1 /* $NetBSD: changepw.c,v 1.1.1.2 2014/04/24 12:45:49 pettai Exp $ */
4 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
39 #define __attribute__(X)
43 str2data (krb5_data
*d
,
45 ...) __attribute__ ((format (printf
, 2, 3)));
48 str2data (krb5_data
*d
,
56 d
->length
= vasprintf (&str
, fmt
, args
);
62 * Change password protocol defined by
63 * draft-ietf-cat-kerb-chg-password-02.txt
65 * Share the response part of the protocol with MS set password
69 static krb5_error_code
70 chgpw_send_request (krb5_context context
,
71 krb5_auth_context
*auth_context
,
73 krb5_principal targprinc
,
80 krb5_data ap_req_data
;
81 krb5_data krb_priv_data
;
82 krb5_data passwd_data
;
89 return KRB5_KPASSWD_MALFORMED
;
92 krb5_principal_compare(context
, creds
->client
, targprinc
) != TRUE
)
93 return KRB5_KPASSWD_MALFORMED
;
95 krb5_data_zero (&ap_req_data
);
97 ret
= krb5_mk_req_extended (context
,
99 AP_OPTS_MUTUAL_REQUIRED
| AP_OPTS_USE_SUBKEY
,
106 passwd_data
.data
= rk_UNCONST(passwd
);
107 passwd_data
.length
= strlen(passwd
);
109 krb5_data_zero (&krb_priv_data
);
111 ret
= krb5_mk_priv (context
,
119 len
= 6 + ap_req_data
.length
+ krb_priv_data
.length
;
120 header
[0] = (len
>> 8) & 0xFF;
121 header
[1] = (len
>> 0) & 0xFF;
124 header
[4] = (ap_req_data
.length
>> 8) & 0xFF;
125 header
[5] = (ap_req_data
.length
>> 0) & 0xFF;
127 memset(&msghdr
, 0, sizeof(msghdr
));
128 msghdr
.msg_name
= NULL
;
129 msghdr
.msg_namelen
= 0;
130 msghdr
.msg_iov
= iov
;
131 msghdr
.msg_iovlen
= sizeof(iov
)/sizeof(*iov
);
133 msghdr
.msg_control
= NULL
;
134 msghdr
.msg_controllen
= 0;
137 iov
[0].iov_base
= (void*)header
;
139 iov
[1].iov_base
= ap_req_data
.data
;
140 iov
[1].iov_len
= ap_req_data
.length
;
141 iov
[2].iov_base
= krb_priv_data
.data
;
142 iov
[2].iov_len
= krb_priv_data
.length
;
144 if (rk_IS_SOCKET_ERROR( sendmsg (sock
, &msghdr
, 0) )) {
146 krb5_set_error_message(context
, ret
, "sendmsg %s: %s",
147 host
, strerror(ret
));
150 krb5_data_free (&krb_priv_data
);
152 krb5_data_free (&ap_req_data
);
157 * Set password protocol as defined by RFC3244 --
158 * Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
161 static krb5_error_code
162 setpw_send_request (krb5_context context
,
163 krb5_auth_context
*auth_context
,
165 krb5_principal targprinc
,
172 krb5_data ap_req_data
;
173 krb5_data krb_priv_data
;
175 ChangePasswdDataMS chpw
;
177 u_char header
[4 + 6];
180 struct msghdr msghdr
;
182 krb5_data_zero (&ap_req_data
);
184 ret
= krb5_mk_req_extended (context
,
186 AP_OPTS_MUTUAL_REQUIRED
| AP_OPTS_USE_SUBKEY
,
193 chpw
.newpasswd
.length
= strlen(passwd
);
194 chpw
.newpasswd
.data
= rk_UNCONST(passwd
);
196 chpw
.targname
= &targprinc
->name
;
197 chpw
.targrealm
= &targprinc
->realm
;
199 chpw
.targname
= NULL
;
200 chpw
.targrealm
= NULL
;
203 ASN1_MALLOC_ENCODE(ChangePasswdDataMS
, pwd_data
.data
, pwd_data
.length
,
206 krb5_data_free (&ap_req_data
);
210 if(pwd_data
.length
!= len
)
211 krb5_abortx(context
, "internal error in ASN.1 encoder");
213 ret
= krb5_mk_priv (context
,
221 len
= 6 + ap_req_data
.length
+ krb_priv_data
.length
;
224 _krb5_put_int(p
, len
, 4);
227 *p
++ = (len
>> 8) & 0xFF;
228 *p
++ = (len
>> 0) & 0xFF;
231 *p
++ = (ap_req_data
.length
>> 8) & 0xFF;
232 *p
= (ap_req_data
.length
>> 0) & 0xFF;
234 memset(&msghdr
, 0, sizeof(msghdr
));
235 msghdr
.msg_name
= NULL
;
236 msghdr
.msg_namelen
= 0;
237 msghdr
.msg_iov
= iov
;
238 msghdr
.msg_iovlen
= sizeof(iov
)/sizeof(*iov
);
240 msghdr
.msg_control
= NULL
;
241 msghdr
.msg_controllen
= 0;
244 iov
[0].iov_base
= (void*)header
;
249 iov
[1].iov_base
= ap_req_data
.data
;
250 iov
[1].iov_len
= ap_req_data
.length
;
251 iov
[2].iov_base
= krb_priv_data
.data
;
252 iov
[2].iov_len
= krb_priv_data
.length
;
254 if (rk_IS_SOCKET_ERROR( sendmsg (sock
, &msghdr
, 0) )) {
256 krb5_set_error_message(context
, ret
, "sendmsg %s: %s",
