xref: /illumos-gate/usr/src/lib/krb5/kadm5/clnt/changepw.c (revision 159d09a2)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 
7 /*
8  * lib/krb5/os/changepw.c
9  *
10  * Copyright 1990,1999 by the Massachusetts Institute of Technology.
11  * All Rights Reserved.
12  *
13  * Export of this software from the United States of America may
14  *   require a specific license from the United States Government.
15  *   It is the responsibility of any person or organization contemplating
16  *   export to obtain such a license before exporting.
17  *
18  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
19  * distribute this software and its documentation for any purpose and
20  * without fee is hereby granted, provided that the above copyright
21  * notice appear in all copies and that both that copyright notice and
22  * this permission notice appear in supporting documentation, and that
23  * the name of M.I.T. not be used in advertising or publicity pertaining
24  * to distribution of the software without specific, written prior
25  * permission.  Furthermore if you modify this software you must label
26  * your software as modified software and not distribute it in such a
27  * fashion that it might be confused with the original M.I.T. software.
28  * M.I.T. makes no representations about the suitability of
29  * this software for any purpose.  It is provided "as is" without express
30  * or implied warranty.
31  *
32  */
33 
34 #define	NEED_SOCKETS
35 #include <k5-int.h>
36 #include <kadm5/admin.h>
37 #include <client_internal.h>
38 #include <gssapi/gssapi.h>
39 #include <gssapi_krb5.h>
40 #include <gssapiP_krb5.h>
41 #include <krb5.h>
42 
43 /* #include "adm_err.h" */
44 #include <stdio.h>
45 #include <errno.h>
46 
47 extern krb5_error_code krb5int_mk_chpw_req(krb5_context  context,
48 					krb5_auth_context auth_context,
49 					krb5_data *ap_req, char *passwd,
50 					krb5_data *packet);
51 
52 extern krb5_error_code krb5int_rd_chpw_rep(krb5_context context,
53 					krb5_auth_context auth_context,
54 					krb5_data *packet, int *result_code,
55 					krb5_data *result_data);
56 
57 /*
58  * _kadm5_get_kpasswd_protocol
59  *
60  * returns the password change protocol value to the caller.
61  * Since the 'handle' is an opaque value to higher up callers,
62  * this method is needed to provide a way for them to get a peek
63  * at the protocol being used without having to expose the entire
64  * handle structure.
65  */
66 krb5_chgpwd_prot
_kadm5_get_kpasswd_protocol(void * handle)67 _kadm5_get_kpasswd_protocol(void *handle)
68 {
69 	kadm5_server_handle_t srvrhdl = (kadm5_server_handle_t)handle;
70 
71 	return (srvrhdl->params.kpasswd_protocol);
72 }
73 
74 /*
75  * krb5_change_password
76  *
77  * Prepare and send a CHANGEPW request to a password server
78  * using UDP datagrams.  This is only used for sending to
79  * non-SEAM servers which support the Marc Horowitz defined
80  * protocol (1998) for password changing.
81  *
82  * SUNW14resync - added _local as it conflicts with one in krb5.h
83  */
84 static krb5_error_code
krb5_change_password_local(context,params,creds,newpw,srvr_rsp_code,srvr_msg)85 krb5_change_password_local(context, params, creds, newpw, srvr_rsp_code,
86 		    srvr_msg)
87 krb5_context context;
88 kadm5_config_params *params;
89 krb5_creds *creds;
90 char *newpw;
91 kadm5_ret_t *srvr_rsp_code;
92 krb5_data *srvr_msg;
93 {
94 	krb5_auth_context auth_context;
95 	krb5_data ap_req, chpw_req, chpw_rep;
96 	krb5_address local_kaddr, remote_kaddr;
97 	krb5_error_code code = 0;
98 	int i, addrlen;
99 	struct sockaddr *addr_p, local_addr, remote_addr, tmp_addr;
100 	struct sockaddr_in *sin_p;
101 	struct hostent *hp;
102 	int naddr_p;
103 	int cc, local_result_code, tmp_len;
104 	SOCKET s1 = INVALID_SOCKET;
105 	SOCKET s2 = INVALID_SOCKET;
106 
107 
108 	/* Initialize values so that cleanup call can safely check for NULL */
109 	auth_context = NULL;
110 	addr_p = NULL;
111 	memset(&chpw_req, 0, sizeof (krb5_data));
112 	memset(&chpw_rep, 0, sizeof (krb5_data));
113 	memset(&ap_req, 0, sizeof (krb5_data));
114 
115 	/* initialize auth_context so that we know we have to free it */
116 	if ((code = krb5_auth_con_init(context, &auth_context)))
117 		goto cleanup;
118 
119 	if (code = krb5_mk_req_extended(context, &auth_context,
120 					AP_OPTS_USE_SUBKEY,
121 					NULL, creds, &ap_req))
122 		goto cleanup;
123 
124 	/*
125 	 * find the address of the kpasswd_server.
