xref: /freebsd/crypto/heimdal/kpasswd/kpasswdd.c (revision 3ff369fed2a08f32dda232c10470b949bef9489f)
1 /*
2  * Copyright (c) 1997-2001 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kpasswd_locl.h"
35 RCSID("$Id: kpasswdd.c,v 1.52 2001/07/02 16:27:09 assar Exp $");
36 
37 #include <kadm5/admin.h>
38 
39 #include <hdb.h>
40 
41 static krb5_context context;
42 static krb5_log_facility *log_facility;
43 
44 static sig_atomic_t exit_flag = 0;
45 
46 static void
47 send_reply (int s,
48 	    struct sockaddr *sa,
49 	    int sa_size,
50 	    krb5_data *ap_rep,
51 	    krb5_data *rest)
52 {
53     struct msghdr msghdr;
54     struct iovec iov[3];
55     u_int16_t len, ap_rep_len;
56     u_char header[6];
57     u_char *p;
58 
59     if (ap_rep)
60 	ap_rep_len = ap_rep->length;
61     else
62 	ap_rep_len = 0;
63 
64     len = 6 + ap_rep_len + rest->length;
65     p = header;
66     *p++ = (len >> 8) & 0xFF;
67     *p++ = (len >> 0) & 0xFF;
68     *p++ = 0;
69     *p++ = 1;
70     *p++ = (ap_rep_len >> 8) & 0xFF;
71     *p++ = (ap_rep_len >> 0) & 0xFF;
72 
73     memset (&msghdr, 0, sizeof(msghdr));
74     msghdr.msg_name       = (void *)sa;
75     msghdr.msg_namelen    = sa_size;
76     msghdr.msg_iov        = iov;
77     msghdr.msg_iovlen     = sizeof(iov)/sizeof(*iov);
78 #if 0
79     msghdr.msg_control    = NULL;
80     msghdr.msg_controllen = 0;
81 #endif
82 
83     iov[0].iov_base       = (char *)header;
84     iov[0].iov_len        = 6;
85     if (ap_rep_len) {
86 	iov[1].iov_base   = ap_rep->data;
87 	iov[1].iov_len    = ap_rep->length;
88     } else {
89 	iov[1].iov_base   = NULL;
90 	iov[1].iov_len    = 0;
91     }
92     iov[2].iov_base       = rest->data;
93     iov[2].iov_len        = rest->length;
94 
95     if (sendmsg (s, &msghdr, 0) < 0)
96 	krb5_warn (context, errno, "sendmsg");
97 }
98 
99 static int
100 make_result (krb5_data *data,
101 	     u_int16_t result_code,
102 	     const char *expl)
103 {
104     krb5_data_zero (data);
105 
106     data->length = asprintf ((char **)&data->data,
107 			     "%c%c%s",
108 			     (result_code >> 8) & 0xFF,
109 			     result_code & 0xFF,
110 			     expl);
111 
112     if (data->data == NULL) {
113 	krb5_warnx (context, "Out of memory generating error reply");
114 	return 1;
115     }
116     return 0;
117 }
118 
119 static void
120 reply_error (krb5_principal server,
121 	     int s,
122 	     struct sockaddr *sa,
123 	     int sa_size,
124 	     krb5_error_code error_code,
125 	     u_int16_t result_code,
126 	     const char *expl)
127 {
128     krb5_error_code ret;
129     krb5_data error_data;
130     krb5_data e_data;
131 
132     if (make_result(&e_data, result_code, expl))
133 	return;
134 
135     ret = krb5_mk_error (context,
136 			 error_code,
137 			 NULL,
138 			 &e_data,
139 			 NULL,
140 			 server,
141 			 NULL,
142 			 NULL,
143 			 &error_data);
144     krb5_data_free (&e_data);
145     if (ret) {
146 	krb5_warn (context, ret, "Could not even generate error reply");
147 	return;
148     }
149     send_reply (s, sa, sa_size, NULL, &error_data);
150     krb5_data_free (&error_data);
151 }
152 
153 static void
154 reply_priv (krb5_auth_context auth_context,
155 	    int s,
156 	    struct sockaddr *sa,
157 	    int sa_size,
158 	    u_int16_t result_code,
159 	    const char *expl)
160 {
161     krb5_error_code ret;
162     krb5_data krb_priv_data;
163     krb5_data ap_rep_data;
164     krb5_data e_data;
165 
166     ret = krb5_mk_rep (context,
167 		       auth_context,
168 		       &ap_rep_data);
169     if (ret) {
170 	krb5_warn (context, ret, "Could not even generate error reply");
171 	return;
172     }
173 
174     if (make_result(&e_data, result_code, expl))
175 	return;
176 
177     ret = krb5_mk_priv (context,
178 			auth_context,
179 			&e_data,
180 			&krb_priv_data,
181 			NULL);
182     krb5_data_free (&e_data);
183     if (ret) {
184 	krb5_warn (context, ret, "Could not even generate error reply");
185 	return;
186     }
187     send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
188     krb5_data_free (&ap_rep_data);
189     krb5_data_free (&krb_priv_data);
190 }
191 
192 /*
193  * Change the password for `principal', sending the reply back on `s'
194  * (`sa', `sa_size') to `pwd_data'.
