2 * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <krb5_locl.h>
36 RCSID("$Id: changepw.c,v 1.38.2.1 2004/06/21 08:38:10 lha Exp $");
39 str2data (krb5_data
*d
,
41 ...) __attribute__ ((format (printf
, 2, 3)));
44 str2data (krb5_data
*d
,
51 d
->length
= vasprintf ((char **)&d
->data
, fmt
, args
);
56 * Change password protocol defined by
57 * draft-ietf-cat-kerb-chg-password-02.txt
59 * Share the response part of the protocol with MS set password
63 static krb5_error_code
64 chgpw_send_request (krb5_context context
,
65 krb5_auth_context
*auth_context
,
67 krb5_principal targprinc
,
74 krb5_data ap_req_data
;
75 krb5_data krb_priv_data
;
76 krb5_data passwd_data
;
84 return KRB5_KPASSWD_MALFORMED
;
87 krb5_principal_compare(context
, creds
->client
, targprinc
) != TRUE
)
88 return KRB5_KPASSWD_MALFORMED
;
90 krb5_data_zero (&ap_req_data
);
92 ret
= krb5_mk_req_extended (context
,
94 AP_OPTS_MUTUAL_REQUIRED
| AP_OPTS_USE_SUBKEY
,
101 passwd_data
.data
= passwd
;
102 passwd_data
.length
= strlen(passwd
);
104 krb5_data_zero (&krb_priv_data
);
106 ret
= krb5_mk_priv (context
,
114 len
= 6 + ap_req_data
.length
+ krb_priv_data
.length
;
116 *p
++ = (len
>> 8) & 0xFF;
117 *p
++ = (len
>> 0) & 0xFF;
120 *p
++ = (ap_req_data
.length
>> 8) & 0xFF;
121 *p
++ = (ap_req_data
.length
>> 0) & 0xFF;
123 memset(&msghdr
, 0, sizeof(msghdr
));
124 msghdr
.msg_name
= NULL
;
125 msghdr
.msg_namelen
= 0;
126 msghdr
.msg_iov
= iov
;
127 msghdr
.msg_iovlen
= sizeof(iov
)/sizeof(*iov
);
129 msghdr
.msg_control
= NULL
;
130 msghdr
.msg_controllen
= 0;
133 iov
[0].iov_base
= (void*)header
;
135 iov
[1].iov_base
= ap_req_data
.data
;
136 iov
[1].iov_len
= ap_req_data
.length
;
137 iov
[2].iov_base
= krb_priv_data
.data
;
138 iov
[2].iov_len
= krb_priv_data
.length
;
140 if (sendmsg (sock
, &msghdr
, 0) < 0) {
142 krb5_set_error_string(context
, "sendmsg %s: %s", host
, strerror(ret
));
145 krb5_data_free (&krb_priv_data
);
147 krb5_data_free (&ap_req_data
);
152 * Set password protocol as defined by RFC3244 --
153 * Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
156 static krb5_error_code
157 setpw_send_request (krb5_context context
,
158 krb5_auth_context
*auth_context
,
160 krb5_principal targprinc
,
167 krb5_data ap_req_data
;
168 krb5_data krb_priv_data
;
170 ChangePasswdDataMS chpw
;
172 u_char header
[4 + 6];
175 struct msghdr msghdr
;
177 krb5_data_zero (&ap_req_data
);
179 ret
= krb5_mk_req_extended (context
,
181 AP_OPTS_MUTUAL_REQUIRED
| AP_OPTS_USE_SUBKEY
,
188 chpw
.newpasswd
.length
= strlen(passwd
);
189 chpw
.newpasswd
.data
= passwd
;
191 chpw
.targname
= &targprinc
->name
;
192 chpw
.targrealm
= &targprinc
->realm
;
194 chpw
.targname
= NULL
;
195 chpw
.targrealm
= NULL
;
198 ASN1_MALLOC_ENCODE(ChangePasswdDataMS
, pwd_data
.data
, pwd_data
.length
,
201 krb5_data_free (&ap_req_data
);
205 if(pwd_data
.length
!= len
)
206 krb5_abortx(context
, "internal error in ASN.1 encoder");
208 ret
= krb5_mk_priv (context
,
216 len
= 6 + ap_req_data
.length
+ krb_priv_data
.length
;
219 _krb5_put_int(p
, len
, 4);
222 *p
++ = (len
>> 8) & 0xFF;
223 *p
++ = (len
>> 0) & 0xFF;
226 *p
++ = (ap_req_data
.length
>> 8) & 0xFF;
227 *p
++ = (ap_req_data
.length
>> 0) & 0xFF;
229 memset(&msghdr
, 0, sizeof(msghdr
));
230 msghdr
.msg_name
= NULL
;
231 msghdr
.msg_namelen
= 0;
232 msghdr
.msg_iov
= iov
