Merge remote-tracking branch 'origin/mdb.master' into OPENLDAP_REL_ENG_2_4

[openldap] / contrib / slapd-modules / smbk5pwd / smbk5pwd.c

diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
index 38b8b47102d00e19aab9a32bd380602307c47f43..301bdc89456ab39310e2629338561a7196976b46 100644 (file)
--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
@@ -1,7 +1,9 @@
 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
 /* $OpenLDAP$ */
-/*
- * Copyright 2004-2005 by Howard Chu, Symas Corp.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2004-2013 The OpenLDAP Foundation.
+ * Portions Copyright 2004-2005 by Howard Chu, Symas Corp.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -12,11 +14,10 @@
  * top-level directory of the distribution or, alternatively, at
  * <http://www.OpenLDAP.org/license.html>.
  */
-/*
+/* ACKNOWLEDGEMENTS:
  * Support for table-driven configuration added by Pierangelo Masarati.
  * Support for sambaPwdMustChange and sambaPwdCanChange added by Marco D'Ettorre.
- *
- * The conditions of the OpenLDAP Public License apply.
+ * Support for shadowLastChange added by SATOH Fumiyasu @ OSS Technology, Inc.
  */
 
 #include <portable.h>
@@ -59,12 +60,20 @@ static HDB *db;
 static AttributeDescription *ad_krb5Key;
 static AttributeDescription *ad_krb5KeyVersionNumber;
 static AttributeDescription *ad_krb5PrincipalName;
+static AttributeDescription *ad_krb5ValidEnd;
 static ObjectClass *oc_krb5KDCEntry;
 #endif
 
 #ifdef DO_SAMBA
+#ifdef HAVE_GNUTLS
+#include <gcrypt.h>
+typedef unsigned char DES_cblock[8];
+#elif HAVE_OPENSSL
 #include <openssl/des.h>
 #include <openssl/md4.h>
+#else
+#error Unsupported crypto backend.
+#endif
 #include "ldap_utf8.h"
 
 static AttributeDescription *ad_sambaLMPassword;
@@ -75,14 +84,21 @@ static AttributeDescription *ad_sambaPwdCanChange;
 static ObjectClass *oc_sambaSamAccount;
 #endif
 
+#ifdef DO_SHADOW
+static AttributeDescription *ad_shadowLastChange;
+static ObjectClass *oc_shadowAccount;
+#endif
+
 /* Per-instance configuration information */
 typedef struct smbk5pwd_t {
        unsigned        mode;
 #define        SMBK5PWD_F_KRB5         (0x1U)
 #define        SMBK5PWD_F_SAMBA        (0x2U)
+#define        SMBK5PWD_F_SHADOW       (0x4U)
 
 #define SMBK5PWD_DO_KRB5(pi)   ((pi)->mode & SMBK5PWD_F_KRB5)
 #define SMBK5PWD_DO_SAMBA(pi)  ((pi)->mode & SMBK5PWD_F_SAMBA)
+#define SMBK5PWD_DO_SHADOW(pi) ((pi)->mode & SMBK5PWD_F_SHADOW)
 
 #ifdef DO_KRB5
        /* nothing yet */
@@ -94,6 +110,10 @@ typedef struct smbk5pwd_t {
        /* How many seconds after allowing a password change? */
        time_t  smb_can_change;
 #endif
+
+#ifdef DO_SHADOW
+       /* nothing yet */
+#endif
 } smbk5pwd_t;
 
 static const unsigned SMBK5PWD_F_ALL   =
@@ -104,6 +124,9 @@ static const unsigned SMBK5PWD_F_ALL        =
 #ifdef DO_SAMBA
        | SMBK5PWD_F_SAMBA
 #endif
+#ifdef DO_SHADOW
+       | SMBK5PWD_F_SHADOW
+#endif
 ;
 
 static int smbk5pwd_modules_init( smbk5pwd_t *pi );
@@ -114,7 +137,7 @@ static const char hex[] = "0123456789abcdef";
 /* From liblutil/passwd.c... */
 static void lmPasswd_to_key(
        const char *lmPasswd,
-       des_cblock *key)
+       DES_cblock *key)
 {
        const unsigned char *lpw = (const unsigned char *)lmPasswd;
        unsigned char *k = (unsigned char *)key;
@@ -129,7 +152,9 @@ static void lmPasswd_to_key(
        k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6);
        k[7] = ((lpw[6]&0x7F)<<1);
 
