1 /*        $NetBSD: kpasswdd.c,v 1.5 2023/06/19 21:41:42 christos Exp $          */
2 
3 /*
4  * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "kpasswd_locl.h"
37 __RCSID("$NetBSD: kpasswdd.c,v 1.5 2023/06/19 21:41:42 christos Exp $");
38 
39 #include <kadm5/admin.h>
40 #ifdef HAVE_SYS_UN_H
41 #include <sys/un.h>
42 #endif
43 #include <krb5/hdb.h>
44 #include <kadm5/private.h>
45 
46 static krb5_context context;
47 static krb5_log_facility *log_facility;
48 
49 static struct getarg_strings addresses_str;
50 krb5_addresses explicit_addresses;
51 
52 static sig_atomic_t exit_flag = 0;
53 
54 static void
add_one_address(const char * str,int first)55 add_one_address (const char *str, int first)
56 {
57     krb5_error_code ret;
58     krb5_addresses tmp;
59 
60     ret = krb5_parse_address (context, str, &tmp);
61     if (ret)
62           krb5_err (context, 1, ret, "parse_address `%s'", str);
63     if (first)
64           krb5_copy_addresses(context, &tmp, &explicit_addresses);
65     else
66           krb5_append_addresses(context, &explicit_addresses, &tmp);
67     krb5_free_addresses (context, &tmp);
68 }
69 
70 static void
send_reply(int s,struct sockaddr * sa,int sa_size,krb5_data * ap_rep,krb5_data * rest)71 send_reply (int s,
72               struct sockaddr *sa,
73               int sa_size,
74               krb5_data *ap_rep,
75               krb5_data *rest)
76 {
77     struct msghdr msghdr;
78     struct iovec iov[3];
79     uint16_t len, ap_rep_len;
80     u_char header[6];
81     u_char *p;
82 
83     if (ap_rep)
84           ap_rep_len = ap_rep->length;
85     else
86           ap_rep_len = 0;
87 
88     len = 6 + ap_rep_len + rest->length;
89     p = header;
90     *p++ = (len >> 8) & 0xFF;
91     *p++ = (len >> 0) & 0xFF;
92     *p++ = 0;
93     *p++ = 1;
94     *p++ = (ap_rep_len >> 8) & 0xFF;
95     *p++ = (ap_rep_len >> 0) & 0xFF;
96 
97     memset (&msghdr, 0, sizeof(msghdr));
98     msghdr.msg_name       = (void *)sa;
99     msghdr.msg_namelen    = sa_size;
100     msghdr.msg_iov        = iov;
101     msghdr.msg_iovlen     = sizeof(iov)/sizeof(*iov);
102 #if 0
103     msghdr.msg_control    = NULL;
104     msghdr.msg_controllen = 0;
105 #endif
106 
107     iov[0].iov_base       = (char *)header;
108     iov[0].iov_len        = 6;
109     if (ap_rep_len) {
110           iov[1].iov_base   = ap_rep->data;
111           iov[1].iov_len    = ap_rep->length;
112     } else {
113           iov[1].iov_base   = NULL;
114           iov[1].iov_len    = 0;
115     }
116     iov[2].iov_base       = rest->data;
117     iov[2].iov_len        = rest->length;
118 
119     if (sendmsg (s, &msghdr, 0) < 0)
120           krb5_warn (context, errno, "sendmsg");
121 }
122 
123 static int
make_result(krb5_data * data,uint16_t result_code,const char * expl)124 make_result (krb5_data *data,
125                uint16_t result_code,
126                const char *expl)
127 {
128     krb5_error_code ret;
129     krb5_storage *sp;
130 
131     sp = krb5_storage_emem();
132     if (sp == NULL) goto out;
133     ret = krb5_store_uint16(sp, result_code);
134     if (ret) goto out;
135     ret = krb5_store_stringz(sp, expl);
136     if (ret) goto out;
137     ret = krb5_storage_to_data(sp, data);
138     if (ret) goto out;
139     krb5_storage_free(sp);
140 
141     return 0;
142  out:
143     if (sp)
144           krb5_storage_free(sp);
145 
146     krb5_warnx (context, "Out of memory generating error reply");
147     return 1;
148 }
149 
150 static void
reply_error(krb5_realm realm,int s,struct sockaddr * sa,int sa_size,krb5_error_code error_code,uint16_t result_code,const char * expl)151 reply_error (krb5_realm realm,
152                int s,
153                struct sockaddr *sa,
154                int sa_size,
155                krb5_error_code error_code,
156                uint16_t result_code,
157                const char *expl)
158 {
159     krb5_error_code ret;
160     krb5_data error_data;
161     krb5_data e_data;
162     krb5_principal server = NULL;
163 
164     if (make_result(&e_data, result_code, expl))
165           return;
166 
167     if (realm) {
168           ret = krb5_make_principal (context, &server, realm,
169                                            "kadmin", "changepw", NULL);
170           if (ret) {
171               krb5_data_free (&e_data);
172               return;
173           }
174     }
175 
176     ret = krb5_mk_error (context,
177                                error_code,
178                                NULL,
179                                &e_data,
180                                NULL,
181                                server,