195  */
196 
197 static void
198 change (krb5_auth_context auth_context,
199 	krb5_principal principal,
200 	int s,
201 	struct sockaddr *sa,
202 	int sa_size,
203 	krb5_data *pwd_data)
204 {
205     krb5_error_code ret;
206     char *client;
207     const char *pwd_reason;
208     kadm5_config_params conf;
209     void *kadm5_handle;
210     char *tmp;
211 
212     memset (&conf, 0, sizeof(conf));
213 
214     krb5_unparse_name (context, principal, &client);
215 
216     ret = kadm5_init_with_password_ctx(context,
217 				       client,
218 				       NULL,
219 				       KADM5_ADMIN_SERVICE,
220 				       &conf, 0, 0,
221 				       &kadm5_handle);
222     if (ret) {
223 	free (client);
224 	krb5_warn (context, ret, "kadm5_init_with_password_ctx");
225 	reply_priv (auth_context, s, sa, sa_size, 2,
226 		    "Internal error");
227 	return;
228     }
229 
230     krb5_warnx (context, "Changing password for %s", client);
231     free (client);
232 
233     pwd_reason = kadm5_check_password_quality (context, principal, pwd_data);
234     if (pwd_reason != NULL ) {
235 	krb5_warnx (context, "%s", pwd_reason);
236 	reply_priv (auth_context, s, sa, sa_size, 4, pwd_reason);
237 	kadm5_destroy (kadm5_handle);
238 	return;
239     }
240 
241     tmp = malloc (pwd_data->length + 1);
242     if (tmp == NULL) {
243 	krb5_warnx (context, "malloc: out of memory");
244 	reply_priv (auth_context, s, sa, sa_size, 2,
245 		    "Internal error");
246 	goto out;
247     }
248     memcpy (tmp, pwd_data->data, pwd_data->length);
249     tmp[pwd_data->length] = '\0';
250 
251     ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
252     memset (tmp, 0, pwd_data->length);
253     free (tmp);
254     if (ret) {
255 	krb5_warn (context, ret, "kadm5_s_chpass_principal_cond");
256 	reply_priv (auth_context, s, sa, sa_size, 2,
257 		    "Internal error");
258 	goto out;
259     }
260     reply_priv (auth_context, s, sa, sa_size, 0, "Password changed");
261 out:
262     kadm5_destroy (kadm5_handle);
263 }
264 
265 static int
266 verify (krb5_auth_context *auth_context,
267 	krb5_principal server,
268 	krb5_keytab keytab,
269 	krb5_ticket **ticket,
270 	krb5_data *out_data,
271 	int s,
272 	struct sockaddr *sa,
273 	int sa_size,
274 	u_char *msg,
275 	size_t len)
276 {
277     krb5_error_code ret;
278     u_int16_t pkt_len, pkt_ver, ap_req_len;
279     krb5_data ap_req_data;
280     krb5_data krb_priv_data;
281 
282     pkt_len = (msg[0] << 8) | (msg[1]);
283     pkt_ver = (msg[2] << 8) | (msg[3]);
284     ap_req_len = (msg[4] << 8) | (msg[5]);
285     if (pkt_len != len) {
286 	krb5_warnx (context, "Strange len: %ld != %ld",
287 		    (long)pkt_len, (long)len);
288 	reply_error (server, s, sa, sa_size, 0, 1, "Bad request");
289 	return 1;
290     }
291     if (pkt_ver != 0x0001) {
292 	krb5_warnx (context, "Bad version (%d)", pkt_ver);
293 	reply_error (server, s, sa, sa_size, 0, 1, "Wrong program version");
294 	return 1;
295     }
296 
297     ap_req_data.data   = msg + 6;
298     ap_req_data.length = ap_req_len;
299 
300     ret = krb5_rd_req (context,
301 		       auth_context,
302 		       &ap_req_data,
303 		       server,
304 		       keytab,
305 		       NULL,
306 		       ticket);
307     if (ret) {
308 	if(ret == KRB5_KT_NOTFOUND) {
309 	    char *name;
310 	    krb5_unparse_name(context, server, &name);
311 	    krb5_warnx (context, "krb5_rd_req: %s (%s)",
312 			krb5_get_err_text(context, ret), name);
313 	    free(name);
314 	} else
315 	    krb5_warn (context, ret, "krb5_rd_req");
316 	reply_error (server, s, sa, sa_size, ret, 3, "Authentication failed");
317 	return 1;
318     }
319 
320     if (!(*ticket)->ticket.flags.initial) {
321 	krb5_warnx (context, "initial flag not set");
322 	reply_error (server, s, sa, sa_size, ret, 1,
323 		     "Bad request");
324 	goto out;
