2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
37 #define __attribute__(X)
41 str2data (krb5_data *d,
43 ...) __attribute__ ((format (printf, 2, 3)));
46 str2data (krb5_data *d,
54 d->length = vasprintf (&str, fmt, args);
60 * Change password protocol defined by
61 * draft-ietf-cat-kerb-chg-password-02.txt
63 * Share the response part of the protocol with MS set password
67 static krb5_error_code
68 chgpw_send_request (krb5_context context,
69 krb5_auth_context *auth_context,
71 krb5_principal targprinc,
78 krb5_data ap_req_data;
79 krb5_data krb_priv_data;
80 krb5_data passwd_data;
87 return KRB5_KPASSWD_MALFORMED;
90 krb5_principal_compare(context, creds->client, targprinc) != TRUE)
91 return KRB5_KPASSWD_MALFORMED;
93 krb5_data_zero (&ap_req_data);
95 ret = krb5_mk_req_extended (context,
97 AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
104 passwd_data.data = rk_UNCONST(passwd);
105 passwd_data.length = strlen(passwd);
107 krb5_data_zero (&krb_priv_data);
109 ret = krb5_mk_priv (context,
117 len = 6 + ap_req_data.length + krb_priv_data.length;
118 header[0] = (len >> 8) & 0xFF;
119 header[1] = (len >> 0) & 0xFF;
122 header[4] = (ap_req_data.length >> 8) & 0xFF;
123 header[5] = (ap_req_data.length >> 0) & 0xFF;
125 memset(&msghdr, 0, sizeof(msghdr));
126 msghdr.msg_name = NULL;
127 msghdr.msg_namelen = 0;
128 msghdr.msg_iov = iov;
129 msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
131 msghdr.msg_control = NULL;
132 msghdr.msg_controllen = 0;
135 iov[0].iov_base = (void*)header;
137 iov[1].iov_base = ap_req_data.data;
138 iov[1].iov_len = ap_req_data.length;
139 iov[2].iov_base = krb_priv_data.data;
140 iov[2].iov_len = krb_priv_data.length;
142 if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
144 krb5_set_error_message(context, ret, "sendmsg %s: %s",
145 host, strerror(ret));
148 krb5_data_free (&krb_priv_data);
150 krb5_data_free (&ap_req_data);
155 * Set password protocol as defined by RFC3244 --
156 * Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
159 static krb5_error_code
160 setpw_send_request (krb5_context context,
161 krb5_auth_context *auth_context,
163 krb5_principal targprinc,
170 krb5_data ap_req_data;
171 krb5_data krb_priv_data;
173 ChangePasswdDataMS chpw;
175 u_char header[4 + 6];
178 struct msghdr msghdr;
180 krb5_data_zero (&ap_req_data);
182 ret = krb5_mk_req_extended (context,
184 AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
191 chpw.newpasswd.length = strlen(passwd);
192 chpw.newpasswd.data = rk_UNCONST(passwd);
194 chpw.targname = &targprinc->name;
195 chpw.targrealm = &targprinc->realm;
197 chpw.targname = NULL;
198 chpw.targrealm = NULL;
201 ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length,
204 krb5_data_free (&ap_req_data);
208 if(pwd_data.length != len)
209 krb5_abortx(context, "internal error in ASN.1 encoder");
211 ret = krb5_mk_priv (context,
219 len = 6 + ap_req_data.length + krb_priv_data.length;
222 _krb5_put_int(p, len, 4);
225 *p++ = (len >> 8) & 0xFF;
226 *p++ = (len >> 0) & 0xFF;
229 *p++ = (ap_req_data.length >> 8) & 0xFF;
230 *p = (ap_req_data.length >> 0) & 0xFF;
232 memset(&msghdr, 0, sizeof(msghdr));
233 msghdr.msg_name = NULL;
234 msghdr.msg_namelen = 0;
235 msghdr.msg_iov = iov;
236 msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
238 msghdr.msg_control = NULL;
239 msghdr.msg_controllen = 0;
242 iov[0].iov_base = (void*)header;
247 iov[1].iov_base = ap_req_data.data;
248 iov[1].iov_len = ap_req_data.length;
249 iov[2].iov_base = krb_priv_data.data;
250 iov[2].iov_len = krb_priv_data.length;
252 if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
254 krb5_set_error_message(context, ret, "sendmsg %s: %s",
255 host, strerror(ret));