182                                NULL,
183                                NULL,
184                                &error_data);
185     if (server)
186           krb5_free_principal(context, server);
187     krb5_data_free (&e_data);
188     if (ret) {
189           krb5_warn (context, ret, "Could not even generate error reply");
190           return;
191     }
192     send_reply (s, sa, sa_size, NULL, &error_data);
193     krb5_data_free (&error_data);
194 }
195 
196 static void
reply_priv(krb5_auth_context auth_context,int s,struct sockaddr * sa,int sa_size,uint16_t result_code,const char * expl)197 reply_priv (krb5_auth_context auth_context,
198               int s,
199               struct sockaddr *sa,
200               int sa_size,
201               uint16_t result_code,
202               const char *expl)
203 {
204     krb5_error_code ret;
205     krb5_data krb_priv_data;
206     krb5_data ap_rep_data;
207     krb5_data e_data;
208 
209     ret = krb5_mk_rep (context,
210                            auth_context,
211                            &ap_rep_data);
212     if (ret) {
213           krb5_warn (context, ret, "Could not even generate error reply");
214           return;
215     }
216 
217     if (make_result(&e_data, result_code, expl))
218           return;
219 
220     ret = krb5_mk_priv (context,
221                               auth_context,
222                               &e_data,
223                               &krb_priv_data,
224                               NULL);
225     krb5_data_free (&e_data);
226     if (ret) {
227           krb5_warn (context, ret, "Could not even generate error reply");
228           return;
229     }
230     send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
231     krb5_data_free (&ap_rep_data);
232     krb5_data_free (&krb_priv_data);
233 }
234 
235 /*
236  * Change the password for `principal', sending the reply back on `s'
237  * (`sa', `sa_size') to `pwd_data'.
238  */
239 
240 static void
change(krb5_auth_context auth_context,krb5_principal admin_principal,uint16_t version,int s,struct sockaddr * sa,int sa_size,krb5_data * in_data)241 change (krb5_auth_context auth_context,
242           krb5_principal admin_principal,
243           uint16_t version,
244           int s,
245           struct sockaddr *sa,
246           int sa_size,
247           krb5_data *in_data)
248 {
249     krb5_error_code ret;
250     char *client = NULL, *admin = NULL;
251     const char *pwd_reason;
252     kadm5_config_params conf;
253     void *kadm5_handle = NULL;
254     krb5_principal principal = NULL;
255     krb5_data *pwd_data = NULL;
256     char *tmp;
257     ChangePasswdDataMS chpw;
258 
259     memset (&conf, 0, sizeof(conf));
260     memset(&chpw, 0, sizeof(chpw));
261 
262     if (version == KRB5_KPASSWD_VERS_CHANGEPW) {
263           ret = krb5_copy_data(context, in_data, &pwd_data);
264           if (ret) {
265               krb5_warn (context, ret, "krb5_copy_data");
266               reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
267                               "out out memory copying password");
268               return;
269           }
270           principal = admin_principal;
271     } else if (version == KRB5_KPASSWD_VERS_SETPW) {
272           size_t len;
273 
274           ret = decode_ChangePasswdDataMS(in_data->data, in_data->length,
275                                                   &chpw, &len);
276           if (ret) {
277               krb5_warn (context, ret, "decode_ChangePasswdDataMS");
278               reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
279                               "malformed ChangePasswdData");
280               return;
281           }
282 
283 
284           ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data);
285           if (ret) {
286               krb5_warn (context, ret, "krb5_copy_data");
287               reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
288                               "out out memory copying password");
289               goto out;
290           }
291 
292           if (chpw.targname == NULL && chpw.targrealm != NULL) {
293               krb5_warn (context, ret, "kadm5_init_with_password_ctx");
294               reply_priv (auth_context, s, sa, sa_size,
295                               KRB5_KPASSWD_MALFORMED,
296                               "targrealm but not targname");
297               goto out;
298           }
299 
300           if (chpw.targname) {
301               krb5_principal_data princ;
302 
303               memset(&princ, 0, sizeof (princ));
304               princ.name = *chpw.targname;
305               princ.realm = *chpw.targrealm;
