ret_stringz(request
, &name
);
1203 KCM_LOG_REQUEST_NAME(context
, client
, opcode
, name
);
1205 ret
= krb5_ret_int32(request
, &offset
);
1211 ret
= kcm_ccache_resolve_client(context
, client
, opcode
, name
, &ccache
);
1216 HEIMDAL_MUTEX_lock(&ccache
->mutex
);
1217 ccache
->kdc_offset
= offset
;
1218 HEIMDAL_MUTEX_unlock(&ccache
->mutex
);
1220 kcm_release_ccache(context
, ccache
);
1225 struct kcm_ntlm_cred
{
1232 struct kcm_ntlm_cred
*next
;
1235 static struct kcm_ntlm_cred
*ntlm_head
;
1238 free_cred(struct kcm_ntlm_cred
*cred
)
1242 krb5_data_free(&cred
->nthash
);
1256 static struct kcm_ntlm_cred
*
1257 find_ntlm_cred(const char *user
, const char *domain
, kcm_client
*client
)
1259 struct kcm_ntlm_cred
*c
;
1261 for (c
= ntlm_head
; c
!= NULL
; c
= c
->next
)
1262 if ((user
[0] == '\0' || strcmp(user
, c
->user
) == 0) &&
1263 (domain
== NULL
|| strcmp(domain
, c
->domain
) == 0) &&
1264 kcm_is_same_session(client
, c
->uid
, c
->session
))
1270 static krb5_error_code
1271 kcm_op_add_ntlm_cred(krb5_context context
,
1273 kcm_operation opcode
,
1274 krb5_storage
*request
,
1275 krb5_storage
*response
)
1277 struct kcm_ntlm_cred
*cred
, *c
;
1278 krb5_error_code ret
;
1280 cred
= calloc(1, sizeof(*cred
));
1284 RAND_bytes(cred
->uuid
, sizeof(cred
->uuid
));
1286 ret
= krb5_ret_stringz(request
, &cred
->user
);
1290 ret
= krb5_ret_stringz(request
, &cred
->domain
);
1294 ret
= krb5_ret_data(request
, &cred
->nthash
);
1298 /* search for dups */
1299 c
= find_ntlm_cred(cred
->user
, cred
->domain
, client
);
1301 krb5_data hash
= c
->nthash
;
1302 c
->nthash
= cred
->nthash
;
1303 cred
->nthash
= hash
;
1307 cred
->next
= ntlm_head
;
1311 cred
->uid
= client
->uid
;
1312 cred
->session
= client
->session
;
1314 /* write response */
1315 (void)krb5_storage_write(response
, &cred
->uuid
, sizeof(cred
->uuid
));
1326 * { "HAVE_NTLM_CRED", NULL },
1333 static krb5_error_code
1334 kcm_op_have_ntlm_cred(krb5_context context
,
1336 kcm_operation opcode
,
1337 krb5_storage
*request
,
1338 krb5_storage
*response
)
1340 struct kcm_ntlm_cred
*c
;
1341 char *user
= NULL
, *domain
= NULL
;
1342 krb5_error_code ret
;
1344 ret
= krb5_ret_stringz(request
, &user
);
1348 ret
= krb5_ret_stringz(request
, &domain
);
1352 if (domain
[0] == '\0') {
1357 c
= find_ntlm_cred(user
, domain
, client
);
1370 * { "DEL_NTLM_CRED", NULL },
1377 static krb5_error_code
1378 kcm_op_del_ntlm_cred(krb5_context context
,
1380 kcm_operation opcode
,
1381 krb5_storage
*request
,
1382 krb5_storage
*response
)
1384 struct kcm_ntlm_cred
**cp
, *c
;
1385 char *user
= NULL
, *domain
= NULL
;
1386 krb5_error_code ret
;
1388 ret
= krb5_ret_stringz(request
, &user
);
1392 ret
= krb5_ret_stringz(request
