aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/kadm5
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/kadm5')
-rw-r--r--src/lib/kadm5/chpass_util.c8
-rw-r--r--src/lib/kadm5/deps14
-rw-r--r--src/lib/kadm5/kadm_err.et1
-rw-r--r--src/lib/kadm5/srv/Makefile.in20
-rw-r--r--src/lib/kadm5/srv/deps21
-rw-r--r--src/lib/kadm5/srv/libkadm5srv_mit.exports5
-rw-r--r--src/lib/kadm5/srv/server_acl.c823
-rw-r--r--src/lib/kadm5/srv/server_acl.h100
-rw-r--r--src/lib/kadm5/srv/server_kdb.c2
-rw-r--r--src/lib/kadm5/srv/server_misc.c14
-rw-r--r--src/lib/kadm5/srv/svr_principal.c88
-rw-r--r--src/lib/kadm5/unit-test/setkey-test.c3
12 files changed, 51 insertions, 1048 deletions
diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c
index 408b0eb31fac..1680a5504922 100644
--- a/src/lib/kadm5/chpass_util.c
+++ b/src/lib/kadm5/chpass_util.c
@@ -4,15 +4,11 @@
*/
-#include "autoconf.h"
-#include <stdio.h>
-#include <time.h>
-#include <string.h>
+#include "k5-int.h"
#include <kadm5/admin.h>
#include "admin_internal.h"
-#include <krb5.h>
#define string_text error_message
@@ -218,7 +214,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
time_t until;
char *time_string, *ptr;
- until = princ_ent.last_pwd_change + policy_ent.pw_min_life;
+ until = ts_incr(princ_ent.last_pwd_change, policy_ent.pw_min_life);
time_string = ctime(&until);
if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
diff --git a/src/lib/kadm5/deps b/src/lib/kadm5/deps
index c9f0cbfdb7e2..3585f08f6442 100644
--- a/src/lib/kadm5/deps
+++ b/src/lib/kadm5/deps
@@ -42,13 +42,21 @@ chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
$(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
$(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
$(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
$(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
$(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
- $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \
- $(top_srcdir)/include/krb5.h admin_internal.h chpass_util.c
+ $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+ $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
+ admin_internal.h chpass_util.c
alt_prof.so alt_prof.po $(OUTPRE)alt_prof.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
diff --git a/src/lib/kadm5/kadm_err.et b/src/lib/kadm5/kadm_err.et
index 71b053460117..892a6fac1053 100644
--- a/src/lib/kadm5/kadm_err.et
+++ b/src/lib/kadm5/kadm_err.et
@@ -66,4 +66,5 @@ error_code KADM5_BAD_KEYSALTS, "Invalid key/salt tuples"
error_code KADM5_SETKEY_BAD_KVNO, "Invalid multiple or duplicate kvnos in setkey operation"
error_code KADM5_AUTH_EXTRACT, "Operation requires ``extract-keys'' privilege"
error_code KADM5_PROTECT_KEYS, "Principal keys are locked down"
+error_code KADM5_AUTH_INITIAL, "Operation requires initial ticket"
end
diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
index f4b5b5b6a06d..617d6566665f 100644
--- a/src/lib/kadm5/srv/Makefile.in
+++ b/src/lib/kadm5/srv/Makefile.in
@@ -32,7 +32,6 @@ SRCS = $(srcdir)/pwqual.c \
$(srcdir)/pwqual_princ.c \
$(srcdir)/svr_policy.c \
$(srcdir)/svr_principal.c \
- $(srcdir)/server_acl.c \
$(srcdir)/server_kdb.c \
$(srcdir)/server_misc.c \
$(srcdir)/server_init.c \
@@ -48,7 +47,6 @@ OBJS = pwqual.$(OBJEXT) \
kadm5_hook.$(OBJEXT) \
svr_policy.$(OBJEXT) \
svr_principal.$(OBJEXT) \
- server_acl.$(OBJEXT) \
server_kdb.$(OBJEXT) \
server_misc.$(OBJEXT) \
server_init.$(OBJEXT) \
@@ -65,7 +63,6 @@ STLIBOBJS = \
kadm5_hook.o \
svr_policy.o \
svr_principal.o \
- server_acl.o \
server_kdb.o \
server_misc.o \
server_init.o \
@@ -73,23 +70,10 @@ STLIBOBJS = \
svr_chpass_util.o \
adb_xdr.o
-all-unix: includes
all-unix: all-liblinks
all-windows: $(OBJS)
-generate-files-mac: includes darwin.exports
-
-includes: server_acl.h
- if cmp $(srcdir)/server_acl.h \
- $(BUILDTOP)/include/kadm5/server_acl.h >/dev/null 2>&1; then :; \
- else \
- (set -x; $(RM) $(BUILDTOP)/include/kadm5/server_acl.h; \
- $(CP) $(srcdir)/server_acl.h \