257 host
, strerror(ret
));
260 krb5_data_free (&krb_priv_data
);
262 krb5_data_free (&ap_req_data
);
263 krb5_data_free (&pwd_data
);
267 static krb5_error_code
268 process_reply (krb5_context context
,
269 krb5_auth_context auth_context
,
273 krb5_data
*result_code_string
,
274 krb5_data
*result_string
,
278 u_char reply
[1024 * 3];
280 uint16_t pkt_len
, pkt_ver
;
281 krb5_data ap_rep_data
;
286 while (len
< sizeof(reply
)) {
289 ret
= recvfrom (sock
, reply
+ len
, sizeof(reply
) - len
,
291 if (rk_IS_SOCKET_ERROR(ret
)) {
292 save_errno
= rk_SOCK_ERRNO
;
293 krb5_set_error_message(context
, save_errno
,
295 host
, strerror(save_errno
));
297 } else if (ret
== 0) {
298 krb5_set_error_message(context
, 1,"recvfrom timeout %s", host
);
304 _krb5_get_int(reply
, &size
, 4);
307 memmove(reply
, reply
+ 4, size
);
311 if (len
== sizeof(reply
)) {
312 krb5_set_error_message(context
, ENOMEM
,
313 N_("Message too large from %s", "host"),
318 ret
= recvfrom (sock
, reply
, sizeof(reply
), 0, NULL
, NULL
);
319 if (rk_IS_SOCKET_ERROR(ret
)) {
320 save_errno
= rk_SOCK_ERRNO
;
321 krb5_set_error_message(context
, save_errno
,
323 host
, strerror(save_errno
));
330 str2data (result_string
, "server %s sent to too short message "
331 "(%zu bytes)", host
, len
);
332 *result_code
= KRB5_KPASSWD_MALFORMED
;
336 pkt_len
= (reply
[0] << 8) | (reply
[1]);
337 pkt_ver
= (reply
[2] << 8) | (reply
[3]);
339 if ((pkt_len
!= len
) || (reply
[1] == 0x7e || reply
[1] == 0x5e)) {
344 memset(&error
, 0, sizeof(error
));
346 ret
= decode_KRB_ERROR(reply
, len
, &error
, &size
);
350 if (error
.e_data
->length
< 2) {
351 str2data(result_string
, "server %s sent too short "
352 "e_data to print anything usable", host
);
353 free_KRB_ERROR(&error
);
354 *result_code
= KRB5_KPASSWD_MALFORMED
;
358 p
= error
.e_data
->data
;
359 *result_code
= (p
[0] << 8) | p
[1];
360 if (error
.e_data
->length
== 2)
361 str2data(result_string
, "server only sent error code");
363 krb5_data_copy (result_string
,
365 error
.e_data
->length
- 2);
366 free_KRB_ERROR(&error
);
370 if (pkt_len
!= len
) {
371 str2data (result_string
, "client: wrong len in reply");
372 *result_code
= KRB5_KPASSWD_MALFORMED
;
375 if (pkt_ver
!= KRB5_KPASSWD_VERS_CHANGEPW
) {
376 str2data (result_string
,
377 "client: wrong version number (%d)", pkt_ver
);
378 *result_code
= KRB5_KPASSWD_MALFORMED
;
382 ap_rep_data
.data
= reply
+ 6;
383 ap_rep_data
.length
= (reply
[4] << 8) | (reply
[5]);
385 if (reply
+ len
< (u_char
*)ap_rep_data
.data
+ ap_rep_data
.length
) {
386 str2data (result_string
, "client: wrong AP len in reply");
387 *result_code
= KRB5_KPASSWD_MALFORMED
;
391 if (ap_rep_data
.length
) {
392 krb5_ap_rep_enc_part
*ap_rep
;
396 priv_data
.data
= (u_char
*)ap_rep_data
.data
+ ap_rep_data
.length
;
397 priv_data
.length
= len
- ap_rep_data
.length
- 6;
399 ret
= krb5_rd_rep (context
,
406 krb5_free_ap_rep_enc_part (context
, ap_rep
);
408 ret
= krb5_rd_priv (context
,
414 krb5_data_free (result_code_string
);
418 if (result_code_string
->length
< 2) {
419 *result_code
= KRB5_KPASSWD_MALFORMED
;
420 str2data (result_string
,
421 "client: bad length in result");
425 p
= result_code_string
->data
;
427 *result_code
= (p
[0] << 8) | p
[1];
428 krb5_data_copy (result_string
,
429 (unsigned char*)result_code_string
->data
+ 2,
430 result_code_string
->length
- 2);
437 ret
= decode_KRB_ERROR(reply
+ 6, len
- 6, &error
, &size
);
441 if (error
.e_data
->length
< 2) {
442 krb5_warnx (context
, "too short e_data to print anything usable");
446 p
= error
.e_data
->data
;
447 *result_code
= (p
[0] << 8) | p
[1];
448 krb5_data_copy (result_string
,
450 error
.e_data
->length
- 2);
457 * change the password using the credentials in `creds' (for the
458 * principal indicated in them) to `newpw', storing the result of
459 * the operation in `result_*' and an error code or 0.
