From 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Fri, 7 Jan 2022 12:54:40 +1100 Subject: [PATCH] hdb: eliminate hdb_entry_ex Remove hdb_entry_ex and revert to the original design of hdb_entry (except with an additional context member in hdb_entry which is managed by the free_entry method in HDB). --- kadmin/load.c | 26 +- kdc/altsecid_gss_preauth_authorizer.c | 4 +- kdc/digest-service.c | 4 +- kdc/digest.c | 24 +- kdc/fast.c | 8 +- kdc/gss_preauth.c | 12 +- kdc/hprop.c | 8 +- kdc/hprop.h | 2 +- kdc/hpropd.c | 6 +- kdc/kdc-plugin.c | 38 +-- kdc/kdc-plugin.h | 23 +- kdc/kdc.h | 6 +- kdc/kdc_locl.h | 2 +- kdc/kerberos5.c | 139 +++++----- kdc/krb5tgs.c | 107 ++++---- kdc/kx509.c | 2 +- kdc/misc.c | 74 +++--- kdc/mit_dump.c | 4 +- kdc/mssfu.c | 37 +-- kdc/pkinit.c | 26 +- lib/hdb/common.c | 172 ++++++------- lib/hdb/db.c | 18 +- lib/hdb/db3.c | 18 +- lib/hdb/hdb-keytab.c | 22 +- lib/hdb/hdb-ldap.c | 348 +++++++++++++------------- lib/hdb/hdb-mdb.c | 18 +- lib/hdb/hdb-mitdb.c | 26 +- lib/hdb/hdb-sqlite.c | 24 +- lib/hdb/hdb.c | 28 +-- lib/hdb/hdb.h | 34 +-- lib/hdb/keytab.c | 30 +-- lib/hdb/ndbm.c | 18 +- lib/hdb/print.c | 6 +- lib/hdb/test_concurrency.c | 52 ++-- lib/hdb/test_namespace.c | 145 ++++++----- lib/kadm5/chpass_s.c | 52 ++-- lib/kadm5/create_s.c | 24 +- lib/kadm5/delete_s.c | 6 +- lib/kadm5/ent_setup.c | 78 +++--- lib/kadm5/get_princs_s.c | 4 +- lib/kadm5/get_s.c | 112 ++++----- lib/kadm5/ipropd_master.c | 4 +- lib/kadm5/ipropd_slave.c | 4 +- lib/kadm5/log.c | 154 ++++++------ lib/kadm5/modify_s.c | 10 +- lib/kadm5/prune_s.c | 8 +- lib/kadm5/randkey_s.c | 24 +- lib/kadm5/rename_s.c | 26 +- lib/kadm5/setkey3_s.c | 26 +- tests/plugin/kdc_test_plugin.c | 24 +- 50 files changed, 1035 insertions(+), 1032 deletions(-) diff --git a/kadmin/load.c b/kadmin/load.c index 10dae5578..f62f8b96d 100644 --- a/kadmin/load.c +++ b/kadmin/load.c @@ -418,7 +418,7 @@ doit(const char *filename, int mergep) int lineno; int flags = O_RDWR; struct entry e; - hdb_entry_ex ent; + hdb_entry ent; HDB *db = _kadm5_s_get_db(kadm_handle); f = fopen(filename, "r"); @@ -506,7 +506,7 @@ doit(const char *filename, int mergep) skip_next(p); memset(&ent, 0, sizeof(ent)); - ret2 = krb5_parse_name(context, e.principal, &ent.entry.principal); + ret2 = krb5_parse_name(context, e.principal, &ent.principal); if (ret2) { const char *msg = krb5_get_error_message(context, ret); fprintf(stderr, "%s:%d:%s (%s)\n", @@ -516,7 +516,7 @@ doit(const char *filename, int mergep) continue; } - if (parse_keys(&ent.entry, e.key)) { + if (parse_keys(&ent, e.key)) { fprintf (stderr, "%s:%d:error parsing keys (%s)\n", filename, lineno, e.key); hdb_free_entry (context, db, &ent); @@ -524,35 +524,35 @@ doit(const char *filename, int mergep) continue; } - if (parse_event(&ent.entry.created_by, e.created) == -1) { + if (parse_event(&ent.created_by, e.created) == -1) { fprintf (stderr, "%s:%d:error parsing created event (%s)\n", filename, lineno, e.created); hdb_free_entry (context, db, &ent); ret = 1; continue; } - if (parse_event_alloc (&ent.entry.modified_by, e.modified) == -1) { + if (parse_event_alloc (&ent.modified_by, e.modified) == -1) { fprintf (stderr, "%s:%d:error parsing event (%s)\n", filename, lineno, e.modified); hdb_free_entry (context, db, &ent); ret = 1; continue; } - if (parse_time_string_alloc (&ent.entry.valid_start, e.valid_start) == -1) { + if (parse_time_string_alloc (&ent.valid_start, e.valid_start) == -1) { fprintf (stderr, "%s:%d:error parsing time (%s)\n", filename, lineno, e.valid_start); hdb_free_entry (context, db, &ent); ret = 1; continue; } - if (parse_time_string_alloc (&ent.entry.valid_end, e.valid_end) == -1) { + if (parse_time_string_alloc (&ent.valid_end, e.valid_end) == -1) { fprintf (stderr, "%s:%d:error parsing time (%s)\n", filename, lineno, e.valid_end); hdb_free_entry (context, db, &ent); ret = 1; continue; } - if (parse_time_string_alloc (&ent.entry.pw_end, e.pw_end) == -1) { + if (parse_time_string_alloc (&ent.pw_end, e.pw_end) == -1) { fprintf (stderr, "%s:%d:error parsing time (%s)\n", filename, lineno, e.pw_end); hdb_free_entry (context, db, &ent); @@ -560,7 +560,7 @@ doit(const char *filename, int mergep) continue; } - if (parse_integer_alloc (&ent.entry.max_life, e.max_life) == -1) { + if (parse_integer_alloc (&ent.max_life, e.max_life) == -1) { fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n", filename, lineno, e.max_life); hdb_free_entry (context, db, &ent); @@ -568,7 +568,7 @@ doit(const char *filename, int mergep) continue; } - if (parse_integer_alloc (&ent.entry.max_renew, e.max_renew) == -1) { + if (parse_integer_alloc (&ent.max_renew, e.max_renew) == -1) { fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n", filename, lineno, e.max_renew); hdb_free_entry (context, db, &ent); @@ -576,7 +576,7 @@ doit(const char *filename, int mergep) continue; } - if (parse_hdbflags2int (&ent.entry.flags, e.flags) != 1) { + if (parse_hdbflags2int (&ent.flags, e.flags) != 1) { fprintf (stderr, "%s:%d:error parsing flags (%s)\n", filename, lineno, e.flags); hdb_free_entry (context, db, &ent); @@ -584,7 +584,7 @@ doit(const char *filename, int mergep) continue; } - if(parse_generation(e.generation, &ent.entry.generation) == -1) { + if(parse_generation(e.generation, &ent.generation) == -1) { fprintf (stderr, "%s:%d:error parsing generation (%s)\n", filename, lineno, e.generation); hdb_free_entry (context, db, &ent); @@ -592,7 +592,7 @@ doit(const char *filename, int mergep) continue; } - if (parse_extensions(&e.extensions, &ent.entry.extensions) == -1) { + if (parse_extensions(&e.extensions, &ent.extensions) == -1) { fprintf (stderr, "%s:%d:error parsing extension (%s)\n", filename, lineno, e.extensions); hdb_free_entry (context, db, &ent); diff --git a/kdc/altsecid_gss_preauth_authorizer.c b/kdc/altsecid_gss_preauth_authorizer.c index 626608397..fde6fa64d 100644 --- a/kdc/altsecid_gss_preauth_authorizer.c +++ b/kdc/altsecid_gss_preauth_authorizer.c @@ -397,7 +397,7 @@ authorize(void *ctx, struct altsecid_gss_preauth_authorizer_context *c = ctx; struct ad_server_tuple *server = NULL; krb5_error_code ret; - krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal); + krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->principal); krb5_boolean reconnect_p = FALSE; krb5_boolean is_tgs; heim_data_t requestor_sid = NULL; @@ -405,7 +405,7 @@ authorize(void *ctx, *authorized = FALSE; *mapped_name = NULL; - if (!krb5_principal_is_federated(r->context, r->client->entry.principal) || + if (!krb5_principal_is_federated(r->context, r->client->principal) || (ret_flags & GSS_C_ANON_FLAG)) return KRB5_PLUGIN_NO_HANDLE; diff --git a/kdc/digest-service.c b/kdc/digest-service.c index a61b2c7e3..4ea76dbe7 100644 --- a/kdc/digest-service.c +++ b/kdc/digest-service.c @@ -60,7 +60,7 @@ ntlm_service(void *ctx, const heim_idata *req, unsigned char sessionkey[16]; heim_idata rep = { 0, NULL }; krb5_context context = ctx; - hdb_entry_ex *user = NULL; + hdb_entry *user = NULL; HDB *db = NULL; Key *key = NULL; NTLMReply ntp; @@ -119,7 +119,7 @@ ntlm_service(void *ctx, const heim_idata *req, if (ret) goto failed; - ret = hdb_enctype2key(context, &user->entry, NULL, + ret = hdb_enctype2key(context, user, NULL, ETYPE_ARCFOUR_HMAC_MD5, &key); if (ret) { krb5_set_error_message(context, ret, "NTLM missing arcfour key"); diff --git a/kdc/digest.c b/kdc/digest.c index 0f620df7d..092b4a75a 100644 --- a/kdc/digest.c +++ b/kdc/digest.c @@ -57,7 +57,7 @@ const struct units _kdc_digestunits[] = { static krb5_error_code get_digest_key(krb5_context context, krb5_kdc_configuration *config, - hdb_entry_ex *server, + hdb_entry *server, krb5_crypto *crypto) { krb5_error_code ret; @@ -81,12 +81,12 @@ get_digest_key(krb5_context context, static char * get_ntlm_targetname(krb5_context context, - hdb_entry_ex *client) + hdb_entry *client) { char *targetname, *p; targetname = strdup(krb5_principal_get_realm(context, - client->entry.principal)); + client->principal)); if (targetname == NULL) return NULL; @@ -101,7 +101,7 @@ get_ntlm_targetname(krb5_context context, static krb5_error_code fill_targetinfo(krb5_context context, char *targetname, - hdb_entry_ex *client, + hdb_entry *client, krb5_data *data) { struct ntlm_targetinfo ti; @@ -113,7 +113,7 @@ fill_targetinfo(krb5_context context, memset(&ti, 0, sizeof(ti)); ti.domainname = targetname; - p = client->entry.principal; + p = client->principal; str = krb5_principal_get_comp_string(context, p, 0); if (str != NULL && (strcmp("host", str) == 0 || @@ -168,7 +168,7 @@ get_password_entry(krb5_context context, { krb5_principal clientprincipal; krb5_error_code ret; - hdb_entry_ex *user; + hdb_entry *user; HDB *db; /* get username */ @@ -182,7 +182,7 @@ get_password_entry(krb5_context context, if (ret) return ret; - ret = hdb_entry_get_password(context, db, &user->entry, password); + ret = hdb_entry_get_password(context, db, user, password); if (ret || password == NULL) { if (ret == 0) { ret = EINVAL; @@ -218,9 +218,9 @@ _kdc_do_digest(krb5_context context, krb5_storage *sp = NULL; Checksum res; HDB *serverdb, *userdb; - hdb_entry_ex *server = NULL, *user = NULL; + hdb_entry *server = NULL, *user = NULL; HDB *clientdb; - hdb_entry_ex *client = NULL; + hdb_entry *client = NULL; char *client_name = NULL, *password = NULL; krb5_data serverNonce; @@ -321,7 +321,7 @@ _kdc_do_digest(krb5_context context, if (ret) goto out; - if (client->entry.flags.allow_digest == 0) { + if (client->flags.allow_digest == 0) { kdc_log(context, config, 2, "Client %s tried to use digest " "but is not allowed to", @@ -888,7 +888,7 @@ _kdc_do_digest(krb5_context context, goto failed; } - ret = hdb_enctype2key(context, &user->entry, NULL, + ret = hdb_enctype2key(context, user, NULL, ETYPE_ARCFOUR_HMAC_MD5, &key); if (ret) { krb5_set_error_message(context, ret, @@ -1216,7 +1216,7 @@ _kdc_do_digest(krb5_context context, goto out; } - ret = hdb_enctype2key(context, &user->entry, NULL, + ret = hdb_enctype2key(context, user, NULL, ETYPE_ARCFOUR_HMAC_MD5, &key); if (ret) { krb5_set_error_message(context, ret, "NTLM missing arcfour key"); diff --git a/kdc/fast.c b/kdc/fast.c index 80f19c60b..42b4527cd 100644 --- a/kdc/fast.c +++ b/kdc/fast.c @@ -109,7 +109,7 @@ get_fastuser_crypto(astgs_request_t r, { krb5_principal fast_princ; HDB *fast_db; - hdb_entry_ex *fast_user = NULL; + hdb_entry *fast_user = NULL; Key *cookie_key = NULL; krb5_crypto fast_crypto = NULL; krb5_error_code ret; @@ -131,7 +131,7 @@ get_fastuser_crypto(astgs_request_t r, ret = _kdc_get_preferred_key(r->context, r->config, fast_user, "fast-cookie", &enctype, &cookie_key); else - ret = hdb_enctype2key(r->context, &fast_user->entry, NULL, + ret = hdb_enctype2key(r->context, fast_user, NULL, enctype, &cookie_key); if (ret) goto out; @@ -563,7 +563,7 @@ fast_unwrap_request(astgs_request_t r, goto out; } - ret = hdb_enctype2key(r->context, &r->armor_server->entry, NULL, + ret = hdb_enctype2key(r->context, r->armor_server, NULL, ap_req.ticket.enc_part.etype, &r->armor_key); if (ret) { @@ -836,7 +836,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r) krb5_pac mspac = NULL; krb5_principal armor_client_principal = NULL; HDB *armor_db; - hdb_entry_ex *armor_client = NULL; + hdb_entry *armor_client = NULL; char *armor_client_principal_name = NULL; flags = HDB_F_FOR_TGS_REQ; diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c index 6df4a0bd6..3b145fa54 100644 --- a/kdc/gss_preauth.c +++ b/kdc/gss_preauth.c @@ -584,7 +584,7 @@ pa_gss_authorize_default(astgs_request_t r, { krb5_error_code ret; krb5_principal principal; - krb5_const_realm realm = r->server->entry.principal->realm; + krb5_const_realm realm = r->server->principal->realm; int flags = 0, cross_realm_allowed = 0, unauth_anon; /* @@ -680,7 +680,7 @@ _kdc_gss_check_client(astgs_request_t r, { krb5_error_code ret; krb5_principal initiator_princ = NULL; - hdb_entry_ex *initiator = NULL; + hdb_entry *initiator = NULL; krb5_boolean authorized = FALSE; HDB *clientdb = r->clientdb; @@ -740,15 +740,15 @@ _kdc_gss_check_client(astgs_request_t r, * two principals must match, noting that GSS pre-authentication is * for authentication, not general purpose impersonation. */ - if (krb5_principal_is_federated(r->context, r->client->entry.principal)) { - initiator->entry.flags.force_canonicalize = 1; + if (krb5_principal_is_federated(r->context, r->client->principal)) { + initiator->flags.force_canonicalize = 1; _kdc_free_ent(r->context, clientdb, r->client); r->client = initiator; initiator = NULL; } else if (!krb5_principal_compare(r->context, - r->client->entry.principal, - initiator->entry.principal)) { + r->client->principal, + initiator->principal)) { kdc_log(r->context, r->config, 2, "GSS %s initiator %.*s does not match principal %s", gss_oid_to_name(gcp->mech_type), diff --git a/kdc/hprop.c b/kdc/hprop.c index 880a6f746..da9af2ab0 100644 --- a/kdc/hprop.c +++ b/kdc/hprop.c @@ -87,28 +87,28 @@ open_socket(krb5_context context, const char *hostname, const char *port) } krb5_error_code -v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata) +v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata) { krb5_error_code ret; struct prop_data *pd = appdata; krb5_data data; if(encrypt_flag) { - ret = hdb_seal_keys_mkey(context, &entry->entry, mkey5); + ret = hdb_seal_keys_mkey(context, entry, mkey5); if (ret) { krb5_warn(context, ret, "hdb_seal_keys_mkey"); return ret; } } if(decrypt_flag) { - ret = hdb_unseal_keys_mkey(context, &entry->entry, mkey5); + ret = hdb_unseal_keys_mkey(context, entry, mkey5); if (ret) { krb5_warn(context, ret, "hdb_unseal_keys_mkey"); return ret; } } - ret = hdb_entry2value(context, &entry->entry, &data); + ret = hdb_entry2value(context, entry, &data); if(ret) { krb5_warn(context, ret, "hdb_entry2value"); return ret; diff --git a/kdc/hprop.h b/kdc/hprop.h index 462ea8b44..59c39ea47 100644 --- a/kdc/hprop.h +++ b/kdc/hprop.h @@ -53,7 +53,7 @@ struct prop_data{ #define NEVERDATE ((1U << 31) - 1) #endif -krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry_ex*, void*); +krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*); int mit_prop_dump(void*, const char*); #endif /* __HPROP_H__ */ diff --git a/kdc/hpropd.c b/kdc/hpropd.c index 4bfb89fc7..fa06a1fd4 100644 --- a/kdc/hpropd.c +++ b/kdc/hpropd.c @@ -226,7 +226,7 @@ main(int argc, char **argv) nprincs = 0; while (1){ krb5_data data; - hdb_entry_ex entry; + hdb_entry entry; if (from_stdin) { ret = krb5_read_message(context, &sock, &data); @@ -255,7 +255,7 @@ main(int argc, char **argv) break; } memset(&entry, 0, sizeof(entry)); - ret = hdb_value2entry(context, &data, &entry.entry); + ret = hdb_value2entry(context, &data, &entry); krb5_data_free(&data); if (ret) krb5_err(context, 1, ret, "hdb_value2entry"); @@ -269,7 +269,7 @@ main(int argc, char **argv) ret = db->hdb_store(context, db, 0, &entry); if (ret == HDB_ERR_EXISTS) { char *s; - ret = krb5_unparse_name(context, entry.entry.principal, &s); + ret = krb5_unparse_name(context, entry.principal, &s); if (ret) s = strdup(unparseable_name); krb5_warnx(context, "Entry exists: %s", s); diff --git a/kdc/kdc-plugin.c b/kdc/kdc-plugin.c index 8ccf9ec33..83eabfb3d 100644 --- a/kdc/kdc-plugin.c +++ b/kdc/kdc-plugin.c @@ -49,7 +49,7 @@ static const char *kdc_plugin_deps[] = { static struct heim_plugin_data kdc_plugin_data = { "krb5", "kdc", - KRB5_PLUGIN_KDC_VERSION_9, + KRB5_PLUGIN_KDC_VERSION_10, kdc_plugin_deps, kdc_get_instance }; @@ -70,8 +70,9 @@ krb5_kdc_plugin_init(krb5_context context) } struct generate_uc { - hdb_entry_ex *client; - hdb_entry_ex *server; + krb5_kdc_configuration *config; + hdb_entry *client; + hdb_entry *server; const krb5_keyblock *reply_key; uint64_t pac_attributes; krb5_pac *pac; @@ -86,7 +87,9 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx) if (ft->pac_generate == NULL) return KRB5_PLUGIN_NO_HANDLE; - return ft->pac_generate((void *)plug, context, + return ft->pac_generate((void *)plug, + context, + uc->config, uc->client, uc->server, uc->reply_key, @@ -97,8 +100,9 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx) krb5_error_code _kdc_pac_generate(krb5_context context, - hdb_entry_ex *client, - hdb_entry_ex *server, + krb5_kdc_configuration *config, + hdb_entry *client, + hdb_entry *server, const krb5_keyblock *reply_key, uint64_t pac_attributes, krb5_pac *pac) @@ -109,11 +113,12 @@ _kdc_pac_generate(krb5_context context, *pac = NULL; if (krb5_config_get_bool_default(context, NULL, FALSE, "realms", - client->entry.principal->realm, + client->principal->realm, "disable_pac", NULL)) return 0; if (have_plugin) { + uc.config = config; uc.client = client; uc.server = server; uc.reply_key = reply_key; @@ -134,11 +139,12 @@ _kdc_pac_generate(krb5_context context, } struct verify_uc { + krb5_kdc_configuration *config; krb5_principal client_principal; krb5_principal delegated_proxy_principal; - hdb_entry_ex *client; - hdb_entry_ex *server; - hdb_entry_ex *krbtgt; + hdb_entry *client; + hdb_entry *server; + hdb_entry *krbtgt; krb5_pac *pac; }; @@ -152,7 +158,9 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx) if (ft->pac_verify == NULL) return KRB5_PLUGIN_NO_HANDLE; - ret = ft->pac_verify((void *)plug, context, + ret = ft->pac_verify((void *)plug, + context, + uc->config, uc->client_principal, uc->delegated_proxy_principal, uc->client, uc->server, uc->krbtgt, uc->pac); @@ -161,11 +169,12 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx) krb5_error_code _kdc_pac_verify(krb5_context context, + krb5_kdc_configuration *config, const krb5_principal client_principal, const krb5_principal delegated_proxy_principal, - hdb_entry_ex *client, - hdb_entry_ex *server, - hdb_entry_ex *krbtgt, + hdb_entry *client, + hdb_entry *server, + hdb_entry *krbtgt, krb5_pac *pac) { struct verify_uc uc; @@ -173,6 +182,7 @@ _kdc_pac_verify(krb5_context context, if (!have_plugin) return KRB5_PLUGIN_NO_HANDLE; + uc.config = config; uc.client_principal = client_principal; uc.delegated_proxy_principal = delegated_proxy_principal; uc.client = client; diff --git a/kdc/kdc-plugin.h b/kdc/kdc-plugin.h index 312c56ca7..e4d374d4e 100644 --- a/kdc/kdc-plugin.h +++ b/kdc/kdc-plugin.h @@ -38,8 +38,7 @@ #include #include - -struct hdb_entry_ex; +#include /* * Allocate a PAC for the given client with krb5_pac_init(), @@ -47,9 +46,11 @@ struct hdb_entry_ex; */ typedef krb5_error_code -(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *, krb5_context, - struct hdb_entry_ex *, /* client */ - struct hdb_entry_ex *, /* server */ +(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *, + krb5_context, /* context */ + krb5_kdc_configuration *, /* configuration */ + hdb_entry *, /* client */ + hdb_entry *, /* server */ const krb5_keyblock *, /* pk_replykey */ uint64_t, /* pac_attributes */ krb5_pac *); @@ -61,12 +62,14 @@ typedef krb5_error_code */ typedef krb5_error_code -(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *, krb5_context, +(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *, + krb5_context, /* context */ + krb5_kdc_configuration *, /* configuration */ const krb5_principal, /* new ticket client */ const krb5_principal, /* delegation proxy */ - struct hdb_entry_ex *,/* client */ - struct hdb_entry_ex *,/* server */ - struct hdb_entry_ex *,/* krbtgt */ + hdb_entry *,/* client */ + hdb_entry *,/* server */ + hdb_entry *,/* krbtgt */ krb5_pac *); /* @@ -115,7 +118,7 @@ typedef krb5_error_code * Plugins should carefully check API contract notes for changes * between plugin API versions. */ -#define KRB5_PLUGIN_KDC_VERSION_9 9 +#define KRB5_PLUGIN_KDC_VERSION_10 10 typedef struct krb5plugin_kdc_ftable { int minor_version; diff --git a/kdc/kdc.h b/kdc/kdc.h index 55a5756f1..27be708b2 100644 --- a/kdc/kdc.h +++ b/kdc/kdc.h @@ -141,18 +141,18 @@ typedef struct krb5_kdc_configuration { \ /* client principal (AS) or TGT/S4U principal (TGS) */ \ krb5_principal client_princ; \ - hdb_entry_ex *client; \ + hdb_entry *client; \ HDB *clientdb; \ krb5_principal canon_client_princ; \ \ /* server principal */ \ krb5_principal server_princ; \ - hdb_entry_ex *server; \ + hdb_entry *server; \ HDB *serverdb; \ \ /* presented ticket in TGS-REQ (unused by AS) */ \ krb5_principal *krbtgt_princ; \ - hdb_entry_ex *krbtgt; \ + hdb_entry *krbtgt; \ HDB *krbtgtdb; \ krb5_ticket *ticket; \ \ diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h index 0522f48c5..3a2b4d2fd 100644 --- a/kdc/kdc_locl.h +++ b/kdc/kdc_locl.h @@ -87,7 +87,7 @@ struct astgs_request_desc { unsigned int fast_asserted : 1; krb5_crypto armor_crypto; - hdb_entry_ex *armor_server; + hdb_entry *armor_server; HDB *armor_serverdb; krb5_ticket *armor_ticket; Key *armor_key; diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 375c4217b..5c5b3137e 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -161,7 +161,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, krb5_boolean use_strongest_session_key; krb5_boolean is_preauth = flags & KFE_IS_PREAUTH; krb5_boolean is_tgs = flags & KFE_IS_TGS; - hdb_entry_ex *princ; + hdb_entry *princ; krb5_principal request_princ; krb5_error_code ret; krb5_salt def_salt; @@ -171,15 +171,15 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, size_t i, k, m; if (is_preauth && (flags & KFE_USE_CLIENT) && - r->client->entry.flags.synthetic) + r->client->flags.synthetic) return KRB5KDC_ERR_ETYPE_NOSUPP; - if ((flags & KFE_USE_CLIENT) && !r->client->entry.flags.synthetic) { + if ((flags & KFE_USE_CLIENT) && !r->client->flags.synthetic) { princ = r->client; request_princ = r->client_princ; } else { princ = r->server; - request_princ = r->server->entry.principal; + request_princ = r->server->principal; } use_strongest_session_key = @@ -227,7 +227,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL; i++) { if (krb5_enctype_valid(r->context, p[i]) != 0 && - !_kdc_is_weak_exception(princ->entry.principal, p[i])) + !_kdc_is_weak_exception(princ->principal, p[i])) continue; /* check that the client supports it too */ @@ -248,15 +248,15 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, /* check target princ support */ key = NULL; - if (!(flags & KFE_USE_CLIENT) && princ->entry.etypes) { + if (!(flags & KFE_USE_CLIENT) && princ->etypes) { /* * Use the etypes list from the server's HDB entry instead * of deriving it from its long-term keys. This allows an * entry to have just one long-term key but record support * for multiple enctypes. */ - for (m = 0; m < princ->entry.etypes->len; m++) { - if (p[i] == princ->entry.etypes->val[m]) { + for (m = 0; m < princ->etypes->len; m++) { + if (p[i] == princ->etypes->val[m]) { ret = 0; break; } @@ -268,7 +268,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, * PA-ETYPE-INFO* or because we're selecting a session key * enctype. */ - while (hdb_next_enctype2key(r->context, &princ->entry, NULL, + while (hdb_next_enctype2key(r->context, princ, NULL, p[i], &key) == 0) { if (key->key.keyvalue.length == 0) { ret = KRB5KDC_ERR_NULL_KEY; @@ -296,12 +296,12 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, for(i = 0; ret != 0 && i < len; i++) { if (krb5_enctype_valid(r->context, etypes[i]) != 0 && - !_kdc_is_weak_exception(princ->entry.principal, etypes[i])) + !