- $(BUILDTOP)/include/kadm5/server_acl.h) ; \
- fi
-
-clean-unix::
- $(RM) $(BUILDTOP)/include/kadm5/server_acl.h
+generate-files-mac: darwin.exports
check-windows:
@@ -104,8 +88,6 @@ install-unix:
(cd $(DESTDIR)$(KRB5_LIBDIR) && $(LN_S) lib$(LIBBASE)$(DEPLIBEXT) \
libkadm5srv$(DEPLIBEXT))
-depend: includes
-
@lib_frag@
@libobj_frag@
diff --git a/src/lib/kadm5/srv/deps b/src/lib/kadm5/srv/deps
index 20df4e9b8205..01080d56053e 100644
--- a/src/lib/kadm5/srv/deps
+++ b/src/lib/kadm5/srv/deps
@@ -150,27 +150,6 @@ svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_hook_plugin.h \
$(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
$(top_srcdir)/include/socket-utils.h svr_principal.c
-server_acl.so server_acl.po $(OUTPRE)server_acl.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \
- $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
- $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
- $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
- $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
- $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \
- $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- server_acl.c server_acl.h
server_kdb.so server_kdb.po $(OUTPRE)server_kdb.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
$(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports
index aedfdd7f5813..804eba16abb8 100644
--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports
+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports
@@ -1,10 +1,5 @@
_kadm5_check_handle
_kadm5_chpass_principal_util
-kadm5int_acl_check
-kadm5int_acl_check_krb
-kadm5int_acl_finish
-kadm5int_acl_impose_restrictions
-kadm5int_acl_init
hist_princ
kadm5_set_use_password_server
kadm5_chpass_principal
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
deleted file mode 100644
index 59ed0b975472..000000000000
--- a/src/lib/kadm5/srv/server_acl.c
+++ /dev/null
@@ -1,823 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/kadm5/srv/server_acl.c */
-/*
- * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "k5-int.h"
-#include <syslog.h>
-#include <sys/param.h>
-#include <gssapi/gssapi_generic.h>
-#include <kadm5/server_internal.h>
-#include <kadm5/admin.h>
-#include "adm_proto.h"
-#include "server_acl.h"
-#include <ctype.h>
-
-typedef struct _acl_op_table {
- char ao_op;
- krb5_int32 ao_mask;
-} aop_t;
-
-typedef struct _acl_entry {
- struct _acl_entry *ae_next;
- char *ae_name;
- krb5_boolean ae_name_bad;
- krb5_principal ae_principal;
- krb5_int32 ae_op_allowed;
- char *ae_target;
- krb5_boolean ae_target_bad;
- krb5_principal ae_target_princ;
- char *ae_restriction_string;
- /* eg: "-maxlife 3h -service +proxiable" */
- krb5_boolean ae_restriction_bad;
- restriction_t *ae_restrictions;
-} aent_t;
-
-static const aop_t acl_op_table[] = {
- { 'a', ACL_ADD },
- { 'd', ACL_DELETE },
- { 'm', ACL_MODIFY },
- { 'c', ACL_CHANGEPW },
- { 'i', ACL_INQUIRE },
- { 'l', ACL_LIST },
- { 'p', ACL_IPROP },
- { 's', ACL_SETKEY },
- { 'x', ACL_ALL_MASK },
- { '*', ACL_ALL_MASK },
- { 'e', ACL_EXTRACT },
- { '\0', 0 }
-};
-
-typedef struct _wildstate {
- int nwild;
- const krb5_data *backref[9];
-} wildstate_t;
-
-static aent_t *acl_list_head = (aent_t *) NULL;
-static aent_t *acl_list_tail = (aent_t *) NULL;
-
-static const char *acl_acl_file = (char *) NULL;
-static int acl_inited = 0;
-static int acl_debug_level = 0;
-/*
- * This is the catchall entry. If nothing else appropriate is found, or in
- * the case where the ACL file is not present, this entry controls what can
- * be done.
- */
-static const char *acl_catchall_entry = NULL;
-
-static const char *acl_line2long_msg = N_("%s: line %d too long, truncated");
-static const char *acl_op_bad_msg = N_("Unrecognized ACL operation '%c' in "
- "%s");
-static const char *acl_syn_err_msg = N_("%s: syntax error at line %d "
- "<%10s...>");
-static const char *acl_cantopen_msg = N_("%s while opening ACL file %s");
-
-/*
- * kadm5int_acl_get_line() - Get a line from the ACL file.
