search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
handle the case of a specific keytype
[heimdal.git] / kpasswd / kpasswdd.c
blob9917e661d49d451fe061ae742acf179b05ddac06
1 /*
2 * Copyright (c) 1997 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Kungliga Tekniska
20 * Högskolan and its contributors.
21 *
22 * 4. Neither the name of the Institute nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 */
38
39 #include "kpasswd_locl.h"
40 #include <hdb.h>
41 RCSID("$Id$");
42
43 static krb5_context context;
44 static krb5_log_facility *log_facility;
45
46 static sig_atomic_t exit_flag = 0;
47
48 #define KPASSWDD_LOG_ERR 0
49 #define KPASSWDD_LOG_INFO 1
50
51 static void
52 syslog_and_die (const char *m, ...)
53 {
54 va_list args;
55
56 va_start(args, m);
57 krb5_vlog (context, log_facility, KPASSWDD_LOG_ERR, m, args);
58 va_end(args);
59 exit (1);
60 }
61
62 static char *database = HDB_DEFAULT_DB;
63 static HDB *db;
64
65 static void
66 send_reply (int s,
67 struct sockaddr *sa,
68 int sa_size,
69 krb5_data *ap_rep,
70 krb5_data *rest)
71 {
72 struct msghdr msghdr;
73 struct iovec iov[3];
74 u_int16_t len, ap_rep_len;
75 u_char header[6];
76 u_char *p;
77
78 if (ap_rep)
79 ap_rep_len = ap_rep->length;
80 else
81 ap_rep_len = 0;
82
83 len = 6 + ap_rep_len + rest->length;
84 p = header;
85 *p++ = (len >> 8) & 0xFF;
86 *p++ = (len >> 0) & 0xFF;
87 *p++ = 0;
88 *p++ = 1;
89 *p++ = (ap_rep_len >> 8) & 0xFF;
90 *p++ = (ap_rep_len >> 0) & 0xFF;
91
92 memset (&msghdr, 0, sizeof(msghdr));
93 msghdr.msg_name = (void *)sa;
94 msghdr.msg_namelen = sa_size;
95 msghdr.msg_iov = iov;
96 msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
97 #if 0
98 msghdr.msg_control = NULL;
99 msghdr.msg_controllen = 0;
100 #endif
101
102 iov[0].iov_base = (char *)header;
103 iov[0].iov_len = 6;
104 if (ap_rep_len) {
105 iov[1].iov_base = ap_rep->data;
106 iov[1].iov_len = ap_rep->length;
107 } else {
108 iov[1].iov_base = NULL;
109 iov[1].iov_len = 0;
110 }
111 iov[2].iov_base = rest->data;
112 iov[2].iov_len = rest->length;
113
114 if (sendmsg (s, &msghdr, 0) < 0)
115 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
116 "sendmsg: %s",
117 strerror(errno));
118 }
119
120 static int
121 make_result (krb5_data *data,
122 u_int16_t result_code,
123 const char *expl)
124 {
125 krb5_data_zero (data);
126
127 data->length = asprintf ((char **)&data->data,
128 "%c%c%s",
129 (result_code >> 8) & 0xFF,
130 result_code & 0xFF,
131 expl);
132
133 if (data->data == NULL) {
134 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
135 "Out of memory generating error reply");
136 return 1;
137 }
138 return 0;
139 }
140
141 static void
142 reply_error (krb5_principal server,
143 int s,
144 struct sockaddr *sa,
145 int sa_size,
146 krb5_error_code error_code,
147 u_int16_t result_code,
148 const char *expl)
149 {
150 krb5_error_code ret;
151 krb5_data error_data;
152 krb5_data e_data;
153
154 if (make_result(&e_data, result_code, expl))
155 return;
156
157 ret = krb5_mk_error (context,
158 error_code,
159 NULL,
160 &e_data,
161 NULL,
162 server,
163 0,
164 &error_data);
165 krb5_data_free (&e_data);
166 if (ret) {
167 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
168 "Could not even generate error reply: %s",
169 krb5_get_err_text (context, ret));
170 return;
171 }
172 send_reply (s, sa, sa_size, NULL, &error_data);
173 krb5_data_free (&error_data);
174 }
175
176 static void
177 reply_priv (krb5_auth_context auth_context,
178 int s,
179 struct sockaddr *sa,
180 int sa_size,
181 u_int16_t result_code,
182 const char *expl)
183 {
184 krb5_error_code ret;
185 krb5_data krb_priv_data;
186 krb5_data ap_rep_data;
187 krb5_data e_data;
188
189 ret = krb5_mk_rep (context,
190 &auth_context,
191 &ap_rep_data);
192 if (ret) {
193 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
