oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hdb: eliminate hdb_entry_ex

Browse Source 
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
This commit is contained in:
Luke Howard
2022-01-07 12:54:40 +11:00
parent c5551775e2
commit 0e8c4ccc6e
50 changed files with 1035 additions and 1032 deletions
Download Patch File Download Diff File Expand all files Collapse all files

172
lib/hdb/common.c
View File

@@ -148,7 +148,7 @@ fetch_entry_or_alias(krb5_context context,
HDB *db,
krb5_const_principal principal,
unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
HDB_EntryOrAlias eoa;
krb5_principal enterprise_principal = NULL;
@@ -180,7 +180,7 @@ fetch_entry_or_alias(krb5_context context,
if (ret == 0)
ret = decode_HDB_EntryOrAlias(value.data, value.length, &eoa, NULL);
if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_entry) {
entry->entry = eoa.u.entry;
*entry = eoa.u.entry;
} else if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias) {
krb5_data_free(&key);
ret = hdb_principal2key(context, eoa.u.alias.principal, &key);
@@ -190,7 +190,7 @@ fetch_entry_or_alias(krb5_context context,
}
if (ret == 0)
/* No alias chaining */
ret = hdb_value2entry(context, &value, &entry->entry);
ret = hdb_value2entry(context, &value, entry);
krb5_free_principal(context, eoa.u.alias.principal);
} else if (ret == 0)
ret = ENOTSUP;
@@ -200,7 +200,7 @@ fetch_entry_or_alias(krb5_context context,
* the canonicalize flag is unset, the original specification in
* draft-ietf-krb-wg-kerberos-referrals-03.txt says we should.
*/
entry->entry.flags.force_canonicalize = 1;
entry->flags.force_canonicalize = 1;
}
/* HDB_F_GET_ANY indicates request originated from KDC (not kadmin) */
@@ -208,7 +208,7 @@ fetch_entry_or_alias(krb5_context context,
(flags & (HDB_F_CANON|HDB_F_GET_ANY)) == 0) {
/* `principal' was alias but canon not req'd */
free_HDB_entry(&entry->entry);
free_HDB_entry(entry);
ret = HDB_ERR_NOENTRY;
}
@@ -221,7 +221,7 @@ fetch_entry_or_alias(krb5_context context,
krb5_error_code
_hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{
krb5_error_code ret;
@@ -231,21 +231,21 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) {
/* Decrypt the current keys */
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
}
/* Decrypt the key history too */
ret = hdb_unseal_keys_kvno(context, db, 0, flags, &entry->entry);
ret = hdb_unseal_keys_kvno(context, db, 0, flags, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
}
} else if ((flags & HDB_F_DECRYPT)) {
if ((flags & HDB_F_KVNO_SPECIFIED) == 0 || kvno == entry->entry.kvno) {
if ((flags & HDB_F_KVNO_SPECIFIED) == 0 || kvno == entry->kvno) {
/* Decrypt the current keys */
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
@@ -257,7 +257,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
* Find and decrypt the keys from the history that we want,
* and swap them with the current keys
*/
ret = hdb_unseal_keys_kvno(context, db, kvno, flags, &entry->entry);
ret = hdb_unseal_keys_kvno(context, db, kvno, flags, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
@@ -271,7 +271,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
* key was generated, but given the salt will be ignored by a keytab
* client it doesn't hurt to include the default salt.
