#define KRB5_DEPRECATED and KRB5_PRIVATE, so we can build against more
/*
 * LDAP bind-method constants.  LDAP_AUTH_NEGOTIATE is LDAP_AUTH_OTHERKIND
 * with the 0x0400 bit set.  Neither name is referenced in the rest of this
 * file as shown; they are defined before the #include block below.
 */
#define LDAP_AUTH_OTHERKIND 0x86L
#define LDAP_AUTH_NEGOTIATE (LDAP_AUTH_OTHERKIND | 0x0400)
cd9e6b16 3/*--
4
5THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
6ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
7TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
8PARTICULAR PURPOSE.
9
10Copyright (C) 1999 Microsoft Corporation. All rights reserved.
11
12Module Name:
13
f78c7eaf 14 setpw.c
cd9e6b16 15
16Abstract:
17
18 Set a user's password using the
19 Kerberos Change Password Protocol (I-D) variant for Windows 2000
20
21--*/
22/*
23 * lib/krb5/os/changepw.c
24 *
25 * Copyright 1990 by the Massachusetts Institute of Technology.
26 * All Rights Reserved.
27 *
28 * Export of this software from the United States of America may
29 * require a specific license from the United States Government.
30 * It is the responsibility of any person or organization contemplating
31 * export to obtain such a license before exporting.
32 *
33 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
34 * distribute this software and its documentation for any purpose and
35 * without fee is hereby granted, provided that the above copyright
36 * notice appear in all copies and that both that copyright notice and
37 * this permission notice appear in supporting documentation, and that
38 * the name of M.I.T. not be used in advertising or publicity pertaining
39 * to distribution of the software without specific, written prior
40 * permission. M.I.T. makes no representations about the suitability of
41 * this software for any purpose. It is provided "as is" without express
42 * or implied warranty.
43 *
44 */
45
f78c7eaf 46
cd9e6b16 47#define NEED_SOCKETS
48#include <krb5.h>
49#include <krb.h>
f78c7eaf 50#include <ldap.h>
cd9e6b16 51#ifdef _WIN32
f78c7eaf 52#include <wshelper.h>
cd9e6b16 53#include "k5-int.h"
54#include "adm_err.h"
55#include "krb5_err.h"
f78c7eaf 56#else
cd9e6b16 57#include <sys/socket.h>
58#include <netdb.h>
59#include <sys/select.h>
60#endif
f78c7eaf 61#include <auth_con.h>
cd9e6b16 62#include <stdio.h>
63#include <stdlib.h>
64#include <time.h>
65#include <sys/timeb.h>
66#include <errno.h>
f78c7eaf 67#include "kpasswd.h"
68#include "gsssasl.h"
69#include "gssldap.h"
cd9e6b16 70
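/* Number of characters in a generated password, not counting the NUL. */
#define PW_LENGTH 25
/* UDP port used by ad_kdc_connect() for the password-change service. */
#define KDC_PORT 464
#define ULONG unsigned long

/*
 * True when the first byte of a krb5_data-like object is 0x7e or 0x5e,
 * the two leading tag bytes this file accepts as a KRB-ERROR message.
 * A NULL pointer or a zero length yields false.
 */
#ifndef krb5_is_krb_error
#define krb5_is_krb_error(dat)\
            ((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
                                        (dat)->data[0] == 0x5e))
#endif

#ifdef _WIN32
/*
 * The argument is parenthesized so that an expression such as
 * sleep(a + b) scales the whole value, not just its last operand.
 */
#define sleep(Seconds) Sleep((Seconds) * 1000)
#define gethostbyname(Server) rgethostbyname(Server)
#endif

/* Win32 defines. */
#if defined(_WIN32) && !defined(__CYGWIN32__)
#ifndef ECONNABORTED
#define ECONNABORTED WSAECONNABORTED
#endif
#ifndef ECONNREFUSED
#define ECONNREFUSED WSAECONNREFUSED
#endif
#ifndef EHOSTUNREACH
#define EHOSTUNREACH WSAEHOSTUNREACH
#endif
#endif /* _WIN32 && !__CYGWIN32__ */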
98
static const char rcsid[] = "$Id$";

/*
 * Letter-pair weights used by generate_password().  frequency[x][y] is the
 * weight of letter ('a' + y) following letter ('a' + x); one row per first
 * letter, 26 columns per row.
 */
static int frequency[26][26] =
{
  /* aa - az */
  {4, 20, 28, 52, 2, 11, 28, 4, 32, 4, 6, 62, 23,
   167, 2, 14, 0, 83, 76, 127, 7, 25, 8, 1, 9, 1},
  /* ba - bz */
  {13, 0, 0, 0, 55, 0, 0, 0, 8, 2, 0, 22, 0,
   0, 11, 0, 0, 15, 4, 2, 13, 0, 0, 0, 15, 0},
  /* ca - cz */
  {32, 0, 7, 1, 69, 0, 0, 33, 17, 0, 10, 9, 1,
   0, 50, 3, 0, 10, 0, 28, 11, 0, 0, 0, 3, 0},
  /* da - dz */
  {40, 16, 9, 5, 65, 18, 3, 9, 56, 0, 1, 4, 15,
   6, 16, 4, 0, 21, 18, 53, 19, 5, 15, 0, 3, 0},
  /* ea - ez */
  {84, 20, 55, 125, 51, 40, 19, 16, 50, 1, 4, 55, 54,
   146, 35, 37, 6, 191, 149, 65, 9, 26, 21, 12, 5, 0},
  /* fa - fz */
  {19, 3, 5, 1, 19, 21, 1, 3, 30, 2, 0, 11, 1,
   0, 51, 0, 0, 26, 8, 47, 6, 3, 3, 0, 2, 0},
  /* ga - gz */
  {20, 4, 3, 2, 35, 1, 3, 15, 18, 0, 0, 5, 1,
   4, 21, 1, 1, 20, 9, 21, 9, 0, 5, 0, 1, 0},
  /* ha - hz */
  {101, 1, 3, 0, 270, 5, 1, 6, 57, 0, 0, 0, 3,
   2, 44, 1, 0, 3, 10, 18, 6, 0, 5, 0, 3, 0},
  /* ia - iz */
  {40, 7, 51, 23, 25, 9, 11, 3, 0, 0, 2, 38, 25,
   202, 56, 12, 1, 46, 79, 117, 1, 22, 0, 4, 0, 3},
  /* ja - jz */
  {3, 0, 0, 0, 5, 0, 0, 0, 1, 0, 0, 0, 0,
   0, 4, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0},
  /* ka - kz */
  {1, 0, 0, 0, 11, 0, 0, 0, 13, 0, 0, 0, 0,
   2, 0, 0, 0, 0, 6, 2, 1, 0, 2, 0, 1, 0},
  /* la - lz */
  {44, 2, 5, 12, 62, 7, 5, 2, 42, 1, 1, 53, 2,
   2, 25, 1, 1, 2, 16, 23, 9, 0, 1, 0, 33, 0},
  /* ma - mz */
  {52, 14, 1, 0, 64, 0, 0, 3, 37, 0, 0, 0, 7,
   1, 17, 18, 1, 2, 12, 3, 8, 0, 1, 0, 2, 0},
  /* na - nz */
  {42, 10, 47, 122, 63, 19, 106, 12, 30, 1, 6, 6, 9,
   7, 54, 7, 1, 7, 44, 124, 6, 1, 15, 0, 12, 0},
  /* oa - oz */
  {7, 12, 14, 17, 5, 95, 3, 5, 14, 0, 0, 19, 41,
   134, 13, 23, 0, 91, 23, 42, 55, 16, 28, 0, 4, 1},
  /* pa - pz */
  {19, 1, 0, 0, 37, 0, 0, 4, 8, 0, 0, 15, 1,
   0, 27, 9, 0, 33, 14, 7, 6, 0, 0, 0, 0, 0},
  /* qa - qz */
  {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
   0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 0, 0},
  /* ra - rz */
  {83, 8, 16, 23, 169, 4, 8, 8, 77, 1, 10, 5, 26,
   16, 60, 4, 0, 24, 37, 55, 6, 11, 4, 0, 28, 0},
  /* sa - sz */
  {65, 9, 17, 9, 73, 13, 1, 47, 75, 3, 0, 7, 11,
   12, 56, 17, 6, 9, 48, 116, 35, 1, 28, 0, 4, 0},
  /* ta - tz */
  {57, 22, 3, 1, 76, 5, 2, 330, 126, 1, 0, 14, 10,
   6, 79, 7, 0, 49, 50, 56, 21, 2, 27, 0, 24, 0},
  /* ua - uz */
  {11, 5, 9, 6, 9, 1, 6, 0, 9, 0, 1, 19, 5,
   31, 1, 15, 0, 47, 39, 31, 0, 3, 0, 0, 0, 0},
  /* va - vz */
  {7, 0, 0, 0, 72, 0, 0, 0, 28, 0, 0, 0, 0,
   0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0},
  /* wa - wz */
  {36, 1, 1, 0, 38, 0, 0, 33, 36, 0, 0, 4, 1,
   8, 15, 0, 0, 0, 4, 2, 0, 0, 1, 0, 0, 0},
  /* xa - xz */
  {1, 0, 2, 0, 0, 1, 0, 0, 3, 0, 0, 0, 0,
   0, 1, 5, 0, 0, 0, 3, 0, 0, 1, 0, 0, 0},
  /* ya - yz */
  {14, 5, 4, 2, 7, 12, 12, 6, 10, 0, 0, 3, 7,
   5, 17, 3, 0, 4, 16, 30, 0, 0, 5, 0, 0, 0},
  /* za - zz */
  {1, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0,
   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
};

/*
 * This MUST be equal to the sum of the equivalent rows above:
 * generate_password() draws a value below row_sums[x] and walks
 * frequency[x][] until the running total passes it, so a sum that is too
 * large would let that walk run off the end of the row.
 */
static int row_sums[26] =
{
  796, 160, 284, 401, 1276, 262, 199, 539, 777,
  16, 39, 351, 243, 751, 662, 181, 17, 683,
  662, 968, 248, 115, 180, 17, 162, 5
};

/*
 * Frequencies of starting characters
 */
static int start_freq [26] =
{
  1299, 425, 725, 271, 375, 470, 93, 223, 1009,
  24, 20, 355, 379, 319, 823, 618, 21, 317,
  962, 1991, 271, 104, 516, 6, 16, 14
};
cd9e6b16 172
/*
 * State shared by the connect / set-password / disconnect routines below.
 * These objects have external linkage and are reused across calls.
 */
struct sockaddr_in kdc_server;          /* address filled in by ad_kdc_connect() */
SOCKET kdc_socket;                      /* socket opened by ad_kdc_connect() */
krb5_context context;
krb5_ccache ccache;
krb5_auth_context auth_context = NULL;
krb5_data ap_req;
krb5_creds *credsp = NULL;
krb5_creds creds;
char connected_server[128];             /* name copied in by ad_connect() */

/*
 * This MUST be equal to the sum of all elements in the start_freq array.
 */
static int total_sum = 11646;

int get_krb5_error(krb5_error_code rc,
                   char *in,
                   char *out);
int ad_connect(LDAP **ldap_handle,
               char *ldap_domain,
               char *dn_path,
               char *Win2kPassword,
               char *Win2kUser,
               char *default_server,
               int connect_to_kdc,
               char **ServerList,
               int *IgnoreServerListError);
int ad_kdc_connect(char *connectedServer);
int ad_server_connect(char *connectedServer,
                      char *domain);
void ad_kdc_disconnect();
int compare_elements(const void *arg1,
                     const void *arg2);
int convert_domain_to_dn(char *domain,
                         char *dnp);
int set_password(char *user,
                 char *password,
                 char *domain);

int locate_ldap_server(char *domain,
                       char **server_name);

long myrandom();
void generate_password(char *password);
krb5_error_code encode_krb5_setpw
        PROTOTYPE((const krb5_setpw *rep, krb5_data ** code));
cd9e6b16 206
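/*
 * Build the set-password request packet.
 *
 * The packet written to *packet is laid out as:
 *   2 bytes  total packet length, big-endian
 *   2 bytes  version bytes 0xff 0x80
 *   2 bytes  AP-REQ length, big-endian
 *   n bytes  AP-REQ, copied from ap_req
 *   m bytes  output of krb5_mk_priv() over the encoded krb5_setpw
 *            structure (targprinc plus the new password)
 *
 * Returns 0 on success; packet->data is then malloc()ed memory that the
 * caller must free().  On failure a non-zero error code is returned and
 * *packet is left untouched.
 */
krb5_error_code make_setpw_req(krb5_context context, krb5_auth_context auth_context,
                               krb5_data *ap_req, krb5_principal targprinc,
                               char *passwd, krb5_data *packet)
{
  krb5_error_code ret;
  krb5_setpw setpw;
  krb5_data cipherpw;
  krb5_data *encoded_setpw = NULL;
  krb5_replay_data replay;
  size_t total;
  char *buf;
  char *ptr;

  memset(&setpw, 0, sizeof(krb5_setpw));
  memset(&cipherpw, 0, sizeof(cipherpw));
  if ((ret = krb5_auth_con_setflags(context, auth_context,
                                    KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
    return(ret);
  setpw.targprinc = targprinc;
  setpw.newpasswd.length = strlen(passwd);
  setpw.newpasswd.data = passwd;
  if ((ret = encode_krb5_setpw(&setpw, &encoded_setpw)))
    return(ret);
  /* From here on encoded_setpw must be released on every path. */
  if ((ret = krb5_mk_priv(context, auth_context,
                          encoded_setpw, &cipherpw, &replay)))
    goto cleanup_encoded;

  /* Both length fields in the header are 16 bits wide; refuse to build a
     packet whose size would be silently truncated in them. */
  total = 6 + (size_t)ap_req->length + (size_t)cipherpw.length;
  if (total > 0xffff)
    {
      ret = KRB5KRB_ERR_FIELD_TOOLONG;
      goto cleanup_cipher;
    }
  buf = (char *) malloc(total);
  if (buf == NULL)
    {
      ret = ENOMEM;
      goto cleanup_cipher;
    }

  ptr = buf;
  /* Length */
  *ptr++ = (char)((total >> 8) & 0xff);
  *ptr++ = (char)(total & 0xff);
  /* version */
  *ptr++ = (char)0xff;
  *ptr++ = (char)0x80;
  /* ap_req length, big-endian */
  *ptr++ = (char)((ap_req->length >> 8) & 0xff);
  *ptr++ = (char)(ap_req->length & 0xff);
  /* ap-req data */
  memcpy(ptr, ap_req->data, ap_req->length);
  ptr += ap_req->length;
  /* krb-priv of password */
  memcpy(ptr, cipherpw.data, cipherpw.length);

  packet->length = total;
  packet->data = buf;
  ret = 0;

cleanup_cipher:
  free(cipherpw.data);
/*  krb5_free_data_contents(context, &cipherpw);*/
cleanup_encoded:
  /* The encoding holds the new password in the clear; overwrite it before
     the buffer goes back to the allocator. */
  if (encoded_setpw->data != NULL)
    memset(encoded_setpw->data, 0, encoded_setpw->length);
  krb5_free_data(context, encoded_setpw);
  return(ret);
}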
253
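/*
 * Parse the reply to a set-password request.
 *
 * packet holds the bytes received from the server.  Two shapes are
 * accepted:
 *   - a bare KRB-ERROR (first byte 0x7e or 0x5e), whose error number is
 *     returned;
 *   - a framed reply: 2-byte length, 2-byte version, 2-byte AP-REP length,
 *     the AP-REP, then either a KRB-PRIV (when the AP-REP is present) or a
 *     KRB-ERROR whose e_data carries the result (when it is absent).
 *
 * On success returns 0, stores the 16-bit result code in *result_code and
 * any trailing bytes in *result_data (malloc()ed, caller frees; data is
 * NULL when there are none).  Any other return value is an error and
 * *result_data must not be used.
 *
 * The reply arrives over UDP, so every field is treated as untrusted until
 * krb5_rd_rep()/krb5_rd_priv() have verified it.
 */
krb5_error_code get_setpw_rep(krb5_context context, krb5_auth_context auth_context,
                              krb5_data *packet, int *result_code,
                              krb5_data *result_data)
{
  char *ptr;
  int plen;
  int vno;
  krb5_data ap_rep;
  krb5_error_code ret;
  krb5_data cipherresult;
  krb5_data clearresult;
  krb5_error *krberror = NULL;
  krb5_replay_data replay;
  krb5_keyblock *tmp;
  krb5_ap_rep_enc_part *ap_rep_enc;

  memset(&clearresult, 0, sizeof(clearresult));

  if (packet->length < 4)
    return(KRB5KRB_AP_ERR_MODIFIED);
  ptr = packet->data;
  if (krb5_is_krb_error(packet))
    {
      ret = decode_krb5_error(packet, &krberror);
      if (ret)
        return(ret);
      ret = krberror->error;
      krb5_free_error(context, krberror);
      /* A bare KRB-ERROR is not authenticated.  If it carries error number
         0, returning it unchanged would look like success to the caller
         while *result_code was never written, so report it as a modified
         message instead. */
      if (ret == 0)
        ret = KRB5KRB_AP_ERR_MODIFIED;
      return(ret);
    }
  /* The framed header is three 16-bit fields; make sure all six bytes are
     present before reading them. */
  if (packet->length < 6)
    return(KRB5KRB_AP_ERR_MODIFIED);
  /* verify length */
  plen = (*ptr++ & 0xff);
  plen = (plen<<8) | (*ptr++ & 0xff);
  if (plen != packet->length)
    return(KRB5KRB_AP_ERR_MODIFIED);
  vno = (*ptr++ & 0xff);
  vno = (vno<<8) | (*ptr++ & 0xff);
  if (vno != KRB5_KPASSWD_VERS_SETPW && vno != KRB5_KPASSWD_VERS_CHANGEPW)
    return(KRB5KDC_ERR_BAD_PVNO);
  /* read, check ap-rep length */
  ap_rep.length = (*ptr++ & 0xff);
  ap_rep.length = (ap_rep.length<<8) | (*ptr++ & 0xff);
  /* ptr is now 6 bytes into the packet; compare lengths rather than
     forming a pointer that may lie past the end of the buffer. */
  if (ap_rep.length >= packet->length - 6)
    return(KRB5KRB_AP_ERR_MODIFIED);
  if (ap_rep.length)
    {
      /* verify ap_rep */
      ap_rep.data = ptr;
      ptr += ap_rep.length;
      if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc)))
        return(ret);
      krb5_free_ap_rep_enc_part(context, ap_rep_enc);
      /* extract and decrypt the result */
      cipherresult.data = ptr;
      cipherresult.length = (packet->data + packet->length) - ptr;
      /* XXX there's no api to do this right. The problem is that
         if there's a remote subkey, it will be used.  This is
         not what the spec requires */
      tmp = auth_context->remote_subkey;
      auth_context->remote_subkey = NULL;
      ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
                         &replay);
      auth_context->remote_subkey = tmp;
      if (ret)
        return(ret);
    }
  else
    {
      cipherresult.data = ptr;
      cipherresult.length = (packet->data + packet->length) - ptr;

      if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
        return(ret);

      /* clearresult borrows the e_data buffer owned by krberror. */
      clearresult = krberror->e_data;
    }
  if (clearresult.length < 2)
    {
      ret = KRB5KRB_AP_ERR_MODIFIED;
      goto cleanup;
    }
  ptr = clearresult.data;
  *result_code = (*ptr++ & 0xff);
  *result_code = (*result_code<<8) | (*ptr++ & 0xff);
  if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
      (*result_code > KRB5_KPASSWD_ACCESSDENIED))
    {
      ret = KRB5KRB_AP_ERR_MODIFIED;
      goto cleanup;
    }
  /* all success replies should be authenticated/encrypted */
  if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS))
    {
      ret = KRB5KRB_AP_ERR_MODIFIED;
      goto cleanup;
    }
  result_data->length = (clearresult.data + clearresult.length) - ptr;
  if (result_data->length)
    {
      result_data->data = (char *) malloc(result_data->length);
      if (result_data->data == NULL)
        {
          result_data->length = 0;
          ret = ENOMEM;
          goto cleanup;
        }
      memcpy(result_data->data, ptr, result_data->length);
    }
  else
    result_data->data = NULL;
  ret = 0;
cleanup:
  /* With an AP-REP the cleartext was allocated by krb5_rd_priv();
     without one it belongs to krberror and is released with it. */
  if (ap_rep.length)
    free(clearresult.data);
  else
    krb5_free_error(context, krberror);
  return(ret);
}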
364
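/*
 * Set the password of user@DOMAIN to newpw over the already-connected
 * kdc_socket.
 *
 * The realm is the upper-cased domain.  On the first call (credsp == NULL)
 * credentials for kadmin/changepw@REALM are fetched from ccache and an
 * AP-REQ is built; both are kept in the file-level creds/credsp/ap_req/
 * auth_context objects and reused by later calls.  The request is sent up
 * to three times, waiting three seconds for each reply.
 *
 * Returns 0 or an error code; when the server supplied a non-zero result
 * code it is also stored in *result_code.
 */
krb5_error_code kdc_set_password(krb5_context context, krb5_ccache ccache,
                                 char *newpw, char *user, char *domain,
                                 int *result_code)
{
  const unsigned int rcv_size = 1500;
  krb5_data chpw_snd;
  krb5_data chpw_rcv;
  krb5_data result_string;
  krb5_address local_kaddr;
  krb5_address remote_kaddr;
  krb5_address **addrs;
  char userrealm[256];
  char temp[256];
  krb5_error_code code;
  struct sockaddr local_addr;
  struct sockaddr remote_addr;
  size_t domain_len;
  size_t n;
  int local_contents_allocated;
  int i;
  int addrlen;
  int cc;
  int local_result_code;
  int nfds;
  krb5_principal targprinc;
  struct timeval TimeVal;
  fd_set readfds;

  memset(&local_addr, 0, sizeof(local_addr));
  memset(&local_kaddr, 0, sizeof(local_kaddr));
  memset(&result_string, 0, sizeof(result_string));
  memset(&remote_kaddr, 0, sizeof(remote_kaddr));
  memset(&chpw_snd, 0, sizeof(krb5_data));
  memset(&chpw_rcv, 0, sizeof(krb5_data));
  memset(userrealm, '\0', sizeof(userrealm));
  targprinc = NULL;
  addrs = NULL;
  local_contents_allocated = 0;

  /* userrealm and temp are fixed 256-byte buffers filled from caller
     supplied strings; reject names that would not fit (including the
     terminating NUL) before anything is copied. */
  domain_len = strlen(domain);
  if ((domain_len >= sizeof(userrealm)) ||
      (strlen(user) + 1 + domain_len >= sizeof(temp)) ||
      (strlen("kadmin/changepw") + 1 + domain_len >= sizeof(temp)))
    return(KRB5_PARSE_MALFORMED);

  chpw_rcv.data = (char *) calloc(1, rcv_size);
  if (chpw_rcv.data == NULL)
    return(ENOMEM);
  chpw_rcv.length = rcv_size;

  for (n = 0; n < domain_len; n++)
    userrealm[n] = toupper((unsigned char)domain[n]);

  sprintf(temp, "%s@%s", user, userrealm);
  if ((code = krb5_parse_name(context, temp, &targprinc)))
    goto cleanup;

  if (credsp == NULL)
    {
      memset(&creds, 0, sizeof(creds));
      memset(&ap_req, 0, sizeof(krb5_data));
      sprintf(temp, "%s@%s", "kadmin/changepw", userrealm);
      if ((code = krb5_parse_name(context, temp, &creds.server)))
        goto cleanup;
      if ((code = krb5_cc_get_principal(context, ccache, &creds.client)))
        goto cleanup;
      if ((code = krb5_get_credentials(context, 0, ccache, &creds, &credsp)))
        goto cleanup;
      if ((code = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
                                       NULL, credsp, &ap_req)))
        goto cleanup;
    }

  addrlen = sizeof(local_addr);
  if (getsockname(kdc_socket, &local_addr, &addrlen) < 0)
    {
      code = KDC_GETSOCKNAME_ERROR;
      goto cleanup;
    }
  if (((struct sockaddr_in *)&local_addr)->sin_addr.s_addr != 0)
    {
      local_kaddr.addrtype = ADDRTYPE_INET;
      local_kaddr.length =
        sizeof(((struct sockaddr_in *) &local_addr)->sin_addr);
      local_kaddr.contents =
        (char *) &(((struct sockaddr_in *) &local_addr)->sin_addr);
    }
  else
    {
      /* The socket reports the wildcard address; fall back to the first
         address krb5 finds for this host. */
      if ((code = krb5_os_localaddr(context, &addrs)))
        goto cleanup;
      if ((addrs == NULL) || (addrs[0] == NULL))
        {
          if (addrs != NULL)
            krb5_free_addresses(context, addrs);
          code = KDC_GETSOCKNAME_ERROR;
          goto cleanup;
        }
      local_kaddr.magic = addrs[0]->magic;
      local_kaddr.addrtype = addrs[0]->addrtype;
      local_kaddr.length = addrs[0]->length;
      local_kaddr.contents = calloc(1, addrs[0]->length);
      if (local_kaddr.contents == NULL)
        {
          krb5_free_addresses(context, addrs);
          code = ENOMEM;
          goto cleanup;
        }
      local_contents_allocated = 1;
      memcpy(local_kaddr.contents, addrs[0]->contents, addrs[0]->length);
      krb5_free_addresses(context, addrs);
    }

  addrlen = sizeof(remote_addr);
  if (getpeername(kdc_socket, &remote_addr, &addrlen) < 0)
    {
      code = KDC_GETPEERNAME_ERROR;
      goto cleanup;
    }
  remote_kaddr.addrtype = ADDRTYPE_INET;
  remote_kaddr.length = sizeof(((struct sockaddr_in *) &remote_addr)->sin_addr);
  remote_kaddr.contents = (char *) &(((struct sockaddr_in *) &remote_addr)->sin_addr);

  if ((code = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL)))
    goto cleanup;
  if ((code = make_setpw_req(context, auth_context, &ap_req,
                             targprinc, newpw, &chpw_snd)))
    goto cleanup;

  for (i = 0; i < 3; i++)
    {
      if ((cc = sendto(kdc_socket, chpw_snd.data, chpw_snd.length, 0,
                       NULL,
                       0)) != chpw_snd.length)
        {
          code = KDC_SEND_ERROR;
          sleep(1);
          continue;
        }

      TimeVal.tv_sec = 3;
      TimeVal.tv_usec = 0;
      FD_ZERO(&readfds);
      FD_SET(kdc_socket, &readfds);
      nfds = kdc_socket + 1;
      code = select(nfds, &readfds, NULL, NULL, &TimeVal);
      if ((code == 0) || (code == SOCKET_ERROR))
        {
          code = KDC_RECEIVE_TIMEOUT;
          sleep(1);
          continue;
        }

      /* An earlier iteration shrinks chpw_rcv.length to the size of the
         datagram it received; restore the full buffer size so a retry is
         not limited to that shorter length. */
      chpw_rcv.length = rcv_size;
      if ((cc = recvfrom(kdc_socket, chpw_rcv.data, chpw_rcv.length, 0,
                         NULL, NULL)) < 0)
        {
          code = KDC_RECEIVE_TIMEOUT;
          sleep(1);
          continue;
        }
      chpw_rcv.length = cc;
      if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, &remote_kaddr)))
        {
          sleep(1);
          continue;
        }
      local_result_code = 0;
      result_string.data = NULL;
      result_string.length = 0;
      code = get_setpw_rep(context, auth_context, &chpw_rcv,
                           &local_result_code, &result_string);
      /* The result text is not used here; release it on success so it does
         not leak on every attempt. */
      if ((code == 0) && (result_string.data != NULL))
        free(result_string.data);
      result_string.data = NULL;

      if (local_result_code)
        {
          /* NOTE(review): a KRB5_KPASSWD_SOFTERROR reply is reported to the
             caller as KRB5_KPASSWD_SUCCESS.  If the server uses the soft
             error for a rejected password, the caller is told the password
             was set when it was not -- confirm this mapping is intended. */
          if (local_result_code == KRB5_KPASSWD_SOFTERROR)
            local_result_code = KRB5_KPASSWD_SUCCESS;
          *result_code = local_result_code;
        }
      if ((code == 0) && (local_result_code == 0))
        break;
      sleep(1);
    }

cleanup:
  /* The other local_kaddr branch points into local_addr on the stack, so
     only the calloc()ed copy is released here. */
  if (local_contents_allocated)
    free(local_kaddr.contents);
  if (chpw_snd.data != NULL)
    free(chpw_snd.data);
  if (chpw_rcv.data != NULL)
    free(chpw_rcv.data);
  if (targprinc != NULL)
    krb5_free_principal(context, targprinc);
  return(code);
}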
525
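/*
 * Set the password for user in domain.
 *
 * When password is the empty string a random password is generated with
 * generate_password() and set instead; that generated value is not
 * returned to the caller.
 *
 * Returns the server's result code when it is non-zero, otherwise the
 * error code from kdc_set_password() (0 on success).
 */
int set_password(char *user, char *password, char *domain)
{
  int res_code;
  krb5_error_code retval;
  char pw[PW_LENGTH+1];
  char *newpw;
  volatile char *wipe;
  size_t n;

  memset(pw, '\0', sizeof(pw));
  /* A caller-supplied password is passed through as-is.  Copying it into
     pw[] would overflow the PW_LENGTH+1 byte buffer for any password
     longer than PW_LENGTH characters. */
  newpw = password;
  if (strlen(password) == 0)
    {
      generate_password(pw);
      newpw = pw;
    }
  res_code = 0;
  retval = kdc_set_password(context, ccache, newpw, user, domain, &res_code);

  /* Clear the generated password from the stack; the volatile pointer
     keeps the stores from being optimized away. */
  wipe = pw;
  for (n = 0; n < sizeof(pw); n++)
    wipe[n] = '\0';

  if (res_code)
    return(res_code);
  return(retval);
}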
544
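/*
 * Fill password with PW_LENGTH lower-case letters plus a terminating NUL;
 * the buffer must therefore hold at least PW_LENGTH+1 bytes.
 *
 * The first letter is drawn using the start_freq weights; each following
 * letter is drawn using the frequency[] row of the letter before it.
 *
 * NOTE(review): the letters come from myrandom(), which is built on
 * rand()/random() seeded from the clock and the process id.  That is not a
 * cryptographically secure source, and the weighted letter-pair model
 * produces fewer possible passwords than uniformly random letters would.
 * Consider an OS-provided secure random source for account passwords.
 */
void generate_password(char *password)
{
  int i;
  int j;
  int row_position;
  int nchars;
  int position;
  char *pwp;

  /* Pick the first letter: walk the running total of start_freq until it
     passes the drawn position. */
  position = myrandom()%total_sum;
  for (row_position = 0, j = 0; position >= row_position; row_position += start_freq[j], j++)
    continue;
  *(pwp = password) = j + 'a' - 1;

  /* Each remaining letter is picked the same way from the row that
     belongs to the letter just written. */
  for (nchars = PW_LENGTH-1; nchars; --nchars)
    {
      i = *pwp - 'a';
      pwp++;
      position = myrandom()%row_sums[i];
      for (row_position = 0, j = 0; position >= row_position; row_position += frequency[i][j], j++)
        continue;
      *pwp = j + 'a' - 1;
    }
  *(++pwp)='\0';
}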
579
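/*
 * Return a non-negative pseudo-random number.
 *
 * The generator is seeded once, on the first call, from the current time
 * XORed with the process id.
 *
 * NOTE(review): this is a general-purpose PRNG with a guessable seed, not
 * a source suitable for secrets; generate_password() relies on it.
 */
long myrandom()
{
  static int init = 0;
  int pid;
#ifdef _WIN32
  struct _timeb timebuffer;
#else
  struct timeval tv;
#endif

  if (!init)
    {
      init = 1;
      pid = getpid();
#ifdef _WIN32
      _ftime(&timebuffer);
      srand(timebuffer.time ^ timebuffer.millitm ^ pid);
#else
      gettimeofday(&tv, (struct timezone *) NULL);
      srandom(tv.tv_sec ^ tv.tv_usec ^ pid);
#endif
    }
#ifdef _WIN32
  return (rand());
#else
  /* Draw from the generator that srandom() seeded.  POSIX does not promise
     that srandom() affects rand(); where the two are separate, rand()
     would run from its default seed and repeat the same sequence in every
     process. */
  return (random());
#endif
}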
f78c7eaf 604
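/*
 * Format a human-readable message for error code rc into out, prefixed
 * with the caller's text in.
 *
 * Negative codes are looked up with error_message() and printed with the
 * low 8 bits of rc; non-negative codes are matched against the KDC_ and
 * KRB5_KPASSWD_ values handled below.
 *
 * Returns 0 for the receive, send, socket, authentication and soft-error
 * codes and 1 for everything else.
 *
 * out is written with sprintf() and no length limit: the caller must
 * supply a buffer large enough for in plus the message text.
 */
int get_krb5_error(krb5_error_code rc, char *in, char *out)
{
  const char *text;
  int krb5Error;
  int retval;

  retval = 1;

  if (rc < 0)
    {
      krb5Error = ((int)(rc & 255));
      /* "%ld" needs a long argument; passing the int directly is a
         format/argument mismatch. */
      sprintf(out, "%s: %s(%ld)", in, error_message(rc), (long)krb5Error);
      return(retval);
    }

  switch (rc)
    {
      case KDC_RECEIVE_TIMEOUT:
        retval = 0;
        text = "Receive timeout";
        break;
      case KDC_RECEIVE_ERROR:
        retval = 0;
        text = "Receive error";
        break;
      case KRB5_KPASSWD_MALFORMED:
        text = "malformed password";
        break;
      case KRB5_KPASSWD_HARDERROR:
        text = "hard error";
        break;
      case KRB5_KPASSWD_AUTHERROR:
        retval = 0;
        text = "authentication error";
        break;
      case KRB5_KPASSWD_SOFTERROR:
        retval = 0;
        text = "soft error";
        break;
      case KRB5_KPASSWD_ACCESSDENIED:
        text = "Access denied";
        break;
      case KDC_SEND_ERROR:
        retval = 0;
        text = "Send error";
        break;
      case KDC_GETSOCKNAME_ERROR:
        retval = 0;
        text = "Socket error - getsockname";
        break;
      case KDC_GETPEERNAME_ERROR:
        retval = 0;
        text = "Socket error - getpeername";
        break;
      default:
        text = "unknown error";
        break;
    }
  /* The cast keeps the argument an int for "%d" whatever the width of
     krb5_error_code on this platform. */
  sprintf(out, "%s: %s(%d)", in, text, (int)rc);
  return(retval);
}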
687
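/*
 * Connect and bind to an LDAP server for ldap_domain (default
 * "win.mit.edu") and, when connect_to_kdc is set, also open the KDC socket
 * on the same server.
 *
 * dn_path receives the "dc=..." form of the domain.  Servers returned by
 * locate_ldap_server() that are not already in the NULL-terminated
 * ServerList are appended to it, then the list is tried in order until a
 * GSSAPI bind succeeds.  The winning name is copied to connected_server,
 * and to default_server if that is still empty.
 *
 * Win2kPassword and Win2kUser are not used in this function.
 *
 * Returns 0 on success, 1 if the domain could not be converted or the
 * first server failed while *IgnoreServerListError was 0 (it is then set
 * to -1), 2 if no server could be located, 3 if no server in the list
 * could be connected.  On any failure after a handle was opened
 * *ldap_handle is left NULL.
 *
 * NOTE(review): the sizes of dn_path, default_server and ServerList are
 * not visible here; this code assumes ServerList has room for
 * MAX_SERVER_NAMES entries and default_server for a full server name --
 * confirm against the callers.
 */
int ad_connect(LDAP **ldap_handle, char *ldap_domain, char *dn_path,
               char *Win2kPassword, char *Win2kUser, char *default_server,
               int connect_to_kdc, char **ServerList, int *IgnoreServerListError)
{
  int i;
  int k;
  int Count;
  int connected;
  char *server_name[MAX_SERVER_NAMES];
  ULONG version = LDAP_VERSION3;
  ULONG rc;
  int Max_wait_time = 500;
  int Max_size_limit = LDAP_NO_LIMIT;

  if (ldap_domain == NULL)
    ldap_domain = "win.mit.edu";
  convert_domain_to_dn(ldap_domain, dn_path);
  if (strlen(dn_path) == 0)
    return(1);

  Count = 0;
  while (ServerList[Count] != NULL)
    ++Count;

  memset(server_name, 0, sizeof(server_name[0]) * MAX_SERVER_NAMES);
  if (locate_ldap_server(ldap_domain, server_name) == -1)
    return(2);

  /* Merge the located servers into ServerList, skipping duplicates. */
  for (i = 0; i < MAX_SERVER_NAMES; i++)
    {
      if (server_name[i] == NULL)
        continue;
      if (Count < MAX_SERVER_NAMES)
        {
          for (k = 0; k < (int)strlen(server_name[i]); k++)
            server_name[i][k] = toupper((unsigned char)server_name[i][k]);
          for (k = 0; k < Count; k++)
            {
              if (!strcasecmp(server_name[i], ServerList[k]))
                break;
            }
          if (k == Count)
            {
              /* One exact-size copy.  Allocating a fixed 256-byte buffer,
                 strcpy()ing into it and then overwriting the pointer with
                 strdup() leaked the first buffer and could overflow it. */
              ServerList[Count] = (char *)strdup((char *)server_name[i]);
              if (ServerList[Count] != NULL)
                ++Count;
            }
        }
      free(server_name[i]);
      server_name[i] = NULL;
    }

  connected = 0;
  for (i = 0; i < Count; i++)
    {
      if (ServerList[i] == NULL)
        continue;

      /* connected_server is a fixed 128-byte buffer; a name that does not
         fit is treated like a server that could not be opened. */
      if ((strlen(ServerList[i]) < sizeof(connected_server)) &&
          (((*ldap_handle) = ldap_open(ServerList[i], LDAP_PORT)) != NULL))
        {
          rc = ldap_set_option((*ldap_handle), LDAP_OPT_PROTOCOL_VERSION, &version);
          rc = ldap_set_option((*ldap_handle), LDAP_OPT_TIMELIMIT,
                               (void *)&Max_wait_time);
          rc = ldap_set_option((*ldap_handle), LDAP_OPT_SIZELIMIT,
                               (void *)&Max_size_limit);
          rc = ldap_set_option((*ldap_handle), LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
          rc = ldap_adgssapi_bind((*ldap_handle), dn_path, GSSSASL_PRIVACY_PROTECTION);
          if (rc == LDAP_SUCCESS)
            {
              if (connect_to_kdc)
                {
                  if (!ad_server_connect(ServerList[i], ldap_domain))
                    {
                      ldap_unbind_s((*ldap_handle));
                      /* Do not leave the caller a pointer to the handle
                         that was just released. */
                      (*ldap_handle) = NULL;
                      continue;
                    }
                }
              if (strlen(default_server) == 0)
                strcpy(default_server, ServerList[i]);
              strcpy(connected_server, ServerList[i]);
              connected = 1;
              break;
            }
          /* The bind failed: release the handle instead of leaking it. */
          ldap_unbind_s((*ldap_handle));
          (*ldap_handle) = NULL;
        }
      if ((i == 0) && ((*IgnoreServerListError) == 0))
        {
          (*IgnoreServerListError) = -1;
          return(1);
        }
    }
  /* Running out of servers is a failure whatever the list length; testing
     only i >= MAX_SERVER_NAMES reported success for a shorter list in
     which every server had failed. */
  if (!connected || (i >= MAX_SERVER_NAMES))
    return(3);
  return(0);
}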
788
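/*
 * Prepare the file-level Kerberos context and credential cache, check that
 * credentials for kadmin/changepw@REALM can be obtained (REALM is the
 * upper-cased domain), and connect kdc_socket to connectedServer.
 *
 * Returns the result of ad_kdc_connect() (1 on success), or 0 if any
 * earlier step fails.  On failure the file-level context is released and
 * reset to NULL; on success context and ccache stay open for later calls.
 *
 * The creds/credsp used here are locals that shadow the file-level objects
 * of the same name; they are always released before returning.
 */
int ad_server_connect(char *connectedServer, char *domain)
{
  krb5_error_code rc;
  krb5_creds creds;
  krb5_creds *credsp;
  char temp[256];
  char userrealm[256];
  size_t domain_len;
  size_t n;
  int have_ccache;

  context = NULL;
  credsp = NULL;
  have_ccache = 0;
  memset(&ccache, 0, sizeof(ccache));
  memset(&creds, 0, sizeof(creds));
  memset(userrealm, '\0', sizeof(userrealm));

  rc = 0;
  /* userrealm and temp are fixed 256-byte buffers; refuse a domain that
     would not fit rather than writing past them. */
  domain_len = strlen(domain);
  if ((domain_len >= sizeof(userrealm)) ||
      (strlen("kadmin/changepw") + 1 + domain_len >= sizeof(temp)))
    goto cleanup;

  if (krb5_init_context(&context))
    {
      context = NULL;
      goto cleanup;
    }
  if (krb5_cc_default(context, &ccache))
    goto cleanup;
  have_ccache = 1;

  for (n = 0; n < domain_len; n++)
    userrealm[n] = toupper((unsigned char)domain[n]);
  sprintf(temp, "%s@%s", "kadmin/changepw", userrealm);
  if (krb5_parse_name(context, temp, &creds.server))
    goto cleanup;
  if (krb5_cc_get_principal(context, ccache, &creds.client))
    goto cleanup;
  if (krb5_get_credentials(context, 0, ccache, &creds, &credsp))
    goto cleanup;

  rc = ad_kdc_connect(connectedServer);


cleanup:
  if (context != NULL)
    {
      /* Release the credentials while the context is still valid; freeing
         the context first and then passing it to the krb5_free_* calls
         would use it after it was freed. */
      krb5_free_cred_contents(context, &creds);
      if (credsp != NULL)
        krb5_free_creds(context, credsp);
      if (!rc)
        {
          if (have_ccache)
            krb5_cc_close(context, ccache);
          krb5_free_context(context);
          /* ad_kdc_disconnect() frees context when it is non-NULL, so the
             stale pointer must not be left behind. */
          context = NULL;
          memset(&ccache, 0, sizeof(ccache));
        }
    }
  return(rc);
}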
835
836
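/*
 * Resolve connectedServer and connect the file-level UDP socket kdc_socket
 * to it on KDC_PORT.  The resolved address is stored in kdc_server.
 *
 * Returns 1 on success and 0 on any failure.
 */
int ad_kdc_connect(char *connectedServer)
{
  struct hostent *hp;
  int rc;

  rc = 0;
  hp = gethostbyname(connectedServer);
  if (hp == NULL)
    goto cleanup;
  /* kdc_server is a sockaddr_in: accept only an IPv4 answer whose address
     length matches sin_addr, so the memcpy below cannot write past it. */
  if ((hp->h_addrtype != AF_INET) ||
      (hp->h_length != (int)sizeof(kdc_server.sin_addr)) ||
      (hp->h_addr_list[0] == NULL))
    goto cleanup;
  memset(&kdc_server, 0, sizeof(kdc_server));
  memcpy(&(kdc_server.sin_addr),hp->h_addr_list[0],hp->h_length);
  kdc_server.sin_family = hp->h_addrtype;
  kdc_server.sin_port = htons(KDC_PORT);

  if ((kdc_socket = socket(AF_INET, SOCK_DGRAM, 0)) == INVALID_SOCKET)
    goto cleanup;
  if (connect(kdc_socket, (struct sockaddr*)&kdc_server, sizeof(kdc_server)) == SOCKET_ERROR)
    {
      /* Do not leak the descriptor when the connect fails. */
      closesocket(kdc_socket);
      kdc_socket = INVALID_SOCKET;
      goto cleanup;
    }
  rc = 1;

cleanup:
  return(rc);
}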
860
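/*
 * Release the file-level Kerberos state (auth_context, ap_req, creds,
 * credsp, ccache, context) and close kdc_socket.
 *
 * Every pointer that is freed is also reset, so calling this function a
 * second time does not free the same object twice.
 */
void ad_kdc_disconnect()
{

  if (auth_context != NULL)
    {
      krb5_auth_con_free(context, auth_context);
      if (ap_req.data != NULL)
        free(ap_req.data);
      ap_req.data = NULL;
      ap_req.length = 0;
      krb5_free_cred_contents(context, &creds);
      memset(&creds, 0, sizeof(creds));
      if (credsp != NULL)
        krb5_free_creds(context, credsp);
    }
  credsp = NULL;
  auth_context = NULL;
  if (context != NULL)
    {
      krb5_cc_close(context, ccache);
      krb5_free_context(context);
      context = NULL;
    }
  closesocket(kdc_socket);

}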
883
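/*
 * Convert a dotted domain name into an LDAP distinguished name, e.g.
 * "win.mit.edu" becomes "dc=win,dc=mit,dc=edu", and copy it to dnp.
 *
 * The result is built in a 512-byte buffer.  If the converted name would
 * not fit, dnp is set to the empty string and 1 is returned; otherwise 0
 * is returned.  dnp must be large enough for the converted name.
 *
 * Characters other than '.' are copied unchanged; characters that are
 * special inside a DN (such as ',' or '=') are not escaped.
 */
int convert_domain_to_dn(char *domain, char *dnp)
{
  char *fp;
  char *dp;
  char dn[512];
  size_t need;

  /* Measure first: each '.' grows to the four bytes ",dc=", so the output
     can be much longer than the input. */
  need = 3;
  for (fp = domain; *fp; fp++)
    need += (*fp == '.') ? 4 : 1;
  if (need >= sizeof(dn))
    {
      dnp[0] = '\0';
      return 1;
    }

  memset(dn, '\0', sizeof(dn));
  strcpy(dn, "dc=");
  dp = dn+3;
  for (fp = domain; *fp; fp++)
    {
      if (*fp == '.')
        {
          strcpy(dp, ",dc=");
          dp += 4;
        }
      else
        *dp++ = *fp;
    }

  strcpy(dnp, dn);
  return 0;
}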
907
/*
 * Compare two NUL-terminated strings in reverse order: returns 1 when
 * arg1 sorts before arg2, -1 when it sorts after, and 0 when they are
 * equal.  Both arguments are passed straight to strcmp().
 */
int compare_elements(const void *arg1, const void *arg2)
{
  int order = strcmp((char*)arg1, (char*)arg2);

  if (order == 0)
    return(0);
  return((order < 0) ? 1 : -1);
}