- * Lines ending with \ are continued on the next line
- */
-static char *
-kadm5int_acl_get_line(fp, lnp)
- FILE *fp;
- int *lnp; /* caller should set to 1 before first call */
-{
- int i, domore;
- static int line_incr = 0;
- static char acl_buf[BUFSIZ];
-
- *lnp += line_incr;
- line_incr = 0;
- for (domore = 1; domore && !feof(fp); ) {
- /* Copy in the line, with continuations */
- for (i = 0; ((i < BUFSIZ) && !feof(fp)); i++) {
- int byte;
- byte = fgetc(fp);
- acl_buf[i] = byte;
- if (byte == EOF) {
- if (i > 0 && acl_buf[i-1] == '\\')
- i--;
- break; /* it gets nulled-out below */
- }
- else if (acl_buf[i] == '\n') {
- if (i == 0 || acl_buf[i-1] != '\\')
- break; /* empty line or normal end of line */
- else {
- i -= 2; /* back up over "\\\n" and continue */
- line_incr++;
- }
- }
- }
- /* Check if we exceeded our buffer size */
- if (i == sizeof acl_buf && (i--, !feof(fp))) {
- int c1 = acl_buf[i], c2;
-
- krb5_klog_syslog(LOG_ERR, _(acl_line2long_msg), acl_acl_file,
- *lnp);
- while ((c2 = fgetc(fp)) != EOF) {
- if (c2 == '\n') {
- if (c1 != '\\')
- break;
- line_incr++;
- }
- c1 = c2;
- }
- }
- acl_buf[i] = '\0';
- if (acl_buf[0] == (char) EOF) /* ptooey */
- acl_buf[0] = '\0';
- else
- line_incr++;
- if ((acl_buf[0] != '#') && (acl_buf[0] != '\0'))
- domore = 0;
- }
- if (domore || (strlen(acl_buf) == 0))
- return((char *) NULL);
- else
- return(acl_buf);
-}
-
-/*
- * kadm5int_acl_parse_line() - Parse the contents of an ACL line.
- */
-static aent_t *
-kadm5int_acl_parse_line(lp)
- const char *lp;
-{
- static char acle_principal[BUFSIZ];
- static char acle_ops[BUFSIZ];
- static char acle_object[BUFSIZ];
- static char acle_restrictions[BUFSIZ];
- aent_t *acle;
- char *op;
- int t, found, opok, nmatch;
-
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_parse_line(line=%20s)\n", lp));
- /*
- * Format is still simple:
- * entry ::= [<whitespace>] <principal> <whitespace> <opstring>
- * [<whitespace> <target> [<whitespace> <restrictions>
- * [<whitespace>]]]
- */
- acle = (aent_t *) NULL;
- acle_object[0] = '\0';
- nmatch = sscanf(lp, "%s %s %s %[^\n]", acle_principal, acle_ops,
- acle_object, acle_restrictions);
- if (nmatch >= 2) {
- acle = (aent_t *) malloc(sizeof(aent_t));
- if (acle) {
- acle->ae_next = (aent_t *) NULL;
- acle->ae_op_allowed = (krb5_int32) 0;
- acle->ae_target =
- (nmatch >= 3) ? strdup(acle_object) : (char *) NULL;
- acle->ae_target_bad = 0;
- acle->ae_target_princ = (krb5_principal) NULL;
- opok = 1;
- for (op=acle_ops; *op; op++) {
- char rop;
-
- rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op;
- found = 0;
- for (t=0; acl_op_table[t].ao_op; t++) {
- if (rop == acl_op_table[t].ao_op) {
- found = 1;
- if (rop == *op)
- acle->ae_op_allowed |= acl_op_table[t].ao_mask;
- else
- acle->ae_op_allowed &= ~acl_op_table[t].ao_mask;
- }
- }
- if (!found) {
- krb5_klog_syslog(LOG_ERR, _(acl_op_bad_msg), *op, lp);
- opok = 0;
- }
- }
- if (opok) {
- acle->ae_name = strdup(acle_principal);
- if (acle->ae_name) {
- acle->ae_principal = (krb5_principal) NULL;
- acle->ae_name_bad = 0;
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("A ACL entry %s -> opmask %x\n",
- acle->ae_name, acle->ae_op_allowed));
- }
- else {
- if (acle->ae_target)
- free(acle->ae_target);
- free(acle);
- acle = (aent_t *) NULL;
- }
- }
- else {
- if (acle->ae_target)
- free(acle->ae_target);
- free(acle);
- acle = (aent_t *) NULL;
- }
-
- if (acle) {
- if ( nmatch >= 4 ) {
- char *trailing;
-
- trailing = &acle_restrictions[strlen(acle_restrictions)-1];
- while ( isspace((int) *trailing) )
- trailing--;
- trailing[1] = '\0';
- acle->ae_restriction_string =
- strdup(acle_restrictions);
- }
- else {
- acle->ae_restriction_string = (char *) NULL;
- }
- acle->ae_restriction_bad = 0;
- acle->ae_restrictions = (restriction_t *) NULL;
- }
- }
- }
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X kadm5int_acl_parse_line() = %x\n", (long) acle));
- return(acle);
-}
-
-/*
- * kadm5int_acl_parse_restrictions() - Parse optional restrictions field
- *
- * Allowed restrictions are:
- * [+-]flagname (recognized by krb5_flagspec_to_mask)
- * flag is forced to indicated value
- * -clearpolicy policy is forced clear
- * -policy pol policy is forced to be "pol"
- * -{expire,pwexpire,maxlife,maxrenewlife} deltat
- * associated value will be forced to
