1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
10  *
11  *	Openvision retains the copyright to derivative works of
12  *	this source code.  Do *NOT* create a derivative of this
13  *	source code before consulting with your legal department.
14  *	Do *NOT* integrate *ANY* of this source code into another
15  *	product before consulting with your legal department.
16  *
17  *	For further information, read the top-level Openvision
18  *	copyright which is contained in the top-level MIT Kerberos
19  *	copyright.
20  *
21  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
22  *
23  */
24 
25 
26 /*
27  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
28  *
29  */
30 
31 #include    <k5-int.h>
32 #include    <krb5/kdb.h>
33 #include    <kadm5/server_internal.h>
34 #include    "misc.h"
35 
36 /*
37  * Function: chpass_principal_wrapper_3
38  *
39  * Purpose: wrapper to kadm5_chpass_principal that checks to see if
40  *	    pw_min_life has been reached. If not, it returns an error;
41  *	    otherwise it calls kadm5_chpass_principal.
42  *
43  * Arguments:
44  *	principal	(input) krb5_principals whose password we are
45  *				changing
46  *	keepold 	(input) whether to preserve old keys
47  *	n_ks_tuple	(input) the number of key-salt tuples in ks_tuple
48  *	ks_tuple	(input) array of tuples indicating the caller's
49  *				requested enctypes/salttypes
50  *	password	(input) password we are going to change to.
51  * 	<return value>	0 on success, error code on failure.
52  *
53  * Requires:
54  *	kadm5_init to have been run.
55  *
56  * Effects:
57  *	calls kadm5_chpass_principal which changes the kdb and
58  *	the admin db.
59  *
60  */
kadm5_ret_t
chpass_principal_wrapper_3(void *server_handle,
			   krb5_principal principal,
			   krb5_boolean keepold,
			   int n_ks_tuple,
			   krb5_key_salt_tuple *ks_tuple,
			   char *password)
{
    /*
     * Enforce the policy's minimum password lifetime on the server side
     * before the change is attempted; a too-early change is refused
     * without touching the database.
     */
    kadm5_ret_t ret = check_min_life(server_handle, principal);

    if (ret != 0)
	return ret;

    return kadm5_chpass_principal_3(server_handle, principal, keepold,
				    n_ks_tuple, ks_tuple, password);
}
79 
80 
81 /*
82  * Function: randkey_principal_wrapper_3
83  *
84  * Purpose: wrapper to kadm5_randkey_principal which checks the
85  *	    password's min. life.
86  *
87  * Arguments:
88  *	principal	    (input) krb5_principal whose password we are
89  *				    changing
90  *	keepold 	(input) whether to preserve old keys
91  *	n_ks_tuple	(input) the number of key-salt tuples in ks_tuple
92  *	ks_tuple	(input) array of tuples indicating the caller's
93  *				requested enctypes/salttypes
94  *	key		    (output) new random key
95  * 	<return value>	    0 on success, error code on failure.
96  *
97  * Requires:
98  *	kadm5_init	 needs to be run
99  *
100  * Effects:
101  *	calls kadm5_randkey_principal
102  *
103  */
kadm5_ret_t
randkey_principal_wrapper_3(void *server_handle,
			    krb5_principal principal,
			    krb5_boolean keepold,
			    int n_ks_tuple,
			    krb5_key_salt_tuple *ks_tuple,
			    krb5_keyblock **keys, int *n_keys)
{
    /*
     * Randomizing the key is subject to the same minimum-lifetime check
     * as a password change; refuse before delegating to the library.
     */
    kadm5_ret_t ret = check_min_life(server_handle, principal);

    if (ret != 0)
	return ret;

    return kadm5_randkey_principal_3(server_handle, principal, keepold,
				     n_ks_tuple, ks_tuple, keys, n_keys);
}
121 
/*
 * Function: chpass_util_wrapper
 *
 * Purpose: wrapper to kadm5_chpass_principal_util that first enforces
 *	    the principal's pw_min_life via check_min_life.
 *
 * Arguments:
 *	princ		(input) principal whose password is being changed
 *	new_pw		(input) requested new password
 *	ret_pw		(output) passed through to kadm5_chpass_principal_util
 *	msg_ret		(output) message buffer passed through unchanged
 *	msg_len		(input) size of msg_ret
 *	<return value>	0 on success, error code on failure.
 *
 * Requires:
 *	kadm5_init to have been run.
 */
kadm5_ret_t
chpass_util_wrapper(void *server_handle, krb5_principal princ,
		    char *new_pw, char **ret_pw,
		    char *msg_ret, unsigned int msg_len)
{
    kadm5_ret_t ret = check_min_life(server_handle, princ);