;
233 msghdr
.msg_iovlen
= sizeof(iov
)/sizeof(*iov
);
235 msghdr
.msg_control
= NULL
;
236 msghdr
.msg_controllen
= 0;
239 iov
[0].iov_base
= (void*)header
;
244 iov
[1].iov_base
= ap_req_data
.data
;
245 iov
[1].iov_len
= ap_req_data
.length
;
246 iov
[2].iov_base
= krb_priv_data
.data
;
247 iov
[2].iov_len
= krb_priv_data
.length
;
249 if (sendmsg (sock
, &msghdr
, 0) < 0) {
251 krb5_set_error_string(context
, "sendmsg %s: %s", host
, strerror(ret
));
254 krb5_data_free (&krb_priv_data
);
256 krb5_data_free (&ap_req_data
);
257 krb5_data_free (&pwd_data
);
261 static krb5_error_code
262 process_reply (krb5_context context
,
263 krb5_auth_context auth_context
,
267 krb5_data
*result_code_string
,
268 krb5_data
*result_string
,
272 u_char reply
[1024 * 3];
274 u_int16_t pkt_len
, pkt_ver
;
275 krb5_data ap_rep_data
;
280 while (len
< sizeof(reply
)) {
283 ret
= recvfrom (sock
, reply
+ len
, sizeof(reply
) - len
,
287 krb5_set_error_string(context
, "recvfrom %s: %s",
288 host
, strerror(save_errno
));
290 } else if (ret
== 0) {
291 krb5_set_error_string(context
, "recvfrom timeout %s", host
);
297 _krb5_get_int(reply
, &size
, 4);
300 memmove(reply
, reply
+ 4, size
);
304 if (len
== sizeof(reply
)) {
305 krb5_set_error_string(context
, "message too large from %s",
310 ret
= recvfrom (sock
, reply
, sizeof(reply
), 0, NULL
, NULL
);
313 krb5_set_error_string(context
, "recvfrom %s: %s",
314 host
, strerror(save_errno
));
321 str2data (result_string
, "server %s sent to too short message "
322 "(%d bytes)", host
, len
);
323 *result_code
= KRB5_KPASSWD_MALFORMED
;
327 pkt_len
= (reply
[0] << 8) | (reply
[1]);
328 pkt_ver
= (reply
[2] << 8) | (reply
[3]);
330 if ((pkt_len
!= len
) || (reply
[1] == 0x7e || reply
[1] == 0x5e)) {
335 memset(&error
, 0, sizeof(error
));
337 ret
= decode_KRB_ERROR(reply
, len
, &error
, &size
);
341 if (error
.e_data
->length
< 2) {
342 str2data(result_string
, "server %s sent too short "
343 "e_data to print anything usable", host
);
344 free_KRB_ERROR(&error
);
345 *result_code
= KRB5_KPASSWD_MALFORMED
;
349 p
= error
.e_data
->data
;
350 *result_code
= (p
[0] << 8) | p
[1];
351 if (error
.e_data
->length
== 2)
352 str2data(result_string
, "server only sent error code");
354 krb5_data_copy (result_string
,
356 error
.e_data
->length
- 2);
357 free_KRB_ERROR(&error
);
361 if (pkt_len
!= len
) {
362 str2data (result_string
, "client: wrong len in reply");
363 *result_code
= KRB5_KPASSWD_MALFORMED
;
366 if (pkt_ver
!= KRB5_KPASSWD_VERS_CHANGEPW
) {
367 str2data (result_string
,
368 "client: wrong version number (%d)", pkt_ver
);
369 *result_code
= KRB5_KPASSWD_MALFORMED
;
373 ap_rep_data
.data
= reply
+ 6;
374 ap_rep_data
.length
= (reply
[4] << 8) | (reply
[5]);
376 if (reply
+ len
< (u_char
*)ap_rep_data
.data
+ ap_rep_data
.length
) {
377 str2data (result_string
, "client: wrong AP len in reply");
378 *result_code
= KRB5_KPASSWD_MALFORMED
;
382 if (ap_rep_data
.length
) {
383 krb5_ap_rep_enc_part
*ap_rep
;
387 priv_data
.data
= (u_char
*)ap_rep_data
.data
+ ap_rep_data
.length
;
388 priv_data
.length
= len
- ap_rep_data
.length
- 6;
390 ret
= krb5_rd_rep (context
,
397 krb5_free_ap_rep_enc_part (context
, ap_rep
);
399 ret
= krb5_rd_priv (context
,
405 krb5_data_free (result_code_string
);
409 if (result_code_string
->length
< 2) {
410 *result_code
