summaryrefslogtreecommitdiff
path: root/crypto/heimdal/kpasswd/kpasswdd.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/kpasswd/kpasswdd.c')
-rw-r--r--crypto/heimdal/kpasswd/kpasswdd.c634
1 files changed, 634 insertions, 0 deletions
diff --git a/crypto/heimdal/kpasswd/kpasswdd.c b/crypto/heimdal/kpasswd/kpasswdd.c
new file mode 100644
index 000000000000..04b8ea391d00
--- /dev/null
+++ b/crypto/heimdal/kpasswd/kpasswdd.c
@@ -0,0 +1,634 @@
+/*
+ * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kpasswd_locl.h"
+RCSID("$Id: kpasswdd.c,v 1.41 1999/12/02 17:05:00 joda Exp $");
+
+#include <kadm5/admin.h>
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <hdb.h>
+
+static krb5_context context;
+static krb5_log_facility *log_facility;
+
+static sig_atomic_t exit_flag = 0;
+
+static void
+send_reply (int s,
+ struct sockaddr *sa,
+ int sa_size,
+ krb5_data *ap_rep,
+ krb5_data *rest)
+{
+ struct msghdr msghdr;
+ struct iovec iov[3];
+ u_int16_t len, ap_rep_len;
+ u_char header[6];
+ u_char *p;
+
+ if (ap_rep)
+ ap_rep_len = ap_rep->length;
+ else
+ ap_rep_len = 0;
+
+ len = 6 + ap_rep_len + rest->length;
+ p = header;
+ *p++ = (len >> 8) & 0xFF;
+ *p++ = (len >> 0) & 0xFF;
+ *p++ = 0;
+ *p++ = 1;
+ *p++ = (ap_rep_len >> 8) & 0xFF;
+ *p++ = (ap_rep_len >> 0) & 0xFF;
+
+ memset (&msghdr, 0, sizeof(msghdr));
+ msghdr.msg_name = (void *)sa;
+ msghdr.msg_namelen = sa_size;
+ msghdr.msg_iov = iov;
+ msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
+#if 0
+ msghdr.msg_control = NULL;
+ msghdr.msg_controllen = 0;
+#endif
+
+ iov[0].iov_base = (char *)header;
+ iov[0].iov_len = 6;
+ if (ap_rep_len) {
+ iov[1].iov_base = ap_rep->data;
+ iov[1].iov_len = ap_rep->length;
+ } else {
+ iov[1].iov_base = NULL;
+ iov[1].iov_len = 0;
+ }
+ iov[2].iov_base = rest->data;
+ iov[2].iov_len = rest->length;
+
+ if (sendmsg (s, &msghdr, 0) < 0)
+ krb5_warn (context, errno, "sendmsg");
+}
+
+static int
+make_result (krb5_data *data,
+ u_int16_t result_code,
+ const char *expl)
+{
+ krb5_data_zero (data);
+
+ data->length = asprintf ((char **)&data->data,
+ "%c%c%s",
+ (result_code >> 8) & 0xFF,
+ result_code & 0xFF,
+ expl);
+
+ if (data->data == NULL) {
+ krb5_warnx (context, "Out of memory generating error reply");
+ return 1;
+ }
+ return 0;
+}
+
+static void
+reply_error (krb5_principal server,
+ int s,
+ struct sockaddr *sa,
+ int sa_size,
+ krb5_error_code error_code,
+ u_int16_t result_code,
+ const char *expl)
+{
+ krb5_error_code ret;
+ krb5_data error_data;
+ krb5_data e_data;
+
+ if (make_result(&e_data, result_code, expl))
+ return;
+
+ ret = krb5_mk_error (context,
+ error_code,
+ NULL,
+ &e_data,
+ NULL,
+ server,
+ 0,
+ &error_data);
+ krb5_data_free (&e_data);
+ if (ret) {
+ krb5_warn (context, ret, "Could not even generate error reply");
+ return;
+ }
+ send_reply (s, sa, sa_size, NULL, &error_data);
+ krb5_data_free (&error_data);
+}
+
+static void
+reply_priv (krb5_auth_context auth_context,
+ int s,
+ struct sockaddr *sa,
+ int sa_size,
+ u_int16_t result_code,
+ const char *expl)
+{
+ krb5_error_code ret;
+ krb5_data krb_priv_data;
+ krb5_data ap_rep_data;
+ krb5_data e_data;
+
+ ret = krb5_mk_rep (context,
+ &auth_context,
+ &ap_rep_data);
+ if (ret) {
+ krb5_warn (context, ret, "Could not even generate error reply");
+ return;
+ }
+
+ if (make_result(&e_data, result_code, expl))
+ return;
+
+ ret = krb5_mk_priv (context,
+ auth_context,
+ &e_data,
+ &krb_priv_data,
+ NULL);
+ krb5_data_free (&e_data);
+ if (ret) {
+ krb5_warn (context, ret, "Could not even generate error reply");
+ return;
+ }
+ send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
+ krb5_data_free (&ap_rep_data);
+ krb5_data_free (&krb_priv_data);
+}
+
+/*
+ * Change the password for `principal', sending the reply back on `s'
+ * (`sa', `sa_size') to `pwd_data'.