194 "Could not even generate error reply: %s",
195 krb5_get_err_text (context, ret));
196 return;
197 }
198
199 if (make_result(&e_data, result_code, expl))
200 return;
201
202 ret = krb5_mk_priv (context,
203 auth_context,
204 &e_data,
205 &krb_priv_data,
206 NULL);
207 krb5_data_free (&e_data);
208 if (ret) {
209 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
210 "Could not even generate error reply: %s",
211 krb5_get_err_text (context, ret));
212 return;
213 }
214 send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
215 krb5_data_free (&ap_rep_data);
216 krb5_data_free (&krb_priv_data);
217 }
218
219 static char *
220 passwd_quality_check (krb5_data *pwd)
221 {
222 if (pwd->length < 6)
223 return "Password too short";
224 else
225 return NULL;
226 }
227
228 static void
229 change (krb5_auth_context auth_context,
230 krb5_principal principal,
231 int s,
232 struct sockaddr *sa,
233 int sa_size,
234 krb5_data *pwd_data)
235 {
236 krb5_error_code ret;
237 char *c;
238 hdb_entry ent;
239 krb5_data salt;
240 krb5_keyblock new_keyblock, *old_keyblock;
241 char *pwd_reason;
242
243 krb5_unparse_name (context, principal, &c);
244
245 krb5_log (context, log_facility, KPASSWDD_LOG_INFO,
246 "Changing password for %s", c);
247 free (c);
248
249 pwd_reason = passwd_quality_check (pwd_data);
250 if (pwd_reason != NULL ) {
251 krb5_log (context, log_facility,
252 KPASSWDD_LOG_ERR, pwd_reason);
253 reply_priv (auth_context, s, sa, sa_size, 4, pwd_reason);
254 return;
255 }
256
257 ret = db->open(context, db, O_RDWR, 0600);
258 if (ret) {
259 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
260 "hdb_open: %s", krb5_get_err_text(context, ret));
261 reply_priv (auth_context, s, sa, sa_size, 2, "hdb_open failed");
262 return;
263 }
264
265 krb5_copy_principal (context, principal, &ent.principal);
266
267 ret = db->fetch (context, db, &ent);
268
269 switch (ret) {
270 case HDB_ERR_NOENTRY:
271 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
272 "not found in database");
273 reply_priv (auth_context, s, sa, sa_size, 2,
274 "entry not found in database");
275 goto out;
276 case 0:
277 break;
278 default :
279 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
280 "dbfetch: %s", krb5_get_err_text(context, ret));
281 reply_priv (auth_context, s, sa, sa_size, 2,
282 "db_fetch failed");
283 goto out;
284 }
285
286 /*
287 * Compare with the first key to see if it already has been
288 * changed. If it hasn't, store the new key in the database and
289 * string2key all the rest of them.
290 */
291
292 krb5_data_zero (&salt);
293 krb5_get_salt (principal, &salt);
294 memset (&new_keyblock, 0, sizeof(new_keyblock));
295 old_keyblock = &ent.keys.val[0].key;
296 krb5_string_to_key_data (pwd_data, &salt,
297 old_keyblock->keytype, /* XXX */
298 &new_keyblock);
299
300 if (new_keyblock.keytype == old_keyblock->keytype
301 && new_keyblock.keyvalue.length == old_keyblock->keyvalue.length
302 && memcmp (new_keyblock.keyvalue.data,
303 old_keyblock->keyvalue.data,
304 new_keyblock.keyvalue.length) == 0) {
305 ret = 0;
306 } else {
307 Event *e;
308 int i;
309
310 free_EncryptionKey (old_keyblock);
311 memset (old_keyblock, 0, sizeof(*old_keyblock));
312 old_keyblock->keytype = new_keyblock.keytype;
313 krb5_data_copy (&old_keyblock->keyvalue,
314 new_keyblock.keyvalue.data,
315 new_keyblock.keyvalue.length);
316
317 for(i = 1; i < ent.keys.len; ++i) {
318 free_Key (&ent.keys.val[i]);
319 krb5_string_to_key_data (pwd_data,
320 &salt,
321 ent.keys.val[i].key.keytype,
322 &ent.keys.val[i].key);
323 }
324
325 ent.kvno++;
326 e = malloc(sizeof(*e));
327 e->time = time(NULL);
328 krb5_copy_principal (context, principal, &e->principal);
329 if (ent.modified_by) {
330 free_Event (ent.modified_by);
331 free (ent.modified_by);
332 }
333 ent.modified_by = e;
