/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 * Openvision retains the copyright to derivative works of
 * this source code.  Do *NOT* create a derivative of this
 * source code before consulting with your legal department.
 * Do *NOT* integrate *ANY* of this source code into another
 * product before consulting with your legal department.
 *
 * For further information, read the top-level Openvision
 * copyright which is contained in the top-level MIT Kerberos
 * copyright.
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 */

/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 */

#include <kadm5/adb.h>
#include <kadm5/server_internal.h>
#include <krb5/kdb.h>
#include "misc.h"

/*
 * Function: check_min_life
 *
 * Purpose: decide whether a principal's password may be changed now,
 *          according to the pw_min_life of the policy attached to it.
 *
 * Arguments:
 *      server_handle   (input) kadm5 server handle (kadm5_server_handle_t)
 *      principal       (input) principal whose password is about to change
 *      <return value>  0 when the change is allowed;
 *                      KADM5_PASS_TOOSOON when less than pw_min_life has
 *                      elapsed since last_pwd_change;
 *                      otherwise the error from krb5_timeofday(),
 *                      kadm5_get_principal(), kadm5_get_policy() or from
 *                      releasing the fetched entries.
 *
 * Requires:
 *      kadm5_init to have been run.
 *
 * Notes:
 *      - A principal without KADM5_POLICY in aux_attributes is never
 *        rejected here.
 *      - A principal flagged KRB5_KDB_REQUIRES_PWCHANGE is exempt from the
 *        minimum-life check even when its policy would otherwise block it.
 *      - If the referenced policy cannot be fetched, the lookup error is
 *        propagated and the change is refused; a missing policy is NOT
 *        treated as "no constraint".
 *      - NOTE(review): the principal entry read here is separate from the
 *        one the underlying kadm5 change routine operates on, so this is
 *        a pre-check, not an atomic guard — confirm whether the callers
 *        rely on it being more than that.
 */
kadm5_ret_t
check_min_life(void *server_handle, krb5_principal principal)
{
    kadm5_server_handle_t handle = server_handle;
    kadm5_principal_ent_rec princ;
    kadm5_policy_ent_rec pol;
    krb5_int32 now;
    kadm5_ret_t ret;
    int too_soon;

    ret = krb5_timeofday(handle->context, &now);
    if (ret != 0)
        return ret;

    ret = kadm5_get_principal(handle->lhandle, principal, &princ,
                              KADM5_PRINCIPAL_NORMAL_MASK);
    if (ret != OSA_ADB_OK)
        return ret;

    /* No policy attached: nothing to enforce, just release the entry. */
    if (!(princ.aux_attributes & KADM5_POLICY))
        return kadm5_free_principal_ent(handle->lhandle, &princ);

    ret = kadm5_get_policy(handle->lhandle, princ.policy, &pol);
    if (ret != KADM5_OK) {
        (void) kadm5_free_principal_ent(handle->lhandle, &princ);
        return ret;
    }

    /*
     * The minimum lifetime only applies when the KDC is not already
     * forcing a password change for this principal.
     */
    too_soon = (now - princ.last_pwd_change) < pol.pw_min_life &&
               !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE);
    if (too_soon) {
        (void) kadm5_free_policy_ent(handle->lhandle, &pol);
        (void) kadm5_free_principal_ent(handle->lhandle, &princ);
        return KADM5_PASS_TOOSOON;
    }

    ret = kadm5_free_policy_ent(handle->lhandle, &pol);
    if (ret != 0) {
        (void) kadm5_free_principal_ent(handle->lhandle, &princ);
        return ret;
    }

