27
25
if ((ret = krb5_auth_con_setflags(context, auth_context,
28
26
KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
31
29
clearpw.length = strlen(passwd);
32
30
clearpw.data = passwd;
34
32
if ((ret = krb5_mk_priv(context, auth_context,
35
33
&clearpw, &cipherpw, &replay)))
38
36
packet->length = 6 + ap_req->length + cipherpw.length;
39
37
packet->data = (char *) malloc(packet->length);
40
if (packet->data == NULL)
38
if (packet->data == NULL) {
45
42
ptr = packet->data;
49
*ptr++ = (packet->length>> 8) & 0xff;
50
*ptr++ = packet->length & 0xff;
46
store_16_be(packet->length, ptr);
52
49
/* version == 0x0001 big-endian */
69
66
memcpy(ptr, cipherpw.data, cipherpw.length);
72
if(cipherpw.data != NULL) /* allocated by krb5_mk_priv */
69
if (cipherpw.data != NULL) /* allocated by krb5_mk_priv */
79
krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
76
krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
77
krb5_data *packet, int *result_code, krb5_data *result_data)
101
99
plen = (*ptr++ & 0xff);
102
100
plen = (plen<<8) | (*ptr++ & 0xff);
104
if (plen != packet->length)
107
* MS KDCs *may* send back a KRB_ERROR. Although
108
* not 100% correct via RFC3244, it's something
109
* we can workaround here.
111
if (krb5_is_krb_error(packet)) {
113
if ((ret = krb5_rd_error(context, packet, &krberror)))
116
if (krberror->e_data.data == NULL) {
117
ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
118
krb5_free_error(context, krberror);
124
return(KRB5KRB_AP_ERR_MODIFIED);
102
if (plen != packet->length) {
104
* MS KDCs *may* send back a KRB_ERROR. Although
105
* not 100% correct via RFC3244, it's something
106
* we can workaround here.
108
if (krb5_is_krb_error(packet)) {
110
if ((ret = krb5_rd_error(context, packet, &krberror)))
113
if (krberror->e_data.data == NULL) {
114
ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
115
krb5_free_error(context, krberror);
119
return(KRB5KRB_AP_ERR_MODIFIED);
129
124
/* verify version number */
241
236
krb5_error_code KRB5_CALLCONV
242
krb5_chpw_result_code_string(krb5_context context, int result_code, char **code_string)
237
krb5_chpw_result_code_string(krb5_context context, int result_code,
244
switch (result_code) {
245
case KRB5_KPASSWD_MALFORMED:
246
*code_string = "Malformed request error";
248
case KRB5_KPASSWD_HARDERROR:
249
*code_string = "Server error";
251
case KRB5_KPASSWD_AUTHERROR:
252
*code_string = "Authentication error";
254
case KRB5_KPASSWD_SOFTERROR:
255
*code_string = "Password change rejected";
258
*code_string = "Password change failed";
240
switch (result_code) {
241
case KRB5_KPASSWD_MALFORMED:
242
*code_string = "Malformed request error";
244
case KRB5_KPASSWD_HARDERROR:
245
*code_string = "Server error";
247
case KRB5_KPASSWD_AUTHERROR:
248
*code_string = "Authentication error";
250
case KRB5_KPASSWD_SOFTERROR:
251
*code_string = "Password change rejected";
254
*code_string = "Password change failed";
266
krb5int_mk_setpw_req(
267
krb5_context context,
268
krb5_auth_context auth_context,
270
krb5_principal targprinc,
262
krb5int_mk_setpw_req(krb5_context context,
263
krb5_auth_context auth_context,
265
krb5_principal targprinc,
274
269
krb5_error_code ret;
275
270
krb5_data cipherpw;
276
271
krb5_data *encoded_setpw;
272
struct krb5_setpw_req req;
280
cipherpw.data = NULL;
276
cipherpw.data = NULL;
283
279
if ((ret = krb5_auth_con_setflags(context, auth_context,
284
280
KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
287
ret = encode_krb5_setpw_req(targprinc, passwd, &encoded_setpw);
283
req.target = targprinc;
284
req.password.data = passwd;
285
req.password.length = strlen(passwd);
286
ret = encode_krb5_setpw_req(&req, &encoded_setpw);
292
if ( (ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
293
krb5_free_data( context, encoded_setpw);
291
if ((ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
292
krb5_free_data(context, encoded_setpw);
296
krb5_free_data( context, encoded_setpw);
295
krb5_free_data(context, encoded_setpw);
299
298
packet->length = 6 + ap_req->length + cipherpw.length;
305
304
ptr = packet->data;
307
** build the packet -
309
/* put in the length */
310
*ptr++ = (packet->length>>8) & 0xff;
311
*ptr++ = packet->length & 0xff;
312
/* put in the version */
306
** build the packet -
308
/* put in the length */
309
store_16_be(packet->length, ptr);
311
/* put in the version */
313
312
*ptr++ = (char)0xff;
314
313
*ptr++ = (char)0x80;
315
/* the ap_req length is big endian */
316
*ptr++ = (ap_req->length>>8) & 0xff;
317
*ptr++ = ap_req->length & 0xff;
318
/* put in the request data */
314
/* the ap_req length is big endian */
315
store_16_be(ap_req->length, ptr);
317
/* put in the request data */
319
318
