search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Fix CID 1504457 Resource leak
[Samba.git] / source4 / kdc / kpasswd-service-heimdal.c
blob21596d8d8a42071f1437fc19734af246124486b4
1 /*
2 Unix SMB/CIFS implementation.
3
4 Samba kpasswd implementation
5
6 Copyright (c) 2016 Andreas Schneider <asn@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "samba/service_task.h"
24 #include "param/param.h"
25 #include "auth/auth.h"
26 #include "auth/gensec/gensec.h"
27 #include "kdc/kdc-server.h"
28 #include "kdc/kpasswd_glue.h"
29 #include "kdc/kpasswd-service.h"
30 #include "kdc/kpasswd-helper.h"
31
32 static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
33 TALLOC_CTX *mem_ctx,
34 struct auth_session_info *session_info,
35 DATA_BLOB *password,
36 DATA_BLOB *kpasswd_reply,
37 const char **error_string)
38 {
39 NTSTATUS status;
40 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
41 enum samPwdChangeReason reject_reason;
42 const char *reject_string = NULL;
43 struct samr_DomInfo1 *dominfo;
44 bool ok;
45
46 status = samdb_kpasswd_change_password(mem_ctx,
47 kdc->task->lp_ctx,
48 kdc->task->event_ctx,
49 session_info,
50 password,
51 &reject_reason,
52 &dominfo,
53 &reject_string,
54 &result);
55 if (!NT_STATUS_IS_OK(status)) {
56 ok = kpasswd_make_error_reply(mem_ctx,
57 KRB5_KPASSWD_ACCESSDENIED,
58 reject_string,
59 kpasswd_reply);
60 if (!ok) {
61 *error_string = "Failed to create reply";
62 return KRB5_KPASSWD_HARDERROR;
63 }
64 /* We want to send an an authenticated packet. */
65 return 0;
66 }
67
68 ok = kpasswd_make_pwchange_reply(mem_ctx,
69 result,
70 reject_reason,
71 dominfo,
72 kpasswd_reply);
73 if (!ok) {
74 *error_string = "Failed to create reply";
75 return KRB5_KPASSWD_HARDERROR;
76 }
77
78 return 0;
79 }
80
81 static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
82 TALLOC_CTX *mem_ctx,
83 struct auth_session_info *session_info,
84 DATA_BLOB *decoded_data,
85 DATA_BLOB *kpasswd_reply,
86 const char **error_string)
87 {
88 krb5_context context = kdc->smb_krb5_context->krb5_context;
89 krb5_error_code code;
90 krb5_principal target_principal;
91 ChangePasswdDataMS chpw = {};
92 size_t chpw_len = 0;
93 DATA_BLOB password = data_blob_null;
94 enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR;
95 struct samr_DomInfo1 *dominfo = NULL;
96 char *target_principal_string = NULL;
97 bool is_service_principal = false;
98 NTSTATUS status;
99 bool ok;
100
101 code = decode_ChangePasswdDataMS(decoded_data->data,
102 decoded_data->length,
103 &chpw,
104 &chpw_len);
105 if (code != 0) {
106 DBG_WARNING("decode_ChangePasswdDataMS failed\n");
107 ok = kpasswd_make_error_reply(mem_ctx,
108 KRB5_KPASSWD_MALFORMED,
109 "Failed to decode packet",
110 kpasswd_reply);
111 if (!ok) {
112 *error_string = "Failed to create reply";
113 return KRB5_KPASSWD_HARDERROR;
114 }
115 return 0;
116 }
117
118 ok = convert_string_talloc_handle(mem_ctx,
119 lpcfg_iconv_handle(kdc->task->lp_ctx),
120 CH_UTF8,
121 CH_UTF16,
122 (const char *)chpw.newpasswd.data,
123 chpw.newpasswd.length,
124 (void **)&password.data,
125 &password.length);
126 if (!ok) {
127 free_ChangePasswdDataMS(&chpw);
128 DBG_WARNING("String conversion failed\n");
129 *error_string = "String conversion failed";
130 return KRB5_KPASSWD_HARDERROR;
131 }
132
133 if ((chpw.targname != NULL && chpw.targrealm == NULL) ||
134 (chpw.targname == NULL && chpw.targrealm != NULL)) {
135 free_ChangePasswdDataMS(&chpw);
136 ok = kpasswd_make_error_reply(mem_ctx,
137 KRB5_KPASSWD_MALFORMED,
138 "Realm and principal must be "
139 "both present, or neither present",
140 kpasswd_reply);
141 if (!ok) {
142 *error_string = "Failed to create reply";
143 return KRB5_KPASSWD_HARDERROR;
144 }
