1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
4 * Copyright 2004-2005 by Howard Chu, Symas Corp.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
18 #ifndef SLAPD_OVER_SMBK5PWD
19 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
22 #ifdef SLAPD_OVER_SMBK5PWD
28 #include <ac/string.h>
33 /* make ASN1_MALLOC_ENCODE use our allocator */
34 #define malloc ch_malloc
37 #include <kadm5/admin.h>
40 #ifndef HDB_INTERFACE_VERSION
41 #define HDB_MASTER_KEY_SET master_key_set
43 #define HDB_MASTER_KEY_SET hdb_master_key_set
46 static krb5_context context;
47 static void *kadm_context;
48 static kadm5_config_params conf;
51 static AttributeDescription *ad_krb5Key;
52 static AttributeDescription *ad_krb5KeyVersionNumber;
53 static AttributeDescription *ad_krb5PrincipalName;
54 static ObjectClass *oc_krb5KDCEntry;
58 #include <openssl/des.h>
59 #include <openssl/md4.h>
61 static AttributeDescription *ad_sambaLMPassword;
62 static AttributeDescription *ad_sambaNTPassword;
63 static AttributeDescription *ad_sambaPwdLastSet;
64 static ObjectClass *oc_sambaSamAccount;
68 static void smbk5pwd_destroy() {
69 kadm5_destroy(kadm_context);
70 krb5_free_context(context);
75 static const char hex[] = "0123456789abcdef";
77 /* From liblutil/passwd.c... */
78 static void lmPasswd_to_key(
82 const unsigned char *lpw = (const unsigned char *)lmPasswd;
83 unsigned char *k = (unsigned char *)key;
85 /* make room for parity bits */
87 k[1] = ((lpw[0]&0x01)<<7) | (lpw[1]>>1);
88 k[2] = ((lpw[1]&0x03)<<6) | (lpw[2]>>2);
89 k[3] = ((lpw[2]&0x07)<<5) | (lpw[3]>>3);
90 k[4] = ((lpw[3]&0x0F)<<4) | (lpw[4]>>4);
91 k[5] = ((lpw[4]&0x1F)<<3) | (lpw[5]>>5);
92 k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6);
93 k[7] = ((lpw[6]&0x7F)<<1);
95 des_set_odd_parity( key );
102 const char in[HASHLEN],
110 out->bv_val = ch_malloc(HASHLEN*2 + 1);
111 out->bv_len = HASHLEN*2;
114 b = (unsigned char *)in;
115 for (i=0; i<HASHLEN; i++) {
117 *a++ = hex[*b++ & 0x0f];
123 struct berval *passwd,
127 char UcasePassword[15];
129 des_key_schedule schedule;
130 des_cblock StdText = "KGS!@#$%";
133 strncpy( UcasePassword, passwd->bv_val, 14 );
134 UcasePassword[14] = '\0';
135 ldap_pvt_str2upper( UcasePassword );
137 lmPasswd_to_key( UcasePassword, &key );
138 des_set_key_unchecked( &key, schedule );
139 des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
141 lmPasswd_to_key( &UcasePassword[7], &key );
142 des_set_key_unchecked( &key, schedule );
143 des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
145 hexify( (char *)hbuf, hash );
149 struct berval *passwd,
153 /* Windows currently only allows 14 character passwords, but
154 * may support up to 256 in the future. We assume this means
155 * 256 UCS2 characters, not 256 bytes...
161 if (passwd->bv_len > MAX_PWLEN*2)
162 passwd->bv_len = MAX_PWLEN*2;
165 MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
166 MD4_Final( (unsigned char *)hbuf, &ctx );
168 hexify( hbuf, hash );
170 #endif /* DO_SAMBA */
174 static int smbk5pwd_op_cleanup(
180 /* clear out the current key */
181 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
184 /* free the callback */
186 op->o_callback = cb->sc_next;
187 op->o_tmpfree( cb, op->o_tmpmemctx );
191 static int smbk5pwd_op_bind(
195 /* If this is a simple Bind, stash the Op pointer so our chk
196 * function can find it. Set a cleanup callback to clear it
197 * out when the Bind completes.
