1*0a6a1f1dSLionel Sambuc /* $NetBSD: changepw.c,v 1.1.1.2 2014/04/24 12:45:49 pettai Exp $ */
2ebfedea0SLionel Sambuc
3ebfedea0SLionel Sambuc /*
4ebfedea0SLionel Sambuc * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
5ebfedea0SLionel Sambuc * (Royal Institute of Technology, Stockholm, Sweden).
6ebfedea0SLionel Sambuc * All rights reserved.
7ebfedea0SLionel Sambuc *
8ebfedea0SLionel Sambuc * Redistribution and use in source and binary forms, with or without
9ebfedea0SLionel Sambuc * modification, are permitted provided that the following conditions
10ebfedea0SLionel Sambuc * are met:
11ebfedea0SLionel Sambuc *
12ebfedea0SLionel Sambuc * 1. Redistributions of source code must retain the above copyright
13ebfedea0SLionel Sambuc * notice, this list of conditions and the following disclaimer.
14ebfedea0SLionel Sambuc *
15ebfedea0SLionel Sambuc * 2. Redistributions in binary form must reproduce the above copyright
16ebfedea0SLionel Sambuc * notice, this list of conditions and the following disclaimer in the
17ebfedea0SLionel Sambuc * documentation and/or other materials provided with the distribution.
18ebfedea0SLionel Sambuc *
19ebfedea0SLionel Sambuc * 3. Neither the name of the Institute nor the names of its contributors
20ebfedea0SLionel Sambuc * may be used to endorse or promote products derived from this software
21ebfedea0SLionel Sambuc * without specific prior written permission.
22ebfedea0SLionel Sambuc *
23ebfedea0SLionel Sambuc * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24ebfedea0SLionel Sambuc * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25ebfedea0SLionel Sambuc * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26ebfedea0SLionel Sambuc * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27ebfedea0SLionel Sambuc * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28ebfedea0SLionel Sambuc * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29ebfedea0SLionel Sambuc * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30ebfedea0SLionel Sambuc * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31ebfedea0SLionel Sambuc * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32ebfedea0SLionel Sambuc * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33ebfedea0SLionel Sambuc * SUCH DAMAGE.
34ebfedea0SLionel Sambuc */
35ebfedea0SLionel Sambuc
36ebfedea0SLionel Sambuc #include "krb5_locl.h"
37ebfedea0SLionel Sambuc
38ebfedea0SLionel Sambuc #undef __attribute__
39ebfedea0SLionel Sambuc #define __attribute__(X)
40ebfedea0SLionel Sambuc
41ebfedea0SLionel Sambuc
42ebfedea0SLionel Sambuc static void
43ebfedea0SLionel Sambuc str2data (krb5_data *d,
44ebfedea0SLionel Sambuc const char *fmt,
45ebfedea0SLionel Sambuc ...) __attribute__ ((format (printf, 2, 3)));
46ebfedea0SLionel Sambuc
47ebfedea0SLionel Sambuc static void
str2data(krb5_data * d,const char * fmt,...)48ebfedea0SLionel Sambuc str2data (krb5_data *d,
49ebfedea0SLionel Sambuc const char *fmt,
50ebfedea0SLionel Sambuc ...)
51ebfedea0SLionel Sambuc {
52ebfedea0SLionel Sambuc va_list args;
53ebfedea0SLionel Sambuc char *str;
54ebfedea0SLionel Sambuc
55ebfedea0SLionel Sambuc va_start(args, fmt);
56ebfedea0SLionel Sambuc d->length = vasprintf (&str, fmt, args);
57ebfedea0SLionel Sambuc va_end(args);
58ebfedea0SLionel Sambuc d->data = str;
59ebfedea0SLionel Sambuc }
60ebfedea0SLionel Sambuc
61ebfedea0SLionel Sambuc /*
62ebfedea0SLionel Sambuc * Change password protocol defined by
63ebfedea0SLionel Sambuc * draft-ietf-cat-kerb-chg-password-02.txt
64ebfedea0SLionel Sambuc *
65ebfedea0SLionel Sambuc * Share the response part of the protocol with MS set password
66ebfedea0SLionel Sambuc * (RFC3244)
67ebfedea0SLionel Sambuc */
68ebfedea0SLionel Sambuc
69ebfedea0SLionel Sambuc static krb5_error_code
chgpw_send_request(krb5_context context,krb5_auth_context * auth_context,krb5_creds * creds,krb5_principal targprinc,int is_stream,rk_socket_t sock,const char * passwd,const char * host)70ebfedea0SLionel Sambuc chgpw_send_request (krb5_context context,
71ebfedea0SLionel Sambuc krb5_auth_context *auth_context,
72ebfedea0SLionel Sambuc krb5_creds *creds,
73ebfedea0SLionel Sambuc krb5_principal targprinc,
74ebfedea0SLionel Sambuc int is_stream,
75ebfedea0SLionel Sambuc rk_socket_t sock,
76ebfedea0SLionel Sambuc const char *passwd,
77ebfedea0SLionel Sambuc const char *host)
78ebfedea0SLionel Sambuc {
79ebfedea0SLionel Sambuc krb5_error_code ret;
80ebfedea0SLionel Sambuc krb5_data ap_req_data;
81ebfedea0SLionel Sambuc krb5_data krb_priv_data;
82ebfedea0SLionel Sambuc krb5_data passwd_data;
83ebfedea0SLionel Sambuc size_t len;
84ebfedea0SLionel Sambuc u_char header[6];
85ebfedea0SLionel Sambuc struct iovec iov[3];
86ebfedea0SLionel Sambuc struct msghdr msghdr;
87ebfedea0SLionel Sambuc
88ebfedea0SLionel Sambuc if (is_stream)
89ebfedea0SLionel Sambuc return KRB5_KPASSWD_MALFORMED;
90ebfedea0SLionel Sambuc
91ebfedea0SLionel Sambuc if (targprinc &&
92ebfedea0SLionel Sambuc krb5_principal_compare(context, creds->client, targprinc) != TRUE)
93ebfedea0SLionel Sambuc return KRB5_KPASSWD_MALFORMED;