_kdc_is_weak_exception(princ->principal, etypes[i])) continue; key = NULL; while (ret != 0 && - hdb_next_enctype2key(r->context, &princ->entry, NULL, + hdb_next_enctype2key(r->context, princ, NULL, etypes[i], &key) == 0) { if (key->key.keyvalue.length == 0) { ret = KRB5KDC_ERR_NULL_KEY; @@ -323,7 +323,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, * the service key list, provide a DES-CBC-CRC key. */ if (ret_key == NULL && - _kdc_is_weak_exception(princ->entry.principal, ETYPE_DES_CBC_CRC)) { + _kdc_is_weak_exception(princ->principal, ETYPE_DES_CBC_CRC)) { ret = 0; enctype = ETYPE_DES_CBC_CRC; } else { @@ -504,7 +504,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa) } r->pa_endtime = _kdc_pk_endtime(pkp); - if (!r->client->entry.flags.synthetic) + if (!r->client->flags.synthetic) r->pa_max_life = _kdc_pk_max_life(pkp); _kdc_r_log(r, 4, "PKINIT pre-authentication succeeded -- %s using %s", @@ -621,7 +621,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa) return ret; } - if (r->client->entry.flags.locked_out) { + if (r->client->flags.locked_out) { ret = KRB5KDC_ERR_CLIENT_REVOKED; kdc_log(r->context, r->config, 0, "Client (%s) is locked out", r->cname); @@ -650,11 +650,11 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa) kdc_log(r->context, r->config, 5, "FAST armor enctype is: %d", (int)aenctype); - for (i = 0; i < r->client->entry.keys.len; i++) { + for (i = 0; i < r->client->keys.len; i++) { krb5_crypto challengecrypto, longtermcrypto; krb5_keyblock challengekey; - k = &r->client->entry.keys.val[i]; + k = &r->client->keys.val[i]; ret = krb5_crypto_init(r->context, &k->key, 0, &longtermcrypto); if (ret) @@ -794,7 +794,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) return ret; } - if (r->client->entry.flags.locked_out) { + if (r->client->flags.locked_out) { ret = KRB5KDC_ERR_CLIENT_REVOKED; kdc_log(r->context, r->config, 0, "Client (%s) is locked out", r->cname); @@ -814,7 +814,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) goto out; } - ret = hdb_enctype2key(r->context, &r->client->entry, NULL, + ret = hdb_enctype2key(r->context, r->client, NULL, enc_data.etype, &pa_key); if(ret){ char *estr; @@ -873,7 +873,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) pa_key->key.keytype); _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY); - if(hdb_next_enctype2key(r->context, &r->client->entry, NULL, + if(hdb_next_enctype2key(r->context, r->client, NULL, enc_data.etype, &pa_key) == 0) goto try_next_key; @@ -1612,12 +1612,10 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype) KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL kdc_check_flags(astgs_request_t r, krb5_boolean is_as_req, - hdb_entry_ex *client_ex, - hdb_entry_ex *server_ex) + hdb_entry *client, + hdb_entry *server) { - if (client_ex != NULL) { - hdb_entry *client = &client_ex->entry; - + if (client != NULL) { /* check client */ if (client->flags.locked_out) { _kdc_audit_addreason((kdc_request_t)r, "Client is locked out"); @@ -1655,11 +1653,11 @@ kdc_check_flags(astgs_request_t r, } if (client->flags.require_pwchange && - (server_ex == NULL || !server_ex->entry.flags.change_pw)) + (server == NULL || !server->flags.change_pw)) return KRB5KDC_ERR_KEY_EXPIRED; if (client->pw_end && *client->pw_end < kdc_time - && (server_ex == NULL || !server_ex->entry.flags.change_pw)) { + && (server == NULL || !server->flags.change_pw)) { char pwend_str[100]; krb5_format_time(r->context, *client->pw_end, pwend_str, sizeof(pwend_str), TRUE); @@ -1671,9 +1669,7 @@ kdc_check_flags(astgs_request_t r, /* check server */ - if (server_ex != NULL) { - hdb_entry *server = &server_ex->entry; - + if (server != NULL) { if (server->flags.locked_out) { _kdc_audit_addreason((kdc_request_t)r, "Server locked out"); return KRB5KDC_ERR_SERVICE_REVOKED; @@ -1851,6 +1847,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey, */ ret = _kdc_pac_generate(r->context, + r->config, r->client, r->server, r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY) @@ -1865,7 +1862,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey, if (r->pac == NULL) return 0; - rodc_id = r->server->entry.kvno >> 16; + rodc_id = r->server->kvno >> 16; /* libkrb5 expects ticket and PAC client names to match */ ret = _krb5_principalname2krb5_principal(r->context, &client, @@ -1950,8 +1947,8 @@ static int require_preauth_p(astgs_request_t r) { return r->config->require_preauth - || r->client->entry.flags.require_preauth - || r->server->entry.flags.require_preauth; + || r->client->flags.require_preauth + || r->server->flags.require_preauth; } @@ -2023,7 +2020,7 @@ get_local_tgs(krb5_context context, krb5_kdc_configuration *config, krb5_const_realm realm, HDB **krbtgtdb, - hdb_entry_ex **krbtgt) + hdb_entry **krbtgt) { krb5_error_code ret; krb5_principal tgs_name; @@ -2151,7 +2148,7 @@ _kdc_as_rep(astgs_request_t r) case HDB_ERR_WRONG_REALM: { char *fixed_client_name = NULL; - ret = krb5_unparse_name(r->context, r->client->entry.principal, + ret = krb5_unparse_name(r->context, r->client->principal, &fixed_client_name); if (ret) { goto out; @@ -2165,7 +2162,7 @@ _kdc_as_rep(astgs_request_t r) ret = _kdc_fast_mk_error(r, r->rep.padata, r->armor_crypto, &req->req_body, r->ret = KRB5_KDC_ERR_WRONG_REALM, - r->client->entry.principal, r->server_princ, + r->client->principal, r->server_princ, NULL, NULL, r->reply); goto out; } @@ -2237,7 +2234,7 @@ _kdc_as_rep(astgs_request_t r) i = 0; pa = _kdc_find_padata(req, &i, pat[n].type); if (pa) { - if (r->client->entry.flags.synthetic && + if (r->client->flags.synthetic && !(pat[n].flags & PA_SYNTHETIC_OK)) { kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -2288,7 +2285,7 @@ _kdc_as_rep(astgs_request_t r) size_t n; krb5_boolean default_salt; - if (r->client->entry.flags.synthetic) { + if (r->client->flags.synthetic) { kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname); ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; @@ -2347,7 +2344,7 @@ _kdc_as_rep(astgs_request_t r) goto out; } - r->canon_client_princ = r->client->entry.principal; + r->canon_client_princ = r->client->principal; /* * Verify flags after the user been required to prove its identity @@ -2414,7 +2411,7 @@ _kdc_as_rep(astgs_request_t r) _kdc_is_anonymous(r->context, r->client_princ)) { Realm anon_realm = KRB5_ANON_REALM; ret = copy_Realm(&anon_realm, &rep->crealm); - } else if (f.canonicalize || r->client->entry.flags.force_canonicalize) + } else if (f.canonicalize || r->client->flags.force_canonicalize) ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm); else ret = copy_Realm(&r->client_princ->realm, &rep->crealm); @@ -2422,7 +2419,7 @@ _kdc_as_rep(astgs_request_t r) goto out; if (r->et.flags.anonymous) ret = _kdc_make_anonymous_principalname(&rep->cname); - else if (f.canonicalize || r->client->entry.flags.force_canonicalize) + else if (f.canonicalize || r->client->flags.force_canonicalize) ret = _krb5_principal2principalname(&rep->cname, r->canon_client_princ); else ret = _krb5_principal2principalname(&rep->cname, r->client_princ); @@ -2430,15 +2427,15 @@ _kdc_as_rep(astgs_request_t r) goto out; rep->ticket.tkt_vno = 5; - if (f.canonicalize || r->server->entry.flags.force_canonicalize) - ret = copy_Realm(&r->server->entry.principal->realm, &rep->ticket.realm); + if (f.canonicalize || r->server->flags.force_canonicalize) + ret = copy_Realm(&r->server->principal->realm, &rep->ticket.realm); else ret = copy_Realm(&r->server_princ->realm, &rep->ticket.realm); if (ret) goto out; - if (f.canonicalize || r->server->entry.flags.force_canonicalize) + if (f.canonicalize || r->server->flags.force_canonicalize) _krb5_principal2principalname(&rep->ticket.sname, - r->server->entry.principal); + r->server->principal); else _krb5_principal2principalname(&rep->ticket.sname, r->server_princ); @@ -2450,16 +2447,16 @@ _kdc_as_rep(astgs_request_t r) #undef CNT r->et.flags.initial = 1; - if(r->client->entry.flags.forwardable && r->server->entry.flags.forwardable) + if(r->client->flags.forwardable && r->server->flags.forwardable) r->et.flags.forwardable = f.forwardable; - if(r->client->entry.flags.proxiable && r->server->entry.flags.proxiable) + if(r->client->flags.proxiable && r->server->flags.proxiable) r->et.flags.proxiable = f.proxiable; else if (f.proxiable) { _kdc_set_e_text(r, "Ticket may not be proxiable"); ret = KRB5KDC_ERR_POLICY; goto out; } - if(r->client->entry.flags.postdate && r->server->entry.flags.postdate) + if(r->client->flags.postdate && r->server->flags.postdate) r->et.flags.may_postdate = f.allow_postdate; else if (f.allow_postdate){ _kdc_set_e_text(r, "Ticket may not be postdate"); @@ -2506,18 +2503,18 @@ _kdc_as_rep(astgs_request_t r) /* be careful not overflowing */ /* - * Pre-auth can override r->client->entry.max_life if configured. + * Pre-auth can override r->client->max_life if configured. * * See pre-auth methods, specifically PKINIT, which can get or derive * this from the client's certificate. */ if (r->pa_max_life > 0) t = start + min(t - start, r->pa_max_life); - else if (r->client->entry.max_life) - t = start + min(t - start, *r->client->entry.max_life); + else if (r->client->max_life) + t = start + min(t - start, *r->client->max_life); - if (r->server->entry.max_life) - t = start + min(t - start, *r->server->entry.max_life); + if (r->server->max_life) + t = start + min(t - start, *r->server->max_life); /* Pre-auth can bound endtime as well */ if (r->pa_endtime > 0) @@ -2539,10 +2536,10 @@ _kdc_as_rep(astgs_request_t r) t = *b->rtime; if(t == 0) t = MAX_TIME; - if(r->client->entry.max_renew) - t = start + min(t - start, *r->client->entry.max_renew); - if(r->server->entry.max_renew) - t = start + min(t - start, *r->server->entry.max_renew); + if(r->client->max_renew) + t = start + min(t - start, *r->client->max_renew); + if(r->server->max_renew) + t = start + min(t - start, *r->server->max_renew); #if 0 t = min(t, start + realm->max_renew); #endif @@ -2575,16 +2572,16 @@ _kdc_as_rep(astgs_request_t r) goto out; } r->ek.last_req.len = 0; - if (r->client->entry.pw_end + if (r->client->pw_end && (config->kdc_warn_pwexpire == 0 - || kdc_time + config->kdc_warn_pwexpire >= *r->client->entry.pw_end)) { + || kdc_time + config->kdc_warn_pwexpire >= *r->client->pw_end)) { r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_PW_EXPTIME; - r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.pw_end; + r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->pw_end; ++r->ek.last_req.len; } - if (r->client->entry.valid_end) { + if (r->client->valid_end) { r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_ACCT_EXPTIME; - r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.valid_end; + r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->valid_end; ++r->ek.last_req.len; } if (r->ek.last_req.len == 0) { @@ -2593,16 +2590,16 @@ _kdc_as_rep(astgs_request_t r) ++r->ek.last_req.len; } r->ek.nonce = b->nonce; - if (r->client->entry.valid_end || r->client->entry.pw_end) { + if (r->client->valid_end || r->client->pw_end) { ALLOC(r->ek.key_expiration); - if (r->client->entry.valid_end) { - if (r->client->entry.pw_end) - *r->ek.key_expiration = min(*r->client->entry.valid_end, - *r->client->entry.pw_end); + if (r->client->valid_end) { + if (r->client->pw_end) + *r->ek.key_expiration = min(*r->client->valid_end, + *r->client->pw_end); else - *r->ek.key_expiration = *r->client->entry.valid_end; + *r->ek.key_expiration = *r->client->valid_end; } else - *r->ek.key_expiration = *r->client->entry.pw_end; + *r->ek.key_expiration = *r->client->pw_end; } else r->ek.key_expiration = NULL; r->ek.flags = r->et.flags; @@ -2656,7 +2653,7 @@ _kdc_as_rep(astgs_request_t r) generate_pac(r, skey, krbtgt_key, is_tgs); } - if (r->client->entry.flags.synthetic) { + if (r->client->flags.synthetic) { ret = add_synthetic_princ_ad(r); if (ret) goto out; @@ -2713,8 +2710,8 @@ _kdc_as_rep(astgs_request_t r) ret = _kdc_encode_reply(r->context, config, r, req->req_body.nonce, setype, - r->server->entry.kvno, &skey->key, - pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->entry.kvno, + r->server->kvno, &skey->key, + pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->kvno, 0, r->reply); if (ret) goto out; diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 510114bb4..5bef071f7 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -80,10 +80,10 @@ _kdc_check_pac(krb5_context context, krb5_kdc_configuration *config, const krb5_principal client_principal, const krb5_principal delegated_proxy_principal, - hdb_entry_ex *client, - hdb_entry_ex *server, - hdb_entry_ex *krbtgt, - hdb_entry_ex *ticket_server, + hdb_entry *client, + hdb_entry *server, + hdb_entry *krbtgt, + hdb_entry *ticket_server, const EncryptionKey *server_check_key, const EncryptionKey *krbtgt_check_key, EncTicketPart *tkt, @@ -122,7 +122,8 @@ _kdc_check_pac(krb5_context context, } /* Verify the KDC signatures. */ - ret = _kdc_pac_verify(context, client_principal, delegated_proxy_principal, + ret = _kdc_pac_verify(context, config, + client_principal, delegated_proxy_principal, client, server, krbtgt, &pac); if (ret == 0) { if (pac_canon_name) { @@ -140,8 +141,8 @@ _kdc_check_pac(krb5_context context, * We can't verify the KDC signatures if the ticket was issued by * another realm's KDC. */ - if (krb5_realm_compare(context, server->entry.principal, - ticket_server->entry.principal)) { + if (krb5_realm_compare(context, server->principal, + ticket_server->principal)) { ret = krb5_pac_verify(context, pac, 0, NULL, NULL, krbtgt_check_key); if (ret) { @@ -173,7 +174,7 @@ _kdc_check_pac(krb5_context context, *kdc_issued = signedticket || krb5_principal_is_krbtgt(context, - ticket_server->entry.principal); + ticket_server->principal); *ppac = pac; return 0; @@ -359,8 +360,8 @@ krb5_error_code _kdc_check_client_matches_target_service(krb5_context context, krb5_kdc_configuration *config, HDB *clientdb, - hdb_entry_ex *client, - hdb_entry_ex *target_server, + hdb_entry *client, + hdb_entry *target_server, krb5_const_principal target_server_principal) { krb5_error_code ret; @@ -378,7 +379,7 @@ _kdc_check_client_matches_target_service(krb5_context context, if (ret == 0) return 0; } else if (krb5_principal_compare(context, - client->entry.principal, + client->principal, target_server_principal) == TRUE) { /* if client does a s4u2self to itself, and there is no plugin, that is ok */ return 0; @@ -536,9 +537,9 @@ tgs_make_reply(astgs_request_t r, const krb5_keyblock *sessionkey, krb5_kvno kvno, AuthorizationData *auth_data, - hdb_entry_ex *server, + hdb_entry *server, krb5_principal server_principal, - hdb_entry_ex *client, + hdb_entry *client, krb5_principal client_principal, const char *tgt_realm, uint16_t rodc_id, @@ -596,7 +597,7 @@ tgs_make_reply(astgs_request_t r, GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), &tgt->transited, et, krb5_principal_get_realm(r->context, client_principal), - krb5_principal_get_realm(r->context, server->entry.principal), + krb5_principal_get_realm(r->context, server->principal), tgt_realm); if(ret) goto out; @@ -628,10 +629,10 @@ tgs_make_reply(astgs_request_t r, { time_t life; life = et->endtime - *et->starttime; - if(client && client->entry.max_life) - life = min(life, *client->entry.max_life); - if(server->entry.max_life) - life = min(life, *server->entry.max_life); + if(client && client->max_life) + life = min(life, *client->max_life); + if(server->max_life) + life = min(life, *server->max_life); et->endtime = *et->starttime + life; } if(f.renewable_ok && tgt->flags.renewable && @@ -645,10 +646,10 @@ tgs_make_reply(astgs_request_t r, if(et->renew_till){ time_t renew; renew = *et->renew_till - *et->starttime; - if(client && client->entry.max_renew) - renew = min(renew, *client->entry.max_renew); - if(server->entry.max_renew) - renew = min(renew, *server->entry.max_renew); + if(client && client->max_renew) + renew = min(renew, *client->max_renew); + if(server->max_renew) + renew = min(renew, *server->max_renew); *et->renew_till = *et->starttime + renew; } @@ -672,12 +673,12 @@ tgs_make_reply(astgs_request_t r, et->flags.pre_authent = tgt->flags.pre_authent; et->flags.hw_authent = tgt->flags.hw_authent; - et->flags.ok_as_delegate = server->entry.flags.ok_as_delegate; + et->flags.ok_as_delegate = server->flags.ok_as_delegate; /* See MS-KILE 3.3.5.1 */ - if (!server->entry.flags.forwardable) + if (!server->flags.forwardable) et->flags.forwardable = 0; - if (!server->entry.flags.proxiable) + if (!server->flags.proxiable) et->flags.proxiable = 0; if (auth_data) { @@ -729,7 +730,7 @@ tgs_make_reply(astgs_request_t r, et->endtime, et->renew_till); if (krb5_enctype_valid(r->context, serverkey->keytype) != 0 - && _kdc_is_weak_exception(server->entry.principal, serverkey->keytype)) + && _kdc_is_weak_exception(server->principal, serverkey->keytype)) { krb5_enctype_enable(r->context, serverkey->keytype); is_weak = 1; @@ -761,7 +762,7 @@ tgs_make_reply(astgs_request_t r, */ if (_kdc_include_pac_p(r)) { krb5_boolean is_tgs = - krb5_principal_is_krbtgt(r->context, server->entry.principal); + krb5_principal_is_krbtgt(r->context, server->principal); ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, r->client_princ, serverkey, krbtgtkey, rodc_id, NULL, r->canon_client_princ, @@ -1016,12 +1017,12 @@ tgs_parse_request(astgs_request_t r, goto out; } - krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : r->krbtgt->entry.kvno; + krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : r->krbtgt->kvno; *krbtgt_etype = ap_req.ticket.enc_part.etype; next_kvno: - krbtgt_keys = hdb_kvno2keys(r->context, &r->krbtgt->entry, krbtgt_kvno_try); - ret = hdb_enctype2key(r->context, &r->krbtgt->entry, krbtgt_keys, + krbtgt_keys = hdb_kvno2keys(r->context, r->krbtgt, krbtgt_kvno_try); + ret = hdb_enctype2key(r->context, r->krbtgt, krbtgt_keys, ap_req.ticket.enc_part.etype, &tkey); if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) { kvno_search_tries--; @@ -1301,10 +1302,10 @@ _kdc_db_fetch_client(krb5_context context, const char *cpn, const char *krbtgt_realm, HDB **clientdb, - hdb_entry_ex **client_out) + hdb_entry **client_out) { krb5_error_code ret; - hdb_entry_ex *client = NULL; + hdb_entry *client = NULL; *client_out = NULL; @@ -1333,7 +1334,7 @@ _kdc_db_fetch_client(krb5_context context, msg = krb5_get_error_message(context, ret); kdc_log(context, config, 4, "Client not found in database: %s", msg); krb5_free_error_message(context, msg); - } else if (client->entry.flags.invalid || !client->entry.flags.client) { + } else if (client->flags.invalid || !client->flags.client) { kdc_log(context, config, 4, "Client has invalid bit set"); _kdc_free_ent(context, *clientdb, client); return KRB5KDC_ERR_POLICY; @@ -1360,9 +1361,9 @@ tgs_build_reply(astgs_request_t priv, krb5_principal user2user_princ = NULL; char *spn = NULL, *cpn = NULL, *krbtgt_out_n = NULL; char *user2user_name = NULL; - hdb_entry_ex *server = NULL, *client = NULL; + hdb_entry *server = NULL, *client = NULL; HDB *user2user_krbtgtdb; - hdb_entry_ex *user2user_krbtgt = NULL; + hdb_entry *user2user_krbtgt = NULL; HDB *clientdb; HDB *serverdb = NULL; krb5_realm ref_realm = NULL; @@ -1374,14 +1375,14 @@ tgs_build_reply(astgs_request_t priv, uint16_t rodc_id; krb5_boolean add_ticket_sig = FALSE; const char *tgt_realm = /* Realm of TGT issuer */ - krb5_principal_get_realm(context, priv->krbtgt->entry.principal); + krb5_principal_get_realm(context, priv->krbtgt->principal); const char *our_realm = /* Realm of this KDC */ - krb5_principal_get_comp_string(context, priv->krbtgt->entry.principal, 1); + krb5_principal_get_comp_string(context, priv->krbtgt->principal, 1); char **capath = NULL; size_t num_capath = 0; HDB *krbtgt_outdb; - hdb_entry_ex *krbtgt_out = NULL; + hdb_entry *krbtgt_out = NULL; PrincipalName *s; Realm r; @@ -1457,7 +1458,7 @@ server_lookup: goto out; } else if (ret == HDB_ERR_WRONG_REALM) { free(ref_realm); - ref_realm = strdup(server->entry.principal->realm); + ref_realm = strdup(server->principal->realm); if (ref_realm == NULL) { ret = krb5_enomem(context); goto out; @@ -1579,8 +1580,8 @@ server_lookup: * backend to override this by setting the force-canonicalize HDB * flag in the server entry. */ - if (server->entry.flags.force_canonicalize) - rsp = server->entry.principal; + if (server->flags.force_canonicalize) + rsp = server->principal; else rsp = priv->server_princ; @@ -1614,7 +1615,7 @@ server_lookup: HDB_F_GET_KRBTGT, NULL, &krbtgt_outdb, &krbtgt_out); if (ret) { char *ktpn = NULL; - ret = krb5_unparse_name(context, priv->krbtgt->entry.principal, &ktpn); + ret = krb5_unparse_name(context, priv->krbtgt->principal, &ktpn); kdc_log(context, config, 4, "No such principal %s (needed for authz-data signature keys) " "while processing TGS-REQ for service %s with krbtg %s", @@ -1639,7 +1640,7 @@ server_lookup: krb5uint32 *kvno_ptr = NULL; size_t i; HDB *user2user_db; - hdb_entry_ex *user2user_client = NULL; + hdb_entry *user2user_client = NULL; krb5_boolean user2user_kdc_issued = FALSE; char *tpn; @@ -1684,7 +1685,7 @@ server_lookup: krb5_xfree(tpn); goto out; } - ret = hdb_enctype2key(context, &user2user_krbtgt->entry, NULL, + ret = hdb_enctype2key(context, user2user_krbtgt, NULL, t->enc_part.etype, &uukey); if(ret){ ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ @@ -1832,7 +1833,7 @@ server_lookup: goto out; } ekey = &skey->key; - kvno = server->entry.kvno; + kvno = server->kvno; } ret = krb5_generate_random_keyblock(context, etype, &sessionkey); @@ -1853,10 +1854,10 @@ server_lookup: * the DB to possibly correct the case of the realm (Samba4 does * this) before the strcmp() */ - if (strcmp(krb5_principal_get_realm(context, server->entry.principal), - krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) { + if (strcmp(krb5_principal_get_realm(context, server->principal), + krb5_principal_get_realm(context, krbtgt_out->principal)) != 0) { char *ktpn; - ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn); + ret = krb5_unparse_name(context, krbtgt_out->principal, &ktpn); kdc_log(context, config, 4, "Request with wrong krbtgt: %s", (ret == 0) ? ktpn : ""); @@ -1876,7 +1877,7 @@ server_lookup: "Failed to find key for krbtgt PAC signature"); goto out; } - ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL, + ret = hdb_enctype2key(context, krbtgt_out, NULL, tkey_sign->key.keytype, &tkey_sign); if(ret) { kdc_log(context, config, 4, @@ -1935,8 +1936,8 @@ server_lookup: if((b->kdc_options.validate || b->kdc_options.renew) && !krb5_principal_compare(context, - priv->krbtgt->entry.principal, - priv->server->entry.principal)){ + priv->krbtgt->principal, + priv->server->principal)){ _kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request"); kdc_log(context, config, 4, "Inconsistent request."); ret = KRB5KDC_ERR_SERVER_NOMATCH; @@ -2007,7 +2008,7 @@ server_lookup: */ if (kdc_issued && - !krb5_principal_is_krbtgt(context, server->entry.principal)) { + !krb5_principal_is_krbtgt(context, server->principal)) { /* Validate armor TGT before potentially including device claims */ if (priv->armor_ticket) { @@ -2024,7 +2025,7 @@ server_lookup: * read-only-dc identifier, we need to embed it in the PAC KDC signatures. */ - rodc_id = krbtgt_out->entry.kvno >> 16; + rodc_id = krbtgt_out->kvno >> 16; /* * diff --git a/kdc/kx509.c b/kdc/kx509.c index b48bdf6b2..81a3fd0de 100644 --- a/kdc/kx509.c +++ b/kdc/kx509.c @@ -254,7 +254,7 @@ is_local_realm(krb5_context context, krb5_error_code ret; krb5_principal tgs; HDB *db; - hdb_entry_ex *ent = NULL; + hdb_entry *ent = NULL; ret = krb5_make_principal(context, &tgs, realm, KRB5_TGS_NAME, realm, NULL); diff --git a/kdc/misc.c b/kdc/misc.c index 2b82c5cbc..61a6ecf13 100644 --- a/kdc/misc.c +++ b/kdc/misc.c @@ -67,11 +67,11 @@ synthesize_client(krb5_context context, krb5_kdc_configuration *config, krb5_const_principal princ, HDB **db, - hdb_entry_ex **h) + hdb_entry **h) { static HDB null_db; krb5_error_code ret; - hdb_entry_ex *e; + hdb_entry *e; /* Hope this works! */ null_db.hdb_destroy = synthesize_hdb_close; @@ -81,40 +81,40 @@ synthesize_client(krb5_context context, ret = (e = calloc(1, sizeof(*e))) ? 