306               if (princ.realm == NULL) {
307                     ret = krb5_get_default_realm(context, &princ.realm);
308 
309                     if (ret) {
310                         krb5_warnx (context,
311                                         "kadm5_init_with_password_ctx: "
312                                         "failed to allocate realm");
313                         reply_priv (auth_context, s, sa, sa_size,
314                                         KRB5_KPASSWD_SOFTERROR,
315                                         "failed to allocate realm");
316                         goto out;
317                     }
318               }
319               ret = krb5_copy_principal(context, &princ, &principal);
320               if (*chpw.targrealm == NULL)
321                     free(princ.realm);
322               if (ret) {
323                     krb5_warn(context, ret, "krb5_copy_principal");
324                     reply_priv(auth_context, s, sa, sa_size,
325                                  KRB5_KPASSWD_HARDERROR,
326                                  "failed to allocate principal");
327                     goto out;
328               }
329           } else
330               principal = admin_principal;
331     } else {
332           krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto");
333           reply_priv (auth_context, s, sa, sa_size,
334                         KRB5_KPASSWD_HARDERROR,
335                         "Unknown protocol used");
336           return;
337     }
338 
339     ret = krb5_unparse_name (context, admin_principal, &admin);
340     if (ret) {
341           krb5_warn (context, ret, "unparse_name failed");
342           reply_priv (auth_context, s, sa, sa_size,
343                         KRB5_KPASSWD_HARDERROR, "out of memory error");
344           goto out;
345     }
346 
347     conf.realm = principal->realm;
348     conf.mask |= KADM5_CONFIG_REALM;
349 
350     ret = kadm5_init_with_password_ctx(context,
351                                                admin,
352                                                NULL,
353                                                KADM5_ADMIN_SERVICE,
354                                                &conf, 0, 0,
355                                                &kadm5_handle);
356     if (ret) {
357           krb5_warn (context, ret, "kadm5_init_with_password_ctx");
358           reply_priv (auth_context, s, sa, sa_size, 2,
359                         "Internal error");
360           goto out;
361     }
362 
363     ret = krb5_unparse_name(context, principal, &client);
364     if (ret) {
365           krb5_warn (context, ret, "unparse_name failed");
366           reply_priv (auth_context, s, sa, sa_size,
367                         KRB5_KPASSWD_HARDERROR, "out of memory error");
368           goto out;
369     }
370 
371     /*
372      * Check password quality if not changing as administrator
373      */
374 
375     if (krb5_principal_compare(context, admin_principal, principal) == TRUE) {
376 
377           pwd_reason = kadm5_check_password_quality (context, principal,
378                                                                pwd_data);
379           if (pwd_reason != NULL ) {
380               krb5_warnx (context,
381                               "%s didn't pass password quality check with error: %s",
382                               client, pwd_reason);
383               reply_priv (auth_context, s, sa, sa_size,
384                               KRB5_KPASSWD_SOFTERROR, pwd_reason);
385               goto out;
386           }
387           krb5_warnx (context, "Changing password for %s", client);
388     } else {
389           ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW,
390                                                     principal);
391           if (ret) {
392               krb5_warn (context, ret,
393                            "Check ACL failed for %s for changing %s password",
394                            admin, client);
395               reply_priv (auth_context, s, sa, sa_size,
396                               KRB5_KPASSWD_HARDERROR, "permission denied");
397               goto out;
398           }
399           krb5_warnx (context, "%s is changing password for %s", admin, client);
400     }
401 
402     ret = krb5_data_realloc(pwd_data, pwd_data->length + 1);
403     if (ret) {
404           krb5_warn (context, ret, "malloc: out of memory");
405           reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR,
406                         "Internal error");
407           goto out;
408     }
409     tmp = pwd_data->data;
