1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krb5/os/locate_kdc.c - Get addresses for realm KDCs and other servers */
4 * Copyright 1990,2000,2001,2002,2003,2004,2006,2008 Massachusetts Institute of
5 * Technology. All Rights Reserved.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
28 #include "fake-addrinfo.h"
31 #ifdef KRB5_DNS_LOOKUP
33 #define DEFAULT_LOOKUP_KDC 1
34 #if KRB5_DNS_LOOKUP_REALM
35 #define DEFAULT_LOOKUP_REALM 1
37 #define DEFAULT_LOOKUP_REALM 0
39 #define DEFAULT_URI_LOOKUP TRUE
42 maybe_use_dns (krb5_context context, const char *name, int defalt)
48 code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
50 if (value == 0 && code == 0) {
51 code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
52 KRB5_CONF_DNS_FALLBACK, 0, 0, &value);
60 use_dns = _krb5_conf_boolean(value);
61 profile_release_string(value);
66 use_dns_uri(krb5_context ctx)
71 ret = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
72 KRB5_CONF_DNS_URI_LOOKUP, NULL,
73 DEFAULT_URI_LOOKUP, &use);
74 return ret ? DEFAULT_URI_LOOKUP : use;
78 _krb5_use_dns_kdc(krb5_context context)
80 return maybe_use_dns(context, KRB5_CONF_DNS_LOOKUP_KDC,
85 _krb5_use_dns_realm(krb5_context context)
87 return maybe_use_dns(context, KRB5_CONF_DNS_LOOKUP_REALM,
88 DEFAULT_LOOKUP_REALM);
91 #endif /* KRB5_DNS_LOOKUP */
93 /* Free up everything pointed to by the serverlist structure, but don't
94 * free the structure itself. */
96 k5_free_serverlist (struct serverlist *list)
100 for (i = 0; i < list->nservers; i++) {
101 free(list->servers[i].hostname);
102 free(list->servers[i].uri_path);
105 list->servers = NULL;
111 Tprintf(const char *fmt, ...)
116 vfprintf(stderr, fmt, ap);
121 /* Make room for a new server entry in list and return a pointer to the new
122 * entry. (Do not increment list->nservers.) */
123 static struct server_entry *
124 new_server_entry(struct serverlist *list)
126 struct server_entry *newservers, *entry;
127 size_t newspace = (list->nservers + 1) * sizeof(struct server_entry);
129 newservers = realloc(list->servers, newspace);
130 if (newservers == NULL)
132 list->servers = newservers;
133 entry = &newservers[list->nservers];
134 memset(entry, 0, sizeof(*entry));
139 /* Add an address entry to list. */
141 add_addr_to_list(struct serverlist *list, k5_transport transport, int family,
142 size_t addrlen, struct sockaddr *addr)
144 struct server_entry *entry;
146 entry = new_server_entry(list);
149 entry->transport = transport;
150 entry->family = family;
151 entry->hostname = NULL;
152 entry->uri_path = NULL;
153 entry->addrlen = addrlen;
154 memcpy(&entry->addr, addr, addrlen);
159 /* Add a hostname entry to list. */
161 add_host_to_list(struct serverlist *list, const char *hostname, int port,
162 k5_transport transport, int family, const char *uri_path,
165 struct server_entry *entry;
167 entry = new_server_entry(list);
170 entry->transport = transport;
171 entry->family = family;
172 entry->hostname = strdup(hostname);
173 if (entry->hostname == NULL)
175 if (uri_path != NULL) {
176 entry->uri_path = strdup(uri_path);
177 if (entry->uri_path == NULL)
181 entry->master = master;
185 free(entry->hostname);
186 entry->hostname = NULL;
191 parse_uri_if_https(const char *host_or_uri, k5_transport *transport,
192 const char **host, const char **uri_path)
196 if (strncmp(host_or_uri, "https://", 8) == 0) {
198 *host = host_or_uri + 8;
200 cp = strchr(*host, '/');
208 /* Return true if server is identical to an entry in list. */
210 server_list_contains(struct serverlist *list, struct server_entry *server)
212 struct server_entry *ent;
214 for (ent = list->servers; ent < list->servers + list->nservers; ent++) {
215 if (server->hostname != NULL && ent->hostname != NULL &&