0 : krb5_enomem(context); if (ret == 0) { - e->entry.flags.client = 1; - e->entry.flags.immutable = 1; - e->entry.flags.virtual = 1; - e->entry.flags.synthetic = 1; - e->entry.flags.do_not_store = 1; - e->entry.kvno = 1; - e->entry.keys.len = 0; - e->entry.keys.val = NULL; - e->entry.created_by.time = time(NULL); - e->entry.modified_by = NULL; - e->entry.valid_start = NULL; - e->entry.valid_end = NULL; - e->entry.pw_end = NULL; - e->entry.etypes = NULL; - e->entry.generation = NULL; - e->entry.extensions = NULL; + e->flags.client = 1; + e->flags.immutable = 1; + e->flags.virtual = 1; + e->flags.synthetic = 1; + e->flags.do_not_store = 1; + e->kvno = 1; + e->keys.len = 0; + e->keys.val = NULL; + e->created_by.time = time(NULL); + e->modified_by = NULL; + e->valid_start = NULL; + e->valid_end = NULL; + e->pw_end = NULL; + e->etypes = NULL; + e->generation = NULL; + e->extensions = NULL; } if (ret == 0) - ret = (e->entry.max_renew = calloc(1, sizeof(*e->entry.max_renew))) ? + ret = (e->max_renew = calloc(1, sizeof(*e->max_renew))) ? 0 : krb5_enomem(context); if (ret == 0) - ret = (e->entry.max_life = calloc(1, sizeof(*e->entry.max_life))) ? + ret = (e->max_life = calloc(1, sizeof(*e->max_life))) ? 0 : krb5_enomem(context); if (ret == 0) - ret = krb5_copy_principal(context, princ, &e->entry.principal); + ret = krb5_copy_principal(context, princ, &e->principal); if (ret == 0) - ret = krb5_copy_principal(context, princ, &e->entry.created_by.principal); + ret = krb5_copy_principal(context, princ, &e->created_by.principal); if (ret == 0) { /* * We can't check OCSP in the TGS path, so we can't let tickets for * synthetic principals live very long. */ - *(e->entry.max_renew) = config->synthetic_clients_max_renew; - *(e->entry.max_life) = config->synthetic_clients_max_life; + *(e->max_renew) = config->synthetic_clients_max_renew; + *(e->max_life) = config->synthetic_clients_max_life; *h = e; } else { hdb_free_entry(context, &null_db, e); @@ -129,9 +129,9 @@ _kdc_db_fetch(krb5_context context, unsigned flags, krb5uint32 *kvno_ptr, HDB **db, - hdb_entry_ex **h) + hdb_entry **h) { - hdb_entry_ex *ent = NULL; + hdb_entry *ent = NULL; krb5_error_code ret = HDB_ERR_NOENTRY; int i; unsigned kvno = 0; @@ -246,7 +246,7 @@ out: } KDC_LIB_FUNCTION void KDC_LIB_CALL -_kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent) +_kdc_free_ent(krb5_context context, HDB *db, hdb_entry *ent) { hdb_free_entry (context, db, ent); free (ent); @@ -260,7 +260,7 @@ _kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent) krb5_error_code _kdc_get_preferred_key(krb5_context context, krb5_kdc_configuration *config, - hdb_entry_ex *h, + hdb_entry *h, const char *name, krb5_enctype *enctype, Key **key) @@ -273,9 +273,9 @@ _kdc_get_preferred_key(krb5_context context, for (i = 0; p[i] != (krb5_enctype)ETYPE_NULL; i++) { if (krb5_enctype_valid(context, p[i]) != 0 && - !_kdc_is_weak_exception(h->entry.principal, p[i])) + !_kdc_is_weak_exception(h->principal, p[i])) continue; - ret = hdb_enctype2key(context, &h->entry, NULL, p[i], key); + ret = hdb_enctype2key(context, h, NULL, p[i], key); if (ret != 0) continue; if (enctype != NULL) @@ -285,12 +285,12 @@ _kdc_get_preferred_key(krb5_context context, } else { *key = NULL; - for (i = 0; i < h->entry.keys.len; i++) { - if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype) != 0 && - !_kdc_is_weak_exception(h->entry.principal, h->entry.keys.val[i].key.keytype)) + for (i = 0; i < h->keys.len; i++) { + if (krb5_enctype_valid(context, h->keys.val[i].key.keytype) != 0 && + !_kdc_is_weak_exception(h->principal, h->keys.val[i].key.keytype)) continue; - ret = hdb_enctype2key(context, &h->entry, NULL, - h->entry.keys.val[i].key.keytype, key); + ret = hdb_enctype2key(context, h, NULL, + h->keys.val[i].key.keytype, key); if (ret != 0) continue; if (enctype != NULL) @@ -334,9 +334,9 @@ _kdc_verify_checksum(krb5_context context, krb5_boolean _kdc_include_pac_p(astgs_request_t r) { - if (krb5_principal_is_krbtgt(r->context, r->server->entry.principal)) + if (krb5_principal_is_krbtgt(r->context, r->server->principal)) return TRUE; - else if (r->server->entry.flags.no_auth_data_reqd) + else if (r->server->flags.no_auth_data_reqd) return FALSE; return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY)); diff --git a/kdc/mit_dump.c b/kdc/mit_dump.c index 409eae40e..32cf5dc65 100644 --- a/kdc/mit_dump.c +++ b/kdc/mit_dump.c @@ -146,7 +146,7 @@ mit_prop_dump(void *arg, const char *file) char *line = NULL; int lineno = 0; FILE *f; - struct hdb_entry_ex ent; + hdb_entry ent; struct prop_data *pd = arg; krb5_storage *sp = NULL; krb5_data kdb_ent; @@ -202,7 +202,7 @@ mit_prop_dump(void *arg, const char *file) } ret = krb5_storage_to_data(sp, &kdb_ent); if (ret) break; - ret = _hdb_mdb_value2entry(pd->context, &kdb_ent, 0, &ent.entry); + ret = _hdb_mdb_value2entry(pd->context, &kdb_ent, 0, &ent); krb5_data_free(&kdb_ent); if (ret) { warnx("line: %d: failed to store; ignoring", lineno); diff --git a/kdc/mssfu.c b/kdc/mssfu.c index 84c7c6012..877b11d05 100644 --- a/kdc/mssfu.c +++ b/kdc/mssfu.c @@ -47,8 +47,8 @@ static krb5_error_code check_constrained_delegation(krb5_context context, krb5_kdc_configuration *config, HDB *clientdb, - hdb_entry_ex *client, - hdb_entry_ex *server, + hdb_entry *client, + hdb_entry *server, krb5_const_principal target) { const HDB_Ext_Constrained_delegation_acl *acl; @@ -61,7 +61,7 @@ check_constrained_delegation(krb5_context context, * of the principals here, while "target" is the principal * provided by the client. */ - if (!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) { + if (!krb5_realm_compare(context, client->principal, server->principal)) { ret = KRB5KDC_ERR_BADOPTION; kdc_log(context, config, 4, "Bad request for constrained delegation"); @@ -74,10 +74,10 @@ check_constrained_delegation(krb5_context context, return 0; } else { /* if client delegates to itself, that ok */ - if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE) + if (krb5_principal_compare(context, client->principal, server->principal) == TRUE) return 0; - ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); + ret = hdb_entry_get_ConstrainedDelegACL(client, &acl); if (ret) { krb5_clear_error_message(context); return ret; @@ -101,7 +101,7 @@ update_client_names(astgs_request_t r, char **s4ucname, krb5_principal *s4u_client_name, HDB **s4u_clientdb, - hdb_entry_ex **s4u_client, + hdb_entry **s4u_client, krb5_principal *s4u_canon_client_name, krb5_pac *s4u_pac) { @@ -139,7 +139,7 @@ validate_protocol_transition(astgs_request_t r) krb5_error_code ret; KDC_REQ_BODY *b = &r->req.req_body; EncTicketPart *ticket = &r->ticket->ticket; - hdb_entry_ex *s4u_client = NULL; + hdb_entry *s4u_client = NULL; HDB *s4u_clientdb; int flags = HDB_F_FOR_TGS_REQ; krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL; @@ -275,15 +275,16 @@ validate_protocol_transition(astgs_request_t r) * Ignore require_pwchange and pw_end attributes (as Windows does), * since S4U2Self is not password authentication. */ - s4u_client->entry.flags.require_pwchange = FALSE; - free(s4u_client->entry.pw_end); - s4u_client->entry.pw_end = NULL; + s4u_client->flags.require_pwchange = FALSE; + free(s4u_client->pw_end); + s4u_client->pw_end = NULL; ret = kdc_check_flags(r, FALSE, s4u_client, r->server); if (ret) goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */ ret = _kdc_pac_generate(r->context, + r->config, s4u_client, r->server, NULL, @@ -312,7 +313,7 @@ validate_protocol_transition(astgs_request_t r) goto out; } - ret = krb5_copy_principal(r->context, s4u_client->entry.principal, + ret = krb5_copy_principal(r->context, s4u_client->principal, &s4u_canon_client_name); if (ret) goto out; @@ -322,8 +323,8 @@ validate_protocol_transition(astgs_request_t r) * delegation or if the impersonate client is disallowed * forwardable, remove the forwardable flag. */ - if (r->client->entry.flags.trusted_for_delegation && - s4u_client->entry.flags.forwardable) { + if (r->client->flags.trusted_for_delegation && + s4u_client->flags.forwardable) { str = "[forwardable]"; } else { b->kdc_options.forwardable = 0; @@ -373,7 +374,7 @@ validate_constrained_delegation(astgs_request_t r) char *s4ucname = NULL, *s4usname = NULL; EncTicketPart evidence_tkt; HDB *s4u_clientdb; - hdb_entry_ex *s4u_client = NULL; + hdb_entry *s4u_client = NULL; krb5_boolean ad_kdc_issued = FALSE; Key *clientkey; Ticket *t; @@ -388,7 +389,7 @@ validate_constrained_delegation(astgs_request_t r) memset(&evidence_tkt, 0, sizeof(evidence_tkt)); local_realm = - krb5_principal_get_comp_string(r->context, r->krbtgt->entry.principal, 1); + krb5_principal_get_comp_string(r->context, r->krbtgt->principal, 1); /* * We require that the service's TGT has a PAC; this will have been @@ -405,8 +406,8 @@ validate_constrained_delegation(astgs_request_t r) t = &b->additional_tickets->val[0]; - ret = hdb_enctype2key(r->context, &r->client->entry, - hdb_kvno2keys(r->context, &r->client->entry, + ret = hdb_enctype2key(r->context, r->client, + hdb_kvno2keys(r->context, r->client, t->enc_part.kvno ? * t->enc_part.kvno : 0), t->enc_part.etype, &clientkey); if (ret) { @@ -530,7 +531,7 @@ validate_constrained_delegation(astgs_request_t r) * can insert the canonical client name ourselves. */ if (s4u_canon_client_name == NULL && s4u_client != NULL) { - ret = krb5_copy_principal(r->context, s4u_client->entry.principal, + ret = krb5_copy_principal(r->context, s4u_client->principal, &s4u_canon_client_name); if (ret) goto out; diff --git a/kdc/pkinit.c b/kdc/pkinit.c index 56bb2df84..f01178983 100644 --- a/kdc/pkinit.c +++ b/kdc/pkinit.c @@ -388,7 +388,7 @@ _kdc_pk_rd_padata(astgs_request_t priv, krb5_context context = priv->context; krb5_kdc_configuration *config = priv->config; const KDC_REQ *req = &priv->req; - hdb_entry_ex *client = priv->client; + hdb_entry *client = priv->client; pk_client_params *cp; krb5_error_code ret; heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL }; @@ -431,7 +431,7 @@ _kdc_pk_rd_padata(astgs_request_t priv, } /* Add any registered certificates for this client as trust anchors */ - ret = hdb_entry_get_pkinit_cert(&client->entry, &pc); + ret = hdb_entry_get_pkinit_cert(client, &pc); if (ret == 0 && pc != NULL) { hx509_cert cert; unsigned int i; @@ -467,7 +467,7 @@ _kdc_pk_rd_padata(astgs_request_t priv, type = "PK-INIT-Win2k"; - if (_kdc_is_anonymous(context, client->entry.principal)) { + if (_kdc_is_anonymous(context, client->principal)) { ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; krb5_set_error_message(context, ret, "Anonymous client not supported in RSA mode"); @@ -613,7 +613,7 @@ _kdc_pk_rd_padata(astgs_request_t priv, hx509_certs signer_certs; int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */ - if (_kdc_is_anonymous(context, client->entry.principal) + if (_kdc_is_anonymous(context, client->principal) || (config->historical_anon_realm && _kdc_is_anon_request(req))) flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER; @@ -699,7 +699,7 @@ _kdc_pk_rd_padata(astgs_request_t priv, goto out; } - if (_kdc_is_anonymous(context, client->entry.principal) && + if (_kdc_is_anonymous(context, client->principal) && ap.clientPublicValue == NULL) { free_AuthPack(&ap); ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; @@ -1598,7 +1598,7 @@ match_ms_upn_san(krb5_context context, hx509_context hx509ctx, hx509_cert client_cert, HDB *clientdb, - hdb_entry_ex *client) + hdb_entry *client) { hx509_octet_string_list list; krb5_principal principal = NULL; @@ -1652,7 +1652,7 @@ match_ms_upn_san(krb5_context context, */ strupr(principal->realm); - if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE) + if (krb5_principal_compare(context, principal, client->principal) == FALSE) ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; } @@ -1671,7 +1671,7 @@ _kdc_pk_check_client(astgs_request_t r, { krb5_kdc_configuration *config = r->config; HDB *clientdb = r->clientdb; - hdb_entry_ex *client = r->client; + hdb_entry *client = r->client; const HDB_Ext_PKINIT_acl *acl; const HDB_Ext_PKINIT_cert *pc; krb5_error_code ret; @@ -1679,7 +1679,7 @@ _kdc_pk_check_client(astgs_request_t r, size_t i; if (cp->cert == NULL) { - if (!_kdc_is_anonymous(r->context, client->entry.principal) + if (!_kdc_is_anonymous(r->context, client->principal) && !config->historical_anon_realm) return KRB5KDC_ERR_BADOPTION; @@ -1716,7 +1716,7 @@ _kdc_pk_check_client(astgs_request_t r, "Trying to authorize PKINIT subject DN %s", *subject_name); - ret = hdb_entry_get_pkinit_cert(&client->entry, &pc); + ret = hdb_entry_get_pkinit_cert(client, &pc); if (ret == 0 && pc) { hx509_cert cert; size_t j; @@ -1743,7 +1743,7 @@ _kdc_pk_check_client(astgs_request_t r, ret = match_rfc_san(r->context, config, r->context->hx509ctx, cp->cert, - client->entry.principal); + client->principal); if (ret == 0) { kdc_log(r->context, config, 5, "Found matching PKINIT SAN in certificate"); @@ -1761,7 +1761,7 @@ _kdc_pk_check_client(astgs_request_t r, } } - ret = hdb_entry_get_pkinit_acl(&client->entry, &acl); + ret = hdb_entry_get_pkinit_acl(client, &acl); if (ret == 0 && acl != NULL) { /* * Cheat here and compare the generated name with the string @@ -1787,7 +1787,7 @@ _kdc_pk_check_client(astgs_request_t r, krb5_boolean b; b = krb5_principal_compare(r->context, - client->entry.principal, + client->principal, principal_mappings.val[i].principal); if (b == FALSE) continue; diff --git a/lib/hdb/common.c b/lib/hdb/common.c index 55176e27e..f6c7ef777 100644 --- a/lib/hdb/common.c +++ b/lib/hdb/common.c @@ -148,7 +148,7 @@ fetch_entry_or_alias(krb5_context context, HDB *db, krb5_const_principal principal, unsigned flags, - hdb_entry_ex *entry) + hdb_entry *entry) { HDB_EntryOrAlias eoa; krb5_principal enterprise_principal = NULL; @@ -180,7 +180,7 @@ fetch_entry_or_alias(krb5_context context, if (ret == 0) ret = decode_HDB_EntryOrAlias(value.data, value.length, &eoa, NULL); if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_entry) { - entry->entry = eoa.u.entry; + *entry = eoa.u.entry; } else if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias) { krb5_data_free(&key); ret = hdb_principal2key(context, eoa.u.alias.principal, &key); @@ -190,7 +190,7 @@ fetch_entry_or_alias(krb5_context context, } if (ret == 0) /* No alias chaining */ - ret = hdb_value2entry(context, &value, &entry->entry); + ret = hdb_value2entry(context, &value, entry); krb5_free_principal(context, eoa.u.alias.principal); } else if (ret == 0) ret = ENOTSUP; @@ -200,7 +200,7 @@ fetch_entry_or_alias(krb5_context context, * the canonicalize flag is unset, the original specification in * draft-ietf-krb-wg-kerberos-referrals-03.txt says we should. */ - entry->entry.flags.force_canonicalize = 1; + entry->flags.force_canonicalize = 1; } /* HDB_F_GET_ANY indicates request originated from KDC (not kadmin) */ @@ -208,7 +208,7 @@ fetch_entry_or_alias(krb5_context context, (flags & (HDB_F_CANON|HDB_F_GET_ANY)) == 0) { /* `principal' was alias but canon not req'd */ - free_HDB_entry(&entry->entry); + free_HDB_entry(entry); ret = HDB_ERR_NOENTRY; } @@ -221,7 +221,7 @@ fetch_entry_or_alias(krb5_context context, krb5_error_code _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, - unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry) + unsigned flags, krb5_kvno kvno, hdb_entry *entry) { krb5_error_code ret; @@ -231,21 +231,21 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) { /* Decrypt the current keys */ - ret = hdb_unseal_keys(context, db, &entry->entry); + ret = hdb_unseal_keys(context, db, entry); if (ret) { hdb_free_entry(context, db, entry); return ret; } /* Decrypt the key history too */ - ret = hdb_unseal_keys_kvno(context, db, 0, flags, &entry->entry); + ret = hdb_unseal_keys_kvno(context, db, 0, flags, entry); if (ret) { hdb_free_entry(context, db, entry); return ret; } } else if ((flags & HDB_F_DECRYPT)) { - if ((flags & HDB_F_KVNO_SPECIFIED) == 0 || kvno == entry->entry.kvno) { + if ((flags & HDB_F_KVNO_SPECIFIED) == 0 || kvno == entry->kvno) { /* Decrypt the current keys */ - ret = hdb_unseal_keys(context, db, &entry->entry); + ret = hdb_unseal_keys(context, db, entry); if (ret) { hdb_free_entry(context, db, entry); return ret; @@ -257,7 +257,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, * Find and decrypt the keys from the history that we want, * and swap them with the current keys */ - ret = hdb_unseal_keys_kvno(context, db, kvno, flags, &entry->entry); + ret = hdb_unseal_keys_kvno(context, db, kvno, flags, entry); if (ret) { hdb_free_entry(context, db, entry); return ret; @@ -271,7 +271,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, * key was generated, but given the salt will be ignored by a keytab * client it doesn't hurt to include the default salt. */ - ret = add_default_salts(context, db, &entry->entry); + ret = add_default_salts(context, db, entry); if (ret) { hdb_free_entry(context, db, entry); return ret; @@ -325,20 +325,20 @@ hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key) static krb5_error_code hdb_add_aliases(krb5_context context, HDB *db, - unsigned flags, hdb_entry_ex *entry) + unsigned flags, hdb_entry *entry) { const HDB_Ext_Aliases *aliases; krb5_error_code code; krb5_data key, value; size_t i; - code = hdb_entry_get_aliases(&entry->entry, &aliases); + code = hdb_entry_get_aliases(entry, &aliases); if (code || aliases == NULL) return code; for (i = 0; i < aliases->aliases.len; i++) { hdb_entry_alias entryalias; - entryalias.principal = entry->entry.principal; + entryalias.principal = entry->principal; code = hdb_entry_alias2value(context, &entryalias, &value); if (code) @@ -358,7 +358,7 @@ hdb_add_aliases(krb5_context context, HDB *db, /* Check if new aliases are already used for other entries */ static krb5_error_code -hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry) +hdb_check_aliases(krb5_context context, HDB *db, hdb_entry *entry) { const HDB_Ext_Aliases *aliases = NULL; HDB_EntryOrAlias eoa; @@ -370,7 +370,7 @@ hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry) krb5_data_zero(&value); akey = value; - ret = hdb_entry_get_aliases(&entry->entry, &aliases); + ret = hdb_entry_get_aliases(entry, &aliases); for (i = 0; ret == 0 && aliases && i < aliases->aliases.len; i++) { ret = hdb_principal2key(context, &aliases->aliases.val[i], &akey); if (ret == 0) @@ -385,7 +385,7 @@ hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry) ret = HDB_ERR_EXISTS; if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias && !krb5_principal_compare(context, eoa.u.alias.principal, - entry->entry.principal)) + entry->principal)) /* New alias names an existing alias of a different entry */ ret = HDB_ERR_EXISTS; if (ret == HDB_ERR_NOENTRY) /* from db->hdb__get */ @@ -459,13 +459,13 @@ hdb_derive_etypes(krb5_context context, hdb_entry *e, HDB_Ext_KeySet *base_keys) } krb5_error_code -_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { krb5_data key, value; int code; - if (entry->entry.flags.do_not_store || - entry->entry.flags.force_canonicalize) + if (entry->flags.do_not_store || + entry->flags.force_canonicalize) return HDB_ERR_MISUSE; /* check if new aliases already is used */ code = hdb_check_aliases(context, db, entry); @@ -476,7 +476,7 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) return 0; if ((flags & HDB_F_PRECHECK)) { - code = hdb_principal2key(context, entry->entry.principal, &key); + code = hdb_principal2key(context, entry->principal, &key); if (code) return code; code = db->hdb__get(context, db, key, &value); @@ -488,29 +488,29 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) return code ? code : HDB_ERR_EXISTS; } - if ((entry->entry.etypes == NULL || entry->entry.etypes->len == 0) && - (code = hdb_derive_etypes(context, &entry->entry, NULL))) + if ((entry->etypes == NULL || entry->etypes->len == 0) && + (code = hdb_derive_etypes(context, entry, NULL))) return code; - if (entry->entry.generation == NULL) { + if (entry->generation == NULL) { struct timeval t; - entry->entry.generation = malloc(sizeof(*entry->entry.generation)); - if(entry->entry.generation == NULL) { + entry->generation = malloc(sizeof(*entry->generation)); + if(entry->generation == NULL) { krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); return ENOMEM; } gettimeofday(&t, NULL); - entry->entry.generation->time = t.tv_sec; - entry->entry.generation->usec = t.tv_usec; - entry->entry.generation->gen = 0; + entry->generation->time = t.tv_sec; + entry->generation->usec = t.tv_usec; + entry->generation->gen = 0; } else - entry->entry.generation->gen++; + entry->generation->gen++; - code = hdb_seal_keys(context, db, &entry->entry); + code = hdb_seal_keys(context, db, entry); if (code) return code; - code = hdb_principal2key(context, entry->entry.principal, &key); + code = hdb_principal2key(context, entry->principal, &key); if (code) return code; @@ -520,7 +520,7 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) krb5_data_free(&key); return code; } - hdb_entry2value(context, &entry->entry, &value); + hdb_entry2value(context, entry, &value); code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value); krb5_data_free(&value); krb5_data_free(&key); @@ -722,7 +722,7 @@ derive_keyset(krb5_context context, /* Possibly derive and install in `h' a keyset identified by `t' */ static krb5_error_code derive_keys_for_kr(krb5_context context, - hdb_entry_ex *h, + hdb_entry *h, HDB_Ext_KeySet *base_keys, int is_current_keyset, int rotation_period_offset, @@ -796,7 +796,7 @@ derive_keys_for_kr(krb5_context context, ret = derive_keyset(context, &base_keys->val[i].keys, princ, etype, kvno, set_time, &dks); if (ret == 0) - ret = hdb_install_keyset(context, &h->entry, is_current_keyset, &dks); + ret = hdb_install_keyset(context, h, is_current_keyset, &dks); free_HDB_keyset(&dks); return ret; @@ -805,7 +805,7 @@ derive_keys_for_kr(krb5_context context, /* Derive and install current keys, and possibly preceding or next keys */ static krb5_error_code derive_keys_for_current_kr(krb5_context context, - hdb_entry_ex *h, + hdb_entry *h, HDB_Ext_KeySet *base_keys, const char *princ, unsigned int flags, @@ -871,12 +871,12 @@ derive_keys_for_current_kr(krb5_context context, * Arguments: * * - `flags' is the flags passed to `hdb_fetch_kvno()' - * - `princ' is the name of the principal we'll end up with in `h->entry' + * - `princ' is the name of the principal we'll end up with in `entry' * - `h_is_namespace' indicates whether `h' is for a namespace or a concrete * principal (that might nonetheless have virtual/derived keys) * - `t' is the time such that the derived keys are for kvnos needed at `t' * - `etype' indicates what enctype to derive keys for (0 for all enctypes in - * `h->entry.etypes') + * `entry->etypes') * - `kvno' requests a particular kvno, or all if zero * * The caller doesn't know if the principal needs key derivation -- we make @@ -968,7 +968,7 @@ derive_keys(krb5_context context, krb5_timestamp t, krb5int32 etype, krb5uint32 kvno, - hdb_entry_ex *h) + hdb_entry *h) { HDB_Ext_KeyRotation kr; HDB_Ext_KeySet base_keys; @@ -977,9 +977,9 @@ derive_keys(krb5_context context, char *p = NULL; int valid = 1; - if (!h_is_namespace && !h->entry.flags.virtual_keys) + if (!h_is_namespace && !h->flags.virtual_keys) return 0; - h->entry.flags.virtual = 1; + h->flags.virtual = 1; kr.len = 0; kr.val = 0; @@ -987,7 +987,7 @@ derive_keys(krb5_context context, const HDB_Ext_KeyRotation *ckr; /* Installing keys invalidates `ckr', so we copy it */ - ret = hdb_entry_get_key_rotation(context, &h->entry, &ckr); + ret = hdb_entry_get_key_rotation(context, h, &ckr); if (!ckr) return ret; if (ret == 0) @@ -998,11 +998,11 @@ derive_keys(krb5_context context, base_keys.val = 0; base_keys.len = 0; if (ret == 0) - ret = hdb_remove_base_keys(context, &h->entry, &base_keys); + ret = hdb_remove_base_keys(context, h, &base_keys); - /* Make sure we have h->entry.etypes */ - if (ret == 0 && !h->entry.etypes) - ret = hdb_derive_etypes(context, &h->entry, &base_keys); + /* Make sure we have h->etypes */ + if (ret == 0 && !h->etypes) + ret = hdb_derive_etypes(context, h, &base_keys); /* Keys not desired? Don't derive them! */ if (ret || !