+ */
+
+static void
+change (krb5_auth_context auth_context,
+ krb5_principal principal,
+ int s,
+ struct sockaddr *sa,
+ int sa_size,
+ krb5_data *pwd_data)
+{
+ krb5_error_code ret;
+ char *client;
+ kadm5_principal_ent_rec ent;
+ krb5_key_data *kd;
+ krb5_salt salt;
+ krb5_keyblock new_keyblock;
+ const char *pwd_reason;
+ int unchanged;
+ kadm5_config_params conf;
+ void *kadm5_handle;
+
+ memset (&conf, 0, sizeof(conf));
+
+ krb5_unparse_name (context, principal, &client);
+
+ ret = kadm5_init_with_password_ctx(context,
+ client,
+ NULL,
+ KADM5_ADMIN_SERVICE,
+ &conf, 0, 0,
+ &kadm5_handle);
+ if (ret) {
+ free (client);
+ krb5_warn (context, ret, "kadm5_init_with_password_ctx");
+ reply_priv (auth_context, s, sa, sa_size, 2,
+ "Internal error");
+ return;
+ }
+
+ krb5_warnx (context, "Changing password for %s", client);
+ free (client);
+
+ pwd_reason = kadm5_check_password_quality (context, principal, pwd_data);
+ if (pwd_reason != NULL ) {
+ krb5_warnx (context, "%s", pwd_reason);
+ reply_priv (auth_context, s, sa, sa_size, 4, pwd_reason);
+ kadm5_destroy (kadm5_handle);
+ return;
+ }
+
+ ret = kadm5_get_principal (kadm5_handle,
+ principal,
+ &ent,
+ KADM5_KEY_DATA);
+ if (ret) {
+ krb5_warn (context, ret, "kadm5_get_principal");
+ reply_priv (auth_context, s, sa, sa_size, 2,
+ "Internal error");
+ kadm5_destroy (kadm5_handle);
+ return;
+ }
+
+ /*
+ * Compare with the first key to see if it already has been
+ * changed. If it hasn't, store the new key in the database and
+ * string2key all the rest of them.
+ */
+
+ kd = &ent.key_data[0];
+
+ salt.salttype = kd->key_data_type[1];
+ salt.saltvalue.length = kd->key_data_length[1];
+ salt.saltvalue.data = kd->key_data_contents[1];
+
+ memset (&new_keyblock, 0, sizeof(new_keyblock));
+ krb5_string_to_key_data_salt (context,
+ kd->key_data_type[0],
+ *pwd_data,
+ salt,
+ &new_keyblock);
+
+ unchanged = new_keyblock.keytype == kd->key_data_type[0]
+ && new_keyblock.keyvalue.length == kd->key_data_length[0]
+ && memcmp(new_keyblock.keyvalue.data,
+ kd->key_data_contents[0],
+ new_keyblock.keyvalue.length) == 0;
+
+ krb5_free_keyblock_contents (context, &new_keyblock);
+
+ if (unchanged) {
+ ret = 0;
+ } else {
+ char *tmp;
+
+ tmp = malloc (pwd_data->length + 1);
+ if (tmp == NULL) {
+ krb5_warnx (context, "malloc: out of memory");
+ reply_priv (auth_context, s, sa, sa_size, 2,
+ "Internal error");
+ goto out;
+ }
+ memcpy (tmp, pwd_data->data, pwd_data->length);
+ tmp[pwd_data->length] = '\0';
+
+ ret = kadm5_chpass_principal (kadm5_handle,
+ principal,
+ tmp);
+ memset (tmp, 0, pwd_data->length);
+ free (tmp);
+ if (ret) {
+ krb5_warn (context, ret, "kadm5_s_chpass_principal");
+ reply_priv (auth_context, s, sa, sa_size, 2,
+ "Internal error");
+ goto out;
+ }
+ }
+ reply_priv (auth_context, s, sa, sa_size, 0, "Password changed");
+out:
+ kadm5_free_principal_ent (kadm5_handle, &ent);
+ kadm5_destroy (kadm5_handle);
+}
+
+static int
+verify (krb5_auth_context *auth_context,
+ krb5_principal server,
+ krb5_keytab keytab,
+ krb5_ticket **ticket,
+ krb5_data *out_data,
+ int s,
+ struct sockaddr *sa,
+ int sa_size,
+ u_char *msg,
+ size_t len)
+{
+ krb5_error_code ret;
+ u_int16_t pkt_len, pkt_ver, ap_req_len;
+ krb5_data ap_req_data;
+ krb5_data krb_priv_data;
+
+ pkt_len = (msg[0] << 8) | (msg[1]);
+ pkt_ver = (msg[2] << 8) | (msg[3]);
