#include "kpasswd_locl.h"
#include <kadm5/admin.h>
#ifdef HAVE_SYS_UN_H
#include <sys/un.h>
#endif
#include <hdb.h>
#include <heim-ipc.h>
#include <kadm5/private.h>
static void terminated(void *) __attribute__((__noreturn__));
static void usage(int) __attribute__((__noreturn__));
static void doit(int) __attribute__((__noreturn__));
static krb5_context context;
static krb5_log_facility *log_facility;
static struct getarg_strings addresses_str;
krb5_addresses explicit_addresses;
static krb5_keytab global_keytab = NULL;
static void
add_one_address (const char *str, int first)
{
krb5_error_code ret;
krb5_addresses tmp;
ret = krb5_parse_address (context, str, &tmp);
if (ret)
krb5_err (context, 1, ret, "parse_address `%s'", str);
if (first)
krb5_copy_addresses(context, &tmp, &explicit_addresses);
else
krb5_append_addresses(context, &explicit_addresses, &tmp);
krb5_free_addresses (context, &tmp);
}
static void
send_reply(krb5_data *ap_rep, krb5_data *rest,
krb5_data *out_data)
{
uint16_t ap_rep_len;
u_char *p;
if (ap_rep)
ap_rep_len = ap_rep->length;
else
ap_rep_len = 0;
if (krb5_data_alloc(out_data, 6 + ap_rep_len + rest->length))
return;
p = out_data->data;
*p++ = (out_data->length >> 8) & 0xFF;
*p++ = (out_data->length >> 0) & 0xFF;
*p++ = 0;
*p++ = 1;
*p++ = (ap_rep_len >> 8) & 0xFF;
*p++ = (ap_rep_len >> 0) & 0xFF;
if (ap_rep_len) {
memcpy(p, ap_rep->data, ap_rep->length);
p += ap_rep->length;
}
memcpy(p, rest->data, rest->length);
}
static int
make_result (krb5_data *data,
uint16_t result_code,
const char *expl)
{
char *str;
krb5_data_zero (data);
data->length = asprintf (&str,
"%c%c%s",
(result_code >> 8) & 0xFF,
result_code & 0xFF,
expl);
if (str == NULL) {
krb5_warnx (context, "Out of memory generating error reply");
return 1;
}
data->data = str;
return 0;
}
static void
reply_error(krb5_realm realm,
krb5_error_code error_code,
uint16_t result_code,
const char *expl,
krb5_data *out_data)
{
krb5_error_code ret;
krb5_data error_data;
krb5_data e_data;
krb5_principal server = NULL;
if (make_result(&e_data, result_code, expl))
return;
if (realm) {
ret = krb5_make_principal (context, &server, realm,
"kadmin", "changepw", NULL);
if (ret) {
krb5_data_free (&e_data);
return;
}
}
ret = krb5_mk_error (context,
error_code,
NULL,
&e_data,
NULL,
server,
NULL,
NULL,
&error_data);
if (server)
krb5_free_principal(context, server);
krb5_data_free (&e_data);
if (ret) {
krb5_warn (context, ret, "Could not even generate error reply");
return;
}
send_reply(NULL, &error_data, out_data);
krb5_data_free (&error_data);
}
static void
reply_priv(krb5_auth_context auth_context,
uint16_t result_code,
const char *expl,
krb5_data *out_data)
{
krb5_error_code ret;
krb5_data krb_priv_data;
krb5_data ap_rep_data;
krb5_data e_data;
ret = krb5_mk_rep (context,
auth_context,
&ap_rep_data);
if (ret) {
krb5_warn (context, ret, "Could not even generate error reply");
return;
}
if (make_result(&e_data, result_code, expl))
return;
ret = krb5_mk_priv (context,
auth_context,
&e_data,
&krb_priv_data,
NULL);
krb5_data_free (&e_data);
if (ret) {
krb5_warn (context, ret, "Could not even generate error reply");
return;
}
send_reply(&ap_rep_data, &krb_priv_data, out_data);
krb5_data_free (&ap_rep_data);
krb5_data_free (&krb_priv_data);
}
static void
change(krb5_auth_context auth_context,
krb5_principal admin_principal,
uint16_t version,
krb5_data *in_data,
krb5_data *out_data)
{
krb5_error_code ret;
char *client = NULL, *admin = NULL;
const char *pwd_reason;
kadm5_config_params conf;
void *kadm5_handle = NULL;
krb5_principal principal = NULL;
krb5_data *pwd_data = NULL;
char *tmp;
ChangePasswdDataMS chpw;
memset (&conf, 0, sizeof(conf));
memset(&chpw, 0, sizeof(chpw));
if (version == KRB5_KPASSWD_VERS_CHANGEPW) {
ret = krb5_copy_data(context, in_data, &pwd_data);
if (ret) {
krb5_warn (context, ret, "krb5_copy_data");