145 return 0;
146 }
147
148 if (chpw.targname != NULL && chpw.targrealm != NULL) {
149 code = krb5_build_principal_ext(context,
150 &target_principal,
151 strlen(*chpw.targrealm),
152 *chpw.targrealm,
153 0);
154 if (code != 0) {
155 free_ChangePasswdDataMS(&chpw);
156 return kpasswd_make_error_reply(mem_ctx,
157 KRB5_KPASSWD_MALFORMED,
158 "Failed to parse principal",
159 kpasswd_reply);
160 }
161 code = copy_PrincipalName(chpw.targname,
162 &target_principal->name);
163 if (code != 0) {
164 free_ChangePasswdDataMS(&chpw);
165 krb5_free_principal(context, target_principal);
166 return kpasswd_make_error_reply(mem_ctx,
167 KRB5_KPASSWD_MALFORMED,
168 "Failed to parse principal",
169 kpasswd_reply);
170 }
171 } else {
172 free_ChangePasswdDataMS(&chpw);
173 return kpasswd_change_password(kdc,
174 mem_ctx,
175 session_info,
176 &password,
177 kpasswd_reply,
178 error_string);
179 }
180 free_ChangePasswdDataMS(&chpw);
181
182 if (target_principal->name.name_string.len >= 2) {
183 is_service_principal = true;
184
185 code = krb5_unparse_name_short(context,
186 target_principal,
187 &target_principal_string);
188 } else {
189 code = krb5_unparse_name(context,
190 target_principal,
191 &target_principal_string);
192 }
193 krb5_free_principal(context, target_principal);
194 if (code != 0) {
195 ok = kpasswd_make_error_reply(mem_ctx,
196 KRB5_KPASSWD_MALFORMED,
197 "Failed to parse principal",
198 kpasswd_reply);
199 if (!ok) {
200 *error_string = "Failed to create reply";
201 return KRB5_KPASSWD_HARDERROR;
202 }
203 }
204
205 status = kpasswd_samdb_set_password(mem_ctx,
206 kdc->task->event_ctx,
207 kdc->task->lp_ctx,
208 session_info,
209 is_service_principal,
210 target_principal_string,
211 &password,
212 &reject_reason,
213 &dominfo);
214 if (!NT_STATUS_IS_OK(status)) {
215 DBG_ERR("kpasswd_samdb_set_password failed - %s\n",
216 nt_errstr(status));
217 }
218
219 ok = kpasswd_make_pwchange_reply(mem_ctx,
220 status,
221 reject_reason,
222 dominfo,
223 kpasswd_reply);
224 if (!ok) {
225 *error_string = "Failed to create reply";
226 return KRB5_KPASSWD_HARDERROR;
227 }
228
229 return 0;
230 }
231
232 krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
233 TALLOC_CTX *mem_ctx,
234 struct gensec_security *gensec_security,
235 uint16_t verno,
236 DATA_BLOB *decoded_data,
237 DATA_BLOB *kpasswd_reply,
238 const char **error_string)
239 {
240 struct auth_session_info *session_info;
241 NTSTATUS status;
242
243 status = gensec_session_info(gensec_security,
244 mem_ctx,
245 &session_info);
246 if (!NT_STATUS_IS_OK(status)) {
247 *error_string = talloc_asprintf(mem_ctx,
248 "gensec_session_info failed - %s",
249 nt_errstr(status));
250 return KRB5_KPASSWD_HARDERROR;
251 }
252
253 switch(verno) {
254 case KRB5_KPASSWD_VERS_CHANGEPW: {
255 DATA_BLOB password = data_blob_null;
256 bool ok;
257
258 ok = convert_string_talloc_handle(mem_ctx,
259 lpcfg_iconv_handle(kdc->task->lp_ctx),
260 CH_UTF8,
261 CH_UTF16,
262 (const char *)decoded_data->data,
263 decoded_data->length,
264 (void **)&password.data,
265 &password.length);
266 if (!ok) {
267 *error_string = "String conversion failed!";
268 DBG_WARNING("%s\n", *error_string);
269 return KRB5_KPASSWD_HARDERROR;
270 }
271
272 return kpasswd_change_password(kdc,
273 mem_ctx,
274 session_info,
275 &password,
276 kpasswd_reply,
277 error_string);
278 }
279 case KRB5_KPASSWD_VERS_SETPW: {
280 return kpasswd_set_password(kdc,
281 mem_ctx,
282 session_info,
283 decoded_data,
284 kpasswd_reply,
285 error_string);
286 }
287 default:
288 *error_string = talloc_asprintf(mem_ctx,
289 "Protocol version %u not supported",
290 verno);
291 return KRB5_KPASSWD_BAD_VERSION;
292 }
293
294 return 0;
295 }
Samba GIT mirror