94ebfedea0SLionel Sambuc
95ebfedea0SLionel Sambuc krb5_data_zero (&ap_req_data);
96ebfedea0SLionel Sambuc
97ebfedea0SLionel Sambuc ret = krb5_mk_req_extended (context,
98ebfedea0SLionel Sambuc auth_context,
99ebfedea0SLionel Sambuc AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
100ebfedea0SLionel Sambuc NULL, /* in_data */
101ebfedea0SLionel Sambuc creds,
102ebfedea0SLionel Sambuc &ap_req_data);
103ebfedea0SLionel Sambuc if (ret)
104ebfedea0SLionel Sambuc return ret;
105ebfedea0SLionel Sambuc
106ebfedea0SLionel Sambuc passwd_data.data = rk_UNCONST(passwd);
107ebfedea0SLionel Sambuc passwd_data.length = strlen(passwd);
108ebfedea0SLionel Sambuc
109ebfedea0SLionel Sambuc krb5_data_zero (&krb_priv_data);
110ebfedea0SLionel Sambuc
111ebfedea0SLionel Sambuc ret = krb5_mk_priv (context,
112ebfedea0SLionel Sambuc *auth_context,
113ebfedea0SLionel Sambuc &passwd_data,
114ebfedea0SLionel Sambuc &krb_priv_data,
115ebfedea0SLionel Sambuc NULL);
116ebfedea0SLionel Sambuc if (ret)
117ebfedea0SLionel Sambuc goto out2;
118ebfedea0SLionel Sambuc
119ebfedea0SLionel Sambuc len = 6 + ap_req_data.length + krb_priv_data.length;
120ebfedea0SLionel Sambuc header[0] = (len >> 8) & 0xFF;
121ebfedea0SLionel Sambuc header[1] = (len >> 0) & 0xFF;
122ebfedea0SLionel Sambuc header[2] = 0;
123ebfedea0SLionel Sambuc header[3] = 1;
124ebfedea0SLionel Sambuc header[4] = (ap_req_data.length >> 8) & 0xFF;
125ebfedea0SLionel Sambuc header[5] = (ap_req_data.length >> 0) & 0xFF;
126ebfedea0SLionel Sambuc
127ebfedea0SLionel Sambuc memset(&msghdr, 0, sizeof(msghdr));
128ebfedea0SLionel Sambuc msghdr.msg_name = NULL;
129ebfedea0SLionel Sambuc msghdr.msg_namelen = 0;
130ebfedea0SLionel Sambuc msghdr.msg_iov = iov;
131ebfedea0SLionel Sambuc msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
132ebfedea0SLionel Sambuc #if 0
133ebfedea0SLionel Sambuc msghdr.msg_control = NULL;
134ebfedea0SLionel Sambuc msghdr.msg_controllen = 0;
135ebfedea0SLionel Sambuc #endif
136ebfedea0SLionel Sambuc
137ebfedea0SLionel Sambuc iov[0].iov_base = (void*)header;
138ebfedea0SLionel Sambuc iov[0].iov_len = 6;
139ebfedea0SLionel Sambuc iov[1].iov_base = ap_req_data.data;
140ebfedea0SLionel Sambuc iov[1].iov_len = ap_req_data.length;
141ebfedea0SLionel Sambuc iov[2].iov_base = krb_priv_data.data;
142ebfedea0SLionel Sambuc iov[2].iov_len = krb_priv_data.length;
143ebfedea0SLionel Sambuc
144ebfedea0SLionel Sambuc if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
145ebfedea0SLionel Sambuc ret = rk_SOCK_ERRNO;
146ebfedea0SLionel Sambuc krb5_set_error_message(context, ret, "sendmsg %s: %s",
147ebfedea0SLionel Sambuc host, strerror(ret));
148ebfedea0SLionel Sambuc }
149ebfedea0SLionel Sambuc
150ebfedea0SLionel Sambuc krb5_data_free (&krb_priv_data);
151ebfedea0SLionel Sambuc out2:
152ebfedea0SLionel Sambuc krb5_data_free (&ap_req_data);
153ebfedea0SLionel Sambuc return ret;
154ebfedea0SLionel Sambuc }
155ebfedea0SLionel Sambuc
156ebfedea0SLionel Sambuc /*
157ebfedea0SLionel Sambuc * Set password protocol as defined by RFC3244 --
158ebfedea0SLionel Sambuc * Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
159ebfedea0SLionel Sambuc */
160ebfedea0SLionel Sambuc
161ebfedea0SLionel Sambuc static krb5_error_code
setpw_send_request(krb5_context context,krb5_auth_context * auth_context,krb5_creds * creds,krb5_principal targprinc,int is_stream,rk_socket_t sock,const char * passwd,const char * host)162ebfedea0SLionel Sambuc setpw_send_request (krb5_context context,
163ebfedea0SLionel Sambuc krb5_auth_context *auth_context,
164ebfedea0SLionel Sambuc krb5_creds *creds,
165ebfedea0SLionel Sambuc krb5_principal targprinc,
166ebfedea0SLionel Sambuc int is_stream,
167ebfedea0SLionel Sambuc rk_socket_t sock,
168ebfedea0SLionel Sambuc const char *passwd,
169ebfedea0SLionel Sambuc const char *host)
170ebfedea0SLionel Sambuc {
171ebfedea0SLionel Sambuc krb5_error_code ret;
172ebfedea0SLionel Sambuc krb5_data ap_req_data;
173ebfedea0SLionel Sambuc krb5_data krb_priv_data;
174ebfedea0SLionel Sambuc krb5_data pwd_data;
175ebfedea0SLionel Sambuc ChangePasswdDataMS chpw;
176*0a6a1f1dSLionel Sambuc size_t len = 0;
177ebfedea0SLionel Sambuc u_char header[4 + 6];
178ebfedea0SLionel Sambuc u_char *p;
179ebfedea0SLionel Sambuc struct iovec iov[3];
180ebfedea0SLionel Sambuc struct msghdr msghdr;
181ebfedea0SLionel Sambuc
182ebfedea0SLionel Sambuc krb5_data_zero (&ap_req_data);
183ebfedea0SLionel Sambuc
184ebfedea0SLionel Sambuc ret = krb5_mk_req_extended (context,
185ebfedea0SLionel Sambuc auth_context,
186ebfedea0SLionel Sambuc AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
187ebfedea0SLionel Sambuc NULL, /* in_data */
188ebfedea0SLionel Sambuc creds,
189ebfedea0SLionel Sambuc &ap_req_data);
190ebfedea0SLionel Sambuc if (ret)
191ebfedea0SLionel Sambuc return ret;
192ebfedea0SLionel Sambuc
193ebfedea0SLionel Sambuc chpw.newpasswd.length = strlen(passwd);
194ebfedea0SLionel Sambuc chpw.newpasswd.data = rk_UNCONST(passwd);
195ebfedea0SLionel Sambuc if (targprinc) {
196ebfedea0SLionel Sambuc chpw.targname = &targprinc->name;