reply_priv(auth_context, KRB5_KPASSWD_MALFORMED,
"out out memory copying password", out_data);
return;
}
principal = admin_principal;
} else if (version == KRB5_KPASSWD_VERS_SETPW) {
size_t len;
ret = decode_ChangePasswdDataMS(in_data->data, in_data->length,
&chpw, &len);
if (ret) {
krb5_warn (context, ret, "decode_ChangePasswdDataMS");
reply_priv(auth_context, KRB5_KPASSWD_MALFORMED,
"malformed ChangePasswdData", out_data);
return;
}
ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data);
if (ret) {
krb5_warn (context, ret, "krb5_copy_data");
reply_priv(auth_context, KRB5_KPASSWD_MALFORMED,
"out out memory copying password", out_data);
goto out;
}
if (chpw.targname == NULL && chpw.targrealm != NULL) {
krb5_warn (context, ret, "kadm5_init_with_password_ctx");
reply_priv(auth_context, KRB5_KPASSWD_MALFORMED,
"targrealm but not targname", out_data);
goto out;
}
if (chpw.targname) {
krb5_principal_data princ;
princ.name = *chpw.targname;
princ.realm = *chpw.targrealm;
if (princ.realm == NULL) {
ret = krb5_get_default_realm(context, &princ.realm);
if (ret) {
krb5_warnx (context,
"kadm5_init_with_password_ctx: "
"failed to allocate realm");
reply_priv(auth_context, KRB5_KPASSWD_SOFTERROR,
"failed to allocate realm", out_data);
goto out;
}
}
ret = krb5_copy_principal(context, &princ, &principal);
if (*chpw.targrealm == NULL)
free(princ.realm);
if (ret) {
krb5_warn(context, ret, "krb5_copy_principal");
reply_priv(auth_context, KRB5_KPASSWD_HARDERROR,
"failed to allocate principal", out_data);
goto out;
}
} else
principal = admin_principal;
} else {
krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto");
reply_priv(auth_context, KRB5_KPASSWD_HARDERROR,
"Unknown protocol used", out_data);
return;
}
ret = krb5_unparse_name (context, admin_principal, &admin);
if (ret) {
krb5_warn (context, ret, "unparse_name failed");
reply_priv(auth_context, KRB5_KPASSWD_HARDERROR, "out of memory error", out_data);
goto out;
}
conf.realm = principal->realm;
conf.mask |= KADM5_CONFIG_REALM;
ret = kadm5_s_init_with_password_ctx(context,
admin,
NULL,
KADM5_ADMIN_SERVICE,
&conf, 0, 0,
&kadm5_handle);
if (ret) {
krb5_warn (context, ret, "kadm5_init_with_password_ctx");
reply_priv(auth_context, 2, "Internal error", out_data);
goto out;
}
ret = krb5_unparse_name(context, principal, &client);
if (ret) {
krb5_warn (context, ret, "unparse_name failed");
reply_priv(auth_context, KRB5_KPASSWD_HARDERROR, "out of memory error", out_data);
goto out;
}
if (krb5_principal_compare(context, admin_principal, principal) == TRUE) {
pwd_reason = kadm5_check_password_quality (context, principal,
pwd_data);
if (pwd_reason != NULL ) {
krb5_warnx (context,
"%s didn't pass password quality check with error: %s",
client, pwd_reason);
reply_priv(auth_context, KRB5_KPASSWD_SOFTERROR, pwd_reason, out_data);
goto out;
}
krb5_warnx (context, "Changing password for %s", client);
} else {
ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW,
principal);
if (ret) {
krb5_warn (context, ret,
"Check ACL failed for %s for changing %s password",
admin, client);
reply_priv(auth_context, KRB5_KPASSWD_HARDERROR, "permission denied", out_data);
goto out;
}
krb5_warnx (context, "%s is changing password for %s", admin, client);
}
ret = krb5_data_realloc(pwd_data, pwd_data->length + 1);
if (ret) {
krb5_warn (context, ret, "malloc: out of memory");
reply_priv(auth_context, KRB5_KPASSWD_HARDERROR,
"Internal error", out_data);
goto out;
}
tmp = pwd_data->data;
tmp[pwd_data->length - 1] = '\0';
ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, 1, tmp, 0, NULL);
krb5_free_data (context, pwd_data);
pwd_data = NULL;
if (ret) {
const char *str = krb5_get_error_message(context, ret);
krb5_warnx(context, "kadm5_s_chpass_principal_cond: %s", str);
reply_priv(auth_context, KRB5_KPASSWD_SOFTERROR,
str ? str : "Internal error", out_data);
