1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5_locl.h"
35
36 #undef __attribute__
37 #define __attribute__(X)
38
39
40 static void
41 str2data (krb5_data *d,
42 const char *fmt,
43 ...) __attribute__ ((format (printf, 2, 3)));
44
45 static void
str2data(krb5_data * d,const char * fmt,...)46 str2data (krb5_data *d,
47 const char *fmt,
48 ...)
49 {
50 va_list args;
51 char *str;
52
53 va_start(args, fmt);
54 d->length = vasprintf (&str, fmt, args);
55 va_end(args);
56 d->data = str;
57 }
58
59 /*
60 * Change password protocol defined by
61 * draft-ietf-cat-kerb-chg-password-02.txt
62 *
63 * Share the response part of the protocol with MS set password
64 * (RFC3244)
65 */
66
67 static krb5_error_code
chgpw_send_request(krb5_context context,krb5_auth_context * auth_context,krb5_creds * creds,krb5_principal targprinc,int is_stream,rk_socket_t sock,const char * passwd,const char * host)68 chgpw_send_request (krb5_context context,
69 krb5_auth_context *auth_context,
70 krb5_creds *creds,
71 krb5_principal targprinc,
72 int is_stream,
73 rk_socket_t sock,
74 const char *passwd,
75 const char *host)
76 {
77 krb5_error_code ret;
78 krb5_data ap_req_data;
79 krb5_data krb_priv_data;
80 krb5_data passwd_data;
81 size_t len;
82 u_char header[6];
83 struct iovec iov[3];
84 struct msghdr msghdr;
85
86 if (is_stream)
87 return KRB5_KPASSWD_MALFORMED;
88
89 if (targprinc &&
90 krb5_principal_compare(context, creds->client, targprinc) != TRUE)
91 return KRB5_KPASSWD_MALFORMED;
92
93 krb5_data_zero (&ap_req_data);
94
95 ret = krb5_mk_req_extended (context,
96 auth_context,
97 AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
98 NULL, /* in_data */
99 creds,
100 &ap_req_data);
101 if (ret)
102 return ret;
103
104 passwd_data.data = rk_UNCONST(passwd);
105 passwd_data.length = strlen(passwd);
106
107 krb5_data_zero (&krb_priv_data);
108
109 ret = krb5_mk_priv (context,
110 *auth_context,
111 &passwd_data,
112 &krb_priv_data,
113 NULL);
114 if (ret)
115 goto out2;
116
117 len = 6 + ap_req_data.length + krb_priv_data.length;
118 header[0] = (len >> 8) & 0xFF;
119 header[1] = (len >> 0) & 0xFF;
120 header[2] = 0;
121 header[3] = 1;
122 header[4] = (ap_req_data.length >> 8) & 0xFF;
123 header[5] = (ap_req_data.length >> 0) & 0xFF;
124
125 memset(&msghdr, 0, sizeof(msghdr));
126 msghdr.msg_name = NULL;
127 msghdr.msg_namelen = 0;
128 msghdr.msg_iov = iov;
129 msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
130 #if 0
131 msghdr.msg_control = NULL;
132 msghdr.msg_controllen = 0;
133 #endif
134
135 iov[0].iov_base = (void*)header;
136 iov[0].iov_len = 6;
137 iov[1].iov_base = ap_req_data.data;
138 iov[1].iov_len = ap_req_data.length;
139 iov[2].iov_base = krb_priv_data.data;
140 iov[2].iov_len = krb_priv_data.length;
141
142 if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
143 ret = rk_SOCK_ERRNO;
144 krb5_set_error_message(context, ret, "sendmsg %s: %s",
145 host, strerror(ret));
146 }
147
148 krb5_data_free (&krb_priv_data);
149 out2:
150 krb5_data_free (&ap_req_data);
151 return ret;
152 }
153
154 /*
155 * Set password protocol as defined by RFC3244 --
156 * Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
157 */
158
159 static krb5_error_code
setpw_send_request(krb5_context context,krb5_auth_context * auth_context,krb5_creds * creds,krb5_principal targprinc,int is_stream,rk_socket_t sock,const char * passwd,const char * host)160 setpw_send_request (krb5_context context,
161 krb5_auth_context *auth_context,
162 krb5_creds *creds,
163 krb5_principal targprinc,
164 int is_stream,
165 rk_socket_t sock,
166 const char *passwd,
167 const char *host)
168 {
169 krb5_error_code ret;
170 krb5_data ap_req_data;
171 krb5_data krb_priv_data;
