1 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
4 * Copyright 2004-2005 by Howard Chu, Symas Corp.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
18 #ifndef SLAPD_OVER_SMBK5PWD
19 #define SLAPD_OVER_SMBK5PWD SLAPD_MOD_DYNAMIC
22 #ifdef SLAPD_OVER_SMBK5PWD
28 #include <ac/string.h>
33 /* make ASN1_MALLOC_ENCODE use our allocator */
34 #define malloc ch_malloc
37 #include <kadm5/admin.h>
40 static krb5_context context;
41 static void *kadm_context;
42 static kadm5_config_params conf;
45 static AttributeDescription *ad_krb5Key;
46 static AttributeDescription *ad_krb5KeyVersionNumber;
47 static AttributeDescription *ad_krb5PrincipalName;
48 static ObjectClass *oc_krb5KDCEntry;
52 #include <openssl/des.h>
53 #include <openssl/md4.h>
55 static AttributeDescription *ad_sambaLMPassword;
56 static AttributeDescription *ad_sambaNTPassword;
57 static AttributeDescription *ad_sambaPwdLastSet;
58 static ObjectClass *oc_sambaSamAccount;
62 static void smbk5pwd_destroy() {
63 kadm5_destroy(kadm_context);
64 krb5_free_context(context);
69 static const char hex[] = "0123456789abcdef";
71 /* From liblutil/passwd.c... */
72 static void lmPasswd_to_key(
73 const unsigned char *lmPasswd,
76 /* make room for parity bits */
77 ((char *)key)[0] = lmPasswd[0];
78 ((char *)key)[1] = ((lmPasswd[0]&0x01)<<7) | (lmPasswd[1]>>1);
79 ((char *)key)[2] = ((lmPasswd[1]&0x03)<<6) | (lmPasswd[2]>>2);
80 ((char *)key)[3] = ((lmPasswd[2]&0x07)<<5) | (lmPasswd[3]>>3);
81 ((char *)key)[4] = ((lmPasswd[3]&0x0F)<<4) | (lmPasswd[4]>>4);
82 ((char *)key)[5] = ((lmPasswd[4]&0x1F)<<3) | (lmPasswd[5]>>5);
83 ((char *)key)[6] = ((lmPasswd[5]&0x3F)<<2) | (lmPasswd[6]>>6);
84 ((char *)key)[7] = ((lmPasswd[6]&0x7F)<<1);
86 des_set_odd_parity( key );
93 const char in[HASHLEN],
101 out->bv_val = ch_malloc(HASHLEN*2 + 1);
102 out->bv_len = HASHLEN*2;
105 b = (unsigned char *)in;
106 for (i=0; i<HASHLEN; i++) {
108 *a++ = hex[*b++ & 0x0f];
114 struct berval *passwd,
118 char UcasePassword[15];
120 des_key_schedule schedule;
121 des_cblock StdText = "KGS!@#$%";
124 strncpy( UcasePassword, passwd->bv_val, 14 );
125 UcasePassword[14] = '\0';
126 ldap_pvt_str2upper( UcasePassword );
128 lmPasswd_to_key( UcasePassword, &key );
129 des_set_key_unchecked( &key, schedule );
130 des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
132 lmPasswd_to_key( &UcasePassword[7], &key );
133 des_set_key_unchecked( &key, schedule );
134 des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
136 hexify( (char *)hbuf, hash );
140 struct berval *passwd,
144 /* Windows currently only allows 14 character passwords, but
145 * may support up to 256 in the future. We assume this means
146 * 256 UCS2 characters, not 256 bytes...
152 if (passwd->bv_len > MAX_PWLEN*2)
153 passwd->bv_len = MAX_PWLEN*2;
156 MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
157 MD4_Final( hbuf, &ctx );
159 hexify( hbuf, hash );
161 #endif /* DO_SAMBA */
165 static int smbk5pwd_op_cleanup(
171 /* clear out the current key */
172 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
175 /* free the callback */
177 op->o_callback = cb->sc_next;
178 op->o_tmpfree( cb, op->o_tmpmemctx );
182 static int smbk5pwd_op_bind(
186 /* If this is a simple Bind, stash the Op pointer so our chk
187 * function can find it. Set a cleanup callback to clear it
188 * out when the Bind completes.