+#ifdef HAVE_OPENSSL
        des_set_odd_parity( key );
+#endif
 }
 
 #define MAX_PWLEN 256
@@ -162,22 +187,46 @@ static void lmhash(
 )
 {
        char UcasePassword[15];
-       des_cblock key;
-       des_key_schedule schedule;
-       des_cblock StdText = "KGS!@#$%";
-       des_cblock hbuf[2];
+       DES_cblock key;
+       DES_cblock StdText = "KGS!@#$%";
+       DES_cblock hbuf[2];
+#ifdef HAVE_OPENSSL
+       DES_key_schedule schedule;
+#elif defined(HAVE_GNUTLS)
+       gcry_cipher_hd_t h = NULL;
+       gcry_error_t err;
+
+       err = gcry_cipher_open( &h, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, 0 );
+       if ( err ) return;
+#endif
 
        strncpy( UcasePassword, passwd->bv_val, 14 );
        UcasePassword[14] = '\0';
        ldap_pvt_str2upper( UcasePassword );
 
        lmPasswd_to_key( UcasePassword, &key );
+#ifdef HAVE_GNUTLS
+       err = gcry_cipher_setkey( h, &key, sizeof(key) );
+       if ( err == 0 ) {
+               err = gcry_cipher_encrypt( h, &hbuf[0], sizeof(key), &StdText, sizeof(key) );
+               if ( err == 0 ) {
+                       gcry_cipher_reset( h );
+                       lmPasswd_to_key( &UcasePassword[7], &key );
+                       err = gcry_cipher_setkey( h, &key, sizeof(key) );
+                       if ( err == 0 ) {
+                               err = gcry_cipher_encrypt( h, &hbuf[1], sizeof(key), &StdText, sizeof(key) );
+                       }
+               }
+               gcry_cipher_close( h );
+       }
+#elif defined(HAVE_OPENSSL)
        des_set_key_unchecked( &key, schedule );
        des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
 
        lmPasswd_to_key( &UcasePassword[7], &key );
        des_set_key_unchecked( &key, schedule );
        des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
+#endif
 
        hexify( (char *)hbuf, hash );
 }
@@ -192,14 +241,20 @@ static void nthash(
         * 256 UCS2 characters, not 256 bytes...
         */
        char hbuf[HASHLEN];
+#ifdef HAVE_OPENSSL
        MD4_CTX ctx;
+#endif
 
        if (passwd->bv_len > MAX_PWLEN*2)
                passwd->bv_len = MAX_PWLEN*2;
-               
+
+#ifdef HAVE_OPENSSL
        MD4_Init( &ctx );
        MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
        MD4_Final( (unsigned char *)hbuf, &ctx );
+#elif defined(HAVE_GNUTLS)
+       gcry_md_hash_buffer(GCRY_MD_MD4, hbuf, passwd->bv_val, passwd->bv_len );
+#endif
 
        hexify( hbuf, hash );
 }
@@ -273,9 +328,9 @@ static int k5key_chk(
        int rc;
        Entry *e;
        Attribute *a;
-    krb5_error_code ret;
-    krb5_keyblock key;
-    krb5_salt salt;
+       krb5_error_code ret;
+       krb5_keyblock key;
+       krb5_salt salt;
        hdb_entry ent;
 
        /* Find our thread context, find our Operation */
@@ -300,6 +355,19 @@ static int k5key_chk(
                memset( &ent, 0, sizeof(ent) );
                ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
                if ( ret ) break;
+
+               a = attr_find( e->e_attrs, ad_krb5ValidEnd );
+               if (a) {
+                       struct lutil_tm tm;
+                       struct lutil_timet tt;
+                       if ( lutil_parsetime( a->a_vals[0].bv_val, &tm ) == 0 &&
+                               lutil_tm2time( &tm, &tt ) == 0 && tt.tt_usec < op->o_time ) {
+                               /* Account is expired */
+                               rc = LUTIL_PASSWD_ERR;
+                               break;
+                       }
+               }
+
                krb5_get_pw_salt( context, ent.principal, &salt );
                krb5_free_principal( context, ent.principal );
 