462 typedef krb5_error_code (*kpwd_send_request
) (krb5_context
,
470 typedef krb5_error_code (*kpwd_process_reply
) (krb5_context
,
479 static struct kpwd_proc
{
482 #define SUPPORT_TCP 1
483 #define SUPPORT_UDP 2
484 kpwd_send_request send_req
;
485 kpwd_process_reply process_rep
;
489 SUPPORT_TCP
|SUPPORT_UDP
,
499 { NULL
, 0, NULL
, NULL
}
506 static krb5_error_code
507 change_password_loop (krb5_context context
,
509 krb5_principal targprinc
,
512 krb5_data
*result_code_string
,
513 krb5_data
*result_string
,
514 struct kpwd_proc
*proc
)
517 krb5_auth_context auth_context
= NULL
;
518 krb5_krbhst_handle handle
= NULL
;
519 krb5_krbhst_info
*hi
;
526 realm
= targprinc
->realm
;
528 realm
= creds
->client
->realm
;
530 ret
= krb5_auth_con_init (context
, &auth_context
);
534 krb5_auth_con_setflags (context
, auth_context
,
535 KRB5_AUTH_CONTEXT_DO_SEQUENCE
);
537 ret
= krb5_krbhst_init (context
, realm
, KRB5_KRBHST_CHANGEPW
, &handle
);
541 while (!done
&& (ret
= krb5_krbhst_next(context
, handle
, &hi
)) == 0) {
542 struct addrinfo
*ai
, *a
;
546 case KRB5_KRBHST_UDP
:
547 if ((proc
->flags
& SUPPORT_UDP
) == 0)
551 case KRB5_KRBHST_TCP
:
552 if ((proc
->flags
& SUPPORT_TCP
) == 0)
560 ret
= krb5_krbhst_get_addrinfo(context
, hi
, &ai
);
564 for (a
= ai
; !done
&& a
!= NULL
; a
= a
->ai_next
) {
567 sock
= socket (a
->ai_family
, a
->ai_socktype
| SOCK_CLOEXEC
, a
->ai_protocol
);
568 if (rk_IS_BAD_SOCKET(sock
))
572 ret
= connect(sock
, a
->ai_addr
, a
->ai_addrlen
);
573 if (rk_IS_SOCKET_ERROR(ret
)) {
574 rk_closesocket (sock
);
578 ret
= krb5_auth_con_genaddrs (context
, auth_context
, sock
,
579 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
);
581 rk_closesocket (sock
);
585 for (i
= 0; !done
&& i
< 5; ++i
) {
592 ret
= (*proc
->send_req
) (context
,
601 rk_closesocket(sock
);
606 #ifndef NO_LIMIT_FD_SETSIZE
607 if (sock
>= FD_SETSIZE
) {
609 krb5_set_error_message(context
, ret
,
610 "fd %d too large", sock
);
611 rk_closesocket (sock
);
617 FD_SET(sock
, &fdset
);
619 tv
.tv_sec
= 1 + (1 << i
);
621 ret
= select (sock
+ 1, &fdset
, NULL
, NULL
, &tv
);
622 if (rk_IS_SOCKET_ERROR(ret
) && rk_SOCK_ERRNO
!= EINTR
) {
623 rk_closesocket(sock
);
627 ret
= (*proc
->process_rep
) (context
,
637 else if (i
> 0 && ret
== KRB5KRB_AP_ERR_MUT_FAIL
)
640 ret
= KRB5_KDC_UNREACH
;
643 rk_closesocket (sock
);
648 krb5_krbhst_free (context
, handle
);
649 krb5_auth_con_free (context
, auth_context
);
651 if (ret
== KRB5_KDC_UNREACH
) {
652 krb5_set_error_message(context
,
654 N_("Unable to reach any changepw server "
655 " in realm %s", "realm"), realm
);
656 *result_code
= KRB5_KPASSWD_HARDERROR
;
661 #ifndef HEIMDAL_SMALLER
663 static struct kpwd_proc
*
664 find_chpw_proto(const char *name
)
667 for (p
= procs
; p
->name
!= NULL
; p
++) {
668 if (strcmp(p
->name
, name
) == 0)
675 * Deprecated: krb5_change_password() is deprecated, use krb5_set_password().