216 strcmp(server->hostname, ent->hostname) == 0)
218 if (server->hostname == NULL && ent->hostname == NULL &&
219 server->addrlen == ent->addrlen &&
220 memcmp(&server->addr, &ent->addr, server->addrlen) == 0)
226 static krb5_error_code
227 locate_srv_conf_1(krb5_context context, const krb5_data *realm,
228 const char * name, struct serverlist *serverlist,
229 k5_transport transport, int udpport)
231 const char *realm_srv_names[4];
232 char **hostlist = NULL, *realmstr = NULL, *host = NULL;
233 const char *hostspec;
234 krb5_error_code code;
237 Tprintf("looking in krb5.conf for realm %s entry %s; ports %d,%d\n",
238 realm->data, name, udpport);
240 realmstr = k5memdup0(realm->data, realm->length, &code);
241 if (realmstr == NULL)
244 realm_srv_names[0] = KRB5_CONF_REALMS;
245 realm_srv_names[1] = realmstr;
246 realm_srv_names[2] = name;
247 realm_srv_names[3] = 0;
248 code = profile_get_values(context->profile, realm_srv_names, &hostlist);
250 Tprintf("config file lookup failed: %s\n", error_message(code));
251 if (code == PROF_NO_SECTION || code == PROF_NO_RELATION)
256 for (i = 0; hostlist[i]; i++) {
258 k5_transport this_transport = transport;
259 const char *uri_path = NULL;
261 hostspec = hostlist[i];
262 Tprintf("entry %d is '%s'\n", i, hostspec);
264 parse_uri_if_https(hostspec, &this_transport, &hostspec, &uri_path);
266 default_port = (this_transport == HTTPS) ? 443 : udpport;
267 code = k5_parse_host_string(hostspec, default_port, &host, &port_num);
268 if (code == 0 && host == NULL)
273 code = add_host_to_list(serverlist, host, port_num, this_transport,
274 AF_UNSPEC, uri_path, -1);
285 profile_free_list(hostlist);
290 static krb5_error_code
291 krb5_locate_srv_conf(krb5_context context, const krb5_data *realm,
292 const char *name, struct serverlist *al, int udpport)
296 ret = locate_srv_conf_1(context, realm, name, al, TCP_OR_UDP, udpport);
299 if (al->nservers == 0) /* Couldn't resolve any KDC names */
300 return KRB5_REALM_CANT_RESOLVE;
305 #ifdef KRB5_DNS_LOOKUP
306 static krb5_error_code
307 locate_srv_dns_1(krb5_context context, const krb5_data *realm,
308 const char *service, const char *protocol,
309 struct serverlist *serverlist)
311 struct srv_dns_entry *head = NULL, *entry = NULL;
312 krb5_error_code code = 0;
313 k5_transport transport;
315 code = krb5int_make_srv_query_realm(context, realm, service, protocol,
323 /* Check for the "." case indicating no support. */
324 if (head->next == NULL && head->host[0] == '\0') {
325 code = KRB5_ERR_NO_SERVICE;
329 for (entry = head; entry != NULL; entry = entry->next) {
330 transport = (strcmp(protocol, "_tcp") == 0) ? TCP : UDP;
331 code = add_host_to_list(serverlist, entry->host, entry->port,
332 transport, AF_UNSPEC, NULL, -1);
338 krb5int_free_srv_dns_data(head);
343 #include <krb5/locate_plugin.h>
346 static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR,
347 LIBDIR "/krb5/plugins/libkrb5",
348 NULL }; /* should be a list */
350 static const char *objdirs[] = { LIBDIR "/krb5/plugins/libkrb5", NULL };
353 struct module_callback_data {
355 struct serverlist *list;
359 module_callback(void *cbdata, int socktype, struct sockaddr *sa)
361 struct module_callback_data *d = cbdata;
363 k5_transport transport;
365 if (socktype != SOCK_STREAM && socktype != SOCK_DGRAM)
367 if (sa->sa_family == AF_INET)
368 addrlen = sizeof(struct sockaddr_in);
369 else if (sa->sa_family == AF_INET6)
370 addrlen = sizeof(struct sockaddr_in6);
373 transport = (socktype == SOCK_STREAM) ? TCP : UDP;
374 if (add_addr_to_list(d->list, transport, sa->sa_family, addrlen,
376 /* Assumes only error is ENOMEM. */
383 static krb5_error_code
384 module_locate_server(krb5_context ctx, const krb5_data *realm,