@@ -350,6 +418,7 @@ static int smbk5pwd_exop_passwd(
        Modifications *ml;
        slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
        smbk5pwd_t *pi = on->on_bi.bi_private;
+       char term;
 
        /* Not the operation we expected, pass it on... */
        if ( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) ) {
@@ -360,12 +429,16 @@ static int smbk5pwd_exop_passwd(
        rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
        if ( rc != LDAP_SUCCESS ) return rc;
 
+       term = qpw->rs_new.bv_val[qpw->rs_new.bv_len];
+       qpw->rs_new.bv_val[qpw->rs_new.bv_len] = '\0';
+
 #ifdef DO_KRB5
        /* Kerberos stuff */
        do {
                krb5_error_code ret;
                hdb_entry ent;
                struct berval *keys;
+               size_t nkeys;
                int kvno, i;
                Attribute *a;
 
@@ -396,7 +469,9 @@ static int smbk5pwd_exop_passwd(
                                op->o_log_prefix, e->e_name.bv_val, 0 );
                }
 
-               ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
+               ret = hdb_generate_key_set_password(context, ent.principal,
+                       qpw->rs_new.bv_val, &ent.keys.val, &nkeys);
+               ent.keys.len = nkeys;
                hdb_seal_keys(context, db, &ent);
                krb5_free_principal( context, ent.principal );
 
@@ -415,7 +490,7 @@ static int smbk5pwd_exop_passwd(
                }
                BER_BVZERO( &keys[i] );
 
-               _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val);
+               hdb_free_keys(context, ent.keys.len, ent.keys.val);
 
                if ( i != ent.keys.len ) {
                        ber_bvarray_free( keys );
@@ -595,7 +670,37 @@ static int smbk5pwd_exop_passwd(
                }
        }
 #endif /* DO_SAMBA */
+
+#ifdef DO_SHADOW
+       /* shadow stuff */
+       if ( SMBK5PWD_DO_SHADOW( pi ) && is_entry_objectclass(e, oc_shadowAccount, 0 ) ) {
+               struct berval *keys;
+
+               ml = ch_malloc(sizeof(Modifications));
+               if (!qpw->rs_modtail) qpw->rs_modtail = &ml->sml_next;
+               ml->sml_next = qpw->rs_mods;
+               qpw->rs_mods = ml;
+
+               keys = ch_malloc( sizeof(struct berval) * 2);
+               BER_BVZERO( &keys[1] );
+               keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
+               keys[0].bv_len = snprintf(keys[0].bv_val,
+                       LDAP_PVT_INTTYPE_CHARS(long),
+                       "%ld", (long)(slap_get_time() / (60 * 60 * 24)));
+
+               ml->sml_desc = ad_shadowLastChange;
+               ml->sml_op = LDAP_MOD_REPLACE;
+#ifdef SLAP_MOD_INTERNAL
+               ml->sml_flags = SLAP_MOD_INTERNAL;
+#endif
+               ml->sml_numvals = 1;
+               ml->sml_values = keys;
+               ml->sml_nvalues = NULL;
+       }
+#endif /* DO_SHADOW */
+
        be_entry_release_r( op, e );
+       qpw->rs_new.bv_val[qpw->rs_new.bv_len] = term;
 
        return SLAP_CB_CONTINUE;
 }
@@ -656,6 +761,7 @@ static ConfigOCs smbk5pwd_cfocs[] = {
 static slap_verbmasks smbk5pwd_modules[] = {
        { BER_BVC( "krb5" ),            SMBK5PWD_F_KRB5 },
        { BER_BVC( "samba" ),           SMBK5PWD_F_SAMBA },
+       { BER_BVC( "shadow" ),          SMBK5PWD_F_SHADOW },
        { BER_BVNULL,                   -1 }
 };
 
@@ -714,10 +820,10 @@ smbk5pwd_cf_func( ConfigArgs *c )
                                pi->mode = 0;
 