krb5_free_error_message(context, str);
goto out;
}
reply_priv(auth_context, KRB5_KPASSWD_SUCCESS,
"Password changed", out_data);
out:
free_ChangePasswdDataMS(&chpw);
if (principal != admin_principal)
krb5_free_principal(context, principal);
if (admin)
free(admin);
if (client)
free(client);
if (pwd_data)
krb5_free_data(context, pwd_data);
if (kadm5_handle)
kadm5_s_destroy (kadm5_handle);
}
static int
verify(krb5_auth_context *auth_context,
krb5_realm *realms,
krb5_keytab keytab,
krb5_ticket **ticket,
uint16_t *version,
int s,
struct sockaddr *sa,
int sa_size,
u_char *msg,
size_t len,
krb5_data *out_data)
{
krb5_error_code ret;
uint16_t pkt_len, pkt_ver, ap_req_len;
krb5_data ap_req_data;
krb5_data krb_priv_data;
krb5_realm *r;
pkt_len = (msg[0] << 8) | (msg[1]);
pkt_ver = (msg[2] << 8) | (msg[3]);
ap_req_len = (msg[4] << 8) | (msg[5]);
if (pkt_len != len) {
krb5_warnx (context, "Strange len: %ld != %ld",
(long)pkt_len, (long)len);
return 1;
}
if (ap_req_len == 0) {
krb5_warnx (context, "Request is error packet (ap_req_len == 0)");
return 1;
}
if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
krb5_warnx (context, "Bad version (%d)", pkt_ver);
reply_error (NULL, 0, 1, "Wrong program version", out_data);
return 1;
}
*version = pkt_ver;
ap_req_data.data = msg + 6;
ap_req_data.length = ap_req_len;
ret = krb5_rd_req (context,
auth_context,
&ap_req_data,
NULL,
keytab,
NULL,
ticket);
if (ret) {
krb5_warn (context, ret, "krb5_rd_req");
reply_error (NULL, ret, 3, "Authentication failed", out_data);
return 1;
}
for (r = realms; *r != NULL; r++) {
krb5_principal principal;
krb5_boolean same;
ret = krb5_make_principal (context,
&principal,
*r,
"kadmin",
"changepw",
NULL);
if (ret)
krb5_err (context, 1, ret, "krb5_make_principal");
same = krb5_principal_compare(context, principal, (*ticket)->server);
krb5_free_principal(context, principal);
if (same == TRUE)
break;
}
if (*r == NULL) {
char *str;
krb5_unparse_name(context, (*ticket)->server, &str);
krb5_warnx (context, "client used not valid principal %s", str);
free(str);
reply_error (NULL, ret, 1,
"Bad request", out_data);
goto out;
}
if (strcmp((*ticket)->server->realm, (*ticket)->client->realm) != 0) {
krb5_warnx (context, "server realm (%s) not same a client realm (%s)",
(*ticket)->server->realm, (*ticket)->client->realm);
reply_error ((*ticket)->server->realm, ret, 1,
"Bad request", out_data);
goto out;
}
if (!(*ticket)->ticket.flags.initial) {
krb5_warnx (context, "initial flag not set");
reply_error ((*ticket)->server->realm, ret, 1,
"Bad request", out_data);
goto out;
}
krb_priv_data.data = msg + 6 + ap_req_len;
krb_priv_data.length = len - 6 - ap_req_len;
ret = krb5_rd_priv (context,
*auth_context,
&krb_priv_data,
out_data,
NULL);
if (ret) {
krb5_warn (context, ret, "krb5_rd_priv");
reply_error ((*ticket)->server->realm, ret, 3,
"Bad request", out_data);
goto out;
}
return 0;
out:
krb5_free_ticket (context, *ticket);
ticket = NULL;
return 1;
}
static krb5_error_code
process(int s,
struct sockaddr *server,
int server_size,
struct sockaddr *client,
int client_size,
u_char *msg,
size_t len,
heim_idata *out_data)
{
krb5_error_code ret;
krb5_auth_context auth_context = NULL;
krb5_ticket *ticket;
uint16_t version;
krb5_realm *realms = NULL;
krb5_data clear_data;
krb5_address client_addr, server_addr;
krb5_data_zero(&clear_data);
memset(&client_addr, 0, sizeof(client_addr));
memset(&server_addr, 0, sizeof(server_addr));
ret = krb5_sockaddr2address(context, client, &client_addr);
if (ret) {
krb5_warn(context, ret, "krb5_sockaddr2address");
goto out;
}
ret = krb5_sockaddr2address(context, server, &server_addr);
if (ret) {
krb5_warn(context, ret, "krb5_sockaddr2address");
goto out;
}
{
char cstr[200];
size_t ss;
krb5_print_address(&client_addr, cstr, sizeof(cstr), &ss);
krb5_warnx(context, "request from client: %s", cstr);
}