258 krb5_data_free (&krb_priv_data);
260 krb5_data_free (&ap_req_data);
261 krb5_data_free (&pwd_data);
265 static krb5_error_code
266 process_reply (krb5_context context,
267 krb5_auth_context auth_context,
271 krb5_data *result_code_string,
272 krb5_data *result_string,
276 u_char reply[1024 * 3];
278 uint16_t pkt_len, pkt_ver;
279 krb5_data ap_rep_data;
284 while (len < sizeof(reply)) {
287 ret = recvfrom (sock, reply + len, sizeof(reply) - len,
289 if (rk_IS_SOCKET_ERROR(ret)) {
290 save_errno = rk_SOCK_ERRNO;
291 krb5_set_error_message(context, save_errno,
293 host, strerror(save_errno));
295 } else if (ret == 0) {
296 krb5_set_error_message(context, 1,"recvfrom timeout %s", host);
302 _krb5_get_int(reply, &size, 4);
305 memmove(reply, reply + 4, size);
309 if (len == sizeof(reply)) {
310 krb5_set_error_message(context, ENOMEM,
311 N_("Message too large from %s", "host"),
316 ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
317 if (rk_IS_SOCKET_ERROR(ret)) {
318 save_errno = rk_SOCK_ERRNO;
319 krb5_set_error_message(context, save_errno,
321 host, strerror(save_errno));
328 str2data (result_string, "server %s sent to too short message "
329 "(%zu bytes)", host, len);
330 *result_code = KRB5_KPASSWD_MALFORMED;
334 pkt_len = (reply[0] << 8) | (reply[1]);
335 pkt_ver = (reply[2] << 8) | (reply[3]);
337 if ((pkt_len != len) || (reply[1] == 0x7e || reply[1] == 0x5e)) {
342 memset(&error, 0, sizeof(error));
344 ret = decode_KRB_ERROR(reply, len, &error, &size);
348 if (error.e_data->length < 2) {
349 str2data(result_string, "server %s sent too short "
350 "e_data to print anything usable", host);
351 free_KRB_ERROR(&error);
352 *result_code = KRB5_KPASSWD_MALFORMED;
356 p = error.e_data->data;
357 *result_code = (p[0] << 8) | p[1];
358 if (error.e_data->length == 2)
359 str2data(result_string, "server only sent error code");
361 krb5_data_copy (result_string,
363 error.e_data->length - 2);
364 free_KRB_ERROR(&error);
368 if (pkt_len != len) {
369 str2data (result_string, "client: wrong len in reply");
370 *result_code = KRB5_KPASSWD_MALFORMED;
373 if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW) {
374 str2data (result_string,
375 "client: wrong version number (%d)", pkt_ver);
376 *result_code = KRB5_KPASSWD_MALFORMED;
380 ap_rep_data.data = reply + 6;
381 ap_rep_data.length = (reply[4] << 8) | (reply[5]);
383 if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
384 str2data (result_string, "client: wrong AP len in reply");
385 *result_code = KRB5_KPASSWD_MALFORMED;
389 if (ap_rep_data.length) {
390 krb5_ap_rep_enc_part *ap_rep;
394 priv_data.data = (u_char*)ap_rep_data.data + ap_rep_data.length;
395 priv_data.length = len - ap_rep_data.length - 6;
397 ret = krb5_rd_rep (context,
404 krb5_free_ap_rep_enc_part (context, ap_rep);
406 ret = krb5_rd_priv (context,
412 krb5_data_free (result_code_string);
416 if (result_code_string->length < 2) {
417 *result_code = KRB5_KPASSWD_MALFORMED;
418 str2data (result_string,
419 "client: bad length in result");
423 p = result_code_string->data;
425 *result_code = (p[0] << 8) | p[1];
426 krb5_data_copy (result_string,
427 (unsigned char*)result_code_string->data + 2,
428 result_code_string->length - 2);
435 ret = decode_KRB_ERROR(reply + 6, len - 6, &error, &size);
439 if (error.e_data->length < 2) {
440 krb5_warnx (context, "too short e_data to print anything usable");
444 p = error.e_data->data;
445 *result_code = (p[0] << 8) | p[1];
446 krb5_data_copy (result_string,
448 error.e_data->length - 2);
455 * change the password using the credentials in `creds' (for the
456 * principal indicated in them) to `newpw', storing the result of
457 * the operation in `result_*' and an error code or 0.