385 struct serverlist *serverlist,
386 enum locate_service_type svc, k5_transport transport)
388 struct krb5plugin_service_locate_result *res = NULL;
389 krb5_error_code code;
390 struct krb5plugin_service_locate_ftable *vtbl = NULL;
392 char *realmz; /* NUL-terminated realm */
394 struct module_callback_data cbdata = { 0, };
397 Tprintf("in module_locate_server\n");
398 cbdata.list = serverlist;
399 if (!PLUGIN_DIR_OPEN(&ctx->libkrb5_plugins)) {
401 code = krb5int_open_plugin_dirs(objdirs, NULL, &ctx->libkrb5_plugins,
404 return KRB5_PLUGIN_NO_HANDLE;
407 code = krb5int_get_plugin_dir_data(&ctx->libkrb5_plugins,
408 "service_locator", &ptrs, &ctx->err);
410 Tprintf("error looking up plugin symbols: %s\n",
411 (msg = krb5_get_error_message(ctx, code)));
412 krb5_free_error_message(ctx, msg);
413 return KRB5_PLUGIN_NO_HANDLE;
416 if (realm->length >= UINT_MAX) {
417 krb5int_free_plugin_dir_data(ptrs);
420 realmz = k5memdup0(realm->data, realm->length, &code);
421 if (realmz == NULL) {
422 krb5int_free_plugin_dir_data(ptrs);
425 for (i = 0; ptrs[i]; i++) {
429 Tprintf("element %d is %p\n", i, ptrs[i]);
431 /* For now, don't keep the plugin data alive. For long-lived
432 * contexts, it may be desirable to change that later. */
433 code = vtbl->init(ctx, &blob);
437 socktype = (transport == TCP) ? SOCK_STREAM : SOCK_DGRAM;
438 code = vtbl->lookup(blob, svc, realmz, socktype, AF_UNSPEC,
439 module_callback, &cbdata);
440 /* Also ask for TCP addresses if we got UDP addresses and want both. */
441 if (code == 0 && transport == TCP_OR_UDP) {
442 code = vtbl->lookup(blob, svc, realmz, SOCK_STREAM, AF_UNSPEC,
443 module_callback, &cbdata);
444 if (code == KRB5_PLUGIN_NO_HANDLE)
448 if (code == KRB5_PLUGIN_NO_HANDLE) {
449 /* Module passes, keep going. */
451 Tprintf("plugin doesn't handle this realm (KRB5_PLUGIN_NO_HANDLE)"
456 /* Module encountered an actual error. */
457 Tprintf("plugin lookup routine returned error %d: %s\n",
458 code, error_message(code));
460 krb5int_free_plugin_dir_data(ptrs);
465 if (ptrs[i] == NULL) {
466 Tprintf("ran off end of plugin list\n");
468 krb5int_free_plugin_dir_data(ptrs);
469 return KRB5_PLUGIN_NO_HANDLE;
471 Tprintf("stopped with plugin #%d, res=%p\n", i, res);
473 /* Got something back, yippee. */
474 Tprintf("now have %lu addrs in list %p\n",
475 (unsigned long)serverlist->nservers, serverlist);
477 krb5int_free_plugin_dir_data(ptrs);
481 static krb5_error_code
482 prof_locate_server(krb5_context context, const krb5_data *realm,
483 struct serverlist *serverlist, enum locate_service_type svc,
484 k5_transport transport)
486 const char *profname;
488 struct servent *serv;
491 case locate_service_kdc:
492 profname = KRB5_CONF_KDC;
493 /* We used to use /etc/services for these, but enough systems have old,
494 * crufty, wrong settings that this is probably better. */
496 dflport = KRB5_DEFAULT_PORT;
498 case locate_service_master_kdc:
499 profname = KRB5_CONF_MASTER_KDC;
501 case locate_service_kadmin:
502 profname = KRB5_CONF_ADMIN_SERVER;
503 dflport = DEFAULT_KADM5_PORT;
505 case locate_service_krb524:
506 profname = KRB5_CONF_KRB524_SERVER;
507 serv = getservbyname("krb524", "udp");
508 dflport = serv ? serv->s_port : 4444;
510 case locate_service_kpasswd:
511 profname = KRB5_CONF_KPASSWD_SERVER;
512 dflport = DEFAULT_KPASSWD_PORT;
515 return EBUSY; /* XXX */
518 return locate_srv_conf_1(context, realm, profname, serverlist, transport,
522 #ifdef KRB5_DNS_LOOKUP
525 * Parse the initial part of the URI, first confirming the scheme name. Get
526 * the transport, flags (indicating master status), and host. The host is
527 * either an address or hostname with an optional port, or an HTTPS URL.
