xref: /illumos-gate/usr/src/cmd/krb5/kadmin/server/misc.c (revision 60a3f738d56f92ae8b80e4b62a2331c6e1f2311f)
1 #pragma ident	"%Z%%M%	%I%	%E% SMI"
2 
3 /*
4  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
5  *
6  *	Openvision retains the copyright to derivative works of
7  *	this source code.  Do *NOT* create a derivative of this
8  *	source code before consulting with your legal department.
9  *	Do *NOT* integrate *ANY* of this source code into another
10  *	product before consulting with your legal department.
11  *
12  *	For further information, read the top-level Openvision
13  *	copyright which is contained in the top-level MIT Kerberos
14  *	copyright.
15  *
16  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
17  *
18  */
19 
20 
21 /*
22  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
23  *
24  */
25 
26 #include    <kadm5/adb.h>
27 #include    <kadm5/server_internal.h>
28 #include    <krb5/kdb.h>
29 #include    "misc.h"
30 
/*
 * Function: chpass_principal_wrapper_3
 *
 * Purpose: wrapper to kadm5_chpass_principal_3 that first asks
 *	    check_min_life() whether the password may be changed yet.
 *	    A non-zero answer is returned to the caller and the password
 *	    is left untouched; otherwise kadm5_chpass_principal_3 is called.
 *
 * Arguments:
 *	server_handle	(input) handle passed to check_min_life and
 *				kadm5_chpass_principal_3
 *	principal	(input) krb5_principal whose password we are
 *				changing
 *	keepold		(input) whether to preserve old keys
 *	n_ks_tuple	(input) the number of key-salt tuples in ks_tuple
 *	ks_tuple	(input) array of tuples indicating the caller's
 *				requested enctypes/salttypes
 *	password	(input) password we are going to change to.
 *	<return value>	0 on success, error code on failure.
 *
 * Requires:
 *	kadm5_init to have been run.
 *
 * Effects:
 *	calls kadm5_chpass_principal_3 which changes the kdb and the
 *	admin db.
 *
 * Notes:
 *	The minimum-life gate lives only in this wrapper: a code path that
 *	calls kadm5_chpass_principal_3 directly is not subject to it.
 *	No caller authorization is performed here.
 *	NOTE(review): presumably the RPC dispatch layer authorizes the
 *	requester before calling this wrapper -- confirm against the caller.
 */
kadm5_ret_t
chpass_principal_wrapper_3(void *server_handle,
                           krb5_principal principal,
                           krb5_boolean keepold,
                           int n_ks_tuple,
                           krb5_key_salt_tuple *ks_tuple,
                           char *password)
{
    /* Policy gate first: refuse before any key material is modified. */
    kadm5_ret_t min_life_status = check_min_life(server_handle, principal);

    if (min_life_status != 0) {
        return min_life_status;
    }

    return kadm5_chpass_principal_3(server_handle, principal,
                                    keepold, n_ks_tuple, ks_tuple,
                                    password);
}
74 
75 
/*
 * Function: randkey_principal_wrapper_3
 *
 * Purpose: wrapper to kadm5_randkey_principal_3 which checks the
 *	    password's min. life via check_min_life() before the key is
 *	    randomized.
 *
 * Arguments:
 *	server_handle	(input) handle passed to check_min_life and
 *				kadm5_randkey_principal_3
 *	principal	(input) krb5_principal whose key we are changing
 *	keepold		(input) whether to preserve old keys
 *	n_ks_tuple	(input) the number of key-salt tuples in ks_tuple
 *	ks_tuple	(input) array of tuples indicating the caller's
 *				requested enctypes/salttypes
 *	keys		(output) new random key(s), filled in by
 *				kadm5_randkey_principal_3
 *	n_keys		(output) passed through with keys; presumably the
 *				number of entries returned -- TODO confirm
 *	<return value>	0 on success, error code on error.
 *
 * Requires:
 *	kadm5_init	 needs to be run
 *
 * Effects:
 *	calls kadm5_randkey_principal_3
 *
 * Notes:
 *	If check_min_life() fails, keys and n_keys are not written by this
 *	function; callers must not read them on a non-zero return.
 */
kadm5_ret_t
randkey_principal_wrapper_3(void *server_handle,
                            krb5_principal principal,
                            krb5_boolean keepold,
                            int n_ks_tuple,
                            krb5_key_salt_tuple *ks_tuple,
                            krb5_keyblock **keys, int *n_keys)
{
    /* Same policy gate as the password-change wrappers. */
    kadm5_ret_t min_life_status = check_min_life(server_handle, principal);