199 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
201 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op,
203 cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
204 cb->sc_cleanup = smbk5pwd_op_cleanup;
205 cb->sc_next = op->o_callback;
208 return SLAP_CB_CONTINUE;
211 static LUTIL_PASSWD_CHK_FUNC k5key_chk;
212 static LUTIL_PASSWD_HASH_FUNC k5key_hash;
213 static const struct berval k5key_scheme = BER_BVC("{K5KEY}");
215 /* This password scheme stores no data in the userPassword attribute
216 * other than the scheme name. It assumes the invoking entry is a
217 * krb5KDCentry and compares the passed-in credentials against the
218 * krb5Key attribute. The krb5Key may be multi-valued, but they are
219 * simply multiple keytypes generated from the same input string, so
220 * only the first value needs to be compared here.
222 * Since the lutil_passwd API doesn't pass the Entry object in, we
223 * have to fetch it ourselves in order to get access to the other
224 * attributes. We accomplish this with the help of the overlay's Bind
225 * function, which stores the current Operation pointer in thread-specific
226 * storage so we can retrieve it here. The Operation provides all
227 * the necessary context for us to get Entry from the database.
229 static int k5key_chk(
230 const struct berval *sc,
231 const struct berval *passwd,
232 const struct berval *cred,
245 /* Find our thread context, find our Operation */
246 ctx = ldap_pvt_thread_pool_context();
248 if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, (void **)&op, NULL ) ||
250 return LUTIL_PASSWD_ERR;
252 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
253 if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
255 rc = LUTIL_PASSWD_ERR;
260 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
263 memset( &ent, 0, sizeof(ent) );
264 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
266 krb5_get_pw_salt( context, ent.principal, &salt );
267 krb5_free_principal( context, ent.principal );
269 a = attr_find( e->e_attrs, ad_krb5Key );
273 ent.keys.val = &ekey;
274 decode_Key((unsigned char *) a->a_vals[0].bv_val,
275 (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l);
276 if ( db->HDB_MASTER_KEY_SET )
277 hdb_unseal_keys( context, db, &ent );
279 krb5_string_to_key_salt( context, ekey.key.keytype, cred->bv_val,
282 krb5_free_salt( context, salt );
284 if ( memcmp( ekey.key.keyvalue.data, key.keyvalue.data,
285 key.keyvalue.length ) == 0 ) rc = LUTIL_PASSWD_OK;
287 krb5_free_keyblock_contents( context, &key );
288 krb5_free_keyblock_contents( context, &ekey.key );
291 be_entry_release_r( op, e );
295 static int k5key_hash(
296 const struct berval *scheme,
297 const struct berval *passwd,
301 ber_dupbv( hash, (struct berval *)&k5key_scheme );
302 return LUTIL_PASSWD_OK;
306 static int smbk5pwd_exop_passwd(
311 req_pwdexop_s *qpw = &op->oq_pwdexop;
315 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
317 /* Not the operation we expected, pass it on... */
318 if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
319 return SLAP_CB_CONTINUE;
322 op->o_bd->bd_info = (BackendInfo *)on->on_info;
323 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
324 if ( rc != LDAP_SUCCESS ) return rc;
334 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
336 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
339 memset( &ent, 0, sizeof(ent) );
340 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
343 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
345 kvno = atoi(a->a_vals[0].bv_val);
347 /* shouldn't happen, this is a required attr */
351 ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
352 hdb_seal_keys(context, db, &ent);
353 krb5_free_principal( context, ent.principal );
355 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
357 for (i = 0; i < ent.keys.len; i++) {
361 ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
365 keys[i].bv_val = (char *)buf;
366 keys[i].bv_len = len;
368 keys[i].bv_val = NULL;
371 _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val);
373 if ( i != ent.keys.len ) {
