2 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
38 #define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0)
39 #define set_null(X) do { if((X) != NULL) free((X)); (X) = NULL; } while (0)
42 attr_to_flags(unsigned attr
, HDBFlags
*flags
)
44 flags
->postdate
= !(attr
& KRB5_KDB_DISALLOW_POSTDATED
);
45 flags
->forwardable
= !(attr
& KRB5_KDB_DISALLOW_FORWARDABLE
);
46 flags
->initial
= !!(attr
& KRB5_KDB_DISALLOW_TGT_BASED
);
47 flags
->renewable
= !(attr
& KRB5_KDB_DISALLOW_RENEWABLE
);
48 flags
->proxiable
= !(attr
& KRB5_KDB_DISALLOW_PROXIABLE
);
50 flags
->invalid
= !!(attr
& KRB5_KDB_DISALLOW_ALL_TIX
);
51 flags
->require_preauth
= !!(attr
& KRB5_KDB_REQUIRES_PRE_AUTH
);
53 flags
->server
= !(attr
& KRB5_KDB_DISALLOW_SVR
);
54 flags
->change_pw
= !!(attr
& KRB5_KDB_PWCHANGE_SERVICE
);
55 flags
->client
= 1; /* XXX */
56 flags
->ok_as_delegate
= !!(attr
& KRB5_KDB_OK_AS_DELEGATE
);
57 flags
->trusted_for_delegation
= !!(attr
& KRB5_KDB_TRUSTED_FOR_DELEGATION
);
58 flags
->allow_kerberos4
= !!(attr
& KRB5_KDB_ALLOW_KERBEROS4
);
59 flags
->allow_digest
= !!(attr
& KRB5_KDB_ALLOW_DIGEST
);
63 * Modify the `ent' according to `tl_data'.
67 perform_tl_data(krb5_context context
,
70 const krb5_tl_data
*tl_data
)
74 if (tl_data
->tl_data_type
== KRB5_TL_PASSWORD
) {
75 heim_utf8_string pw
= tl_data
->tl_data_contents
;
77 if (pw
[tl_data
->tl_data_length
] != '\0')
78 return KADM5_BAD_TL_TYPE
;
80 ret
= hdb_entry_set_password(context
, db
, &ent
->entry
, pw
);
82 } else if (tl_data
->tl_data_type
== KRB5_TL_LAST_PWD_CHANGE
) {
86 if (tl_data
->tl_data_length
!= 4)
87 return KADM5_BAD_TL_TYPE
;
89 s
= tl_data
->tl_data_contents
;
91 t
= s
[0] | (s
[1] << 8) | (s
[2] << 16) | (s
[3] << 24);
93 ret
= hdb_entry_set_pw_change_time(context
, &ent
->entry
, t
);
95 } else if (tl_data
->tl_data_type
== KRB5_TL_EXTENSION
) {
98 ret
= decode_HDB_extension(tl_data
->tl_data_contents
,
99 tl_data
->tl_data_length
,
103 return KADM5_BAD_TL_TYPE
;
105 ret
= hdb_replace_extension(context
, &ent
->entry
, &ext
);
106 free_HDB_extension(&ext
);
108 return KADM5_BAD_TL_TYPE
;
115 * Create the hdb entry `ent' based on data from `princ' with
116 * `princ_mask' specifying what fields to be gotten from there and
117 * `mask' specifying what fields we want filled in.
121 _kadm5_setup_entry(kadm5_server_context
*context
,
124 kadm5_principal_ent_t princ
,
126 kadm5_principal_ent_t def
,
129 if(mask
& KADM5_PRINC_EXPIRE_TIME
130 && princ_mask
& KADM5_PRINC_EXPIRE_TIME
) {
131 if (princ
->princ_expire_time
)
132 set_value(ent
->entry
.valid_end
, princ
->princ_expire_time
);
134 set_null(ent
->entry
.valid_end
);
136 if(mask
& KADM5_PW_EXPIRATION
137 && princ_mask
& KADM5_PW_EXPIRATION
) {
138 if (princ
->pw_expiration
)
139 set_value(ent
->entry
.pw_end
, princ
->pw_expiration
);
141 set_null(ent
->entry
.pw_end
);
143 if(mask
& KADM5_ATTRIBUTES
) {
144 if (princ_mask
& KADM5_ATTRIBUTES
) {
145 attr_to_flags(princ
->attributes
, &ent
->entry
.flags
);
146 } else if(def_mask
& KADM5_ATTRIBUTES
) {
147 attr_to_flags(def
->attributes
, &ent
->entry
.flags
);
148 ent
->entry
.flags
.invalid
= 0;
150 ent
->entry
.flags
.client
= 1;
151 ent
->entry
.flags
.server
= 1;
152 ent
->entry
.flags
.forwardable
= 1;
153 ent
->entry
.flags
.proxiable
= 1;
154 ent
->entry
.flags
.renewable
= 1;
155 ent
->entry
.flags
.postdate
= 1;
158 if(mask
& KADM5_MAX_LIFE
) {
159 if(princ_mask
& KADM5_MAX_LIFE
) {
161 set_value(ent
->entry
.max_life
, princ
->max_life
);
163 set_null(ent
->entry
.max_life
);
164 } else if(def_mask
& KADM5_MAX_LIFE
) {
166 set_value(ent
->entry
.max_life
, def
->max_life
);
168 set_null(ent
->entry
.max_life
);
172 && princ_mask
& KADM5_KVNO
)
173 ent
->entry
.kvno
= princ
->kvno
;
174 if(mask
& KADM5_MAX_RLIFE
) {
175 if(princ_mask
& KADM5_MAX_RLIFE
) {
176 if(princ
->max_renewable_life
)
177 set_value(ent
->entry
.max_renew
, princ
->max_renewable_life
);
179 set_null(ent
->entry
.max_renew
);
180 } else if(def_mask
& KADM5_MAX_RLIFE
) {
181 if(def
->max_renewable_life
)
182 set_value(ent
->entry
.max_renew
, def
->max_renewable_life
);
184 set_null(ent
->entry
.max_renew
);
187 if(mask
& KADM5_KEY_DATA
188 && princ_mask
& KADM5_KEY_DATA
) {
189 _kadm5_set_keys2(context
, &ent
->entry
,
190 princ
->n_key_data
, princ
->key_data
);
192 if(mask
& KADM5_TL_DATA
) {
195 for (tl
= princ
->tl_data
; tl
!= NULL
; tl
= tl
->tl_data_next
) {
197 ret
= perform_tl_data(context
->context
, context
->db
, ent
, tl
);
202 if(mask
& KADM5_FAIL_AUTH_COUNT
) {