(flags & HDB_F_DECRYPT)) { @@ -1094,10 +1094,10 @@ derive_keys(krb5_context context, /* * Derive and set in `h' its current kvno and current keys. * - * This will set h->entry.kvno as well. + * This will set h->kvno as well. * * This may set up to TWO keysets for the current key rotation period: - * - current keys (h->entry.keys and h->entry.kvno) + * - current keys (h->keys and h->kvno) * - possibly one future * OR * possibly one past keyset in hist_keys for the current_kr @@ -1130,14 +1130,14 @@ derive_keys(krb5_context context, kr.val[current_kr].epoch - 1, &kr.val[past_kr]); /* - * Impose a bound on h->entry.max_life so that [when the KDC is the caller] + * Impose a bound on h->max_life so that [when the KDC is the caller] * the KDC won't issue tickets longer lived than this. */ - if (ret == 0 && !h->entry.max_life && - (h->entry.max_life = calloc(1, sizeof(h->entry.max_life[0]))) == NULL) + if (ret == 0 && !h->max_life && + (h->max_life = calloc(1, sizeof(h->max_life[0]))) == NULL) ret = krb5_enomem(context); - if (ret == 0 && *h->entry.max_life > kr.val[current_kr].period >> 1) - *h->entry.max_life = kr.val[current_kr].period >> 1; + if (ret == 0 && *h->max_life > kr.val[current_kr].period >> 1) + *h->max_life = kr.val[current_kr].period >> 1; free_HDB_Ext_KeyRotation(&kr); free_HDB_Ext_KeySet(&base_keys); @@ -1177,7 +1177,7 @@ pick_kvno(krb5_context context, unsigned flags, krb5_timestamp now, krb5uint32 kvno, - hdb_entry_ex *h) + hdb_entry *h) { HDB_extension *ext; HDB_Ext_KeySet keys; @@ -1190,25 +1190,25 @@ pick_kvno(krb5_context context, * delayed, or if there's no new-key delay configured, or we're not * fetching for use as a service principal, then we're out. */ - if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->entry.flags.virtual || - h->entry.flags.virtual_keys || db->new_service_key_delay <= 0) + if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->flags.virtual || + h->flags.virtual_keys || db->new_service_key_delay <= 0) return 0; /* No history -> current keyset is the only one and therefore the best */ - ext = hdb_find_extension(&h->entry, choice_HDB_extension_data_hist_keys); + ext = hdb_find_extension(h, choice_HDB_extension_data_hist_keys); if (!ext) return 0; /* Assume the current keyset is the best to start with */ - (void) hdb_entry_get_pw_change_time(&h->entry, ¤t); - if (current == 0 && h->entry.modified_by) - current = h->entry.modified_by->time; + (void) hdb_entry_get_pw_change_time(h, ¤t); + if (current == 0 && h->modified_by) + current = h->modified_by->time; if (current == 0) - current = h->entry.created_by.time; + current = h->created_by.time; /* Current keyset starts out as best */ best = current; - kvno = h->entry.kvno; + kvno = h->kvno; /* Look for a better keyset in the history */ keys = ext->data.u.hist_keys; @@ -1248,7 +1248,7 @@ pick_kvno(krb5_context context, best = keys.val[i].set_time[0]; kvno = keys.val[i].kvno; } - return hdb_change_kvno(context, kvno, &h->entry); + return hdb_change_kvno(context, kvno, h); } /* @@ -1359,15 +1359,15 @@ rewrite_hostname(krb5_context context, } /* - * Fix `h->entry.principal' to match the desired `princ' in the namespace - * `nsprinc' (which is either the same as `h->entry.principal' or an alias + * Fix `h->principal' to match the desired `princ' in the namespace + * `nsprinc' (which is either the same as `h->principal' or an alias * of it). */ static krb5_error_code fix_princ_name(krb5_context context, krb5_const_principal princ, krb5_const_principal nsprinc, - hdb_entry_ex *h) + hdb_entry *h) { krb5_error_code ret = 0; char *s = NULL; @@ -1379,7 +1379,7 @@ fix_princ_name(krb5_context context, /* `nsprinc' must be a namespace principal */ - if (krb5_principal_compare(context, nsprinc, h->entry.principal)) { + if (krb5_principal_compare(context, nsprinc, h->principal)) { /* * `h' is the HDB entry for `nsprinc', and `nsprinc' is its canonical * name. @@ -1387,23 +1387,23 @@ fix_princ_name(krb5_context context, * Set the entry's principal name to the desired name. The keys will * be fixed next (upstairs, but don't forget to!). */ - free_Principal(h->entry.principal); - return copy_Principal(princ, h->entry.principal); + free_Principal(h->principal); + return copy_Principal(princ, h->principal); } - if (!is_namespace_princ_p(context, h->entry.principal)) { + if (!is_namespace_princ_p(context, h->principal)) { /* * The alias is a namespace, but the canonical name is not. WAT. * * Well, the KDC will just issue a referral anyways, so we can leave - * `h->entry.principal' as is... + * `h->principal' as is... * - * Remove all of `h->entry's keys just in case, and leave - * `h->entry.principal' as-is. + * Remove all of `h's keys just in case, and leave + * `h->principal' as-is. */ - free_Keys(&h->entry.keys); - (void) hdb_entry_clear_password(context, &h->entry); - return hdb_clear_extension(context, &h->entry, + free_Keys(&h->keys); + (void) hdb_entry_clear_password(context, h); + return hdb_clear_extension(context, h, choice_HDB_extension_data_hist_keys); } @@ -1418,15 +1418,15 @@ fix_princ_name(krb5_context context, * we'll want to treat host/foo.ns.test.h5l.se as an alias of * host/foo.ns.example.org. */ - if (krb5_principal_get_num_comp(context, h->entry.principal) != + if (krb5_principal_get_num_comp(context, h->principal) != 2 + krb5_principal_get_num_comp(context, princ)) ret = HDB_ERR_NOENTRY; /* Only host-based services for now */ if (ret == 0) - ret = rewrite_hostname(context, princ, nsprinc, h->entry.principal, &s); + ret = rewrite_hostname(context, princ, nsprinc, h->principal, &s); if (ret == 0) { - krb5_free_principal(context, h->entry.principal); - h->entry.principal = NULL; - ret = krb5_make_principal(context, &h->entry.principal, + krb5_free_principal(context, h->principal); + h->principal = NULL; + ret = krb5_make_principal(context, &h->principal, krb5_principal_get_realm(context, princ), krb5_principal_get_comp_string(context, princ, 0), @@ -1445,7 +1445,7 @@ fetch_it(krb5_context context, krb5_timestamp t, krb5int32 etype, krb5uint32 kvno, - hdb_entry_ex *ent) + hdb_entry *ent) { krb5_const_principal tmpprinc = princ; krb5_principal nsprinc = NULL; @@ -1604,7 +1604,7 @@ hdb_fetch_kvno(krb5_context context, krb5_timestamp t, krb5int32 etype, krb5uint32 kvno, - hdb_entry_ex *h) + hdb_entry *h) { krb5_error_code ret = HDB_ERR_NOENTRY; @@ -1621,8 +1621,8 @@ hdb_fetch_kvno(krb5_context context, * independently of principal aliases (used by Samba). */ if (ret == 0 && !(flags & HDB_F_ADMIN_DATA) && - !h->entry.flags.force_canonicalize && - !krb5_realm_compare(context, principal, h->entry.principal)) + !h->flags.force_canonicalize && + !krb5_realm_compare(context, principal, h->principal)) ret = HDB_ERR_WRONG_REALM; return ret; } diff --git a/lib/hdb/db.c b/lib/hdb/db.c index e845bae02..5fcce7b8e 100644 --- a/lib/hdb/db.c +++ b/lib/hdb/db.c @@ -114,7 +114,7 @@ DB_unlock(krb5_context context, HDB *db) static krb5_error_code DB_seq(krb5_context context, HDB *db, - unsigned flags, hdb_entry_ex *entry, int flag) + unsigned flags, hdb_entry *entry, int flag) { DB *d = (DB*)db->hdb_db; DBT key, value; @@ -138,21 +138,21 @@ DB_seq(krb5_context context, HDB *db, data.data = value.data; data.length = value.size; memset(entry, 0, sizeof(*entry)); - if (hdb_value2entry(context, &data, &entry->entry)) + if (hdb_value2entry(context, &data, entry)) return DB_seq(context, db, flags, entry, R_NEXT); if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - code = hdb_unseal_keys (context, db, &entry->entry); + code = hdb_unseal_keys (context, db, entry); if (code) hdb_free_entry (context, db, entry); } - if (code == 0 && entry->entry.principal == NULL) { - entry->entry.principal = malloc(sizeof(*entry->entry.principal)); - if (entry->entry.principal == NULL) { + if (code == 0 && entry->principal == NULL) { + entry->principal = malloc(sizeof(*entry->principal)); + if (entry->principal == NULL) { code = ENOMEM; krb5_set_error_message(context, code, "malloc: out of memory"); hdb_free_entry (context, db, entry); } else { - hdb_key2principal(context, &key_data, entry->entry.principal); + hdb_key2principal(context, &key_data, entry->principal); } } return code; @@ -160,14 +160,14 @@ DB_seq(krb5_context context, HDB *db, static krb5_error_code -DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { return DB_seq(context, db, flags, entry, R_FIRST); } static krb5_error_code -DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { return DB_seq(context, db, flags, entry, R_NEXT); } diff --git a/lib/hdb/db3.c b/lib/hdb/db3.c index 181f41515..9d0c0a97d 100644 --- a/lib/hdb/db3.c +++ b/lib/hdb/db3.c @@ -136,7 +136,7 @@ DB_unlock(krb5_context context, HDB *db) static krb5_error_code DB_seq(krb5_context context, HDB *db, - unsigned flags, hdb_entry_ex *entry, int flag) + unsigned flags, hdb_entry *entry, int flag) { DBT key, value; DBC *dbcp = db->hdb_dbc; @@ -156,21 +156,21 @@ DB_seq(krb5_context context, HDB *db, data.data = value.data; data.length = value.size; memset(entry, 0, sizeof(*entry)); - if (hdb_value2entry(context, &data, &entry->entry)) + if (hdb_value2entry(context, &data, entry)) return DB_seq(context, db, flags, entry, DB_NEXT); if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - code = hdb_unseal_keys (context, db, &entry->entry); + code = hdb_unseal_keys (context, db, entry); if (code) hdb_free_entry (context, db, entry); } - if (entry->entry.principal == NULL) { - entry->entry.principal = malloc(sizeof(*entry->entry.principal)); - if (entry->entry.principal == NULL) { + if (entry->principal == NULL) { + entry->principal = malloc(sizeof(*entry->principal)); + if (entry->principal == NULL) { hdb_free_entry (context, db, entry); krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); return ENOMEM; } else { - hdb_key2principal(context, &key_data, entry->entry.principal); + hdb_key2principal(context, &key_data, entry->principal); } } return 0; @@ -178,14 +178,14 @@ DB_seq(krb5_context context, HDB *db, static krb5_error_code -DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { return DB_seq(context, db, flags, entry, DB_FIRST); } static krb5_error_code -DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { return DB_seq(context, db, flags, entry, DB_NEXT); } diff --git a/lib/hdb/hdb-keytab.c b/lib/hdb/hdb-keytab.c index f3cb8fbe6..c9b469cb1 100644 --- a/lib/hdb/hdb-keytab.c +++ b/lib/hdb/hdb-keytab.c @@ -90,14 +90,14 @@ hkt_unlock(krb5_context context, HDB *db) static krb5_error_code hkt_firstkey(krb5_context context, HDB *db, - unsigned flags, hdb_entry_ex *entry) + unsigned flags, hdb_entry *entry) { return HDB_ERR_DB_INUSE; } static krb5_error_code hkt_nextkey(krb5_context context, HDB * db, unsigned flags, - hdb_entry_ex * entry) + hdb_entry * entry) { return HDB_ERR_DB_INUSE; } @@ -119,7 +119,7 @@ hkt_open(krb5_context context, HDB * db, int flags, mode_t mode) static krb5_error_code hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, - unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry) + unsigned flags, krb5_kvno kvno, hdb_entry * entry) { hdb_keytab k = (hdb_keytab)db->hdb_db; krb5_error_code ret; @@ -132,13 +132,13 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, memset(&ktentry, 0, sizeof(ktentry)); - entry->entry.flags.server = 1; - entry->entry.flags.forwardable = 1; - entry->entry.flags.renewable = 1; + entry->flags.server = 1; + entry->flags.forwardable = 1; + entry->flags.renewable = 1; /* Not recorded in the OD backend, make something up */ ret = krb5_parse_name(context, "hdb/keytab@WELL-KNOWN:KEYTAB-BACKEND", - &entry->entry.created_by.principal); + &entry->created_by.principal); if (ret) goto out; @@ -155,7 +155,7 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, goto out; } - ret = krb5_copy_principal(context, principal, &entry->entry.principal); + ret = krb5_copy_principal(context, principal, &entry->principal); if (ret) goto out; @@ -163,8 +163,8 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, out: if (ret) { - free_HDB_entry(&entry->entry); - memset(&entry->entry, 0, sizeof(entry->entry)); + free_HDB_entry(entry); + memset(entry, 0, sizeof(*entry)); } krb5_kt_free_entry(context, &ktentry); @@ -173,7 +173,7 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, static krb5_error_code hkt_store(krb5_context context, HDB * db, unsigned flags, - hdb_entry_ex * entry) + hdb_entry * entry) { return HDB_ERR_DB_INUSE; } diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c index 5bdb36c0d..6a2876c51 100644 --- a/lib/hdb/hdb-ldap.c +++ b/lib/hdb/hdb-ldap.c @@ -47,7 +47,7 @@ static krb5_error_code LDAP_close(krb5_context context, HDB *); static krb5_error_code LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, - int flags, hdb_entry_ex * ent); + int flags, hdb_entry * ent); static const char *default_structural_object = "account"; static char *structural_object; @@ -388,14 +388,14 @@ bervalstrcmp(struct berval *v, const char *str) static krb5_error_code -LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, +LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent, LDAPMessage * msg, LDAPMod *** pmods, krb5_boolean *pis_new_entry) { krb5_error_code ret; krb5_boolean is_new_entry = FALSE; char *tmp = NULL; LDAPMod **mods = NULL; - hdb_entry_ex orig; + hdb_entry orig; unsigned long oflags, nflags; int i; @@ -477,12 +477,12 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, } if (is_new_entry || - krb5_principal_compare(context, ent->entry.principal, orig.entry.principal) + krb5_principal_compare(context, ent->principal, orig.principal) == FALSE) { if (is_heimdal_principal || is_heimdal_entry) { - ret = krb5_unparse_name(context, ent->entry.principal, &tmp); + ret = krb5_unparse_name(context, ent->principal, &tmp); if (ret) goto out; @@ -496,7 +496,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, } if (is_account || is_samba_account) { - ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp); + ret = krb5_unparse_name_short(context, ent->principal, &tmp); if (ret) goto out; ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp); @@ -508,15 +508,15 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, } } - if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) { + if (is_heimdal_entry && (ent->kvno != orig.kvno || is_new_entry)) { ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, "krb5KeyVersionNumber", - ent->entry.kvno); + ent->kvno); if (ret) goto out; } - if (is_heimdal_entry && ent->entry.extensions) { + if (is_heimdal_entry && ent->extensions) { if (!is_new_entry) { vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5ExtendedAttributes"); if (vals) { @@ -527,11 +527,11 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, } } - for (i = 0; i < ent->entry.extensions->len; i++) { + for (i = 0; i < ent->extensions->len; i++) { unsigned char *buf; size_t size, sz = 0; - ASN1_MALLOC_ENCODE(HDB_extension, buf, size, &ent->entry.extensions->val[i], &sz, ret); + ASN1_MALLOC_ENCODE(HDB_extension, buf, size, &ent->extensions->val[i], &sz, ret); if (ret) goto out; if (size != sz) @@ -543,42 +543,42 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, } } - if (is_heimdal_entry && ent->entry.valid_start) { - if (orig.entry.valid_end == NULL - || (*(ent->entry.valid_start) != *(orig.entry.valid_start))) { + if (is_heimdal_entry && ent->valid_start) { + if (orig.valid_end == NULL + || (*(ent->valid_start) != *(orig.valid_start))) { ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, "krb5ValidStart", - ent->entry.valid_start); + ent->valid_start); if (ret) goto out; } } - if (ent->entry.valid_end) { - if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) { + if (ent->valid_end) { + if (orig.valid_end == NULL || (*(ent->valid_end) != *(orig.valid_end))) { if (is_heimdal_entry) { ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, "krb5ValidEnd", - ent->entry.valid_end); + ent->valid_end); if (ret) goto out; } if (is_samba_account) { ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, "sambaKickoffTime", - *(ent->entry.valid_end)); + *(ent->valid_end)); if (ret) goto out; } } } - if (ent->entry.pw_end) { - if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) { + if (ent->pw_end) { + if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) { if (is_heimdal_entry) { ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, "krb5PasswordEnd", - ent->entry.pw_end); + ent->pw_end); if (ret) goto out; } @@ -586,7 +586,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, if (is_samba_account) { ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, "sambaPwdMustChange", - *(ent->entry.pw_end)); + *(ent->pw_end)); if (ret) goto out; } @@ -595,43 +595,43 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, #if 0 /* we we have last_pw_change */ - if (is_samba_account && ent->entry.last_pw_change) { - if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) { + if (is_samba_account && ent->last_pw_change) { + if (orig.last_pw_change == NULL || (*(ent->last_pw_change) != *(orig.last_pw_change))) { ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, "sambaPwdLastSet", - *(ent->entry.last_pw_change)); + *(ent->last_pw_change)); if (ret) goto out; } } #endif - if (is_heimdal_entry && ent->entry.max_life) { - if (orig.entry.max_life == NULL - || (*(ent->entry.max_life) != *(orig.entry.max_life))) { + if (is_heimdal_entry && ent->max_life) { + if (orig.max_life == NULL + || (*(ent->max_life) != *(orig.max_life))) { ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, "krb5MaxLife", - *(ent->entry.max_life)); + *(ent->max_life)); if (ret) goto out; } } - if (is_heimdal_entry && ent->entry.max_renew) { - if (orig.entry.max_renew == NULL - || (*(ent->entry.max_renew) != *(orig.entry.max_renew))) { + if (is_heimdal_entry && ent->max_renew) { + if (orig.max_renew == NULL + || (*(ent->max_renew) != *(orig.max_renew))) { ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, "krb5MaxRenew", - *(ent->entry.max_renew)); + *(ent->max_renew)); if (ret) goto out; } } - oflags = HDBFlags2int(orig.entry.flags); - nflags = HDBFlags2int(ent->entry.flags); + oflags = HDBFlags2int(orig.flags); + nflags = HDBFlags2int(ent->flags); if (is_heimdal_entry && oflags != nflags) { @@ -643,7 +643,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, } /* Remove keys if they exists, and then replace keys. */ - if (!is_new_entry && orig.entry.keys.len > 0) { + if (!is_new_entry && orig.keys.len > 0) { vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key"); if (vals) { ldap_value_free_len(vals); @@ -654,21 +654,21 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, } } - for (i = 0; i < ent->entry.keys.len; i++) { + for (i = 0; i < ent->keys.len; i++) { if (is_samba_account - && ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { + && ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { char *ntHexPassword; char *nt; time_t now = time(NULL); /* the key might have been 'sealed', but samba passwords are clear in the directory */ - ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]); + ret = hdb_unseal_key(context, db, &ent->keys.val[i]); if (ret) goto out; - nt = ent->entry.keys.val[i].key.keyvalue.data; + nt = ent->keys.val[i].key.keyvalue.data; /* store in ntPassword, not krb5key */ ret = hex_encode(nt, 16, &ntHexPassword); if (ret < 0) { @@ -701,7 +701,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, unsigned char *buf; size_t len, buf_size; - ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret); + ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->keys.val[i], &len, ret); if (ret) goto out; if(buf_size != len) @@ -714,7 +714,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, } } - if (ent->entry.etypes) { + if (ent->etypes) { int add_krb5EncryptionType = 0; /* @@ -736,15 +736,15 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, add_krb5EncryptionType = 1; if (add_krb5EncryptionType) { - for (i = 0; i < ent->entry.etypes->len; i++) { + for (i = 0; i < ent->etypes->len; i++) { if (is_samba_account && - ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) + ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { ; } else if (is_heimdal_entry) { ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD, "krb5EncryptionType", - ent->entry.etypes->val[i]); + ent->etypes->val[i]); if (ret) goto out; } @@ -1005,7 +1005,7 @@ LDAP_principal2message(krb5_context context, HDB * db, */ static krb5_error_code LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, - int flags, hdb_entry_ex * ent) + int flags, hdb_entry * ent) { char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL; char *samba_acct_flags = NULL; @@ -1015,18 +1015,18 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, int tmp, tmp_time, i, ret, have_arcfour = 0; memset(ent, 0, sizeof(*ent)); - ent->entry.flags = int2HDBFlags(0); + ent->flags = int2HDBFlags(0); ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name); if (ret == 0) { - ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal); + ret = krb5_parse_name(context, unparsed_name, &ent->principal); if (ret) goto out; } else { ret = LDAP_get_string_value(db, msg, "uid", &unparsed_name); if (ret == 0) { - ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal); + ret = krb5_parse_name(context, unparsed_name, &ent->principal); if (ret) goto out; } else { @@ -1042,25 +1042,25 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber", &integer); if (ret) - ent->entry.kvno = 0; + ent->kvno = 0; else - ent->entry.kvno = integer; + ent->kvno = integer; } keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key"); if (keys != NULL) { size_t l; - ent->entry.keys.len = ldap_count_values_len(keys); - ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key)); - if (ent->entry.keys.val == NULL) { + ent->keys.len = ldap_count_values_len(keys); + ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key)); + if (ent->keys.val == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "calloc: out of memory"); goto out; } - for (i = 0; i < ent->entry.keys.len; i++) { + for (i = 0; i < ent->keys.len; i++) { decode_Key((unsigned char *) keys[i]->bv_val, - (size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l); + (size_t) keys[i]->bv_len, &ent->keys.val[i], &l); } ber_bvecfree(keys); } else { @@ -1070,8 +1070,8 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, * be related to a general directory entry without creating * the keys. Hopefully it's OK. */ - ent->entry.keys.len = 0; - ent->entry.keys.val = NULL; + ent->keys.len = 0; + ent->keys.val = NULL; #else ret = HDB_ERR_NOENTRY; goto out; @@ -1082,47 +1082,47 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, if (extensions != NULL) { size_t l; - ent->entry.extensions = calloc(1, sizeof(*(ent->entry.extensions))); - if (ent->entry.extensions == NULL) { + ent->extensions = calloc(1, sizeof(*(ent->extensions))); + if (ent->extensions == NULL) { ret = krb5_enomem(context); goto out; } - ent->entry.extensions->len = ldap_count_values_len(extensions); - ent->entry.extensions->val = (HDB_extension *) calloc(ent->entry.extensions->len, sizeof(HDB_extension)); - if (ent->entry.extensions->val == NULL) { - ent->entry.extensions->len = 0; + ent->extensions->len = ldap_count_values_len(extensions); + ent->extensions->val = (HDB_extension *) calloc(ent->extensions->len, sizeof(HDB_extension)); + if (ent->extensions->val == NULL) { + ent->extensions->len = 0; ret = krb5_enomem(context); goto out; } - for (i = 0; i < ent->entry.extensions->len; i++) { + for (i = 0; i < ent->extensions->len; i++) { ret = decode_HDB_extension((unsigned char *) extensions[i]->bv_val, - (size_t) extensions[i]->bv_len, &ent->entry.extensions->val[i], &l); + (size_t) extensions[i]->bv_len, &ent->extensions->val[i], &l); if (ret) krb5_set_error_message(context, ret, "decode_HDB_extension failed"); } ber_bvecfree(extensions); } else { - ent->entry.extensions = NULL; + ent->extensions = NULL; } vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType"); if (vals != NULL) { - ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes))); - if (ent->entry.etypes == NULL) { + ent->etypes = malloc(sizeof(*(ent->etypes))); + if (ent->etypes == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret,"malloc: out of memory"); goto out; } - ent->entry.etypes->len = ldap_count_values_len(vals); - ent->entry.etypes->val = calloc(ent->entry.etypes->len, - sizeof(ent->entry.etypes->val[0])); - if (ent->entry.etypes->val == NULL) { + ent->etypes->len = ldap_count_values_len(vals); + ent->etypes->val = calloc(ent->etypes->len, + sizeof(ent->etypes->val[0])); + if (ent->etypes->val == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); - ent->entry.etypes->len = 0; + ent->etypes->len = 0; goto out; } - for (i = 0; i < ent->entry.etypes->len; i++) { + for (i = 0; i < ent->etypes->len; i++) { char *buf; buf = malloc(vals[i]->bv_len + 1); @@ -1133,14 +1133,14 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, } memcpy(buf, vals[i]->bv_val, vals[i]->bv_len); buf[vals[i]->bv_len] = '\0'; - ent->entry.etypes->val[i] = atoi(buf); + ent->etypes->val[i] = atoi(buf); free(buf); } ldap_value_free_len(vals); } - for (i = 0; i < ent->entry.keys.len; i++) { - if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { + for (i = 0; i < ent->keys.len; i++) { + if (ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { have_arcfour = 1; break; } @@ -1152,151 +1152,151 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, unsigned *etypes; Key *ks; - ks = realloc(ent->entry.keys.val, - (ent->entry.keys.len + 1) * - sizeof(ent->entry.keys.val[0])); + ks = realloc(ent->keys.val, + (ent->keys.len + 1) * + sizeof(ent->keys.val[0])); if (ks == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - ent->entry.keys.val = ks; - memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key)); - ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5; - ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16); + ent->keys.val = ks; + memset(&ent->keys.val[ent->keys.len], 0, sizeof(Key)); + ent->keys.val[ent->keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5; + ret = krb5_data_alloc (&ent->keys.val[ent->keys.len].key.keyvalue, 16); if (ret) { krb5_set_error_message(context, ret, "malloc: out of memory"); ret = ENOMEM; goto out; } ret = hex_decode(ntPasswordIN, - ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16); - ent->entry.keys.len++; + ent->keys.val[ent->keys.len].key.keyvalue.data, 16); + ent->keys.len++; if (ret == -1) { krb5_set_error_message(context, ret = EINVAL, "invalid hex encoding of password"); goto out; } - if (ent->entry.etypes == NULL) { - ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes))); - if (ent->entry.etypes == NULL) { + if (ent->etypes == NULL) { + ent->etypes = malloc(sizeof(*(ent->etypes))); + if (ent->etypes == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - ent->entry.etypes->val = NULL; - ent->entry.etypes->len = 0; + ent->etypes->val = NULL; + ent->etypes->len = 0; } - for (i = 0; i < ent->entry.etypes->len; i++) - if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5) + for (i = 0; i < ent->etypes->len; i++) + if (ent->etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5) break; /* If there is no ARCFOUR enctype, add one */ - if (i == ent->entry.etypes->len) { - etypes = realloc(ent->entry.etypes->val, - (ent->entry.etypes->len + 1) * - sizeof(ent->entry.etypes->val[0])); + if (i == ent->etypes->len) { + etypes = realloc(ent->etypes->val, + (ent->etypes->len + 1) * + sizeof(ent->etypes->val[0])); if (etypes == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - ent->entry.etypes->val = etypes; - ent->entry.etypes->val[ent->entry.etypes->len] = + ent->etypes->val = etypes; + ent->etypes->val[ent->etypes->len] = ETYPE_ARCFOUR_HMAC_MD5; - ent->entry.etypes->len++; + ent->etypes->len++; } } ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp", - &ent->entry.created_by.time); + &ent->created_by.time); if (ret) - ent->entry.created_by.time = time(NULL); + ent->created_by.time = time(NULL); - ent->entry.created_by.principal = NULL; + ent->created_by.principal = NULL; if (flags & HDB_F_ADMIN_DATA) { ret = LDAP_get_string_value(db, msg, "creatorsName", &dn); if (ret == 0) { - LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal); + LDAP_dn2principal(context, db, dn, &ent->created_by.principal); free(dn); } - ent->entry.modified_by = calloc(1, sizeof(*ent->entry.modified_by)); - if (ent->entry.modified_by == NULL) { + ent->modified_by = calloc(1, sizeof(*ent->modified_by)); + if (ent->modified_by == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp", - &ent->entry.modified_by->time); + &ent->modified_by->time); if (ret == 0) { ret = LDAP_get_string_value(db, msg, "modifiersName", &dn); if (ret == 0) { - LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal); + LDAP_dn2principal(context, db, dn, &ent->modified_by->principal); free(dn); } else { - free(ent->entry.modified_by); - ent->entry.modified_by = NULL; + free(ent->modified_by); + ent->modified_by = NULL; } } } - ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start)); - if (ent->entry.valid_start == NULL) { + ent->valid_start = malloc(sizeof(*ent->valid_start)); + if (ent->valid_start == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart", - ent->entry.valid_start); + ent->valid_start); if (ret) { /* OPTIONAL */ - free(ent->entry.valid_start); - ent->entry.valid_start = NULL; + free(ent->valid_start); + ent->valid_start = NULL; } - ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end)); - if (ent->entry.valid_end == NULL) { + ent->valid_end = malloc(sizeof(*ent->valid_end)); + if (ent->valid_end == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd", - ent->entry.valid_end); + ent->valid_end); if (ret) { /* OPTIONAL */ - free(ent->entry.valid_end); - ent->entry.valid_end = NULL; + free(ent->valid_end); + ent->valid_end = NULL; } ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time); if (ret == 0) { - if (ent->entry.valid_end == NULL) { - ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end)); - if (ent->entry.valid_end == NULL) { + if (ent->valid_end == NULL) { + ent->valid_end = malloc(sizeof(*ent->valid_end)); + if (ent->valid_end == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } } - *ent->entry.valid_end = tmp_time; + *ent->valid_end = tmp_time; } - ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end)); - if (ent->entry.pw_end == NULL) { + ent->pw_end = malloc(sizeof(*ent->pw_end)); + if (ent->pw_end == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd", - ent->entry.pw_end); + ent->pw_end); if (ret) { /* OPTIONAL */ - free(ent->entry.pw_end); - ent->entry.pw_end = NULL; + free(ent->pw_end); + ent->pw_end = NULL; } ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time); @@ -1310,76 +1310,76 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, NULL); if (delta) { - if (ent->entry.pw_end == NULL) { - ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end)); - if (ent->entry.pw_end == NULL) { + if (ent->pw_end == NULL) { + ent->pw_end = malloc(sizeof(*ent->pw_end)); + if (ent->pw_end == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } } - *ent->entry.pw_end = tmp_time + delta; + *ent->pw_end = tmp_time + delta; } } ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time); if (ret == 0) { - if (ent->entry.pw_end == NULL) { - ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end)); - if (ent->entry.pw_end == NULL) { + if (ent->pw_end == NULL) { + ent->pw_end = malloc(sizeof(*ent->pw_end)); + if (ent->pw_end == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } } - *ent->entry.pw_end = tmp_time; + *ent->pw_end = tmp_time; } /* OPTIONAL */ ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time); if (ret == 0) - hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time); + hdb_entry_set_pw_change_time(context, ent, tmp_time); { int max_life; - ent->entry.max_life = malloc(sizeof(*ent->entry.max_life)); - if (ent->entry.max_life == NULL) { + ent->max_life = malloc(sizeof(*ent->max_life)); + if (ent->max_life == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life); if (ret) { - free(ent->entry.max_life); - ent->entry.max_life = NULL; + free(ent->max_life); + ent->max_life = NULL; } else - *ent->entry.max_life = max_life; + *ent->max_life = max_life; } { int max_renew; - ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew)); - if (ent->entry.max_renew == NULL) { + ent->max_renew = malloc(sizeof(*ent->max_renew)); + if (ent->max_renew == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew); if (ret) { - free(ent->entry.max_renew); - ent->entry.max_renew = NULL; + free(ent->max_renew); + ent->max_renew = NULL; } else - *ent->entry.max_renew = max_renew; + *ent->max_renew = max_renew; } ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp); if (ret) tmp = 0; - ent->entry.flags = int2HDBFlags(tmp); + ent->flags = int2HDBFlags(tmp); /* Try and find Samba flags to put into the mix */ ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags); @@ -1411,7 +1411,7 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, /* Allow forwarding */ if (samba_forwardable) - ent->entry.flags.forwardable = TRUE; + ent->flags.forwardable = TRUE; for (i=0; i < flags_len; i++) { switch (samba_acct_flags[i]) { @@ -1423,36 +1423,36 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, /* how to handle no password in kerberos? */ break; case 'D': - ent->entry.flags.invalid = TRUE; + ent->flags.invalid = TRUE; break; case 'H': break; case 'T': /* temp duplicate */ - ent->entry.flags.invalid = TRUE; + ent->flags.invalid = TRUE; break; case 'U': - ent->entry.flags.client = TRUE; + ent->flags.client = TRUE; break; case 'M': break; case 'W': case 'S': - ent->entry.flags.server = TRUE; - ent->entry.flags.client = TRUE; + ent->flags.server = TRUE; + ent->flags.client = TRUE; break; case 'L': - ent->entry.flags.invalid = TRUE; + ent->flags.invalid = TRUE; break; case 'X': - if (ent->entry.pw_end) { - free(ent->entry.pw_end); - ent->entry.pw_end = NULL; + if (ent->pw_end) { + free(ent->pw_end); + ent->pw_end = NULL; } break; case 'I': - ent->entry.flags.server = TRUE; - ent->entry.flags.client = TRUE; + ent->flags.server = TRUE; + ent->flags.client = TRUE; break; } } @@ -1496,7 +1496,7 @@ LDAP_unlock(krb5_context context, HDB * db) } static krb5_error_code -LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry) +LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry) { int msgid, rc, parserc; krb5_error_code ret; @@ -1550,7 +1550,7 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry) if (ret == 0) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys(context, db, &entry->entry); + ret = hdb_unseal_keys(context, db, entry); if (ret) hdb_free_entry(context, db, entry); } @@ -1561,7 +1561,7 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry) static krb5_error_code LDAP_firstkey(krb5_context context, HDB *db, unsigned flags, - hdb_entry_ex *entry) + hdb_entry *entry) { krb5_error_code ret; int msgid; @@ -1589,7 +1589,7 @@ LDAP_firstkey(krb5_context context, HDB *db, unsigned flags, static krb5_error_code LDAP_nextkey(krb5_context context, HDB * db, unsigned flags, - hdb_entry_ex * entry) + hdb_entry * entry) { return LDAP_seq(context, db, flags, entry); } @@ -1692,7 +1692,7 @@ LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode) static krb5_error_code LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, - unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry) + unsigned flags, krb5_kvno kvno, hdb_entry * entry) { LDAPMessage *msg, *e; krb5_error_code ret; @@ -1710,7 +1710,7 @@ LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, ret = LDAP_message2entry(context, db, e, flags, entry); if (ret == 0) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys(context, db, &entry->entry); + ret = hdb_unseal_keys(context, db, entry); if (ret) hdb_free_entry(context, db, entry); } @@ -1725,7 +1725,7 @@ LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, #if 0 static krb5_error_code LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal, - unsigned flags, hdb_entry_ex * entry) + unsigned flags, hdb_entry * entry) { return LDAP_fetch_kvno(context, db, principal, flags & (~HDB_F_KVNO_SPECIFIED), 0, entry); @@ -1734,7 +1734,7 @@ LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal, static krb5_error_code LDAP_store(krb5_context context, HDB * db, unsigned flags, - hdb_entry_ex * entry) + hdb_entry * entry) { LDAPMod **mods = NULL; krb5_error_code ret; @@ -1747,17 +1747,17 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags, if ((flags & HDB_F_PRECHECK)) return 0; /* we can't guarantee whether we'll be able to perform it */ - ret = LDAP_principal2message(context, db, entry->entry.principal, &msg); + ret = LDAP_principal2message(context, db, entry->principal, &msg); if (ret == 0) e = ldap_first_entry(HDB2LDAP(db), msg); - ret = krb5_unparse_name(context, entry->entry.principal, &name); + ret = krb5_unparse_name(context, entry->principal, &name); if (ret) { free(name); return ret; } - ret = hdb_seal_keys(context, db, &entry->entry); + ret = hdb_seal_keys(context, db, entry); if (ret) goto out; diff --git a/lib/hdb/hdb-mdb.c b/lib/hdb/hdb-mdb.c index 114744680..6aa5201eb 100644 --- a/lib/hdb/hdb-mdb.c +++ b/lib/hdb/hdb-mdb.c @@ -383,7 +383,7 @@ DB_unlock(krb5_context context, HDB *db) static krb5_error_code DB_seq(krb5_context context, HDB *db, - unsigned flags, hdb_entry_ex *entry, int flag) + unsigned flags, hdb_entry *entry, int flag) { mdb_info *mi = db->hdb_db; MDB_val key, value; @@ -406,21 +406,21 @@ DB_seq(krb5_context context, HDB *db, data.data = value.mv_data; data.length = value.mv_size; memset(entry, 0, sizeof(*entry)); - if (hdb_value2entry(context, &data, &entry->entry)) + if (hdb_value2entry(context, &data, entry)) return DB_seq(context, db, flags, entry, MDB_NEXT); if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - code = hdb_unseal_keys (context, db, &entry->entry); + code = hdb_unseal_keys (context, db, entry); if (code) hdb_free_entry (context, db, entry); } - if (entry->entry.principal == NULL) { - entry->entry.principal = malloc(sizeof(*entry->entry.principal)); - if (entry->entry.principal == NULL) { + if (entry->principal == NULL) { + entry->principal = malloc(sizeof(*entry->principal)); + if (entry->principal == NULL) { hdb_free_entry (context, db, entry); krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); return ENOMEM; } else { - hdb_key2principal(context, &key_data, entry->entry.principal); + hdb_key2principal(context, &key_data, entry->principal); } } return 0; @@ -428,7 +428,7 @@ DB_seq(krb5_context context, HDB *db, static krb5_error_code -DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { krb5_error_code ret = 0; mdb_info *mi = db->hdb_db; @@ -462,7 +462,7 @@ DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) static krb5_error_code -DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { return DB_seq(context, db, flags, entry, MDB_NEXT); } diff --git a/lib/hdb/hdb-mitdb.c b/lib/hdb/hdb-mitdb.c index 94e9c6971..f763a69ad 100644 --- a/lib/hdb/hdb-mitdb.c +++ b/lib/hdb/hdb-mitdb.c @@ -765,7 +765,7 @@ mdb_unlock(krb5_context context, HDB *db) static krb5_error_code mdb_seq(krb5_context context, HDB *db, - unsigned flags, hdb_entry_ex *entry, int flag) + unsigned flags, hdb_entry *entry, int flag) { DB *d = (DB*)db->hdb_db; DBT key, value; @@ -796,11 +796,11 @@ mdb_seq(krb5_context context, HDB *db, data.length = value.size; memset(entry, 0, sizeof(*entry)); - if (_hdb_mdb_value2entry(context, &data, 0, &entry->entry)) + if (_hdb_mdb_value2entry(context, &data, 0, entry)) return mdb_seq(context, db, flags, entry, R_NEXT); if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - code = hdb_unseal_keys (context, db, &entry->entry); + code = hdb_unseal_keys (context, db, entry); if (code) hdb_free_entry (context, db, entry); } @@ -810,14 +810,14 @@ mdb_seq(krb5_context context, HDB *db, static krb5_error_code -mdb_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +mdb_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { return mdb_seq(context, db, flags, entry, R_FIRST); } static krb5_error_code -mdb_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +mdb_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { return mdb_seq(context, db, flags, entry, R_NEXT); } @@ -941,7 +941,7 @@ mdb__del(krb5_context context, HDB *db, krb5_data key) static krb5_error_code mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, - unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry) + unsigned flags, krb5_kvno kvno, hdb_entry *entry) { krb5_data key, value; krb5_error_code ret; @@ -953,13 +953,13 @@ mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, krb5_data_free(&key); if(ret) return ret; - ret = _hdb_mdb_value2entry(context, &value, kvno, &entry->entry); + ret = _hdb_mdb_value2entry(context, &value, kvno, entry); krb5_data_free(&value); if (ret) return ret; if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys (context, db, &entry->entry); + ret = hdb_unseal_keys (context, db, entry); if (ret) { hdb_free_entry(context, db, entry); return ret; @@ -970,7 +970,7 @@ mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, } static krb5_error_code -mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { krb5_error_code ret; krb5_storage *sp = NULL; @@ -985,7 +985,7 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) return 0; if ((flags & HDB_F_PRECHECK)) { - ret = mdb_principal2key(context, entry->entry.principal, &key); + ret = mdb_principal2key(context, entry->principal, &key); if (ret) return ret; ret = db->hdb__get(context, db, key, &value); krb5_data_free(&key); @@ -999,9 +999,9 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) sp = krb5_storage_emem(); if (!sp) return ENOMEM; ret = _hdb_set_master_key_usage(context, db, 0); /* MIT KDB uses KU 0 */ - ret = hdb_seal_keys(context, db, &entry->entry); + ret = hdb_seal_keys(context, db, entry); if (ret) return ret; - ret = entry2mit_string_int(context, sp, &entry->entry); + ret = entry2mit_string_int(context, sp, entry); if (ret) goto out; sz = krb5_storage_write(sp, "\n", 2); /* NUL-terminate */ ret = ENOMEM; @@ -1016,7 +1016,7 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) if (ret) goto out; ret = krb5_storage_to_data(spent, &kdb_ent); if (ret) goto out; - ret = mdb_principal2key(context, entry->entry.principal, &key); + ret = mdb_principal2key(context, entry->principal, &key); if (ret) goto out; ret = mdb__put(context, db, 1, key, kdb_ent); diff --git a/lib/hdb/hdb-sqlite.c b/lib/hdb/hdb-sqlite.c index 655c5c8da..71109ca9a 100644 --- a/lib/hdb/hdb-sqlite.c +++ b/lib/hdb/hdb-sqlite.c @@ -495,7 +495,7 @@ hdb_sqlite_make_database(krb5_context context, HDB *db, const char *filename) */ static krb5_error_code hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, - unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry) + unsigned flags, krb5_kvno kvno, hdb_entry *entry) { int sqlite_error; krb5_error_code ret; @@ -541,12 +541,12 @@ hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal princi value.length = sqlite3_column_bytes(fetch, 0); value.data = (void *) sqlite3_column_blob(fetch, 0); - ret = hdb_value2entry(context, &value, &entry->entry); + ret = hdb_value2entry(context, &value, entry); if(ret) goto out; if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys(context, db, &entry->entry); + ret = hdb_unseal_keys(context, db, entry); if(ret) { hdb_free_entry(context, db, entry); goto out; @@ -600,7 +600,7 @@ hdb_sqlite_step_once(krb5_context context, HDB *db, sqlite3_stmt *statement) */ static krb5_error_code hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags, - hdb_entry_ex *entry) + hdb_entry *entry) { int ret; int i; @@ -624,17 +624,17 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags, goto rollback; } - ret = hdb_seal_keys(context, db, &entry->entry); + ret = hdb_seal_keys(context, db, entry); if(ret) { goto rollback; } - ret = hdb_entry2value(context, &entry->entry, &value); + ret = hdb_entry2value(context, entry, &value); if(ret) { goto rollback; } - ret = bind_principal(context, entry->entry.principal, get_ids, 1); + ret = bind_principal(context, entry->principal, get_ids, 1); if (ret) goto rollback; @@ -656,7 +656,7 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags, goto rollback; } - ret = bind_principal(context, entry->entry.principal, hsdb->add_principal, 1); + ret = bind_principal(context, entry->principal, hsdb->add_principal, 1); if (ret) goto rollback; @@ -711,7 +711,7 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags, goto rollback; } - ret = hdb_entry_get_aliases(&entry->entry, &aliases); + ret = hdb_entry_get_aliases(entry, &aliases); if(ret || aliases == NULL) goto commit; @@ -862,7 +862,7 @@ hdb_sqlite_unlock(krb5_context context, HDB *db) */ static krb5_error_code hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags, - hdb_entry_ex *entry) + hdb_entry *entry) { krb5_error_code ret = 0; int sqlite_error; @@ -876,7 +876,7 @@ hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags, value.length = sqlite3_column_bytes(hsdb->get_all_entries, 0); value.data = (void *) sqlite3_column_blob(hsdb->get_all_entries, 0); memset(entry, 0, sizeof(*entry)); - ret = hdb_value2entry(context, &value, &entry->entry); + ret = hdb_value2entry(context, &value, entry); } else if(sqlite_error == SQLITE_DONE) { /* No more entries */ @@ -900,7 +900,7 @@ hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags, */ static krb5_error_code hdb_sqlite_firstkey(krb5_context context, HDB *db, unsigned flags, - hdb_entry_ex *entry) + hdb_entry *entry) { hdb_sqlite_db *hsdb = (hdb_sqlite_db *) db->hdb_db; krb5_error_code ret; diff --git a/lib/hdb/hdb.c b/lib/hdb/hdb.c index 11015b44f..471deb9db 100644 --- a/lib/hdb/hdb.c +++ b/lib/hdb/hdb.c @@ -397,7 +397,7 @@ hdb_unlock(int fd) } void -hdb_free_entry(krb5_context context, HDB *db, hdb_entry_ex *ent) +hdb_free_entry(krb5_context context, HDB *db, hdb_entry *ent) { Key *k; size_t i; @@ -405,15 +405,15 @@ hdb_free_entry(krb5_context context, HDB *db, hdb_entry_ex *ent) if (db && db->hdb_free_entry_context) db->hdb_free_entry_context(context, db, ent); - for(i = 0; i < ent->entry.keys.len; i++) { - k = &ent->entry.keys.val[i]; + for(i = 0; i < ent->keys.len; i++) { + k = &ent->keys.val[i]; memset_s(k->key.keyvalue.data, k->key.keyvalue.length, 0, k->key.keyvalue.length); } - free_HDB_entry(&ent->entry); + free_HDB_entry(ent); } krb5_error_code @@ -424,7 +424,7 @@ hdb_foreach(krb5_context context, void *data) { krb5_error_code ret; - hdb_entry_ex entry; + hdb_entry entry; ret = db->hdb_firstkey(context, db, flags, &entry); if (ret == 0) krb5_clear_error_message(context); @@ -665,22 +665,22 @@ hdb_list_builtin(krb5_context context, char **list) krb5_error_code _hdb_keytab2hdb_entry(krb5_context