334 if (ent.pw_end){
335 int t = krb5_config_get_time(context->cf,
336 "libdefaults",
337 "pw_expiration", NULL);
338 if(t > 0)
339 *ent.pw_end = e->time + t;
340 else{
341 free(ent.pw_end);
342 ent.pw_end = NULL;
343 }
344 }
345 ret = db->store (context, db, 1, &ent);
346 }
347 krb5_data_free (&salt);
348 krb5_free_keyblock_contents (context, &new_keyblock);
349
350 if (ret) {
351 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
352 "dbstore: %s", krb5_get_err_text (context, ret));
353 reply_priv (auth_context, s, sa, sa_size, 2,
354 "db_store failed");
355 } else {
356 reply_priv (auth_context, s, sa, sa_size, 0, "password changed");
357 }
358 out:
359 hdb_free_entry (context, &ent);
360 db->close (context, db);
361 }
362
363 static int
364 verify (krb5_auth_context *auth_context,
365 krb5_principal server,
366 krb5_ticket **ticket,
367 krb5_data *out_data,
368 int s,
369 struct sockaddr *sa,
370 int sa_size,
371 u_char *msg,
372 size_t len)
373 {
374 krb5_error_code ret;
375 u_int16_t pkt_len, pkt_ver, ap_req_len;
376 krb5_data ap_req_data;
377 krb5_data krb_priv_data;
378
379 pkt_len = (msg[0] << 8) | (msg[1]);
380 pkt_ver = (msg[2] << 8) | (msg[3]);
381 ap_req_len = (msg[4] << 8) | (msg[5]);
382 if (pkt_len != len) {
383 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
384 "Strange len: %d != %d", pkt_len, len);
385 reply_error (server, s, sa, sa_size, 0, 1, "bad length");
386 return 1;
387 }
388 if (pkt_ver != 0x0001) {
389 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
390 "Bad version (%d)", pkt_ver);
391 reply_error (server, s, sa, sa_size, 0, 1, "bad version");
392 return 1;
393 }
394
395 ap_req_data.data = msg + 6;
396 ap_req_data.length = ap_req_len;
397
398 ret = krb5_rd_req (context,
399 auth_context,
400 &ap_req_data,
401 server,
402 NULL,
403 NULL,
404 ticket);
405 if (ret) {
406 krb5_log (context, log_facility, KPASSWDD_LOG_ERR, "krb5_rd_req: %s",
407 krb5_get_err_text(context, ret));
408 reply_error (server, s, sa, sa_size, ret, 3, "rd_req failed");
409 return 1;
410 }
411
412 if (!(*ticket)->ticket.flags.initial) {
413 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
414 "initial flag not set");
415 reply_error (server, s, sa, sa_size, ret, 1,
416 "initial flag not set");
417 goto out;
418 }
419 krb_priv_data.data = msg + 6 + ap_req_len;
420 krb_priv_data.length = len - 6 - ap_req_len;
421
422 ret = krb5_rd_priv (context,
423 *auth_context,
424 &krb_priv_data,
425 out_data,
426 NULL);
427
428 if (ret) {
429 krb5_log (context, log_facility, KPASSWDD_LOG_ERR, "krb5_rd_priv: %s",
430 krb5_get_err_text(context, ret));
431 reply_error (server, s, sa, sa_size, ret, 3, "rd_priv failed");
432 goto out;
433 }
434 return 0;
435 out:
436 krb5_free_ticket (context, *ticket);
437 return 1;
438 }
439
440 static void
441 process (krb5_principal server,
442 int s,
443 krb5_address *this_addr,
444 struct sockaddr *sa,
445 int sa_size,
446 u_char *msg,
447 int len)
448 {
449 krb5_error_code ret;
450 krb5_auth_context auth_context = NULL;
451 krb5_data out_data;
452 krb5_ticket *ticket;
453 krb5_address other_addr;
454
455 krb5_data_zero (&out_data);
456
457 ret = krb5_auth_con_init (context, &auth_context);
458 if (ret) {
459 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
460 "krb5_auth_con_init: %s",
461 krb5_get_err_text(context, ret));
462 return;
463 }
464
465 krb5_auth_con_setflags (context, auth_context,
466 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
467
468 ret = krb5_sockaddr2address (sa, &other_addr);
469 if (ret) {
470 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
471 "krb5_sockaddr2address: %s",
472 krb5_get_err_text(context, ret));
473 goto out;
474 }
475
476 ret = krb5_auth_con_setaddrs (context,
477 auth_context,
478 this_addr,
479 &other_addr);
480 krb5_free_address (context, &other_addr);