*/
ret = add_default_salts(context, db, &entry->entry);
ret = add_default_salts(context, db, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
@@ -325,20 +325,20 @@ hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key)
static krb5_error_code
hdb_add_aliases(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry)
unsigned flags, hdb_entry *entry)
{
const HDB_Ext_Aliases *aliases;
krb5_error_code code;
krb5_data key, value;
size_t i;
code = hdb_entry_get_aliases(&entry->entry, &aliases);
code = hdb_entry_get_aliases(entry, &aliases);
if (code || aliases == NULL)
return code;
for (i = 0; i < aliases->aliases.len; i++) {
hdb_entry_alias entryalias;
entryalias.principal = entry->entry.principal;
entryalias.principal = entry->principal;
code = hdb_entry_alias2value(context, &entryalias, &value);
if (code)
@@ -358,7 +358,7 @@ hdb_add_aliases(krb5_context context, HDB *db,
/* Check if new aliases are already used for other entries */
static krb5_error_code
hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
hdb_check_aliases(krb5_context context, HDB *db, hdb_entry *entry)
{
const HDB_Ext_Aliases *aliases = NULL;
HDB_EntryOrAlias eoa;
@@ -370,7 +370,7 @@ hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
krb5_data_zero(&value);
akey = value;
ret = hdb_entry_get_aliases(&entry->entry, &aliases);
ret = hdb_entry_get_aliases(entry, &aliases);
for (i = 0; ret == 0 && aliases && i < aliases->aliases.len; i++) {
ret = hdb_principal2key(context, &aliases->aliases.val[i], &akey);
if (ret == 0)
@@ -385,7 +385,7 @@ hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
ret = HDB_ERR_EXISTS;
if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias &&
!krb5_principal_compare(context, eoa.u.alias.principal,
entry->entry.principal))
entry->principal))
/* New alias names an existing alias of a different entry */
ret = HDB_ERR_EXISTS;
if (ret == HDB_ERR_NOENTRY) /* from db->hdb__get */
@@ -459,13 +459,13 @@ hdb_derive_etypes(krb5_context context, hdb_entry *e, HDB_Ext_KeySet *base_keys)
}
krb5_error_code
_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
krb5_data key, value;
int code;
if (entry->entry.flags.do_not_store ||
entry->entry.flags.force_canonicalize)
if (entry->flags.do_not_store ||
entry->flags.force_canonicalize)
return HDB_ERR_MISUSE;
/* check if new aliases already is used */
code = hdb_check_aliases(context, db, entry);
@@ -476,7 +476,7 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return 0;
if ((flags & HDB_F_PRECHECK)) {
code = hdb_principal2key(context, entry->entry.principal, &key);
code = hdb_principal2key(context, entry->principal, &key);
if (code)
return code;
code = db->hdb__get(context, db, key, &value);
@@ -488,29 +488,29 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return code ? code : HDB_ERR_EXISTS;
}
if ((entry->entry.etypes == NULL || entry->entry.etypes->len == 0) &&
(code = hdb_derive_etypes(context, &entry->entry, NULL)))
if ((entry->etypes == NULL || entry->etypes->len == 0) &&
(code = hdb_derive_etypes(context, entry, NULL)))
return code;
if (entry->entry.generation == NULL) {
if (entry->generation == NULL) {
struct timeval t;
entry->entry.generation = malloc(sizeof(*entry->entry.generation));
if(entry->entry.generation == NULL) {
entry->generation = malloc(sizeof(*entry->generation));
if(entry->generation == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
gettimeofday(&t, NULL);
entry->entry.generation->time = t.tv_sec;
entry->entry.generation->usec = t.tv_usec;
entry->entry.generation->gen = 0;
entry->generation->time = t.tv_sec;
entry->generation->usec = t.tv_usec;
entry->generation->gen = 0;
} else
entry->entry.generation->gen++;
entry->generation->gen++;
code = hdb_seal_keys(context, db, &entry->entry);
code = hdb_seal_keys(context, db, entry);
if (code)
return code;
code = hdb_principal2key(context, entry->entry.principal, &key);