172 krb5_data pwd_data;
173 ChangePasswdDataMS chpw;
174 size_t len = 0;
175 u_char header[4 + 6];
176 u_char *p;
177 struct iovec iov[3];
178 struct msghdr msghdr;
179
180 krb5_data_zero (&ap_req_data);
181
182 ret = krb5_mk_req_extended (context,
183 auth_context,
184 AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
185 NULL, /* in_data */
186 creds,
187 &ap_req_data);
188 if (ret)
189 return ret;
190
191 chpw.newpasswd.length = strlen(passwd);
192 chpw.newpasswd.data = rk_UNCONST(passwd);
193 if (targprinc) {
194 chpw.targname = &targprinc->name;
195 chpw.targrealm = &targprinc->realm;
196 } else {
197 chpw.targname = NULL;
198 chpw.targrealm = NULL;
199 }
200
201 ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length,
202 &chpw, &len, ret);
203 if (ret) {
204 krb5_data_free (&ap_req_data);
205 return ret;
206 }
207
208 if(pwd_data.length != len)
209 krb5_abortx(context, "internal error in ASN.1 encoder");
210
211 ret = krb5_mk_priv (context,
212 *auth_context,
213 &pwd_data,
214 &krb_priv_data,
215 NULL);
216 if (ret)
217 goto out2;
218
219 len = 6 + ap_req_data.length + krb_priv_data.length;
220 p = header;
221 if (is_stream) {
222 _krb5_put_int(p, len, 4);
223 p += 4;
224 }
225 *p++ = (len >> 8) & 0xFF;
226 *p++ = (len >> 0) & 0xFF;
227 *p++ = 0xff;
228 *p++ = 0x80;
229 *p++ = (ap_req_data.length >> 8) & 0xFF;
230 *p = (ap_req_data.length >> 0) & 0xFF;
231
232 memset(&msghdr, 0, sizeof(msghdr));
233 msghdr.msg_name = NULL;
234 msghdr.msg_namelen = 0;
235 msghdr.msg_iov = iov;
236 msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
237 #if 0
238 msghdr.msg_control = NULL;
239 msghdr.msg_controllen = 0;
240 #endif
241
242 iov[0].iov_base = (void*)header;
243 if (is_stream)
244 iov[0].iov_len = 10;
245 else
246 iov[0].iov_len = 6;
247 iov[1].iov_base = ap_req_data.data;
248 iov[1].iov_len = ap_req_data.length;
249 iov[2].iov_base = krb_priv_data.data;
250 iov[2].iov_len = krb_priv_data.length;
251
252 if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
253 ret = rk_SOCK_ERRNO;
254 krb5_set_error_message(context, ret, "sendmsg %s: %s",
255 host, strerror(ret));
256 }
257
258 krb5_data_free (&krb_priv_data);
259 out2:
260 krb5_data_free (&ap_req_data);
261 krb5_data_free (&pwd_data);
262 return ret;
263 }
264
265 static krb5_error_code
process_reply(krb5_context context,krb5_auth_context auth_context,int is_stream,rk_socket_t sock,int * result_code,krb5_data * result_code_string,krb5_data * result_string,const char * host)266 process_reply (krb5_context context,
267 krb5_auth_context auth_context,
268 int is_stream,
269 rk_socket_t sock,
270 int *result_code,
271 krb5_data *result_code_string,
272 krb5_data *result_string,
273 const char *host)
274 {
275 krb5_error_code ret;
276 u_char reply[1024 * 3];
277 size_t len;
278 uint16_t pkt_len, pkt_ver;
279 krb5_data ap_rep_data;
280 int save_errno;
281
282 len = 0;
283 if (is_stream) {
284 while (len < sizeof(reply)) {
285 unsigned long size;
286
287 ret = recvfrom (sock, reply + len, sizeof(reply) - len,
288 0, NULL, NULL);
289 if (rk_IS_SOCKET_ERROR(ret)) {
290 save_errno = rk_SOCK_ERRNO;
291 krb5_set_error_message(context, save_errno,
292 "recvfrom %s: %s",
293 host, strerror(save_errno));
294 return save_errno;
295 } else if (ret == 0) {
296 krb5_set_error_message(context, 1,"recvfrom timeout %s", host);
297 return 1;
298 }
299 len += ret;
300 if (len < 4)
301 continue;
302 _krb5_get_int(reply, &size, 4);
303 if (size + 4 < len)
304 continue;
305 memmove(reply, reply + 4, size);
306 len = size;
307 break;
308 }
309 if (len == sizeof(reply)) {
310 krb5_set_error_message(context, ENOMEM,
311 N_("Message too large from %s", "host"),
312 host);