memcpy(ptr, ap_req->data, ap_req->length);
320
319
ptr += ap_req->length;
322
** put in the "private" password data -
321
** put in the "private" password data -
324
323
memcpy(ptr, cipherpw.data, cipherpw.length);
327
326
if (cipherpw.data)
328
327
krb5_free_data_contents(context, &cipherpw);
329
328
if ((ret != 0) && packet->data) {
331
330
packet->data = NULL;
337
krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet,
338
int *result_code, krb5_data *result_data )
336
krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
338
int *result_code, krb5_data *result_data)
341
341
unsigned int message_length, version_number;
369
369
krberror->e_data.data = NULL; /*So we can free it later*/
370
370
krberror->e_data.length = 0;
371
371
krb5_free_error(context, krberror);
373
373
} else { /* Not an error*/
376
** validate the message length -
377
** length is big endian
376
** validate the message length -
377
** length is big endian
379
379
message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
382
** make sure the message length and packet length agree -
382
** make sure the message length and packet length agree -
384
384
if (message_length != packet->length)
385
385
return(KRB5KRB_AP_ERR_MODIFIED);
387
** get the version number -
387
** get the version number -
389
389
version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
392
** make sure we support the version returned -
395
** set password version is 0xff80, change password version is 1
392
** make sure we support the version returned -
395
** set password version is 0xff80, change password version is 1
397
397
if (version_number != 1 && version_number != 0xff80)
398
398
return(KRB5KDC_ERR_BAD_PVNO);
400
** now fill in ap_rep with the reply -
403
** get the reply length -
400
** now fill in ap_rep with the reply -
403
** get the reply length -
405
405
ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
408
** validate ap_rep length agrees with the packet length -
408
** validate ap_rep length agrees with the packet length -
410
410
if (ptr + ap_rep.length >= packet->data + packet->length)
411
411
return(KRB5KRB_AP_ERR_MODIFIED);
413
** if data was returned, set the ap_rep ptr -
415
if( ap_rep.length ) {
413
** if data was returned, set the ap_rep ptr -
416
416
ap_rep.data = ptr;
417
417
ptr += ap_rep.length;
453
453
return (KRB5KRB_AP_ERR_MODIFIED);
454
454
} /*Response instead of error*/
457
** validate the cleartext length
457
** validate the cleartext length
459
459
if (clearresult.length < 2) {
460
460
ret = KRB5KRB_AP_ERR_MODIFIED;
464
** now decode the result -
464
** now decode the result -
466
466
ptr = clearresult.data;
468
468
*result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
472
** result code 5 is access denied
474
if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5))
472
** result code 5 is access denied
474
if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5)) {
476
475
ret = KRB5KRB_AP_ERR_MODIFIED;
480
** all success replies should be authenticated/encrypted
482
if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) )
479
** all success replies should be authenticated/encrypted
481
if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) {
484
482
ret = KRB5KRB_AP_ERR_MODIFIED;
508
krb5int_setpw_result_code_string( krb5_context context, int result_code, const char **code_string )
504
krb5int_setpw_result_code_string(krb5_context context, int result_code,
505
const char **code_string)
512
case KRB5_KPASSWD_MALFORMED:
513
*code_string = "Malformed request error";
515
case KRB5_KPASSWD_HARDERROR:
516
*code_string = "Server error";
518
case KRB5_KPASSWD_AUTHERROR:
519
*code_string = "Authentication error";
521
case KRB5_KPASSWD_SOFTERROR:
522
*code_string = "Password change rejected";
524
case 5: /* access denied */
525
*code_string = "Access denied";
527
case 6: /* bad version */
528
*code_string = "Wrong protocol version";
530
case 7: /* initial flag is needed */
531
*code_string = "Initial password required";
534
*code_string = "Success";
536
*code_string = "Password change failed";
507
switch (result_code) {
508
case KRB5_KPASSWD_MALFORMED:
509
*code_string = "Malformed request error";
511
case KRB5_KPASSWD_HARDERROR:
512
*code_string = "Server error";
514
case KRB5_KPASSWD_AUTHERROR:
515
*code_string = "Authentication error";
517
case KRB5_KPASSWD_SOFTERROR:
518
*code_string = "Password change rejected";
520
case 5: /* access denied */
521
*code_string = "Access denied";
523
case 6: /* bad version */
524
*code_string = "Wrong protocol version";
526
case 7: /* initial flag is needed */
527
*code_string = "Initial password required";
530
*code_string = "Success";
533
*code_string = "Password change failed";