= KRB5_KPASSWD_MALFORMED
;
411 str2data (result_string
,
412 "client: bad length in result");
416 p
= result_code_string
->data
;
418 *result_code
= (p
[0] << 8) | p
[1];
419 krb5_data_copy (result_string
,
420 (unsigned char*)result_code_string
->data
+ 2,
421 result_code_string
->length
- 2);
428 ret
= decode_KRB_ERROR(reply
+ 6, len
- 6, &error
, &size
);
432 if (error
.e_data
->length
< 2) {
433 krb5_warnx (context
, "too short e_data to print anything usable");
437 p
= error
.e_data
->data
;
438 *result_code
= (p
[0] << 8) | p
[1];
439 krb5_data_copy (result_string
,
441 error
.e_data
->length
- 2);
448 * change the password using the credentials in `creds' (for the
449 * principal indicated in them) to `newpw', storing the result of
450 * the operation in `result_*' and an error code or 0.
453 typedef krb5_error_code (*kpwd_send_request
) (krb5_context
,
461 typedef krb5_error_code (*kpwd_process_reply
) (krb5_context
,
473 #define SUPPORT_TCP 1
474 #define SUPPORT_UDP 2
475 kpwd_send_request send_req
;
476 kpwd_process_reply process_rep
;
480 SUPPORT_TCP
|SUPPORT_UDP
,
493 static struct kpwd_proc
*
494 find_chpw_proto(const char *name
)
497 for (p
= procs
; p
->name
!= NULL
; p
++) {
498 if (strcmp(p
->name
, name
) == 0)
508 static krb5_error_code
509 change_password_loop (krb5_context context
,
511 krb5_principal targprinc
,
514 krb5_data
*result_code_string
,
515 krb5_data
*result_string
,
516 struct kpwd_proc
*proc
)
519 krb5_auth_context auth_context
= NULL
;
520 krb5_krbhst_handle handle
= NULL
;
521 krb5_krbhst_info
*hi
;
525 krb5_realm realm
= creds
->client
->realm
;
527 ret
= krb5_auth_con_init (context
, &auth_context
);
531 krb5_auth_con_setflags (context
, auth_context
,
532 KRB5_AUTH_CONTEXT_DO_SEQUENCE
);
534 ret
= krb5_krbhst_init (context
, realm
, KRB5_KRBHST_CHANGEPW
, &handle
);
538 while (!done
&& (ret
= krb5_krbhst_next(context
, handle
, &hi
)) == 0) {
539 struct addrinfo
*ai
, *a
;
543 case KRB5_KRBHST_UDP
:
544 if ((proc
->flags
& SUPPORT_UDP
) == 0)
548 case KRB5_KRBHST_TCP
:
549 if ((proc
->flags
& SUPPORT_TCP
) == 0)
557 ret
= krb5_krbhst_get_addrinfo(context
, hi
, &ai
);
561 for (a
= ai
; !done
&& a
!= NULL
; a
= a
->ai_next
) {
564 sock
= socket (a
->ai_family
, a
->ai_socktype
, a
->ai_protocol
);
568 ret
= connect(sock
, a
->ai_addr
, a
->ai_addrlen
);
574 ret
= krb5_auth_con_genaddrs (context
, auth_context
, sock
,
575 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
);
581 for (i
= 0; !done
&& i
< 5; ++i
) {
588 ret
= (*proc
->send_req
) (context
,
602 if (sock
>= FD_SETSIZE
) {
603 krb5_set_error_string(context
, "fd %d too large", sock
);
610 FD_SET(sock
, &fdset
);
612 tv
.tv_sec
= 1 + (1 << i
);
614 ret
= select (sock
+ 1, &fdset
, NULL
, NULL
, &tv
);
615 if (ret
< 0 && errno
!= EINTR
) {
620 ret
= (*proc
->process_rep
) (context
,
630 else if (i
> 0 && ret
== KRB5KRB_AP_ERR_MUT_FAIL
)
633 ret
= KRB5_KDC_UNREACH
;
641 krb5_krbhst_free (context
, handle
);
642 krb5_auth_con_free (context
, auth_context
);
646 if (ret
== KRB5_KDC_UNREACH
)
647 krb5_set_error_string(context
,
648 "unable to reach any changepw server "
649 " in realm %s", realm
);
656 * change the password using the credentials in `creds' (for the
657 * principal indicated in them) to `newpw', storing the result of
658 * the operation in `result_*' and an error code or 0.