190 if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
192 ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op,
194 cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
195 cb->sc_cleanup = smbk5pwd_op_cleanup;
196 cb->sc_next = op->o_callback;
199 return SLAP_CB_CONTINUE;
202 static LUTIL_PASSWD_CHK_FUNC k5key_chk;
203 static LUTIL_PASSWD_HASH_FUNC k5key_hash;
204 static const struct berval k5key_scheme = BER_BVC("{K5KEY}");
206 /* This password scheme stores no data in the userPassword attribute
207 * other than the scheme name. It assumes the invoking entry is a
208 * krb5KDCentry and compares the passed-in credentials against the
209 * krb5Key attribute. The krb5Key may be multi-valued, but they are
210 * simply multiple keytypes generated from the same input string, so
211 * only the first value needs to be compared here.
213 * Since the lutil_passwd API doesn't pass the Entry object in, we
214 * have to fetch it ourselves in order to get access to the other
215 * attributes. We accomplish this with the help of the overlay's Bind
216 * function, which stores the current Operation pointer in thread-specific
217 * storage so we can retrieve it here. The Operation provides all
218 * the necessary context for us to get Entry from the database.
220 static int k5key_chk(
221 const struct berval *sc,
222 const struct berval *passwd,
223 const struct berval *cred,
236 /* Find our thread context, find our Operation */
237 ctx = ldap_pvt_thread_pool_context();
239 if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, (void **)&op, NULL ) ||
241 return LUTIL_PASSWD_ERR;
243 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
244 if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
246 rc = LUTIL_PASSWD_ERR;
251 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
254 memset( &ent, 0, sizeof(ent) );
255 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
257 krb5_get_pw_salt( context, ent.principal, &salt );
258 krb5_free_principal( context, ent.principal );
260 a = attr_find( e->e_attrs, ad_krb5Key );
264 ent.keys.val = &ekey;
265 decode_Key((unsigned char *) a->a_vals[0].bv_val,
266 (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l);
267 if ( db->master_key_set )
268 hdb_unseal_keys( context, db, &ent );
270 krb5_string_to_key_salt( context, ekey.key.keytype, cred->bv_val,
273 krb5_free_salt( context, salt );
275 if ( memcmp( ekey.key.keyvalue.data, key.keyvalue.data,
276 key.keyvalue.length ) == 0 ) rc = LUTIL_PASSWD_OK;
278 krb5_free_keyblock_contents( context, &key );
279 krb5_free_keyblock_contents( context, &ekey.key );
282 be_entry_release_r( op, e );
286 static int k5key_hash(
287 const struct berval *scheme,
288 const struct berval *passwd,
292 ber_dupbv( hash, (struct berval *)&k5key_scheme );
293 return LUTIL_PASSWD_OK;
297 static int smbk5pwd_exop_passwd(
302 req_pwdexop_s *qpw = &op->oq_pwdexop;
306 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
308 /* Not the operation we expected, pass it on... */
309 if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
310 return SLAP_CB_CONTINUE;
313 op->o_bd->bd_info = (BackendInfo *)on->on_info;
314 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
315 if ( rc != LDAP_SUCCESS ) return rc;
325 if ( !is_entry_objectclass(e, oc_krb5KDCEntry, 0 ) ) break;
327 a = attr_find( e->e_attrs, ad_krb5PrincipalName );
330 memset( &ent, 0, sizeof(ent) );
331 ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
334 a = attr_find( e->e_attrs, ad_krb5KeyVersionNumber );
336 kvno = atoi(a->a_vals[0].bv_val);
338 /* shouldn't happen, this is a required attr */
342 ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
343 hdb_seal_keys(context, db, &ent);
344 krb5_free_principal( context, ent.principal );
346 keys = ch_malloc( (ent.keys.len + 1) * sizeof(struct berval));
348 for (i = 0; i < ent.keys.len; i++) {
352 ASN1_MALLOC_ENCODE(Key, buf, len, &ent.keys.val[i], &len, ret);
