author | Peter Shoults <Peter.Shoults@Sun.COM> | 2010-04-26 13:42:14 -0400 |
---|---|---|
committer | Peter Shoults <Peter.Shoults@Sun.COM> | 2010-04-26 13:42:14 -0400 |
commit | 661b8ac7d0f039c645db17e87130c2c1eebeda1c (patch) | |
tree | f1fc00a3846b3b6b5a86213d5cc7f1ae14fc404d /usr/src/cmd/krb5/kadmin/server/misc.c | |
parent | c3f63b71e46d1e718f2b8e17c914bf629a1fe9c5 (diff) | |
6885914 KDC doesn't enforce the password min-age policy
Diffstat (limited to 'usr/src/cmd/krb5/kadmin/server/misc.c')
-rw-r--r-- | usr/src/cmd/krb5/kadmin/server/misc.c | 80 |
1 files changed, 10 insertions, 70 deletions
diff --git a/usr/src/cmd/krb5/kadmin/server/misc.c b/usr/src/cmd/krb5/kadmin/server/misc.c index 40965ed1db..9bdd12ed74 100644 --- a/usr/src/cmd/krb5/kadmin/server/misc.c +++ b/usr/src/cmd/krb5/kadmin/server/misc.c @@ -1,9 +1,7 @@ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. */ - /* * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING * @@ -21,7 +19,6 @@ * */ - /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * @@ -30,6 +27,7 @@ #include <k5-int.h> #include <krb5/kdb.h> #include <kadm5/server_internal.h> +#include <kadm5/admin.h> #include "misc.h" /* @@ -67,7 +65,8 @@ chpass_principal_wrapper_3(void *server_handle, { kadm5_ret_t ret; - ret = check_min_life(server_handle, principal, NULL, 0); + /* Solaris Kerberos */ + ret = kadm5_check_min_life(server_handle, principal, NULL, 0); if (ret) return ret; @@ -110,7 +109,8 @@ randkey_principal_wrapper_3(void *server_handle, { kadm5_ret_t ret; - ret = check_min_life(server_handle, principal, NULL, 0); + /* Solaris Kerberos */ + ret = kadm5_check_min_life(server_handle, principal, NULL, 0); if (ret) return ret; return kadm5_randkey_principal_3(server_handle, principal, @@ -125,7 +125,8 @@ schpw_util_wrapper(void *server_handle, krb5_principal princ, { kadm5_ret_t ret; - ret = check_min_life(server_handle, princ, msg_ret, msg_len); + /* Solaris Kerberos */ + ret = kadm5_check_min_life(server_handle, princ, msg_ret, msg_len); if (ret) return ret; 
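Review bot: The added `/* Solaris Kerberos */` comment in chpass_principal_wrapper_3 marks the line as a local divergence but does not say what the call is for. The same bare tag is repeated in randkey_principal_wrapper_3, schpw_util_wrapper and randkey_principal_wrapper. In each wrapper this call is the only visible step that rejects a change made before the policy's minimum password age has passed, so I would say so: `/* Solaris Kerberos: enforce the policy's pw_min_life (KADM5_PASS_TOOSOON) before the key is changed */`. The commit title suggests some password-change path did not go through these wrappers, so the comment should also warn that a caller reaching kadm5_chpass_principal_3 or kadm5_randkey_principal_3 directly skips the check. The wrapper bodies start and end outside these hunks.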
@@ -140,71 +141,10 @@ randkey_principal_wrapper(void *server_handle, krb5_principal princ, { kadm5_ret_t ret; - ret = check_min_life(server_handle, princ, NULL, 0); + /* Solaris Kerberos */ + ret = kadm5_check_min_life(server_handle, princ, NULL, 0); if (ret) return ret; return kadm5_randkey_principal(server_handle, princ, keys, n_keys); } - -kadm5_ret_t -check_min_life(void *server_handle, krb5_principal principal, - char *msg_ret, unsigned int msg_len) -{ - krb5_int32 now; - kadm5_ret_t ret; - kadm5_policy_ent_rec pol; - kadm5_principal_ent_rec princ; - kadm5_server_handle_t handle = server_handle; - - if (msg_ret != NULL) - *msg_ret = '\0'; - - ret = krb5_timeofday(handle->context, &now); - if (ret) - return ret; - - ret = kadm5_get_principal(handle->lhandle, principal, - &princ, KADM5_PRINCIPAL_NORMAL_MASK); - if(ret) - return ret; - if(princ.aux_attributes & KADM5_POLICY) { - if((ret=kadm5_get_policy(handle->lhandle, - princ.policy, &pol)) != KADM5_OK) { - (void) kadm5_free_principal_ent(handle->lhandle, &princ); - return ret; - } - if((now - princ.last_pwd_change) < pol.pw_min_life && - !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - if (msg_ret != NULL) { - time_t until; - char *time_string, *ptr, *errstr; - - until = princ.last_pwd_change + pol.pw_min_life; - - time_string = ctime(&until); - errstr = (char *)error_message(CHPASS_UTIL_PASSWORD_TOO_SOON); - - if (strlen(errstr) + strlen(time_string) >= msg_len) { - *errstr = '\0'; - } else { - if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') - *ptr = '\0'; - sprintf(msg_ret, errstr, time_string); - } - } - - (void) kadm5_free_policy_ent(handle->lhandle, &pol); - (void) kadm5_free_principal_ent(handle->lhandle, &princ); - return KADM5_PASS_TOOSOON; - } - - ret = kadm5_free_policy_ent(handle->lhandle, &pol); - if (ret) { - (void) kadm5_free_principal_ent(handle->lhandle, &princ); - return ret; - } - } - - return kadm5_free_principal_ent(handle->lhandle, &princ); -} |
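Review bot: The definition of `kadm5_check_min_life` is not in this diff (the diffstat is limited to misc.c), so please confirm that the body removed here was not moved over unchanged, because its message branch has a defect. When the text does not fit, it runs `*errstr = '\0';`, which writes into the string returned by `error_message()` instead of the caller's buffer. The fitting case relies solely on the preceding `strlen` comparison to bound `sprintf(msg_ret, errstr, time_string)`. In the relocated function I would drop the `*errstr` write, since `msg_ret` is already cleared on entry, and format with `snprintf(msg_ret, msg_len, errstr, time_string);`. Of the callers in this file only schpw_util_wrapper passes a buffer, so that is the path to exercise with a small `msg_len`.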