313 return ENOMEM;
314 }
315 } else {
316 ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
317 if (rk_IS_SOCKET_ERROR(ret)) {
318 save_errno = rk_SOCK_ERRNO;
319 krb5_set_error_message(context, save_errno,
320 "recvfrom %s: %s",
321 host, strerror(save_errno));
322 return save_errno;
323 }
324 len = ret;
325 }
326
327 if (len < 6) {
328 str2data (result_string, "server %s sent to too short message "
329 "(%zu bytes)", host, len);
330 *result_code = KRB5_KPASSWD_MALFORMED;
331 return 0;
332 }
333
334 pkt_len = (reply[0] << 8) | (reply[1]);
335 pkt_ver = (reply[2] << 8) | (reply[3]);
336
337 if ((pkt_len != len) || (reply[1] == 0x7e || reply[1] == 0x5e)) {
338 KRB_ERROR error;
339 size_t size;
340 u_char *p;
341
342 memset(&error, 0, sizeof(error));
343
344 ret = decode_KRB_ERROR(reply, len, &error, &size);
345 if (ret)
346 return ret;
347
348 if (error.e_data->length < 2) {
349 str2data(result_string, "server %s sent too short "
350 "e_data to print anything usable", host);
351 free_KRB_ERROR(&error);
352 *result_code = KRB5_KPASSWD_MALFORMED;
353 return 0;
354 }
355
356 p = error.e_data->data;
357 *result_code = (p[0] << 8) | p[1];
358 if (error.e_data->length == 2)
359 str2data(result_string, "server only sent error code");
360 else
361 krb5_data_copy (result_string,
362 p + 2,
363 error.e_data->length - 2);
364 free_KRB_ERROR(&error);
365 return 0;
366 }
367
368 if (pkt_len != len) {
369 str2data (result_string, "client: wrong len in reply");
370 *result_code = KRB5_KPASSWD_MALFORMED;
371 return 0;
372 }
373 if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW) {
374 str2data (result_string,
375 "client: wrong version number (%d)", pkt_ver);
376 *result_code = KRB5_KPASSWD_MALFORMED;
377 return 0;
378 }
379
380 ap_rep_data.data = reply + 6;
381 ap_rep_data.length = (reply[4] << 8) | (reply[5]);
382
383 if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
384 str2data (result_string, "client: wrong AP len in reply");
385 *result_code = KRB5_KPASSWD_MALFORMED;
386 return 0;
387 }
388
389 if (ap_rep_data.length) {
390 krb5_ap_rep_enc_part *ap_rep;
391 krb5_data priv_data;
392 u_char *p;
393
394 priv_data.data = (u_char*)ap_rep_data.data + ap_rep_data.length;
395 priv_data.length = len - ap_rep_data.length - 6;
396
397 ret = krb5_rd_rep (context,
398 auth_context,
399 &ap_rep_data,
400 &ap_rep);
401 if (ret)
402 return ret;
403
404 krb5_free_ap_rep_enc_part (context, ap_rep);
405
406 ret = krb5_rd_priv (context,
407 auth_context,
408 &priv_data,
409 result_code_string,
410 NULL);
411 if (ret) {
412 krb5_data_free (result_code_string);
413 return ret;
414 }
415
416 if (result_code_string->length < 2) {
417 *result_code = KRB5_KPASSWD_MALFORMED;
418 str2data (result_string,
419 "client: bad length in result");
420 return 0;
421 }
422
423 p = result_code_string->data;
424
425 *result_code = (p[0] << 8) | p[1];
426 krb5_data_copy (result_string,
427 (unsigned char*)result_code_string->data + 2,
428 result_code_string->length - 2);
429 return 0;
430 } else {
431 KRB_ERROR error;
432 size_t size;
433 u_char *p;
434
435 ret = decode_KRB_ERROR(reply + 6, len - 6, &error, &size);
436 if (ret) {
437 return ret;
438 }
439 if (error.e_data->length < 2) {
440 krb5_warnx (context, "too short e_data to print anything usable");
441 return 1; /* XXX */
442 }
443
444 p = error.e_data->data;
445 *result_code = (p[0] << 8) | p[1];
446 krb5_data_copy (result_string,
447 p + 2,
448 error.e_data->length - 2);
449 return 0;
450 }
451 }
452
453
454 /*
455 * change the password using the credentials in `creds' (for the
456 * principal indicated in them) to `newpw', storing the result of
457 * the operation in `result_*' and an error code or 0.
