From 7422cd1f6b012c2edb4e04ec03c993b5c047611f Mon Sep 17 00:00:00 2001
From: Florian Best <best@univention.de>
Date: Mon, 30 Nov 2015 16:20:32 +0100
Subject: [PATCH] Implement
 krb5_get_init_creds_opt_set_change_password_prompt()

---
 lib/krb5/init_creds.c           |  7 +++++++
 lib/krb5/init_creds_pw.c        | 17 +++++++++++++----
 lib/krb5/krb5.h                 |  2 ++
 lib/krb5/krb5_get_init_creds.3  |  5 +++++
 lib/krb5/libkrb5-exports.def.in |  1 +
 lib/krb5/version-script.map     |  1 +
 6 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/lib/krb5/init_creds.c b/lib/krb5/init_creds.c
index 4c0b89710..58734c43f 100644
--- a/lib/krb5/init_creds.c
+++ b/lib/krb5/init_creds.c
@@ -195,6 +195,13 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
 #endif
 }
 
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
+                                                   int change_password_prompt)
+{
+	opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT;
+	opt->change_password_prompt = change_password_prompt;
+}
 
 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 32d887dcd..eb5a503b0 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -540,10 +540,15 @@ change_password (krb5_context context,
     krb5_get_init_creds_opt_set_tkt_life (options, 60);
     krb5_get_init_creds_opt_set_forwardable (options, FALSE);
     krb5_get_init_creds_opt_set_proxiable (options, FALSE);
-    if (old_options && old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
-	krb5_get_init_creds_opt_set_preauth_list (options,
-						  old_options->preauth_list,
-						  old_options->preauth_list_length);
+    if (old_options &&
+        (old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST))
+	krb5_get_init_creds_opt_set_preauth_list(options,
+						 old_options->preauth_list,
+						 old_options->preauth_list_length);
+    if (old_options &&
+        (old_options->flags & KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT))
+        krb5_get_init_creds_opt_set_change_password_prompt(options,
+                                                           old_options->change_password_prompt);
 
     krb5_data_zero (&result_code_string);
     krb5_data_zero (&result_string);
@@ -2684,6 +2689,10 @@ krb5_get_init_creds_password(krb5_context context,
 	if (prompter == NULL)
 	    goto out;
 
+	if ((options->flags & KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT) &&
+            !options->change_password_prompt)
+		goto out;
+
 	ret = change_password (context,
 			       client,
 			       ctx->password,
diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h
index 572db7ed7..19c89f21a 100644
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -748,6 +748,7 @@ struct _krb5_get_init_creds_opt {
     int forwardable;
     int proxiable;
     int anonymous;
+    int change_password_prompt;
     krb5_enctype *etype_list;
     int etype_list_length;
     krb5_addresses *address_list;
@@ -771,6 +772,7 @@ typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt;
 #define KRB5_GET_INIT_CREDS_OPT_SALT		0x0080 /* no supported */
 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS	0x0100
 #define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK	0x0200
+#define KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT	0x0400
 
 /* krb5_init_creds_step flags argument */
 #define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE	0x0001
diff --git a/lib/krb5/krb5_get_init_creds.3 b/lib/krb5/krb5_get_init_creds.3
index fccad5c4c..11257b9d9 100644
--- a/lib/krb5/krb5_get_init_creds.3
+++ b/lib/krb5/krb5_get_init_creds.3
@@ -97,6 +97,11 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "int anonymous"
 .Fc
 .Ft void
+.Fo krb5_get_init_creds_opt_set_change_password_prompt
+.Fa "krb5_get_init_creds_opt *opt"
+.Fa "int change_password_prompt"
+.Fc
+.Ft void
 .Fo krb5_get_init_creds_opt_set_default_flags
 .Fa "krb5_context context"
 .Fa "const char *appname"
diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in
index 4236e1e73..01f9f78c3 100644
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -350,6 +350,7 @@ EXPORTS
 	krb5_get_init_creds_opt_set_address_list
 	krb5_get_init_creds_opt_set_addressless
 	krb5_get_init_creds_opt_set_anonymous
+	krb5_get_init_creds_opt_set_change_password_prompt
 	krb5_get_init_creds_opt_set_canonicalize
 	krb5_get_init_creds_opt_set_default_flags
 	krb5_get_init_creds_opt_set_etype_list
diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map
index 997103b2f..6c49368a8 100644
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -346,6 +346,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_get_init_creds_opt_set_address_list;
 		krb5_get_init_creds_opt_set_addressless;
 		krb5_get_init_creds_opt_set_anonymous;
+		krb5_get_init_creds_opt_set_change_password_prompt;
 		krb5_get_init_creds_opt_set_canonicalize;
 		krb5_get_init_creds_opt_set_default_flags;
 		krb5_get_init_creds_opt_set_etype_list;