lib/kadm5/chpass_s.c

   1 /*
   2  * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "kadm5_locl.h"
  35
  36 RCSID("$Id$");
  37
  38 static kadm5_ret_t
  39 change(void *server_handle,
  40        krb5_principal princ,
  41        int keepold,
  42        int n_ks_tuple,
  43        krb5_key_salt_tuple *ks_tuple,
  44        const char *password,
  45        int cond)
  46 {
  47     kadm5_server_context *context = server_handle;
  48     hdb_entry_ex ent;
  49     kadm5_ret_t ret;
  50     Key *keys;
  51     size_t num_keys;
  52     int existsp = 0;
  53
  54     memset(&ent, 0, sizeof(ent));
  55     if (!context->keep_open) {
  56         ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
  57         if(ret)
  58             return ret;
  59     }
  60
  61     ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
  62                                       HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
  63     if(ret)
  64         goto out;
  65
  66     if (keepold || cond) {
  67         /*
  68          * We save these for now so we can handle password history checking;
  69          * we handle keepold further below.
  70          */
  71         ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
  72         if (ret)
  73             goto out;
  74     }
  75
  76     if (context->db->hdb_capability_flags & HDB_CAP_F_HANDLE_PASSWORDS) {
  77         ret = context->db->hdb_password(context->context, context->db,
  78                                         &ent, password, cond);
  79         if (ret)
  80             goto out2;
  81     } else {
  82
  83         num_keys = ent.entry.keys.len;
  84         keys     = ent.entry.keys.val;
  85
  86         ent.entry.keys.len = 0;
  87         ent.entry.keys.val = NULL;
  88
  89         ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple,
  90                               password);
  91         if(ret) {
  92             _kadm5_free_keys(context->context, num_keys, keys);
  93             goto out2;
  94         }
  95         _kadm5_free_keys(context->context, num_keys, keys);
  96
  97         if (cond) {
  98             HDB_extension *ext;
  99
 100             ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys);
 101             if (ext != NULL)
 102                 existsp = _kadm5_exists_keys_hist(ent.entry.keys.val,
 103                                                   ent.entry.keys.len,
 104                                                   &ext->data.u.hist_keys);
 105         }
 106
 107         if (existsp) {
 108             ret = KADM5_PASS_REUSE;
 109             krb5_set_error_message(context->context, ret,
 110                                    "Password reuse forbidden");
 111             goto out2;
 112         }
 113     }
 114     ent.entry.kvno++;
 115
 116     ent.entry.flags.require_pwchange = 0;
 117
 118     if (!keepold) {
 119         HDB_extension ext;
 120
 121         memset(&ext, 0, sizeof (ext));
 122         ext.data.element = choice_HDB_extension_data_hist_keys;
 123         ret = hdb_replace_extension(context->context, &ent.entry, &ext);
 124         if (ret)
 125             goto out2;
 126     }
 127
 128     ret = hdb_seal_keys(context->context, context->db, &ent.entry);
 129     if (ret)
 130         goto out2;
 131
 132     ret = _kadm5_set_modifier(context, &ent.entry);
 133     if(ret)
 134         goto out2;
 135
 136     ret = _kadm5_bump_pw_expire(context, &ent.entry);
 137     if (ret)
 138         goto out2;
 139
 140     ret = context->db->hdb_store(context->context, context->db,
 141                                  HDB_F_REPLACE, &ent);
 142     if (ret)
 143         goto out2;
 144
 145     kadm5_log_modify(context, &ent.entry,
 146                      KADM5_ATTRIBUTES | KADM5_PRINCIPAL | KADM5_MOD_NAME |
 147                      KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO |
 148                      KADM5_PW_EXPIRATION | KADM5_TL_DATA);
 149
 150 out2:
 151     hdb_free_entry(context->context, &ent);
 152 out:
 153     if (!context->keep_open)
 154         context->db->hdb_close(context->context, context->db);
 155     return _kadm5_error_code(ret);
 156 }
 157
 158
 159
 160 /*
 161  * change the password of `princ' to `password' if it's not already that.
 162  */
 163
 164 kadm5_ret_t
 165 kadm5_s_chpass_principal_cond(void *server_handle,
 166                               krb5_principal princ,
 167                               int keepold,
 168                               const char *password)
 169 {
 170     return change (server_handle, princ, keepold, 0, NULL, password, 1);
 171 }
 172
 173 /*
 174  * change the password of `princ' to `password'
 175  */
 176
 177 kadm5_ret_t
 178 kadm5_s_chpass_principal(void *server_handle,
 179                          krb5_principal princ,
 180                          int keepold,
 181                          int n_ks_tuple,
 182                          krb5_key_salt_tuple *ks_tuple,
 183                          const char *password)
 184 {
 185     return change (server_handle, princ, keepold,
 186         n_ks_tuple, ks_tuple, password, 0);
 187 }
 188
 189 /*
 190  * change keys for `princ' to `keys'
 191  */
 192
 193 kadm5_ret_t
 194 kadm5_s_chpass_principal_with_key(void *server_handle,
 195                                   krb5_principal princ,
 196                                   int keepold,
 197                                   int n_key_data,
 198                                   krb5_key_data *key_data)
 199 {
 200     kadm5_server_context *context = server_handle;
 201     hdb_entry_ex ent;
 202     kadm5_ret_t ret;
 203
 204     memset(&ent, 0, sizeof(ent));
 205     if (!context->keep_open) {
 206         ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
 207         if(ret)
 208             return ret;
 209     }
 210     ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0,
 211                                       HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent);
 212     if(ret == HDB_ERR_NOENTRY)
 213         goto out;
 214     if (keepold) {
 215         ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
 216         if (ret)
 217             goto out2;
 218     }
 219     ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data);
 220     if(ret)
 221         goto out2;
 222     ent.entry.kvno++;
 223     ret = _kadm5_set_modifier(context, &ent.entry);
 224     if(ret)
 225         goto out2;
 226     ret = _kadm5_bump_pw_expire(context, &ent.entry);
 227     if (ret)
 228         goto out2;
 229
 230     if (keepold) {
 231         ret = hdb_seal_keys(context->context, context->db, &ent.entry);
 232         if (ret)
 233             goto out2;
 234     } else {
 235         HDB_extension ext;
 236
 237         memset(&ext, 0, sizeof (ext));
 238         ext.data.element = choice_HDB_extension_data_hist_keys;
 239         ext.data.u.hist_keys.len = 0;
 240         ext.data.u.hist_keys.val = NULL;
 241         hdb_replace_extension(context->context, &ent.entry, &ext);
 242     }
 243
 244
 245     ret = context->db->hdb_store(context->context, context->db,
 246                                  HDB_F_REPLACE, &ent);
 247     if (ret)
 248         goto out2;
 249
 250     kadm5_log_modify (context,
 251                       &ent.entry,
 252                       KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
 253                       KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION |
 254                       KADM5_TL_DATA);
 255
 256 out2:
 257     hdb_free_entry(context->context, &ent);
 258 out:
 259     if (!context->keep_open)
 260         context->db->hdb_close(context->context, context->db);
 261     return _kadm5_error_code(ret);
 262 }