1 /* $NetBSD: ent_setup.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */
2
3 /*
4 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 *
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 *
21 * 3. Neither the name of the Institute nor the names of its contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 */
37
38 #include "kadm5_locl.h"
39
40 __RCSID("$NetBSD: ent_setup.c,v 1.2 2017/01/28 21:31:49 christos Exp $");
41
42 #define set_value(X, V) do { if((X) == NULL) (X) = malloc(sizeof(*(X))); *(X) = V; } while(0)
43 #define set_null(X) do { if((X) != NULL) free((X)); (X) = NULL; } while (0)
44
45 static void
attr_to_flags(unsigned attr,HDBFlags * flags)46 attr_to_flags(unsigned attr, HDBFlags *flags)
47 {
48 flags->postdate = !(attr & KRB5_KDB_DISALLOW_POSTDATED);
49 flags->forwardable = !(attr & KRB5_KDB_DISALLOW_FORWARDABLE);
50 flags->initial = !!(attr & KRB5_KDB_DISALLOW_TGT_BASED);
51 flags->renewable = !(attr & KRB5_KDB_DISALLOW_RENEWABLE);
52 flags->proxiable = !(attr & KRB5_KDB_DISALLOW_PROXIABLE);
53 /* DUP_SKEY */
54 flags->invalid = !!(attr & KRB5_KDB_DISALLOW_ALL_TIX);
55 flags->require_preauth = !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH);
56 flags->require_pwchange = !!(attr & KRB5_KDB_REQUIRES_PWCHANGE);
57 /* HW_AUTH */
58 flags->server = !(attr & KRB5_KDB_DISALLOW_SVR);
59 flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
60 flags->client = 1; /* XXX */
61 flags->ok_as_delegate = !!(attr & KRB5_KDB_OK_AS_DELEGATE);
62 flags->trusted_for_delegation = !!(attr & KRB5_KDB_TRUSTED_FOR_DELEGATION);
63 flags->allow_kerberos4 = !!(attr & KRB5_KDB_ALLOW_KERBEROS4);
64 flags->allow_digest = !!(attr & KRB5_KDB_ALLOW_DIGEST);
65 }
66
67 /*
68 * Modify the `ent' according to `tl_data'.
69 */
70
71 static kadm5_ret_t
perform_tl_data(krb5_context context,HDB * db,hdb_entry_ex * ent,const krb5_tl_data * tl_data)72 perform_tl_data(krb5_context context,
73 HDB *db,
74 hdb_entry_ex *ent,
75 const krb5_tl_data *tl_data)
76 {
77 kadm5_ret_t ret = 0;
78
79 if (tl_data->tl_data_type == KRB5_TL_PASSWORD) {
80 heim_utf8_string pw = tl_data->tl_data_contents;
81
82 if (pw[tl_data->tl_data_length] != '\0')
83 return KADM5_BAD_TL_TYPE;
84
85 ret = hdb_entry_set_password(context, db, &ent->entry, pw);
86
87 } else if (tl_data->tl_data_type == KRB5_TL_LAST_PWD_CHANGE) {
88 unsigned char *s;
89 time_t t;
90
91 if (tl_data->tl_data_length != 4)
92 return KADM5_BAD_TL_TYPE;
93
94 s = tl_data->tl_data_contents;
95
96 t = s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24);
97
98 ret = hdb_entry_set_pw_change_time(context, &ent->entry, t);
99
100 } else if (tl_data->tl_data_type == KRB5_TL_EXTENSION) {
101 HDB_extension ext;
102
103 ret = decode_HDB_extension(tl_data->tl_data_contents,
104 tl_data->tl_data_length,
105 &ext,
106 NULL);
107 if (ret)
108 return KADM5_BAD_TL_TYPE;
109
110 ret = hdb_replace_extension(context, &ent->entry, &ext);
111 free_HDB_extension(&ext);
112 } else {
113 return KADM5_BAD_TL_TYPE;
114 }
115 return ret;
116 }
117
118 static void
default_flags(hdb_entry_ex * ent,int server)119 default_flags(hdb_entry_ex *ent, int server)
120 {
121 ent->entry.flags.client = 1;
122 ent->entry.flags.server = !!server;
123 ent->entry.flags.forwardable = 1;
124 ent->entry.flags.proxiable = 1;
125 ent->entry.flags.renewable = 1;
126 ent->entry.flags.postdate = 1;
127 }
128
129
130 /*
131 * Create the hdb entry `ent' based on data from `princ' with
132 * `princ_mask' specifying what fields to be gotten from there and
133 * `mask' specifying what fields we want filled in.