458 */
459
460 typedef krb5_error_code (*kpwd_send_request) (krb5_context,
461 krb5_auth_context *,
462 krb5_creds *,
463 krb5_principal,
464 int,
465 rk_socket_t,
466 const char *,
467 const char *);
468 typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
469 krb5_auth_context,
470 int,
471 rk_socket_t,
472 int *,
473 krb5_data *,
474 krb5_data *,
475 const char *);
476
477 static struct kpwd_proc {
478 const char *name;
479 int flags;
480 #define SUPPORT_TCP 1
481 #define SUPPORT_UDP 2
482 kpwd_send_request send_req;
483 kpwd_process_reply process_rep;
484 } procs[] = {
485 {
486 "MS set password",
487 SUPPORT_TCP|SUPPORT_UDP,
488 setpw_send_request,
489 process_reply
490 },
491 {
492 "change password",
493 SUPPORT_UDP,
494 chgpw_send_request,
495 process_reply
496 },
497 { NULL, 0, NULL, NULL }
498 };
499
500 /*
501 *
502 */
503
504 static krb5_error_code
change_password_loop(krb5_context context,krb5_creds * creds,krb5_principal targprinc,const char * newpw,int * result_code,krb5_data * result_code_string,krb5_data * result_string,struct kpwd_proc * proc)505 change_password_loop (krb5_context context,
506 krb5_creds *creds,
507 krb5_principal targprinc,
508 const char *newpw,
509 int *result_code,
510 krb5_data *result_code_string,
511 krb5_data *result_string,
512 struct kpwd_proc *proc)
513 {
514 krb5_error_code ret;
515 krb5_auth_context auth_context = NULL;
516 krb5_krbhst_handle handle = NULL;
517 krb5_krbhst_info *hi;
518 rk_socket_t sock;
519 unsigned int i;
520 int done = 0;
521 krb5_realm realm;
522
523 if (targprinc)
524 realm = targprinc->realm;
525 else
526 realm = creds->client->realm;
527
528 ret = krb5_auth_con_init (context, &auth_context);
529 if (ret)
530 return ret;
531
532 krb5_auth_con_setflags (context, auth_context,
533 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
534
535 ret = krb5_krbhst_init (context, realm, KRB5_KRBHST_CHANGEPW, &handle);
536 if (ret)
537 goto out;
538
539 while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) {
540 struct addrinfo *ai, *a;
541 int is_stream;
542
543 switch (hi->proto) {
544 case KRB5_KRBHST_UDP:
545 if ((proc->flags & SUPPORT_UDP) == 0)
546 continue;
547 is_stream = 0;
548 break;
549 case KRB5_KRBHST_TCP:
550 if ((proc->flags & SUPPORT_TCP) == 0)
551 continue;
552 is_stream = 1;
553 break;
554 default:
555 continue;
556 }
557
558 ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
559 if (ret)
560 continue;
561
562 for (a = ai; !done && a != NULL; a = a->ai_next) {
563 int replied = 0;
564
565 sock = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
566 if (rk_IS_BAD_SOCKET(sock))
567 continue;
568 rk_cloexec(sock);
569
570 ret = connect(sock, a->ai_addr, a->ai_addrlen);
571 if (rk_IS_SOCKET_ERROR(ret)) {
572 rk_closesocket (sock);
573 goto out;
574 }
575
576 ret = krb5_auth_con_genaddrs (context, auth_context, sock,
577 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR);
578 if (ret) {
579 rk_closesocket (sock);
580 goto out;
581 }
582
583 for (i = 0; !done && i < 5; ++i) {
584 fd_set fdset;
585 struct timeval tv;
