From 4a0353a24a025f07ef37d2d63d26a4908b6f3543 Mon Sep 17 00:00:00 2001
From: Paul Park
Date: Tue, 9 May 1995 19:46:53 +0000
Subject: [PATCH] Make passwd_check_npass_ok a global routine

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5774 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kadmin/v5server/passwd.c | 146 +++++++++++++++++++++--------------
 1 file changed, 88 insertions(+), 58 deletions(-)

diff --git a/src/kadmin/v5server/passwd.c b/src/kadmin/v5server/passwd.c
index 2e5b498a5..83d273980 100644
--- a/src/kadmin/v5server/passwd.c
+++ b/src/kadmin/v5server/passwd.c
@@ -116,6 +116,7 @@ passwd_check_opass_ok(kcontext, debug_level, princ, dbentp, pwdata)
     krb5_boolean pwret;
     krb5_keyblock pkey, akey;
     krb5_keyblock pkey1, akey1;
+    krb5_data psalt, asalt;
     krb5_error_code kret;
 
     DPRINT(DEBUG_CALLS, debug_level, ("* passwd_check_opass_ok()\n"));
@@ -126,6 +127,8 @@ passwd_check_opass_ok(kcontext, debug_level, princ, dbentp, pwdata)
     memset((char *) &akey, 0, sizeof(akey));
     memset((char *) &pkey1, 0, sizeof(pkey));
     memset((char *) &akey1, 0, sizeof(akey));
+    memset((char *) &psalt, 0, sizeof(psalt));
+    memset((char *) &asalt, 0, sizeof(asalt));
 
     /* Make key(s) using alleged old password */
     kret = key_string_to_keys(kcontext,
@@ -134,7 +137,9 @@ passwd_check_opass_ok(kcontext, debug_level, princ, dbentp, pwdata)
                               dbentp->salt_type,
                               dbentp->alt_salt_type,
                               &pkey,
-                              &akey);
+                              &akey,
+                              &psalt,
+                              &asalt);
 
     /* Now decrypt database entries */
     if (!kret)
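Review bot: In the `@@ -134,7 +137,9 @@` hunk, key_string_to_keys is still given only `dbentp->salt_type` and `dbentp->alt_salt_type`; the stored `dbentp->salt`/`alt_salt` are never passed in, and the psalt/asalt the call now returns are only freed later, so the old-password check regenerates its salts rather than using what the database entry records. That is correct only if key_string_to_keys derives the salt deterministically from the principal for every salt type the server writes — this same commit starts storing the generated salt in passwd_set_npass, so if any salt type is random the check would diverge from what was set; key_string_to_keys is not visible here, so please confirm. If it is deterministic, say so at the call site: `/* Salts are regenerated from salt_type; must match what passwd_set_npass stored. */`. passwd_check_opass_ok begins before and continues after these hunks.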
@@ -176,57 +181,16 @@ passwd_check_opass_ok(kcontext, debug_level, princ, dbentp, pwdata)
         memset((char *) pkey.contents, 0, (size_t) pkey.length);
         krb5_xfree(pkey.contents);
     }
-    DPRINT(DEBUG_CALLS, debug_level,
-           ("X passwd_check_opass_ok() = %d\n", pwret));
-    return(pwret);
-}
-
-/*
- * passwd_check_npass_ok() - Check if new password is ok.
- */
-static krb5_boolean
-passwd_check_npass_ok(kcontext, debug_level, princ, dbentp, pwdata, supp)
-    krb5_context kcontext;
-    int debug_level;
-    krb5_principal princ;
-    krb5_db_entry *dbentp;
-    krb5_data *pwdata;
-    krb5_int32 *supp;
-{
-    krb5_boolean pwret;
-
-    DPRINT(DEBUG_CALLS, debug_level, ("* passwd_check_npass_ok()\n"));
-    pwret = 1;
-
-    /*
-     * Check whether a new password is good.
-     */
-#if KPWD_CHECK_LENGTH
-    /* Check length */
-    if (pwdata->length < KPWD_MIN_PWD_LENGTH) {
-        pwret = 0;
-        *supp = KRB5_ADM_PWD_TOO_SHORT;
-        DPRINT(DEBUG_CALLS, debug_level,
-               ("* passwd_check_npass_ok() - TOO SHORT\n"));
+    if (psalt.data) {
+        memset((char *) psalt.data, 0, (size_t) psalt.length);
+        krb5_xfree(psalt.data);
     }
-#endif /* KPWD_CHECK_LENGTH */
-
-#if KPWD_CHECK_WEAKNESS
-    /* Check weakness of keys generated by password */
-    if (key_pwd_is_weak(kcontext,
-                        princ,
-                        pwdata,
-                        dbentp->salt_type,
-                        dbentp->alt_salt_type)) {
-        pwret = 0;
-        *supp = KRB5_ADM_PWD_WEAK;
-        DPRINT(DEBUG_CALLS, debug_level,
-               ("* passwd_check_npass_ok() - WEAK\n"));
+    if (asalt.data) {
+        memset((char *) asalt.data, 0, (size_t) asalt.length);
+        krb5_xfree(asalt.data);
     }
-#endif /* KPWD_CHECK_WEAKNESS */
-
     DPRINT(DEBUG_CALLS, debug_level,
-           ("X passwd_check_npass_ok() = %d\n", pwret));
+           ("X passwd_check_opass_ok() = %d\n", pwret));
     return(pwret);
 }
 
@@ -244,6 +208,7 @@ passwd_set_npass(kcontext, debug_level, princ, dbentp, pwdata)
     krb5_keyblock pkey, akey;
     krb5_error_code kret;
     krb5_db_entry entry2write;
+    krb5_data psalt, asalt;
     int nwrite;
 
     DPRINT(DEBUG_CALLS, debug_level, ("* passwd_set_npass()\n"));
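Review bot: The new cleanup in the `@@ -176,57 +181,16 @@` hunk wipes psalt.data and asalt.data with memset before freeing them, copying the pattern used for pkey/akey directly above, but a salt is not key material — this same commit stores it in the clear in the database entry — so the two memset calls are dead weight here and `krb5_xfree(psalt.data);` / `krb5_xfree(asalt.data);` alone would do. If the wiping is kept for uniformity, a one-line comment would stop the next reader from assuming the salt is secret: `/* salts are public; wiped only for symmetry with the key buffers */`. As a caveat, plain memset before free is also the only wiping the key buffers above get, and an optimizing compiler may drop a memset whose target is immediately freed, but those lines are pre-existing context rather than part of this change. passwd_check_opass_ok begins outside the hunk.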
@@ -252,6 +217,8 @@ passwd_set_npass(kcontext, debug_level, princ, dbentp, pwdata) memset((char *) &pkey, 0, sizeof(pkey)); memset((char *) &akey, 0, sizeof(akey)); memset((char *) &entry2write, 0, sizeof(krb5_db_entry)); + memset((char *) &psalt, 0, sizeof(psalt)); + memset((char *) &asalt, 0, sizeof(asalt)); /* Make key(s) using the new password */ if (kret = key_string_to_keys(kcontext, @@ -260,7 +227,9 @@ passwd_set_npass(kcontext, debug_level, princ, dbentp, pwdata) dbentp->salt_type, dbentp->alt_salt_type, &pkey, - &akey)) + &akey, + &psalt, + &asalt)) goto cleanup; /* Now get a new database entry */ @@ -288,7 +257,11 @@ passwd_set_npass(kcontext, debug_level, princ, dbentp, pwdata) /* Update the kvno */ entry2write.kvno++; - /* Salt? */ + /* Salt */ + entry2write.salt_length = psalt.length; + entry2write.salt = (krb5_octet *) psalt.data; + entry2write.alt_salt_length = asalt.length; + entry2write.alt_salt = (krb5_octet *) asalt.data; /* Now write the entry */ nwrite = 1; @@ -300,13 +273,13 @@ passwd_set_npass(kcontext, debug_level, princ, dbentp, pwdata) cleanup: if (entry2write.key.contents) { - memset((char *) &entry2write.key, 0, sizeof(krb5_encrypted_keyblock)); krb5_xfree(entry2write.key.contents); + memset((char *) &entry2write.key, 0, sizeof(krb5_encrypted_keyblock)); } if (entry2write.alt_key.contents) { + krb5_xfree(entry2write.alt_key.contents); memset((char *) &entry2write.alt_key, 0, sizeof(krb5_encrypted_keyblock)); - krb5_xfree(entry2write.alt_key.contents); } if (akey.contents) { memset((char *) akey.contents, 0, (size_t) akey.length); 
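Review bot: In the `@@ -288,7 +257,11 @@` hunk, `entry2write.salt` and `entry2write.alt_salt` now alias `psalt.data`/`asalt.data`, and those buffers are released through psalt/asalt in the cleanup tail (that free sits after this hunk), while the cleanup shown here frees only `entry2write.key.contents`/`alt_key.contents`. That is sound only if the write between them copies the entry rather than retaining the salt pointers, and nothing in the hunk records that ownership; I would add, next to the assignments, `/* salt/alt_salt borrow psalt/asalt; freed via those in cleanup, so the put must copy them */`. The assignments also copy `psalt.length` (a `krb5_data` length) into `salt_length`, whose width is not visible here; if the two types differ a silent narrowing is possible and worth a check. passwd_set_npass starts and ends outside these hunks.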
@@ -316,6 +289,14 @@ passwd_set_npass(kcontext, debug_level, princ, dbentp, pwdata)
         memset((char *) pkey.contents, 0, (size_t) pkey.length);
         krb5_xfree(pkey.contents);
     }
+    if (psalt.data) {
+        memset((char *) psalt.data, 0, (size_t) psalt.length);
+        krb5_xfree(psalt.data);
+    }
+    if (asalt.data) {
+        memset((char *) asalt.data, 0, (size_t) asalt.length);
+        krb5_xfree(asalt.data);
+    }
     DPRINT(DEBUG_CALLS, debug_level,
            ("X passwd_set_npass() = %d\n", kret));
     return(kret);
@@ -339,7 +320,7 @@ passwd_check(kcontext, debug_level, auth_context, ticket, pwdata, supp)
     char *canon_name;
     krb5_db_entry tmp_entry;
     int tmp_nents;
-    int tmp_more;
+    krb5_boolean tmp_more;
 
     DPRINT(DEBUG_CALLS, debug_level, ("* passwd_check()\n"));
     pwret = KRB5_ADM_SUCCESS;
@@ -358,7 +339,7 @@ passwd_check(kcontext, debug_level, auth_context, ticket, pwdata, supp)
                          &tmp_entry,
                          &tmp_nents,
                          &tmp_more)) {
-        *supp = KRB5_ADM_BAD_PRINC;
+        *supp = KADM_BAD_PRINC;
         goto cleanup;
     }
 
@@ -412,7 +393,7 @@ passwd_change(kcontext, debug_level, auth_context, ticket,
     char *canon_name;
     krb5_db_entry tmp_entry;
     int tmp_nents;
-    int tmp_more;
+    krb5_boolean tmp_more;
 
     DPRINT(DEBUG_CALLS, debug_level, ("* passwd_change()\n"));
     pwret = KRB5_ADM_SUCCESS;
@@ -437,7 +418,7 @@ passwd_change(kcontext, debug_level, auth_context, ticket,
                          &tmp_entry,
                          &tmp_nents,
                          &tmp_more)) {
-        *supp = KRB5_ADM_BAD_PRINC;
+        *supp = KADM_BAD_PRINC;
         goto cleanup;
     }
 
@@ -447,7 +428,7 @@ passwd_change(kcontext, debug_level, auth_context, ticket,
     if (!acl_op_permitted(kcontext, client, ACL_CHANGE_OWN_PW)) {
         com_err(programname, 0, pwd_perm_denied, canon_name);
         pwret = KRB5_ADM_CANT_CHANGE;
-        *supp = KRB5_ADM_NOT_ALLOWED;
+        *supp = KADM_NOT_ALLOWED;
         goto cleanup;
     }
 
@@ -505,3 +486,52 @@ passwd_change(kcontext, debug_level, auth_context, ticket,
     DPRINT(DEBUG_CALLS, debug_level, ("X passwd_change() = %d\n", pwret));
     return(pwret);
 }
+
+/*
+ * passwd_check_npass_ok() - Check if new password is ok.
+ */
+krb5_boolean
+passwd_check_npass_ok(kcontext, debug_level, princ, dbentp, pwdata, supp)
+    krb5_context kcontext;
+    int debug_level;
+    krb5_principal princ;
+    krb5_db_entry *dbentp;
+    krb5_data *pwdata;
+    krb5_int32 *supp;
+{
+    krb5_boolean pwret;
+
+    DPRINT(DEBUG_CALLS, debug_level, ("* passwd_check_npass_ok()\n"));
+    pwret = 1;
+
+    /*
+     * Check whether a new password is good.
+     */
+#if KPWD_CHECK_LENGTH
+    /* Check length */
+    if (pwdata->length < KPWD_MIN_PWD_LENGTH) {
+        pwret = 0;
+        *supp = KADM_PWD_TOO_SHORT;
+        DPRINT(DEBUG_CALLS, debug_level,
+               ("* passwd_check_npass_ok() - TOO SHORT\n"));
+    }
+#endif /* KPWD_CHECK_LENGTH */
+
+#if KPWD_CHECK_WEAKNESS
+    /* Check weakness of keys generated by password */
+    if (key_pwd_is_weak(kcontext,
+                        princ,
+                        pwdata,
+                        dbentp->salt_type,
+                        dbentp->alt_salt_type)) {
+        pwret = 0;
+        *supp = KADM_PWD_WEAK;
+        DPRINT(DEBUG_CALLS, debug_level,
+               ("* passwd_check_npass_ok() - WEAK\n"));
+    }
+#endif /* KPWD_CHECK_WEAKNESS */
+
+    DPRINT(DEBUG_CALLS, debug_level,
+           ("X passwd_check_npass_ok() = %d\n", pwret));
+    return(pwret);
+}
-- 
2.26.2
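Review bot: In the re-added passwd_check_npass_ok, the `KPWD_CHECK_WEAKNESS` block runs even when the length check has already set `pwret = 0`, so a too-short password still pays for key derivation inside key_pwd_is_weak and its `*supp` code is then overwritten with `KADM_PWD_WEAK`, hiding the more specific TOO_SHORT reason from the caller; guarding the second check with `if (pwret && key_pwd_is_weak(kcontext,` fixes both. The routine also leaves `*supp` untouched on success, so every caller must preinitialize it — worth stating in the header comment, e.g. `/* On failure *supp is set to a KADM_PWD_* reason; on success it is not written. */`. Finally the function now has external linkage but no prototype is visible in this patch; it should be declared in the server's header so callers are type-checked rather than implicitly declared. This hunk is the end of the file.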