1 /* 2 * Copyright (c) 1997-2006 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kadm5_locl.h" 35 36 RCSID("$Id: chpass_s.c 20608 2007-05-08 07:11:48Z lha $"); 37 38 static kadm5_ret_t 39 change(void *server_handle, 40 krb5_principal princ, 41 const char *password, 42 int cond) 43 { 44 kadm5_server_context *context = server_handle; 45 hdb_entry_ex ent; 46 kadm5_ret_t ret; 47 Key *keys; 48 size_t num_keys; 49 int cmp = 1; 50 51 memset(&ent, 0, sizeof(ent)); 52 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 53 if(ret) 54 return ret; 55 ret = context->db->hdb_fetch(context->context, context->db, princ, 56 HDB_F_DECRYPT|HDB_F_GET_ANY, &ent); 57 if(ret == HDB_ERR_NOENTRY) 58 goto out; 59 60 num_keys = ent.entry.keys.len; 61 keys = ent.entry.keys.val; 62 63 ent.entry.keys.len = 0; 64 ent.entry.keys.val = NULL; 65 66 ret = _kadm5_set_keys(context, &ent.entry, password); 67 if(ret) { 68 _kadm5_free_keys (context->context, num_keys, keys); 69 goto out2; 70 } 71 ent.entry.kvno++; 72 if (cond) 73 cmp = _kadm5_cmp_keys (ent.entry.keys.val, ent.entry.keys.len, 74 keys, num_keys); 75 _kadm5_free_keys (context->context, num_keys, keys); 76 77 if (cmp == 0) { 78 krb5_set_error_string(context->context, "Password reuse forbidden"); 79 ret = KADM5_PASS_REUSE; 80 goto out2; 81 } 82 83 ret = _kadm5_set_modifier(context, &ent.entry); 84 if(ret) 85 goto out2; 86 87 ret = _kadm5_bump_pw_expire(context, &ent.entry); 88 if (ret) 89 goto out2; 90 91 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 92 if (ret) 93 goto out2; 94 95 ret = context->db->hdb_store(context->context, context->db, 96 HDB_F_REPLACE, &ent); 97 if (ret) 98 goto out2; 99 100 kadm5_log_modify (context, 101 &ent.entry, 102 KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | 103 KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION | 104 KADM5_TL_DATA); 105 106 out2: 107 hdb_free_entry(context->context, &ent); 108 out: 109 context->db->hdb_close(context->context, context->db); 110 return _kadm5_error_code(ret); 111 } 112 113 114 115 /* 116 * change the password of `princ' to `password' if it's not already that. 117 */ 118 119 kadm5_ret_t 120 kadm5_s_chpass_principal_cond(void *server_handle, 121 krb5_principal princ, 122 const char *password) 123 { 124 return change (server_handle, princ, password, 1); 125 } 126 127 /* 128 * change the password of `princ' to `password' 129 */ 130 131 kadm5_ret_t 132 kadm5_s_chpass_principal(void *server_handle, 133 krb5_principal princ, 134 const char *password) 135 { 136 return change (server_handle, princ, password, 0); 137 } 138 139 /* 140 * change keys for `princ' to `keys' 141 */ 142 143 kadm5_ret_t 144 kadm5_s_chpass_principal_with_key(void *server_handle, 145 krb5_principal princ, 146 int n_key_data, 147 krb5_key_data *key_data) 148 { 149 kadm5_server_context *context = server_handle; 150 hdb_entry_ex ent; 151 kadm5_ret_t ret; 152 153 memset(&ent, 0, sizeof(ent)); 154 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 155 if(ret) 156 return ret; 157 ret = context->db->hdb_fetch(context->context, context->db, princ, 158 HDB_F_GET_ANY, &ent); 159 if(ret == HDB_ERR_NOENTRY) 160 goto out; 161 ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data); 162 if(ret) 163 goto out2; 164 ent.entry.kvno++; 165 ret = _kadm5_set_modifier(context, &ent.entry); 166 if(ret) 167 goto out2; 168 ret = _kadm5_bump_pw_expire(context, &ent.entry); 169 if (ret) 170 goto out2; 171 172 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 173 if (ret) 174 goto out2; 175 176 ret = context->db->hdb_store(context->context, context->db, 177 HDB_F_REPLACE, &ent); 178 if (ret) 179 goto out2; 180 181 kadm5_log_modify (context, 182 &ent.entry, 183 KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | 184 KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION | 185 KADM5_TL_DATA); 186 187 out2: 188 hdb_free_entry(context->context, &ent); 189 out: 190 context->db->hdb_close(context->context, context->db); 191 return _kadm5_error_code(ret); 192 } 193