410     tmp[pwd_data->length - 1] = '\0';
411 
412     ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, 1, tmp);
413     krb5_free_data (context, pwd_data);
414     pwd_data = NULL;
415     if (ret) {
416           const char *str = krb5_get_error_message(context, ret);
417           krb5_warnx(context, "kadm5_s_chpass_principal_cond: %s", str);
418           reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR,
419                         str ? str : "Internal error");
420           krb5_free_error_message(context, str);
421           goto out;
422     }
423     reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SUCCESS,
424                     "Password changed");
425 out:
426     free_ChangePasswdDataMS(&chpw);
427     if (principal != admin_principal)
428           krb5_free_principal(context, principal);
429     if (admin)
430           free(admin);
431     if (client)
432           free(client);
433     if (pwd_data)
434           krb5_free_data(context, pwd_data);
435     if (kadm5_handle)
436           kadm5_destroy (kadm5_handle);
437 }
438 
439 static int
verify(krb5_auth_context * auth_context,krb5_keytab keytab,krb5_ticket ** ticket,krb5_data * out_data,uint16_t * version,int s,struct sockaddr * sa,int sa_size,u_char * msg,size_t len,krb5_address * client_addr)440 verify (krb5_auth_context *auth_context,
441           krb5_keytab keytab,
442           krb5_ticket **ticket,
443           krb5_data *out_data,
444           uint16_t *version,
445           int s,
446           struct sockaddr *sa,
447           int sa_size,
448           u_char *msg,
449           size_t len,
450           krb5_address *client_addr)
451 {
452     krb5_error_code ret;
453     uint16_t pkt_len, pkt_ver, ap_req_len;
454     krb5_data ap_req_data;
455     krb5_data krb_priv_data;
456     krb5_const_realm client_realm;
457     krb5_principal sprinc;
458     int same;
459 
460     /*
461      * Only send an error reply if the request passes basic length
462      * verification.  Otherwise, kpasswdd would reply to every UDP packet,
463      * allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP
464      * packet with a source address of another UDP service that also replies
465      * to every packet.
466      *
467      * Also suppress the error reply if ap_req_len is 0, which indicates
468      * either an invalid request or an error packet.  An error packet may be
469      * the result of a ping-pong attacker pointing us at another kpasswdd.
470      */
471     pkt_len = (msg[0] << 8) | (msg[1]);
472     pkt_ver = (msg[2] << 8) | (msg[3]);
473     ap_req_len = (msg[4] << 8) | (msg[5]);
474     if (pkt_len != len) {
475           krb5_warnx (context, "Strange len: %ld != %ld",
476                         (long)pkt_len, (long)len);
477           return 1;
478     }
479     if (ap_req_len == 0) {
480           krb5_warnx (context, "Request is error packet (ap_req_len == 0)");
481           return 1;
482     }
483     if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
484           pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
485           krb5_warnx (context, "Bad version (%d)", pkt_ver);
486           reply_error (NULL, s, sa, sa_size, 0, 1, "Wrong program version");
487           return 1;
488     }
489     *version = pkt_ver;
490 
491     ap_req_data.data   = msg + 6;
492     ap_req_data.length = ap_req_len;
493 
494     ret = krb5_rd_req (context,
495                            auth_context,
496                            &ap_req_data,
497                            NULL,
498                            keytab,
499                            NULL,
500                            ticket);
501     if (ret) {
502           krb5_warn (context, ret, "krb5_rd_req");
503           reply_error (NULL, s, sa, sa_size, ret, 3, "Authentication failed");
504           return 1;
505     }
506 
507     if (!(*ticket)->ticket.flags.initial) {
508           krb5_warnx(context, "initial flag not set");
509           reply_error((*ticket)->server->realm, s, sa, sa_size, ret, 1,
510                         "Bad request");
511           goto out;
512     }
513 
514     /*
515      * The service principal must be kadmin/changepw@CLIENT-REALM, there
516      * is no reason to require the KDC's default realm(s) to be the same
517      * as the realm(s) it serves. The only potential issue is when a KDC
518      * is a master for realm A and a slave for realm B, in which case it
519      * should not accept requests to change passwords for realm B, these
520      * should be sent to realm B's master. This same issue is present in
521      * the checks that only accepted local realms, there is no new risk.