325     }
326     krb_priv_data.data   = msg + 6 + ap_req_len;
327     krb_priv_data.length = len - 6 - ap_req_len;
328 
329     ret = krb5_rd_priv (context,
330 			*auth_context,
331 			&krb_priv_data,
332 			out_data,
333 			NULL);
334 
335     if (ret) {
336 	krb5_warn (context, ret, "krb5_rd_priv");
337 	reply_error (server, s, sa, sa_size, ret, 3, "Bad request");
338 	goto out;
339     }
340     return 0;
341 out:
342     krb5_free_ticket (context, *ticket);
343     return 1;
344 }
345 
346 static void
347 process (krb5_principal server,
348 	 krb5_keytab keytab,
349 	 int s,
350 	 krb5_address *this_addr,
351 	 struct sockaddr *sa,
352 	 int sa_size,
353 	 u_char *msg,
354 	 int len)
355 {
356     krb5_error_code ret;
357     krb5_auth_context auth_context = NULL;
358     krb5_data out_data;
359     krb5_ticket *ticket;
360     krb5_address other_addr;
361 
362     krb5_data_zero (&out_data);
363 
364     ret = krb5_auth_con_init (context, &auth_context);
365     if (ret) {
366 	krb5_warn (context, ret, "krb5_auth_con_init");
367 	return;
368     }
369 
370     krb5_auth_con_setflags (context, auth_context,
371 			    KRB5_AUTH_CONTEXT_DO_SEQUENCE);
372 
373     ret = krb5_sockaddr2address (context, sa, &other_addr);
374     if (ret) {
375 	krb5_warn (context, ret, "krb5_sockaddr2address");
376 	goto out;
377     }
378 
379     ret = krb5_auth_con_setaddrs (context,
380 				  auth_context,
381 				  this_addr,
382 				  &other_addr);
383     krb5_free_address (context, &other_addr);
384     if (ret) {
385 	krb5_warn (context, ret, "krb5_auth_con_setaddr");
386 	goto out;
387     }
388 
389     if (verify (&auth_context, server, keytab, &ticket, &out_data,
390 		s, sa, sa_size, msg, len) == 0) {
391 	change (auth_context,
392 		ticket->client,
393 		s,
394 		sa, sa_size,
395 		&out_data);
396 	memset (out_data.data, 0, out_data.length);
397 	krb5_free_ticket (context, ticket);
398 	free (ticket);
399     }
400 
401 out:
402     krb5_data_free (&out_data);
403     krb5_auth_con_free (context, auth_context);
404 }
405 
406 static int
407 doit (krb5_keytab keytab, int port)
408 {
409     krb5_error_code ret;
410     krb5_principal server;
411     int *sockets;
412     int maxfd;
413     char *realm;
414     krb5_addresses addrs;
415     unsigned n, i;
416     fd_set real_fdset;
417     struct sockaddr_storage __ss;
418     struct sockaddr *sa = (struct sockaddr *)&__ss;
419 
420     ret = krb5_get_default_realm (context, &realm);
421     if (ret)
422 	krb5_err (context, 1, ret, "krb5_get_default_realm");
423 
424     ret = krb5_build_principal (context,
425 				&server,
426 				strlen(realm),
427 				realm,
428 				"kadmin",
429 				"changepw",
430 				NULL);
431     if (ret)
432 	krb5_err (context, 1, ret, "krb5_build_principal");
433 
434     free (realm);
435 
436     ret = krb5_get_all_server_addrs (context, &addrs);
437     if (ret)
438 	krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
439 
440     n = addrs.len;
441 
442     sockets = malloc (n * sizeof(*sockets));
443     if (sockets == NULL)
444 	krb5_errx (context, 1, "out of memory");
445     maxfd = -1;
446     FD_ZERO(&real_fdset);
447     for (i = 0; i < n; ++i) {
448 	int sa_size;
449 
450 	krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
451 
452 	sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
453 	if (sockets[i] < 0)
454 	    krb5_err (context, 1, errno, "socket");
455 	if (bind (sockets[i], sa, sa_size) < 0) {
456 	    char str[128];
457 	    size_t len;
458 	    int save_errno = errno;
459 
460 	    ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
461 	    if (ret)
462 		strlcpy(str, "unknown address", sizeof(str));
463 	    krb5_warn (context, save_errno, "bind(%s)", str);
464 	    continue;
465 	}
466 	maxfd = max (maxfd, sockets[i]);
467 	if (maxfd >= FD_SETSIZE)