ret = krb5_get_default_realms(context, &realms);
if (ret) {
krb5_warn(context, ret, "krb5_get_default_realms");
return ret;
}
ret = krb5_auth_con_init(context, &auth_context);
if (ret) {
krb5_warn (context, ret, "krb5_auth_con_init");
goto out;
}
krb5_auth_con_setflags(context, auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
if (verify(&auth_context, realms, global_keytab, &ticket,
&version, s, client, client_size, msg, len, &clear_data) == 0)
{
ret = krb5_auth_con_setaddrs(context,
auth_context,
&server_addr,
&client_addr);
if (ret) {
krb5_warn(context, ret, "krb5_sockaddr2address");
goto out;
}
change(auth_context, ticket->client,
version, &clear_data, out_data);
krb5_free_ticket(context, ticket);
}
out:
krb5_free_address(context, &client_addr);
krb5_free_address(context, &server_addr);
if (clear_data.data)
memset(clear_data.data, 0, clear_data.length);
krb5_data_free(&clear_data);
krb5_auth_con_free(context, auth_context);
if (realms)
krb5_free_host_realm(context, realms);
return ret;
}
struct data {
rk_socket_t s;
struct sockaddr *sa;
struct sockaddr_storage __ss;
krb5_socklen_t sa_size;
heim_sipc service;
struct data *next;
};
static struct data *head_data = NULL;
static void
passwd_service(void *ctx, const heim_idata *req,
const heim_icred cred,
heim_ipc_complete complete,
heim_sipc_call cctx)
{
struct data *data = ctx;
heim_idata out_data;
krb5_error_code ret;
struct sockaddr *client, *server;
krb5_socklen_t client_size, server_size;
client = heim_ipc_cred_get_client_address(cred, &client_size);
heim_assert(client != NULL, "no address from client");
server = heim_ipc_cred_get_server_address(cred, &server_size);
heim_assert(server != NULL, "no address from server");
krb5_data_zero(&out_data);
ret = process(data->s,
server, server_size,
client, client_size,
req->data, req->length, &out_data);
complete(cctx, ret, &out_data);
memset (out_data.data, 0, out_data.length);
krb5_data_free(&out_data);
}
static void
listen_on(krb5_address *addr, int type, int port)
{
krb5_error_code ret;
struct data *data;
data = calloc(1, sizeof(*data));
if (data == NULL)
krb5_errx(context, 1, "out of memory");
data->sa = (struct sockaddr *)&data->__ss;
data->sa_size = sizeof(data->__ss);
krb5_addr2sockaddr(context, addr, data->sa, &data->sa_size, port);
data->s = socket(data->sa->sa_family, type, 0);
if (data->s < 0) {
krb5_warn(context, errno, "socket");
free(data);
return;
}
socket_set_nopipe(data->s, 1);
socket_set_reuseaddr(data->s, 1);
#ifdef HAVE_IPV6
if (data->sa->sa_family == AF_INET6)
socket_set_ipv6only(data->s, 1);
#endif
socket_set_ipv6only(data->s, 1);
socket_set_reuseaddr(data->s, 1);
if (bind(data->s, data->sa, data->sa_size) < 0) {
char str[128];
size_t len;
int save_errno = errno;
ret = krb5_print_address (addr, str, sizeof(str), &len);
if (ret)
strlcpy(str, "unknown address", sizeof(str));
krb5_warn (context, save_errno, "bind(%s/%d)", str, ntohs(port));
rk_closesocket(data->s);
free(data);
return;
}
if(type == SOCK_STREAM) {
if (listen(data->s, SOMAXCONN) < 0){
char a_str[256];
size_t len;
krb5_print_address(addr, a_str, sizeof(a_str), &len);
krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port));
rk_closesocket(data->s);
free(data);
return;
}
ret = heim_sipc_stream_listener(data->s,
HEIM_SIPC_TYPE_UINT32 | HEIM_SIPC_TYPE_ONE_REQUEST,
passwd_service, data, &data->service);
if (ret)
errx(1, "heim_sipc_stream_listener: %d", ret);
} else {
ret = heim_sipc_service_dgram(data->s, 0,
passwd_service, data, &data->service);
if (ret)
errx(1, "heim_sipc_service_dgram: %d", ret);
}
data->next = head_data;
head_data = data;
}
static void
doit(int port)
{
krb5_error_code ret;
krb5_addresses addrs;
unsigned i;
if (explicit_addresses.len) {
addrs = explicit_addresses;
} else {
#if defined(IPV6_PKTINFO) && defined(IP_PKTINFO)
ret = krb5_get_all_any_addrs(context, &addrs);
#else