528 * The format is krb5srv:flags:udp|tcp|kkdcp:host
530 * Return a NULL *host_out if there are any problems parsing the URI.
533 parse_uri_fields(const char *uri, k5_transport *transport_out,
534 const char **host_out, int *master_out)
537 k5_transport transport;
544 /* Confirm the scheme name. */
545 if (strncasecmp(uri, "krb5srv", 7) != 0)
556 /* Check the flags field for supported flags. */
557 for (; *uri != ':' && *uri != '\0'; uri++) {
558 if (*uri == 'm' || *uri == 'M')
564 /* Look for the transport type. */
566 if (strncasecmp(uri, "udp", 3) == 0) {
569 } else if (strncasecmp(uri, "tcp", 3) == 0) {
572 } else if (strncasecmp(uri, "kkdcp", 5) == 0) {
573 /* Currently the only MS-KKDCP transport type is HTTPS. */
583 /* The rest of the URI is the host (with optional port) or URI. */
585 *transport_out = transport;
586 *master_out = master;
590 * Collect a list of servers from DNS URI records, for the requested service
591 * and transport type. Problematic entries are skipped.
593 static krb5_error_code
594 locate_uri(krb5_context context, const krb5_data *realm,
595 const char *req_service, struct serverlist *serverlist,
596 k5_transport req_transport, int default_port,
597 krb5_boolean master_only)
600 k5_transport transport, host_trans;
601 struct srv_dns_entry *answers, *entry;
603 const char *host_field, *path;
604 int port, def_port, master;
606 ret = k5_make_uri_query(context, realm, req_service, &answers);
607 if (ret || answers == NULL)
610 for (entry = answers; entry != NULL; entry = entry->next) {
611 def_port = default_port;
614 parse_uri_fields(entry->host, &transport, &host_field, &master);
615 if (host_field == NULL)
618 /* TCP_OR_UDP allows entries of any transport type; otherwise
619 * we're asking for a match. */
620 if (req_transport != TCP_OR_UDP && req_transport != transport)
623 /* Process a MS-KKDCP target. */
624 if (transport == HTTPS) {
627 parse_uri_if_https(host_field, &host_trans, &host_field, &path);
628 if (host_trans != HTTPS)
632 ret = k5_parse_host_string(host_field, def_port, &host, &port);
636 if (ret || host == NULL) {
641 ret = add_host_to_list(serverlist, host, port, transport, AF_UNSPEC,
648 krb5int_free_srv_dns_data(answers);
652 static krb5_error_code
653 dns_locate_server_uri(krb5_context context, const krb5_data *realm,
654 struct serverlist *serverlist,
655 enum locate_service_type svc, k5_transport transport)
660 krb5_boolean find_master = FALSE;
662 if (!_krb5_use_dns_kdc(context) || !use_dns_uri(context))
666 case locate_service_master_kdc:
669 case locate_service_kdc:
670 svcname = "_kerberos";
673 case locate_service_kadmin:
674 svcname = "_kerberos-adm";
677 case locate_service_kpasswd:
678 svcname = "_kpasswd";
685 ret = locate_uri(context, realm, svcname, serverlist, transport, def_port,
688 if (serverlist->nservers == 0)
689 TRACE_DNS_URI_NOTFOUND(context);
694 static krb5_error_code
695 dns_locate_server_srv(krb5_context context, const krb5_data *realm,
696 struct serverlist *serverlist,
697 enum locate_service_type svc, k5_transport transport)
700 int use_dns = _krb5_use_dns_kdc(context);
701 krb5_error_code code;
707 case locate_service_kdc:
708 dnsname = "_kerberos";
