1 /* 2 * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kadm5_locl.h" 35 36 RCSID("$Id$"); 37 38 static kadm5_ret_t 39 change(void *server_handle, 40 krb5_principal princ, 41 const char *password, 42 int cond) 43 { 44 kadm5_server_context *context = server_handle; 45 hdb_entry_ex ent; 46 kadm5_ret_t ret; 47 Key *keys; 48 size_t num_keys; 49 int existsp = 0; 50 51 memset(&ent, 0, sizeof(ent)); 52 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 53 if(ret) 54 return ret; 55 56 ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 57 HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent); 58 if(ret) 59 goto out; 60 61 ret = hdb_add_current_keys_to_history(context->context, &ent.entry); 62 if (ret) 63 goto out; 64 65 if (context->db->hdb_capability_flags & HDB_CAP_F_HANDLE_PASSWORDS) { 66 ret = context->db->hdb_password(context->context, context->db, 67 &ent, password, cond); 68 if (ret) 69 goto out2; 70 } else { 71 72 num_keys = ent.entry.keys.len; 73 keys = ent.entry.keys.val; 74 75 ent.entry.keys.len = 0; 76 ent.entry.keys.val = NULL; 77 78 ret = _kadm5_set_keys(context, &ent.entry, password); 79 if(ret) { 80 _kadm5_free_keys (context->context, num_keys, keys); 81 goto out2; 82 } 83 84 if (cond) 85 existsp = _kadm5_exists_keys (ent.entry.keys.val, 86 ent.entry.keys.len, 87 keys, num_keys); 88 _kadm5_free_keys (context->context, num_keys, keys); 89 90 if (existsp) { 91 ret = KADM5_PASS_REUSE; 92 krb5_set_error_message(context->context, ret, 93 "Password reuse forbidden"); 94 goto out2; 95 } 96 97 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 98 if (ret) 99 goto out2; 100 } 101 ent.entry.kvno++; 102 103 ret = _kadm5_set_modifier(context, &ent.entry); 104 if(ret) 105 goto out2; 106 107 ret = _kadm5_bump_pw_expire(context, &ent.entry); 108 if (ret) 109 goto out2; 110 111 ret = context->db->hdb_store(context->context, context->db, 112 HDB_F_REPLACE, &ent); 113 if (ret) 114 goto out2; 115 116 kadm5_log_modify (context, 117 &ent.entry, 118 KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | 119 KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION | 120 KADM5_TL_DATA); 121 122 out2: 123 hdb_free_entry(context->context, &ent); 124 out: 125 context->db->hdb_close(context->context, context->db); 126 return _kadm5_error_code(ret); 127 } 128 129 130 131 /* 132 * change the password of `princ' to `password' if it's not already that. 133 */ 134 135 kadm5_ret_t 136 kadm5_s_chpass_principal_cond(void *server_handle, 137 krb5_principal princ, 138 const char *password) 139 { 140 return change (server_handle, princ, password, 1); 141 } 142 143 /* 144 * change the password of `princ' to `password' 145 */ 146 147 kadm5_ret_t 148 kadm5_s_chpass_principal(void *server_handle, 149 krb5_principal princ, 150 const char *password) 151 { 152 return change (server_handle, princ, password, 0); 153 } 154 155 /* 156 * change keys for `princ' to `keys' 157 */ 158 159 kadm5_ret_t 160 kadm5_s_chpass_principal_with_key(void *server_handle, 161 krb5_principal princ, 162 int n_key_data, 163 krb5_key_data *key_data) 164 { 165 kadm5_server_context *context = server_handle; 166 hdb_entry_ex ent; 167 kadm5_ret_t ret; 168 169 memset(&ent, 0, sizeof(ent)); 170 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 171 if(ret) 172 return ret; 173 ret = context->db->hdb_fetch_kvno(context->context, context->db, princ, 0, 174 HDB_F_GET_ANY|HDB_F_ADMIN_DATA, &ent); 175 if(ret) 176 goto out; 177 ret = hdb_add_current_keys_to_history(context->context, &ent.entry); 178 if (ret) 179 goto out2; 180 ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data); 181 if(ret) 182 goto out2; 183 ent.entry.kvno++; 184 ret = _kadm5_set_modifier(context, &ent.entry); 185 if(ret) 186 goto out2; 187 ret = _kadm5_bump_pw_expire(context, &ent.entry); 188 if (ret) 189 goto out2; 190 191 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 192 if (ret) 193 goto out2; 194 195 ret = context->db->hdb_store(context->context, context->db, 196 HDB_F_REPLACE, &ent); 197 if (ret) 198 goto out2; 199 200 kadm5_log_modify (context, 201 &ent.entry, 202 KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | 203 KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION | 204 KADM5_TL_DATA); 205 206 out2: 207 hdb_free_entry(context->context, &ent); 208 out: 209 context->db->hdb_close(context->context, context->db); 210 return _kadm5_error_code(ret); 211 } 212