ret = krb5_get_all_server_addrs(context, &addrs);
#endif
if (ret)
krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
}
for (i = 0; i < addrs.len; ++i) {
listen_on(&addrs.val[i], SOCK_STREAM, port);
listen_on(&addrs.val[i], SOCK_DGRAM, port);
}
heim_ipc_main();
}
static void
terminated(void *ctx)
{
exit(1);
}
static const char *check_library = NULL;
static const char *check_function = NULL;
static getarg_strings policy_libraries = { 0, NULL };
static char sHDB[] = "HDB:";
static char *keytab_str = sHDB;
static char *realm_str;
static int version_flag;
static int help_flag;
static char *port_str;
static char *config_file;
struct getargs args[] = {
#ifdef HAVE_DLOPEN
{ "check-library", 0, arg_string, &check_library,
"library to load password check function from", "library" },
{ "check-function", 0, arg_string, &check_function,
"password check function to load", "function" },
{ "policy-libraries", 0, arg_strings, &policy_libraries,
"password check function to load", "function" },
#endif
{ "addresses", 0, arg_strings, &addresses_str,
"addresses to listen on", "list of addresses" },
{ "keytab", 'k', arg_string, &keytab_str,
"keytab to get authentication key from", "kspec" },
{ "config-file", 'c', arg_string, &config_file, NULL, NULL },
{ "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
{ "port", 'p', arg_string, &port_str, "port", NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
int num_args = sizeof(args) / sizeof(args[0]);
static void
usage(int ret)
{
arg_printusage (args, num_args, NULL, "");
exit (ret);
}
int
main (int argc, char **argv)
{
int optidx = 0;
krb5_error_code ret;
char **files;
int port, i;
setprogname (argv[0]);
ret = krb5_init_context (&context);
if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if(version_flag) {
print_version(NULL);
exit(0);
}
if (config_file == NULL) {
asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
if (config_file == NULL)
errx(1, "out of memory");
}
ret = krb5_prepend_config_files_default(config_file, &files);
if (ret)
krb5_err(context, 1, ret, "getting configuration files");
ret = krb5_set_config_files(context, files);
krb5_free_config_files(files);
if (ret)
krb5_err(context, 1, ret, "reading configuration files");
if(realm_str)
krb5_set_default_realm(context, realm_str);
krb5_openlog (context, "kpasswdd", &log_facility);
krb5_set_warn_dest(context, log_facility);
if (port_str != NULL) {
struct servent *s = roken_getservbyname (port_str, "udp");
if (s != NULL)
port = s->s_port;
else {
char *ptr;
port = (int)strtol (port_str, &ptr, 10);
if (port == 0 && ptr == port_str)
krb5_errx (context, 1, "bad port `%s'", port_str);
port = htons(port);
}
} else
port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT);
ret = krb5_kt_register(context, &hdb_kt_ops);
if(ret)
krb5_err(context, 1, ret, "krb5_kt_register");
ret = krb5_kt_resolve(context, keytab_str, &global_keytab);
if(ret)
krb5_err(context, 1, ret, "%s", keytab_str);
kadm5_setup_passwd_quality_check (context, check_library, check_function);
for (i = 0; i < policy_libraries.num_strings; i++) {
ret = kadm5_add_passwd_quality_verifier(context,
policy_libraries.strings[i]);
if (ret)
krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
}
ret = kadm5_add_passwd_quality_verifier(context, NULL);
if (ret)
krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
explicit_addresses.len = 0;
if (addresses_str.num_strings) {
int j;
for (j = 0; j < addresses_str.num_strings; ++j)
add_one_address (addresses_str.strings[j], j == 0);
free_getarg_strings (&addresses_str);
} else {
char **foo = krb5_config_get_strings (context, NULL,
"kdc", "addresses", NULL);
if (foo != NULL) {
add_one_address (*foo++, TRUE);
while (*foo)
add_one_address (*foo++, FALSE);
}
}
heim_sipc_signal_handler(SIGINT, terminated, "SIGINT");
heim_sipc_signal_handler(SIGTERM, terminated, "SIGTERM");
pidfile(NULL);
doit(port);
}