    return kadm5_free_principal_ent(handle->lhandle, &princ);
}

/*
 * Function: chpass_principal_wrapper_3
 *
 * Purpose: front end to kadm5_chpass_principal_3 that first refuses the
 *          change if the principal's policy pw_min_life has not elapsed.
 *
 * Arguments:
 *      server_handle   (input) kadm5 server handle
 *      principal       (input) principal whose password is changed
 *      keepold         (input) whether to preserve old keys
 *      n_ks_tuple      (input) number of key-salt tuples in ks_tuple
 *      ks_tuple        (input) requested enctype/salttype tuples
 *      password        (input) the new password
 *      <return value>  0 on success, the check_min_life() error (including
 *                      KADM5_PASS_TOOSOON) or the kadm5_chpass_principal_3
 *                      error on failure.
 *
 * Requires:
 *      kadm5_init to have been run.
 *
 * Effects:
 *      kadm5_chpass_principal_3 updates the kdb and the admin db.
 */
kadm5_ret_t
chpass_principal_wrapper_3(void *server_handle,
                           krb5_principal principal,
                           krb5_boolean keepold,
                           int n_ks_tuple,
                           krb5_key_salt_tuple *ks_tuple,
                           char *password)
{
    kadm5_ret_t lifecheck = check_min_life(server_handle, principal);

    if (lifecheck != 0)
        return lifecheck;

    return kadm5_chpass_principal_3(server_handle, principal, keepold,
                                    n_ks_tuple, ks_tuple, password);
}

/*
 * Function: randkey_principal_wrapper_3
 *
 * Purpose: front end to kadm5_randkey_principal_3 that applies the same
 *          pw_min_life check as a password change.
 *
 * Arguments:
 *      server_handle   (input) kadm5 server handle
 *      principal       (input) principal whose keys are regenerated
 *      keepold         (input) whether to preserve old keys
 *      n_ks_tuple      (input) number of key-salt tuples in ks_tuple
 *      ks_tuple        (input) requested enctype/salttype tuples
 *      keys            (output) the new random keys
 *      n_keys          (output) number of keys returned in *keys
 *      <return value>  0 on success, error code on failure.
 *
 * Requires:
 *      kadm5_init to have been run.
 *
 * Effects:
 *      calls kadm5_randkey_principal_3.
 */
kadm5_ret_t
randkey_principal_wrapper_3(void *server_handle,
                            krb5_principal principal,
                            krb5_boolean keepold,
                            int n_ks_tuple,
                            krb5_key_salt_tuple *ks_tuple,
                            krb5_keyblock **keys, int *n_keys)
{
    kadm5_ret_t lifecheck = check_min_life(server_handle, principal);

    if (lifecheck != 0)
        return lifecheck;

    return kadm5_randkey_principal_3(server_handle, principal, keepold,
                                     n_ks_tuple, ks_tuple, keys, n_keys);
}

/*
 * Function: chpass_util_wrapper
 *
 * Purpose: front end to kadm5_chpass_principal_util that first applies
 *          the pw_min_life check.
 *
 * Arguments:
 *      server_handle   (input) kadm5 server handle
 *      princ           (input) principal whose password is changed
 *      new_pw          (input) the new password
 *      ret_pw          (output) passed through to kadm5_chpass_principal_util
 *      msg_ret         (output) message buffer passed through
 *      msg_len         (input) size of msg_ret
 *      <return value>  0 on success, error code on failure.
 *
 * Requires:
 *      kadm5_init to have been run.
 */
kadm5_ret_t
chpass_util_wrapper(void *server_handle, krb5_principal princ,
                    char *new_pw, char **ret_pw,
                    char *msg_ret, unsigned int msg_len)
{
    kadm5_ret_t lifecheck = check_min_life(server_handle, princ);

    if (lifecheck != 0)
        return lifecheck;

    return kadm5_chpass_principal_util(server_handle, princ, new_pw,
                                       ret_pw, msg_ret, msg_len);
}

/*
 * Function: randkey_principal_wrapper
 *
 * Purpose: front end to kadm5_randkey_principal (the pre-_3 interface)
 *          that applies the pw_min_life check.
 *
 * Arguments:
 *      server_handle   (input) kadm5 server handle
 *      princ           (input) principal whose keys are regenerated
 *      keys            (output) the new random keys
 *      n_keys          (output) number of keys returned in *keys
 *      <return value>  0 on success, error code on failure.
 *
 * Requires:
 *      kadm5_init to have been run.
 */
kadm5_ret_t
randkey_principal_wrapper(void *server_handle, krb5_principal princ,
                          krb5_keyblock **keys, int *n_keys)
{
    kadm5_ret_t lifecheck = check_min_life(server_handle, princ);

    if (lifecheck != 0)
        return lifecheck;

    return kadm5_randkey_principal(server_handle, princ, keys, n_keys);
}