David K. Bainbridge | bd6b288 | 2021-08-26 13:31:02 +0000 | [diff] [blame] | 1 | // Package kadmin provides Kerberos administration capabilities. |
| 2 | package kadmin |
| 3 | |
| 4 | import ( |
| 5 | "github.com/jcmturner/gokrb5/v8/crypto" |
| 6 | "github.com/jcmturner/gokrb5/v8/krberror" |
| 7 | "github.com/jcmturner/gokrb5/v8/messages" |
| 8 | "github.com/jcmturner/gokrb5/v8/types" |
| 9 | ) |
| 10 | |
| 11 | // ChangePasswdMsg generate a change password request and also return the key needed to decrypt the reply. |
| 12 | func ChangePasswdMsg(cname types.PrincipalName, realm, password string, tkt messages.Ticket, sessionKey types.EncryptionKey) (r Request, k types.EncryptionKey, err error) { |
| 13 | // Create change password data struct and marshal to bytes |
| 14 | chgpasswd := ChangePasswdData{ |
| 15 | NewPasswd: []byte(password), |
| 16 | TargName: cname, |
| 17 | TargRealm: realm, |
| 18 | } |
| 19 | chpwdb, err := chgpasswd.Marshal() |
| 20 | if err != nil { |
| 21 | err = krberror.Errorf(err, krberror.KRBMsgError, "error marshaling change passwd data") |
| 22 | return |
| 23 | } |
| 24 | |
| 25 | // Generate authenticator |
| 26 | auth, err := types.NewAuthenticator(realm, cname) |
| 27 | if err != nil { |
| 28 | err = krberror.Errorf(err, krberror.KRBMsgError, "error generating new authenticator") |
| 29 | return |
| 30 | } |
| 31 | etype, err := crypto.GetEtype(sessionKey.KeyType) |
| 32 | if err != nil { |
| 33 | err = krberror.Errorf(err, krberror.KRBMsgError, "error generating subkey etype") |
| 34 | return |
| 35 | } |
| 36 | err = auth.GenerateSeqNumberAndSubKey(etype.GetETypeID(), etype.GetKeyByteSize()) |
| 37 | if err != nil { |
| 38 | err = krberror.Errorf(err, krberror.KRBMsgError, "error generating subkey") |
| 39 | return |
| 40 | } |
| 41 | k = auth.SubKey |
| 42 | |
| 43 | // Generate AP_REQ |
| 44 | APreq, err := messages.NewAPReq(tkt, sessionKey, auth) |
| 45 | if err != nil { |
| 46 | return |
| 47 | } |
| 48 | |
| 49 | // Form the KRBPriv encpart data |
| 50 | kp := messages.EncKrbPrivPart{ |
| 51 | UserData: chpwdb, |
| 52 | Timestamp: auth.CTime, |
| 53 | Usec: auth.Cusec, |
| 54 | SequenceNumber: auth.SeqNumber, |
| 55 | } |
| 56 | kpriv := messages.NewKRBPriv(kp) |
| 57 | err = kpriv.EncryptEncPart(k) |
| 58 | if err != nil { |
| 59 | err = krberror.Errorf(err, krberror.EncryptingError, "error encrypting change passwd data") |
| 60 | return |
| 61 | } |
| 62 | |
| 63 | r = Request{ |
| 64 | APREQ: APreq, |
| 65 | KRBPriv: kpriv, |
| 66 | } |
| 67 | return |
| 68 | } |