522      */
523 
524     client_realm = krb5_principal_get_realm(context, (*ticket)->client);
525     ret = krb5_make_principal(context, &sprinc, client_realm,
526                                     "kadmin", "changepw", NULL);
527     if (ret)
528           goto out;
529     same = krb5_principal_compare(context, sprinc, (*ticket)->server);
530     krb5_free_principal(context, sprinc);
531 
532     if (!same) {
533           char *sname;
534 
535           if (krb5_unparse_name(context, (*ticket)->server, &sname) != 0)
536               sname = NULL;
537           krb5_warnx(context, "Invalid kpasswd service principal %s",
538                        sname ? sname : "<enomem>");
539           free(sname);
540           reply_error(NULL, s, sa, sa_size, ret, 1, "Bad request");
541           goto out;
542     }
543     krb_priv_data.data   = msg + 6 + ap_req_len;
544     krb_priv_data.length = len - 6 - ap_req_len;
545 
546     /*
547      * Only enforce client addresses on on tickets with addresses.  If
548      * its addressless, we are guessing its behind NAT and really
549      * can't know this information.
550      */
551 
552     if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
553           ret = krb5_auth_con_setaddrs (context, *auth_context,
554                                               NULL, client_addr);
555           if (ret) {
556               krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
557               goto out;
558           }
559     }
560 
561     ret = krb5_rd_priv (context,
562                               *auth_context,
563                               &krb_priv_data,
564                               out_data,
565                               NULL);
566 
567     if (ret) {
568           krb5_warn (context, ret, "krb5_rd_priv");
569           reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 3,
570                          "Bad request");
571           goto out;
572     }
573     return 0;
574 out:
575     krb5_free_ticket (context, *ticket);
576     ticket = NULL;
577     return 1;
578 }
579 
580 static void
process(krb5_keytab keytab,int s,krb5_address * this_addr,struct sockaddr * sa,int sa_size,u_char * msg,int len)581 process (krb5_keytab keytab,
582            int s,
583            krb5_address *this_addr,
584            struct sockaddr *sa,
585            int sa_size,
586            u_char *msg,
587            int len)
588 {
589     krb5_error_code ret;
590     krb5_auth_context auth_context = NULL;
591     krb5_data out_data;
592     krb5_ticket *ticket;
593     krb5_address other_addr;
594     uint16_t version;
595 
596     memset(&other_addr, 0, sizeof(other_addr));
597     krb5_data_zero (&out_data);
598 
599     ret = krb5_auth_con_init (context, &auth_context);
600     if (ret) {
601           krb5_warn (context, ret, "krb5_auth_con_init");
602           return;
603     }
604 
605     krb5_auth_con_setflags (context, auth_context,
606                                   KRB5_AUTH_CONTEXT_DO_SEQUENCE);
607 
608     ret = krb5_sockaddr2address (context, sa, &other_addr);
609     if (ret) {
610           krb5_warn (context, ret, "krb5_sockaddr2address");
611           goto out;
612     }
613 
614     ret = krb5_auth_con_setaddrs (context, auth_context, this_addr, NULL);
615     if (ret) {
616           krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
617           goto out;
618     }
619 
620     if (verify (&auth_context, keytab, &ticket, &out_data,
621                     &version, s, sa, sa_size, msg, len, &other_addr) == 0)
622     {
623           /*
624            * We always set the client_addr, to assume that the client
625            * can ignore it if it choose to do so (just the server does
626            * so for addressless tickets).