460 typedef krb5_error_code (*kpwd_send_request) (krb5_context,
468 typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
477 static struct kpwd_proc {
480 #define SUPPORT_TCP 1
481 #define SUPPORT_UDP 2
482 kpwd_send_request send_req;
483 kpwd_process_reply process_rep;
487 SUPPORT_TCP|SUPPORT_UDP,
497 { NULL, 0, NULL, NULL }
504 static krb5_error_code
505 change_password_loop (krb5_context context,
507 krb5_principal targprinc,
510 krb5_data *result_code_string,
511 krb5_data *result_string,
512 struct kpwd_proc *proc)
515 krb5_auth_context auth_context = NULL;
516 krb5_krbhst_handle handle = NULL;
517 krb5_krbhst_info *hi;
524 realm = targprinc->realm;
526 realm = creds->client->realm;
528 ret = krb5_auth_con_init (context, &auth_context);
532 krb5_auth_con_setflags (context, auth_context,
533 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
535 ret = krb5_krbhst_init (context, realm, KRB5_KRBHST_CHANGEPW, &handle);
539 while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) {
540 struct addrinfo *ai, *a;
544 case KRB5_KRBHST_UDP:
545 if ((proc->flags & SUPPORT_UDP) == 0)
549 case KRB5_KRBHST_TCP:
550 if ((proc->flags & SUPPORT_TCP) == 0)
558 ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
562 for (a = ai; !done && a != NULL; a = a->ai_next) {
565 sock = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
566 if (rk_IS_BAD_SOCKET(sock))
570 ret = connect(sock, a->ai_addr, a->ai_addrlen);
571 if (rk_IS_SOCKET_ERROR(ret)) {
572 rk_closesocket (sock);
576 ret = krb5_auth_con_genaddrs (context, auth_context, sock,
577 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR);
579 rk_closesocket (sock);
583 for (i = 0; !done && i < 5; ++i) {
590 ret = (*proc->send_req) (context,
599 rk_closesocket(sock);
604 #ifndef NO_LIMIT_FD_SETSIZE
605 if (sock >= FD_SETSIZE) {
607 krb5_set_error_message(context, ret,
608 "fd %d too large", sock);
609 rk_closesocket (sock);
615 FD_SET(sock, &fdset);
617 tv.tv_sec = 1 + (1 << i);
619 ret = select (sock + 1, &fdset, NULL, NULL, &tv);
620 if (rk_IS_SOCKET_ERROR(ret) && rk_SOCK_ERRNO != EINTR) {
621 rk_closesocket(sock);
625 ret = (*proc->process_rep) (context,
635 else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL)
638 ret = KRB5_KDC_UNREACH;
641 rk_closesocket (sock);
646 krb5_krbhst_free (context, handle);
647 krb5_auth_con_free (context, auth_context);
649 if (ret == KRB5_KDC_UNREACH) {
650 krb5_set_error_message(context,
652 N_("Unable to reach any changepw server "
653 " in realm %s", "realm"), realm);
654 *result_code = KRB5_KPASSWD_HARDERROR;
659 #ifndef HEIMDAL_SMALLER
661 static struct kpwd_proc *
662 find_chpw_proto(const char *name)
665 for (p = procs; p->name != NULL; p++) {
666 if (strcmp(p->name, name) == 0)
673 * Deprecated: krb5_change_password() is deprecated, use krb5_set_password().