197ebfedea0SLionel Sambuc chpw.targrealm = &targprinc->realm;
198ebfedea0SLionel Sambuc } else {
199ebfedea0SLionel Sambuc chpw.targname = NULL;
200ebfedea0SLionel Sambuc chpw.targrealm = NULL;
201ebfedea0SLionel Sambuc }
202ebfedea0SLionel Sambuc
203ebfedea0SLionel Sambuc ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length,
204ebfedea0SLionel Sambuc &chpw, &len, ret);
205ebfedea0SLionel Sambuc if (ret) {
206ebfedea0SLionel Sambuc krb5_data_free (&ap_req_data);
207ebfedea0SLionel Sambuc return ret;
208ebfedea0SLionel Sambuc }
209ebfedea0SLionel Sambuc
210ebfedea0SLionel Sambuc if(pwd_data.length != len)
211ebfedea0SLionel Sambuc krb5_abortx(context, "internal error in ASN.1 encoder");
212ebfedea0SLionel Sambuc
213ebfedea0SLionel Sambuc ret = krb5_mk_priv (context,
214ebfedea0SLionel Sambuc *auth_context,
215ebfedea0SLionel Sambuc &pwd_data,
216ebfedea0SLionel Sambuc &krb_priv_data,
217ebfedea0SLionel Sambuc NULL);
218ebfedea0SLionel Sambuc if (ret)
219ebfedea0SLionel Sambuc goto out2;
220ebfedea0SLionel Sambuc
221ebfedea0SLionel Sambuc len = 6 + ap_req_data.length + krb_priv_data.length;
222ebfedea0SLionel Sambuc p = header;
223ebfedea0SLionel Sambuc if (is_stream) {
224ebfedea0SLionel Sambuc _krb5_put_int(p, len, 4);
225ebfedea0SLionel Sambuc p += 4;
226ebfedea0SLionel Sambuc }
227ebfedea0SLionel Sambuc *p++ = (len >> 8) & 0xFF;
228ebfedea0SLionel Sambuc *p++ = (len >> 0) & 0xFF;
229ebfedea0SLionel Sambuc *p++ = 0xff;
230ebfedea0SLionel Sambuc *p++ = 0x80;
231ebfedea0SLionel Sambuc *p++ = (ap_req_data.length >> 8) & 0xFF;
232ebfedea0SLionel Sambuc *p = (ap_req_data.length >> 0) & 0xFF;
233ebfedea0SLionel Sambuc
234ebfedea0SLionel Sambuc memset(&msghdr, 0, sizeof(msghdr));
235ebfedea0SLionel Sambuc msghdr.msg_name = NULL;
236ebfedea0SLionel Sambuc msghdr.msg_namelen = 0;
237ebfedea0SLionel Sambuc msghdr.msg_iov = iov;
238ebfedea0SLionel Sambuc msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
239ebfedea0SLionel Sambuc #if 0
240ebfedea0SLionel Sambuc msghdr.msg_control = NULL;
241ebfedea0SLionel Sambuc msghdr.msg_controllen = 0;
242ebfedea0SLionel Sambuc #endif
243ebfedea0SLionel Sambuc
244ebfedea0SLionel Sambuc iov[0].iov_base = (void*)header;
245ebfedea0SLionel Sambuc if (is_stream)
246ebfedea0SLionel Sambuc iov[0].iov_len = 10;
247ebfedea0SLionel Sambuc else
248ebfedea0SLionel Sambuc iov[0].iov_len = 6;
249ebfedea0SLionel Sambuc iov[1].iov_base = ap_req_data.data;
250ebfedea0SLionel Sambuc iov[1].iov_len = ap_req_data.length;
251ebfedea0SLionel Sambuc iov[2].iov_base = krb_priv_data.data;
252ebfedea0SLionel Sambuc iov[2].iov_len = krb_priv_data.length;
253ebfedea0SLionel Sambuc
254ebfedea0SLionel Sambuc if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
255ebfedea0SLionel Sambuc ret = rk_SOCK_ERRNO;
256ebfedea0SLionel Sambuc krb5_set_error_message(context, ret, "sendmsg %s: %s",
257ebfedea0SLionel Sambuc host, strerror(ret));
258ebfedea0SLionel Sambuc }
259ebfedea0SLionel Sambuc
260ebfedea0SLionel Sambuc krb5_data_free (&krb_priv_data);
261ebfedea0SLionel Sambuc out2:
262ebfedea0SLionel Sambuc krb5_data_free (&ap_req_data);
263ebfedea0SLionel Sambuc krb5_data_free (&pwd_data);
264ebfedea0SLionel Sambuc return ret;
265ebfedea0SLionel Sambuc }
266ebfedea0SLionel Sambuc
267ebfedea0SLionel Sambuc static krb5_error_code
process_reply(krb5_context context,krb5_auth_context auth_context,int is_stream,rk_socket_t sock,int * result_code,krb5_data * result_code_string,krb5_data * result_string,const char * host)268ebfedea0SLionel Sambuc process_reply (krb5_context context,
269ebfedea0SLionel Sambuc krb5_auth_context auth_context,
270ebfedea0SLionel Sambuc int is_stream,
271ebfedea0SLionel Sambuc rk_socket_t sock,
272ebfedea0SLionel Sambuc int *result_code,
273ebfedea0SLionel Sambuc krb5_data *result_code_string,
274ebfedea0SLionel Sambuc krb5_data *result_string,
275ebfedea0SLionel Sambuc const char *host)
276ebfedea0SLionel Sambuc {
277ebfedea0SLionel Sambuc krb5_error_code ret;
278ebfedea0SLionel Sambuc u_char reply[1024 * 3];
279*0a6a1f1dSLionel Sambuc size_t len;
280ebfedea0SLionel Sambuc uint16_t pkt_len, pkt_ver;
281ebfedea0SLionel Sambuc krb5_data ap_rep_data;
282ebfedea0SLionel Sambuc int save_errno;
283ebfedea0SLionel Sambuc
284ebfedea0SLionel Sambuc len = 0;
285ebfedea0SLionel Sambuc if (is_stream) {
286ebfedea0SLionel Sambuc while (len < sizeof(reply)) {
287ebfedea0SLionel Sambuc unsigned long size;
288ebfedea0SLionel Sambuc
289ebfedea0SLionel Sambuc ret = recvfrom (sock, reply + len, sizeof(reply) - len,
290ebfedea0SLionel Sambuc 0, NULL, NULL);
291ebfedea0SLionel Sambuc if (rk_IS_SOCKET_ERROR(ret)) {
292ebfedea0SLionel Sambuc save_errno = rk_SOCK_ERRNO;
293ebfedea0SLionel Sambuc krb5_set_error_message(context, save_errno,
294ebfedea0SLionel Sambuc "recvfrom %s: %s",
295ebfedea0SLionel Sambuc host, strerror(save_errno));
296ebfedea0SLionel Sambuc return save_errno;
297ebfedea0SLionel Sambuc } else if (ret == 0) {
298ebfedea0SLionel Sambuc krb5_set_error_message(context, 1,"recvfrom timeout %s", host);