627            */
628           ret = krb5_auth_con_setaddrs (context, auth_context,
629                                               this_addr, &other_addr);
630           if (ret) {
631               krb5_warn (context, ret, "krb5_auth_con_setaddr(other)");
632               goto out;
633           }
634 
635           change (auth_context,
636                     ticket->client,
637                     version,
638                     s,
639                     sa, sa_size,
640                     &out_data);
641           memset (out_data.data, 0, out_data.length);
642           krb5_free_ticket (context, ticket);
643     }
644 
645 out:
646     krb5_free_address(context, &other_addr);
647     krb5_data_free(&out_data);
648     krb5_auth_con_free(context, auth_context);
649 }
650 
651 #ifdef INETD_SUPPORT
652 /*
653  * XXX this code relies on getsockname() returning a valid local
654  * address for a "connected" DGRAM socket. This is true for most, but
655  * probably not all systems. For some systems, this could be done
656  * cleaner by using the IP_RECVDSTADDR option + recvmsg().
657  */
658 static int
get_local_addr(struct sockaddr * remote,int remlen,struct sockaddr * local,socklen_t * loclen)659 get_local_addr(struct sockaddr *remote, int remlen,
660                  struct sockaddr *local, socklen_t *loclen)
661 {
662           int s, ret;
663 
664           s = socket(remote->sa_family, SOCK_DGRAM, 0);
665           if (s < 0)
666                     return -1;
667 
668           if (connect(s, remote, remlen) < 0) {
669                     close(s);
670                     return -1;
671           }
672 
673           ret = getsockname(s, local, loclen);
674           close(s);
675           return ret;
676 }
677 #endif
678 
679 static const char *check_library  = NULL;
680 static const char *check_function = NULL;
681 static getarg_strings policy_libraries = { 0, NULL };
682 static char sHDB[] = "HDBGET:";
683 static char *keytab_str = sHDB;
684 static char *realm_str;
685 static int version_flag;
686 static int help_flag;
687 static int detach_from_console;
688 static int daemon_child = -1;
689 static char *port_str;
690 static char *config_file;
691 
692 struct getargs args[] = {
693 #ifdef HAVE_DLOPEN
694     { "check-library", 0, arg_string, &check_library,
695       "library to load password check function from", "library" },
696     { "check-function", 0, arg_string, &check_function,
697       "password check function to load", "function" },
698     { "policy-libraries", 0, arg_strings, &policy_libraries,
699       "password check function to load", "function" },
700 #endif
701     { "addresses", 0, arg_strings, &addresses_str,
702       "addresses to listen on", "list of addresses" },
703     { "detach", 0, arg_flag, &detach_from_console,
704       "detach from console", NULL },
705     { "daemon-child",       0 ,      arg_integer, &daemon_child,
706       "private argument, do not use", NULL },
707     { "keytab", 'k', arg_string, &keytab_str,
708       "keytab to get authentication key from", "kspec" },
709     { "config-file", 'c', arg_string, &config_file, NULL, NULL },
710     { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
711     { "port",  'p', arg_string, &port_str, "port", NULL },
712     { "version", 0, arg_flag, &version_flag, NULL, NULL },
713     { "help", 0, arg_flag, &help_flag, NULL, NULL }
714 };
715 int num_args = sizeof(args) / sizeof(args[0]);
716 
717 static int
doit(krb5_keytab keytab,int port)718 doit(krb5_keytab keytab, int port)
719 {
720     krb5_error_code ret;
721     int *sockets;
722     int maxfd;
723     krb5_addresses addrs;
724     krb5_address *my_addrp;
725     unsigned n, i;
726     fd_set real_fdset;
727     struct sockaddr_storage __ss;
728     struct sockaddr *sa = (struct sockaddr *)&__ss;
729 #ifdef INETD_SUPPORT
730     int fdz;
731     int from_inetd;
732     socklen_t fromlen;
733     krb5_address my_addr;
734     struct sockaddr_storage __local;
735     struct sockaddr *localsa = (struct sockaddr *)&__local;
736 #endif
737 
738 #ifdef INETD_SUPPORT
739     fromlen = sizeof __ss;
740     from_inetd = (getsockname(0, sa, &fromlen) == 0);
741 
742     if (!from_inetd) {