- * MIN(deltat, requested value)
- *
- * Returns: 0 on success, or system errors
- */
-static krb5_error_code
-kadm5int_acl_parse_restrictions(s, rpp)
- char *s;
- restriction_t **rpp;
-{
- char *sp = NULL, *tp, *ap, *save;
- static const char *delims = "\t\n\f\v\r ,";
- krb5_deltat dt;
- krb5_error_code code;
-
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
-
- *rpp = (restriction_t *) NULL;
- code = 0;
- if (s) {
- if (!(sp = strdup(s)) /* Don't munge the original */
- || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) {
- code = ENOMEM;
- } else {
- memset(*rpp, 0, sizeof(**rpp));
- (*rpp)->forbid_attrs = ~(krb5_flags)0;
- for (tp = strtok_r(sp, delims, &save); tp;
- tp = strtok_r(NULL, delims, &save)) {
- if (!krb5_flagspec_to_mask(tp, &(*rpp)->require_attrs,
- &(*rpp)->forbid_attrs)) {
- (*rpp)->mask |= KADM5_ATTRIBUTES;
- } else if (!strcmp(tp, "-clearpolicy")) {
- (*rpp)->mask |= KADM5_POLICY_CLR;
- } else {
- /* everything else needs an argument ... */
- if (!(ap = strtok_r(NULL, delims, &save))) {
- code = EINVAL;
- break;
- }
- if (!strcmp(tp, "-policy")) {
- if (!((*rpp)->policy = strdup(ap))) {
- code = ENOMEM;
- break;
- }
- (*rpp)->mask |= KADM5_POLICY;
- } else {
- /* all other arguments must be a deltat ... */
- if (krb5_string_to_deltat(ap, &dt)) {
- code = EINVAL;
- break;
- }
- if (!strcmp(tp, "-expire")) {
- (*rpp)->princ_lifetime = dt;
- (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME;
- } else if (!strcmp(tp, "-pwexpire")) {
- (*rpp)->pw_lifetime = dt;
- (*rpp)->mask |= KADM5_PW_EXPIRATION;
- } else if (!strcmp(tp, "-maxlife")) {
- (*rpp)->max_life = dt;
- (*rpp)->mask |= KADM5_MAX_LIFE;
- } else if (!strcmp(tp, "-maxrenewlife")) {
- (*rpp)->max_renewable_life = dt;
- (*rpp)->mask |= KADM5_MAX_RLIFE;
- } else {
- code = EINVAL;
- break;
- }
- }
- }
- }
- if (code) {
- krb5_klog_syslog(LOG_ERR, _("%s: invalid restrictions: %s"),
- acl_acl_file, s);
- }
- }
- }
- if (sp)
- free(sp);
- if (*rpp && code) {
- if ((*rpp)->policy)
- free((*rpp)->policy);
- free(*rpp);
- *rpp = (restriction_t *) NULL;
- }
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n",
- code, (*rpp) ? (*rpp)->mask : 0));
- return code;
-}
-
-/*
- * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp
- *
- * Returns: 0 on success;
- * malloc or timeofday errors
- */
-krb5_error_code
-kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
- krb5_context kcontext;
- kadm5_principal_ent_rec *recp;
- long *maskp;
- restriction_t *rp;
-{
- krb5_error_code code;
- krb5_int32 now;
-
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
- *maskp, (long)rp));
- if (!rp)
- return 0;
- if (rp->mask & (KADM5_PRINC_EXPIRE_TIME|KADM5_PW_EXPIRATION))
- if ((code = krb5_timeofday(kcontext, &now)))
- return code;
-
- if (rp->mask & KADM5_ATTRIBUTES) {
- recp->attributes |= rp->require_attrs;
- recp->attributes &= rp->forbid_attrs;
- *maskp |= KADM5_ATTRIBUTES;
- }
- if (rp->mask & KADM5_POLICY_CLR) {
- *maskp &= ~KADM5_POLICY;
- *maskp |= KADM5_POLICY_CLR;
- } else if (rp->mask & KADM5_POLICY) {
- if (recp->policy && strcmp(recp->policy, rp->policy)) {
- free(recp->policy);
- recp->policy = (char *) NULL;
- }
- if (!recp->policy) {
- recp->policy = strdup(rp->policy); /* XDR will free it */
- if (!recp->policy)
- return ENOMEM;
- }
- *maskp |= KADM5_POLICY;
- }
- if (rp->mask & KADM5_PRINC_EXPIRE_TIME) {
- if (!(*maskp & KADM5_PRINC_EXPIRE_TIME)
- || (recp->princ_expire_time > (now + rp->princ_lifetime)))
- recp->princ_expire_time = now + rp->princ_lifetime;
- *maskp |= KADM5_PRINC_EXPIRE_TIME;
- }
- if (rp->mask & KADM5_PW_EXPIRATION) {
- if (!(*maskp & KADM5_PW_EXPIRATION)
- || (recp->pw_expiration > (now + rp->pw_lifetime)))
- recp->pw_expiration = now + rp->pw_lifetime;
- *maskp |= KADM5_PW_EXPIRATION;
- }
- if (rp->mask & KADM5_MAX_LIFE) {
- if (!(*maskp & KADM5_MAX_LIFE)
- || (recp->max_life > rp->max_life))
- recp->max_life = rp->max_life;
- *maskp |= KADM5_MAX_LIFE;
- }
- if (rp->mask & KADM5_MAX_RLIFE) {
- if (!(*maskp & KADM5_MAX_RLIFE)
- || (recp->max_renewable_life > rp->max_renewable_life))
- recp->max_renewable_life = rp->max_renewable_life;
- *maskp |= KADM5_MAX_RLIFE;
- }
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
- return 0;
-}
-
-/*
- * kadm5int_acl_free_entries() - Free all ACL entries.