299ebfedea0SLionel Sambuc return 1;
300ebfedea0SLionel Sambuc }
301ebfedea0SLionel Sambuc len += ret;
302ebfedea0SLionel Sambuc if (len < 4)
303ebfedea0SLionel Sambuc continue;
304ebfedea0SLionel Sambuc _krb5_get_int(reply, &size, 4);
305ebfedea0SLionel Sambuc if (size + 4 < len)
306ebfedea0SLionel Sambuc continue;
307ebfedea0SLionel Sambuc memmove(reply, reply + 4, size);
308ebfedea0SLionel Sambuc len = size;
309ebfedea0SLionel Sambuc break;
310ebfedea0SLionel Sambuc }
311ebfedea0SLionel Sambuc if (len == sizeof(reply)) {
312ebfedea0SLionel Sambuc krb5_set_error_message(context, ENOMEM,
313ebfedea0SLionel Sambuc N_("Message too large from %s", "host"),
314ebfedea0SLionel Sambuc host);
315ebfedea0SLionel Sambuc return ENOMEM;
316ebfedea0SLionel Sambuc }
317ebfedea0SLionel Sambuc } else {
318ebfedea0SLionel Sambuc ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
319ebfedea0SLionel Sambuc if (rk_IS_SOCKET_ERROR(ret)) {
320ebfedea0SLionel Sambuc save_errno = rk_SOCK_ERRNO;
321ebfedea0SLionel Sambuc krb5_set_error_message(context, save_errno,
322ebfedea0SLionel Sambuc "recvfrom %s: %s",
323ebfedea0SLionel Sambuc host, strerror(save_errno));
324ebfedea0SLionel Sambuc return save_errno;
325ebfedea0SLionel Sambuc }
326ebfedea0SLionel Sambuc len = ret;
327ebfedea0SLionel Sambuc }
328ebfedea0SLionel Sambuc
329ebfedea0SLionel Sambuc if (len < 6) {
330ebfedea0SLionel Sambuc str2data (result_string, "server %s sent to too short message "
331*0a6a1f1dSLionel Sambuc "(%zu bytes)", host, len);
332ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
333ebfedea0SLionel Sambuc return 0;
334ebfedea0SLionel Sambuc }
335ebfedea0SLionel Sambuc
336ebfedea0SLionel Sambuc pkt_len = (reply[0] << 8) | (reply[1]);
337ebfedea0SLionel Sambuc pkt_ver = (reply[2] << 8) | (reply[3]);
338ebfedea0SLionel Sambuc
339ebfedea0SLionel Sambuc if ((pkt_len != len) || (reply[1] == 0x7e || reply[1] == 0x5e)) {
340ebfedea0SLionel Sambuc KRB_ERROR error;
341ebfedea0SLionel Sambuc size_t size;
342ebfedea0SLionel Sambuc u_char *p;
343ebfedea0SLionel Sambuc
344ebfedea0SLionel Sambuc memset(&error, 0, sizeof(error));
345ebfedea0SLionel Sambuc
346ebfedea0SLionel Sambuc ret = decode_KRB_ERROR(reply, len, &error, &size);
347ebfedea0SLionel Sambuc if (ret)
348ebfedea0SLionel Sambuc return ret;
349ebfedea0SLionel Sambuc
350ebfedea0SLionel Sambuc if (error.e_data->length < 2) {
351ebfedea0SLionel Sambuc str2data(result_string, "server %s sent too short "
352ebfedea0SLionel Sambuc "e_data to print anything usable", host);
353ebfedea0SLionel Sambuc free_KRB_ERROR(&error);
354ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
355ebfedea0SLionel Sambuc return 0;
356ebfedea0SLionel Sambuc }
357ebfedea0SLionel Sambuc
358ebfedea0SLionel Sambuc p = error.e_data->data;
359ebfedea0SLionel Sambuc *result_code = (p[0] << 8) | p[1];
360ebfedea0SLionel Sambuc if (error.e_data->length == 2)
361ebfedea0SLionel Sambuc str2data(result_string, "server only sent error code");
362ebfedea0SLionel Sambuc else
363ebfedea0SLionel Sambuc krb5_data_copy (result_string,
364ebfedea0SLionel Sambuc p + 2,
365ebfedea0SLionel Sambuc error.e_data->length - 2);
366ebfedea0SLionel Sambuc free_KRB_ERROR(&error);
367ebfedea0SLionel Sambuc return 0;
368ebfedea0SLionel Sambuc }
369ebfedea0SLionel Sambuc
370ebfedea0SLionel Sambuc if (pkt_len != len) {
371ebfedea0SLionel Sambuc str2data (result_string, "client: wrong len in reply");
372ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
373ebfedea0SLionel Sambuc return 0;
374ebfedea0SLionel Sambuc }
375ebfedea0SLionel Sambuc if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW) {
376ebfedea0SLionel Sambuc str2data (result_string,
377ebfedea0SLionel Sambuc "client: wrong version number (%d)", pkt_ver);
378ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
379ebfedea0SLionel Sambuc return 0;
380ebfedea0SLionel Sambuc }
381ebfedea0SLionel Sambuc
382ebfedea0SLionel Sambuc ap_rep_data.data = reply + 6;
383ebfedea0SLionel Sambuc ap_rep_data.length = (reply[4] << 8) | (reply[5]);
384ebfedea0SLionel Sambuc
385ebfedea0SLionel Sambuc if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
386ebfedea0SLionel Sambuc str2data (result_string, "client: wrong AP len in reply");
387ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
388ebfedea0SLionel Sambuc return 0;
389ebfedea0SLionel Sambuc }
390ebfedea0SLionel Sambuc
391ebfedea0SLionel Sambuc if (ap_rep_data.length) {
392ebfedea0SLionel Sambuc krb5_ap_rep_enc_part *ap_rep;
393ebfedea0SLionel Sambuc krb5_data priv_data;
394ebfedea0SLionel Sambuc u_char *p;
395ebfedea0SLionel Sambuc
396ebfedea0SLionel Sambuc priv_data.data = (u_char*)ap_rep_data.data + ap_rep_data.length;
397ebfedea0SLionel Sambuc priv_data.length = len - ap_rep_data.length - 6;
398ebfedea0SLionel Sambuc
399ebfedea0SLionel Sambuc ret = krb5_rd_rep (context,
400ebfedea0SLionel Sambuc auth_context,
401ebfedea0SLionel Sambuc &ap_rep_data,
402ebfedea0SLionel Sambuc &ap_rep);
403ebfedea0SLionel Sambuc if (ret)
404ebfedea0SLionel Sambuc return ret;
405ebfedea0SLionel Sambuc