662 krb5_change_password (krb5_context context
,
666 krb5_data
*result_code_string
,
667 krb5_data
*result_string
)
669 struct kpwd_proc
*p
= find_chpw_proto("change password");
671 *result_code
= KRB5_KPASSWD_MALFORMED
;
672 result_code_string
->data
= result_string
->data
= NULL
;
673 result_code_string
->length
= result_string
->length
= 0;
676 return KRB5_KPASSWD_MALFORMED
;
678 return change_password_loop(context
, creds
, NULL
, newpw
,
679 result_code
, result_code_string
,
688 krb5_set_password(krb5_context context
,
691 krb5_principal targprinc
,
693 krb5_data
*result_code_string
,
694 krb5_data
*result_string
)
696 krb5_principal principal
= NULL
;
697 krb5_error_code ret
= 0;
700 *result_code
= KRB5_KPASSWD_MALFORMED
;
701 result_code_string
->data
= result_string
->data
= NULL
;
702 result_code_string
->length
= result_string
->length
= 0;
704 if (targprinc
== NULL
) {
705 ret
= krb5_get_default_principal(context
, &principal
);
709 principal
= targprinc
;
711 for (i
= 0; procs
[i
].name
!= NULL
; i
++) {
713 ret
= change_password_loop(context
, creds
, targprinc
, newpw
,
714 result_code
, result_code_string
,
717 if (ret
== 0 && *result_code
== 0)
721 if (targprinc
== NULL
)
722 krb5_free_principal(context
, principal
);
731 krb5_set_password_using_ccache(krb5_context context
,
734 krb5_principal targprinc
,
736 krb5_data
*result_code_string
,
737 krb5_data
*result_string
)
739 krb5_creds creds
, *credsp
;
741 krb5_principal principal
= NULL
;
743 *result_code
= KRB5_KPASSWD_MALFORMED
;
744 result_code_string
->data
= result_string
->data
= NULL
;
745 result_code_string
->length
= result_string
->length
= 0;
747 memset(&creds
, 0, sizeof(creds
));
749 if (targprinc
== NULL
) {
750 ret
= krb5_cc_get_principal(context
, ccache
, &principal
);
754 principal
= targprinc
;
756 ret
= krb5_make_principal(context
, &creds
.server
,
757 krb5_principal_get_realm(context
, principal
),
758 "kadmin", "changepw", NULL
);
762 ret
= krb5_cc_get_principal(context
, ccache
, &creds
.client
);
764 krb5_free_principal(context
, creds
.server
);
768 ret
= krb5_get_credentials(context
, 0, ccache
, &creds
, &credsp
);
769 krb5_free_principal(context
, creds
.server
);
770 krb5_free_principal(context
, creds
.client
);
774 ret
= krb5_set_password(context
,
782 krb5_free_creds(context
, credsp
);
786 if (targprinc
== NULL
)
787 krb5_free_principal(context
, principal
);
796 krb5_passwd_result_to_string (krb5_context context
,
799 static const char *strings
[] = {
807 "Initial flag needed"
810 if (result
< 0 || result
> KRB5_KPASSWD_INITIAL_FLAG_NEEDED
)
811 return "unknown result code";
813 return strings
[result
];