1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345
|
/* -*- mode: c; c-file-style: "bsd"; indent-tabs-mode: t -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
*
*/
#include <k5-int.h>
#include <gssrpc/rpc.h>
#include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */
#include <syslog.h>
#include <kadm5/kadm_rpc.h>
#include <krb5.h>
#include <kadm5/admin.h>
#include <adm_proto.h>
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#include "misc.h"
#include "kadm5/server_internal.h"
extern void *global_server_handle;
static int check_rpcsec_auth(struct svc_req *);
/*
* Function: kadm_1
*
* Purpose: RPC proccessing procedure.
* originally generated from rpcgen
*
* Arguments:
* rqstp (input) rpc request structure
* transp (input) rpc transport structure
* (input/output)
* <return value>
*
* Requires:
* Effects:
* Modifies:
*/
void kadm_1(rqstp, transp)
struct svc_req *rqstp;
register SVCXPRT *transp;
{
union {
cprinc_arg create_principal_2_arg;
dprinc_arg delete_principal_2_arg;
mprinc_arg modify_principal_2_arg;
rprinc_arg rename_principal_2_arg;
gprinc_arg get_principal_2_arg;
chpass_arg chpass_principal_2_arg;
chrand_arg chrand_principal_2_arg;
cpol_arg create_policy_2_arg;
dpol_arg delete_policy_2_arg;
mpol_arg modify_policy_2_arg;
gpol_arg get_policy_2_arg;
setkey_arg setkey_principal_2_arg;
setv4key_arg setv4key_principal_2_arg;
cprinc3_arg create_principal3_2_arg;
chpass3_arg chpass_principal3_2_arg;
chrand3_arg chrand_principal3_2_arg;
setkey3_arg setkey_principal3_2_arg;
} argument;
char *result;
bool_t (*xdr_argument)(), (*xdr_result)();
char *(*local)();
if (rqstp->rq_cred.oa_flavor != AUTH_GSSAPI &&
!check_rpcsec_auth(rqstp)) {
krb5_klog_syslog(LOG_ERR, "Authentication attempt failed: %s, "
"RPC authentication flavor %d",
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
rqstp->rq_cred.oa_flavor);
svcerr_weakauth(transp);
return;
}
switch (rqstp->rq_proc) {
case NULLPROC:
(void) svc_sendreply(transp, xdr_void, (char *)NULL);
return;
case CREATE_PRINCIPAL:
xdr_argument = xdr_cprinc_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) create_principal_2_svc;
break;
case DELETE_PRINCIPAL:
xdr_argument = xdr_dprinc_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) delete_principal_2_svc;
break;
case MODIFY_PRINCIPAL:
xdr_argument = xdr_mprinc_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) modify_principal_2_svc;
break;
case RENAME_PRINCIPAL:
xdr_argument = xdr_rprinc_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) rename_principal_2_svc;
break;
case GET_PRINCIPAL:
xdr_argument = xdr_gprinc_arg;
xdr_result = xdr_gprinc_ret;
local = (char *(*)()) get_principal_2_svc;
break;
case GET_PRINCS:
xdr_argument = xdr_gprincs_arg;
xdr_result = xdr_gprincs_ret;
local = (char *(*)()) get_princs_2_svc;
break;
case CHPASS_PRINCIPAL:
xdr_argument = xdr_chpass_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) chpass_principal_2_svc;
break;
case SETV4KEY_PRINCIPAL:
xdr_argument = xdr_setv4key_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) setv4key_principal_2_svc;
break;
case SETKEY_PRINCIPAL:
xdr_argument = xdr_setkey_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) setkey_principal_2_svc;
break;
case CHRAND_PRINCIPAL:
xdr_argument = xdr_chrand_arg;
xdr_result = xdr_chrand_ret;
local = (char *(*)()) chrand_principal_2_svc;
break;
case CREATE_POLICY:
xdr_argument = xdr_cpol_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) create_policy_2_svc;
break;
case DELETE_POLICY:
xdr_argument = xdr_dpol_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) delete_policy_2_svc;
break;
case MODIFY_POLICY:
xdr_argument = xdr_mpol_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) modify_policy_2_svc;
break;
case GET_POLICY:
xdr_argument = xdr_gpol_arg;
xdr_result = xdr_gpol_ret;
local = (char *(*)()) get_policy_2_svc;
break;
case GET_POLS:
xdr_argument = xdr_gpols_arg;
xdr_result = xdr_gpols_ret;
local = (char *(*)()) get_pols_2_svc;
break;
case GET_PRIVS:
xdr_argument = xdr_u_int32;
xdr_result = xdr_getprivs_ret;
local = (char *(*)()) get_privs_2_svc;
break;
case INIT:
