Enable qsort() on all platforms, not just WIN32.
cd9e6b16 1/*--
2
3THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
4ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
5TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
6PARTICULAR PURPOSE.
7
8Copyright (C) 1999 Microsoft Corporation. All rights reserved.
9
10Module Name:
11
f78c7eaf 12 setpw.c
cd9e6b16 13
14Abstract:
15
16 Set a user's password using the
17 Kerberos Change Password Protocol (I-D) variant for Windows 2000
18
19--*/
20/*
21 * lib/krb5/os/changepw.c
22 *
23 * Copyright 1990 by the Massachusetts Institute of Technology.
24 * All Rights Reserved.
25 *
26 * Export of this software from the United States of America may
27 * require a specific license from the United States Government.
28 * It is the responsibility of any person or organization contemplating
29 * export to obtain such a license before exporting.
30 *
31 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
32 * distribute this software and its documentation for any purpose and
33 * without fee is hereby granted, provided that the above copyright
34 * notice appear in all copies and that both that copyright notice and
35 * this permission notice appear in supporting documentation, and that
36 * the name of M.I.T. not be used in advertising or publicity pertaining
37 * to distribution of the software without specific, written prior
38 * permission. M.I.T. makes no representations about the suitability of
39 * this software for any purpose. It is provided "as is" without express
40 * or implied warranty.
41 *
42 */
43
f78c7eaf 44
cd9e6b16 45#define NEED_SOCKETS
46#include <krb5.h>
47#include <krb.h>
f78c7eaf 48#include <ldap.h>
cd9e6b16 49#ifdef _WIN32
f78c7eaf 50#include <wshelper.h>
cd9e6b16 51#include "k5-int.h"
52#include "adm_err.h"
53#include "krb5_err.h"
f78c7eaf 54#else
cd9e6b16 55#include <sys/socket.h>
56#include <netdb.h>
57#include <sys/select.h>
58#endif
f78c7eaf 59#include <auth_con.h>
cd9e6b16 60#include <stdio.h>
61#include <stdlib.h>
62#include <time.h>
63#include <sys/timeb.h>
64#include <errno.h>
f78c7eaf 65#include "kpasswd.h"
66#include "gsssasl.h"
67#include "gssldap.h"
cd9e6b16 68
/* Number of letters generate_password() writes; set_password() sizes its
 * local buffer as PW_LENGTH + 1 to leave room for the terminating NUL. */
#define PW_LENGTH 25
/* Port that ad_kdc_connect() connects the password-service socket to. */
#define KDC_PORT 464
#define ULONG unsigned long

#ifndef krb5_is_krb_error
/* True when a non-empty krb5_data starts with byte 0x7e or 0x5e;
 * get_setpw_rep() uses it to recognise a bare KRB-ERROR reply. */
#define krb5_is_krb_error(dat)\
  ((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
                              (dat)->data[0] == 0x5e))
#endif

#ifdef _WIN32
/* NOTE(review): Seconds is not parenthesised in the expansion, so callers
 * should pass a simple expression (the file only ever passes 1). */
#define sleep(Seconds) Sleep(Seconds * 1000)
#define gethostbyname(Server) rgethostbyname(Server)
#endif

/* Win32 defines. */
#if defined(_WIN32) && !defined(__CYGWIN32__)
#ifndef ECONNABORTED
#define ECONNABORTED WSAECONNABORTED
#endif
#ifndef ECONNREFUSED
#define ECONNREFUSED WSAECONNREFUSED
#endif
#ifndef EHOSTUNREACH
#define EHOSTUNREACH WSAEHOSTUNREACH
#endif
#endif /* _WIN32 && !__CYGWIN32__ */

static const char rcsid[] = "$Id$";
98
/*
 * Letter-pair weights used by generate_password(): frequency[i][j] is the
 * weight of letter ('a' + j) following letter ('a' + i).  A row whose
 * entries do not add up to the matching row_sums[] value would let the
 * scan in generate_password() run past the end of the row, so any edit
 * here must be mirrored in row_sums[].
 */
static int frequency[26][26] =
{ {4, 20, 28, 52, 2, 11, 28, 4, 32, 4, 6, 62, 23, 167, 2, 14, 0, 83, 76,
   127, 7, 25, 8, 1, 9, 1}, /* aa - az */
  {13, 0, 0, 0, 55, 0, 0, 0, 8, 2, 0, 22, 0, 0, 11, 0, 0, 15, 4, 2, 13, 0,
   0, 0, 15, 0}, /* ba - bz */
  {32, 0, 7, 1, 69, 0, 0, 33, 17, 0, 10, 9, 1, 0, 50, 3, 0, 10, 0, 28, 11,
   0, 0, 0, 3, 0}, /* ca - cz */
  {40, 16, 9, 5, 65, 18, 3, 9, 56, 0, 1, 4, 15, 6, 16, 4, 0, 21, 18, 53,
   19, 5, 15, 0, 3, 0}, /* da - dz */
  {84, 20, 55, 125, 51, 40, 19, 16, 50, 1, 4, 55, 54, 146, 35, 37, 6, 191,
   149, 65, 9, 26, 21, 12, 5, 0}, /* ea - ez */
  {19, 3, 5, 1, 19, 21, 1, 3, 30, 2, 0, 11, 1, 0, 51, 0, 0, 26, 8, 47, 6,
   3, 3, 0, 2, 0}, /* fa - fz */
  {20, 4, 3, 2, 35, 1, 3, 15, 18, 0, 0, 5, 1, 4, 21, 1, 1, 20, 9, 21, 9,
   0, 5, 0, 1, 0}, /* ga - gz */
  {101, 1, 3, 0, 270, 5, 1, 6, 57, 0, 0, 0, 3, 2, 44, 1, 0, 3, 10, 18, 6,
   0, 5, 0, 3, 0}, /* ha - hz */
  {40, 7, 51, 23, 25, 9, 11, 3, 0, 0, 2, 38, 25, 202, 56, 12, 1, 46, 79,
   117, 1, 22, 0, 4, 0, 3}, /* ia - iz */
  {3, 0, 0, 0, 5, 0, 0, 0, 1, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 3, 0, 0, 0,
   0, 0}, /* ja - jz */
  {1, 0, 0, 0, 11, 0, 0, 0, 13, 0, 0, 0, 0, 2, 0, 0, 0, 0, 6, 2, 1, 0, 2,
   0, 1, 0}, /* ka - kz */
  {44, 2, 5, 12, 62, 7, 5, 2, 42, 1, 1, 53, 2, 2, 25, 1, 1, 2, 16, 23, 9,
   0, 1, 0, 33, 0}, /* la - lz */
  {52, 14, 1, 0, 64, 0, 0, 3, 37, 0, 0, 0, 7, 1, 17, 18, 1, 2, 12, 3, 8,
   0, 1, 0, 2, 0}, /* ma - mz */
  {42, 10, 47, 122, 63, 19, 106, 12, 30, 1, 6, 6, 9, 7, 54, 7, 1, 7, 44,
   124, 6, 1, 15, 0, 12, 0}, /* na - nz */
  {7, 12, 14, 17, 5, 95, 3, 5, 14, 0, 0, 19, 41, 134, 13, 23, 0, 91, 23,
   42, 55, 16, 28, 0, 4, 1}, /* oa - oz */
  {19, 1, 0, 0, 37, 0, 0, 4, 8, 0, 0, 15, 1, 0, 27, 9, 0, 33, 14, 7, 6, 0,
   0, 0, 0, 0}, /* pa - pz */
  {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0,
   0, 0, 0}, /* qa - qz */
  {83, 8, 16, 23, 169, 4, 8, 8, 77, 1, 10, 5, 26, 16, 60, 4, 0, 24, 37,
   55, 6, 11, 4, 0, 28, 0}, /* ra - rz */
  {65, 9, 17, 9, 73, 13, 1, 47, 75, 3, 0, 7, 11, 12, 56, 17, 6, 9, 48,
   116, 35, 1, 28, 0, 4, 0}, /* sa - sz */
  {57, 22, 3, 1, 76, 5, 2, 330, 126, 1, 0, 14, 10, 6, 79, 7, 0, 49, 50,
   56, 21, 2, 27, 0, 24, 0}, /* ta - tz */
  {11, 5, 9, 6, 9, 1, 6, 0, 9, 0, 1, 19, 5, 31, 1, 15, 0, 47, 39, 31, 0,
   3, 0, 0, 0, 0}, /* ua - uz */
  {7, 0, 0, 0, 72, 0, 0, 0, 28, 0, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0,
   0, 3, 0}, /* va - vz */
  {36, 1, 1, 0, 38, 0, 0, 33, 36, 0, 0, 4, 1, 8, 15, 0, 0, 0, 4, 2, 0, 0,
   1, 0, 0, 0}, /* wa - wz */
  {1, 0, 2, 0, 0, 1, 0, 0, 3, 0, 0, 0, 0, 0, 1, 5, 0, 0, 0, 3, 0, 0, 1, 0,
   0, 0}, /* xa - xz */
  {14, 5, 4, 2, 7, 12, 12, 6, 10, 0, 0, 3, 7, 5, 17, 3, 0, 4, 16, 30, 0,
   0, 5, 0, 0, 0}, /* ya - yz */
  {1, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
   0, 0}}; /* za - zz */
152
/*
 * row_sums[i] MUST be equal to the sum of row i of frequency[][] above.
 * generate_password() reduces a random number modulo row_sums[i] and then
 * walks frequency[i][] until the running total passes it; a value here
 * that is larger than the real row total sends that walk out of bounds,
 * and a zero would be a division by zero.
 */

static int row_sums[26] =
{796,160,284,401,1276,262,199,539,777,
 16,39,351,243,751,662,181,17,683,
 662,968,248,115,180,17,162,5};

/*
 * Frequencies of starting characters: start_freq[j] is the weight of
 * ('a' + j) as the first letter of a generated password.
 */

static int start_freq [26] =
{1299,425,725,271,375,470,93,223,1009,
 24,20,355,379,319,823,618,21,317,
 962,1991,271,104,516,6,16,14};
cd9e6b16 170
/*
 * total_sum (defined after the globals below) MUST be equal to the sum of
 * all elements of start_freq[] above.
 */

/* Address filled in and connected to by ad_kdc_connect(). */
struct sockaddr_in kdc_server;
/* Datagram socket opened by ad_kdc_connect(), closed by ad_kdc_disconnect(). */
SOCKET kdc_socket;
/* Kerberos context and credential cache set up by ad_server_connect(). */
krb5_context context;
krb5_ccache ccache;
/* Request state built by the first kdc_set_password() call (while credsp is
 * NULL) and released by ad_kdc_disconnect(). */
krb5_auth_context auth_context = NULL;
krb5_data ap_req;
krb5_creds *credsp = NULL;
krb5_creds creds;
/* Name of the server ad_connect() ended up bound to; note it is only 128
 * bytes while ad_connect() works with 256-byte server names. */
char connected_server[128];

/* Sum of start_freq[]; generate_password() reduces its first random number
 * modulo this value. */
static int total_sum = 11646;
186
/* Formats a message for rc into out; out's size is not passed, so the
 * caller must supply a buffer large enough for the text. */
int get_krb5_error(krb5_error_code rc, char *in, char *out);
/* Binds to an LDAP server for ldap_domain; returns 0 on success, 1-3 on failure. */
int ad_connect(LDAP **ldap_handle, char *ldap_domain, char *dn_path,
               char *Win2kPassword, char *Win2kUser, char *default_server,
               int connect_to_kdc);
/* Both connect helpers return 1 on success and 0 on failure. */
int ad_kdc_connect(char *connectedServer);
int ad_server_connect(char *connectedServer, char *domain);
void ad_kdc_disconnect();
/* qsort() comparator giving descending strcmp() order. */
int compare_elements(const void *arg1, const void *arg2);
/* Writes "dc=a,dc=b,..." for domain "a.b..." into dnp. */
int convert_domain_to_dn(char *domain, char *dnp);
/* Sets user's password; an empty password string requests a generated one. */
int set_password(char *user, char *password, char *domain);

/* Defined outside this file. */
int locate_ldap_server(char *domain, char **server_name);

long myrandom();
/* password must have room for PW_LENGTH + 1 bytes. */
void generate_password(char *password);
krb5_error_code encode_krb5_setpw
        PROTOTYPE((const krb5_setpw *rep, krb5_data ** code));
cd9e6b16 204
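/*
 * Build a set-password request packet.
 *
 * The packet is: 16-bit total length, the two version bytes 0xff 0x80,
 * 16-bit AP-REQ length, the AP-REQ itself, then a KRB-PRIV message that
 * carries the encoded (target principal, new password) pair.
 *
 * context, auth_context - Kerberos state; sequence numbers are switched on.
 * ap_req                - already built AP-REQ to embed.
 * targprinc             - principal whose password is being set.
 * passwd                - new password, NUL terminated (not modified).
 * packet                - receives a malloc()ed buffer the caller must free().
 *
 * Returns 0 on success, ENOMEM if the packet cannot be allocated, or the
 * error code of the failing krb5 call.  On failure packet->data is either
 * untouched or NULL, so there is nothing for the caller to free.
 *
 * NOTE(review): both length fields are 16 bits wide; a total above 65535
 * bytes is written truncated and is not rejected here.
 */
krb5_error_code make_setpw_req(krb5_context context, krb5_auth_context auth_context,
                               krb5_data *ap_req, krb5_principal targprinc,
                               char *passwd, krb5_data *packet)
{
  krb5_error_code ret;
  krb5_setpw setpw;
  krb5_data cipherpw;
  krb5_data *encoded_setpw;
  krb5_replay_data replay;
  char *ptr;

  memset(&setpw, 0, sizeof(krb5_setpw));
  memset(&cipherpw, 0, sizeof(cipherpw));
  encoded_setpw = NULL;

  if ((ret = krb5_auth_con_setflags(context, auth_context,
                                    KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
    return(ret);
  setpw.targprinc = targprinc;
  setpw.newpasswd.length = strlen(passwd);
  setpw.newpasswd.data = passwd;
  if ((ret = encode_krb5_setpw(&setpw, &encoded_setpw)))
    return(ret);
  /* From here on encoded_setpw is owned by this function, so every exit
     goes through cleanup instead of returning directly. */
  if ((ret = krb5_mk_priv(context, auth_context,
                          encoded_setpw, &cipherpw, &replay)))
    goto cleanup;

  packet->length = 6 + ap_req->length + cipherpw.length;
  packet->data = (char *) malloc(packet->length);
  if (packet->data == NULL)
    {
      packet->length = 0;
      ret = ENOMEM;
      goto cleanup;
    }
  ptr = packet->data;
  /* Length */
  *ptr++ = (packet->length>>8) & 0xff;
  *ptr++ = packet->length & 0xff;
  /* version */
  *ptr++ = (char)0xff;
  *ptr++ = (char)0x80;
  /* ap_req length, big-endian */
  *ptr++ = (ap_req->length>>8) & 0xff;
  *ptr++ = ap_req->length & 0xff;
  /* ap-req data */
  memcpy(ptr, ap_req->data, ap_req->length);
  ptr += ap_req->length;
  /* krb-priv of password */
  memcpy(ptr, cipherpw.data, cipherpw.length);
  ret = 0;

cleanup:
  /* cipherpw was zeroed above, so this is free(NULL) when krb5_mk_priv
     did not produce anything. */
  free(cipherpw.data);
  if (encoded_setpw != NULL)
    {
      /* The encoding contains the new password in the clear; blank it
         before the buffer goes back to the allocator. */
      if (encoded_setpw->data != NULL)
        memset(encoded_setpw->data, 0, encoded_setpw->length);
      krb5_free_data(context, encoded_setpw);
    }
  return(ret);
}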
251
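/*
 * Parse and authenticate the reply to a set-password request.
 *
 * packet      - raw datagram received from the server.
 * result_code - receives the 16-bit result code carried in the reply.
 * result_data - receives a malloc()ed copy of any bytes that follow the
 *               result code (data is NULL when there are none); the
 *               caller frees it.
 *
 * Returns 0 when a well-formed reply was decoded, KRB5KRB_AP_ERR_MODIFIED
 * for a reply that is malformed or whose "success" was not authenticated,
 * KRB5KDC_ERR_BAD_PVNO for an unknown version, ENOMEM if the result copy
 * cannot be allocated, or the error from the failing krb5 call.
 *
 * Every length taken from the packet is checked against the number of
 * bytes actually received before it is used: the packet content is
 * whatever arrived on the socket and is not trusted until krb5_rd_rep /
 * krb5_rd_priv have accepted it.
 */
krb5_error_code get_setpw_rep(krb5_context context, krb5_auth_context auth_context,
                              krb5_data *packet, int *result_code,
                              krb5_data *result_data)
{
  char *ptr;
  int plen;
  int vno;
  krb5_data ap_rep;
  krb5_error_code ret;
  krb5_data cipherresult;
  krb5_data clearresult;
  krb5_error *krberror;
  krb5_replay_data replay;
  krb5_keyblock *tmp;
  krb5_ap_rep_enc_part *ap_rep_enc;

  if (packet->length < 4)
    return(KRB5KRB_AP_ERR_MODIFIED);
  ptr = packet->data;
  if (krb5_is_krb_error(packet))
    {
      ret = decode_krb5_error(packet, &krberror);
      if (ret)
        return(ret);
      ret = krberror->error;
      krb5_free_error(context, krberror);
      return(ret);
    }
  /* The fixed header is three 16-bit fields (length, version, AP-REP
     length).  Without this check a 4 or 5 byte datagram would have its
     AP-REP length read from bytes that were never received. */
  if (packet->length < 6)
    return(KRB5KRB_AP_ERR_MODIFIED);
  /* verify length */
  plen = (*ptr++ & 0xff);
  plen = (plen<<8) | (*ptr++ & 0xff);
  if (plen != packet->length)
    return(KRB5KRB_AP_ERR_MODIFIED);
  vno = (*ptr++ & 0xff);
  vno = (vno<<8) | (*ptr++ & 0xff);
  if (vno != KRB5_KPASSWD_VERS_SETPW && vno != KRB5_KPASSWD_VERS_CHANGEPW)
    return(KRB5KDC_ERR_BAD_PVNO);
  /* read, check ap-rep length */
  ap_rep.length = (*ptr++ & 0xff);
  ap_rep.length = (ap_rep.length<<8) | (*ptr++ & 0xff);
  /* Same test as "ptr + ap_rep.length >= end of packet", written on the
     lengths so that no out-of-range pointer is ever formed. */
  if (ap_rep.length >= packet->length - 6)
    return(KRB5KRB_AP_ERR_MODIFIED);
  if (ap_rep.length)
    {
      /* verify ap_rep */
      ap_rep.data = ptr;
      ptr += ap_rep.length;
      if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc)))
        return(ret);
      krb5_free_ap_rep_enc_part(context, ap_rep_enc);
      /* extract and decrypt the result */
      cipherresult.data = ptr;
      cipherresult.length = (packet->data + packet->length) - ptr;
      /* XXX there's no api to do this right. The problem is that
         if there's a remote subkey, it will be used. This is
         not what the spec requires */
      tmp = auth_context->remote_subkey;
      auth_context->remote_subkey = NULL;
      ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
                         &replay);
      auth_context->remote_subkey = tmp;
      if (ret)
        return(ret);
    }
  else
    {
      /* No AP-REP: the remainder is expected to be a KRB-ERROR whose
         e_data carries the result.  Nothing in this branch is
         authenticated, which is why a "success" is refused below. */
      cipherresult.data = ptr;
      cipherresult.length = (packet->data + packet->length) - ptr;

      if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
        return(ret);

      clearresult = krberror->e_data;
    }
  if (clearresult.length < 2)
    {
      ret = KRB5KRB_AP_ERR_MODIFIED;
      goto cleanup;
    }
  ptr = clearresult.data;
  *result_code = (*ptr++ & 0xff);
  *result_code = (*result_code<<8) | (*ptr++ & 0xff);
  if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
      (*result_code > KRB5_KPASSWD_ACCESSDENIED))
    {
      ret = KRB5KRB_AP_ERR_MODIFIED;
      goto cleanup;
    }
  /* all success replies should be authenticated/encrypted */
  if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS))
    {
      ret = KRB5KRB_AP_ERR_MODIFIED;
      goto cleanup;
    }
  result_data->length = (clearresult.data + clearresult.length) - ptr;
  if (result_data->length)
    {
      result_data->data = (char *) malloc(result_data->length);
      if (result_data->data == NULL)
        {
          /* Do not hand back a length without a buffer behind it. */
          result_data->length = 0;
          ret = ENOMEM;
          goto cleanup;
        }
      memcpy(result_data->data, ptr, result_data->length);
    }
  else
    result_data->data = NULL;
  ret = 0;
cleanup:
  /* clearresult is either our own buffer from krb5_rd_priv or a view
     into krberror, depending on which branch produced it. */
  if (ap_rep.length)
    free(clearresult.data);
  else
    krb5_free_error(context, krberror);
  return(ret);
}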
362
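/*
 * Send a set-password request for user@DOMAIN over the already connected
 * kdc_socket and wait for the reply, retrying up to three times.
 *
 * context, ccache - Kerberos context and credential cache to use.
 * newpw           - new password (read only).
 * user, domain    - account name and its domain; the domain is upper-cased
 *                   to form the realm.
 * result_code     - receives the protocol result code when the reply
 *                   carried a non-zero one.
 *
 * Returns 0 on success, otherwise a krb5 error code, one of the KDC_*
 * codes used below, KRB5_PARSE_MALFORMED when user/domain do not fit the
 * local name buffers, or ENOMEM.
 *
 * The file-scope auth_context, ap_req, creds and credsp are created on
 * the first call (while credsp is NULL) and reused afterwards;
 * ad_kdc_disconnect() releases them.
 */
krb5_error_code kdc_set_password(krb5_context context, krb5_ccache ccache,
                                 char *newpw, char *user, char *domain,
                                 int *result_code)
{
  krb5_data chpw_snd;
  krb5_data chpw_rcv;
  krb5_data result_string;
  krb5_address local_kaddr;
  krb5_address remote_kaddr;
  krb5_address **addrs;
  char userrealm[256];
  char temp[256];
  krb5_error_code code;
  struct sockaddr local_addr;
  struct sockaddr remote_addr;
  size_t domain_len;
  size_t longest_name;
  unsigned int rcv_capacity;
  int i;
  int addrlen;
  int cc;
  int local_result_code;
  int local_kaddr_allocated;
  int nfds;
  krb5_principal targprinc;
  struct timeval TimeVal;
  fd_set readfds;

  memset(&local_addr, 0, sizeof(local_addr));
  memset(&local_kaddr, 0, sizeof(local_kaddr));
  memset(&result_string, 0, sizeof(result_string));
  memset(&remote_kaddr, 0, sizeof(remote_kaddr));
  memset(&chpw_snd, 0, sizeof(krb5_data));
  memset(&chpw_rcv, 0, sizeof(krb5_data));
  memset(userrealm, '\0', sizeof(userrealm));
  targprinc = NULL;
  addrs = NULL;
  local_kaddr_allocated = 0;
  rcv_capacity = 1500;

  /* userrealm and temp are fixed 256-byte stack buffers filled from the
     caller's strings; refuse names that would not fit rather than write
     past them. */
  domain_len = strlen(domain);
  longest_name = strlen(user);
  if (longest_name < strlen("kadmin/changepw"))
    longest_name = strlen("kadmin/changepw");
  if ((domain_len >= sizeof(userrealm)) ||
      (longest_name + 1 + domain_len >= sizeof(temp)))
    {
      code = KRB5_PARSE_MALFORMED;
      goto cleanup;
    }

  chpw_rcv.data = (char *) calloc(1, rcv_capacity);
  if (chpw_rcv.data == NULL)
    {
      code = ENOMEM;
      goto cleanup;
    }
  chpw_rcv.length = rcv_capacity;

  for (i = 0; i < (int)domain_len; i++)
    userrealm[i] = toupper((unsigned char)domain[i]);

  sprintf(temp, "%s@%s", user, userrealm);
  if ((code = krb5_parse_name(context, temp, &targprinc)))
    goto cleanup;

  if (credsp == NULL)
    {
      memset(&creds, 0, sizeof(creds));
      memset(&ap_req, 0, sizeof(krb5_data));
      sprintf(temp, "%s@%s", "kadmin/changepw", userrealm);
      if ((code = krb5_parse_name(context, temp, &creds.server)))
        goto cleanup;
      if ((code = krb5_cc_get_principal(context, ccache, &creds.client)))
        goto cleanup;
      if ((code = krb5_get_credentials(context, 0, ccache, &creds, &credsp)))
        goto cleanup;
      if ((code = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
                                       NULL, credsp, &ap_req)))
        goto cleanup;
    }

  addrlen = sizeof(local_addr);
  if (getsockname(kdc_socket, &local_addr, &addrlen) < 0)
    {
      code = KDC_GETSOCKNAME_ERROR;
      goto cleanup;
    }
  if (((struct sockaddr_in *)&local_addr)->sin_addr.s_addr != 0)
    {
      local_kaddr.addrtype = ADDRTYPE_INET;
      local_kaddr.length =
        sizeof(((struct sockaddr_in *) &local_addr)->sin_addr);
      local_kaddr.contents =
        (char *) &(((struct sockaddr_in *) &local_addr)->sin_addr);
    }
  else
    {
      /* The socket reports the wildcard address, so take the first
         address the library knows for this host instead. */
      if ((code = krb5_os_localaddr(context, &addrs)))
        goto cleanup;
      if ((addrs == NULL) || (addrs[0] == NULL))
        {
          code = KDC_GETSOCKNAME_ERROR;
          goto cleanup;
        }
      local_kaddr.magic = addrs[0]->magic;
      local_kaddr.addrtype = addrs[0]->addrtype;
      local_kaddr.length = addrs[0]->length;
      local_kaddr.contents = calloc(1, addrs[0]->length);
      if (local_kaddr.contents == NULL)
        {
          code = ENOMEM;
          goto cleanup;
        }
      local_kaddr_allocated = 1;
      memcpy(local_kaddr.contents, addrs[0]->contents, addrs[0]->length);
    }

  addrlen = sizeof(remote_addr);
  if (getpeername(kdc_socket, &remote_addr, &addrlen) < 0)
    {
      code = KDC_GETPEERNAME_ERROR;
      goto cleanup;
    }
  remote_kaddr.addrtype = ADDRTYPE_INET;
  remote_kaddr.length = sizeof(((struct sockaddr_in *) &remote_addr)->sin_addr);
  remote_kaddr.contents = (char *) &(((struct sockaddr_in *) &remote_addr)->sin_addr);

  if ((code = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL)))
    goto cleanup;
  if ((code = make_setpw_req(context, auth_context, &ap_req,
                             targprinc, newpw, &chpw_snd)))
    goto cleanup;

  for (i = 0; i < 3; i++)
    {
      if ((cc = sendto(kdc_socket, chpw_snd.data, chpw_snd.length, 0,
                       NULL,
                       0)) != chpw_snd.length)
        {
          code = KDC_SEND_ERROR;
          sleep(1);
          continue;
        }

      TimeVal.tv_sec = 3;
      TimeVal.tv_usec = 0;
      FD_ZERO(&readfds);
      FD_SET(kdc_socket, &readfds);
      nfds = kdc_socket + 1;
      code = select(nfds, &readfds, NULL, NULL, &TimeVal);
      if ((code == 0) || (code == SOCKET_ERROR))
        {
          code = KDC_RECEIVE_TIMEOUT;
          sleep(1);
          continue;
        }

      /* chpw_rcv.length is overwritten with the size of each reply, so
         put the real buffer size back before every receive; otherwise a
         short reply would shrink the space offered to the next attempt. */
      chpw_rcv.length = rcv_capacity;
      if ((cc = recvfrom(kdc_socket, chpw_rcv.data, chpw_rcv.length, 0,
                         NULL, NULL)) < 0)
        {
          code = KDC_RECEIVE_TIMEOUT;
          sleep(1);
          continue;
        }
      chpw_rcv.length = cc;
      if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, &remote_kaddr)))
        {
          sleep(1);
          continue;
        }
      /* Drop the result text of an earlier attempt before asking for a
         new one; it is not used, only owned. */
      free(result_string.data);
      memset(&result_string, 0, sizeof(result_string));
      local_result_code = 0;
      code = get_setpw_rep(context, auth_context, &chpw_rcv,
                           &local_result_code, &result_string);

      if (local_result_code)
        {
          /* NOTE(review): a KRB5_KPASSWD_SOFTERROR reply is reported to
             the caller as success.  Confirm that this is intended; the
             server did not report success for that request. */
          if (local_result_code == KRB5_KPASSWD_SOFTERROR)
            local_result_code = KRB5_KPASSWD_SUCCESS;
          *result_code = local_result_code;
        }
      if ((code == 0) && (local_result_code == 0))
        break;
      sleep(1);
    }

cleanup:
  if (chpw_snd.data != NULL)
    free(chpw_snd.data);
  if (chpw_rcv.data != NULL)
    free(chpw_rcv.data);
  free(result_string.data);
  if (local_kaddr_allocated)
    free(local_kaddr.contents);
  if (addrs != NULL)
    krb5_free_addresses(context, addrs);
  if (targprinc != NULL)
    krb5_free_principal(context, targprinc);
  return(code);
}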
523
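/*
 * Set user's password in domain.
 *
 * password - the new password; an empty string means "generate one".
 *            A generated password is never returned to the caller.
 *
 * Returns the protocol result code when the reply carried a non-zero
 * one, otherwise whatever kdc_set_password() returned (0 on success).
 */
int set_password(char *user, char *password, char *domain)
{
  int res_code;
  krb5_error_code retval;
  char pw[PW_LENGTH+1];
  char *newpw;
  volatile char *wipe;
  size_t n;

  memset(pw, '\0', sizeof(pw));
  if (strlen(password) != 0)
    /* Use the caller's string directly.  Copying it into pw[] overflowed
       the stack buffer for any password longer than PW_LENGTH, and the
       callee only reads it. */
    newpw = password;
  else
    {
      generate_password(pw);
      newpw = pw;
    }
  res_code = 0;
  retval = kdc_set_password(context, ccache, newpw, user, domain, &res_code);

  /* Clear the generated password from the stack; the volatile pointer
     keeps the stores from being dropped as dead writes. */
  wipe = pw;
  for (n = 0; n < sizeof(pw); n++)
    wipe[n] = '\0';

  if (res_code)
    return(res_code);
  return(retval);
}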
542
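/*
 * Fill password with PW_LENGTH lowercase letters followed by a NUL
 * (PW_LENGTH + 1 bytes in total, which the caller must provide).
 *
 * The first letter is drawn with the weights in start_freq[]; each later
 * letter is drawn with the weights in the frequency[] row of the letter
 * before it.  The letters are therefore not uniformly distributed, and
 * the result is only as unpredictable as myrandom() is.
 *
 * The letter arithmetic assumes 'a'..'z' are contiguous in the execution
 * character set, and myrandom() is assumed to return a non-negative
 * value.
 */
void generate_password(char *password)
{
  int i;
  int j;
  int row_position;
  int nchars;
  int position;
  char *pwp;

  /* Walk the cumulative weights until they pass the drawn position.  The
     j < 26 bound keeps the walk inside the table even if total_sum or a
     row_sums[] entry were ever larger than the weights it describes. */
  position = myrandom()%total_sum;
  for (row_position = 0, j = 0; j < 26 && position >= row_position;
       row_position += start_freq[j], j++)
    continue;
  *(pwp = password) = j + 'a' - 1;
  for (nchars = PW_LENGTH-1; nchars; --nchars)
    {
      i = *pwp - 'a';
      pwp++;
      position = myrandom()%row_sums[i];
      for (row_position = 0, j = 0; j < 26 && position >= row_position;
           row_position += frequency[i][j], j++)
        continue;
      *pwp = j + 'a' - 1;
    }
  *(++pwp)='\0';
}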
577
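/*
 * Return a non-negative random number for generate_password().
 *
 * Outside Windows the value is read from /dev/urandom.  If that cannot
 * be opened or read, and always on Windows, the function falls back to
 * rand(), seeded once from the clock and the process id.
 *
 * The fallback seeds with srand() so that the generator being seeded is
 * the one being read; seeding with srandom() and then calling rand()
 * leaves rand() unseeded wherever the two are separate generators.
 *
 * NOTE(review): the rand() fallback is predictable to anyone who can
 * estimate the start time and pid, so passwords produced through it
 * should not be treated as secret.  The Windows branch needs an
 * OS-provided random source; that requires a header this file does not
 * include, so it is left as it was.
 */
long myrandom()
{
  static int init = 0;
  int pid;
#ifdef _WIN32
  struct _timeb timebuffer;
#else
  struct timeval tv;
  FILE *urandom;
  unsigned long sample;
  size_t got;
#endif

#ifndef _WIN32
  urandom = fopen("/dev/urandom", "rb");
  if (urandom != NULL)
    {
      got = fread(&sample, sizeof(sample), 1, urandom);
      fclose(urandom);
      if (got == 1)
        /* Callers reduce the value with %, so keep it non-negative. */
        return((long)(sample & 0x7fffffffUL));
    }
#endif

  if (!init)
    {
      init = 1;
      pid = getpid();
#ifdef _WIN32
      _ftime(&timebuffer);
      srand(timebuffer.time ^ timebuffer.millitm ^ pid);
#else
      gettimeofday(&tv, (struct timezone *) NULL);
      srand((unsigned int)(tv.tv_sec ^ tv.tv_usec ^ pid));
#endif
    }
  return (rand());
}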
f78c7eaf 602
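/*
 * Format a one-line description of rc into out as "<in>: <text>(<n>)".
 *
 * rc  - a krb5 error code (negative values are looked up with
 *       error_message()), a KDC_* transport code or a KRB5_KPASSWD_*
 *       result code.
 * in  - prefix for the message.
 * out - destination buffer.  Its size is not known here and the write is
 *       unbounded, so the caller must make it large enough for the
 *       prefix plus the message text.
 *
 * Returns 0 for receive timeout/error, send error, the two socket
 * errors, authentication error and soft error; 1 for everything else
 * (presumably 0 marks failures worth retrying - confirm with callers).
 */
int get_krb5_error(krb5_error_code rc, char *in, char *out)
{
  const char *text;
  int retval;

  retval = 1;

  if (rc < 0)
    {
      /* The low byte is an int; printing it with %ld was a mismatched
         conversion. */
      sprintf(out, "%s: %s(%d)", in, error_message(rc), (int)(rc & 255));
      return(retval);
    }

  switch (rc)
    {
    case KDC_RECEIVE_TIMEOUT:
      retval = 0;
      text = "Receive timeout";
      break;
    case KDC_RECEIVE_ERROR:
      retval = 0;
      text = "Receive error";
      break;
    case KRB5_KPASSWD_MALFORMED:
      text = "malformed password";
      break;
    case KRB5_KPASSWD_HARDERROR:
      text = "hard error";
      break;
    case KRB5_KPASSWD_AUTHERROR:
      retval = 0;
      text = "authentication error";
      break;
    case KRB5_KPASSWD_SOFTERROR:
      retval = 0;
      text = "soft error";
      break;
    case KRB5_KPASSWD_ACCESSDENIED:
      text = "Access denied";
      break;
    case KDC_SEND_ERROR:
      retval = 0;
      text = "Send error";
      break;
    case KDC_GETSOCKNAME_ERROR:
      retval = 0;
      text = "Socket error - getsockname";
      break;
    case KDC_GETPEERNAME_ERROR:
      retval = 0;
      text = "Socket error - getpeername";
      break;
    default:
      text = "unknown error";
      break;
    }
  sprintf(out, "%s: %s(%d)", in, text, (int)rc);
  return(retval);
}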
685
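/*
 * Open an LDAP connection to a server for ldap_domain and bind to it
 * with GSSAPI, asking for privacy protection.
 *
 * ldap_handle    - receives the bound handle; NULL after a failed attempt.
 * ldap_domain    - DNS domain; NULL selects "win.mit.edu".
 * dn_path        - receives the domain as a DN (see convert_domain_to_dn).
 * Win2kPassword,
 * Win2kUser      - not used by this function.
 * default_server - server to use; when empty, servers are looked up with
 *                  locate_ldap_server() and the one that worked is copied
 *                  back, so the buffer must hold at least
 *                  sizeof(connected_server) bytes.
 * connect_to_kdc - non-zero to also require ad_server_connect() to
 *                  succeed for the chosen server.
 *
 * Returns 0 on success, 1 if the domain could not be turned into a DN,
 * 2 if no server was found, 3 if no server could be connected.
 *
 * Server names are only accepted if they fit connected_server[], which
 * is smaller than the local 256-byte slots.
 */
int ad_connect(LDAP **ldap_handle, char *ldap_domain, char *dn_path,
               char *Win2kPassword, char *Win2kUser, char *default_server,
               int connect_to_kdc)
{
  int i;
  int j;
  char *server_name[MAX_SERVER_NAMES];
  char server_array[MAX_SERVER_NAMES][256];
  ULONG version = LDAP_VERSION3;
  ULONG rc;
  int Max_wait_time = 500;
  int Max_size_limit = LDAP_NO_LIMIT;

  if (ldap_domain == NULL)
    ldap_domain = "win.mit.edu";
  convert_domain_to_dn(ldap_domain, dn_path);
  if (strlen(dn_path) == 0)
    return(1);

  memset(server_name, 0, sizeof(server_name));
  memset(server_array, 0, sizeof(server_array));
  if (strlen(default_server) == 0)
    {
      if (locate_ldap_server(ldap_domain, server_name) == -1)
        return(2);
      /* Pack the usable names into the first j slots: qsort() below
         sorts exactly j entries, so a gap in server_name[] must not
         leave a gap here.  Names come from the lookup and are length
         checked before being copied. */
      j = 0;
      for (i = 0; i < MAX_SERVER_NAMES; i++)
        {
          if (server_name[i] == NULL)
            continue;
          if (strlen(server_name[i]) < sizeof(connected_server))
            strcpy(server_array[j++], server_name[i]);
          free(server_name[i]);
        }
      if (j == 0)
        return(2);
      qsort((void *)server_array, (size_t)j, sizeof(server_array[0]), compare_elements);
    }
  else
    {
      if (strlen(default_server) >= sizeof(connected_server))
        return(3);
      strcpy(server_array[0], default_server);
    }

  for (i = 0; i < MAX_SERVER_NAMES; i++)
    {
      if (strlen(server_array[i]) == 0)
        continue;
      if (((*ldap_handle) = ldap_open(server_array[i], LDAP_PORT)) == NULL)
        continue;
      /* Option failures are not checked, as before; the bind result
         decides whether the server is used. */
      (void) ldap_set_option((*ldap_handle), LDAP_OPT_PROTOCOL_VERSION, &version);
      (void) ldap_set_option((*ldap_handle), LDAP_OPT_TIMELIMIT,
                             (void *)&Max_wait_time);
      (void) ldap_set_option((*ldap_handle), LDAP_OPT_SIZELIMIT,
                             (void *)&Max_size_limit);
      (void) ldap_set_option((*ldap_handle), LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
      rc = ldap_adgssapi_bind((*ldap_handle), dn_path, GSSSASL_PRIVACY_PROTECTION);
      if (rc != LDAP_SUCCESS)
        {
          /* Release the handle of a server we could not bind to instead
             of leaking it when the next one is opened. */
          ldap_unbind_s((*ldap_handle));
          *ldap_handle = NULL;
          continue;
        }
      if (connect_to_kdc && !ad_server_connect(server_array[i], ldap_domain))
        {
          ldap_unbind_s((*ldap_handle));
          *ldap_handle = NULL;
          continue;
        }
      if (strlen(default_server) == 0)
        strcpy(default_server, server_array[i]);
      strcpy(connected_server, server_array[i]);
      break;
    }
  if (i >= MAX_SERVER_NAMES)
    return(3);
  return(0);
}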
764
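/*
 * Initialise the file-scope Kerberos context and credential cache, check
 * that credentials for kadmin/changepw@DOMAIN can be obtained, and
 * connect kdc_socket to connectedServer.
 *
 * Returns 1 on success and 0 on failure.  On failure the context and
 * cache are released and reset, so a later ad_kdc_disconnect() does not
 * free them a second time.
 *
 * creds and credsp here are locals that shadow the file-scope variables
 * of the same name; they are always released before returning.
 */
int ad_server_connect(char *connectedServer, char *domain)
{
  krb5_error_code rc;
  krb5_creds creds;
  krb5_creds *credsp;
  char temp[256];
  char userrealm[256];
  size_t domain_len;
  int have_ccache;
  int i;

  context = NULL;
  credsp = NULL;
  have_ccache = 0;
  memset(&ccache, 0, sizeof(ccache));
  memset(&creds, 0, sizeof(creds));
  memset(userrealm, '\0', sizeof(userrealm));

  rc = 0;
  /* userrealm and temp are fixed-size; a domain that does not fit is
     refused before anything is copied. */
  domain_len = strlen(domain);
  if ((domain_len >= sizeof(userrealm)) ||
      (domain_len + sizeof("kadmin/changepw@") > sizeof(temp)))
    goto cleanup;

  if (krb5_init_context(&context))
    {
      context = NULL;
      goto cleanup;
    }
  if (krb5_cc_default(context, &ccache))
    goto cleanup;
  have_ccache = 1;

  for (i = 0; i < (int)domain_len; i++)
    userrealm[i] = toupper((unsigned char)domain[i]);
  sprintf(temp, "%s@%s", "kadmin/changepw", userrealm);
  if (krb5_parse_name(context, temp, &creds.server))
    goto cleanup;
  if (krb5_cc_get_principal(context, ccache, &creds.client))
    goto cleanup;
  if (krb5_get_credentials(context, 0, ccache, &creds, &credsp))
    goto cleanup;

  rc = ad_kdc_connect(connectedServer);

cleanup:
  if (context != NULL)
    {
      /* Release the credentials while the context is still alive; doing
         it after krb5_free_context() handed a freed context to the
         library. */
      krb5_free_cred_contents(context, &creds);
      if (credsp != NULL)
        krb5_free_creds(context, credsp);
      if (!rc)
        {
          if (have_ccache)
            krb5_cc_close(context, ccache);
          memset(&ccache, 0, sizeof(ccache));
          krb5_free_context(context);
          context = NULL;
        }
    }
  return(rc);
}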
811
812
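/*
 * Resolve connectedServer and connect the file-scope datagram socket
 * kdc_socket to it on KDC_PORT.
 *
 * Returns 1 on success, 0 on failure.  After a failed connect() the
 * socket is closed again and kdc_socket is set to INVALID_SOCKET.
 */
int ad_kdc_connect(char *connectedServer)
{
  struct hostent *hp;
  int rc;

  rc = 0;
  hp = gethostbyname(connectedServer);
  if (hp == NULL)
    goto cleanup;
  /* kdc_server is a sockaddr_in: only an IPv4 answer of exactly
     sizeof(sin_addr) bytes may be copied into it.  The length comes from
     the resolver answer and was previously used unchecked. */
  if ((hp->h_addrtype != AF_INET) ||
      (hp->h_length != (int)sizeof(kdc_server.sin_addr)) ||
      (hp->h_addr_list[0] == NULL))
    goto cleanup;
  memset(&kdc_server, 0, sizeof(kdc_server));
  memcpy(&(kdc_server.sin_addr),hp->h_addr_list[0],hp->h_length);
  kdc_server.sin_family = hp->h_addrtype;
  kdc_server.sin_port = htons(KDC_PORT);

  if ((kdc_socket = socket(AF_INET, SOCK_DGRAM, 0)) == INVALID_SOCKET)
    goto cleanup;
  if (connect(kdc_socket, (struct sockaddr*)&kdc_server, sizeof(kdc_server)) == SOCKET_ERROR)
    {
      /* Do not leave an open, unconnected descriptor behind. */
      closesocket(kdc_socket);
      kdc_socket = INVALID_SOCKET;
      goto cleanup;
    }
  rc = 1;

cleanup:
  return(rc);
}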
836
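/*
 * Release the request state built by kdc_set_password(), the Kerberos
 * context and credential cache, and close kdc_socket.
 *
 * Every released global is reset (NULL / INVALID_SOCKET) so that calling
 * this twice, or calling it after a failed ad_server_connect(), does not
 * free or close anything a second time.
 */
void ad_kdc_disconnect()
{

  if (auth_context != NULL)
    {
      krb5_auth_con_free(context, auth_context);
      if (ap_req.data != NULL)
        free(ap_req.data);
      ap_req.data = NULL;
      ap_req.length = 0;
      krb5_free_cred_contents(context, &creds);
      if (credsp != NULL)
        krb5_free_creds(context, credsp);
    }
  credsp = NULL;
  auth_context = NULL;
  if (context != NULL)
    {
      krb5_cc_close(context, ccache);
      memset(&ccache, 0, sizeof(ccache));
      krb5_free_context(context);
      context = NULL;
    }
  closesocket(kdc_socket);
  kdc_socket = INVALID_SOCKET;

}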
859
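/*
 * Turn a DNS domain such as "win.mit.edu" into the DN
 * "dc=win,dc=mit,dc=edu".
 *
 * domain - NUL-terminated domain name.
 * dnp    - receives the DN; the caller must provide room for up to 512
 *          bytes, the size of the local work buffer.
 *
 * Returns 0 on success.  If domain is NULL or the DN would not fit the
 * work buffer, dnp is set to the empty string and 1 is returned
 * (ad_connect() treats an empty DN as failure).
 *
 * NOTE(review): every character other than '.' is copied as is, so
 * characters with a meaning in a DN (',', '=', '+' ...) are not escaped;
 * this assumes domain is a plain DNS name from a trusted source.
 */
int convert_domain_to_dn(char *domain, char *dnp)
{
  char *fp;
  char *dp;
  char *limit;
  char dn[512];

  dnp[0] = '\0';
  if (domain == NULL)
    return 1;

  memset(dn, '\0', sizeof(dn));
  strcpy(dn, "dc=");
  dp = dn+3;
  /* The last byte of dn stays zero as the terminator. */
  limit = dn + sizeof(dn) - 1;
  for (fp = domain; *fp; fp++)
    {
      if (*fp == '.')
        {
          /* Each dot grows to four bytes in the output. */
          if (limit - dp < 4)
            return 1;
          memcpy(dp, ",dc=", 4);
          dp += 4;
        }
      else
        {
          if (limit - dp < 1)
            return 1;
          *dp++ = *fp;
        }
    }

  strcpy(dnp, dn);
  return 0;
}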
883
/*
 * qsort() comparator for arrays of NUL-terminated strings stored inline.
 * The sign of strcmp() is reversed, so the sort order is descending:
 * returns 1 when arg1 sorts before arg2 under strcmp(), -1 when it sorts
 * after, and 0 when the strings are equal.
 */
int compare_elements(const void *arg1, const void *arg2)
{
  int order = strcmp((char*)arg1, (char*)arg2);

  if (order == 0)
    return(0);
  return((order < 0) ? 1 : -1);
}
895