, &domain
);
1396 for (cp
= &ntlm_head
; *cp
!= NULL
; cp
= &(*cp
)->next
) {
1397 if (strcmp(user
, (*cp
)->user
) == 0 && strcmp(domain
, (*cp
)->domain
) == 0 &&
1398 kcm_is_same_session(client
, (*cp
)->uid
, (*cp
)->session
))
1416 * { "DO_NTLM_AUTH", NULL },
1429 #define NTLM_FLAG_SESSIONKEY 1
1430 #define NTLM_FLAG_NTLM2_SESSION 2
1431 #define NTLM_FLAG_KEYEX 4
1433 static krb5_error_code
1434 kcm_op_do_ntlm(krb5_context context
,
1436 kcm_operation opcode
,
1437 krb5_storage
*request
,
1438 krb5_storage
*response
)
1440 struct kcm_ntlm_cred
*c
;
1441 struct ntlm_type2 type2
;
1442 struct ntlm_type3 type3
;
1443 char *user
= NULL
, *domain
= NULL
;
1444 struct ntlm_buf ndata
, sessionkey
;
1446 krb5_error_code ret
;
1449 memset(&type2
, 0, sizeof(type2
));
1450 memset(&type3
, 0, sizeof(type3
));
1451 sessionkey
.data
= NULL
;
1452 sessionkey
.length
= 0;
1454 ret
= krb5_ret_stringz(request
, &user
);
1458 ret
= krb5_ret_stringz(request
, &domain
);
1462 if (domain
[0] == '\0') {
1467 c
= find_ntlm_cred(user
, domain
, client
);
1473 ret
= krb5_ret_data(request
, &data
);
1477 ndata
.data
= data
.data
;
1478 ndata
.length
= data
.length
;
1480 ret
= heim_ntlm_decode_type2(&ndata
, &type2
);
1481 krb5_data_free(&data
);
1485 if (domain
&& strcmp(domain
, type2
.targetname
) == 0) {
1490 type3
.username
= c
->user
;
1491 type3
.flags
= type2
.flags
;
1492 type3
.targetname
= type2
.targetname
;
1493 type3
.ws
= rk_UNCONST("workstation");
1496 * NTLM Version 1 if no targetinfo buffer.
1499 if (1 || type2
.targetinfo
.length
== 0) {
1500 struct ntlm_buf tmpsesskey
;
1502 if (type2
.flags
& NTLM_NEG_NTLM2_SESSION
) {
1503 unsigned char nonce
[8];
1505 if (RAND_bytes(nonce
, sizeof(nonce
)) != 1) {
1510 ret
= heim_ntlm_calculate_ntlm2_sess(nonce
,
1516 ret
= heim_ntlm_calculate_ntlm1(c
->nthash
.data
,
1525 ret
= heim_ntlm_build_ntlm1_master(c
->nthash
.data
,
1531 free(type3
.lm
.data
);
1532 if (type3
.ntlm
.data
)
1533 free(type3
.ntlm
.data
);
1537 free(tmpsesskey
.data
);
1538 flags
|= NTLM_FLAG_SESSIONKEY
;
1541 struct ntlm_buf sessionkey
;
1542 unsigned char ntlmv2
[16];
1543 struct ntlm_targetinfo ti
;
1545 /* verify infotarget */
1547 ret
= heim_ntlm_decode_targetinfo(&type2
.targetinfo
, 1, &ti
);
1549 _gss_ntlm_delete_sec_context(minor_status
,
1550 context_handle
, NULL
);
1551 *minor_status
= ret
;
1552 return GSS_S_FAILURE
;
1555 if (ti
.domainname
&& strcmp(ti
.domainname
, name
->domain
) != 0) {
1556 _gss_ntlm_delete_sec_context(minor_status
,
1557 context_handle
, NULL
);
1558 *minor_status
= EINVAL
;
1559 return GSS_S_FAILURE
;
1562 ret
= heim_ntlm_calculate_ntlm2(ctx
->client
->key
.data
,
1563 ctx
->client
->key
.length
,
1571 _gss_ntlm_delete_sec_context(minor_status
