/*
* Copyright (c) 2001, 2012, Oracle and/or its affiliates. All rights reserved.
*/
/*
* lib/krb5/os/changepw.c
*
* Copyright 1990,1999 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*/
#define NEED_SOCKETS
#include <k5-int.h>
#include <kadm5/admin.h>
#include <client_internal.h>
#include <gssapi/gssapi.h>
#include <gssapi_krb5.h>
#include <gssapiP_krb5.h>
#include <krb5.h>
/* #include "adm_err.h" */
#include <stdio.h>
#include <errno.h>
/*
 * Hand-written prototypes for the change-password request/reply helpers.
 * They are declared here directly instead of coming from one of the
 * headers included above, and neither is called in the visible part of
 * this file.
 *
 * NOTE(review): the compiler cannot check a local extern prototype
 * against the real definition. A signature drift would be undefined
 * behaviour at the call site, so confirm these match the defining
 * translation unit or replace them with the owning header.
 */
extern krb5_error_code krb5int_mk_chpw_req(krb5_context context,
krb5_auth_context auth_context,
krb5_data *ap_req, char *passwd,
krb5_data *packet);
extern krb5_error_code krb5int_rd_chpw_rep(krb5_context context,
krb5_auth_context auth_context,
krb5_data *packet, int *result_code,
krb5_data *result_data);
/*
 * _kadm5_get_kpasswd_protocol
 *
 * Accessor for the password-change protocol recorded in a server handle.
 * Higher-level callers only ever see the handle as an opaque pointer, so
 * this lets them learn which protocol is in use without the handle
 * structure itself being exposed to them.
 *
 * handle is cast to kadm5_server_handle_t and dereferenced as-is; no
 * NULL or validity check is made here, so the caller must pass a live
 * handle.
 *
 * Returns the handle's params.kpasswd_protocol value.
 */
krb5_chgpwd_prot
_kadm5_get_kpasswd_protocol(void *handle)
{
    return (((kadm5_server_handle_t)handle)->params.kpasswd_protocol);
}
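/*
 * kadm5_chpass_principal_v2
 *
 * Prepares and sends a change-password request to a non-SEAM admin
 * server. The protocol used in this case is not based on RPCSEC_GSS;
 * the request simply goes to port 464 (udp and tcp), which is the same
 * way that MIT KRB5 1.2.1 changes passwords.
 *
 * Parameters:
 *   server_handle  opaque handle, used as a kadm5_server_handle_t; its
 *                  context, cache_name and params.realm are read.
 *   princ          client principal used to match the cached
 *                  credentials. Borrowed: it is never freed here.
 *   newpw          new password, handed to krb5_change_password().
 *   srvr_rsp_code  out: result code reported by krb5_change_password().
 *                  Written only when the request was actually attempted.
 *   srvr_msg       out: passed to krb5_change_password() as the result
 *                  string.
 *
 * Returns 0 on success, EINVAL for a missing handle or realm, ENOMEM if
 * the service name cannot be allocated, or the error code of whichever
 * krb5 call failed.
 *
 * Everything acquired here (credential cache handle, parsed server
 * principal, retrieved credentials, service name buffer) is released on
 * every exit path. The retrieved credentials carry key material for
 * kadmin/changepw, so they must not be left behind in the heap.
 */
kadm5_ret_t
kadm5_chpass_principal_v2(void *server_handle,
    krb5_principal princ,
    char *newpw,
    kadm5_ret_t *srvr_rsp_code,
    krb5_data *srvr_msg)
{
    kadm5_ret_t code;
    kadm5_server_handle_t handle = (kadm5_server_handle_t)server_handle;
    krb5_creds mcreds;
    krb5_creds ncreds;
    krb5_ccache ccache;
    size_t cpwlen;
    char *cpw_service = NULL;
    int have_ncreds = 0;
    /*
     * Start from a defined value so the caller never receives
     * indeterminate stack contents if krb5_change_password() fails
     * before storing a result code.
     */
    int tmp_rsp_code = 0;

    /* strlen() on a NULL realm is undefined; reject it up front. */
    if (handle == NULL || handle->params.realm == NULL)
        return (EINVAL);

    memset(&mcreds, 0, sizeof (mcreds));
    memset(&ncreds, 0, sizeof (ncreds));

    /*
     * The credentials have already been stored in the cache in the
     * initialization step earlier, but we don't have direct access to
     * it at this level. Derive the cache and fetch the credentials to
     * use for sending the request.
     */
    if ((code = krb5_cc_resolve(handle->context, handle->cache_name,
        &ccache)))
        return (code);

    /* set the client principal in the credential match structure */
    mcreds.client = princ;

    /*
     * set the server principal (kadmin/changepw@REALM) in the
     * credential match struct; +2 covers the '@' and the terminator.
     */
    cpwlen = strlen(KADM5_CHANGEPW_SERVICE) +
        strlen(handle->params.realm) + 2;
    cpw_service = malloc(cpwlen);
    if (cpw_service == NULL) {
        code = ENOMEM;
        goto cleanup;
    }
    (void) snprintf(cpw_service, cpwlen, "%s@%s",
        KADM5_CHANGEPW_SERVICE, handle->params.realm);

    /* generate the server principal from the name string we built */
    if ((code = krb5_parse_name(handle->context, cpw_service,
        &mcreds.server)))
        goto cleanup;

    /* Find the credentials in the cache */
    if ((code = krb5_cc_retrieve_cred(handle->context, ccache, 0, &mcreds,
        &ncreds)))
        goto cleanup;
    have_ncreds = 1;

    /* Now we have all we need to make the change request. */
    code = krb5_change_password(handle->context, &ncreds, newpw,
        &tmp_rsp_code, NULL, srvr_msg);
    if (srvr_rsp_code != NULL)
        *srvr_rsp_code = (kadm5_ret_t) tmp_rsp_code;

cleanup:
    /* Release the ticket and session key copied out of the cache. */
    if (have_ncreds)
        krb5_free_cred_contents(handle->context, &ncreds);
    /* Only the server principal is ours; mcreds.client is the caller's. */
    if (mcreds.server != NULL)
        krb5_free_principal(handle->context, mcreds.server);
    free(cpw_service);
    /* Closes this handle on the cache; the cache itself is left alone. */
    (void) krb5_cc_close(handle->context, ccache);
    return (code);
}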