134 */
135
136 kadm5_ret_t
_kadm5_setup_entry(kadm5_server_context * context,hdb_entry_ex * ent,uint32_t mask,kadm5_principal_ent_t princ,uint32_t princ_mask,kadm5_principal_ent_t def,uint32_t def_mask)137 _kadm5_setup_entry(kadm5_server_context *context,
138 hdb_entry_ex *ent,
139 uint32_t mask,
140 kadm5_principal_ent_t princ,
141 uint32_t princ_mask,
142 kadm5_principal_ent_t def,
143 uint32_t def_mask)
144 {
145 if(mask & KADM5_PRINC_EXPIRE_TIME
146 && princ_mask & KADM5_PRINC_EXPIRE_TIME) {
147 if (princ->princ_expire_time)
148 set_value(ent->entry.valid_end, princ->princ_expire_time);
149 else
150 set_null(ent->entry.valid_end);
151 }
152 if(mask & KADM5_PW_EXPIRATION
153 && princ_mask & KADM5_PW_EXPIRATION) {
154 if (princ->pw_expiration)
155 set_value(ent->entry.pw_end, princ->pw_expiration);
156 else
157 set_null(ent->entry.pw_end);
158 }
159 if(mask & KADM5_ATTRIBUTES) {
160 if (princ_mask & KADM5_ATTRIBUTES) {
161 attr_to_flags(princ->attributes, &ent->entry.flags);
162 } else if(def_mask & KADM5_ATTRIBUTES) {
163 attr_to_flags(def->attributes, &ent->entry.flags);
164 ent->entry.flags.invalid = 0;
165 } else {
166 default_flags(ent, 1);
167 }
168 }
169
170 if(mask & KADM5_MAX_LIFE) {
171 if(princ_mask & KADM5_MAX_LIFE) {
172 if(princ->max_life)
173 set_value(ent->entry.max_life, princ->max_life);
174 else
175 set_null(ent->entry.max_life);
176 } else if(def_mask & KADM5_MAX_LIFE) {
177 if(def->max_life)
178 set_value(ent->entry.max_life, def->max_life);
179 else
180 set_null(ent->entry.max_life);
181 }
182 }
183 if(mask & KADM5_KVNO
184 && (princ_mask & KADM5_KVNO)) {
185 krb5_error_code ret;
186
187 ret = hdb_change_kvno(context->context, princ->kvno, &ent->entry);
188 if (ret && ret != HDB_ERR_KVNO_NOT_FOUND)
189 return ret;
190 ent->entry.kvno = princ->kvno; /* force it */
191 }
192 if(mask & KADM5_MAX_RLIFE) {
193 if(princ_mask & KADM5_MAX_RLIFE) {
194 if(princ->max_renewable_life)
195 set_value(ent->entry.max_renew, princ->max_renewable_life);
196 else
197 set_null(ent->entry.max_renew);
198 } else if(def_mask & KADM5_MAX_RLIFE) {
199 if(def->max_renewable_life)
200 set_value(ent->entry.max_renew, def->max_renewable_life);
201 else
202 set_null(ent->entry.max_renew);
203 }
204 }
205 if(mask & KADM5_KEY_DATA
206 && princ_mask & KADM5_KEY_DATA) {
207 _kadm5_set_keys2(context, &ent->entry,
208 princ->n_key_data, princ->key_data);
209 }
210 if(mask & KADM5_TL_DATA) {
211 krb5_tl_data *tl;
212
213 for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next) {
214 kadm5_ret_t ret;
215 ret = perform_tl_data(context->context, context->db, ent, tl);
216 if (ret)
217 return ret;
218 }
219 }
220 if(mask & KADM5_FAIL_AUTH_COUNT) {
221 /* XXX */
222 }
223 return 0;
224 }
225