743 #endif
744     if (explicit_addresses.len) {
745           addrs = explicit_addresses;
746     } else {
747           ret = krb5_get_all_server_addrs(context, &addrs);
748           if (ret)
749               krb5_err(context, 1, ret, "krb5_get_all_server_addrs");
750     }
751     n = addrs.len;
752 
753     sockets = malloc(n * sizeof(*sockets));
754     if (sockets == NULL)
755           krb5_errx(context, 1, "out of memory");
756     maxfd = -1;
757     FD_ZERO(&real_fdset);
758     for (i = 0; i < n; ++i) {
759           krb5_socklen_t sa_size = sizeof(__ss);
760 
761           krb5_addr2sockaddr(context, &addrs.val[i], sa, &sa_size, port);
762 
763           sockets[i] = socket(__ss.ss_family, SOCK_DGRAM, 0);
764           if (sockets[i] < 0)
765               krb5_err(context, 1, errno, "socket");
766           if (bind(sockets[i], sa, sa_size) < 0) {
767               char str[128];
768               size_t len;
769               int save_errno = errno;
770 
771               ret = krb5_print_address(&addrs.val[i], str, sizeof(str), &len);
772               if (ret)
773                     strlcpy(str, "unknown address", sizeof(str));
774               krb5_warn(context, save_errno, "bind(%s)", str);
775               continue;
776           }
777           maxfd = max(maxfd, sockets[i]);
778           if (maxfd >= FD_SETSIZE)
779               krb5_errx(context, 1, "fd too large");
780           FD_SET(sockets[i], &real_fdset);
781     }
782 #ifdef INETD_SUPPORT
783     } else {
784         n = 1;
785         maxfd = 0;
786           fdz = 0;
787         sockets = &fdz;
788         FD_ZERO(&real_fdset);
789         FD_SET(0, &real_fdset);
790     }
791 #endif
792     if (maxfd == -1)
793           krb5_errx(context, 1, "No sockets!");
794 
795     roken_detach_finish(NULL, daemon_child);
796 
797     while (exit_flag == 0) {
798           krb5_ssize_t retx;
799           fd_set fdset = real_fdset;
800 
801           retx = select(maxfd + 1, &fdset, NULL, NULL, NULL);
802           if (retx < 0) {
803               if (errno == EINTR)
804                     continue;
805               else
806                     krb5_err(context, 1, errno, "select");
807           }
808           for (i = 0; i < n; ++i)
809               if (FD_ISSET(sockets[i], &fdset)) {
810                     u_char buf[BUFSIZ];
811                     socklen_t addrlen = sizeof(__ss);
812 
813                     retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
814                                         sa, &addrlen);
815                     if (retx < 0) {
816                         if (errno == EINTR)
817                               break;
818                         else
819                               krb5_err(context, 1, errno, "recvfrom");
820                     }
821 #ifdef INETD_SUPPORT
822                     if (from_inetd) {
823                               socklen_t loclen = sizeof(__local);
824                               int ret2;
825 
826                               ret2 = get_local_addr(sa, addrlen, localsa, &loclen);
827                               if (ret2 < 0)
828                                         krb5_errx (context, errno, "get_local_addr");
829                               ret2 = krb5_sockaddr2address(context, localsa,
830                                   &my_addr);
831                               if (ret2)
832                                         krb5_errx (context, ret2,
833                                             "krb5_sockaddr2address");
834                               my_addrp = &my_addr;
835                     } else
836 #endif
837                     my_addrp = &addrs.val[i];
838 
839                     process(keytab, sockets[i],
840                                my_addrp,
841                                sa, addrlen,
842                                buf, retx);
843 #ifdef INETD_SUPPORT
844                     if (from_inetd) {
845                         krb5_free_address(context, &my_addr);
846                     }
847 #endif
848               }
849 #ifdef INETD_SUPPORT
850           if (from_inetd)
851               break;
852 #endif
853     }
854 
855     for (i = 0; i < n; ++i)
