1/*
2 * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#include "kadm5_locl.h"
35
36RCSID("$Id$");
37
38static kadm5_ret_t
39change(void *server_handle,
40       krb5_principal princ,
41       int keepold,
42       const char *password,
43       int cond,
44       int n_ks_tuple,
45       krb5_key_salt_tuple *ks_tuple)
46{
47    kadm5_server_context *context = server_handle;
48    hdb_entry_ex ent;
49    kadm5_ret_t ret;
50    Key *keys;
51    size_t num_keys;
52    int existsp = 0;
53    int flags;
54    unsigned int modify_flags;
55
56    memset(&ent, 0, sizeof(ent));
57    if (!context->keep_open) {
58	ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
59	if(ret)
60	    return ret;
61    }
62
63    flags = HDB_F_GET_ANY|HDB_F_ADMIN_DATA;
64    if (cond)
65	flags |= HDB_F_DECRYPT;
66
67    ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, flags, 0, &ent);
68    if(ret)
69	goto out;
70
71    modify_flags = KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
72	KADM5_KVNO | KADM5_PW_EXPIRATION | KADM5_TL_DATA;
73
74    if (keepold || cond) {
75	/*
76	 * We save these for now so we can handle password history checking;
77	 * we handle keepold further below.
78	 */
79	ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
80	if (ret)
81	    goto out;
82    }
83
84    if (context->db->hdb_capability_flags & HDB_CAP_F_HANDLE_PASSWORDS) {
85	ret = context->db->hdb_password(context->context, context->db,
86					&ent, password,
87					cond ? HDB_PWD_CONDITIONAL : 0);
88	if (ret)
89	    goto out2;
90    } else {
91
92	num_keys = ent.entry.keys.len;
93	keys     = ent.entry.keys.val;
94
95	ent.entry.keys.len = 0;
96	ent.entry.keys.val = NULL;
97
98	ret = _kadm5_set_keys(context, &ent.entry, password,
99			      n_ks_tuple, ks_tuple);
100	if(ret) {
101	    _kadm5_free_keys(context->context, (int)num_keys, keys);
102	    goto out2;
103	}
104	_kadm5_free_keys(context->context, (int)num_keys, keys);
105
106	if (cond) {
107	    HDB_extension *ext;
108
109	    ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys);
110	    if (ext != NULL)
111		existsp = _kadm5_exists_keys_hist(ent.entry.keys.val,
112						  ent.entry.keys.len,
113						  &ext->data.u.hist_keys);
114	}
115
116	if (existsp) {
117	    ret = KADM5_PASS_REUSE;
118	    krb5_set_error_message(context->context, ret,
119				   "Password reuse forbidden");
120	    goto out2;
121	}
122    }
123    ent.entry.kvno++;
124
125    modify_flags |= KADM5_KEY_DATA;
126
127    if (keepold) {
128	ret = hdb_seal_keys(context->context, context->db, &ent.entry);
129	if (ret)
130	    goto out2;
131    } else {
132	HDB_extension ext;
133
134	ext.data.element = choice_HDB_extension_data_hist_keys;
135	ext.data.u.hist_keys.len = 0;
136	ext.data.u.hist_keys.val = NULL;
137	ret = hdb_replace_extension(context->context, &ent.entry, &ext);
138	if (ret)
139	    goto out2;
140    }
141
142    ret = _kadm5_set_modifier(context, &ent.entry);
143    if(ret)
144	goto out2;
145
146    ret = _kadm5_bump_pw_expire(context, &ent.entry);
147    if (ret)
148	goto out2;
149
150    ret = context->db->hdb_store(context->context, context->db,
151				 HDB_F_REPLACE|HDB_F_CHANGE_PASSWORD, &ent);
152    if (ret)
153	goto out2;
154
155    kadm5_log_modify(context, &ent.entry, modify_flags);
156
157out2:
158    hdb_free_entry(context->context, &ent);
159out:
160    if (!context->keep_open)
161	context->db->hdb_close(context->context, context->db);
162    return _kadm5_error_code(ret);
163}
164
165
166
167/*
168 * change the password of `princ' to `password' if it's not already that.
169 */
170
171kadm5_ret_t
172kadm5_s_chpass_principal_cond(void *server_handle,
173			      krb5_principal princ,
174			      int keepold,
175			      const char *password,
176			      int n_ks_tuple,
177			      krb5_key_salt_tuple *ks_tuple)
178{
179    return change (server_handle, princ, keepold, password, 1, n_ks_tuple, ks_tuple);
180}
181
182/*
183 * change the password of `princ' to `password'
184 */
185
186kadm5_ret_t
187kadm5_s_chpass_principal(void *server_handle,
188			 krb5_principal princ,
189			 int keepold,
190			 const char *password,
191			 int n_ks_tuple,
192			 krb5_key_salt_tuple *ks_tuple)
193{
194    return change (server_handle, princ, keepold, password, 0, n_ks_tuple, ks_tuple);
195}
196
197/*
198 * change keys for `princ' to `keys'
199 */
200
201kadm5_ret_t
202kadm5_s_chpass_principal_with_key(void *server_handle,
203				  krb5_principal princ,
204				  int keepold,
205				  int n_key_data,
206				  krb5_key_data *key_data)
207{
208    kadm5_server_context *context = server_handle;
209    hdb_entry_ex ent;
210    kadm5_ret_t ret;
211
212    memset(&ent, 0, sizeof(ent));
213    if (!context->keep_open) {
214	ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
215	if(ret)
216	    return ret;
217    }
218    ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0,
219				      HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent);
220    if(ret == HDB_ERR_NOENTRY)
221	goto out;
222    if (keepold) {
223	ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
224	if (ret)
225	    goto out2;
226    }
227    ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data);
228    if(ret)
229	goto out2;
230    ent.entry.kvno++;
231    ret = _kadm5_set_modifier(context, &ent.entry);
232    if(ret)
233	goto out2;
234    ret = _kadm5_bump_pw_expire(context, &ent.entry);
235    if (ret)
236	goto out2;
237
238    if (keepold) {
239	ret = hdb_seal_keys(context->context, context->db, &ent.entry);
240	if (ret)
241	    goto out2;
242    } else {
243	HDB_extension ext;
244
245	ext.data.element = choice_HDB_extension_data_hist_keys;
246	ext.data.u.hist_keys.len = 0;
247	ext.data.u.hist_keys.val = NULL;
248	hdb_replace_extension(context->context, &ent.entry, &ext);
249    }
250
251
252    ret = context->db->hdb_store(context->context, context->db,
253				 HDB_F_REPLACE, &ent);
254    if (ret)
255	goto out2;
256
257    kadm5_log_modify (context,
258		      &ent.entry,
259		      KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME |
260		      KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION |
261		      KADM5_TL_DATA);
262
263out2:
264    hdb_free_entry(context->context, &ent);
265out:
266    if (!context->keep_open)
267	context->db->hdb_close(context->context, context->db);
268    return _kadm5_error_code(ret);
269}
270