- */
-static void
-kadm5int_acl_free_entries()
-{
- aent_t *ap;
- aent_t *np;
-
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n"));
- for (ap=acl_list_head; ap; ap = np) {
- if (ap->ae_name)
- free(ap->ae_name);
- if (ap->ae_principal)
- krb5_free_principal((krb5_context) NULL, ap->ae_principal);
- if (ap->ae_target)
- free(ap->ae_target);
- if (ap->ae_target_princ)
- krb5_free_principal((krb5_context) NULL, ap->ae_target_princ);
- if (ap->ae_restriction_string)
- free(ap->ae_restriction_string);
- if (ap->ae_restrictions) {
- if (ap->ae_restrictions->policy)
- free(ap->ae_restrictions->policy);
- free(ap->ae_restrictions);
- }
- np = ap->ae_next;
- free(ap);
- }
- acl_list_head = acl_list_tail = (aent_t *) NULL;
- acl_inited = 0;
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_free_entries()\n"));
-}
-
-/*
- * kadm5int_acl_load_acl_file() - Open and parse the ACL file.
- */
-static int
-kadm5int_acl_load_acl_file()
-{
- FILE *afp;
- char *alinep;
- aent_t **aentpp;
- int alineno;
- int retval = 1;
-
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n"));
- /* Open the ACL file for read */
- afp = fopen(acl_acl_file, "r");
- if (afp) {
- set_cloexec_file(afp);
- alineno = 1;
- aentpp = &acl_list_head;
-
- /* Get a non-comment line */
- while ((alinep = kadm5int_acl_get_line(afp, &alineno))) {
- /* Parse it */
- *aentpp = kadm5int_acl_parse_line(alinep);
- /* If syntax error, then fall out */
- if (!*aentpp) {
- krb5_klog_syslog(LOG_ERR, _(acl_syn_err_msg),
- acl_acl_file, alineno, alinep);
- retval = 0;
- break;
- }
- acl_list_tail = *aentpp;
- aentpp = &(*aentpp)->ae_next;
- }
-
- fclose(afp);
-
- if (acl_catchall_entry) {
- *aentpp = kadm5int_acl_parse_line(acl_catchall_entry);
- if (*aentpp) {
- acl_list_tail = *aentpp;
- }
- else {
- retval = 0;
- DPRINT(DEBUG_OPERATION, acl_debug_level,
- ("> catchall acl entry (%s) load failed\n",
- acl_catchall_entry));
- }
- }
- }
- else {
- krb5_klog_syslog(LOG_ERR, _(acl_cantopen_msg),
- error_message(errno), acl_acl_file);
- if (acl_catchall_entry &&
- (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) {
- acl_list_tail = acl_list_head;
- }
- else {
- retval = 0;
- DPRINT(DEBUG_OPERATION, acl_debug_level,
- ("> catchall acl entry (%s) load failed\n",
- acl_catchall_entry));
- }
- }
-
- if (!retval) {
- kadm5int_acl_free_entries();
- }
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X kadm5int_acl_load_acl_file() = %d\n", retval));
- return(retval);
-}
-
-/*
- * kadm5int_acl_match_data() - See if two data entries match.
- *
- * Wildcarding is only supported for a whole component.
- */
-static krb5_boolean
-kadm5int_acl_match_data(const krb5_data *e1, const krb5_data *e2,
- int targetflag, wildstate_t *ws)
-{
- krb5_boolean retval;
-
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
- retval = 0;
- if (!strncmp(e1->data, "*", e1->length)) {
- retval = 1;
- if (ws && !targetflag) {
- if (ws->nwild >= 9) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Too many wildcards in ACL entry.\n"));
- }
- else
- ws->backref[ws->nwild++] = e2;
- }
- }
- else if (ws && targetflag && (e1->length == 2) && (e1->data[0] == '*') &&
- (e1->data[1] >= '1') && (e1->data[1] <= '9')) {
- int n = e1->data[1] - '1';
- if (n >= ws->nwild) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Too many backrefs in ACL entry.\n"));
- }
- else if ((ws->backref[n]->length == e2->length) &&
- (!strncmp(ws->backref[n]->data, e2->data, e2->length)))
- retval = 1;
-
- }
- else {
- if ((e1->length == e2->length) &&
- (!strncmp(e1->data, e2->data, e1->length)))
- retval = 1;
- }
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_match_entry()=%d\n",retval));
- return(retval);
-}
-
-/*
- * kadm5int_acl_find_entry() - Find a matching entry.
