1/* 2 * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "kadm5_locl.h" 35 36RCSID("$Id$"); 37 38static kadm5_ret_t 39change(void *server_handle, 40 krb5_principal princ, 41 int keepold, 42 const char *password, 43 int cond, 44 int n_ks_tuple, 45 krb5_key_salt_tuple *ks_tuple) 46{ 47 kadm5_server_context *context = server_handle; 48 hdb_entry_ex ent; 49 kadm5_ret_t ret; 50 Key *keys; 51 size_t num_keys; 52 int existsp = 0; 53 int flags; 54 unsigned int modify_flags; 55 56 memset(&ent, 0, sizeof(ent)); 57 if (!context->keep_open) { 58 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 59 if(ret) 60 return ret; 61 } 62 63 flags = HDB_F_GET_ANY|HDB_F_ADMIN_DATA; 64 if (cond) 65 flags |= HDB_F_DECRYPT; 66 67 ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, flags, 0, &ent); 68 if(ret) 69 goto out; 70 71 modify_flags = KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | 72 KADM5_KVNO | KADM5_PW_EXPIRATION | KADM5_TL_DATA; 73 74 if (keepold || cond) { 75 /* 76 * We save these for now so we can handle password history checking; 77 * we handle keepold further below. 78 */ 79 ret = hdb_add_current_keys_to_history(context->context, &ent.entry); 80 if (ret) 81 goto out; 82 } 83 84 if (context->db->hdb_capability_flags & HDB_CAP_F_HANDLE_PASSWORDS) { 85 ret = context->db->hdb_password(context->context, context->db, 86 &ent, password, 87 cond ? HDB_PWD_CONDITIONAL : 0); 88 if (ret) 89 goto out2; 90 } else { 91 92 num_keys = ent.entry.keys.len; 93 keys = ent.entry.keys.val; 94 95 ent.entry.keys.len = 0; 96 ent.entry.keys.val = NULL; 97 98 ret = _kadm5_set_keys(context, &ent.entry, password, 99 n_ks_tuple, ks_tuple); 100 if(ret) { 101 _kadm5_free_keys(context->context, (int)num_keys, keys); 102 goto out2; 103 } 104 _kadm5_free_keys(context->context, (int)num_keys, keys); 105 106 if (cond) { 107 HDB_extension *ext; 108 109 ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys); 110 if (ext != NULL) 111 existsp = _kadm5_exists_keys_hist(ent.entry.keys.val, 112 ent.entry.keys.len, 113 &ext->data.u.hist_keys); 114 } 115 116 if (existsp) { 117 ret = KADM5_PASS_REUSE; 118 krb5_set_error_message(context->context, ret, 119 "Password reuse forbidden"); 120 goto out2; 121 } 122 } 123 ent.entry.kvno++; 124 125 modify_flags |= KADM5_KEY_DATA; 126 127 if (keepold) { 128 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 129 if (ret) 130 goto out2; 131 } else { 132 HDB_extension ext; 133 134 ext.data.element = choice_HDB_extension_data_hist_keys; 135 ext.data.u.hist_keys.len = 0; 136 ext.data.u.hist_keys.val = NULL; 137 ret = hdb_replace_extension(context->context, &ent.entry, &ext); 138 if (ret) 139 goto out2; 140 } 141 142 ret = _kadm5_set_modifier(context, &ent.entry); 143 if(ret) 144 goto out2; 145 146 ret = _kadm5_bump_pw_expire(context, &ent.entry); 147 if (ret) 148 goto out2; 149 150 ret = context->db->hdb_store(context->context, context->db, 151 HDB_F_REPLACE|HDB_F_CHANGE_PASSWORD, &ent); 152 if (ret) 153 goto out2; 154 155 kadm5_log_modify(context, &ent.entry, modify_flags); 156 157out2: 158 hdb_free_entry(context->context, &ent); 159out: 160 if (!context->keep_open) 161 context->db->hdb_close(context->context, context->db); 162 return _kadm5_error_code(ret); 163} 164 165 166 167/* 168 * change the password of `princ' to `password' if it's not already that. 169 */ 170 171kadm5_ret_t 172kadm5_s_chpass_principal_cond(void *server_handle, 173 krb5_principal princ, 174 int keepold, 175 const char *password, 176 int n_ks_tuple, 177 krb5_key_salt_tuple *ks_tuple) 178{ 179 return change (server_handle, princ, keepold, password, 1, n_ks_tuple, ks_tuple); 180} 181 182/* 183 * change the password of `princ' to `password' 184 */ 185 186kadm5_ret_t 187kadm5_s_chpass_principal(void *server_handle, 188 krb5_principal princ, 189 int keepold, 190 const char *password, 191 int n_ks_tuple, 192 krb5_key_salt_tuple *ks_tuple) 193{ 194 return change (server_handle, princ, keepold, password, 0, n_ks_tuple, ks_tuple); 195} 196 197/* 198 * change keys for `princ' to `keys' 199 */ 200 201kadm5_ret_t 202kadm5_s_chpass_principal_with_key(void *server_handle, 203 krb5_principal princ, 204 int keepold, 205 int n_key_data, 206 krb5_key_data *key_data) 207{ 208 kadm5_server_context *context = server_handle; 209 hdb_entry_ex ent; 210 kadm5_ret_t ret; 211 212 memset(&ent, 0, sizeof(ent)); 213 if (!context->keep_open) { 214 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 215 if(ret) 216 return ret; 217 } 218 ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0, 219 HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent); 220 if(ret == HDB_ERR_NOENTRY) 221 goto out; 222 if (keepold) { 223 ret = hdb_add_current_keys_to_history(context->context, &ent.entry); 224 if (ret) 225 goto out2; 226 } 227 ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data); 228 if(ret) 229 goto out2; 230 ent.entry.kvno++; 231 ret = _kadm5_set_modifier(context, &ent.entry); 232 if(ret) 233 goto out2; 234 ret = _kadm5_bump_pw_expire(context, &ent.entry); 235 if (ret) 236 goto out2; 237 238 if (keepold) { 239 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 240 if (ret) 241 goto out2; 242 } else { 243 HDB_extension ext; 244 245 ext.data.element = choice_HDB_extension_data_hist_keys; 246 ext.data.u.hist_keys.len = 0; 247 ext.data.u.hist_keys.val = NULL; 248 hdb_replace_extension(context->context, &ent.entry, &ext); 249 } 250 251 252 ret = context->db->hdb_store(context->context, context->db, 253 HDB_F_REPLACE, &ent); 254 if (ret) 255 goto out2; 256 257 kadm5_log_modify (context, 258 &ent.entry, 259 KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | 260 KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION | 261 KADM5_TL_DATA); 262 263out2: 264 hdb_free_entry(context->context, &ent); 265out: 266 if (!context->keep_open) 267 context->db->hdb_close(context->context, context->db); 268 return _kadm5_error_code(ret); 269} 270