lib/kadm5/chpass_s.c

   1 /*
   2  * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "kadm5_locl.h"
  35
  36 RCSID("$Id$");
  37
  38 static kadm5_ret_t
  39 change(void *server_handle,
  40        krb5_principal princ,
  41        const char *password,
  42        int cond)
  43 {
  44     kadm5_server_context *context = server_handle;
  45     hdb_entry_ex ent;
  46     kadm5_ret_t ret;
  47     Key *keys;
  48     size_t num_keys;
  49     int existsp = 0;
  50
  51     memset(&ent, 0, sizeof(ent));
  52     ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
  53     if(ret)
  54         return ret;
  55
  56     ret = context->db->hdb_fetch(context->context, context->db, princ,
  57                                  HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent);
  58     if(ret)
  59         goto out;
  60
  61     if (context->db->hdb_capability_flags & HDB_CAP_F_HANDLE_PASSWORDS) {
  62         ret = context->db->hdb_password(context->context, context->db,
  63                                         &ent, password, cond);
  64         if (ret)
  65             goto out2;
  66     } else {
  67
  68         num_keys = ent.entry.keys.len;
  69         keys     = ent.entry.keys.val;
  70
  71         ent.entry.keys.len = 0;
  72         ent.entry.keys.val = NULL;
  73
  74         ret = _kadm5_set_keys(context, &ent.entry, password);
  75         if(ret) {
  76             _kadm5_free_keys (context->context, num_keys, keys);
  77             goto out2;
  78         }
  79
  80         if (cond)
  81             existsp = _kadm5_exists_keys (ent.entry.keys.val,
  82                                           ent.entry.keys.len,
  83                                           keys, num_keys);
  84         _kadm5_free_keys (context->context, num_keys, keys);
  85
  86         if (existsp) {
  87             ret = KADM5_PASS_REUSE;
  88             krb5_set_error_message(context->context, ret,
  89                                    "Password reuse forbidden");
  90             goto out2;
  91         }
  92
  93         ret = hdb_seal_keys(context->context, context->db, &ent.entry);
  94         if (ret)
  95             goto out2;
  96     }
  97     ent.entry.kvno++;
  98
  99     ret = _kadm5_set_modifier(context, &ent.entry);
 100     if(ret)
 101         goto out2;
 102
 103     ret = _kadm5_bump_pw_expire(context, &ent.entry);
 104     if (ret)
 105         goto out2;
 106
 107     ret = context->db->hdb_store(context->context, context->db,
 108                                  HDB_F_REPLACE, &ent);
 109     if (ret)
 110         goto out2;
 111
 112     kadm5_log_modify (context,
 113                       &ent.entry,
 114                       KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
 115                       KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION |
 116                       KADM5_TL_DATA);
 117
 118 out2:
 119     hdb_free_entry(context->context, &ent);
 120 out:
 121     context->db->hdb_close(context->context, context->db);
 122     return _kadm5_error_code(ret);
 123 }
 124
 125
 126
 127 /*
 128  * change the password of `princ' to `password' if it's not already that.
 129  */
 130
 131 kadm5_ret_t
 132 kadm5_s_chpass_principal_cond(void *server_handle,
 133                               krb5_principal princ,
 134                               const char *password)
 135 {
 136     return change (server_handle, princ, password, 1);
 137 }
 138
 139 /*
 140  * change the password of `princ' to `password'
 141  */
 142
 143 kadm5_ret_t
 144 kadm5_s_chpass_principal(void *server_handle,
 145                          krb5_principal princ,
 146                          const char *password)
 147 {
 148     return change (server_handle, princ, password, 0);
 149 }
 150
 151 /*
 152  * change keys for `princ' to `keys'
 153  */
 154
 155 kadm5_ret_t
 156 kadm5_s_chpass_principal_with_key(void *server_handle,
 157                                   krb5_principal princ,
 158                                   int n_key_data,
 159                                   krb5_key_data *key_data)
 160 {
 161     kadm5_server_context *context = server_handle;
 162     hdb_entry_ex ent;
 163     kadm5_ret_t ret;
 164
 165     memset(&ent, 0, sizeof(ent));
 166     ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
 167     if(ret)
 168         return ret;
 169     ret = context->db->hdb_fetch(context->context, context->db, princ,
 170                                  HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent);
 171     if(ret == HDB_ERR_NOENTRY)
 172         goto out;
 173     ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data);
 174     if(ret)
 175         goto out2;
 176     ent.entry.kvno++;
 177     ret = _kadm5_set_modifier(context, &ent.entry);
 178     if(ret)
 179         goto out2;
 180     ret = _kadm5_bump_pw_expire(context, &ent.entry);
 181     if (ret)
 182         goto out2;
 183
 184     ret = hdb_seal_keys(context->context, context->db, &ent.entry);
 185     if (ret)
 186         goto out2;
 187
 188     ret = context->db->hdb_store(context->context, context->db,
 189                                  HDB_F_REPLACE, &ent);
 190     if (ret)
 191         goto out2;
 192
 193     kadm5_log_modify (context,
 194                       &ent.entry,
 195                       KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
 196                       KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION |
 197                       KADM5_TL_DATA);
 198
 199 out2:
 200     hdb_free_entry(context->context, &ent);
 201 out:
 202     context->db->hdb_close(context->context, context->db);
 203     return _kadm5_error_code(ret);
 204 }