context, const krb5_keytab_entry *ktentry, - hdb_entry_ex *entry) + hdb_entry *entry) { - entry->entry.kvno = ktentry->vno; - entry->entry.created_by.time = ktentry->timestamp; + entry->kvno = ktentry->vno; + entry->created_by.time = ktentry->timestamp; - entry->entry.keys.val = calloc(1, sizeof(entry->entry.keys.val[0])); - if (entry->entry.keys.val == NULL) + entry->keys.val = calloc(1, sizeof(entry->keys.val[0])); + if (entry->keys.val == NULL) return ENOMEM; - entry->entry.keys.len = 1; + entry->keys.len = 1; - entry->entry.keys.val[0].mkvno = NULL; - entry->entry.keys.val[0].salt = NULL; + entry->keys.val[0].mkvno = NULL; + entry->keys.val[0].salt = NULL; return krb5_copy_keyblock_contents(context, &ktentry->keyblock, - &entry->entry.keys.val[0].key); + &entry->keys.val[0].key); } static krb5_error_code diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h index 9b561e2d7..be51a58b5 100644 --- a/lib/hdb/hdb.h +++ b/lib/hdb/hdb.h @@ -102,18 +102,6 @@ typedef struct hdb_request_desc { typedef struct hdb_master_key_data *hdb_master_key; -/** - * hdb_entry_ex is a wrapper structure around the hdb_entry structure - * that allows backends to keep a pointer to the backing store, ie in - * ->hdb_fetch_kvno(), so that we the kadmin/kpasswd backend gets around to - * ->hdb_store(), the backend doesn't need to lookup the entry again. - */ - -typedef struct hdb_entry_ex { - hdb_entry entry; -} hdb_entry_ex; - - /** * HDB backend function pointer structure * @@ -165,7 +153,7 @@ typedef struct HDB { /** * Free backend-specific entry context. */ - void (*hdb_free_entry_context)(krb5_context, struct HDB*, hdb_entry_ex*); + void (*hdb_free_entry_context)(krb5_context, struct HDB*, hdb_entry*); /** * Fetch an entry from the backend * @@ -175,12 +163,12 @@ typedef struct HDB { */ krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*, krb5_const_principal, unsigned, krb5_kvno, - hdb_entry_ex*); + hdb_entry*); /** * Store an entry to database */ krb5_error_code (*hdb_store)(krb5_context, struct HDB*, - unsigned, hdb_entry_ex*); + unsigned, hdb_entry*); /** * Remove an entry from the database. */ @@ -190,12 +178,12 @@ typedef struct HDB { * As part of iteration, fetch one entry */ krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*, - unsigned, hdb_entry_ex*); + unsigned, hdb_entry*); /** * As part of iteration, fetch next entry */ krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*, - unsigned, hdb_entry_ex*); + unsigned, hdb_entry*); /** * Lock database * @@ -274,7 +262,7 @@ typedef struct HDB { * The backend needs to call _kadm5_set_keys() and perform password * quality checks. */ - krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int); + krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry*, const char *, int); /** * Authentication auditing. Note that this function is called by @@ -287,22 +275,22 @@ typedef struct HDB { * In case the entry is locked out, the backend should set the * hdb_entry.flags.locked-out flag. */ - krb5_error_code (*hdb_audit)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_request_t); + krb5_error_code (*hdb_audit)(krb5_context, struct HDB *, hdb_entry *, hdb_request_t); /** * Check if delegation is allowed. */ - krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); + krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal); /** * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins */ - krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); + krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal); /** * Check if s4u2self is allowed from this client to this server or the SPN is a valid SPN of this client (for user2user) */ - krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_entry_ex *); + krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry *, hdb_entry *); /** * Enable/disable synchronous updates @@ -337,7 +325,7 @@ struct hdb_print_entry_arg { }; typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*, - hdb_entry_ex*, void*); + hdb_entry*, void*); extern krb5_kt_ops hdb_kt_ops; extern krb5_kt_ops hdb_get_kt_ops; diff --git a/lib/hdb/keytab.c b/lib/hdb/keytab.c index fc8621391..ed6b222b5 100644 --- a/lib/hdb/keytab.c +++ b/lib/hdb/keytab.c @@ -42,7 +42,7 @@ struct hdb_data { struct hdb_cursor { HDB *db; - hdb_entry_ex hdb_entry; + hdb_entry hdb_entry; int first, next; int key_idx; }; @@ -181,7 +181,7 @@ hdb_get_entry(krb5_context context, krb5_enctype enctype, krb5_keytab_entry *entry) { - hdb_entry_ex ent; + hdb_entry ent; krb5_error_code ret; struct hdb_data *d = id->data; const char *dbname = d->dbname; @@ -226,21 +226,21 @@ hdb_get_entry(krb5_context context, }else if(ret) goto out; - if(kvno && (krb5_kvno)ent.entry.kvno != kvno) { + if(kvno && (krb5_kvno)ent.kvno != kvno) { hdb_free_entry(context, db, &ent); ret = KRB5_KT_NOTFOUND; goto out; } if(enctype == 0) - if(ent.entry.keys.len > 0) - enctype = ent.entry.keys.val[0].key.keytype; + if(ent.keys.len > 0) + enctype = ent.keys.val[0].key.keytype; ret = KRB5_KT_NOTFOUND; - for(i = 0; i < ent.entry.keys.len; i++) { - if(ent.entry.keys.val[i].key.keytype == enctype) { + for(i = 0; i < ent.keys.len; i++) { + if(ent.keys.val[i].key.keytype == enctype) { krb5_copy_principal(context, principal, &entry->principal); - entry->vno = ent.entry.kvno; + entry->vno = ent.kvno; krb5_copy_keyblock_contents(context, - &ent.entry.keys.val[i].key, + &ent.keys.val[i].key, &entry->keyblock); ret = 0; break; @@ -336,7 +336,7 @@ hdb_next_entry(krb5_context context, else if (ret) return ret; - if (c->hdb_entry.entry.keys.len == 0) + if (c->hdb_entry.keys.len == 0) hdb_free_entry(context, c->db, &c->hdb_entry); else c->next = FALSE; @@ -353,7 +353,7 @@ hdb_next_entry(krb5_context context, return ret; /* If no keys on this entry, try again */ - if (c->hdb_entry.entry.keys.len == 0) + if (c->hdb_entry.keys.len == 0) hdb_free_entry(context, c->db, &c->hdb_entry); else c->next = FALSE; @@ -365,14 +365,14 @@ hdb_next_entry(krb5_context context, */ ret = krb5_copy_principal(context, - c->hdb_entry.entry.principal, + c->hdb_entry.principal, &entry->principal); if (ret) return ret; - entry->vno = c->hdb_entry.entry.kvno; + entry->vno = c->hdb_entry.kvno; ret = krb5_copy_keyblock_contents(context, - &c->hdb_entry.entry.keys.val[c->key_idx].key, + &c->hdb_entry.keys.val[c->key_idx].key, &entry->keyblock); if (ret) { krb5_free_principal(context, entry->principal); @@ -386,7 +386,7 @@ hdb_next_entry(krb5_context context, * next entry */ - if ((size_t)c->key_idx == c->hdb_entry.entry.keys.len) { + if ((size_t)c->key_idx == c->hdb_entry.keys.len) { hdb_free_entry(context, c->db, &c->hdb_entry); c->next = TRUE; c->key_idx = 0; diff --git a/lib/hdb/ndbm.c b/lib/hdb/ndbm.c index 92773f22b..00cd966e6 100644 --- a/lib/hdb/ndbm.c +++ b/lib/hdb/ndbm.c @@ -76,7 +76,7 @@ NDBM_unlock(krb5_context context, HDB *db) static krb5_error_code NDBM_seq(krb5_context context, HDB *db, - unsigned flags, hdb_entry_ex *entry, int first) + unsigned flags, hdb_entry *entry, int first) { struct ndbm_db *d = (struct ndbm_db *)db->hdb_db; @@ -99,21 +99,21 @@ NDBM_seq(krb5_context context, HDB *db, data.data = value.dptr; data.length = value.dsize; memset(entry, 0, sizeof(*entry)); - if(hdb_value2entry(context, &data, &entry->entry)) + if(hdb_value2entry(context, &data, entry)) return NDBM_seq(context, db, flags, entry, 0); if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { - ret = hdb_unseal_keys (context, db, &entry->entry); + ret = hdb_unseal_keys (context, db, entry); if (ret) hdb_free_entry (context, db, entry); } - if (ret == 0 && entry->entry.principal == NULL) { - entry->entry.principal = malloc (sizeof(*entry->entry.principal)); - if (entry->entry.principal == NULL) { + if (ret == 0 && entry->principal == NULL) { + entry->principal = malloc (sizeof(*entry->principal)); + if (entry->principal == NULL) { hdb_free_entry (context, db, entry); ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); } else { - hdb_key2principal (context, &key_data, entry->entry.principal); + hdb_key2principal (context, &key_data, entry->principal); } } return ret; @@ -121,14 +121,14 @@ NDBM_seq(krb5_context context, HDB *db, static krb5_error_code -NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry_ex *entry) +NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry *entry) { return NDBM_seq(context, db, flags, entry, 1); } static krb5_error_code -NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry_ex *entry) +NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry *entry) { return NDBM_seq(context, db, flags, entry, 0); } diff --git a/lib/hdb/print.c b/lib/hdb/print.c index 0d1e28552..4512aca98 100644 --- a/lib/hdb/print.c +++ b/lib/hdb/print.c @@ -556,7 +556,7 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str) /* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */ krb5_error_code -hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry, +hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry, void *data) { struct hdb_print_entry_arg *parg = data; @@ -572,10 +572,10 @@ hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry, switch (parg->fmt) { case HDB_DUMP_HEIMDAL: - ret = entry2string_int(context, sp, &entry->entry); + ret = entry2string_int(context, sp, entry); break; case HDB_DUMP_MIT: - ret = entry2mit_string_int(context, sp, &entry->entry); + ret = entry2mit_string_int(context, sp, entry); break; default: heim_abort("Only two dump formats supported: Heimdal and MIT"); diff --git a/lib/hdb/test_concurrency.c b/lib/hdb/test_concurrency.c index d88c5382e..35c01f59f 100644 --- a/lib/hdb/test_concurrency.c +++ b/lib/hdb/test_concurrency.c @@ -70,7 +70,7 @@ threaded_reader(void *d) krb5_error_code ret; krb5_context context; struct tsync *s = d; - hdb_entry_ex entr; + hdb_entry entr; HDB *dbr = NULL; printf("Reader thread opening HDB\n"); @@ -101,7 +101,7 @@ threaded_reader(void *d) //(void) unlink(s->fname); krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name); } - free_HDB_entry(&entr.entry); + free_HDB_entry(&entr); /* Tell the writer to go ahead and write */ printf("Reader thread iterated one entry; telling writer to write more\n"); @@ -124,7 +124,7 @@ threaded_reader(void *d) "Could not iterate while writing to HDB %s", s->hdb_name); } printf("Reader thread iterated another entry\n"); - free_HDB_entry(&entr.entry); + free_HDB_entry(&entr); if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) { //(void) unlink(s->fname); krb5_warn(context, ret, @@ -154,7 +154,7 @@ forked_reader(struct tsync *s) { krb5_error_code ret; krb5_context context; - hdb_entry_ex entr; + hdb_entry entr; ssize_t bytes; char b[1]; HDB *dbr = NULL; @@ -190,7 +190,7 @@ forked_reader(struct tsync *s) krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name); } printf("Reader process iterated one entry\n"); - free_HDB_entry(&entr.entry); + free_HDB_entry(&entr); /* Tell the writer to go ahead and write */ printf("Reader process iterated one entry; telling writer to write more\n"); @@ -217,13 +217,13 @@ forked_reader(struct tsync *s) krb5_err(context, 1, ret, "Could not iterate while writing to HDB %s", s->hdb_name); } - free_HDB_entry(&entr.entry); + free_HDB_entry(&entr); printf("Reader process iterated another entry\n"); if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) { //(void) unlink(s->fname); krb5_warn(context, ret, "HDB %s sees writes committed since starting iteration (%s)", - s->hdb_name, entr.entry.principal->name.name_string.val[0]); + s->hdb_name, entr.principal->name.name_string.val[0]); } else if (ret != HDB_ERR_NOENTRY) { //(void) unlink(s->fname); krb5_err(context, 1, ret, @@ -248,27 +248,27 @@ forked_reader(struct tsync *s) } static krb5_error_code -make_entry(krb5_context context, hdb_entry_ex *entry, const char *name) +make_entry(krb5_context context, hdb_entry *entry, const char *name) { krb5_error_code ret; memset(entry, 0, sizeof(*entry)); - entry->entry.kvno = 2; - entry->entry.keys.len = 0; - entry->entry.keys.val = NULL; - entry->entry.created_by.time = time(NULL); - entry->entry.modified_by = NULL; - entry->entry.valid_start = NULL; - entry->entry.valid_end = NULL; - entry->entry.max_life = NULL; - entry->entry.max_renew = NULL; - entry->entry.etypes = NULL; - entry->entry.generation = NULL; - entry->entry.extensions = NULL; - if ((ret = krb5_make_principal(context, &entry->entry.principal, + entry->kvno = 2; + entry->keys.len = 0; + entry->keys.val = NULL; + entry->created_by.time = time(NULL); + entry->modified_by = NULL; + entry->valid_start = NULL; + entry->valid_end = NULL; + entry->max_life = NULL; + entry->max_renew = NULL; + entry->etypes = NULL; + entry->generation = NULL; + entry->extensions = NULL; + if ((ret = krb5_make_principal(context, &entry->principal, "TEST.H5L.SE", name, NULL))) return ret; - if ((ret = krb5_make_principal(context, &entry->entry.created_by.principal, + if ((ret = krb5_make_principal(context, &entry->created_by.principal, "TEST.H5L.SE", "tester", NULL))) return ret; return 0; @@ -326,7 +326,7 @@ test_hdb_concurrency(char *name, const char *ext, int threaded) char *fname_ext = NULL; pthread_t reader_thread; struct tsync ts; - hdb_entry_ex entw; + hdb_entry entw; pid_t child = getpid(); HDB *dbw = NULL; int status; @@ -393,14 +393,14 @@ test_hdb_concurrency(char *name, const char *ext, int threaded) krb5_err(context, 1, ret, "Could not store entry for \"foo\" in HDB %s", name); } - free_HDB_entry(&entw.entry); + free_HDB_entry(&entw); if ((ret = make_entry(context, &entw, "bar")) || (ret = dbw->hdb_store(context, dbw, 0, &entw))) { (void) unlink(fname_ext); krb5_err(context, 1, ret, "Could not store entry for \"foo\" in HDB %s", name); } - free_HDB_entry(&entw.entry); + free_HDB_entry(&entw); /* Tell the reader to start reading */ readers_turn(&ts, child, threaded); @@ -413,7 +413,7 @@ test_hdb_concurrency(char *name, const char *ext, int threaded) "Could not store entry for \"foobar\" in HDB %s " "while iterating it", name); } - free_HDB_entry(&entw.entry); + free_HDB_entry(&entw); /* Tell the reader to go again */ readers_turn(&ts, child, threaded); diff --git a/lib/hdb/test_namespace.c b/lib/hdb/test_namespace.c index 189888564..0f65ba3a0 100644 --- a/lib/hdb/test_namespace.c +++ b/lib/hdb/test_namespace.c @@ -106,7 +106,7 @@ TDB_unlock(krb5_context context, HDB *db) } static krb5_error_code -TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { /* XXX Implement */ /* Tricky thing: heim_dict_iterate_f() is inconvenient here */ @@ -115,7 +115,7 @@ TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) } static krb5_error_code -TDB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) +TDB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { /* XXX Implement */ /* Tricky thing: heim_dict_iterate_f() is inconvenient here */ @@ -337,7 +337,7 @@ static void make_namespace(krb5_context context, HDB *db, const char *name) { krb5_error_code ret = 0; - hdb_entry_ex e; + hdb_entry e; Key k; memset(&k, 0, sizeof(k)); @@ -346,76 +346,76 @@ make_namespace(krb5_context context, HDB *db, const char *name) /* Setup the HDB entry */ memset(&e, 0, sizeof(e)); - e.entry.created_by.time = krs[0].epoch; - e.entry.valid_start = e.entry.valid_end = e.entry.pw_end = 0; - e.entry.generation = 0; - e.entry.flags = int2HDBFlags(0); - e.entry.flags.server = e.entry.flags.client = 1; - e.entry.flags.virtual = 1; + e.created_by.time = krs[0].epoch; + e.valid_start = e.valid_end = e.pw_end = 0; + e.generation = 0; + e.flags = int2HDBFlags(0); + e.flags.server = e.flags.client = 1; + e.flags.virtual = 1; /* Setup etypes */ if (ret == 0 && - (e.entry.etypes = malloc(sizeof(*e.entry.etypes))) == NULL) + (e.etypes = malloc(sizeof(*e.etypes))) == NULL) ret = krb5_enomem(context); if (ret == 0) - e.entry.etypes->len = 3; + e.etypes->len = 3; if (ret == 0 && - (e.entry.etypes->val = calloc(e.entry.etypes->len, - sizeof(e.entry.etypes->val[0]))) == NULL) + (e.etypes->val = calloc(e.etypes->len, + sizeof(e.etypes->val[0]))) == NULL) ret = krb5_enomem(context); if (ret == 0) { - e.entry.etypes->val[0] = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128; - e.entry.etypes->val[1] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192; - e.entry.etypes->val[2] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96; + e.etypes->val[0] = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128; + e.etypes->val[1] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192; + e.etypes->val[2] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96; } /* Setup max_life and max_renew */ if (ret == 0 && - (e.entry.max_life = malloc(sizeof(*e.entry.max_life))) == NULL) + (e.max_life = malloc(sizeof(*e.max_life))) == NULL) ret = krb5_enomem(context); if (ret == 0 && - (e.entry.max_renew = malloc(sizeof(*e.entry.max_renew))) == NULL) + (e.max_renew = malloc(sizeof(*e.max_renew))) == NULL) ret = krb5_enomem(context); if (ret == 0) /* Make it long, so we see the clamped max */ - *e.entry.max_renew = 2 * ((*e.entry.max_life = 15 * 24 * 3600)); + *e.max_renew = 2 * ((*e.max_life = 15 * 24 * 3600)); /* Setup principal name and created_by */ if (ret == 0) - ret = krb5_parse_name(context, name, &e.entry.principal); + ret = krb5_parse_name(context, name, &e.principal); if (ret == 0) ret = krb5_parse_name(context, "admin@BAR.EXAMPLE", - &e.entry.created_by.principal); + &e.created_by.principal); /* Make base keys for first epoch */ if (ret == 0) - ret = make_base_key(context, e.entry.principal, base_pw[0], &k.key); + ret = make_base_key(context, e.principal, base_pw[0], &k.key); if (ret == 0) - add_Keys(&e.entry.keys, &k); + add_Keys(&e.keys, &k); if (ret == 0) - ret = hdb_entry_set_pw_change_time(context, &e.entry, krs[0].epoch); + ret = hdb_entry_set_pw_change_time(context, &e, krs[0].epoch); free_Key(&k); - e.entry.kvno = krs[0].base_key_kvno; + e.kvno = krs[0].base_key_kvno; /* Move them to history */ if (ret == 0) - ret = hdb_add_current_keys_to_history(context, &e.entry); - free_Keys(&e.entry.keys); + ret = hdb_add_current_keys_to_history(context, &e); + free_Keys(&e.keys); /* Make base keys for second epoch */ if (ret == 0) - ret = make_base_key(context, e.entry.principal, base_pw[1], &k.key); + ret = make_base_key(context, e.principal, base_pw[1], &k.key); if (ret == 0) - add_Keys(&e.entry.keys, &k); - e.entry.kvno = krs[1].base_key_kvno; + add_Keys(&e.keys, &k); + e.kvno = krs[1].base_key_kvno; if (ret == 0) - ret = hdb_entry_set_pw_change_time(context, &e.entry, krs[1].epoch); + ret = hdb_entry_set_pw_change_time(context, &e, krs[1].epoch); /* Add the key rotation metadata */ if (ret == 0) - ret = hdb_entry_add_key_rotation(context, &e.entry, 0, &krs[0]); + ret = hdb_entry_add_key_rotation(context, &e, 0, &krs[0]); if (ret == 0) - ret = hdb_entry_add_key_rotation(context, &e.entry, 0, &krs[1]); + ret = hdb_entry_add_key_rotation(context, &e, 0, &krs[1]); if (ret == 0) ret = db->hdb_store(context, db, 0, &e); @@ -447,7 +447,7 @@ static const char *unexpected[] = { * different time offsets in each period. */ #define NUM_OFFSETS 5 -static hdb_entry_ex e[ +static hdb_entry e[ (sizeof(expected) / sizeof(expected[0])) * (sizeof(krs) / sizeof(krs[0])) * NUM_OFFSETS @@ -479,8 +479,8 @@ fetch_entries(krb5_context context, krb5_error_code ret = 0; krb5_principal p = NULL; krb5_keyblock base_key, dk; - hdb_entry_ex *ep; - hdb_entry_ex no; + hdb_entry *ep; + hdb_entry no; size_t i, b; int toffset = 0; @@ -541,14 +541,14 @@ fetch_entries(krb5_context context, } } else { if (ret == 0 && - !krb5_principal_compare(context, p, ep->entry.principal)) + !krb5_principal_compare(context, p, ep->principal)) krb5_errx(context, 1, "wrong principal in fetched entry"); } { HDB_Ext_KeySet *hist_keys; HDB_extension *ext; - ext = hdb_find_extension(&ep->entry, + ext = hdb_find_extension(ep, choice_HDB_extension_data_hist_keys); if (ext) { /* Sort key history by kvno, why not */ @@ -611,23 +611,23 @@ fetch_entries(krb5_context context, if (ret) krb5_err(context, 1, ret, "deriving keys for comparison"); - if (kvno != ep->entry.kvno) - krb5_errx(context, 1, "kvno mismatch (%u != %u)", kvno, ep->entry.kvno); - (void) hdb_entry_get_pw_change_time(&ep->entry, &chg_time); + if (kvno != ep->kvno) + krb5_errx(context, 1, "kvno mismatch (%u != %u)", kvno, ep->kvno); + (void) hdb_entry_get_pw_change_time(ep, &chg_time); if (set_time != chg_time) krb5_errx(context, 1, "key change time mismatch"); - if (ep->entry.keys.len == 0) + if (ep->keys.len == 0) krb5_errx(context, 1, "no keys!"); - if (ep->entry.keys.val[0].key.keytype != dk.keytype) + if (ep->keys.val[0].key.keytype != dk.keytype) krb5_errx(context, 1, "enctype mismatch!"); - if (ep->entry.keys.val[0].key.keyvalue.length != + if (ep->keys.val[0].key.keyvalue.length != dk.keyvalue.length) krb5_errx(context, 1, "key length mismatch!"); - if (memcmp(ep->entry.keys.val[0].key.keyvalue.data, + if (memcmp(ep->keys.val[0].key.keyvalue.data, dk.keyvalue.data, dk.keyvalue.length) != 0) krb5_errx(context, 1, "key mismatch!"); - if (memcmp(ep->entry.keys.val[0].key.keyvalue.data, - e[b + i - 1].entry.keys.val[0].key.keyvalue.data, + if (memcmp(ep->keys.val[0].key.keyvalue.data, + e[b + i - 1].keys.val[0].key.keyvalue.data, dk.keyvalue.length) == 0) krb5_errx(context, 1, "different virtual principals have the same keys!"); /* XXX Add check that we have the expected number of history keys */ @@ -653,14 +653,14 @@ check_kvnos(krb5_context context) for (k = 0; k < sizeof(e)/sizeof(e[0]); k++) { HDB_Ext_KeySet *hist_keys; HDB_extension *ext; - hdb_entry_ex *ep; + hdb_entry *ep; int match = 0; if ((k % NUM_OFFSETS) != i) continue; ep = &e[k]; - if (ep->entry.principal == NULL) + if (ep->principal == NULL) continue; /* Didn't fetch this one */ /* @@ -668,15 +668,15 @@ check_kvnos(krb5_context context) * or else add them to `keysets'. */ for (m = 0; m < keysets.len; m++) { - if (ep->entry.kvno == keysets.val[m].kvno) { + if (ep->kvno == keysets.val[m].kvno) { /* Check the key is the same */ - if (ep->entry.keys.val[0].key.keytype != + if (ep->keys.val[0].key.keytype != keysets.val[m].keys.val[0].key.keytype || - ep->entry.keys.val[0].key.keyvalue.length != + ep->keys.val[0].key.keyvalue.length != keysets.val[m].keys.val[0].key.keyvalue.length || - memcmp(ep->entry.keys.val[0].key.keyvalue.data, + memcmp(ep->keys.val[0].key.keyvalue.data, keysets.val[m].keys.val[0].key.keyvalue.data, - ep->entry.keys.val[0].key.keyvalue.length) != 0) + ep->keys.val[0].key.keyvalue.length) != 0) krb5_errx(context, 1, "key mismatch for same princ & kvno"); match = 1; @@ -685,8 +685,8 @@ check_kvnos(krb5_context context) if (m == keysets.len) { hdb_keyset ks; - ks.kvno = ep->entry.kvno; - ks.keys = ep->entry.keys; + ks.kvno = ep->kvno; + ks.keys = ep->keys; ks.set_time = 0; if (add_HDB_Ext_KeySet(&keysets, &ks)) krb5_err(context, 1, ENOMEM, "out of memory"); @@ -696,7 +696,7 @@ check_kvnos(krb5_context context) continue; /* For all non-current keysets, repeat the above */ - ext = hdb_find_extension(&ep->entry, + ext = hdb_find_extension(ep, choice_HDB_extension_data_hist_keys); if (!ext) continue; @@ -704,20 +704,20 @@ check_kvnos(krb5_context context) for (p = 0; p < hist_keys->len; p++) { for (m = 0; m < keysets.len; m++) { if (keysets.val[m].kvno == hist_keys->val[p].kvno) - if (ep->entry.keys.val[0].key.keytype != + if (ep->keys.val[0].key.keytype != keysets.val[m].keys.val[0].key.keytype || - ep->entry.keys.val[0].key.keyvalue.length != + ep->keys.val[0].key.keyvalue.length != keysets.val[m].keys.val[0].key.keyvalue.length || - memcmp(ep->entry.keys.val[0].key.keyvalue.data, + memcmp(ep->keys.val[0].key.keyvalue.data, keysets.val[m].keys.val[0].key.keyvalue.data, - ep->entry.keys.val[0].key.keyvalue.length) != 