ba7b222e36bac28710a7f43739283302b617e7f5Glenn Barry * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
ba7b222e36bac28710a7f43739283302b617e7f5Glenn Barry * Use is subject to license terms.
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* Solaris Kerberos */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/* #include "krb5_err.h" */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if ((ret = krb5_auth_con_setflags(context, auth_context,
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* length */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* version == 0x0001 big-endian */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* ap_req length, big-endian */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* ap-req data */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* krb-priv of password */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if(cipherpw.data != NULL) /* allocated by krb5_mk_priv */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtbkrb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan /* Solaris Kerberos */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* either this, or the server is printing bad messages,
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb or the caller passed in garbage */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* verify length */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * MS KDCs *may* send back a KRB_ERROR. Although
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * not 100% correct via RFC3244, it's something
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * we can workaround here.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan if ((ret = krb5_rd_error(context, packet, &krberror)))
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan /* Solaris Kerberos */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* verify version number */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* read, check ap-rep length */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if (ptr + ap_rep.length >= packet->data + packet->length)
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* verify ap_rep */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb * Save send_subkey to later smash recv_subkey.
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* extract and decrypt the result */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb cipherresult.length = (packet->data + packet->length) - ptr;
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb * Smash recv_subkey to be send_subkey, per spec.
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb cipherresult.length = (packet->data + packet->length) - ptr;
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb /* all success replies should be authenticated/encrypted */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) {
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb result_data->length = (clearresult.data + clearresult.length) - ptr;
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb result_data->data = (char *) malloc(result_data->length);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtbkrb5_chpw_result_code_string(krb5_context context, int result_code, char **code_string)
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb return(0);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if ((ret = krb5_auth_con_setflags(context, auth_context,
ba7b222e36bac28710a7f43739283302b617e7f5Glenn Barry ret = encode_krb5_setpw_req(&req, &encoded_setpw);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if ( (ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** build the packet -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb/* put in the length */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb/* put in the version */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb/* the ap_req length is big endian */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb/* put in the request data */
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** put in the "private" password data -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtbkrb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet,
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** validate the packet length -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** see if it is an error
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb krberror->e_data.data = NULL; /*So we can free it later*/
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb } else { /* Not an error*/
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** validate the message length -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** length is big endian
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** make sure the message length and packet length agree -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** get the version number -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** make sure we support the version returned -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** set password version is 0xff80, change password version is 1
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan if (version_number != 1 && version_number != 0xff80)
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** now fill in ap_rep with the reply -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** get the reply length -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** validate ap_rep length agrees with the packet length -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if (ptr + ap_rep.length >= packet->data + packet->length)
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** if data was returned, set the ap_rep ptr -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb * Save send_subkey to later smash recv_subkey.
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** now decrypt the result -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb cipherresult.length = (packet->data + packet->length) - ptr;
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb * Smash recv_subkey to be send_subkey, per spec.
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb } /*We got an ap_rep*/
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb } /*Response instead of error*/
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** validate the cleartext length
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** now decode the result -
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** result code 5 is access denied
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5))
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb** all success replies should be authenticated/encrypted
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) )
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb result_data->length = (clearresult.data + clearresult.length) - ptr;
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb result_data->data = (char *) malloc(result_data->length);
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtbkrb5int_setpw_result_code_string( krb5_context context, int result_code, const char **code_string )
10db1377dafab8ba3feedef26db9c5d8539a5cd1gtb return(0);