468 	    krb5_errx (context, 1, "fd too large");
469 	FD_SET(sockets[i], &real_fdset);
470     }
471     if (maxfd == -1)
472 	krb5_errx (context, 1, "No sockets!");
473 
474     while(exit_flag == 0) {
475 	int ret;
476 	fd_set fdset = real_fdset;
477 
478 	ret = select (maxfd + 1, &fdset, NULL, NULL, NULL);
479 	if (ret < 0) {
480 	    if (errno == EINTR)
481 		continue;
482 	    else
483 		krb5_err (context, 1, errno, "select");
484 	}
485 	for (i = 0; i < n; ++i)
486 	    if (FD_ISSET(sockets[i], &fdset)) {
487 		u_char buf[BUFSIZ];
488 		socklen_t addrlen = sizeof(__ss);
489 
490 		ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
491 				sa, &addrlen);
492 		if (ret < 0) {
493 		    if(errno == EINTR)
494 			break;
495 		    else
496 			krb5_err (context, 1, errno, "recvfrom");
497 		}
498 
499 		process (server, keytab, sockets[i],
500 			 &addrs.val[i],
501 			 sa, addrlen,
502 			 buf, ret);
503 	    }
504     }
505     krb5_free_addresses (context, &addrs);
506     krb5_free_principal (context, server);
507     krb5_free_context (context);
508     return 0;
509 }
510 
511 static RETSIGTYPE
512 sigterm(int sig)
513 {
514     exit_flag = 1;
515 }
516 
517 const char *check_library  = NULL;
518 const char *check_function = NULL;
519 char *keytab_str = "HDB:";
520 char *realm_str;
521 int version_flag;
522 int help_flag;
523 char *port_str;
524 
525 struct getargs args[] = {
526 #ifdef HAVE_DLOPEN
527     { "check-library", 0, arg_string, &check_library,
528       "library to load password check function from", "library" },
529     { "check-function", 0, arg_string, &check_function,
530       "password check function to load", "function" },
531 #endif
532     { "keytab", 'k', arg_string, &keytab_str,
533       "keytab to get authentication key from", "kspec" },
534     { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
535     { "port",  'p', arg_string, &port_str, "port" },
536     { "version", 0, arg_flag, &version_flag },
537     { "help", 0, arg_flag, &help_flag }
538 };
539 int num_args = sizeof(args) / sizeof(args[0]);
540 
541 int
542 main (int argc, char **argv)
543 {
544     int optind;
545     krb5_keytab keytab;
546     krb5_error_code ret;
547     int port;
548 
549     optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
550 
551     if(help_flag)
552 	krb5_std_usage(0, args, num_args);
553     if(version_flag) {
554 	print_version(NULL);
555 	exit(0);
556     }
557 
558     if(realm_str)
559 	krb5_set_default_realm(context, realm_str);
560 
561     krb5_openlog (context, "kpasswdd", &log_facility);
562     krb5_set_warn_dest(context, log_facility);
563 
564     if (port_str != NULL) {
565 	struct servent *s = roken_getservbyname (port_str, "udp");
566 
567 	if (s != NULL)
568 	    port = s->s_port;
569 	else {
570 	    char *ptr;
571 
572 	    port = strtol (port_str, &ptr, 10);
573 	    if (port == 0 && ptr == port_str)
574 		krb5_errx (context, 1, "bad port `%s'", port_str);
575 	    port = htons(port);
576 	}
577     } else
578 	port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT);
579 
580     ret = krb5_kt_register(context, &hdb_kt_ops);
581     if(ret)
582 	krb5_err(context, 1, ret, "krb5_kt_register");
583 
584     ret = krb5_kt_resolve(context, keytab_str, &keytab);
585     if(ret)
586 	krb5_err(context, 1, ret, "%s", keytab_str);
587 
588     kadm5_setup_passwd_quality_check (context, check_library, check_function);
589 
590 #ifdef HAVE_SIGACTION
591     {
592 	struct sigaction sa;
593 
594 	sa.sa_flags = 0;
595 	sa.sa_handler = sigterm;
596 	sigemptyset(&sa.sa_mask);
597 
598 	sigaction(SIGINT,  &sa, NULL);
599 	sigaction(SIGTERM, &sa, NULL);
600     }
601 #else
602     signal(SIGINT,  sigterm);
603     signal(SIGTERM, sigterm);
604 #endif
605 
606     pidfile(NULL);
607 
608     return doit (keytab, port);
609 }
610