586
587 if (!replied) {
588 replied = 0;
589
590 ret = (*proc->send_req) (context,
591 &auth_context,
592 creds,
593 targprinc,
594 is_stream,
595 sock,
596 newpw,
597 hi->hostname);
598 if (ret) {
599 rk_closesocket(sock);
600 goto out;
601 }
602 }
603
604 #ifndef NO_LIMIT_FD_SETSIZE
605 if (sock >= FD_SETSIZE) {
606 ret = ERANGE;
607 krb5_set_error_message(context, ret,
608 "fd %d too large", sock);
609 rk_closesocket (sock);
610 goto out;
611 }
612 #endif
613
614 FD_ZERO(&fdset);
615 FD_SET(sock, &fdset);
616 tv.tv_usec = 0;
617 tv.tv_sec = 1 + (1 << i);
618
619 ret = select (sock + 1, &fdset, NULL, NULL, &tv);
620 if (rk_IS_SOCKET_ERROR(ret) && rk_SOCK_ERRNO != EINTR) {
621 rk_closesocket(sock);
622 goto out;
623 }
624 if (ret == 1) {
625 ret = (*proc->process_rep) (context,
626 auth_context,
627 is_stream,
628 sock,
629 result_code,
630 result_code_string,
631 result_string,
632 hi->hostname);
633 if (ret == 0)
634 done = 1;
635 else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL)
636 replied = 1;
637 } else {
638 ret = KRB5_KDC_UNREACH;
639 }
640 }
641 rk_closesocket (sock);
642 }
643 }
644
645 out:
646 krb5_krbhst_free (context, handle);
647 krb5_auth_con_free (context, auth_context);
648
649 if (ret == KRB5_KDC_UNREACH) {
650 krb5_set_error_message(context,
651 ret,
652 N_("Unable to reach any changepw server "
653 " in realm %s", "realm"), realm);
654 *result_code = KRB5_KPASSWD_HARDERROR;
655 }
656 return ret;
657 }
658
659 #ifndef HEIMDAL_SMALLER
660
661 static struct kpwd_proc *
find_chpw_proto(const char * name)662 find_chpw_proto(const char *name)
663 {
664 struct kpwd_proc *p;
665 for (p = procs; p->name != NULL; p++) {
666 if (strcmp(p->name, name) == 0)
667 return p;
668 }
669 return NULL;
670 }
671
672 /**
673 * Deprecated: krb5_change_password() is deprecated, use krb5_set_password().
674 *
675 * @param context a Keberos context
676 * @param creds
677 * @param newpw
678 * @param result_code
679 * @param result_code_string
680 * @param result_string
681 *
682 * @return On sucess password is changed.
683
684 * @ingroup @krb5_deprecated
685 */
686
687 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_change_password(krb5_context context,krb5_creds * creds,const char * newpw,int * result_code,krb5_data * result_code_string,krb5_data * result_string)688 krb5_change_password (krb5_context context,
689 krb5_creds *creds,
690 const char *newpw,
691 int *result_code,
692 krb5_data *result_code_string,
693 krb5_data *result_string)
694 KRB5_DEPRECATED_FUNCTION("Use X instead")
695 {
696 struct kpwd_proc *p = find_chpw_proto("change password");
697
698 *result_code = KRB5_KPASSWD_MALFORMED;
699 result_code_string->data = result_string->data = NULL;
700 result_code_string->length = result_string->length = 0;
701
702 if (p == NULL)
703 return KRB5_KPASSWD_MALFORMED;
704
705 return change_password_loop(context, creds, NULL, newpw,
706 result_code, result_code_string,
707 result_string, p);
708 }
709 #endif /* HEIMDAL_SMALLER */
710
711 /**
712 * Change password using creds.