126 	 */
127 	addr_p = (struct sockaddr *)malloc(sizeof (struct sockaddr));
128 	if (!addr_p)
129 		goto cleanup;
130 	memset(addr_p, 0, sizeof (struct sockaddr));
131 	if ((hp = gethostbyname(params->kpasswd_server)) == NULL) {
132 		code = KRB5_REALM_CANT_RESOLVE;
133 		goto cleanup;
134 	}
135 	sin_p = (struct sockaddr_in *)addr_p;
136 	memset((char *)sin_p, 0, sizeof (struct sockaddr));
137 	sin_p->sin_family = hp->h_addrtype;
138 	sin_p->sin_port = htons(params->kpasswd_port);
139 	memcpy((char *)&sin_p->sin_addr, (char *)hp->h_addr, hp->h_length);
140 	naddr_p = 1;
141 
142 
143 	/*
144 	 * this is really obscure.  s1 is used for all communications.  it
145 	 * is left unconnected in case the server is multihomed and routes
146 	 * are asymmetric.  s2 is connected to resolve routes and get
147 	 * addresses.  this is the *only* way to get proper addresses for
148 	 * multihomed hosts if routing is asymmetric.
149 	 *
150 	 * A related problem in the server, but not the client, is that
151 	 * many os's have no way to disconnect a connected udp socket, so
152 	 * the s2 socket needs to be closed and recreated for each
153 	 * request.  The s1 socket must not be closed, or else queued
154 	 * requests will be lost.
155 	 *
156 	 * A "naive" client implementation (one socket, no connect,
157 	 * hostname resolution to get the local ip addr) will work and
158 	 * interoperate if the client is single-homed.
159 	 */
160 
161 	if ((s1 = socket(AF_INET, SOCK_DGRAM, 0)) == INVALID_SOCKET)
162 	{
163 		code = errno;
164 		goto cleanup;
165 	}
166 
167 	if ((s2 = socket(AF_INET, SOCK_DGRAM, 0)) == INVALID_SOCKET)
168 	{
169 		code = errno;
170 		goto cleanup;
171 	}
172 
173 	for (i = 0; i < naddr_p; i++)
174 	{
175 		fd_set fdset;
176 		struct timeval timeout;
177 
178 		if (connect(s2, &addr_p[i], sizeof (addr_p[i])) ==
179 		    SOCKET_ERROR)
180 		{
181 			if ((errno == ECONNREFUSED) ||
182 			    (errno == EHOSTUNREACH))
183 				continue; /* try the next addr */
184 
185 			code = errno;
186 			goto cleanup;
187 		}
188 
189 		addrlen = sizeof (local_addr);
190 
191 		if (getsockname(s2, &local_addr, &addrlen) < 0)
192 		{
193 			if ((errno == ECONNREFUSED) ||
194 			    (errno == EHOSTUNREACH))
195 				continue; /* try the next addr */
196 
197 			code = errno;
198 			goto cleanup;
199 		}
200 
201 		/*
202 		 * some brain-dead OS's don't return useful information from
203 		 * the getsockname call.  Namely, windows and solaris.