- */
-static aent_t *
-kadm5int_acl_find_entry(krb5_context kcontext, krb5_const_principal principal,
- krb5_const_principal dest_princ)
-{
- aent_t *entry;
- krb5_error_code kret;
- int i;
- int matchgood;
- wildstate_t state;
-
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
- for (entry=acl_list_head; entry; entry = entry->ae_next) {
- memset(&state, 0, sizeof(state));
- if (entry->ae_name_bad)
- continue;
- if (!strcmp(entry->ae_name, "*")) {
- DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n"));
- matchgood = 1;
- }
- else {
- if (!entry->ae_principal && !entry->ae_name_bad) {
- kret = krb5_parse_name(kcontext,
- entry->ae_name,
- &entry->ae_principal);
- if (kret)
- entry->ae_name_bad = 1;
- }
- if (entry->ae_name_bad) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Bad ACL entry %s\n", entry->ae_name));
- continue;
- }
- matchgood = 0;
- if (kadm5int_acl_match_data(&entry->ae_principal->realm,
- &principal->realm, 0, (wildstate_t *)0) &&
- (entry->ae_principal->length == principal->length)) {
- matchgood = 1;
- for (i=0; i<principal->length; i++) {
- if (!kadm5int_acl_match_data(&entry->ae_principal->data[i],
- &principal->data[i], 0, &state)) {
- matchgood = 0;
- break;
- }
- }
- }
- }
- if (!matchgood)
- continue;
-
- /* We've matched the principal. If we have a target, then try it */
- if (entry->ae_target && strcmp(entry->ae_target, "*")) {
- if (!entry->ae_target_princ && !entry->ae_target_bad) {
- kret = krb5_parse_name(kcontext, entry->ae_target,
- &entry->ae_target_princ);
- if (kret)
- entry->ae_target_bad = 1;
- }
- if (entry->ae_target_bad) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Bad target in ACL entry for %s\n", entry->ae_name));
- entry->ae_name_bad = 1;
- continue;
- }
- if (!dest_princ)
- matchgood = 0;
- else if (entry->ae_target_princ && dest_princ) {
- if (kadm5int_acl_match_data(&entry->ae_target_princ->realm,
- &dest_princ->realm, 1, (wildstate_t *)0) &&
- (entry->ae_target_princ->length == dest_princ->length)) {
- for (i=0; i<dest_princ->length; i++) {
- if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i],
- &dest_princ->data[i], 1, &state)) {
- matchgood = 0;
- break;
- }
- }
- }
- else
- matchgood = 0;
- }
- }
- if (!matchgood)
- continue;
-
- if (entry->ae_restriction_string
- && !entry->ae_restriction_bad
- && !entry->ae_restrictions
- && kadm5int_acl_parse_restrictions(entry->ae_restriction_string,
- &entry->ae_restrictions)) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Bad restrictions in ACL entry for %s\n", entry->ae_name));
- entry->ae_restriction_bad = 1;
- }
- if (entry->ae_restriction_bad) {
- entry->ae_name_bad = 1;
- continue;
- }
- break;
- }
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry));
- return(entry);
-}
-
-/*
- * kadm5int_acl_init() - Initialize ACL context.
- */
-krb5_error_code
-kadm5int_acl_init(kcontext, debug_level, acl_file)
- krb5_context kcontext;
- int debug_level;
- char *acl_file;
-{
- krb5_error_code kret;
-
- kret = 0;
- acl_debug_level = debug_level;
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_init(afile=%s)\n",
- ((acl_file) ? acl_file : "(null)")));
- acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL;
- acl_inited = kadm5int_acl_load_acl_file();
-
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_init() = %d\n", kret));
- return(kret);
-}
-
-/*
- * kadm5int_acl_finish - Terminate ACL context.
- */
-void
-kadm5int_acl_finish(kcontext, debug_level)
- krb5_context kcontext;
- int debug_level;
-{
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n"));
- kadm5int_acl_free_entries();
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_finish()\n"));
-}
-
-/*
- * kadm5int_acl_check_krb() - Is this operation permitted for this principal?
- */
-krb5_boolean
-kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions)
- krb5_context kcontext;
- krb5_const_principal caller_princ;
- krb5_int32 opmask;
- krb5_const_principal principal;
- restriction_t **restrictions;
-{
- krb5_boolean retval;
- aent_t *aentry;
-
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
-
- retval = FALSE;
-
- aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
- if (aentry) {
- if ((aentry->ae_op_allowed & opmask) == opmask) {
- retval = TRUE;
- if (restrictions) {
- *restrictions =
- (aentry->ae_restrictions && aentry->ae_restrictions->mask)
- ? aentry->ae_restrictions
- : (restriction_t *) NULL;
- }
- }
- }
-
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
- retval));
- return retval;
-}
-
-/*
- * kadm5int_acl_check() - Is this operation permitted for this principal?
- * this code used not to be based on gssapi. In order
- * to minimize porting hassles, I've put all the
- * gssapi hair in this function. This might not be
- * the best medium-term solution. (The best long-term
- * solution is, of course, a real authorization service.)