406ebfedea0SLionel Sambuc krb5_free_ap_rep_enc_part (context, ap_rep);
407ebfedea0SLionel Sambuc
408ebfedea0SLionel Sambuc ret = krb5_rd_priv (context,
409ebfedea0SLionel Sambuc auth_context,
410ebfedea0SLionel Sambuc &priv_data,
411ebfedea0SLionel Sambuc result_code_string,
412ebfedea0SLionel Sambuc NULL);
413ebfedea0SLionel Sambuc if (ret) {
414ebfedea0SLionel Sambuc krb5_data_free (result_code_string);
415ebfedea0SLionel Sambuc return ret;
416ebfedea0SLionel Sambuc }
417ebfedea0SLionel Sambuc
418ebfedea0SLionel Sambuc if (result_code_string->length < 2) {
419ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
420ebfedea0SLionel Sambuc str2data (result_string,
421ebfedea0SLionel Sambuc "client: bad length in result");
422ebfedea0SLionel Sambuc return 0;
423ebfedea0SLionel Sambuc }
424ebfedea0SLionel Sambuc
425ebfedea0SLionel Sambuc p = result_code_string->data;
426ebfedea0SLionel Sambuc
427ebfedea0SLionel Sambuc *result_code = (p[0] << 8) | p[1];
428ebfedea0SLionel Sambuc krb5_data_copy (result_string,
429ebfedea0SLionel Sambuc (unsigned char*)result_code_string->data + 2,
430ebfedea0SLionel Sambuc result_code_string->length - 2);
431ebfedea0SLionel Sambuc return 0;
432ebfedea0SLionel Sambuc } else {
433ebfedea0SLionel Sambuc KRB_ERROR error;
434ebfedea0SLionel Sambuc size_t size;
435ebfedea0SLionel Sambuc u_char *p;
436ebfedea0SLionel Sambuc
437ebfedea0SLionel Sambuc ret = decode_KRB_ERROR(reply + 6, len - 6, &error, &size);
438ebfedea0SLionel Sambuc if (ret) {
439ebfedea0SLionel Sambuc return ret;
440ebfedea0SLionel Sambuc }
441ebfedea0SLionel Sambuc if (error.e_data->length < 2) {
442ebfedea0SLionel Sambuc krb5_warnx (context, "too short e_data to print anything usable");
443ebfedea0SLionel Sambuc return 1; /* XXX */
444ebfedea0SLionel Sambuc }
445ebfedea0SLionel Sambuc
446ebfedea0SLionel Sambuc p = error.e_data->data;
447ebfedea0SLionel Sambuc *result_code = (p[0] << 8) | p[1];
448ebfedea0SLionel Sambuc krb5_data_copy (result_string,
449ebfedea0SLionel Sambuc p + 2,
450ebfedea0SLionel Sambuc error.e_data->length - 2);
451ebfedea0SLionel Sambuc return 0;
452ebfedea0SLionel Sambuc }
453ebfedea0SLionel Sambuc }
454ebfedea0SLionel Sambuc
455ebfedea0SLionel Sambuc
456ebfedea0SLionel Sambuc /*
457ebfedea0SLionel Sambuc * change the password using the credentials in `creds' (for the
458ebfedea0SLionel Sambuc * principal indicated in them) to `newpw', storing the result of
459ebfedea0SLionel Sambuc * the operation in `result_*' and an error code or 0.
460ebfedea0SLionel Sambuc */
461ebfedea0SLionel Sambuc
462ebfedea0SLionel Sambuc typedef krb5_error_code (*kpwd_send_request) (krb5_context,
463ebfedea0SLionel Sambuc krb5_auth_context *,
464ebfedea0SLionel Sambuc krb5_creds *,
465ebfedea0SLionel Sambuc krb5_principal,
466ebfedea0SLionel Sambuc int,
467ebfedea0SLionel Sambuc rk_socket_t,
468ebfedea0SLionel Sambuc const char *,
469ebfedea0SLionel Sambuc const char *);
470ebfedea0SLionel Sambuc typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
471ebfedea0SLionel Sambuc krb5_auth_context,
472ebfedea0SLionel Sambuc int,
473ebfedea0SLionel Sambuc rk_socket_t,
474ebfedea0SLionel Sambuc int *,
475ebfedea0SLionel Sambuc krb5_data *,
476ebfedea0SLionel Sambuc krb5_data *,
477ebfedea0SLionel Sambuc const char *);
478ebfedea0SLionel Sambuc
479ebfedea0SLionel Sambuc static struct kpwd_proc {
480ebfedea0SLionel Sambuc const char *name;
481ebfedea0SLionel Sambuc int flags;
482ebfedea0SLionel Sambuc #define SUPPORT_TCP 1
483ebfedea0SLionel Sambuc #define SUPPORT_UDP 2
484ebfedea0SLionel Sambuc kpwd_send_request send_req;
485ebfedea0SLionel Sambuc kpwd_process_reply process_rep;
486ebfedea0SLionel Sambuc } procs[] = {
487ebfedea0SLionel Sambuc {
488ebfedea0SLionel Sambuc "MS set password",
489ebfedea0SLionel Sambuc SUPPORT_TCP|SUPPORT_UDP,
490ebfedea0SLionel Sambuc setpw_send_request,
491ebfedea0SLionel Sambuc process_reply
492ebfedea0SLionel Sambuc },
493ebfedea0SLionel Sambuc {
494ebfedea0SLionel Sambuc "change password",
495ebfedea0SLionel Sambuc SUPPORT_UDP,
496ebfedea0SLionel Sambuc chgpw_send_request,
497ebfedea0SLionel Sambuc process_reply
498ebfedea0SLionel Sambuc },
499*0a6a1f1dSLionel Sambuc { NULL, 0, NULL, NULL }
500ebfedea0SLionel Sambuc };
501ebfedea0SLionel Sambuc
502ebfedea0SLionel Sambuc /*
503ebfedea0SLionel Sambuc *
504ebfedea0SLionel Sambuc */
505ebfedea0SLionel Sambuc
506ebfedea0SLionel Sambuc static krb5_error_code
change_password_loop(krb5_context context,krb5_creds * creds,krb5_principal targprinc,const char * newpw,int * result_code,krb5_data * result_code_string,krb5_data * result_string,struct kpwd_proc * proc)507ebfedea0SLionel Sambuc change_password_loop (krb5_context context,
508ebfedea0SLionel Sambuc krb5_creds *creds,
509ebfedea0SLionel Sambuc krb5_principal targprinc,
510ebfedea0SLionel Sambuc const char *newpw,
511ebfedea0SLionel Sambuc int *result_code,
512ebfedea0SLionel Sambuc krb5_data *result_code_string,
513ebfedea0SLionel Sambuc krb5_data *result_string,
514ebfedea0SLionel Sambuc struct kpwd_proc *proc)