713 *
714 * @param context a Keberos context
715 * @param creds The initial kadmin/passwd for the principal or an admin principal
716 * @param newpw The new password to set
717 * @param targprinc if unset, the default principal is used.
718 * @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
719 * @param result_code_string binary message from the server, contains
720 * at least the result_code.
721 * @param result_string A message from the kpasswd service or the
722 * library in human printable form. The string is NUL terminated.
723 *
724 * @return On sucess and *result_code is KRB5_KPASSWD_SUCCESS, the password is changed.
725
726 * @ingroup @krb5
727 */
728
729 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_password(krb5_context context,krb5_creds * creds,const char * newpw,krb5_principal targprinc,int * result_code,krb5_data * result_code_string,krb5_data * result_string)730 krb5_set_password(krb5_context context,
731 krb5_creds *creds,
732 const char *newpw,
733 krb5_principal targprinc,
734 int *result_code,
735 krb5_data *result_code_string,
736 krb5_data *result_string)
737 {
738 krb5_principal principal = NULL;
739 krb5_error_code ret = 0;
740 int i;
741
742 *result_code = KRB5_KPASSWD_MALFORMED;
743 krb5_data_zero(result_code_string);
744 krb5_data_zero(result_string);
745
746 if (targprinc == NULL) {
747 ret = krb5_get_default_principal(context, &principal);
748 if (ret)
749 return ret;
750 } else
751 principal = targprinc;
752
753 for (i = 0; procs[i].name != NULL; i++) {
754 *result_code = 0;
755 ret = change_password_loop(context, creds, principal, newpw,
756 result_code, result_code_string,
757 result_string,
758 &procs[i]);
759 if (ret == 0 && *result_code == 0)
760 break;
761 }
762
763 if (targprinc == NULL)
764 krb5_free_principal(context, principal);
765 return ret;
766 }
767
768 /*
769 *
770 */
771
772 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_password_using_ccache(krb5_context context,krb5_ccache ccache,const char * newpw,krb5_principal targprinc,int * result_code,krb5_data * result_code_string,krb5_data * result_string)773 krb5_set_password_using_ccache(krb5_context context,
774 krb5_ccache ccache,
775 const char *newpw,
776 krb5_principal targprinc,
777 int *result_code,
778 krb5_data *result_code_string,
779 krb5_data *result_string)
780 {
781 krb5_creds creds, *credsp;
782 krb5_error_code ret;
783 krb5_principal principal = NULL;
784
785 *result_code = KRB5_KPASSWD_MALFORMED;
786 result_code_string->data = result_string->data = NULL;
787 result_code_string->length = result_string->length = 0;
788
789 memset(&creds, 0, sizeof(creds));
790
791 if (targprinc == NULL) {
792 ret = krb5_cc_get_principal(context, ccache, &principal);
793 if (ret)
794 return ret;
795 } else
796 principal = targprinc;
797
798 ret = krb5_make_principal(context, &creds.server,
799 krb5_principal_get_realm(context, principal),
800 "kadmin", "changepw", NULL);
801 if (ret)
802 goto out;
803
804 ret = krb5_cc_get_principal(context, ccache, &creds.client);
805 if (ret) {
806 krb5_free_principal(context, creds.server);
807 goto out;
808 }
809
810 ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
811 krb5_free_principal(context, creds.server);
812 krb5_free_principal(context, creds.client);
813 if (ret)
814 goto out;
815
816 ret = krb5_set_password(context,
817 credsp,
818 newpw,
819 principal,
820 result_code,
821 result_code_string,
822 result_string);
823
824 krb5_free_creds(context, credsp);
825
826 return ret;
827 out:
828 if (targprinc == NULL)
829 krb5_free_principal(context, principal);
830 return ret;
831 }
832
833 /*
834 *
835 */
836
837 KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_passwd_result_to_string(krb5_context context,int result)838 krb5_passwd_result_to_string (krb5_context context,
839 int result)
840 {
841 static const char *strings[] = {
842 "Success",
843 "Malformed",
844 "Hard error",
845 "Auth error",
846 "Soft error" ,
847 "Access denied",
848 "Bad version",
849 "Initial flag needed"
850 };
851
852 if (result < 0 || result > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)
853 return "unknown result code";
854 else
855 return strings[result];
856 }
857