- */
-krb5_boolean
-kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
- krb5_context kcontext;
- gss_name_t caller;
- krb5_int32 opmask;
- krb5_principal principal;
- restriction_t **restrictions;
-{
- krb5_boolean retval;
- gss_buffer_desc caller_buf;
- gss_OID caller_oid;
- OM_uint32 emin;
- krb5_error_code code;
- krb5_principal caller_princ;
-
- if (GSS_ERROR(gss_display_name(&emin, caller, &caller_buf, &caller_oid)))
- return FALSE;
-
- code = krb5_parse_name(kcontext, (char *) caller_buf.value,
- &caller_princ);
-
- gss_release_buffer(&emin, &caller_buf);
-
- if (code != 0)
- return FALSE;
-
- retval = kadm5int_acl_check_krb(kcontext, caller_princ,
- opmask, principal, restrictions);
-
- krb5_free_principal(kcontext, caller_princ);
-
- return retval;
-}
-
-kadm5_ret_t
-kadm5_get_privs(void *server_handle, long *privs)
-{
- CHECK_HANDLE(server_handle);
-
- /* this is impossible to do with the current interface. For now,
- return all privs, which will confuse some clients, but not
- deny any access to users of "smart" clients which try to cache */
-
- *privs = ~0;
-
- return KADM5_OK;
-}
diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h
deleted file mode 100644
index d8db2f75b087..000000000000
--- a/src/lib/kadm5/srv/server_acl.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/kadm5/srv/server_acl.h */
-/*
- * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifndef SERVER_ACL_H__
-#define SERVER_ACL_H__
-
-/*
- * Debug definitions.
- */
-#define DEBUG_SPROC 1
-#define DEBUG_OPERATION 2
-#define DEBUG_HOST 4
-#define DEBUG_REALM 8
-#define DEBUG_REQUESTS 16
-#define DEBUG_ACL 32
-#define DEBUG_PROTO 64
-#define DEBUG_CALLS 128
-#define DEBUG_NOSLAVES 256
-#ifdef DEBUG
-#define DPRINT(l1, cl, al) if ((cl & l1) != 0) printf al
-#else /* DEBUG */
-#define DPRINT(l1, cl, al)
-#endif /* DEBUG */
-
-/*
- * Access control bits.
- */
-#define ACL_ADD 1
-#define ACL_DELETE 2
-#define ACL_MODIFY 4
-#define ACL_CHANGEPW 8
-/* #define ACL_CHANGE_OWN_PW 16 */
-#define ACL_INQUIRE 32
-#define ACL_EXTRACT 64
-#define ACL_LIST 128
-#define ACL_SETKEY 256
-#define ACL_IPROP 512
-#define ACL_RENAME (ACL_ADD+ACL_DELETE)
-
-#define ACL_ALL_MASK (ACL_ADD | \
- ACL_DELETE | \
- ACL_MODIFY | \
- ACL_CHANGEPW | \
- ACL_INQUIRE | \
- ACL_LIST | \
- ACL_IPROP | \
- ACL_SETKEY)
-
-typedef struct _restriction {
- long mask;
- krb5_flags require_attrs;
- krb5_flags forbid_attrs;
- krb5_deltat princ_lifetime;
- krb5_deltat pw_lifetime;
- krb5_deltat max_life;
- krb5_deltat max_renewable_life;
- long aux_attributes;
- char *policy;
-} restriction_t;
-
-krb5_error_code kadm5int_acl_init(krb5_context, int, char *);
-void kadm5int_acl_finish(krb5_context, int);
-krb5_boolean kadm5int_acl_check(krb5_context,
- gss_name_t,
- krb5_int32,
- krb5_principal,
- restriction_t **);
-krb5_boolean kadm5int_acl_check_krb(krb5_context,
- krb5_const_principal,
- krb5_int32,
- krb5_const_principal,
- restriction_t **);
-krb5_error_code kadm5int_acl_impose_restrictions(krb5_context,
- kadm5_principal_ent_rec *,
- long *,
- restriction_t *);
-#endif /* SERVER_ACL_H__ */
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 612553ba3e19..f4b8aef2bde1 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -365,7 +365,7 @@ kdb_put_entry(kadm5_server_handle_t handle,
krb5_db_entry *kdb, osa_princ_ent_rec *adb)
{
krb5_error_code ret;
- krb5_int32 now;
+ krb5_timestamp now;
XDR xdrs;
krb5_tl_data tl_data;
diff --git a/src/lib/kadm5/srv/server_misc.c b/src/lib/kadm5/srv/server_misc.c
index b361847bd553..87e97c9f8a2f 100644
--- a/src/lib/kadm5/srv/server_misc.c
+++ b/src/lib/kadm5/srv/server_misc.c
@@ -142,3 +142,17 @@ destroy_pwqual(kadm5_server_handle_t handle)
k5_pwqual_free_handles(handle->context, handle->qual_handles);
handle->qual_handles = NULL;
}
+
+kadm5_ret_t
+kadm5_get_privs(void *server_handle, long *privs)
+{
+ CHECK_HANDLE(server_handle);
+
+ /* this is impossible to do with the current interface. For now,
+ return all privs, which will confuse some clients, but not
+ deny any access to users of "smart" clients which try to cache */
+
+ *privs = ~0;
+
+ return KADM5_OK;
+}
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 0640b47c40d4..2420f2c2bebb 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle,
osa_princ_ent_rec adb;
kadm5_policy_ent_rec polent;
krb5_boolean have_polent = FALSE;
- krb5_int32 now;
+ krb5_timestamp now;
krb5_tl_data *tl_data_tail;
unsigned int ret;
kadm5_server_handle_t handle = server_handle;