677 * @param context a Keberos context
681 * @param result_code_string
682 * @param result_string
684 * @return On sucess password is changed.
686 * @ingroup @krb5_deprecated
689 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
690 krb5_change_password (krb5_context context
,
694 krb5_data
*result_code_string
,
695 krb5_data
*result_string
)
696 KRB5_DEPRECATED_FUNCTION("Use X instead")
698 struct kpwd_proc
*p
= find_chpw_proto("change password");
700 *result_code
= KRB5_KPASSWD_MALFORMED
;
701 result_code_string
->data
= result_string
->data
= NULL
;
702 result_code_string
->length
= result_string
->length
= 0;
705 return KRB5_KPASSWD_MALFORMED
;
707 return change_password_loop(context
, creds
, NULL
, newpw
,
708 result_code
, result_code_string
,
711 #endif /* HEIMDAL_SMALLER */
714 * Change password using creds.
716 * @param context a Keberos context
717 * @param creds The initial kadmin/passwd for the principal or an admin principal
718 * @param newpw The new password to set
719 * @param targprinc if unset, the default principal is used.
720 * @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
721 * @param result_code_string binary message from the server, contains
722 * at least the result_code.
723 * @param result_string A message from the kpasswd service or the
724 * library in human printable form. The string is NUL terminated.
726 * @return On sucess and *result_code is KRB5_KPASSWD_SUCCESS, the password is changed.
731 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
732 krb5_set_password(krb5_context context
,
735 krb5_principal targprinc
,
737 krb5_data
*result_code_string
,
738 krb5_data
*result_string
)
740 krb5_principal principal
= NULL
;
741 krb5_error_code ret
= 0;
744 *result_code
= KRB5_KPASSWD_MALFORMED
;
745 krb5_data_zero(result_code_string
);
746 krb5_data_zero(result_string
);
748 if (targprinc
== NULL
) {
749 ret
= krb5_get_default_principal(context
, &principal
);
753 principal
= targprinc
;
755 for (i
= 0; procs
[i
].name
!= NULL
; i
++) {
757 ret
= change_password_loop(context
, creds
, principal
, newpw
,
758 result_code
, result_code_string
,
761 if (ret
== 0 && *result_code
== 0)
765 if (targprinc
== NULL
)
766 krb5_free_principal(context
, principal
);
774 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
775 krb5_set_password_using_ccache(krb5_context context
,
778 krb5_principal targprinc
,
780 krb5_data
*result_code_string
,
781 krb5_data
*result_string
)
783 krb5_creds creds
, *credsp
;
785 krb5_principal principal
= NULL
;
787 *result_code
= KRB5_KPASSWD_MALFORMED
;
788 result_code_string
->data
= result_string
->data
= NULL
;
789 result_code_string
->length
= result_string
->length
= 0;
791 memset(&creds
, 0, sizeof(creds
));
793 if (targprinc
== NULL
) {
794 ret
= krb5_cc_get_principal(context
, ccache
, &principal
);
798 principal
= targprinc
;
800 ret
= krb5_make_principal(context
, &creds
.server
,
801 krb5_principal_get_realm(context
, principal
),
802 "kadmin", "changepw", NULL
);
806 ret
= krb5_cc_get_principal(context
, ccache
, &creds
.client
);
808 krb5_free_principal(context
, creds
.server
);
812 ret
= krb5_get_credentials(context
, 0, ccache
, &creds
, &credsp
);
813 krb5_free_principal(context
, creds
.server
);
814 krb5_free_principal(context
, creds
.client
);
818 ret
= krb5_set_password(context
,
826 krb5_free_creds(context
, credsp
);
830 if (targprinc
== NULL
)
831 krb5_free_principal(context
, principal
);
839 KRB5_LIB_FUNCTION
const char* KRB5_LIB_CALL
840 krb5_passwd_result_to_string (krb5_context context
,
843 static const char *strings
[] = {
851 "Initial flag needed"
854 if (result
< 0 || result
> KRB5_KPASSWD_INITIAL_FLAG_NEEDED
)
855 return "unknown result code";
857 return strings
[result
];