    if (min_life_status != 0) {
        return min_life_status;
    }

    return kadm5_randkey_principal_3(server_handle, principal,
                                     keepold, n_ks_tuple, ks_tuple,
                                     keys, n_keys);
}
116 
/*
 * Function: chpass_util_wrapper
 *
 * Purpose: wrapper to kadm5_chpass_principal_util that runs
 *	    check_min_life() first and returns its error, without
 *	    attempting the change, when the check fails.
 *
 * Arguments:
 *	server_handle	(input) handle passed to check_min_life and
 *				kadm5_chpass_principal_util
 *	princ		(input) krb5_principal whose password we are
 *				changing
 *	new_pw, ret_pw, msg_ret, msg_len
 *			passed unchanged to kadm5_chpass_principal_util
 *	<return value>	0 on success, error code on failure.
 *
 * Notes:
 *	msg_ret is not written by this function when check_min_life() fails.
 *	NOTE(review): msg_len is presumably the size of the buffer at
 *	msg_ret -- confirm against kadm5_chpass_principal_util's contract,
 *	since this wrapper does no bounds checking of its own.
 */
kadm5_ret_t
chpass_util_wrapper(void *server_handle, krb5_principal princ,
                    char *new_pw, char **ret_pw,
                    char *msg_ret, unsigned int msg_len)
{
    kadm5_ret_t min_life_status = check_min_life(server_handle, princ);

    if (min_life_status != 0) {
        return min_life_status;
    }

    return kadm5_chpass_principal_util(server_handle, princ,
                                       new_pw, ret_pw,
                                       msg_ret, msg_len);
}
132 
/*
 * Function: check_min_life
 *
 * Purpose: decide whether the principal's password may be changed now
 *	    under the pw_min_life of the policy attached to it.
 *
 * Arguments:
 *	server_handle	(input) used as a kadm5_server_handle_t; its
 *				context and lhandle members are read
 *	principal	(input) principal to look up
 *	<return value>	KADM5_PASS_TOOSOON when the change is refused;
 *			otherwise the error from the failing lookup or
 *			free call, or the result of the final
 *			kadm5_free_principal_ent.
 *
 * Notes:
 *	- A principal without KADM5_POLICY in aux_attributes has no
 *	  minimum life enforced here.
 *	- KRB5_KDB_REQUIRES_PWCHANGE overrides the minimum life, so a
 *	  forced password change is never rejected as too soon.
 *	- A failed policy lookup is returned as an error (fail closed):
 *	  the wrappers in this file then refuse the change.
 */
kadm5_ret_t
check_min_life(void *server_handle, krb5_principal principal)
{
    kadm5_server_handle_t   handle = server_handle;
    kadm5_principal_ent_rec princ;
    kadm5_policy_ent_rec    pol;
    kadm5_ret_t             ret;
    krb5_int32              now;
    int                     too_soon;

    ret = krb5_timeofday(handle->context, &now);
    if (ret != 0)
        return ret;

    /*
     * NOTE(review): this result is compared with OSA_ADB_OK while the
     * policy lookup below is compared with KADM5_OK -- confirm the two
     * constants are interchangeable for kadm5_get_principal.
     */
    ret = kadm5_get_principal(handle->lhandle, principal,
                              &princ, KADM5_PRINCIPAL_NORMAL_MASK);
    if (ret != OSA_ADB_OK)
        return ret;

    /* No policy attached: nothing to enforce, just release the entry. */
    if (!(princ.aux_attributes & KADM5_POLICY))
        return kadm5_free_principal_ent(handle->lhandle, &princ);

    ret = kadm5_get_policy(handle->lhandle, princ.policy, &pol);
    if (ret != KADM5_OK) {
        (void) kadm5_free_principal_ent(handle->lhandle, &princ);
        return ret;
    }

    /*
     * Evaluate the verdict while both records are still valid.
     * NOTE(review): the age is a signed difference; a last_pwd_change
     * later than now (e.g. after a clock step backwards) would give a
     * negative age and be treated as too soon, assuming pw_min_life is
     * non-negative -- confirm this is the intended behaviour.
     */
    too_soon = (now - princ.last_pwd_change) < pol.pw_min_life &&
        !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE);

    ret = kadm5_free_policy_ent(handle->lhandle, &pol);

    if (too_soon) {
        /* The refusal takes precedence over any error from the free. */
        (void) kadm5_free_principal_ent(handle->lhandle, &princ);
        return KADM5_PASS_TOOSOON;
    }

    if (ret != 0) {
        (void) kadm5_free_principal_ent(handle->lhandle, &princ);
        return ret;
    }

    return kadm5_free_principal_ent(handle->lhandle, &princ);
}
172