856           close(sockets[i]);
857     free(sockets);
858 
859 #ifdef INETD_SUPPORT
860     if (!from_inetd)
861 #endif
862     krb5_free_addresses (context, &addrs);
863     krb5_free_context (context);
864     return 0;
865 }
866 
867 static RETSIGTYPE
sigterm(int sig)868 sigterm(int sig)
869 {
870     exit_flag = 1;
871 }
872 
873 int
main(int argc,char ** argv)874 main(int argc, char **argv)
875 {
876     krb5_keytab keytab;
877     krb5_error_code ret;
878     char **files;
879     int port, i;
880     int aret;
881 
882     krb5_program_setup(&context, argc, argv, args, num_args, NULL);
883 
884     if (help_flag)
885           krb5_std_usage(0, args, num_args);
886 
887     if (version_flag) {
888           print_version(NULL);
889           exit(0);
890     }
891 
892     if (detach_from_console > 0 && daemon_child == -1)
893         roken_detach_prep(argc, argv, "--daemon-child");
894 
895     if (config_file == NULL) {
896           aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
897           if (aret == -1)
898               errx(1, "out of memory");
899     }
900 
901     ret = krb5_prepend_config_files_default(config_file, &files);
902     if (ret)
903           krb5_err(context, 1, ret, "getting configuration files");
904 
905     ret = krb5_set_config_files(context, files);
906     krb5_free_config_files(files);
907     if (ret)
908           krb5_err(context, 1, ret, "reading configuration files");
909 
910     if (realm_str)
911           krb5_set_default_realm(context, realm_str);
912 
913     krb5_openlog(context, "kpasswdd", &log_facility);
914     krb5_set_warn_dest(context, log_facility);
915 
916     if (port_str != NULL) {
917           struct servent *s = roken_getservbyname(port_str, "udp");
918 
919           if (s != NULL)
920               port = s->s_port;
921           else {
922               char *ptr;
923 
924               port = strtol(port_str, &ptr, 10);
925               if (port == 0 && ptr == port_str)
926                     krb5_errx(context, 1, "bad port `%s'", port_str);
927               port = htons(port);
928           }
929     } else
930           port = krb5_getportbyname(context, "kpasswd", "udp", KPASSWD_PORT);
931 
932     ret = krb5_kt_register(context, &hdb_get_kt_ops);
933     if (ret)
934           krb5_err(context, 1, ret, "krb5_kt_register");
935 
936     ret = krb5_kt_resolve(context, keytab_str, &keytab);
937     if (ret)
938           krb5_err(context, 1, ret, "%s", keytab_str);
939 
940     kadm5_setup_passwd_quality_check(context, check_library, check_function);
941 
942     for (i = 0; i < policy_libraries.num_strings; i++) {
943           ret = kadm5_add_passwd_quality_verifier(context,
944                                                             policy_libraries.strings[i]);
945           if (ret)
946               krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
947     }
948     ret = kadm5_add_passwd_quality_verifier(context, NULL);
949     if (ret)
950           krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
951 
952 
953     explicit_addresses.len = 0;
954 
955     if (addresses_str.num_strings) {
956           int j;
957 
958           for (j = 0; j < addresses_str.num_strings; ++j)
959               add_one_address(addresses_str.strings[j], j == 0);
960           free_getarg_strings(&addresses_str);
961     } else {
962           char **foo = krb5_config_get_strings(context, NULL,
963                                                         "kdc", "addresses", NULL);
964 
965           if (foo != NULL) {
966               add_one_address(*foo++, TRUE);
967               while (*foo)
968                     add_one_address(*foo++, FALSE);
969           }
970     }
971 
972 #ifdef HAVE_SIGACTION
973     {
974           struct sigaction sa;
975 
976           sa.sa_flags = 0;
977           sa.sa_handler = sigterm;
978           sigemptyset(&sa.sa_mask);
979 
980           sigaction(SIGINT,  &sa, NULL);
981           sigaction(SIGTERM, &sa, NULL);
982     }
983 #else
984     signal(SIGINT,  sigterm);
985     signal(SIGTERM, sigterm);
986 #endif
987 
988     rk_pidfile(NULL);
989 
990     return doit(keytab, port);
991 }
992