374 ber_bvarray_free( keys );
378 ml = ch_malloc(sizeof(Modifications));
379 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
380 ml->sml_next = qpw->rs_mods;
383 ml->sml_desc = ad_krb5Key;
384 ml->sml_op = LDAP_MOD_REPLACE;
385 #ifdef SLAP_MOD_INTERNAL
386 ml->sml_flags = SLAP_MOD_INTERNAL;
388 ml->sml_values = keys;
389 ml->sml_nvalues = NULL;
391 ml = ch_malloc(sizeof(Modifications));
392 ml->sml_next = qpw->rs_mods;
395 ml->sml_desc = ad_krb5KeyVersionNumber;
396 ml->sml_op = LDAP_MOD_REPLACE;
397 #ifdef SLAP_MOD_INTERNAL
398 ml->sml_flags = SLAP_MOD_INTERNAL;
400 ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
401 ml->sml_values[0].bv_val = ch_malloc( 64 );
402 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
404 ml->sml_values[1].bv_val = NULL;
405 ml->sml_values[1].bv_len = 0;
406 ml->sml_nvalues = NULL;
412 if ( is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
419 /* Expand incoming UTF8 string to UCS4 */
420 l = ldap_utf8_chars(qpw->rs_new.bv_val);
421 wcs = ch_malloc((l+1) * sizeof(wchar_t));
423 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
425 /* Truncate UCS4 to UCS2 */
427 for (j=0; j<l; j++) {
430 *c++ = (wc >> 8) & 0xff;
433 pwd.bv_val = (char *)wcs;
436 ml = ch_malloc(sizeof(Modifications));
437 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
438 ml->sml_next = qpw->rs_mods;
441 keys = ch_malloc( 2 * sizeof(struct berval) );
442 keys[1].bv_val = NULL;
444 nthash( &pwd, keys );
446 ml->sml_desc = ad_sambaNTPassword;
447 ml->sml_op = LDAP_MOD_REPLACE;
448 #ifdef SLAP_MOD_INTERNAL
449 ml->sml_flags = SLAP_MOD_INTERNAL;
451 ml->sml_values = keys;
452 ml->sml_nvalues = NULL;
454 /* Truncate UCS2 to 8-bit ASCII */
457 for (j=1; j<l; j++) {
462 pwd.bv_val[pwd.bv_len] = '\0';
464 ml = ch_malloc(sizeof(Modifications));
465 ml->sml_next = qpw->rs_mods;
468 keys = ch_malloc( 2 * sizeof(struct berval) );
469 keys[1].bv_val = NULL;
471 lmhash( &pwd, keys );
473 ml->sml_desc = ad_sambaLMPassword;
474 ml->sml_op = LDAP_MOD_REPLACE;
475 #ifdef SLAP_MOD_INTERNAL
476 ml->sml_flags = SLAP_MOD_INTERNAL;
478 ml->sml_values = keys;
479 ml->sml_nvalues = NULL;
483 ml = ch_malloc(sizeof(Modifications));
484 ml->sml_next = qpw->rs_mods;
487 keys = ch_malloc( 2 * sizeof(struct berval) );
488 keys[1].bv_val = NULL;
490 keys[0].bv_val = ch_malloc(16);
491 keys[0].bv_len = sprintf(keys[0].bv_val, "%d",
494 ml->sml_desc = ad_sambaPwdLastSet;
495 ml->sml_op = LDAP_MOD_REPLACE;
496 #ifdef SLAP_MOD_INTERNAL
497 ml->sml_flags = SLAP_MOD_INTERNAL;
499 ml->sml_values = keys;
500 ml->sml_nvalues = NULL;
502 #endif /* DO_SAMBA */
503 be_entry_release_r( op, e );
505 return SLAP_CB_CONTINUE;
508 static slap_overinst smbk5pwd;
510 int smbk5pwd_init() {
516 extern HDB * _kadm5_s_get_db(void *);
518 /* Make sure all of our necessary schema items are loaded */
519 oc_krb5KDCEntry = oc_find("krb5KDCEntry");
520 if ( !oc_krb5KDCEntry ) return -1;
522 rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text );
524 rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text );
526 rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text );
529 /* Initialize Kerberos context */
530 ret = krb5_init_context(&context);
535 ret = kadm5_s_init_with_password_ctx( context,
539 &conf, 0, 0, &kadm_context );
541 db = _kadm5_s_get_db(kadm_context);
545 oc_sambaSamAccount = oc_find("sambaSamAccount");
546 if ( !oc_sambaSamAccount ) return -1;
548 rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text );
550 rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text );
552 rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text );
554 #endif /* DO_SAMBA */
556 smbk5pwd.on_bi.bi_type = "smbk5pwd";
557 smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
560 smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind;
562 lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash );
565 return overlay_register( &smbk5pwd );
568 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
569 int init_module(int argc, char *argv[]) {
570 return smbk5pwd_init();
574 #endif /* defined(SLAPD_OVER_SMBK5PWD) */