356 keys[i].bv_val = buf;
357 keys[i].bv_len = len;
359 keys[i].bv_val = NULL;
362 _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val);
364 if ( i != ent.keys.len ) {
365 ber_bvarray_free( keys );
369 ml = ch_malloc(sizeof(Modifications));
370 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
371 ml->sml_next = qpw->rs_mods;
374 ml->sml_desc = ad_krb5Key;
375 ml->sml_op = LDAP_MOD_REPLACE;
376 ml->sml_values = keys;
377 ml->sml_nvalues = NULL;
379 ml = ch_malloc(sizeof(Modifications));
380 ml->sml_next = qpw->rs_mods;
383 ml->sml_desc = ad_krb5KeyVersionNumber;
384 ml->sml_op = LDAP_MOD_REPLACE;
385 ml->sml_values = ch_malloc( 2 * sizeof(struct berval));
386 ml->sml_values[0].bv_val = ch_malloc( 64 );
387 ml->sml_values[0].bv_len = sprintf(ml->sml_values[0].bv_val,
389 ml->sml_values[1].bv_val = NULL;
390 ml->sml_values[1].bv_len = 0;
391 ml->sml_nvalues = NULL;
397 if ( is_entry_objectclass(e, oc_sambaSamAccount, 0 ) ) {
404 /* Expand incoming UTF8 string to UCS4 */
405 l = ldap_utf8_chars(qpw->rs_new.bv_val);
406 wcs = ch_malloc((l+1) * sizeof(wchar_t));
408 ldap_x_utf8s_to_wcs( wcs, qpw->rs_new.bv_val, l );
410 /* Truncate UCS4 to UCS2 */
412 for (j=0; j<l; j++) {
415 *c++ = (wc >> 8) & 0xff;
418 pwd.bv_val = (char *)wcs;
421 ml = ch_malloc(sizeof(Modifications));
422 if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
423 ml->sml_next = qpw->rs_mods;
426 keys = ch_malloc( 2 * sizeof(struct berval) );
427 keys[1].bv_val = NULL;
429 nthash( &pwd, keys );
431 ml->sml_desc = ad_sambaNTPassword;
432 ml->sml_op = LDAP_MOD_REPLACE;
433 ml->sml_values = keys;
434 ml->sml_nvalues = NULL;
436 /* Truncate UCS2 to 8-bit ASCII */
439 for (j=1; j<l; j++) {
444 pwd.bv_val[pwd.bv_len] = '\0';
446 ml = ch_malloc(sizeof(Modifications));
447 ml->sml_next = qpw->rs_mods;
450 keys = ch_malloc( 2 * sizeof(struct berval) );
451 keys[1].bv_val = NULL;
453 lmhash( &pwd, keys );
455 ml->sml_desc = ad_sambaLMPassword;
456 ml->sml_op = LDAP_MOD_REPLACE;
457 ml->sml_values = keys;
458 ml->sml_nvalues = NULL;
462 ml = ch_malloc(sizeof(Modifications));
463 ml->sml_next = qpw->rs_mods;
466 keys = ch_malloc( 2 * sizeof(struct berval) );
467 keys[1].bv_val = NULL;
469 keys[0].bv_val = ch_malloc(16);
470 keys[0].bv_len = sprintf(keys[0].bv_val, "%d",
473 ml->sml_desc = ad_sambaPwdLastSet;
474 ml->sml_op = LDAP_MOD_REPLACE;
475 ml->sml_values = keys;
476 ml->sml_nvalues = NULL;
478 #endif /* DO_SAMBA */
479 be_entry_release_r( op, e );
481 return SLAP_CB_CONTINUE;
484 static slap_overinst smbk5pwd;
486 int smbk5pwd_init() {
492 extern HDB * _kadm5_s_get_db(void *);
494 /* Make sure all of our necessary schema items are loaded */
495 oc_krb5KDCEntry = oc_find("krb5KDCEntry");
496 if ( !oc_krb5KDCEntry ) return -1;
498 rc = slap_str2ad( "krb5Key", &ad_krb5Key, &text );
500 rc = slap_str2ad( "krb5KeyVersionNumber", &ad_krb5KeyVersionNumber, &text );
502 rc = slap_str2ad( "krb5PrincipalName", &ad_krb5PrincipalName, &text );
505 /* Initialize Kerberos context */
506 ret = krb5_init_context(&context);
511 ret = kadm5_s_init_with_password_ctx( context,
515 &conf, 0, 0, &kadm_context );
517 db = _kadm5_s_get_db(kadm_context);
521 oc_sambaSamAccount = oc_find("sambaSamAccount");
522 if ( !oc_sambaSamAccount ) return -1;
524 rc = slap_str2ad( "sambaLMPassword", &ad_sambaLMPassword, &text );
526 rc = slap_str2ad( "sambaNTPassword", &ad_sambaNTPassword, &text );
528 rc = slap_str2ad( "sambaPwdLastSet", &ad_sambaPwdLastSet, &text );
530 #endif /* DO_SAMBA */
532 smbk5pwd.on_bi.bi_type = "smbk5pwd";
533 smbk5pwd.on_bi.bi_extended = smbk5pwd_exop_passwd;
536 smbk5pwd.on_bi.bi_op_bind = smbk5pwd_op_bind;
538 lutil_passwd_add( (struct berval *)&k5key_scheme, k5key_chk, k5key_hash );
541 return overlay_register( &smbk5pwd );
544 #if SLAPD_OVER_SMBK5PWD == SLAPD_MOD_DYNAMIC
545 int init_module(int argc, char *argv[]) {
546 return smbk5pwd_init();
550 #endif /* defined(SLAPD_OVER_SMBK5PWD) */