0) + ep->keys.val[0].key.keyvalue.length) != 0) krb5_errx(context, 1, "key mismatch for same princ & kvno"); } if (m == keysets.len) { hdb_keyset ks; - ks.kvno = ep->entry.kvno; - ks.keys = ep->entry.keys; + ks.kvno = ep->kvno; + ks.keys = ep->keys; ks.set_time = 0; if (add_HDB_Ext_KeySet(&keysets, &ks)) krb5_err(context, 1, ENOMEM, "out of memory"); @@ -741,15 +741,14 @@ print_em(krb5_context context) if (0 == i % (sizeof(expected)/sizeof(expected[0]))) continue; - if (e[i].entry.principal == NULL) + if (e[i].principal == NULL) continue; - hex_encode(e[i].entry.keys.val[0].key.keyvalue.data, - e[i].entry.keys.val[0].key.keyvalue.length, &x); - printf("%s %u %s\n", x, e[i].entry.kvno, name); + hex_encode(e[i].keys.val[0].key.keyvalue.data, + e[i].keys.val[0].key.keyvalue.length, &x); + printf("%s %u %s\n", x, e[i].kvno, name); free(x); - ext = hdb_find_extension(&e[i].entry, - choice_HDB_extension_data_hist_keys); + ext = hdb_find_extension(&e[i], choice_HDB_extension_data_hist_keys); if (!ext) continue; hist_keys = &ext->data.u.hist_keys; @@ -771,12 +770,12 @@ check_expected_kvnos(krb5_context context) for (i = 0; i < sizeof(expected)/sizeof(expected[0]); i++) { for (k = 0; k < sizeof(krs)/sizeof(krs[0]); k++) { - hdb_entry_ex *ep = &e[k * sizeof(expected)/sizeof(expected[0]) + i]; + hdb_entry *ep = &e[k * sizeof(expected)/sizeof(expected[0]) + i]; - if (ep->entry.principal == NULL) + if (ep->principal == NULL) continue; for (m = 0; m < NUM_OFFSETS; m++) { - ext = hdb_find_extension(&ep->entry, + ext = hdb_find_extension(ep, choice_HDB_extension_data_hist_keys); if (!ext) continue; @@ -787,7 +786,7 @@ check_expected_kvnos(krb5_context context) } } fprintf(stderr, "%s at %lu: kvno %u\n", expected[i], k, - ep->entry.kvno); + ep->kvno); } } } diff --git a/lib/kadm5/chpass_s.c b/lib/kadm5/chpass_s.c index 6ec0ec8b8..c89448f48 100644 --- a/lib/kadm5/chpass_s.c +++ b/lib/kadm5/chpass_s.c @@ -111,7 +111,7 @@ change(void *server_handle, int cond) { kadm5_server_context *context = server_handle; - hdb_entry_ex ent; + hdb_entry ent; kadm5_ret_t ret; Key *keys; size_t num_keys; @@ -167,7 +167,7 @@ change(void *server_handle, * We save these for now so we can handle password history checking; * we handle keepold further below. */ - ret = hdb_add_current_keys_to_history(context->context, &ent.entry); + ret = hdb_add_current_keys_to_history(context->context, &ent); if (ret) goto out3; } @@ -179,13 +179,13 @@ change(void *server_handle, goto out3; } else { - num_keys = ent.entry.keys.len; - keys = ent.entry.keys.val; + num_keys = ent.keys.len; + keys = ent.keys.val; - ent.entry.keys.len = 0; - ent.entry.keys.val = NULL; + ent.keys.len = 0; + ent.keys.val = NULL; - ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple, + ret = _kadm5_set_keys(context, &ent, n_ks_tuple, ks_tuple, password); if(ret) { _kadm5_free_keys(context->context, num_keys, keys); @@ -196,10 +196,10 @@ change(void *server_handle, if (cond) { HDB_extension *ext; - ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys); + ext = hdb_find_extension(&ent, choice_HDB_extension_data_hist_keys); if (ext != NULL) - existsp = _kadm5_exists_keys_hist(ent.entry.keys.val, - ent.entry.keys.len, + existsp = _kadm5_exists_keys_hist(ent.keys.val, + ent.keys.len, &ext->data.u.hist_keys); } @@ -210,9 +210,9 @@ change(void *server_handle, goto out3; } } - ent.entry.kvno++; + ent.kvno++; - ent.entry.flags.require_pwchange = 0; + ent.flags.require_pwchange = 0; if (!keepold) { HDB_extension ext; @@ -220,25 +220,25 @@ change(void *server_handle, memset(&ext, 0, sizeof (ext)); ext.mandatory = FALSE; ext.data.element = choice_HDB_extension_data_hist_keys; - ret = hdb_replace_extension(context->context, &ent.entry, &ext); + ret = hdb_replace_extension(context->context, &ent, &ext); if (ret) goto out3; } - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out3; - ret = _kadm5_set_modifier(context, &ent.entry); + ret = _kadm5_set_modifier(context, &ent); if(ret) goto out3; - ret = _kadm5_bump_pw_expire(context, &ent.entry); + ret = _kadm5_bump_pw_expire(context, &ent); if (ret) goto out3; /* This logs the change for iprop and writes to the HDB */ - ret = kadm5_log_modify(context, &ent.entry, + ret = kadm5_log_modify(context, &ent, KADM5_ATTRIBUTES | KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO | @@ -367,7 +367,7 @@ kadm5_s_chpass_principal_with_key(void *server_handle, krb5_key_data *key_data) { kadm5_server_context *context = server_handle; - hdb_entry_ex ent; + hdb_entry ent; kadm5_ret_t ret; uint32_t hook_flags = 0; @@ -396,23 +396,23 @@ kadm5_s_chpass_principal_with_key(void *server_handle, goto out3; if (keepold) { - ret = hdb_add_current_keys_to_history(context->context, &ent.entry); + ret = hdb_add_current_keys_to_history(context->context, &ent); if (ret) goto out3; } - ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data); + ret = _kadm5_set_keys2(context, &ent, n_key_data, key_data); if (ret) goto out3; - ent.entry.kvno++; - ret = _kadm5_set_modifier(context, &ent.entry); + ent.kvno++; + ret = _kadm5_set_modifier(context, &ent); if (ret) goto out3; - ret = _kadm5_bump_pw_expire(context, &ent.entry); + ret = _kadm5_bump_pw_expire(context, &ent); if (ret) goto out3; if (keepold) { - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out3; } else { @@ -423,11 +423,11 @@ kadm5_s_chpass_principal_with_key(void *server_handle, ext.data.element = choice_HDB_extension_data_hist_keys; ext.data.u.hist_keys.len = 0; ext.data.u.hist_keys.val = NULL; - hdb_replace_extension(context->context, &ent.entry, &ext); + hdb_replace_extension(context->context, &ent, &ext); } /* This logs the change for iprop and writes to the HDB */ - ret = kadm5_log_modify(context, &ent.entry, + ret = kadm5_log_modify(context, &ent, KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO | KADM5_PW_EXPIRATION | KADM5_TL_DATA); diff --git a/lib/kadm5/create_s.c b/lib/kadm5/create_s.c index 656c958ba..1c2ab15f3 100644 --- a/lib/kadm5/create_s.c +++ b/lib/kadm5/create_s.c @@ -57,7 +57,7 @@ static kadm5_ret_t create_principal(kadm5_server_context *context, kadm5_principal_ent_t princ, uint32_t mask, - hdb_entry_ex *ent, + hdb_entry *ent, uint32_t required_mask, uint32_t forbidden_mask) { @@ -74,7 +74,7 @@ create_principal(kadm5_server_context *context, /* XXX no real policies for now */ return KADM5_UNK_POLICY; ret = krb5_copy_principal(context->context, princ->principal, - &ent->entry.principal); + &ent->principal); if(ret) return ret; @@ -96,10 +96,10 @@ create_principal(kadm5_server_context *context, if (ret) return ret; - ent->entry.created_by.time = time(NULL); + ent->created_by.time = time(NULL); return krb5_copy_principal(context->context, context->caller, - &ent->entry.created_by.principal); + &ent->created_by.principal); } struct create_principal_hook_ctx { @@ -167,7 +167,7 @@ kadm5_s_create_principal_with_key(void *server_handle, uint32_t mask) { kadm5_ret_t ret; - hdb_entry_ex ent; + hdb_entry ent; kadm5_server_context *context = server_handle; if ((mask & KADM5_KVNO) == 0) { @@ -203,7 +203,7 @@ kadm5_s_create_principal_with_key(void *server_handle, if (ret) goto out; - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out2; @@ -213,7 +213,7 @@ kadm5_s_create_principal_with_key(void *server_handle, * Creation of would-be virtual principals w/o the materialize flag will be * rejected in kadm5_log_create(). */ - ret = kadm5_log_create(context, &ent.entry); + ret = kadm5_log_create(context, &ent); (void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, ret, princ, mask, NULL); @@ -241,7 +241,7 @@ kadm5_s_create_principal(void *server_handle, const char *password) { kadm5_ret_t ret; - hdb_entry_ex ent; + hdb_entry ent; kadm5_server_context *context = server_handle; int use_pw = 1; @@ -324,20 +324,20 @@ kadm5_s_create_principal(void *server_handle, if (ret) goto out; - free_Keys(&ent.entry.keys); + free_Keys(&ent.keys); if (use_pw) { - ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple, password); + ret = _kadm5_set_keys(context, &ent, n_ks_tuple, ks_tuple, password); if (ret) goto out2; } - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out2; /* This logs the change for iprop and writes to the HDB */ - ret = kadm5_log_create(context, &ent.entry); + ret = kadm5_log_create(context, &ent); (void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, ret, princ, mask, password); diff --git a/lib/kadm5/delete_s.c b/lib/kadm5/delete_s.c index ead87fe60..aa9fdb4fc 100644 --- a/lib/kadm5/delete_s.c +++ b/lib/kadm5/delete_s.c @@ -92,7 +92,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ) { kadm5_server_context *context = server_handle; kadm5_ret_t ret; - hdb_entry_ex ent; + hdb_entry ent; memset(&ent, 0, sizeof(ent)); if (!context->keep_open) { @@ -112,7 +112,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ) 0, &ent); if (ret == HDB_ERR_NOENTRY) goto out2; - if (ent.entry.flags.immutable) { + if (ent.flags.immutable) { ret = KADM5_PROTECT_PRINCIPAL; goto out3; } @@ -121,7 +121,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ) if (ret) goto out3; - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out3; diff --git a/lib/kadm5/ent_setup.c b/lib/kadm5/ent_setup.c index 677bda6d8..24a7983b6 100644 --- a/lib/kadm5/ent_setup.c +++ b/lib/kadm5/ent_setup.c @@ -73,7 +73,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags) static kadm5_ret_t perform_tl_data(krb5_context context, HDB *db, - hdb_entry_ex *ent, + hdb_entry *ent, const krb5_tl_data *tl_data) { kadm5_ret_t ret = 0; @@ -84,7 +84,7 @@ perform_tl_data(krb5_context context, if (pw[tl_data->tl_data_length] != '\0') return KADM5_BAD_TL_TYPE; - ret = hdb_entry_set_password(context, db, &ent->entry, pw); + ret = hdb_entry_set_password(context, db, ent, pw); } else if (tl_data->tl_data_type == KRB5_TL_LAST_PWD_CHANGE) { unsigned long t; @@ -96,7 +96,7 @@ perform_tl_data(krb5_context context, s = tl_data->tl_data_contents; (void) _krb5_get_int(s, &t, tl_data->tl_data_length); - ret = hdb_entry_set_pw_change_time(context, &ent->entry, t); + ret = hdb_entry_set_pw_change_time(context, ent, t); } else if (tl_data->tl_data_type == KRB5_TL_KEY_ROTATION) { HDB_Ext_KeyRotation *prev_kr = 0; @@ -105,7 +105,7 @@ perform_tl_data(krb5_context context, ext.mandatory = 0; ext.data.element = choice_HDB_extension_data_key_rotation; - prev_ext = hdb_find_extension(&ent->entry, ext.data.element); + prev_ext = hdb_find_extension(ent, ext.data.element); if (prev_ext) prev_kr = &prev_ext->data.u.key_rotation; ret = decode_HDB_Ext_KeyRotation(tl_data->tl_data_contents, @@ -115,7 +115,7 @@ perform_tl_data(krb5_context context, ret = hdb_validate_key_rotations(context, prev_kr, &ext.data.u.key_rotation); if (ret == 0) - ret = hdb_replace_extension(context, &ent->entry, &ext); + ret = hdb_replace_extension(context, ent, &ext); free_HDB_extension(&ext); } else if (tl_data->tl_data_type == KRB5_TL_EXTENSION) { HDB_extension ext; @@ -128,7 +128,7 @@ perform_tl_data(krb5_context context, return KADM5_BAD_TL_TYPE; if (ext.data.element == choice_HDB_extension_data_key_rotation) { - HDB_extension *prev_ext = hdb_find_extension(&ent->entry, + HDB_extension *prev_ext = hdb_find_extension(ent, ext.data.element); HDB_Ext_KeyRotation *prev_kr = 0; @@ -140,19 +140,19 @@ perform_tl_data(krb5_context context, if (ret) ret = KADM5_BAD_TL_TYPE; /* XXX Need new error code */ if (ret == 0) - ret = hdb_replace_extension(context, &ent->entry, &ext); + ret = hdb_replace_extension(context, ent, &ext); free_HDB_extension(&ext); } else if (tl_data->tl_data_type == KRB5_TL_ETYPES) { - if (!ent->entry.etypes && - (ent->entry.etypes = calloc(1, - sizeof(ent->entry.etypes[0]))) == NULL) + if (!ent->etypes && + (ent->etypes = calloc(1, + sizeof(ent->etypes[0]))) == NULL) ret = krb5_enomem(context); - if (ent->entry.etypes) - free_HDB_EncTypeList(ent->entry.etypes); + if (ent->etypes) + free_HDB_EncTypeList(ent->etypes); if (ret == 0) ret = decode_HDB_EncTypeList(tl_data->tl_data_contents, tl_data->tl_data_length, - ent->entry.etypes, NULL); + ent->etypes, NULL); if (ret) return KADM5_BAD_TL_TYPE; } else if (tl_data->tl_data_type == KRB5_TL_ALIASES) { @@ -164,14 +164,14 @@ perform_tl_data(krb5_context context, } static void -default_flags(hdb_entry_ex *ent) +default_flags(hdb_entry *ent) { - ent->entry.flags.client = 1; - ent->entry.flags.server = 1; - ent->entry.flags.forwardable = 1; - ent->entry.flags.proxiable = 1; - ent->entry.flags.renewable = 1; - ent->entry.flags.postdate = 1; + ent->flags.client = 1; + ent->flags.server = 1; + ent->flags.forwardable = 1; + ent->flags.proxiable = 1; + ent->flags.renewable = 1; + ent->flags.postdate = 1; } @@ -183,7 +183,7 @@ default_flags(hdb_entry_ex *ent) kadm5_ret_t _kadm5_setup_entry(kadm5_server_context *context, - hdb_entry_ex *ent, + hdb_entry *ent, uint32_t mask, kadm5_principal_ent_t princ, uint32_t princ_mask, @@ -193,23 +193,23 @@ _kadm5_setup_entry(kadm5_server_context *context, if(mask & KADM5_PRINC_EXPIRE_TIME && princ_mask & KADM5_PRINC_EXPIRE_TIME) { if (princ->princ_expire_time) - set_value(ent->entry.valid_end, princ->princ_expire_time); + set_value(ent->valid_end, princ->princ_expire_time); else - set_null(ent->entry.valid_end); + set_null(ent->valid_end); } if(mask & KADM5_PW_EXPIRATION && princ_mask & KADM5_PW_EXPIRATION) { if (princ->pw_expiration) - set_value(ent->entry.pw_end, princ->pw_expiration); + set_value(ent->pw_end, princ->pw_expiration); else - set_null(ent->entry.pw_end); + set_null(ent->pw_end); } if(mask & KADM5_ATTRIBUTES) { if (princ_mask & KADM5_ATTRIBUTES) { - attr_to_flags(princ->attributes, &ent->entry.flags); + attr_to_flags(princ->attributes, &ent->flags); } else if(def_mask & KADM5_ATTRIBUTES) { - attr_to_flags(def->attributes, &ent->entry.flags); - ent->entry.flags.invalid = 0; + attr_to_flags(def->attributes, &ent->flags); + ent->flags.invalid = 0; } else { default_flags(ent); } @@ -218,41 +218,41 @@ _kadm5_setup_entry(kadm5_server_context *context, if(mask & KADM5_MAX_LIFE) { if(princ_mask & KADM5_MAX_LIFE) { if(princ->max_life) - set_value(ent->entry.max_life, princ->max_life); + set_value(ent->max_life, princ->max_life); else - set_null(ent->entry.max_life); + set_null(ent->max_life); } else if(def_mask & KADM5_MAX_LIFE) { if(def->max_life) - set_value(ent->entry.max_life, def->max_life); + set_value(ent->max_life, def->max_life); else - set_null(ent->entry.max_life); + set_null(ent->max_life); } } if(mask & KADM5_KVNO && (princ_mask & KADM5_KVNO)) { krb5_error_code ret; - ret = hdb_change_kvno(context->context, princ->kvno, &ent->entry); + ret = hdb_change_kvno(context->context, princ->kvno, ent); if (ret && ret != HDB_ERR_KVNO_NOT_FOUND) return ret; - ent->entry.kvno = princ->kvno; /* force it */ + ent->kvno = princ->kvno; /* force it */ } if(mask & KADM5_MAX_RLIFE) { if(princ_mask & KADM5_MAX_RLIFE) { if(princ->max_renewable_life) - set_value(ent->entry.max_renew, princ->max_renewable_life); + set_value(ent->max_renew, princ->max_renewable_life); else - set_null(ent->entry.max_renew); + set_null(ent->max_renew); } else if(def_mask & KADM5_MAX_RLIFE) { if(def->max_renewable_life) - set_value(ent->entry.max_renew, def->max_renewable_life); + set_value(ent->max_renew, def->max_renewable_life); else - set_null(ent->entry.max_renew); + set_null(ent->max_renew); } } if(mask & KADM5_KEY_DATA && princ_mask & KADM5_KEY_DATA) { - _kadm5_set_keys2(context, &ent->entry, + _kadm5_set_keys2(context, ent, princ->n_key_data, princ->key_data); } if(mask & KADM5_TL_DATA) { diff --git a/lib/kadm5/get_princs_s.c b/lib/kadm5/get_princs_s.c index f7182d7ec..5bbaa6e08 100644 --- a/lib/kadm5/get_princs_s.c +++ b/lib/kadm5/get_princs_s.c @@ -55,12 +55,12 @@ add_princ(krb5_context context, struct foreach_data *d, char *princ) } static krb5_error_code -foreach(krb5_context context, HDB *db, hdb_entry_ex *ent, void *data) +foreach(krb5_context context, HDB *db, hdb_entry *ent, void *data) { struct foreach_data *d = data; char *princ; krb5_error_code ret; - ret = krb5_unparse_name(context, ent->entry.principal, &princ); + ret = krb5_unparse_name(context, ent->principal, &princ); if(ret) return ret; if(d->exp){ diff --git a/lib/kadm5/get_s.c b/lib/kadm5/get_s.c index d719fbbff..7e741592c 100644 --- a/lib/kadm5/get_s.c +++ b/lib/kadm5/get_s.c @@ -122,7 +122,7 @@ kadm5_s_get_principal(void *server_handle, { kadm5_server_context *context = server_handle; kadm5_ret_t ret; - hdb_entry_ex ent; + hdb_entry ent; unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA; if ((mask & KADM5_KEY_DATA) || (mask & KADM5_KVNO)) @@ -157,57 +157,57 @@ kadm5_s_get_principal(void *server_handle, return _kadm5_error_code(ret); if(mask & KADM5_PRINCIPAL) - ret = krb5_copy_principal(context->context, ent.entry.principal, + ret = krb5_copy_principal(context->context, ent.principal, &out->principal); if(ret) goto out; - if(mask & KADM5_PRINC_EXPIRE_TIME && ent.entry.valid_end) - out->princ_expire_time = *ent.entry.valid_end; - if(mask & KADM5_PW_EXPIRATION && ent.entry.pw_end) - out->pw_expiration = *ent.entry.pw_end; + if(mask & KADM5_PRINC_EXPIRE_TIME && ent.valid_end) + out->princ_expire_time = *ent.valid_end; + if(mask & KADM5_PW_EXPIRATION && ent.pw_end) + out->pw_expiration = *ent.pw_end; if(mask & KADM5_LAST_PWD_CHANGE) - hdb_entry_get_pw_change_time(&ent.entry, &out->last_pwd_change); + hdb_entry_get_pw_change_time(&ent, &out->last_pwd_change); if(mask & KADM5_ATTRIBUTES){ - out->attributes |= ent.entry.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED; - out->attributes |= ent.entry.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE; - out->attributes |= ent.entry.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0; - out->attributes |= ent.entry.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE; - out->attributes |= ent.entry.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE; - out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0; - out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0; - out->attributes |= ent.entry.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0; - out->attributes |= ent.entry.flags.client ? 0 : KRB5_KDB_DISALLOW_CLIENT; - out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR; - out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0; - out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0; - out->attributes |= ent.entry.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0; - out->attributes |= ent.entry.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0; - out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0; - out->attributes |= ent.entry.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0; - out->attributes |= ent.entry.flags.virtual ? KRB5_KDB_VIRTUAL : 0; - out->attributes |= ent.entry.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0; + out->attributes |= ent.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED; + out->attributes |= ent.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE; + out->attributes |= ent.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0; + out->attributes |= ent.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE; + out->attributes |= ent.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE; + out->attributes |= ent.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0; + out->attributes |= ent.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0; + out->attributes |= ent.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0; + out->attributes |= ent.flags.client ? 0 : KRB5_KDB_DISALLOW_CLIENT; + out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR; + out->attributes |= ent.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0; + out->attributes |= ent.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0; + out->attributes |= ent.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0; + out->attributes |= ent.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0; + out->attributes |= ent.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0; + out->attributes |= ent.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0; + out->attributes |= ent.flags.virtual ? KRB5_KDB_VIRTUAL : 0; + out->attributes |= ent.