                        } else {
-                               slap_mask_t     m;
+                               int i;
 
-                               m = verb_to_mask( c->line, smbk5pwd_modules );
-                               pi->mode &= ~m;
+                               i = verb_to_mask( c->line, smbk5pwd_modules );
+                               pi->mode &= ~smbk5pwd_modules[i].mask;
                        }
                        break;
 
@@ -766,7 +872,7 @@ smbk5pwd_cf_func( ConfigArgs *c )
                 break;
 
        case PC_SMB_ENABLE: {
-               slap_mask_t     mode = pi->mode, m;
+               slap_mask_t     mode = pi->mode, m = 0;
 
                rc = verbs_to_mask( c->argc, c->argv, smbk5pwd_modules, &m );
                if ( rc > 0 ) {
@@ -801,6 +907,16 @@ smbk5pwd_cf_func( ConfigArgs *c )
                }
 #endif /* ! DO_SAMBA */
 
+#ifndef DO_SHADOW
+               if ( SMBK5PWD_DO_SHADOW( pi ) ) {
+                       Debug( LDAP_DEBUG_ANY, "%s: smbk5pwd: "
+                               "<%s> module \"%s\" only allowed when compiled with -DDO_SHADOW.\n",
+                               c->log, c->argv[ 0 ], c->argv[ rc ] );
+                       pi->mode = mode;
+                       return 1;
+               }
+#endif /* ! DO_SHADOW */
+
                {
                        BackendDB       db = *c->be;
 
@@ -835,6 +951,7 @@ smbk5pwd_modules_init( smbk5pwd_t *pi )
                { "krb5Key",                    &ad_krb5Key },
                { "krb5KeyVersionNumber",       &ad_krb5KeyVersionNumber },
                { "krb5PrincipalName",          &ad_krb5PrincipalName },
+               { "krb5ValidEnd",               &ad_krb5ValidEnd },
                { NULL }
        },
 #endif /* DO_KRB5 */
@@ -848,6 +965,12 @@ smbk5pwd_modules_init( smbk5pwd_t *pi )
                { NULL }
        },
 #endif /* DO_SAMBA */
+#ifdef DO_SHADOW
+       shadow_ad[] = {
+               { "shadowLastChange",           &ad_shadowLastChange },
+               { NULL }
+       },
+#endif /* DO_SHADOW */
        dummy_ad;
 
        /* this is to silence the unused var warning */
@@ -903,7 +1026,7 @@ smbk5pwd_modules_init( smbk5pwd_t *pi )
                        char *err_str, *err_msg = "<unknown error>";
                        err_str = krb5_get_error_string( context );
                        if (!err_str)
-                               err_msg = krb5_get_err_text( context, ret );
+                               err_msg = (char *)krb5_get_err_text( context, ret );
                        Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
                                "unable to initialize krb5 admin context: %s (%d).\n",
                                err_str ? err_str : err_msg, ret, 0 );
@@ -947,6 +1070,35 @@ smbk5pwd_modules_init( smbk5pwd_t *pi )
        }
 #endif /* DO_SAMBA */
 
+#ifdef DO_SHADOW
+       if ( SMBK5PWD_DO_SHADOW( pi ) && oc_shadowAccount == NULL ) {
+               int             i, rc;
+
+               oc_shadowAccount = oc_find( "shadowAccount" );
+               if ( !oc_shadowAccount ) {
+                       Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
+                               "unable to find \"shadowAccount\" objectClass.\n",
+                               0, 0, 0 );
+                       return -1;
+               }
+
+               for ( i = 0; shadow_ad[ i ].name != NULL; i++ ) {
+                       const char      *text;
+
+                       *(shadow_ad[ i ].adp) = NULL;
+
+                       rc = slap_str2ad( shadow_ad[ i ].name, shadow_ad[ i ].adp, &text );
+                       if ( rc != LDAP_SUCCESS ) {
+                               Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
+                                       "unable to find \"%s\" attributeType: %s (%d).\n",
+                                       shadow_ad[ i ].name, text, rc );
+                               oc_shadowAccount = NULL;
+                               return rc;
+                       }
+               }
+       }
+#endif /* DO_SHADOW */
+
        return 0;
 }