+ ap_req_len = (msg[4] << 8) | (msg[5]);
+ if (pkt_len != len) {
+ krb5_warnx (context, "Strange len: %ld != %ld",
+ (long)pkt_len, (long)len);
+ reply_error (server, s, sa, sa_size, 0, 1, "Bad request");
+ return 1;
+ }
+ if (pkt_ver != 0x0001) {
+ krb5_warnx (context, "Bad version (%d)", pkt_ver);
+ reply_error (server, s, sa, sa_size, 0, 1, "Wrong program version");
+ return 1;
+ }
+
+ ap_req_data.data = msg + 6;
+ ap_req_data.length = ap_req_len;
+
+ ret = krb5_rd_req (context,
+ auth_context,
+ &ap_req_data,
+ server,
+ keytab,
+ NULL,
+ ticket);
+ if (ret) {
+ if(ret == KRB5_KT_NOTFOUND) {
+ char *name;
+ krb5_unparse_name(context, server, &name);
+ krb5_warnx (context, "krb5_rd_req: %s (%s)",
+ krb5_get_err_text(context, ret), name);
+ free(name);
+ } else
+ krb5_warn (context, ret, "krb5_rd_req");
+ reply_error (server, s, sa, sa_size, ret, 3, "Authentication failed");
+ return 1;
+ }
+
+ if (!(*ticket)->ticket.flags.initial) {
+ krb5_warnx (context, "initial flag not set");
+ reply_error (server, s, sa, sa_size, ret, 1,
+ "Bad request");
+ goto out;
+ }
+ krb_priv_data.data = msg + 6 + ap_req_len;
+ krb_priv_data.length = len - 6 - ap_req_len;
+
+ ret = krb5_rd_priv (context,
+ *auth_context,
+ &krb_priv_data,
+ out_data,
+ NULL);
+
+ if (ret) {
+ krb5_warn (context, ret, "krb5_rd_priv");
+ reply_error (server, s, sa, sa_size, ret, 3, "Bad request");
+ goto out;
+ }
+ return 0;
+out:
+ krb5_free_ticket (context, *ticket);
+ return 1;
+}
+
+static void
+process (krb5_principal server,
+ krb5_keytab keytab,
+ int s,
+ krb5_address *this_addr,
+ struct sockaddr *sa,
+ int sa_size,
+ u_char *msg,
+ int len)
+{
+ krb5_error_code ret;
+ krb5_auth_context auth_context = NULL;
+ krb5_data out_data;
+ krb5_ticket *ticket;
+ krb5_address other_addr;
+
+ krb5_data_zero (&out_data);
+
+ ret = krb5_auth_con_init (context, &auth_context);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_auth_con_init");
+ return;
+ }
+
+ krb5_auth_con_setflags (context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+ ret = krb5_sockaddr2address (sa, &other_addr);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_sockaddr2address");
+ goto out;
+ }
+
+ ret = krb5_auth_con_setaddrs (context,
+ auth_context,
+ this_addr,
+ &other_addr);
+ krb5_free_address (context, &other_addr);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_auth_con_setaddr");
+ goto out;
+ }
+
+ if (verify (&auth_context, server, keytab, &ticket, &out_data,
+ s, sa, sa_size, msg, len) == 0) {
+ change (auth_context,
+ ticket->client,
+ s,
+ sa, sa_size,
+ &out_data);
+ krb5_free_ticket (context, ticket);
+ free (ticket);
+ }
+
+out:
+ krb5_data_free (&out_data);
+ krb5_auth_con_free (context, auth_context);
+}
+
+static int
+doit (krb5_keytab keytab,
+ int port)
+{
+ krb5_error_code ret;
+ krb5_principal server;
+ int *sockets;
+ int maxfd;
+ char *realm;
+ krb5_addresses addrs;
+ unsigned n, i;
+ fd_set real_fdset;
+ struct sockaddr_storage __ss;
+ struct sockaddr *sa = (struct sockaddr *)&__ss;
+
+ ret = krb5_get_default_realm (context, &realm);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_default_realm");
+
+ ret = krb5_build_principal (context,
+ &server,
+ strlen(realm),
+ realm,
+ "kadmin",
+ "changepw",
+ NULL);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_build_principal");
+
+ free (realm);
+