675 * @param context a Keberos context
679 * @param result_code_string
680 * @param result_string
682 * @return On sucess password is changed.
684 * @ingroup @krb5_deprecated
687 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
688 krb5_change_password (krb5_context context,
692 krb5_data *result_code_string,
693 krb5_data *result_string)
694 KRB5_DEPRECATED_FUNCTION("Use X instead")
696 struct kpwd_proc *p = find_chpw_proto("change password");
698 *result_code = KRB5_KPASSWD_MALFORMED;
699 result_code_string->data = result_string->data = NULL;
700 result_code_string->length = result_string->length = 0;
703 return KRB5_KPASSWD_MALFORMED;
705 return change_password_loop(context, creds, NULL, newpw,
706 result_code, result_code_string,
709 #endif /* HEIMDAL_SMALLER */
712 * Change password using creds.
714 * @param context a Keberos context
715 * @param creds The initial kadmin/passwd for the principal or an admin principal
716 * @param newpw The new password to set
717 * @param targprinc if unset, the default principal is used.
718 * @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
719 * @param result_code_string binary message from the server, contains
720 * at least the result_code.
721 * @param result_string A message from the kpasswd service or the
722 * library in human printable form. The string is NUL terminated.
724 * @return On sucess and *result_code is KRB5_KPASSWD_SUCCESS, the password is changed.
729 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
730 krb5_set_password(krb5_context context,
733 krb5_principal targprinc,
735 krb5_data *result_code_string,
736 krb5_data *result_string)
738 krb5_principal principal = NULL;
739 krb5_error_code ret = 0;
742 *result_code = KRB5_KPASSWD_MALFORMED;
743 krb5_data_zero(result_code_string);
744 krb5_data_zero(result_string);
746 if (targprinc == NULL) {
747 ret = krb5_get_default_principal(context, &principal);
751 principal = targprinc;
753 for (i = 0; procs[i].name != NULL; i++) {
755 ret = change_password_loop(context, creds, principal, newpw,
756 result_code, result_code_string,
759 if (ret == 0 && *result_code == 0)
763 if (targprinc == NULL)
764 krb5_free_principal(context, principal);
772 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
773 krb5_set_password_using_ccache(krb5_context context,
776 krb5_principal targprinc,
778 krb5_data *result_code_string,
779 krb5_data *result_string)
781 krb5_creds creds, *credsp;
783 krb5_principal principal = NULL;
785 *result_code = KRB5_KPASSWD_MALFORMED;
786 result_code_string->data = result_string->data = NULL;
787 result_code_string->length = result_string->length = 0;
789 memset(&creds, 0, sizeof(creds));
791 if (targprinc == NULL) {
792 ret = krb5_cc_get_principal(context, ccache, &principal);
796 principal = targprinc;
798 ret = krb5_make_principal(context, &creds.server,
799 krb5_principal_get_realm(context, principal),
800 "kadmin", "changepw", NULL);
804 ret = krb5_cc_get_principal(context, ccache, &creds.client);
806 krb5_free_principal(context, creds.server);
810 ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
811 krb5_free_principal(context, creds.server);
812 krb5_free_principal(context, creds.client);
816 ret = krb5_set_password(context,
824 krb5_free_creds(context, credsp);
828 if (targprinc == NULL)
829 krb5_free_principal(context, principal);
837 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
838 krb5_passwd_result_to_string (krb5_context context,
841 static const char *strings[] = {
849 "Initial flag needed"
852 if (result < 0 || result > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)
853 return "unknown result code";
855 return strings[result];