    /* Too-soon changes never reach the library call below. */
    if (ret != 0)
	return ret;

    return kadm5_chpass_principal_util(server_handle, princ, new_pw, ret_pw,
				       msg_ret, msg_len);
}
137 
/*
 * Function: randkey_principal_wrapper
 *
 * Purpose: wrapper to kadm5_randkey_principal that first enforces the
 *	    principal's pw_min_life via check_min_life.
 *
 * Arguments:
 *	princ		(input) principal whose key is being randomized
 *	keys		(output) new random keys, as returned by the library
 *	n_keys		(output) number of entries in keys
 *	<return value>	0 on success, error code on failure.
 *
 * Requires:
 *	kadm5_init to have been run.
 */
kadm5_ret_t
randkey_principal_wrapper(void *server_handle, krb5_principal princ,
			  krb5_keyblock ** keys, int *n_keys)
{
    kadm5_ret_t ret = check_min_life(server_handle, princ);

    if (ret != 0)
	return ret;

    return kadm5_randkey_principal(server_handle, princ, keys, n_keys);
}
150 
/*
 * Function: check_min_life
 *
 * Purpose: decide whether a principal's password may be changed now,
 *	    according to the pw_min_life of the policy attached to it.
 *
 * Arguments:
 *	server_handle	(input) kadm5 server handle (kadm5_server_handle_t)
 *	principal	(input) principal whose password would change
 *	<return value>	0 if the change may proceed, KADM5_PASS_TOOSOON
 *			if the current password is younger than
 *			pw_min_life, or the error from a failed lookup
 *			or free.
 *
 * Effects:
 *	Reads (and frees) the principal entry and, when the principal
 *	has a policy, the policy entry.  A principal flagged with
 *	KRB5_KDB_REQUIRES_PWCHANGE is exempt from the lifetime check, so
 *	an administratively forced change can be completed at once.
 *	If the KDC clock is behind last_pwd_change the computed age is
 *	negative and the check passes; the caller cannot distinguish
 *	that from a genuinely old password.
 */
kadm5_ret_t
check_min_life(void *server_handle, krb5_principal principal)
{
    kadm5_server_handle_t	handle = server_handle;
    kadm5_principal_ent_rec	princ;
    kadm5_policy_ent_rec	pol;
    krb5_int32			now;
    kadm5_ret_t			ret;

    ret = krb5_timeofday(handle->context, &now);
    if (ret != 0)
	return ret;

    ret = kadm5_get_principal(handle->lhandle, principal, &princ,
			      KADM5_PRINCIPAL_NORMAL_MASK);
    if (ret != 0)
	return ret;

    /* No policy means no minimum lifetime to enforce. */
    if (!(princ.aux_attributes & KADM5_POLICY))
	return kadm5_free_principal_ent(handle->lhandle, &princ);

    ret = kadm5_get_policy(handle->lhandle, princ.policy, &pol);
    if (ret != KADM5_OK)
	goto out_princ;

    {
	int too_soon = (now - princ.last_pwd_change) < pol.pw_min_life;
	int must_change = (princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE) != 0;

	/* A forced change (REQUIRES_PWCHANGE) overrides the lifetime. */
	if (too_soon && !must_change) {
	    (void) kadm5_free_policy_ent(handle->lhandle, &pol);
	    ret = KADM5_PASS_TOOSOON;
	    goto out_princ;
	}
    }

    ret = kadm5_free_policy_ent(handle->lhandle, &pol);
    if (ret != 0)
	goto out_princ;

    return kadm5_free_principal_ent(handle->lhandle, &princ);

out_princ:
    /* Error path: ret already holds the value to report. */
    (void) kadm5_free_principal_ent(handle->lhandle, &princ);
    return ret;
}
190