204 		 */
205 		if (((struct sockaddr_in *)&local_addr)->sin_addr.s_addr != 0)
206 		{
207 			local_kaddr.addrtype = ADDRTYPE_INET;
208 			local_kaddr.length = sizeof (((struct sockaddr_in *)
209 						    &local_addr)->sin_addr);
210 			local_kaddr.contents = (krb5_octet *)
211 				&(((struct sockaddr_in *)
212 				&local_addr)->sin_addr);
213 		}
214 		else
215 		{
216 			krb5_address **addrs;
217 
218 			krb5_os_localaddr(context, &addrs);
219 
220 			local_kaddr.magic = addrs[0]->magic;
221 			local_kaddr.addrtype = addrs[0]->addrtype;
222 			local_kaddr.length = addrs[0]->length;
223 			local_kaddr.contents = malloc(addrs[0]->length);
224 			memcpy(local_kaddr.contents, addrs[0]->contents,
225 			    addrs[0]->length);
226 
227 			krb5_free_addresses(context, addrs);
228 		}
229 
230 		addrlen = sizeof (remote_addr);
231 		if (getpeername(s2, &remote_addr, &addrlen) < 0)
232 		{
233 			if ((errno == ECONNREFUSED) ||
234 			    (errno == EHOSTUNREACH))
235 				continue; /* try the next addr */
236 
237 			code = errno;
238 			goto cleanup;
239 		}
240 
241 		remote_kaddr.addrtype = ADDRTYPE_INET;
242 		remote_kaddr.length = sizeof (((struct sockaddr_in *)
243 					    &remote_addr)->sin_addr);
244 		remote_kaddr.contents = (krb5_octet *)
245 			&(((struct sockaddr_in *)&remote_addr)->sin_addr);
246 
247 		/*
248 		 * mk_priv requires that the local address be set.
249 		 * getsockname is used for this.  rd_priv requires that the
250 		 * remote address be set.  recvfrom is used for this.  If
251 		 * rd_priv is given a local address, and the message has the
252 		 * recipient addr in it, this will be checked.  However, there
253 		 * is simply no way to know ahead of time what address the
254 		 * message will be delivered *to*.  Therefore, it is important
255 		 * that either no recipient address is in the messages when
256 		 * mk_priv is called, or that no local address is passed to
257 		 * rd_priv.  Both is a better idea, and I have done that.  In
258 		 * summary, when mk_priv is called, *only* a local address is
259 		 * specified.  when rd_priv is called, *only* a remote address
260 		 * is specified.  Are we having fun yet?
261 		 */
262 
263 		if (code = krb5_auth_con_setaddrs(context, auth_context,
264 						&local_kaddr, NULL))
265 		{
266 			code = errno;
267 			goto cleanup;
268 		}
269 
270 		if (code = krb5int_mk_chpw_req(context, auth_context,
271 					    &ap_req, newpw, &chpw_req))
272 		{
273 			code = errno;
274 			goto cleanup;
275 		}
276 
277 		if ((cc = sendto(s1, chpw_req.data, chpw_req.length, 0,
278 		    (struct sockaddr *)&addr_p[i],
279 		    sizeof (addr_p[i]))) != chpw_req.length)
280 		{
281 			if ((cc < 0) && ((errno == ECONNREFUSED) ||
282 					(errno == EHOSTUNREACH)))
283 				continue; /* try the next addr */
284 
285 			code = (cc < 0) ? errno : ECONNABORTED;
286 			goto cleanup;
287 		}
288 
289 		chpw_rep.length = 1500;
290 		chpw_rep.data = (char *)malloc(chpw_rep.length);
291 
292 		/* XXX need a timeout/retry loop here */
293 		FD_ZERO(&fdset);
294 		FD_SET(s1, &fdset);
295 		timeout.tv_sec = 120;
296 		timeout.tv_usec = 0;
297 		switch (select(s1 + 1, &fdset, 0, 0, &timeout)) {
298 		case -1:
299 			code = errno;
300 			goto cleanup;
301 		case 0:
302 			code = ETIMEDOUT;
303 			goto cleanup;
304 		default:
305 			/* fall through */
306 			;
307 		}
308 
309 		tmp_len = sizeof (tmp_addr);
310 		if ((cc = recvfrom(s1, chpw_rep.data, chpw_rep.length,
311 				0, &tmp_addr, &tmp_len)) < 0)
312 		{
313 			code = errno;