710 case locate_service_master_kdc:
711 dnsname = "_kerberos-master";
713 case locate_service_kadmin:
714 dnsname = "_kerberos-adm";
716 case locate_service_krb524:
719 case locate_service_kpasswd:
720 dnsname = "_kpasswd";
727 if (transport == UDP || transport == TCP_OR_UDP)
728 code = locate_srv_dns_1(context, realm, dnsname, "_udp", serverlist);
730 if ((transport == TCP || transport == TCP_OR_UDP) && code == 0)
731 code = locate_srv_dns_1(context, realm, dnsname, "_tcp", serverlist);
733 if (serverlist->nservers == 0)
734 TRACE_DNS_SRV_NOTFOUND(context);
738 #endif /* KRB5_DNS_LOOKUP */
741 * Try all of the server location methods in sequence. transport must be
742 * TCP_OR_UDP, TCP, or UDP. It is applied to hostname entries in the profile
743 * and affects whether we query modules or DNS for UDP or TCP or both, but does
744 * not restrict a method from returning entries of other transports.
746 static krb5_error_code
747 locate_server(krb5_context context, const krb5_data *realm,
748 struct serverlist *serverlist, enum locate_service_type svc,
749 k5_transport transport)
752 struct serverlist list = SERVERLIST_INIT;
756 /* Try modules. If a module returns 0 but leaves the list empty, return an
758 ret = module_locate_server(context, realm, &list, svc, transport);
759 if (ret != KRB5_PLUGIN_NO_HANDLE)
762 /* Try the profile. Fall back to DNS if it returns an empty list. */
763 ret = prof_locate_server(context, realm, &list, svc, transport);
767 #ifdef KRB5_DNS_LOOKUP
768 if (list.nservers == 0) {
769 ret = dns_locate_server_uri(context, realm, &list, svc, transport);
774 if (list.nservers == 0)
775 ret = dns_locate_server_srv(context, realm, &list, svc, transport);
780 k5_free_serverlist(&list);
788 * Wrapper function for the various backends
792 k5_locate_server(krb5_context context, const krb5_data *realm,
793 struct serverlist *serverlist, enum locate_service_type svc,
797 k5_transport transport = no_udp ? TCP : TCP_OR_UDP;
799 memset(serverlist, 0, sizeof(*serverlist));
800 if (realm == NULL || realm->data == NULL || realm->data[0] == 0) {
801 k5_setmsg(context, KRB5_REALM_CANT_RESOLVE,
802 "Cannot find KDC for invalid realm name \"\"");
803 return KRB5_REALM_CANT_RESOLVE;
806 ret = locate_server(context, realm, serverlist, svc, transport);
810 if (serverlist->nservers == 0) {
811 k5_free_serverlist(serverlist);
812 k5_setmsg(context, KRB5_REALM_UNKNOWN,
813 _("Cannot find KDC for realm \"%.*s\""),
814 realm->length, realm->data);
815 return KRB5_REALM_UNKNOWN;
821 k5_locate_kdc(krb5_context context, const krb5_data *realm,
822 struct serverlist *serverlist, krb5_boolean get_masters,
825 enum locate_service_type stype;
827 stype = get_masters ? locate_service_master_kdc : locate_service_kdc;
828 return k5_locate_server(context, realm, serverlist, stype, no_udp);
832 k5_kdc_is_master(krb5_context context, const krb5_data *realm,
833 struct server_entry *server)
835 struct serverlist list;
838 if (server->master != -1)
839 return server->master;
841 if (locate_server(context, realm, &list, locate_service_master_kdc,
842 server->transport) != 0)
844 found = server_list_contains(&list, server);
845 k5_free_serverlist(&list);