search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #174 from abhinav-upadhyay/fix-krb5.conf.5
[heimdal.git] / lib / kadm5 / chpass_s.c
blob4b873ed782ecf6d740eba0dc5890885fb00acfe9
1 /*
2 * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kadm5_locl.h"
35
36 RCSID("$Id$");
37
38 static kadm5_ret_t
39 change(void *server_handle,
40 krb5_principal princ,
41 int keepold,
42 int n_ks_tuple,
43 krb5_key_salt_tuple *ks_tuple,
44 const char *password,
45 int cond)
46 {
47 kadm5_server_context *context = server_handle;
48 hdb_entry_ex ent;
49 kadm5_ret_t ret;
50 Key *keys;
51 size_t num_keys;
52 int existsp = 0;
53
54 memset(&ent, 0, sizeof(ent));
55 if (!context->keep_open) {
56 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
57 if(ret)
58 return ret;
59 }
60
61 ret = kadm5_log_init(context);
62 if (ret)
63 goto out;
64
65 ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
66 HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
67 if(ret)
68 goto out;
69
70 if (keepold || cond) {
71 /*
72 * We save these for now so we can handle password history checking;
73 * we handle keepold further below.
74 */
75 ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
76 if (ret)
77 goto out;
78 }
79
80 if (context->db->hdb_capability_flags & HDB_CAP_F_HANDLE_PASSWORDS) {
81 ret = context->db->hdb_password(context->context, context->db,
82 &ent, password, cond);
83 if (ret)
84 goto out2;
85 } else {
86
87 num_keys = ent.entry.keys.len;
88 keys = ent.entry.keys.val;
89
90 ent.entry.keys.len = 0;
91 ent.entry.keys.val = NULL;
92
93 ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple,
94 password);
95 if(ret) {
96 _kadm5_free_keys(context->context, num_keys, keys);
97 goto out2;
98 }
99 _kadm5_free_keys(context->context, num_keys, keys);
100
101 if (cond) {
102 HDB_extension *ext;
103
104 ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys);
105 if (ext != NULL)
106 existsp = _kadm5_exists_keys_hist(ent.entry.keys.val,
107 ent.entry.keys.len,
108 &ext->data.u.hist_keys);
109 }
110
111 if (existsp) {
112 ret = KADM5_PASS_REUSE;
113 krb5_set_error_message(context->context, ret,
114 "Password reuse forbidden");
115 goto out2;
116 }
117 }
118 ent.entry.kvno++;
119
120 ent.entry.flags.require_pwchange = 0;
121
122 if (!keepold) {
123 HDB_extension ext;
124
125 memset(&ext, 0, sizeof (ext));
126 ext.mandatory = FALSE;
127 ext.data.element = choice_HDB_extension_data_hist_keys;
128 ret = hdb_replace_extension(context->context, &ent.entry, &ext);
129 if (ret)
130 goto out2;
131 }
132
133 ret = hdb_seal_keys(context->context, context->db, &ent.entry);
134 if (ret)
135 goto out2;
136
137 ret = _kadm5_set_modifier(context, &ent.entry);
138 if(ret)
139 goto out2;
140
141 ret = _kadm5_bump_pw_expire(context, &ent.entry);
142 if (ret)
143 goto out2;
144
145 /* This logs the change for iprop and writes to the HDB */
146 ret = kadm5_log_modify(context, &ent.entry,
147 KADM5_ATTRIBUTES | KADM5_PRINCIPAL |
148 KADM5_MOD_NAME | KADM5_MOD_TIME |
149 KADM5_KEY_DATA | KADM5_KVNO |
150 KADM5_PW_EXPIRATION | KADM5_TL_DATA);
151
152 out2:
153 hdb_free_entry(context->context, &ent);
154 out:
155 (void) kadm5_log_end(context);
156 if (!context->keep_open) {
157 kadm5_ret_t ret2;
158 ret2 = context->db->hdb_close(context->context, context->db);
159 if (ret == 0 && ret2 != 0)
160 ret = ret2;
161 }
162 return _kadm5_error_code(ret);
163 }
164
165
166
167 /*
168 * change the password of `princ' to `password' if it's not already that.
169 */
170
171 kadm5_ret_t
172 kadm5_s_chpass_principal_cond(void *server_handle,
173 krb5_principal princ,
174 int keepold,
175 const char *password)
176 {
177 return change (server_handle, princ, keepold, 0, NULL, password, 1);
178 }
179
180 /*
181 * change the password of `princ' to `password'
182 */
183
184 kadm5_ret_t
185 kadm5_s_chpass_principal(void *server_handle,
186 krb5_principal princ,
187 int keepold,
188 int n_ks_tuple,
189 krb5_key_salt_tuple *ks_tuple,
190 const char *password)
191 {
192 return change (server_handle, princ, keepold,
193 n_ks_tuple, ks_tuple, password, 0);
194 }
195
196 /*
197 * change keys for `princ' to `keys'
198 */
199
200 kadm5_ret_t
201 kadm5_s_chpass_principal_with_key(void *server_handle,
202 krb5_principal princ,
203 int keepold,
204 int n_key_data,
205 krb5_key_data *key_data)
206 {
207 kadm5_server_context *context = server_handle;
208 hdb_entry_ex ent;
209 kadm5_ret_t ret;
210
211 memset(&ent, 0, sizeof(ent));
212 if (!context->keep_open) {
213 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
214 if(ret)
215 return ret;
216 }
217
218 ret = kadm5_log_init(context);
219 if (ret)
220 goto out;
221
222 ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0,
223 HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent);
224 if(ret == HDB_ERR_NOENTRY)
225 goto out;
226 if (keepold) {
227 ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
228 if (ret)
229 goto out2;
230 }
231 ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data);
232 if(ret)
233 goto out2;
234 ent.entry.kvno++;
235 ret = _kadm5_set_modifier(context, &ent.entry);
236 if(ret)
237 goto out2;
238 ret = _kadm5_bump_pw_expire(context, &ent.entry);
239 if (ret)
240 goto out2;
241
242 if (keepold) {
243 ret = hdb_seal_keys(context->context, context->db, &ent.entry);
244 if (ret)
245 goto out2;
246 } else {
247 HDB_extension ext;
248
249 memset(&ext, 0, sizeof (ext));
250 ext.mandatory = FALSE;
251 ext.data.element = choice_HDB_extension_data_hist_keys;
252 ext.data.u.hist_keys.len = 0;
253 ext.data.u.hist_keys.val = NULL;
254 hdb_replace_extension(context->context, &ent.entry, &ext);
255 }
256
257 /* This logs the change for iprop and writes to the HDB */
258 ret = kadm5_log_modify(context, &ent.entry,
259 KADM5_PRINCIPAL | KADM5_MOD_NAME |
260 KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO |
261 KADM5_PW_EXPIRATION | KADM5_TL_DATA);
262
263 out2:
264 hdb_free_entry(context->context, &ent);
265 out:
266 (void) kadm5_log_end(context);
267 if (!context->keep_open) {
268 kadm5_ret_t ret2;
269 ret2 = context->db->hdb_close(context->context, context->db);
270 if (ret == 0 && ret2 != 0)
271 ret = ret2;
272 }
273 return _kadm5_error_code(ret);
274 }
Heimdal