515ebfedea0SLionel Sambuc {
516ebfedea0SLionel Sambuc krb5_error_code ret;
517ebfedea0SLionel Sambuc krb5_auth_context auth_context = NULL;
518ebfedea0SLionel Sambuc krb5_krbhst_handle handle = NULL;
519ebfedea0SLionel Sambuc krb5_krbhst_info *hi;
520ebfedea0SLionel Sambuc rk_socket_t sock;
521ebfedea0SLionel Sambuc unsigned int i;
522ebfedea0SLionel Sambuc int done = 0;
523ebfedea0SLionel Sambuc krb5_realm realm;
524ebfedea0SLionel Sambuc
525ebfedea0SLionel Sambuc if (targprinc)
526ebfedea0SLionel Sambuc realm = targprinc->realm;
527ebfedea0SLionel Sambuc else
528ebfedea0SLionel Sambuc realm = creds->client->realm;
529ebfedea0SLionel Sambuc
530ebfedea0SLionel Sambuc ret = krb5_auth_con_init (context, &auth_context);
531ebfedea0SLionel Sambuc if (ret)
532ebfedea0SLionel Sambuc return ret;
533ebfedea0SLionel Sambuc
534ebfedea0SLionel Sambuc krb5_auth_con_setflags (context, auth_context,
535ebfedea0SLionel Sambuc KRB5_AUTH_CONTEXT_DO_SEQUENCE);
536ebfedea0SLionel Sambuc
537ebfedea0SLionel Sambuc ret = krb5_krbhst_init (context, realm, KRB5_KRBHST_CHANGEPW, &handle);
538ebfedea0SLionel Sambuc if (ret)
539ebfedea0SLionel Sambuc goto out;
540ebfedea0SLionel Sambuc
541ebfedea0SLionel Sambuc while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) {
542ebfedea0SLionel Sambuc struct addrinfo *ai, *a;
543ebfedea0SLionel Sambuc int is_stream;
544ebfedea0SLionel Sambuc
545ebfedea0SLionel Sambuc switch (hi->proto) {
546ebfedea0SLionel Sambuc case KRB5_KRBHST_UDP:
547ebfedea0SLionel Sambuc if ((proc->flags & SUPPORT_UDP) == 0)
548ebfedea0SLionel Sambuc continue;
549ebfedea0SLionel Sambuc is_stream = 0;
550ebfedea0SLionel Sambuc break;
551ebfedea0SLionel Sambuc case KRB5_KRBHST_TCP:
552ebfedea0SLionel Sambuc if ((proc->flags & SUPPORT_TCP) == 0)
553ebfedea0SLionel Sambuc continue;
554ebfedea0SLionel Sambuc is_stream = 1;
555ebfedea0SLionel Sambuc break;
556ebfedea0SLionel Sambuc default:
557ebfedea0SLionel Sambuc continue;
558ebfedea0SLionel Sambuc }
559ebfedea0SLionel Sambuc
560ebfedea0SLionel Sambuc ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
561ebfedea0SLionel Sambuc if (ret)
562ebfedea0SLionel Sambuc continue;
563ebfedea0SLionel Sambuc
564ebfedea0SLionel Sambuc for (a = ai; !done && a != NULL; a = a->ai_next) {
565ebfedea0SLionel Sambuc int replied = 0;
566ebfedea0SLionel Sambuc
567ebfedea0SLionel Sambuc sock = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
568ebfedea0SLionel Sambuc if (rk_IS_BAD_SOCKET(sock))
569ebfedea0SLionel Sambuc continue;
570ebfedea0SLionel Sambuc rk_cloexec(sock);
571ebfedea0SLionel Sambuc
572ebfedea0SLionel Sambuc ret = connect(sock, a->ai_addr, a->ai_addrlen);
573ebfedea0SLionel Sambuc if (rk_IS_SOCKET_ERROR(ret)) {
574ebfedea0SLionel Sambuc rk_closesocket (sock);
575ebfedea0SLionel Sambuc goto out;
576ebfedea0SLionel Sambuc }
577ebfedea0SLionel Sambuc
578ebfedea0SLionel Sambuc ret = krb5_auth_con_genaddrs (context, auth_context, sock,
579ebfedea0SLionel Sambuc KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR);
580ebfedea0SLionel Sambuc if (ret) {
581ebfedea0SLionel Sambuc rk_closesocket (sock);
582ebfedea0SLionel Sambuc goto out;
583ebfedea0SLionel Sambuc }
584ebfedea0SLionel Sambuc
585ebfedea0SLionel Sambuc for (i = 0; !done && i < 5; ++i) {
586ebfedea0SLionel Sambuc fd_set fdset;
587ebfedea0SLionel Sambuc struct timeval tv;
588ebfedea0SLionel Sambuc
589ebfedea0SLionel Sambuc if (!replied) {
590ebfedea0SLionel Sambuc replied = 0;
591ebfedea0SLionel Sambuc
592ebfedea0SLionel Sambuc ret = (*proc->send_req) (context,
593ebfedea0SLionel Sambuc &auth_context,
594ebfedea0SLionel Sambuc creds,
595ebfedea0SLionel Sambuc targprinc,
596ebfedea0SLionel Sambuc is_stream,
597ebfedea0SLionel Sambuc sock,
598ebfedea0SLionel Sambuc newpw,
599ebfedea0SLionel Sambuc hi->hostname);
600ebfedea0SLionel Sambuc if (ret) {
601ebfedea0SLionel Sambuc rk_closesocket(sock);
602ebfedea0SLionel Sambuc goto out;
603ebfedea0SLionel Sambuc }
604ebfedea0SLionel Sambuc }
605ebfedea0SLionel Sambuc
606ebfedea0SLionel Sambuc #ifndef NO_LIMIT_FD_SETSIZE
607ebfedea0SLionel Sambuc if (sock >= FD_SETSIZE) {
608ebfedea0SLionel Sambuc ret = ERANGE;
609ebfedea0SLionel Sambuc krb5_set_error_message(context, ret,
610ebfedea0SLionel Sambuc "fd %d too large", sock);
611ebfedea0SLionel Sambuc rk_closesocket (sock);
612ebfedea0SLionel Sambuc goto out;
613ebfedea0SLionel Sambuc }
614ebfedea0SLionel Sambuc #endif
615ebfedea0SLionel Sambuc
616ebfedea0SLionel Sambuc FD_ZERO(&fdset);
617ebfedea0SLionel Sambuc FD_SET(sock, &fdset);
618ebfedea0SLionel Sambuc tv.tv_usec = 0;
619ebfedea0SLionel Sambuc tv.tv_sec = 1 + (1 << i);
620ebfedea0SLionel Sambuc
621ebfedea0SLionel Sambuc ret = select (sock + 1, &fdset, NULL, NULL, &tv);
622ebfedea0SLionel Sambuc if (rk_IS_SOCKET_ERROR(ret) && rk_SOCK_ERRNO != EINTR) {
623ebfedea0SLionel Sambuc rk_closesocket(sock);
624ebfedea0SLionel Sambuc goto out;
625ebfedea0SLionel Sambuc }
626ebfedea0SLionel Sambuc if (ret == 1) {
627ebfedea0SLionel Sambuc ret = (*proc->process_rep) (context,
628ebfedea0SLionel Sambuc auth_context,