481 if (ret) {
482 krb5_log (context, log_facility, KPASSWDD_LOG_ERR,
483 "krb5_auth_con_setaddr: %s",
484 krb5_get_err_text(context, ret));
485 goto out;
486 }
487
488 if (verify (&auth_context, server, &ticket, &out_data,
489 s, sa, sa_size, msg, len) == 0) {
490 change (auth_context,
491 ticket->client,
492 s,
493 sa, sa_size,
494 &out_data);
495 krb5_free_ticket (context, ticket);
496 free (ticket);
497 }
498
499 out:
500 krb5_data_free (&out_data);
501 krb5_auth_con_free (context, auth_context);
502 }
503
504 static int
505 doit (int port)
506 {
507 krb5_error_code ret;
508 krb5_principal server;
509 int *sockets;
510 int maxfd;
511 char *realm;
512 krb5_addresses addrs;
513 unsigned n, i;
514 fd_set real_fdset;
515 void *sa_buf;
516 int sa_max_size;
517 struct sockaddr *sa;
518
519 sa_max_size = krb5_max_sockaddr_size ();
520 sa_buf = malloc (sa_max_size);
521 if (sa_buf == NULL)
522 syslog_and_die ("out of memory");
523 sa = (struct sockaddr *)sa_buf;
524
525 ret = krb5_get_default_realm (context, &realm);
526 if (ret)
527 syslog_and_die ("krb5_get_default_realm: %s",
528 krb5_get_err_text(context, ret));
529
530 ret = krb5_build_principal (context,
531 &server,
532 strlen(realm),
533 realm,
534 "kadmin",
535 "changepw",
536 NULL);
537 if (ret)
538 syslog_and_die ("krb5_build_principal_ext: %s",
539 krb5_get_err_text(context, ret));
540
541 free (realm);
542
543 ret = krb5_get_all_client_addrs (&addrs);
544 if (ret)
545 syslog_and_die ("krb5_get_all_clients_addrs: %s",
546 krb5_get_err_text(context, ret));
547
548 n = addrs.len;
549
550 sockets = malloc (n * sizeof(*sockets));
551 maxfd = 0;
552 FD_ZERO(&real_fdset);
553 for (i = 0; i < n; ++i) {
554 int sa_size;
555
556 krb5_addr2sockaddr (&addrs.val[i], sa, &sa_size, port);
557
558 sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
559 if (sockets[i] < 0)
560 syslog_and_die ("socket: %m");
561
562 if (bind (sockets[i], sa, sa_size) < 0)
563 syslog_and_die ("bind: %m");
564 maxfd = max (maxfd, sockets[i]);
565 FD_SET(sockets[i], &real_fdset);
566 }
567
568 while(exit_flag == 0) {
569 int ret;
570 struct fd_set fdset = real_fdset;
571
572 ret = select (maxfd + 1, &fdset, NULL, NULL, NULL);
573 if (ret < 0)
574 if (errno == EINTR)
575 continue;
576 else
577 syslog_and_die ("select: %m");
578 for (i = 0; i < n; ++i)
579 if (FD_ISSET(sockets[i], &fdset)) {
580 u_char buf[BUFSIZ];
581 int addrlen = sa_max_size;
582
583 ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
584 sa, &addrlen);
585 if (ret < 0)
586 if(errno == EINTR)
587 break;
588 else
589 syslog_and_die ("recvfrom: %m");
590
591 process (server, sockets[i],
592 &addrs.val[i],
593 sa, addrlen,
594 buf, ret);
595 }
596 }
597 krb5_free_addresses (context, &addrs);
598 krb5_free_principal (context, server);
599 krb5_free_context (context);
600 free (sa_buf);
601 return 0;
602 }
603
604 static RETSIGTYPE
605 sigterm(int sig)
606 {
607 exit_flag = 1;
608 }
609
610 int
611 main (int argc, char **argv)
612 {
613 krb5_error_code ret;
614 char *keyfile = NULL;
615
616 krb5_init_context (&context);
617
618 set_progname (argv[0]);
619 krb5_openlog (context, "kpasswdd", &log_facility);
620
621 ret = hdb_create (context, &db, database);
622 if (ret)
623 syslog_and_die ("Failed to open database %s: %s",
624 database, krb5_get_err_text(context, ret));
625 ret = hdb_set_master_key(context, db, keyfile);
626 if (ret)
627 syslog_and_die ("Failed to set master key: %s",
628 krb5_get_err_text(context, ret));
629
630 #ifdef HAVE_SIGACTION
631 {
632 struct sigaction sa;
633
634 sa.sa_flags = 0;
635 sa.sa_handler = sigterm;
636 sigemptyset(&sa.sa_mask);
637
638 sigaction(SIGINT, &sa, NULL);
639 }
640 #else
641 signal(SIGINT, sigterm);
642 #endif
643
644 return doit (krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT));
645 }
Heimdal