+ ret = krb5_get_all_server_addrs (context, &addrs);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
+
+ n = addrs.len;
+
+ sockets = malloc (n * sizeof(*sockets));
+ if (sockets == NULL)
+ krb5_errx (context, 1, "out of memory");
+ maxfd = 0;
+ FD_ZERO(&real_fdset);
+ for (i = 0; i < n; ++i) {
+ int sa_size;
+
+ krb5_addr2sockaddr (&addrs.val[i], sa, &sa_size, port);
+
+
+ sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
+ if (sockets[i] < 0)
+ krb5_err (context, 1, errno, "socket");
+ if (bind (sockets[i], sa, sa_size) < 0) {
+ char str[128];
+ size_t len;
+ ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
+ krb5_err (context, 1, errno, "bind(%s)", str);
+ }
+ maxfd = max (maxfd, sockets[i]);
+ FD_SET(sockets[i], &real_fdset);
+ }
+
+ while(exit_flag == 0) {
+ int ret;
+ fd_set fdset = real_fdset;
+
+ ret = select (maxfd + 1, &fdset, NULL, NULL, NULL);
+ if (ret < 0) {
+ if (errno == EINTR)
+ continue;
+ else
+ krb5_err (context, 1, errno, "select");
+ }
+ for (i = 0; i < n; ++i)
+ if (FD_ISSET(sockets[i], &fdset)) {
+ u_char buf[BUFSIZ];
+ int addrlen = sizeof(__ss);
+
+ ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
+ sa, &addrlen);
+ if (ret < 0) {
+ if(errno == EINTR)
+ break;
+ else
+ krb5_err (context, 1, errno, "recvfrom");
+ }
+
+ process (server, keytab, sockets[i],
+ &addrs.val[i],
+ sa, addrlen,
+ buf, ret);
+ }
+ }
+ krb5_free_addresses (context, &addrs);
+ krb5_free_principal (context, server);
+ krb5_free_context (context);
+ return 0;
+}
+
+static RETSIGTYPE
+sigterm(int sig)
+{
+ exit_flag = 1;
+}
+
+const char *check_library = NULL;
+const char *check_function = NULL;
+char *keytab_str = "HDB:";
+char *realm_str;
+int version_flag;
+int help_flag;
+
+struct getargs args[] = {
+#ifdef HAVE_DLOPEN
+ { "check-library", 0, arg_string, &check_library,
+ "library to load password check function from", "library" },
+ { "check-function", 0, arg_string, &check_function,
+ "password check function to load", "function" },
+#endif
+ { "keytab", 'k', arg_string, &keytab_str,
+ "keytab to get authentication key from", "kspec" },
+ { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
+ { "version", 0, arg_flag, &version_flag },
+ { "help", 0, arg_flag, &help_flag }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+int
+main (int argc, char **argv)
+{
+ int optind;
+ krb5_keytab keytab;
+ krb5_error_code ret;
+
+ optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+
+ if(help_flag)
+ krb5_std_usage(0, args, num_args);
+ if(version_flag) {
+ print_version(NULL);
+ exit(0);
+ }
+
+ if(realm_str)
+ krb5_set_default_realm(context, realm_str);
+
+ krb5_openlog (context, "kpasswdd", &log_facility);
+ krb5_set_warn_dest(context, log_facility);
+
+ ret = krb5_kt_register(context, &hdb_kt_ops);
+ if(ret)
+ krb5_err(context, 1, ret, "krb5_kt_register");
+
+ ret = krb5_kt_resolve(context, keytab_str, &keytab);
+ if(ret)
+ krb5_err(context, 1, ret, "%s", keytab_str);
+
+ kadm5_setup_passwd_quality_check (context, check_library, check_function);
+
+#ifdef HAVE_SIGACTION
+ {
+ struct sigaction sa;
+
+ sa.sa_flags = 0;
+ sa.sa_handler = sigterm;
+ sigemptyset(&sa.sa_mask);
+
+ sigaction(SIGINT, &sa, NULL);
+ }
+#else
+ signal(SIGINT, sigterm);
+#endif
+
+ return doit (keytab,
+ krb5_getportbyname (context, "kpasswd",
+ "udp", KPASSWD_PORT));
+}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 01:42:12 +0000