629ebfedea0SLionel Sambuc is_stream,
630ebfedea0SLionel Sambuc sock,
631ebfedea0SLionel Sambuc result_code,
632ebfedea0SLionel Sambuc result_code_string,
633ebfedea0SLionel Sambuc result_string,
634ebfedea0SLionel Sambuc hi->hostname);
635ebfedea0SLionel Sambuc if (ret == 0)
636ebfedea0SLionel Sambuc done = 1;
637ebfedea0SLionel Sambuc else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL)
638ebfedea0SLionel Sambuc replied = 1;
639ebfedea0SLionel Sambuc } else {
640ebfedea0SLionel Sambuc ret = KRB5_KDC_UNREACH;
641ebfedea0SLionel Sambuc }
642ebfedea0SLionel Sambuc }
643ebfedea0SLionel Sambuc rk_closesocket (sock);
644ebfedea0SLionel Sambuc }
645ebfedea0SLionel Sambuc }
646ebfedea0SLionel Sambuc
647ebfedea0SLionel Sambuc out:
648ebfedea0SLionel Sambuc krb5_krbhst_free (context, handle);
649ebfedea0SLionel Sambuc krb5_auth_con_free (context, auth_context);
650ebfedea0SLionel Sambuc
651ebfedea0SLionel Sambuc if (ret == KRB5_KDC_UNREACH) {
652ebfedea0SLionel Sambuc krb5_set_error_message(context,
653ebfedea0SLionel Sambuc ret,
654ebfedea0SLionel Sambuc N_("Unable to reach any changepw server "
655ebfedea0SLionel Sambuc " in realm %s", "realm"), realm);
656ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_HARDERROR;
657ebfedea0SLionel Sambuc }
658ebfedea0SLionel Sambuc return ret;
659ebfedea0SLionel Sambuc }
660ebfedea0SLionel Sambuc
661ebfedea0SLionel Sambuc #ifndef HEIMDAL_SMALLER
662ebfedea0SLionel Sambuc
663ebfedea0SLionel Sambuc static struct kpwd_proc *
find_chpw_proto(const char * name)664ebfedea0SLionel Sambuc find_chpw_proto(const char *name)
665ebfedea0SLionel Sambuc {
666ebfedea0SLionel Sambuc struct kpwd_proc *p;
667ebfedea0SLionel Sambuc for (p = procs; p->name != NULL; p++) {
668ebfedea0SLionel Sambuc if (strcmp(p->name, name) == 0)
669ebfedea0SLionel Sambuc return p;
670ebfedea0SLionel Sambuc }
671ebfedea0SLionel Sambuc return NULL;
672ebfedea0SLionel Sambuc }
673ebfedea0SLionel Sambuc
674ebfedea0SLionel Sambuc /**
675ebfedea0SLionel Sambuc * Deprecated: krb5_change_password() is deprecated, use krb5_set_password().
676ebfedea0SLionel Sambuc *
677ebfedea0SLionel Sambuc * @param context a Keberos context
678ebfedea0SLionel Sambuc * @param creds
679ebfedea0SLionel Sambuc * @param newpw
680ebfedea0SLionel Sambuc * @param result_code
681ebfedea0SLionel Sambuc * @param result_code_string
682ebfedea0SLionel Sambuc * @param result_string
683ebfedea0SLionel Sambuc *
684ebfedea0SLionel Sambuc * @return On sucess password is changed.
685ebfedea0SLionel Sambuc
686ebfedea0SLionel Sambuc * @ingroup @krb5_deprecated
687ebfedea0SLionel Sambuc */
688ebfedea0SLionel Sambuc
689ebfedea0SLionel Sambuc KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_change_password(krb5_context context,krb5_creds * creds,const char * newpw,int * result_code,krb5_data * result_code_string,krb5_data * result_string)690ebfedea0SLionel Sambuc krb5_change_password (krb5_context context,
691ebfedea0SLionel Sambuc krb5_creds *creds,
692ebfedea0SLionel Sambuc const char *newpw,
693ebfedea0SLionel Sambuc int *result_code,
694ebfedea0SLionel Sambuc krb5_data *result_code_string,
695ebfedea0SLionel Sambuc krb5_data *result_string)
696*0a6a1f1dSLionel Sambuc KRB5_DEPRECATED_FUNCTION("Use X instead")
697ebfedea0SLionel Sambuc {
698ebfedea0SLionel Sambuc struct kpwd_proc *p = find_chpw_proto("change password");
699ebfedea0SLionel Sambuc
700ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
701ebfedea0SLionel Sambuc result_code_string->data = result_string->data = NULL;
702ebfedea0SLionel Sambuc result_code_string->length = result_string->length = 0;
703ebfedea0SLionel Sambuc
704ebfedea0SLionel Sambuc if (p == NULL)
705ebfedea0SLionel Sambuc return KRB5_KPASSWD_MALFORMED;
706ebfedea0SLionel Sambuc
707ebfedea0SLionel Sambuc return change_password_loop(context, creds, NULL, newpw,
708ebfedea0SLionel Sambuc result_code, result_code_string,
709ebfedea0SLionel Sambuc result_string, p);
710ebfedea0SLionel Sambuc }
711ebfedea0SLionel Sambuc #endif /* HEIMDAL_SMALLER */
712ebfedea0SLionel Sambuc
713ebfedea0SLionel Sambuc /**
714ebfedea0SLionel Sambuc * Change password using creds.
715ebfedea0SLionel Sambuc *
716ebfedea0SLionel Sambuc * @param context a Keberos context
717ebfedea0SLionel Sambuc * @param creds The initial kadmin/passwd for the principal or an admin principal
718ebfedea0SLionel Sambuc * @param newpw The new password to set
719ebfedea0SLionel Sambuc * @param targprinc if unset, the default principal is used.
720ebfedea0SLionel Sambuc * @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
721ebfedea0SLionel Sambuc * @param result_code_string binary message from the server, contains
722ebfedea0SLionel Sambuc * at least the result_code.
723ebfedea0SLionel Sambuc * @param result_string A message from the kpasswd service or the
724ebfedea0SLionel Sambuc * library in human printable form. The string is NUL terminated.
725ebfedea0SLionel Sambuc *
726ebfedea0SLionel Sambuc * @return On sucess and *result_code is KRB5_KPASSWD_SUCCESS, the password is changed.