@@ -400,7 +400,7 @@ kadm5_create_principal_3(void *server_handle,
kdb->pw_expiration = 0;
if (have_polent) {
if(polent.pw_max_life)
- kdb->pw_expiration = now + polent.pw_max_life;
+ kdb->pw_expiration = ts_incr(now, polent.pw_max_life);
else
kdb->pw_expiration = 0;
}
@@ -612,7 +612,7 @@ kadm5_modify_principal(void *server_handle,
&(kdb->pw_expiration));
if (ret)
goto done;
- kdb->pw_expiration += pol.pw_max_life;
+ kdb->pw_expiration = ts_incr(kdb->pw_expiration, pol.pw_max_life);
} else {
kdb->pw_expiration = 0;
}
@@ -1322,11 +1322,11 @@ kadm5_chpass_principal_3(void *server_handle,
int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
char *password)
{
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_policy_ent_rec pol;
osa_princ_ent_rec adb;
krb5_db_entry *kdb;
- int ret, ret2, last_pwd, hist_added;
+ int ret, ret2, hist_added;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
osa_pw_hist_ent hist;
@@ -1399,24 +1399,6 @@ kadm5_chpass_principal_3(void *server_handle,
if ((adb.aux_attributes & KADM5_POLICY)) {
/* the policy was loaded before */
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
- if (ret)
- goto done;
-
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if ((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
ret = check_pw_reuse(handle->context, hist_keyblocks,
kdb->n_key_data, kdb->key_data,
1, &hist);
@@ -1445,7 +1427,7 @@ kadm5_chpass_principal_3(void *server_handle,
}
if (pol.pw_max_life)
- kdb->pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
kdb->pw_expiration = 0;
} else {
@@ -1544,9 +1526,9 @@ kadm5_randkey_principal_3(void *server_handle,
{
krb5_db_entry *kdb;
osa_princ_ent_rec adb;
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_policy_ent_rec pol;
- int ret, last_pwd, n_new_keys;
+ int ret, n_new_keys;
krb5_boolean have_pol = FALSE;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
@@ -1605,26 +1587,8 @@ kadm5_randkey_principal_3(void *server_handle,
goto done;
}
if (have_pol) {
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
- if (ret)
- goto done;
-
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
if (pol.pw_max_life)
- kdb->pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
kdb->pw_expiration = 0;
} else {
@@ -1686,14 +1650,11 @@ kadm5_setv4key_principal(void *server_handle,
{
krb5_db_entry *kdb;
osa_princ_ent_rec adb;
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_policy_ent_rec pol;
krb5_keysalt keysalt;
int i, kvno, ret;
krb5_boolean have_pol = FALSE;
-#if 0
- int last_pwd;
-#endif
kadm5_server_handle_t handle = server_handle;
krb5_key_data tmp_key_data;
krb5_keyblock *act_mkey;
@@ -1756,25 +1717,8 @@ kadm5_setv4key_principal(void *server_handle,
goto done;
}
if (have_pol) {
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- kdb, &last_pwd))
- goto done;
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
if (pol.pw_max_life)
- kdb->pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
kdb->pw_expiration = 0;
} else {
@@ -1788,6 +1732,9 @@ kadm5_setv4key_principal(void *server_handle,
/* unlock principal on this KDC */
kdb->fail_auth_count = 0;
+ /* key data changed, let the database provider know */
+ kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+
if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
@@ -1888,7 +1835,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
{
krb5_db_entry *kdb;
osa_princ_ent_rec adb;
- krb5_int32 now;
+ krb5_timestamp now;
kadm5_policy_ent_rec pol;
krb5_key_data *new_key_data = NULL;
int i, j, ret, n_new_key_data = 0;
@@ -2024,7 +1971,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
}
if (have_pol) {
if (pol.pw_max_life)
- kdb->pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
else
kdb->pw_expiration = 0;
} else {
@@ -2038,6 +1985,9 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal,
/* Unlock principal on this KDC. */
kdb->fail_auth_count = 0;
+ /* key data changed, let the database provider know */
+ kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+
ret = kdb_put_entry(handle, kdb, &adb);
if (ret)
goto done;
diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c
index 60be9e85d5d3..0431653bff44 100644
--- a/src/lib/kadm5/unit-test/setkey-test.c
+++ b/src/lib/kadm5/unit-test/setkey-test.c
@@ -69,7 +69,8 @@ main(int argc, char **argv)
char *whoami, *principal, *authprinc, *authpwd;
krb5_data pwdata;
void *handle;
- int ret, i, test, encnum;
+ int ret, test, encnum;
+ unsigned int i;
whoami = argv[0];