xdr_argument = xdr_u_int32;
xdr_result = xdr_generic_ret;
local = (char *(*)()) init_2_svc;
break;
case CREATE_PRINCIPAL3:
xdr_argument = xdr_cprinc3_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) create_principal3_2_svc;
break;
case CHPASS_PRINCIPAL3:
xdr_argument = xdr_chpass3_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) chpass_principal3_2_svc;
break;
case CHRAND_PRINCIPAL3:
xdr_argument = xdr_chrand3_arg;
xdr_result = xdr_chrand_ret;
local = (char *(*)()) chrand_principal3_2_svc;
break;
case SETKEY_PRINCIPAL3:
xdr_argument = xdr_setkey3_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) setkey_principal3_2_svc;
break;
case PURGEKEYS:
xdr_argument = xdr_purgekeys_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) purgekeys_2_svc;
break;
case GET_STRINGS:
xdr_argument = xdr_gstrings_arg;
xdr_result = xdr_gstrings_ret;
local = (char *(*)()) get_strings_2_svc;
break;
case SET_STRING:
xdr_argument = xdr_sstring_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) set_string_2_svc;
break;
default:
krb5_klog_syslog(LOG_ERR, "Invalid KADM5 procedure number: %s, %d",
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
rqstp->rq_proc);
svcerr_noproc(transp);
return;
}
memset(&argument, 0, sizeof(argument));
if (!svc_getargs(transp, xdr_argument, &argument)) {
svcerr_decode(transp);
return;
}
result = (*local)(&argument, rqstp);
if (result != NULL && !svc_sendreply(transp, xdr_result, result)) {
krb5_klog_syslog(LOG_ERR, "WARNING! Unable to send function results, "
"continuing.");
svcerr_systemerr(transp);
}
if (!svc_freeargs(transp, xdr_argument, &argument)) {
krb5_klog_syslog(LOG_ERR, "WARNING! Unable to free arguments, "
"continuing.");
}
return;
}
static int
check_rpcsec_auth(struct svc_req *rqstp)
{
gss_ctx_id_t ctx;
krb5_context kctx;
OM_uint32 maj_stat, min_stat;
gss_name_t name;
krb5_principal princ;
int ret, success;
krb5_data *c1, *c2, *realm;
gss_buffer_desc gss_str;
kadm5_server_handle_t handle;
size_t slen;
char *sdots;
success = 0;
handle = (kadm5_server_handle_t)global_server_handle;
if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS)
return 0;
ctx = rqstp->rq_svccred;
maj_stat = gss_inquire_context(&min_stat, ctx, NULL, &name,
NULL, NULL, NULL, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE) {
krb5_klog_syslog(LOG_ERR, _("check_rpcsec_auth: failed "
"inquire_context, stat=%u"), maj_stat);
log_badauth(maj_stat, min_stat,
&rqstp->rq_xprt->xp_raddr, NULL);
goto fail_name;
}
kctx = handle->context;
ret = gss_to_krb5_name_1(rqstp, kctx, name, &princ, &gss_str);
if (ret == 0)
goto fail_name;
slen = gss_str.length;
trunc_name(&slen, &sdots);
/*
* Since we accept with GSS_C_NO_NAME, the client can authenticate
* against the entire kdb. Therefore, ensure that the service
* name is something reasonable.
*/
if (krb5_princ_size(kctx, princ) != 2)
goto fail_princ;
c1 = krb5_princ_component(kctx, princ, 0);
c2 = krb5_princ_component(kctx, princ, 1);
realm = krb5_princ_realm(kctx, princ);
success = data_eq_string(*realm, handle->params.realm) &&
data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");
fail_princ:
if (!success) {
krb5_klog_syslog(LOG_ERR, _("bad service principal %.*s%s"),
(int) slen, (char *) gss_str.value, sdots);
}
gss_release_buffer(&min_stat, &gss_str);
krb5_free_principal(kctx, princ);
fail_name:
gss_release_name(&min_stat, &name);
return success;
}
int
gss_to_krb5_name_1(struct svc_req *rqstp, krb5_context ctx, gss_name_t gss_name,
krb5_principal *princ, gss_buffer_t gss_str)
{
OM_uint32 status, minor_stat;
gss_OID gss_type;
char *str;
int success;
status = gss_display_name(&minor_stat, gss_name, gss_str, &gss_type);
if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name)) {
krb5_klog_syslog(LOG_ERR, _("gss_to_krb5_name: failed display_name "
"status %d"), status);
log_badauth(status, minor_stat,
&rqstp->rq_xprt->xp_raddr, NULL);
return 0;
}
str = malloc(gss_str->length +1);
if (str == NULL)
return 0;
*str = '\0';
strncat(str, gss_str->value, gss_str->length);
success = (krb5_parse_name(ctx, str, princ) == 0);
free(str);
return success;
}
|