blob: db199bffcb22421163aab6854bb36b55c7e5b5b1 [file] [log] [blame]
David K. Bainbridgebd6b2882021-08-26 13:31:02 +00001// Package kadmin provides Kerberos administration capabilities.
2package kadmin
3
4import (
5 "github.com/jcmturner/gokrb5/v8/crypto"
6 "github.com/jcmturner/gokrb5/v8/krberror"
7 "github.com/jcmturner/gokrb5/v8/messages"
8 "github.com/jcmturner/gokrb5/v8/types"
9)
10
11// ChangePasswdMsg generate a change password request and also return the key needed to decrypt the reply.
12func ChangePasswdMsg(cname types.PrincipalName, realm, password string, tkt messages.Ticket, sessionKey types.EncryptionKey) (r Request, k types.EncryptionKey, err error) {
13 // Create change password data struct and marshal to bytes
14 chgpasswd := ChangePasswdData{
15 NewPasswd: []byte(password),
16 TargName: cname,
17 TargRealm: realm,
18 }
19 chpwdb, err := chgpasswd.Marshal()
20 if err != nil {
21 err = krberror.Errorf(err, krberror.KRBMsgError, "error marshaling change passwd data")
22 return
23 }
24
25 // Generate authenticator
26 auth, err := types.NewAuthenticator(realm, cname)
27 if err != nil {
28 err = krberror.Errorf(err, krberror.KRBMsgError, "error generating new authenticator")
29 return
30 }
31 etype, err := crypto.GetEtype(sessionKey.KeyType)
32 if err != nil {
33 err = krberror.Errorf(err, krberror.KRBMsgError, "error generating subkey etype")
34 return
35 }
36 err = auth.GenerateSeqNumberAndSubKey(etype.GetETypeID(), etype.GetKeyByteSize())
37 if err != nil {
38 err = krberror.Errorf(err, krberror.KRBMsgError, "error generating subkey")
39 return
40 }
41 k = auth.SubKey
42
43 // Generate AP_REQ
44 APreq, err := messages.NewAPReq(tkt, sessionKey, auth)
45 if err != nil {
46 return
47 }
48
49 // Form the KRBPriv encpart data
50 kp := messages.EncKrbPrivPart{
51 UserData: chpwdb,
52 Timestamp: auth.CTime,
53 Usec: auth.Cusec,
54 SequenceNumber: auth.SeqNumber,
55 }
56 kpriv := messages.NewKRBPriv(kp)
57 err = kpriv.EncryptEncPart(k)
58 if err != nil {
59 err = krberror.Errorf(err, krberror.EncryptingError, "error encrypting change passwd data")
60 return
61 }
62
63 r = Request{
64 APREQ: APreq,
65 KRBPriv: kpriv,
66 }
67 return
68}