1/* 2 * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "kadm5_locl.h" 35 36RCSID("$Id$"); 37 38static kadm5_ret_t 39change(void *server_handle, 40 krb5_principal princ, 41 const char *password, 42 int cond) 43{ 44 kadm5_server_context *context = server_handle; 45 hdb_entry_ex ent; 46 kadm5_ret_t ret; 47 Key *keys; 48 size_t num_keys; 49 int existsp = 0; 50 51 memset(&ent, 0, sizeof(ent)); 52 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 53 if(ret) 54 return ret; 55 56 ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 57 HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent); 58 if(ret) 59 goto out; 60 61 if (context->db->hdb_capability_flags & HDB_CAP_F_HANDLE_PASSWORDS) { 62 ret = context->db->hdb_password(context->context, context->db, 63 &ent, password, cond); 64 if (ret) 65 goto out2; 66 } else { 67 68 num_keys = ent.entry.keys.len; 69 keys = ent.entry.keys.val; 70 71 ent.entry.keys.len = 0; 72 ent.entry.keys.val = NULL; 73 74 ret = _kadm5_set_keys(context, &ent.entry, password); 75 if(ret) { 76 _kadm5_free_keys (context->context, num_keys, keys); 77 goto out2; 78 } 79 80 if (cond) 81 existsp = _kadm5_exists_keys (ent.entry.keys.val, 82 ent.entry.keys.len, 83 keys, num_keys); 84 _kadm5_free_keys (context->context, num_keys, keys); 85 86 if (existsp) { 87 ret = KADM5_PASS_REUSE; 88 krb5_set_error_message(context->context, ret, 89 "Password reuse forbidden"); 90 goto out2; 91 } 92 93 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 94 if (ret) 95 goto out2; 96 } 97 ent.entry.kvno++; 98 99 ret = _kadm5_set_modifier(context, &ent.entry); 100 if(ret) 101 goto out2; 102 103 ret = _kadm5_bump_pw_expire(context, &ent.entry); 104 if (ret) 105 goto out2; 106 107 ret = context->db->hdb_store(context->context, context->db, 108 HDB_F_REPLACE, &ent); 109 if (ret) 110 goto out2; 111 112 kadm5_log_modify (context, 113 &ent.entry, 114 KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | 115 KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION | 116 KADM5_TL_DATA); 117 118out2: 119 hdb_free_entry(context->context, &ent); 120out: 121 context->db->hdb_close(context->context, context->db); 122 return _kadm5_error_code(ret); 123} 124 125 126 127/* 128 * change the password of `princ' to `password' if it's not already that. 129 */ 130 131kadm5_ret_t 132kadm5_s_chpass_principal_cond(void *server_handle, 133 krb5_principal princ, 134 const char *password) 135{ 136 return change (server_handle, princ, password, 1); 137} 138 139/* 140 * change the password of `princ' to `password' 141 */ 142 143kadm5_ret_t 144kadm5_s_chpass_principal(void *server_handle, 145 krb5_principal princ, 146 const char *password) 147{ 148 return change (server_handle, princ, password, 0); 149} 150 151/* 152 * change keys for `princ' to `keys' 153 */ 154 155kadm5_ret_t 156kadm5_s_chpass_principal_with_key(void *server_handle, 157 krb5_principal princ, 158 int n_key_data, 159 krb5_key_data *key_data) 160{ 161 kadm5_server_context *context = server_handle; 162 hdb_entry_ex ent; 163 kadm5_ret_t ret; 164 165 memset(&ent, 0, sizeof(ent)); 166 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 167 if(ret) 168 return ret; 169 ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0, 170 HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent); 171 if(ret == HDB_ERR_NOENTRY) 172 goto out; 173 ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data); 174 if(ret) 175 goto out2; 176 ent.entry.kvno++; 177 ret = _kadm5_set_modifier(context, &ent.entry); 178 if(ret) 179 goto out2; 180 ret = _kadm5_bump_pw_expire(context, &ent.entry); 181 if (ret) 182 goto out2; 183 184 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 185 if (ret) 186 goto out2; 187 188 ret = context->db->hdb_store(context->context, context->db, 189 HDB_F_REPLACE, &ent); 190 if (ret) 191 goto out2; 192 193 kadm5_log_modify (context, 194 &ent.entry, 195 KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | 196 KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION | 197 KADM5_TL_DATA); 198 199out2: 200 hdb_free_entry(context->context, &ent); 201out: 202 context->db->hdb_close(context->context, context->db); 203 return _kadm5_error_code(ret); 204} 205