,
1572 context_handle
, NULL
);
1573 *minor_status
= ret
;
1574 return GSS_S_FAILURE
;
1577 ret
= heim_ntlm_build_ntlm1_master(ntlmv2
, sizeof(ntlmv2
),
1580 memset(ntlmv2
, 0, sizeof(ntlmv2
));
1582 _gss_ntlm_delete_sec_context(minor_status
,
1583 context_handle
, NULL
);
1584 *minor_status
= ret
;
1585 return GSS_S_FAILURE
;
1588 flags
|= NTLM_FLAG_NTLM2_SESSION
|
1591 if (type3
.flags
& NTLM_NEG_KEYEX
)
1592 flags
|= NTLM_FLAG_KEYEX
;
1594 ret
= krb5_data_copy(&ctx
->sessionkey
,
1595 sessionkey
.data
, sessionkey
.length
);
1596 free(sessionkey
.data
);
1598 _gss_ntlm_delete_sec_context(minor_status
,
1599 context_handle
, NULL
);
1600 *minor_status
= ret
;
1601 return GSS_S_FAILURE
;
1607 if (flags
& NTLM_FLAG_NTLM2_SESSION
) {
1608 _gss_ntlm_set_key(&ctx
->u
.v2
.send
, 0, (ctx
->flags
& NTLM_NEG_KEYEX
),
1609 ctx
->sessionkey
.data
,
1610 ctx
->sessionkey
.length
);
1611 _gss_ntlm_set_key(&ctx
->u
.v2
.recv
, 1, (ctx
->flags
& NTLM_NEG_KEYEX
),
1612 ctx
->sessionkey
.data
,
1613 ctx
->sessionkey
.length
);
1615 flags
|= NTLM_FLAG_SESSION
;
1616 RC4_set_key(&ctx
->u
.v1
.crypto_recv
.key
,
1617 ctx
->sessionkey
.length
,
1618 ctx
->sessionkey
.data
);
1619 RC4_set_key(&ctx
->u
.v1
.crypto_send
.key
,
1620 ctx
->sessionkey
.length
,
1621 ctx
->sessionkey
.data
);
1625 ret
= heim_ntlm_encode_type3(&type3
, &ndata
, NULL
);
1629 data
.data
= ndata
.data
;
1630 data
.length
= ndata
.length
;
1631 ret
= krb5_store_data(response
, data
);
1632 heim_ntlm_free_buf(&ndata
);
1633 if (ret
) goto error
;
1635 ret
= krb5_store_int32(response
, flags
);
1636 if (ret
) goto error
;
1638 data
.data
= sessionkey
.data
;
1639 data
.length
= sessionkey
.length
;
1641 ret
= krb5_store_data(response
, data
);
1642 if (ret
) goto error
;
1645 free(type3
.username
);
1646 heim_ntlm_free_type2(&type2
);
1656 * { "GET_NTLM_UUID_LIST", NULL }
1663 static krb5_error_code
1664 kcm_op_get_ntlm_user_list(krb5_context context
,
1666 kcm_operation opcode
,
1667 krb5_storage
*request
,
1668 krb5_storage
*response
)
1670 struct kcm_ntlm_cred
*c
;
1671 krb5_error_code ret
;
1673 for (c
= ntlm_head
; c
!= NULL
; c
= c
->next
) {
1674 if (!kcm_is_same_session(client
, c
->uid
, c
->session
))
1677 ret
= krb5_store_uint32(response
, 1);
1680 ret
= krb5_store_stringz(response
, c
->user
);
1683 ret
= krb5_store_stringz(response
, c
->domain
);
1687 return krb5_store_uint32(response
, 0);
1694 static struct kcm_op kcm_ops
[] = {
1695 { "NOOP", kcm_op_noop
},
1696 { "GET_NAME", kcm_op_get_name
},
1697 { "RESOLVE", kcm_op_noop
},
1698 { "GEN_NEW", kcm_op_gen_new
},
1699 { "INITIALIZE", kcm_op_initialize
},
1700 { "DESTROY", kcm_op_destroy
},
1701 { "STORE", kcm_op_store
},