727ebfedea0SLionel Sambuc
728ebfedea0SLionel Sambuc * @ingroup @krb5
729ebfedea0SLionel Sambuc */
730ebfedea0SLionel Sambuc
731ebfedea0SLionel Sambuc KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_password(krb5_context context,krb5_creds * creds,const char * newpw,krb5_principal targprinc,int * result_code,krb5_data * result_code_string,krb5_data * result_string)732ebfedea0SLionel Sambuc krb5_set_password(krb5_context context,
733ebfedea0SLionel Sambuc krb5_creds *creds,
734ebfedea0SLionel Sambuc const char *newpw,
735ebfedea0SLionel Sambuc krb5_principal targprinc,
736ebfedea0SLionel Sambuc int *result_code,
737ebfedea0SLionel Sambuc krb5_data *result_code_string,
738ebfedea0SLionel Sambuc krb5_data *result_string)
739ebfedea0SLionel Sambuc {
740ebfedea0SLionel Sambuc krb5_principal principal = NULL;
741ebfedea0SLionel Sambuc krb5_error_code ret = 0;
742ebfedea0SLionel Sambuc int i;
743ebfedea0SLionel Sambuc
744ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
745ebfedea0SLionel Sambuc krb5_data_zero(result_code_string);
746ebfedea0SLionel Sambuc krb5_data_zero(result_string);
747ebfedea0SLionel Sambuc
748ebfedea0SLionel Sambuc if (targprinc == NULL) {
749ebfedea0SLionel Sambuc ret = krb5_get_default_principal(context, &principal);
750ebfedea0SLionel Sambuc if (ret)
751ebfedea0SLionel Sambuc return ret;
752ebfedea0SLionel Sambuc } else
753ebfedea0SLionel Sambuc principal = targprinc;
754ebfedea0SLionel Sambuc
755ebfedea0SLionel Sambuc for (i = 0; procs[i].name != NULL; i++) {
756ebfedea0SLionel Sambuc *result_code = 0;
757ebfedea0SLionel Sambuc ret = change_password_loop(context, creds, principal, newpw,
758ebfedea0SLionel Sambuc result_code, result_code_string,
759ebfedea0SLionel Sambuc result_string,
760ebfedea0SLionel Sambuc &procs[i]);
761ebfedea0SLionel Sambuc if (ret == 0 && *result_code == 0)
762ebfedea0SLionel Sambuc break;
763ebfedea0SLionel Sambuc }
764ebfedea0SLionel Sambuc
765ebfedea0SLionel Sambuc if (targprinc == NULL)
766ebfedea0SLionel Sambuc krb5_free_principal(context, principal);
767ebfedea0SLionel Sambuc return ret;
768ebfedea0SLionel Sambuc }
769ebfedea0SLionel Sambuc
770ebfedea0SLionel Sambuc /*
771ebfedea0SLionel Sambuc *
772ebfedea0SLionel Sambuc */
773ebfedea0SLionel Sambuc
774ebfedea0SLionel Sambuc KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_password_using_ccache(krb5_context context,krb5_ccache ccache,const char * newpw,krb5_principal targprinc,int * result_code,krb5_data * result_code_string,krb5_data * result_string)775ebfedea0SLionel Sambuc krb5_set_password_using_ccache(krb5_context context,
776ebfedea0SLionel Sambuc krb5_ccache ccache,
777ebfedea0SLionel Sambuc const char *newpw,
778ebfedea0SLionel Sambuc krb5_principal targprinc,
779ebfedea0SLionel Sambuc int *result_code,
780ebfedea0SLionel Sambuc krb5_data *result_code_string,
781ebfedea0SLionel Sambuc krb5_data *result_string)
782ebfedea0SLionel Sambuc {
783ebfedea0SLionel Sambuc krb5_creds creds, *credsp;
784ebfedea0SLionel Sambuc krb5_error_code ret;
785ebfedea0SLionel Sambuc krb5_principal principal = NULL;
786ebfedea0SLionel Sambuc
787ebfedea0SLionel Sambuc *result_code = KRB5_KPASSWD_MALFORMED;
788ebfedea0SLionel Sambuc result_code_string->data = result_string->data = NULL;
789ebfedea0SLionel Sambuc result_code_string->length = result_string->length = 0;
790ebfedea0SLionel Sambuc
791ebfedea0SLionel Sambuc memset(&creds, 0, sizeof(creds));
792ebfedea0SLionel Sambuc
793ebfedea0SLionel Sambuc if (targprinc == NULL) {
794ebfedea0SLionel Sambuc ret = krb5_cc_get_principal(context, ccache, &principal);
795ebfedea0SLionel Sambuc if (ret)
796ebfedea0SLionel Sambuc return ret;
797ebfedea0SLionel Sambuc } else
798ebfedea0SLionel Sambuc principal = targprinc;
799ebfedea0SLionel Sambuc
800ebfedea0SLionel Sambuc ret = krb5_make_principal(context, &creds.server,
801ebfedea0SLionel Sambuc krb5_principal_get_realm(context, principal),
802ebfedea0SLionel Sambuc "kadmin", "changepw", NULL);
803ebfedea0SLionel Sambuc if (ret)
804ebfedea0SLionel Sambuc goto out;
805ebfedea0SLionel Sambuc
806ebfedea0SLionel Sambuc ret = krb5_cc_get_principal(context, ccache, &creds.client);
807ebfedea0SLionel Sambuc if (ret) {
808ebfedea0SLionel Sambuc krb5_free_principal(context, creds.server);
809ebfedea0SLionel Sambuc goto out;
810ebfedea0SLionel Sambuc }
811ebfedea0SLionel Sambuc
812ebfedea0SLionel Sambuc ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
813ebfedea0SLionel Sambuc krb5_free_principal(context, creds.server);
814ebfedea0SLionel Sambuc krb5_free_principal(context, creds.client);
815ebfedea0SLionel Sambuc if (ret)
816ebfedea0SLionel Sambuc goto out;
817ebfedea0SLionel Sambuc
818ebfedea0SLionel Sambuc ret = krb5_set_password(context,
819ebfedea0SLionel Sambuc credsp,
820ebfedea0SLionel Sambuc newpw,
821ebfedea0SLionel Sambuc principal,
822ebfedea0SLionel Sambuc result_code,
823ebfedea0SLionel Sambuc result_code_string,
824ebfedea0SLionel Sambuc result_string);
825ebfedea0SLionel Sambuc
826ebfedea0SLionel Sambuc krb5_free_creds(context, credsp);
827ebfedea0SLionel Sambuc
828ebfedea0SLionel Sambuc return ret;
829ebfedea0SLionel Sambuc out:
830ebfedea0SLionel Sambuc if (targprinc == NULL)
831ebfedea0SLionel Sambuc krb5_free_principal(context, principal);
832ebfedea0SLionel Sambuc return ret;
833ebfedea0SLionel Sambuc }
834ebfedea0SLionel Sambuc
835ebfedea0SLionel Sambuc /*
836ebfedea0SLionel Sambuc *
837ebfedea0SLionel Sambuc */
838ebfedea0SLionel Sambuc
839ebfedea0SLionel Sambuc KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_passwd_result_to_string(krb5_context context,int result)840ebfedea0SLionel Sambuc krb5_passwd_result_to_string (krb5_context context,
841ebfedea0SLionel Sambuc int result)
842ebfedea0SLionel Sambuc {
843ebfedea0SLionel Sambuc static const char *strings[] = {
844ebfedea0SLionel Sambuc "Success",
845ebfedea0SLionel Sambuc "Malformed",
846ebfedea0SLionel Sambuc "Hard error",
847ebfedea0SLionel Sambuc "Auth error",
848ebfedea0SLionel Sambuc "Soft error" ,
849ebfedea0SLionel Sambuc "Access denied",
850ebfedea0SLionel Sambuc "Bad version",
851ebfedea0SLionel Sambuc "Initial flag needed"
852ebfedea0SLionel Sambuc };
853ebfedea0SLionel Sambuc
854ebfedea0SLionel Sambuc if (result < 0 || result > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)
855ebfedea0SLionel Sambuc return "unknown result code";
856ebfedea0SLionel Sambuc else
857ebfedea0SLionel Sambuc return strings[result];
858ebfedea0SLionel Sambuc }
859