314 			goto cleanup;
315 		}
316 
317 		closesocket(s1);
318 		s1 = INVALID_SOCKET;
319 		closesocket(s2);
320 		s2 = INVALID_SOCKET;
321 
322 		chpw_rep.length = cc;
323 
324 		if (code = krb5_auth_con_setaddrs(context, auth_context,
325 						NULL, &remote_kaddr))
326 			goto cleanup;
327 
328 		if (code = krb5int_rd_chpw_rep(context, auth_context, &chpw_rep,
329 					&local_result_code, srvr_msg))
330 			goto cleanup;
331 
332 		if (srvr_rsp_code)
333 			*srvr_rsp_code = local_result_code;
334 
335 		code = 0;
336 		goto cleanup;
337 	}
338 
339 	code = errno;
340 
341 cleanup:
342 	if (auth_context != NULL)
343 		krb5_auth_con_free(context, auth_context);
344 
345 	if (addr_p != NULL)
346 		krb5_xfree(addr_p);
347 
348 	if (s1 != INVALID_SOCKET)
349 		closesocket(s1);
350 
351 	if (s2 != INVALID_SOCKET)
352 		closesocket(s2);
353 
354 	krb5_xfree(chpw_req.data);
355 	krb5_xfree(chpw_rep.data);
356 	krb5_xfree(ap_req.data);
357 
358 	return (code);
359 }
360 
361 
362 /*
363  * kadm5_chpass_principal_v2
364  *
365  * New function used to prepare to make the change password request to a
366  * non-SEAM admin server.  The protocol used in this case is not based on
367  * RPCSEC_GSS, it simply makes the request to port 464 (udp and tcp).
368  * This is the same way that MIT KRB5 1.2.1 changes passwords.
369  */
370 kadm5_ret_t
kadm5_chpass_principal_v2(void * server_handle,krb5_principal princ,char * newpw,kadm5_ret_t * srvr_rsp_code,krb5_data * srvr_msg)371 kadm5_chpass_principal_v2(void *server_handle,
372 			krb5_principal princ,
373 			char *newpw,
374 			kadm5_ret_t *srvr_rsp_code,
375 			krb5_data *srvr_msg)
376 {
377 	kadm5_ret_t code;
378 	kadm5_server_handle_t handle  = (kadm5_server_handle_t)server_handle;
379 	krb5_error_code result;
380 	krb5_creds mcreds;
381 	krb5_creds ncreds;
382 	krb5_ccache ccache;
383 	int cpwlen;
384 	char *cpw_service = NULL;
385 
386 	/*
387 	 * The credentials have already been stored in the cache in the
388 	 * initialization step earlier, but we dont have direct access to it
389 	 * at this level. Derive the cache and fetch the credentials to use for
390 	 * sending the request.
391 	 */
392 	memset(&mcreds, 0, sizeof (krb5_creds));
393 	if ((code = krb5_cc_resolve(handle->context, handle->cache_name,
394 				    &ccache)))
395 		return (code);
396 
397 	/* set the client principal in the credential match structure */
398 	mcreds.client = princ;
399 
400 	/*
401 	 * set the server principal (kadmin/changepw@REALM) in the credential
402 	 * match struct
403 	 */
404 	cpwlen = strlen(KADM5_CHANGEPW_SERVICE) +
405 		strlen(handle->params.realm) + 2;
406 	cpw_service = malloc(cpwlen);
407 	if (cpw_service == NULL) {
408 		return (ENOMEM);
409 	}
410 
411 	snprintf(cpw_service, cpwlen, "%s@%s",
412 		KADM5_CHANGEPW_SERVICE,	handle->params.realm);
413 
414 	/* generate the server principal from the name string we generated */
415 	if ((code = krb5_parse_name(handle->context, cpw_service,
416 		&mcreds.server))) {
417 		free(cpw_service);
418 		return (code);
419 	}
420 
421 	/* Find the credentials in the cache */
422 	if ((code = krb5_cc_retrieve_cred(handle->context, ccache, 0, &mcreds,
423 					&ncreds))) {
424 		free(cpw_service);
425 		return (code);
426 	}
427 
428 	/* Now we have all we need to make the change request. */
429 	result = krb5_change_password_local(handle->context, &handle->params,
430 				    &ncreds, newpw,
431 				    srvr_rsp_code,
432 				    srvr_msg);
433 
434 	free(cpw_service);
435 	return (result);
436 }
437