1702 { "RETRIEVE", kcm_op_retrieve
},
1703 { "GET_PRINCIPAL", kcm_op_get_principal
},
1704 { "GET_CRED_UUID_LIST", kcm_op_get_cred_uuid_list
},
1705 { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid
},
1706 { "REMOVE_CRED", kcm_op_remove_cred
},
1707 { "SET_FLAGS", kcm_op_set_flags
},
1708 { "CHOWN", kcm_op_chown
},
1709 { "CHMOD", kcm_op_chmod
},
1710 { "GET_INITIAL_TICKET", kcm_op_get_initial_ticket
},
1711 { "GET_TICKET", kcm_op_get_ticket
},
1712 { "MOVE_CACHE", kcm_op_move_cache
},
1713 { "GET_CACHE_UUID_LIST", kcm_op_get_cache_uuid_list
},
1714 { "GET_CACHE_BY_UUID", kcm_op_get_cache_by_uuid
},
1715 { "GET_DEFAULT_CACHE", kcm_op_get_default_cache
},
1716 { "SET_DEFAULT_CACHE", kcm_op_set_default_cache
},
1717 { "GET_KDC_OFFSET", kcm_op_get_kdc_offset
},
1718 { "SET_KDC_OFFSET", kcm_op_set_kdc_offset
},
1719 { "ADD_NTLM_CRED", kcm_op_add_ntlm_cred
},
1720 { "HAVE_USER_CRED", kcm_op_have_ntlm_cred
},
1721 { "DEL_NTLM_CRED", kcm_op_del_ntlm_cred
},
1722 { "DO_NTLM_AUTH", kcm_op_do_ntlm
},
1723 { "GET_NTLM_USER_LIST", kcm_op_get_ntlm_user_list
}
1728 kcm_op2string(kcm_operation opcode
)
1730 if (opcode
>= sizeof(kcm_ops
)/sizeof(kcm_ops
[0]))
1731 return "Unknown operation";
1733 return kcm_ops
[opcode
].name
;
1737 kcm_dispatch(krb5_context context
,
1739 krb5_data
*req_data
,
1740 krb5_data
*resp_data
)
1742 krb5_error_code ret
;
1744 krb5_storage
*req_sp
= NULL
;
1745 krb5_storage
*resp_sp
= NULL
;
1748 krb5_data_zero(resp_data
);
1749 resp_sp
= krb5_storage_emem();
1750 if (resp_sp
== NULL
) {
1754 if (client
->pid
== -1) {
1755 kcm_log(0, "Client had invalid process number");
1756 ret
= KRB5_FCC_INTERNAL
;
1760 req_sp
= krb5_storage_from_data(req_data
);
1761 if (req_sp
== NULL
) {
1762 kcm_log(0, "Process %d: failed to initialize storage from data",
1768 ret
= krb5_ret_uint16(req_sp
, &opcode
);
1770 kcm_log(0, "Process %d: didn't send a message", client
->pid
);
1774 if (opcode
>= sizeof(kcm_ops
)/sizeof(kcm_ops
[0])) {
1775 kcm_log(0, "Process %d: invalid operation code %d",
1776 client
->pid
, opcode
);
1777 ret
= KRB5_FCC_INTERNAL
;
1780 method
= kcm_ops
[opcode
].method
;
1781 if (method
== NULL
) {
1782 kcm_log(0, "Process %d: operation code %s not implemented",
1783 client
->pid
, kcm_op2string(opcode
));
1784 ret
= KRB5_FCC_INTERNAL
;
1788 /* seek past place for status code */
1789 krb5_storage_seek(resp_sp
, 4, SEEK_SET
);
1791 ret
= (*method
)(context
, client
, opcode
, req_sp
, resp_sp
);
1794 if (req_sp
!= NULL
) {
1795 krb5_storage_free(req_sp
);
1799 krb5_error_code ret2
;
1801 krb5_storage_seek(resp_sp
, 0, SEEK_SET
);
1802 ret2
= krb5_store_int32(resp_sp
, ret
);
1804 ret2
= krb5_storage_to_data(resp_sp
, resp_data
);
1805 krb5_storage_free(resp_sp
);