1 /* 2 * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kadm5_locl.h" 35 36 RCSID("$Id$"); 37 38 static kadm5_ret_t 39 get_default(kadm5_server_context *context, krb5_principal princ, 40 kadm5_principal_ent_t def) 41 { 42 kadm5_ret_t ret; 43 krb5_principal def_principal; 44 krb5_const_realm realm = krb5_principal_get_realm(context->context, princ); 45 46 ret = krb5_make_principal(context->context, &def_principal, 47 realm, "default", NULL); 48 if (ret) 49 return ret; 50 ret = kadm5_s_get_principal(context, def_principal, def, 51 KADM5_PRINCIPAL_NORMAL_MASK); 52 krb5_free_principal (context->context, def_principal); 53 return ret; 54 } 55 56 static kadm5_ret_t 57 create_principal(kadm5_server_context *context, 58 kadm5_principal_ent_t princ, 59 uint32_t mask, 60 hdb_entry_ex *ent, 61 uint32_t required_mask, 62 uint32_t forbidden_mask) 63 { 64 kadm5_ret_t ret; 65 kadm5_principal_ent_rec defrec, *defent; 66 uint32_t def_mask; 67 68 memset(ent, 0, sizeof(*ent)); 69 if((mask & required_mask) != required_mask) 70 return KADM5_BAD_MASK; 71 if((mask & forbidden_mask)) 72 return KADM5_BAD_MASK; 73 if((mask & KADM5_POLICY) && strcmp(princ->policy, "default")) 74 /* XXX no real policies for now */ 75 return KADM5_UNK_POLICY; 76 ret = krb5_copy_principal(context->context, princ->principal, 77 &ent->entry.principal); 78 if(ret) 79 return ret; 80 81 defent = &defrec; 82 ret = get_default(context, princ->principal, defent); 83 if(ret) { 84 defent = NULL; 85 def_mask = 0; 86 } else { 87 def_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE; 88 } 89 90 ret = _kadm5_setup_entry(context, 91 ent, mask | def_mask, 92 princ, mask, 93 defent, def_mask); 94 if(defent) 95 kadm5_free_principal_ent(context, defent); 96 if (ret) 97 return ret; 98 99 ent->entry.created_by.time = time(NULL); 100 101 return krb5_copy_principal(context->context, context->caller, 102 &ent->entry.created_by.principal); 103 } 104 105 kadm5_ret_t 106 kadm5_s_create_principal_with_key(void *server_handle, 107 kadm5_principal_ent_t princ, 108 uint32_t mask) 109 { 110 kadm5_ret_t ret; 111 hdb_entry_ex ent; 112 kadm5_server_context *context = server_handle; 113 114 ret = create_principal(context, princ, mask, &ent, 115 KADM5_PRINCIPAL | KADM5_KEY_DATA, 116 KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 117 | KADM5_MOD_NAME | KADM5_MKVNO 118 | KADM5_AUX_ATTRIBUTES 119 | KADM5_POLICY_CLR | KADM5_LAST_SUCCESS 120 | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT); 121 if(ret) 122 goto out; 123 124 if ((mask & KADM5_KVNO) == 0) 125 ent.entry.kvno = 1; 126 127 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 128 if (ret) 129 goto out; 130 131 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 132 if(ret) 133 goto out; 134 ret = context->db->hdb_store(context->context, context->db, 0, &ent); 135 context->db->hdb_close(context->context, context->db); 136 if (ret) 137 goto out; 138 kadm5_log_create (context, &ent.entry); 139 140 out: 141 hdb_free_entry(context->context, &ent); 142 return _kadm5_error_code(ret); 143 } 144 145 146 kadm5_ret_t 147 kadm5_s_create_principal(void *server_handle, 148 kadm5_principal_ent_t princ, 149 uint32_t mask, 150 const char *password) 151 { 152 kadm5_ret_t ret; 153 hdb_entry_ex ent; 154 kadm5_server_context *context = server_handle; 155 156 ret = create_principal(context, princ, mask, &ent, 157 KADM5_PRINCIPAL, 158 KADM5_LAST_PWD_CHANGE | KADM5_MOD_TIME 159 | KADM5_MOD_NAME | KADM5_MKVNO 160 | KADM5_AUX_ATTRIBUTES | KADM5_KEY_DATA 161 | KADM5_POLICY_CLR | KADM5_LAST_SUCCESS 162 | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT); 163 if(ret) 164 goto out; 165 166 if ((mask & KADM5_KVNO) == 0) 167 ent.entry.kvno = 1; 168 169 ent.entry.keys.len = 0; 170 ent.entry.keys.val = NULL; 171 172 ret = fbsd_ossl_provider_load(); 173 if (ret) 174 goto out; 175 176 ret = _kadm5_set_keys(context, &ent.entry, password); 177 if (ret) 178 goto out; 179 180 ret = hdb_seal_keys(context->context, context->db, &ent.entry); 181 if (ret) 182 goto out; 183 184 ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0); 185 if(ret) 186 goto out; 187 ret = context->db->hdb_store(context->context, context->db, 0, &ent); 188 context->db->hdb_close(context->context, context->db); 189 if (ret) 190 goto out; 191 192 kadm5_log_create (context, &ent.entry); 193 194 out: 195 hdb_free_entry(context->context, &ent); 196 return _kadm5_error_code(ret); 197 } 198 199