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0; } if(mask & KADM5_MAX_LIFE) { - if(ent.entry.max_life) - out->max_life = *ent.entry.max_life; + if(ent.max_life) + out->max_life = *ent.max_life; else out->max_life = INT_MAX; } if(mask & KADM5_MOD_TIME) { - if(ent.entry.modified_by) - out->mod_date = ent.entry.modified_by->time; + if(ent.modified_by) + out->mod_date = ent.modified_by->time; else - out->mod_date = ent.entry.created_by.time; + out->mod_date = ent.created_by.time; } if(mask & KADM5_MOD_NAME) { - if(ent.entry.modified_by) { - if (ent.entry.modified_by->principal != NULL) + if(ent.modified_by) { + if (ent.modified_by->principal != NULL) ret = krb5_copy_principal(context->context, - ent.entry.modified_by->principal, + ent.modified_by->principal, &out->mod_name); - } else if(ent.entry.created_by.principal != NULL) + } else if(ent.created_by.principal != NULL) ret = krb5_copy_principal(context->context, - ent.entry.created_by.principal, + ent.created_by.principal, &out->mod_name); else out->mod_name = NULL; @@ -216,13 +216,13 @@ kadm5_s_get_principal(void *server_handle, goto out; if(mask & KADM5_KVNO) - out->kvno = ent.entry.kvno; + out->kvno = ent.kvno; if(mask & KADM5_MKVNO) { size_t n; out->mkvno = 0; /* XXX */ - for(n = 0; n < ent.entry.keys.len; n++) - if(ent.entry.keys.val[n].mkvno) { - out->mkvno = *ent.entry.keys.val[n].mkvno; /* XXX this isn't right */ + for(n = 0; n < ent.keys.len; n++) + if(ent.keys.val[n].mkvno) { + out->mkvno = *ent.keys.val[n].mkvno; /* XXX this isn't right */ break; } } @@ -239,7 +239,7 @@ kadm5_s_get_principal(void *server_handle, if(mask & KADM5_POLICY) { HDB_extension *ext; - ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_policy); + ext = hdb_find_extension(&ent, choice_HDB_extension_data_policy); if (ext == NULL) { out->policy = strdup("default"); /* It's OK if we retun NULL instead of "default" */ @@ -252,27 +252,27 @@ kadm5_s_get_principal(void *server_handle, } } if(mask & KADM5_MAX_RLIFE) { - if(ent.entry.max_renew) - out->max_renewable_life = *ent.entry.max_renew; + if(ent.max_renew) + out->max_renewable_life = *ent.max_renew; else out->max_renewable_life = INT_MAX; } if(mask & KADM5_KEY_DATA){ size_t i; - size_t n_keys = ent.entry.keys.len; + size_t n_keys = ent.keys.len; krb5_salt salt; HDB_extension *ext; HDB_Ext_KeySet *hist_keys = NULL; /* Don't return stale keys to kadm5 clients */ - ret = hdb_prune_keys(context->context, &ent.entry); + ret = hdb_prune_keys(context->context, &ent); if (ret) goto out; - ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys); + ext = hdb_find_extension(&ent, choice_HDB_extension_data_hist_keys); if (ext != NULL) hist_keys = &ext->data.u.hist_keys; - krb5_get_pw_salt(context->context, ent.entry.principal, &salt); + krb5_get_pw_salt(context->context, ent.principal, &salt); for (i = 0; hist_keys != NULL && i < hist_keys->len; i++) n_keys += hist_keys->val[i].keys.len; out->key_data = malloc(n_keys * sizeof(*out->key_data)); @@ -281,8 +281,8 @@ kadm5_s_get_principal(void *server_handle, goto out; } out->n_key_data = 0; - ret = copy_keyset_to_kadm5(context, ent.entry.kvno, ent.entry.keys.len, - ent.entry.keys.val, &salt, out); + ret = copy_keyset_to_kadm5(context, ent.kvno, ent.keys.len, + ent.keys.val, &salt, out); if (ret) goto out; for (i = 0; hist_keys != NULL && i < hist_keys->len; i++) { @@ -305,12 +305,12 @@ kadm5_s_get_principal(void *server_handle, const HDB_Ext_KeyRotation *kr; heim_octet_string krb5_config; - if (ent.entry.etypes) { + if (ent.etypes) { krb5_data buf; size_t len; ASN1_MALLOC_ENCODE(HDB_EncTypeList, buf.data, buf.length, - ent.entry.etypes, &len, ret); + ent.etypes, &len, ret); if (ret == 0) { ret = add_tl_data(out, KRB5_TL_ETYPES, buf.data, buf.length); free(buf.data); @@ -319,14 +319,14 @@ kadm5_s_get_principal(void *server_handle, goto out; } - ret = hdb_entry_get_pw_change_time(&ent.entry, &last_pw_expire); + ret = hdb_entry_get_pw_change_time(&ent, &last_pw_expire); if (ret == 0 && last_pw_expire) { unsigned char buf[4]; _krb5_put_int(buf, last_pw_expire, sizeof(buf)); ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf)); } - ret = hdb_entry_get_krb5_config(&ent.entry, &krb5_config); + ret = hdb_entry_get_krb5_config(&ent, &krb5_config); if (ret == 0 && krb5_config.length) { ret = add_tl_data(out, KRB5_TL_KRB5_CONFIG, krb5_config.data, krb5_config.length); @@ -342,7 +342,7 @@ kadm5_s_get_principal(void *server_handle, /* XXX But not if the client doesn't have ext-keys */ ret = hdb_entry_get_password(context->context, - context->db, &ent.entry, &pw); + context->db, &ent, &pw); if (ret == 0) { ret = add_tl_data(out, KRB5_TL_PASSWORD, pw, strlen(pw) + 1); free(pw); @@ -352,7 +352,7 @@ kadm5_s_get_principal(void *server_handle, krb5_clear_error_message(context->context); } - ret = hdb_entry_get_pkinit_acl(&ent.entry, &acl); + ret = hdb_entry_get_pkinit_acl(&ent, &acl); if (ret == 0 && acl) { krb5_data buf; size_t len; @@ -370,7 +370,7 @@ kadm5_s_get_principal(void *server_handle, goto out; } - ret = hdb_entry_get_aliases(&ent.entry, &aliases); + ret = hdb_entry_get_aliases(&ent, &aliases); if (ret == 0 && aliases) { krb5_data buf; size_t len; @@ -388,7 +388,7 @@ kadm5_s_get_principal(void *server_handle, goto out; } - ret = hdb_entry_get_key_rotation(context->context, &ent.entry, &kr); + ret = hdb_entry_get_key_rotation(context->context, &ent, &kr); if (ret == 0 && kr) { krb5_data buf; size_t len; diff --git a/lib/kadm5/ipropd_master.c b/lib/kadm5/ipropd_master.c index 167c7e15a..a04fd84b0 100644 --- a/lib/kadm5/ipropd_master.c +++ b/lib/kadm5/ipropd_master.c @@ -392,14 +392,14 @@ error: } static int -dump_one (krb5_context context, HDB *db, hdb_entry_ex *entry, void *v) +dump_one (krb5_context context, HDB *db, hdb_entry *entry, void *v) { krb5_error_code ret; krb5_storage *dump = (krb5_storage *)v; krb5_storage *sp; krb5_data data; - ret = hdb_entry2value (context, &entry->entry, &data); + ret = hdb_entry2value (context, entry, &data); if (ret) return ret; ret = krb5_data_realloc (&data, data.length + 4); diff --git a/lib/kadm5/ipropd_slave.c b/lib/kadm5/ipropd_slave.c index bceb8f6e1..5ad1e8331 100644 --- a/lib/kadm5/ipropd_slave.c +++ b/lib/kadm5/ipropd_slave.c @@ -571,7 +571,7 @@ receive_everything(krb5_context context, int fd, krb5_ret_uint32(sp, &opcode); if (opcode == ONE_PRINC) { krb5_data fake_data; - hdb_entry_ex entry; + hdb_entry entry; krb5_storage_free(sp); @@ -580,7 +580,7 @@ receive_everything(krb5_context context, int fd, memset(&entry, 0, sizeof(entry)); - ret = hdb_value2entry(context, &fake_data, &entry.entry); + ret = hdb_value2entry(context, &fake_data, &entry); if (ret) krb5_err(context, IPROPD_RESTART, ret, "hdb_value2entry"); ret = mydb->hdb_store(server_context->context, diff --git a/lib/kadm5/log.c b/lib/kadm5/log.c index ae0799c2f..4f66426c4 100644 --- a/lib/kadm5/log.c +++ b/lib/kadm5/log.c @@ -974,12 +974,12 @@ kadm5_log_create(kadm5_server_context *context, hdb_entry *entry) krb5_ssize_t bytes; kadm5_ret_t ret; krb5_data value; - hdb_entry_ex ent, existing; + hdb_entry ent, existing; kadm5_log_context *log_context = &context->log_context; memset(&existing, 0, sizeof(existing)); memset(&ent, 0, sizeof(ent)); - ent.entry = *entry; + ent = *entry; /* * Do not allow creation of concrete entries within namespaces unless @@ -989,14 +989,14 @@ kadm5_log_create(kadm5_server_context *context, hdb_entry *entry) 0, 0, 0, &existing); if (ret != 0 && ret != HDB_ERR_NOENTRY) return ret; - if (ret == 0 && !ent.entry.flags.materialize && - (existing.entry.flags.virtual || existing.entry.flags.virtual_keys)) { + if (ret == 0 && !ent.flags.materialize && + (existing.flags.virtual || existing.flags.virtual_keys)) { hdb_free_entry(context->context, context->db, &existing); return HDB_ERR_EXISTS; } if (ret == 0) hdb_free_entry(context->context, context->db, &existing); - ent.entry.flags.materialize = 0; /* Clear in stored entry */ + ent.flags.materialize = 0; /* Clear in stored entry */ /* * If we're not logging then we can't recover-to-perform, so just @@ -1055,7 +1055,7 @@ kadm5_log_replay_create(kadm5_server_context *context, { krb5_error_code ret; krb5_data data; - hdb_entry_ex ent; + hdb_entry ent; memset(&ent, 0, sizeof(ent)); @@ -1065,7 +1065,7 @@ kadm5_log_replay_create(kadm5_server_context *context, return ret; } krb5_storage_read(sp, data.data, len); - ret = hdb_value2entry(context->context, &data, &ent.entry); + ret = hdb_value2entry(context->context, &data, &ent); krb5_data_free(&data); if (ret) { krb5_set_error_message(context->context, ret, @@ -1196,11 +1196,11 @@ kadm5_log_rename(kadm5_server_context *context, off_t end_off = 0; /* Ditto; this allows de-indentation by two levels */ off_t off; krb5_data value; - hdb_entry_ex ent; + hdb_entry ent; kadm5_log_context *log_context = &context->log_context; memset(&ent, 0, sizeof(ent)); - ent.entry = *entry; + ent = *entry; if (strcmp(log_context->log_file, "/dev/null") == 0) { ret = context->db->hdb_store(context->context, context->db, 0, &ent); @@ -1306,7 +1306,7 @@ kadm5_log_replay_rename(kadm5_server_context *context, { krb5_error_code ret; krb5_principal source; - hdb_entry_ex target_ent; + hdb_entry target_ent; krb5_data value; off_t off; size_t princ_len, data_len; @@ -1328,7 +1328,7 @@ kadm5_log_replay_rename(kadm5_server_context *context, return ret; } krb5_storage_read(sp, value.data, data_len); - ret = hdb_value2entry(context->context, &value, &target_ent.entry); + ret = hdb_value2entry(context->context, &value, &target_ent); krb5_data_free(&value); if (ret) { krb5_free_principal(context->context, source); @@ -1360,11 +1360,11 @@ kadm5_log_modify(kadm5_server_context *context, kadm5_ret_t ret; krb5_data value; uint32_t len; - hdb_entry_ex ent; + hdb_entry ent; kadm5_log_context *log_context = &context->log_context; memset(&ent, 0, sizeof(ent)); - ent.entry = *entry; + ent = *entry; if (strcmp(log_context->log_file, "/dev/null") == 0) return context->db->hdb_store(context->context, context->db, @@ -1428,7 +1428,7 @@ kadm5_log_replay_modify(kadm5_server_context *context, krb5_error_code ret; uint32_t mask; krb5_data value; - hdb_entry_ex ent, log_ent; + hdb_entry ent, log_ent; memset(&log_ent, 0, sizeof(log_ent)); @@ -1446,7 +1446,7 @@ kadm5_log_replay_modify(kadm5_server_context *context, ret = errno ? errno : EIO; return ret; } - ret = hdb_value2entry (context->context, &value, &log_ent.entry); + ret = hdb_value2entry (context->context, &value, &log_ent); krb5_data_free(&value); if (ret) return ret; @@ -1454,37 +1454,37 @@ kadm5_log_replay_modify(kadm5_server_context *context, memset(&ent, 0, sizeof(ent)); /* NOTE: We do not use hdb_fetch_kvno() here */ ret = context->db->hdb_fetch_kvno(context->context, context->db, - log_ent.entry.principal, + log_ent.principal, HDB_F_DECRYPT|HDB_F_ALL_KVNOS| HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent); if (ret) goto out; if (mask & KADM5_PRINC_EXPIRE_TIME) { - if (log_ent.entry.valid_end == NULL) { - ent.entry.valid_end = NULL; + if (log_ent.valid_end == NULL) { + ent.valid_end = NULL; } else { - if (ent.entry.valid_end == NULL) { - ent.entry.valid_end = malloc(sizeof(*ent.entry.valid_end)); - if (ent.entry.valid_end == NULL) { + if (ent.valid_end == NULL) { + ent.valid_end = malloc(sizeof(*ent.valid_end)); + if (ent.valid_end == NULL) { ret = krb5_enomem(context->context); goto out; } } - *ent.entry.valid_end = *log_ent.entry.valid_end; + *ent.valid_end = *log_ent.valid_end; } } if (mask & KADM5_PW_EXPIRATION) { - if (log_ent.entry.pw_end == NULL) { - ent.entry.pw_end = NULL; + if (log_ent.pw_end == NULL) { + ent.pw_end = NULL; } else { - if (ent.entry.pw_end == NULL) { - ent.entry.pw_end = malloc(sizeof(*ent.entry.pw_end)); - if (ent.entry.pw_end == NULL) { + if (ent.pw_end == NULL) { + ent.pw_end = malloc(sizeof(*ent.pw_end)); + if (ent.pw_end == NULL) { ret = krb5_enomem(context->context); goto out; } } - *ent.entry.pw_end = *log_ent.entry.pw_end; + *ent.pw_end = *log_ent.pw_end; } } if (mask & KADM5_LAST_PWD_CHANGE) { @@ -1492,39 +1492,39 @@ kadm5_log_replay_modify(kadm5_server_context *context, "Unimplemented mask KADM5_LAST_PWD_CHANGE"); } if (mask & KADM5_ATTRIBUTES) { - ent.entry.flags = log_ent.entry.flags; + ent.flags = log_ent.flags; } if (mask & KADM5_MAX_LIFE) { - if (log_ent.entry.max_life == NULL) { - ent.entry.max_life = NULL; + if (log_ent.max_life == NULL) { + ent.max_life = NULL; } else { - if (ent.entry.max_life == NULL) { - ent.entry.max_life = malloc (sizeof(*ent.entry.max_life)); - if (ent.entry.max_life == NULL) { + if (ent.max_life == NULL) { + ent.max_life = malloc (sizeof(*ent.max_life)); + if (ent.max_life == NULL) { ret = krb5_enomem(context->context); goto out; } } - *ent.entry.max_life = *log_ent.entry.max_life; + *ent.max_life = *log_ent.max_life; } } if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) { - if (ent.entry.modified_by == NULL) { - ent.entry.modified_by = malloc(sizeof(*ent.entry.modified_by)); - if (ent.entry.modified_by == NULL) { + if (ent.modified_by == NULL) { + ent.modified_by = malloc(sizeof(*ent.modified_by)); + if (ent.modified_by == NULL) { ret = krb5_enomem(context->context); goto out; } } else - free_Event(ent.entry.modified_by); - ret = copy_Event(log_ent.entry.modified_by, ent.entry.modified_by); + free_Event(ent.modified_by); + ret = copy_Event(log_ent.modified_by, ent.modified_by); if (ret) { ret = krb5_enomem(context->context); goto out; } } if (mask & KADM5_KVNO) { - ent.entry.kvno = log_ent.entry.kvno; + ent.kvno = log_ent.kvno; } if (mask & KADM5_MKVNO) { krb5_warnx(context->context, "Unimplemented mask KADM5_KVNO"); @@ -1537,17 +1537,17 @@ kadm5_log_replay_modify(kadm5_server_context *context, krb5_warnx(context->context, "Unimplemented mask KADM5_POLICY_CLR"); } if (mask & KADM5_MAX_RLIFE) { - if (log_ent.entry.max_renew == NULL) { - ent.entry.max_renew = NULL; + if (log_ent.max_renew == NULL) { + ent.max_renew = NULL; } else { - if (ent.entry.max_renew == NULL) { - ent.entry.max_renew = malloc (sizeof(*ent.entry.max_renew)); - if (ent.entry.max_renew == NULL) { + if (ent.max_renew == NULL) { + ent.max_renew = malloc (sizeof(*ent.max_renew)); + if (ent.max_renew == NULL) { ret = krb5_enomem(context->context); goto out; } } - *ent.entry.max_renew = *log_ent.entry.max_renew; + *ent.max_renew = *log_ent.max_renew; } } if (mask & KADM5_LAST_SUCCESS) { @@ -1573,62 +1573,62 @@ kadm5_log_replay_modify(kadm5_server_context *context, */ mask |= KADM5_TL_DATA; - for (i = 0; i < ent.entry.keys.len; ++i) - free_Key(&ent.entry.keys.val[i]); - free (ent.entry.keys.val); + for (i = 0; i < ent.keys.len; ++i) + free_Key(&ent.keys.val[i]); + free (ent.keys.val); - num = log_ent.entry.keys.len; + num = log_ent.keys.len; - ent.entry.keys.len = num; - ent.entry.keys.val = malloc(len * sizeof(*ent.entry.keys.val)); - if (ent.entry.keys.val == NULL) { + ent.keys.len = num; + ent.keys.val = malloc(len * sizeof(*ent.keys.val)); + if (ent.keys.val == NULL) { krb5_enomem(context->context); goto out; } - for (i = 0; i < ent.entry.keys.len; ++i) { - ret = copy_Key(&log_ent.entry.keys.val[i], - &ent.entry.keys.val[i]); + for (i = 0; i < ent.keys.len; ++i) { + ret = copy_Key(&log_ent.keys.val[i], + &ent.keys.val[i]); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } } - if ((mask & KADM5_TL_DATA) && log_ent.entry.etypes) { - if (ent.entry.etypes) - free_HDB_EncTypeList(ent.entry.etypes); - free(ent.entry.etypes); - ent.entry.etypes = calloc(1, sizeof(*ent.entry.etypes)); - if (ent.entry.etypes == NULL) + if ((mask & KADM5_TL_DATA) && log_ent.etypes) { + if (ent.etypes) + free_HDB_EncTypeList(ent.etypes); + free(ent.etypes); + ent.etypes = calloc(1, sizeof(*ent.etypes)); + if (ent.etypes == NULL) ret = ENOMEM; if (ret == 0) - ret = copy_HDB_EncTypeList(log_ent.entry.etypes, ent.entry.etypes); + ret = copy_HDB_EncTypeList(log_ent.etypes, ent.etypes); if (ret) { ret = krb5_enomem(context->context); - free(ent.entry.etypes); - ent.entry.etypes = NULL; + free(ent.etypes); + ent.etypes = NULL; goto out; } } - if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) { - if (ent.entry.extensions) { - free_HDB_extensions(ent.entry.extensions); - free(ent.entry.extensions); - ent.entry.extensions = NULL; + if ((mask & KADM5_TL_DATA) && log_ent.extensions) { + if (ent.extensions) { + free_HDB_extensions(ent.extensions); + free(ent.extensions); + ent.extensions = NULL; } - ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions)); - if (ent.entry.extensions == NULL) + ent.extensions = calloc(1, sizeof(*ent.extensions)); + if (ent.extensions == NULL) ret = ENOMEM; if (ret == 0) - ret = copy_HDB_extensions(log_ent.entry.extensions, - ent.entry.extensions); + ret = copy_HDB_extensions(log_ent.extensions, + ent.extensions); if (ret) { ret = krb5_enomem(context->context); - free(ent.entry.extensions); - ent.entry.extensions = NULL; + free(ent.extensions); + ent.extensions = NULL; goto out; } } diff --git a/lib/kadm5/modify_s.c b/lib/kadm5/modify_s.c index 7e4f54323..2159caf55 100644 --- a/lib/kadm5/modify_s.c +++ b/lib/kadm5/modify_s.c @@ -97,7 +97,7 @@ modify_principal(void *server_handle, uint32_t forbidden_mask) { kadm5_server_context *context = server_handle; - hdb_entry_ex ent; + hdb_entry ent; kadm5_ret_t ret; memset(&ent, 0, sizeof(ent)); @@ -139,7 +139,7 @@ modify_principal(void *server_handle, ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0); if (ret) goto out3; - ret = _kadm5_set_modifier(context, &ent.entry); + ret = _kadm5_set_modifier(context, &ent); if (ret) goto out3; @@ -157,7 +157,7 @@ modify_principal(void *server_handle, goto out3; } - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out3; @@ -174,14 +174,14 @@ modify_principal(void *server_handle, goto out3; } /* This calls free_HDB_extension(), freeing ext.data.u.policy */ - ret = hdb_replace_extension(context->context, &ent.entry, &ext); + ret = hdb_replace_extension(context->context, &ent, &ext); free(ext.data.u.policy); if (ret) goto out3; } /* This logs the change for iprop and writes to the HDB */ - ret = kadm5_log_modify(context, &ent.entry, + ret = kadm5_log_modify(context, &ent, mask | KADM5_MOD_NAME | KADM5_MOD_TIME); (void) modify_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, diff --git a/lib/kadm5/prune_s.c b/lib/kadm5/prune_s.c index 659fb4bfa..96133f242 100644 --- a/lib/kadm5/prune_s.c +++ b/lib/kadm5/prune_s.c @@ -95,7 +95,7 @@ kadm5_s_prune_principal(void *server_handle, int kvno) { kadm5_server_context *context = server_handle; - hdb_entry_ex ent; + hdb_entry ent; kadm5_ret_t ret; memset(&ent, 0, sizeof(ent)); @@ -121,15 +121,15 @@ kadm5_s_prune_principal(void *server_handle, if (ret) goto out3; - ret = hdb_prune_keys_kvno(context->context, &ent.entry, kvno); + ret = hdb_prune_keys_kvno(context->context, &ent, kvno); if (ret) goto out3; - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out3; - ret = kadm5_log_modify(context, &ent.entry, KADM5_KEY_DATA); + ret = kadm5_log_modify(context, &ent, KADM5_KEY_DATA); (void) prune_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, ret, princ, kvno); diff --git a/lib/kadm5/randkey_s.c b/lib/kadm5/randkey_s.c index d6fd5a8c7..cb3696720 100644 --- a/lib/kadm5/randkey_s.c +++ b/lib/kadm5/randkey_s.c @@ -102,7 +102,7 @@ kadm5_s_randkey_principal(void *server_handle, int *n_keys) { kadm5_server_context *context = server_handle; - hdb_entry_ex ent; + hdb_entry ent; kadm5_ret_t ret; size_t i; @@ -129,36 +129,36 @@ kadm5_s_randkey_principal(void *server_handle, goto out3; if (keepold) { - ret = hdb_add_current_keys_to_history(context->context, &ent.entry); + ret = hdb_add_current_keys_to_history(context->context, &ent); if (ret == 0 && keepold == 1) - ret = hdb_prune_keys_kvno(context->context, &ent.entry, 0); + ret = hdb_prune_keys_kvno(context->context, &ent, 0); if (ret) goto out3; } else { /* Remove all key history */ - ret = hdb_clear_extension(context->context, &ent.entry, + ret = hdb_clear_extension(context->context, &ent, choice_HDB_extension_data_hist_keys); if (ret) goto out3; } - ret = _kadm5_set_keys_randomly(context, &ent.entry, n_ks_tuple, ks_tuple, + ret = _kadm5_set_keys_randomly(context, &ent, n_ks_tuple, ks_tuple, new_keys, n_keys); if (ret) goto out3; - ent.entry.kvno++; + ent.kvno++; - ent.entry.flags.require_pwchange = 0; + ent.flags.require_pwchange = 0; - ret = _kadm5_set_modifier(context, &ent.entry); + ret = _kadm5_set_modifier(context, &ent); if(ret) goto out4; - ret = _kadm5_bump_pw_expire(context, &ent.entry); + ret = _kadm5_bump_pw_expire(context, &ent); if (ret) goto out4; if (keepold) { - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out4; } else { @@ -169,11 +169,11 @@ kadm5_s_randkey_principal(void *server_handle, ext.data.element = choice_HDB_extension_data_hist_keys; ext.data.u.hist_keys.len = 0; ext.data.u.hist_keys.val = NULL; - hdb_replace_extension(context->context, &ent.entry, &ext); + hdb_replace_extension(context->context, &ent, &ext); } /* This logs the change for iprop and writes to the HDB */ - ret = kadm5_log_modify(context, &ent.entry, + ret = kadm5_log_modify(context, &ent, KADM5_ATTRIBUTES | KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO | diff --git a/lib/kadm5/rename_s.c b/lib/kadm5/rename_s.c index 341e50359..f572dff34 100644 --- a/lib/kadm5/rename_s.c +++ b/lib/kadm5/rename_s.c @@ -97,7 +97,7 @@ kadm5_s_rename_principal(void *server_handle, { kadm5_server_context *context = server_handle; kadm5_ret_t ret; - hdb_entry_ex ent; + hdb_entry ent; krb5_principal oldname; size_t i; @@ -121,14 +121,14 @@ kadm5_s_rename_principal(void *server_handle, 0, &ent); if (ret) goto out2; - oldname = ent.entry.principal; + oldname = ent.principal; ret = rename_principal_hook(context, KADM5_HOOK_STAGE_PRECOMMIT, 0, source, target); if (ret) goto out3; - ret = _kadm5_set_modifier(context, &ent.entry); + ret = _kadm5_set_modifier(context, &ent); if (ret) goto out3; { @@ -139,14 +139,14 @@ kadm5_s_rename_principal(void *server_handle, krb5_get_pw_salt(context->context, source, &salt2); salt.type = hdb_pw_salt; salt.salt = salt2.saltvalue; - for(i = 0; i < ent.entry.keys.len; i++){ - if(ent.entry.keys.val[i].salt == NULL){ - ent.entry.keys.val[i].salt = - malloc(sizeof(*ent.entry.keys.val[i].salt)); - if (ent.entry.keys.val[i].salt == NULL) + for(i = 0; i < ent.keys.len; i++){ + if(ent.keys.val[i].salt == NULL){ + ent.keys.val[i].salt = + malloc(sizeof(*ent.keys.val[i].salt)); + if (ent.keys.val[i].salt == NULL) ret = krb5_enomem(context->context); else - ret = copy_Salt(&salt, ent.entry.keys.val[i].salt); + ret = copy_Salt(&salt, ent.keys.val[i].salt); if (ret) break; } @@ -157,19 +157,19 @@ kadm5_s_rename_principal(void *server_handle, goto out3; /* Borrow target */ - ent.entry.principal = target; - ret = hdb_seal_keys(context->context, context->db, &ent.entry); + ent.principal = target; + ret = hdb_seal_keys(context->context, context->db, &ent); if (ret) goto out3; /* This logs the change for iprop and writes to the HDB */ - ret = kadm5_log_rename(context, source, &ent.entry); + ret = kadm5_log_rename(context, source, &ent); (void) rename_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, ret, source, target); out3: - ent.entry.principal = oldname; /* Unborrow target */ + ent.principal = oldname; /* Unborrow target */ hdb_free_entry(context->context, context->db, &ent); out2: diff --git a/lib/kadm5/setkey3_s.c b/lib/kadm5/setkey3_s.c index 279ac19f8..584c194dd 100644 --- a/lib/kadm5/setkey3_s.c +++ b/lib/kadm5/setkey3_s.c @@ -115,7 +115,7 @@ kadm5_s_setkey_principal_3(void *server_handle, krb5_keyblock *keyblocks, int n_keys) { kadm5_server_context *context = server_handle; - hdb_entry_ex ent; + hdb_entry ent; kadm5_ret_t ret = 0; size_t i; @@ -154,9 +154,9 @@ kadm5_s_setkey_principal_3(void *server_handle, } if (keepold) { - ret = hdb_add_current_keys_to_history(context->context, &ent.entry); + ret = hdb_add_current_keys_to_history(context->context, &ent); } else - ret = hdb_clear_extension(context->context, &ent.entry, + ret = hdb_clear_extension(context->context, &ent, choice_HDB_extension_data_hist_keys); /* @@ -167,7 +167,7 @@ kadm5_s_setkey_principal_3(void *server_handle, * each ks_tuple's enctype matches the corresponding key enctype. */ if (ret == 0) { - free_Keys(&ent.entry.keys); + free_Keys(&ent.keys); for (i = 0; i < n_keys; ++i) { Key k; Salt s; @@ -186,22 +186,22 @@ kadm5_s_setkey_principal_3(void *server_handle, s.opaque = 0; k.salt = &s; } - if ((ret = add_Keys(&ent.entry.keys, &k)) != 0) + if ((ret = add_Keys(&ent.keys, &k)) != 0) break; } } if (ret == 0) { - ent.entry.kvno++; - ent.entry.flags.require_pwchange = 0; - hdb_entry_set_pw_change_time(context->context, &ent.entry, 0); - hdb_entry_clear_password(context->context, &ent.entry); + ent.kvno++; + ent.flags.require_pwchange = 0; + hdb_entry_set_pw_change_time(context->context, &ent, 0); + hdb_entry_clear_password(context->context, &ent); if ((ret = hdb_seal_keys(context->context, context->db, - &ent.entry)) == 0 - && (ret = _kadm5_set_modifier(context, &ent.entry)) == 0 - && (ret = _kadm5_bump_pw_expire(context, &ent.entry)) == 0) - ret = kadm5_log_modify(context, &ent.entry, + &ent)) == 0 + && (ret = _kadm5_set_modifier(context, &ent)) == 0 + && (ret = _kadm5_bump_pw_expire(context, &ent)) == 0) + ret = kadm5_log_modify(context, &ent, KADM5_ATTRIBUTES | KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO | diff --git a/tests/plugin/kdc_test_plugin.c b/tests/plugin/kdc_test_plugin.c index af2c10a94..d03aec4ee 100644 --- a/tests/plugin/kdc_test_plugin.c +++ b/tests/plugin/kdc_test_plugin.c @@ -19,9 +19,11 @@ fini(void *ctx) } static krb5_error_code KRB5_CALLCONV -pac_generate(void *ctx, krb5_context context, - struct hdb_entry_ex *client, - struct hdb_entry_ex *server, +pac_generate(void *ctx, + krb5_context context, + krb5_kdc_configuration *config, + hdb_entry *client, + hdb_entry *server, const krb5_keyblock *pk_replykey, uint64_t pac_attributes, krb5_pac *pac) @@ -52,12 +54,14 @@ pac_generate(void *ctx, krb5_context context, } static krb5_error_code KRB5_CALLCONV -pac_verify(void *ctx, krb5_context context, +pac_verify(void *ctx, + krb5_context context, + krb5_kdc_configuration *config, const krb5_principal new_ticket_client, const krb5_principal delegation_proxy, - struct hdb_entry_ex * client, - struct hdb_entry_ex * server, - struct hdb_entry_ex * krbtgt, + hdb_entry * client, + hdb_entry * server, + hdb_entry * krbtgt, krb5_pac *pac) { krb5_error_code ret; @@ -78,7 +82,7 @@ pac_verify(void *ctx, krb5_context context, if (ret) return ret; - if (rodc_id == 0 || rodc_id != krbtgt->entry.kvno >> 16) { + if (rodc_id == 0 || rodc_id != krbtgt->kvno >> 16) { krb5_warnx(context, "Wrong RODCIdentifier"); return EINVAL; } @@ -87,7 +91,7 @@ pac_verify(void *ctx, krb5_context context, if (ret) return ret; - ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key); + ret = hdb_enctype2key(context, krbtgt, NULL, etype, &key); if (ret) return ret; @@ -152,7 +156,7 @@ audit(void *ctx, astgs_request_t r) } static krb5plugin_kdc_ftable kdc_plugin = { - KRB5_PLUGIN_KDC_VERSION_9, + KRB5_PLUGIN_KDC_VERSION_10, init, fini, pac_generate,