1 /* $NetBSD: ent_setup.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * 3. Neither the name of the Institute nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 */ 37 38 #include "kadm5_locl.h" 39 40 __RCSID("$NetBSD: ent_setup.c,v 1.2 2017/01/28 21:31:49 christos Exp $"); 41 42 #define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0) 43 #define set_null(X) do { if((X) != NULL) free((X)); (X) = NULL; } while (0) 44 45 static void 46 attr_to_flags(unsigned attr, HDBFlags *flags) 47 { 48 flags->postdate = !(attr & KRB5_KDB_DISALLOW_POSTDATED); 49 flags->forwardable = !(attr & KRB5_KDB_DISALLOW_FORWARDABLE); 50 flags->initial = !!(attr & KRB5_KDB_DISALLOW_TGT_BASED); 51 flags->renewable = !(attr & KRB5_KDB_DISALLOW_RENEWABLE); 52 flags->proxiable = !(attr & KRB5_KDB_DISALLOW_PROXIABLE); 53 /* DUP_SKEY */ 54 flags->invalid = !!(attr & KRB5_KDB_DISALLOW_ALL_TIX); 55 flags->require_preauth = !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH); 56 flags->require_pwchange = !!(attr & KRB5_KDB_REQUIRES_PWCHANGE); 57 /* HW_AUTH */ 58 flags->server = !(attr & KRB5_KDB_DISALLOW_SVR); 59 flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE); 60 flags->client = 1; /* XXX */ 61 flags->ok_as_delegate = !!(attr & KRB5_KDB_OK_AS_DELEGATE); 62 flags->trusted_for_delegation = !!(attr & KRB5_KDB_TRUSTED_FOR_DELEGATION); 63 flags->allow_kerberos4 = !!(attr & KRB5_KDB_ALLOW_KERBEROS4); 64 flags->allow_digest = !!(attr & KRB5_KDB_ALLOW_DIGEST); 65 } 66 67 /* 68 * Modify the `ent' according to `tl_data'. 69 */ 70 71 static kadm5_ret_t 72 perform_tl_data(krb5_context context, 73 HDB *db, 74 hdb_entry_ex *ent, 75 const krb5_tl_data *tl_data) 76 { 77 kadm5_ret_t ret = 0; 78 79 if (tl_data->tl_data_type == KRB5_TL_PASSWORD) { 80 heim_utf8_string pw = tl_data->tl_data_contents; 81 82 if (pw[tl_data->tl_data_length] != '\0') 83 return KADM5_BAD_TL_TYPE; 84 85 ret = hdb_entry_set_password(context, db, &ent->entry, pw); 86 87 } else if (tl_data->tl_data_type == KRB5_TL_LAST_PWD_CHANGE) { 88 unsigned char *s; 89 time_t t; 90 91 if (tl_data->tl_data_length != 4) 92 return KADM5_BAD_TL_TYPE; 93 94 s = tl_data->tl_data_contents; 95 96 t = s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24); 97 98 ret = hdb_entry_set_pw_change_time(context, &ent->entry, t); 99 100 } else if (tl_data->tl_data_type == KRB5_TL_EXTENSION) { 101 HDB_extension ext; 102 103 ret = decode_HDB_extension(tl_data->tl_data_contents, 104 tl_data->tl_data_length, 105 &ext, 106 NULL); 107 if (ret) 108 return KADM5_BAD_TL_TYPE; 109 110 ret = hdb_replace_extension(context, &ent->entry, &ext); 111 free_HDB_extension(&ext); 112 } else { 113 return KADM5_BAD_TL_TYPE; 114 } 115 return ret; 116 } 117 118 static void 119 default_flags(hdb_entry_ex *ent, int server) 120 { 121 ent->entry.flags.client = 1; 122 ent->entry.flags.server = !!server; 123 ent->entry.flags.forwardable = 1; 124 ent->entry.flags.proxiable = 1; 125 ent->entry.flags.renewable = 1; 126 ent->entry.flags.postdate = 1; 127 } 128 129 130 /* 131 * Create the hdb entry `ent' based on data from `princ' with 132 * `princ_mask' specifying what fields to be gotten from there and 133 * `mask' specifying what fields we want filled in. 134 */ 135 136 kadm5_ret_t 137 _kadm5_setup_entry(kadm5_server_context *context, 138 hdb_entry_ex *ent, 139 uint32_t mask, 140 kadm5_principal_ent_t princ, 141 uint32_t princ_mask, 142 kadm5_principal_ent_t def, 143 uint32_t def_mask) 144 { 145 if(mask & KADM5_PRINC_EXPIRE_TIME 146 && princ_mask & KADM5_PRINC_EXPIRE_TIME) { 147 if (princ->princ_expire_time) 148 set_value(ent->entry.valid_end, princ->princ_expire_time); 149 else 150 set_null(ent->entry.valid_end); 151 } 152 if(mask & KADM5_PW_EXPIRATION 153 && princ_mask & KADM5_PW_EXPIRATION) { 154 if (princ->pw_expiration) 155 set_value(ent->entry.pw_end, princ->pw_expiration); 156 else 157 set_null(ent->entry.pw_end); 158 } 159 if(mask & KADM5_ATTRIBUTES) { 160 if (princ_mask & KADM5_ATTRIBUTES) { 161 attr_to_flags(princ->attributes, &ent->entry.flags); 162 } else if(def_mask & KADM5_ATTRIBUTES) { 163 attr_to_flags(def->attributes, &ent->entry.flags); 164 ent->entry.flags.invalid = 0; 165 } else { 166 default_flags(ent, 1); 167 } 168 } 169 170 if(mask & KADM5_MAX_LIFE) { 171 if(princ_mask & KADM5_MAX_LIFE) { 172 if(princ->max_life) 173 set_value(ent->entry.max_life, princ->max_life); 174 else 175 set_null(ent->entry.max_life); 176 } else if(def_mask & KADM5_MAX_LIFE) { 177 if(def->max_life) 178 set_value(ent->entry.max_life, def->max_life); 179 else 180 set_null(ent->entry.max_life); 181 } 182 } 183 if(mask & KADM5_KVNO 184 && (princ_mask & KADM5_KVNO)) { 185 krb5_error_code ret; 186 187 ret = hdb_change_kvno(context->context, princ->kvno, &ent->entry); 188 if (ret && ret != HDB_ERR_KVNO_NOT_FOUND) 189 return ret; 190 ent->entry.kvno = princ->kvno; /* force it */ 191 } 192 if(mask & KADM5_MAX_RLIFE) { 193 if(princ_mask & KADM5_MAX_RLIFE) { 194 if(princ->max_renewable_life) 195 set_value(ent->entry.max_renew, princ->max_renewable_life); 196 else 197 set_null(ent->entry.max_renew); 198 } else if(def_mask & KADM5_MAX_RLIFE) { 199 if(def->max_renewable_life) 200 set_value(ent->entry.max_renew, def->max_renewable_life); 201 else 202 set_null(ent->entry.max_renew); 203 } 204 } 205 if(mask & KADM5_KEY_DATA 206 && princ_mask & KADM5_KEY_DATA) { 207 _kadm5_set_keys2(context, &ent->entry, 208 princ->n_key_data, princ->key_data); 209 } 210 if(mask & KADM5_TL_DATA) { 211 krb5_tl_data *tl; 212 213 for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next) { 214 kadm5_ret_t ret; 215 ret = perform_tl_data(context->context, context->db, ent, tl); 216 if (ret) 217 return ret; 218 } 219 } 220 if(mask & KADM5_FAIL_AUTH_COUNT) { 221 /* XXX */ 222 } 223 return 0; 224 } 225