code = hdb_principal2key(context, entry->principal, &key);
if (code)
return code;
@@ -520,7 +520,7 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
krb5_data_free(&key);
return code;
}
hdb_entry2value(context, &entry->entry, &value);
hdb_entry2value(context, entry, &value);
code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value);
krb5_data_free(&value);
krb5_data_free(&key);
@@ -722,7 +722,7 @@ derive_keyset(krb5_context context,
/* Possibly derive and install in `h' a keyset identified by `t' */
static krb5_error_code
derive_keys_for_kr(krb5_context context,
hdb_entry_ex *h,
hdb_entry *h,
HDB_Ext_KeySet *base_keys,
int is_current_keyset,
int rotation_period_offset,
@@ -796,7 +796,7 @@ derive_keys_for_kr(krb5_context context,
ret = derive_keyset(context, &base_keys->val[i].keys, princ, etype, kvno,
set_time, &dks);
if (ret == 0)
ret = hdb_install_keyset(context, &h->entry, is_current_keyset, &dks);
ret = hdb_install_keyset(context, h, is_current_keyset, &dks);
free_HDB_keyset(&dks);
return ret;
@@ -805,7 +805,7 @@ derive_keys_for_kr(krb5_context context,
/* Derive and install current keys, and possibly preceding or next keys */
static krb5_error_code
derive_keys_for_current_kr(krb5_context context,
hdb_entry_ex *h,
hdb_entry *h,
HDB_Ext_KeySet *base_keys,
const char *princ,
unsigned int flags,
@@ -871,12 +871,12 @@ derive_keys_for_current_kr(krb5_context context,
* Arguments:
*
* - `flags' is the flags passed to `hdb_fetch_kvno()'
* - `princ' is the name of the principal we'll end up with in `h->entry'
* - `princ' is the name of the principal we'll end up with in `entry'
* - `h_is_namespace' indicates whether `h' is for a namespace or a concrete
* principal (that might nonetheless have virtual/derived keys)
* - `t' is the time such that the derived keys are for kvnos needed at `t'
* - `etype' indicates what enctype to derive keys for (0 for all enctypes in
* `h->entry.etypes')
* `entry->etypes')
* - `kvno' requests a particular kvno, or all if zero
*
* The caller doesn't know if the principal needs key derivation -- we make
@@ -968,7 +968,7 @@ derive_keys(krb5_context context,
krb5_timestamp t,
krb5int32 etype,
krb5uint32 kvno,
hdb_entry_ex *h)
hdb_entry *h)
{
HDB_Ext_KeyRotation kr;
HDB_Ext_KeySet base_keys;
@@ -977,9 +977,9 @@ derive_keys(krb5_context context,
char *p = NULL;
int valid = 1;
if (!h_is_namespace && !h->entry.flags.virtual_keys)
if (!h_is_namespace && !h->flags.virtual_keys)
return 0;
h->entry.flags.virtual = 1;
h->flags.virtual = 1;
kr.len = 0;
kr.val = 0;
@@ -987,7 +987,7 @@ derive_keys(krb5_context context,
const HDB_Ext_KeyRotation *ckr;
/* Installing keys invalidates `ckr', so we copy it */
ret = hdb_entry_get_key_rotation(context, &h->entry, &ckr);
ret = hdb_entry_get_key_rotation(context, h, &ckr);
if (!ckr)
return ret;
if (ret == 0)
@@ -998,11 +998,11 @@ derive_keys(krb5_context context,
base_keys.val = 0;
base_keys.len = 0;
if (ret == 0)
ret = hdb_remove_base_keys(context, &h->entry, &base_keys);
ret = hdb_remove_base_keys(context, h, &base_keys);
/* Make sure we have h->entry.etypes */
if (ret == 0 && !h->entry.etypes)
ret = hdb_derive_etypes(context, &h->entry, &base_keys);
/* Make sure we have h->etypes */
if (ret == 0 && !h->etypes)
ret = hdb_derive_etypes(context, h, &base_keys);
/* Keys not desired? Don't derive them! */
if (ret || !(flags & HDB_F_DECRYPT)) {
@@ -1094,10 +1094,10 @@ derive_keys(krb5_context context,
/*
* Derive and set in `h' its current kvno and current keys.
*
* This will set h->entry.kvno as well.
* This will set h->kvno as well.
*
* This may set up to TWO keysets for the current key rotation period:
* - current keys (h->entry.keys and h->entry.kvno)
* - current keys (h->keys and h->kvno)
* - possibly one future
* OR
* possibly one past keyset in hist_keys for the current_kr
@@ -1130,14 +1130,14 @@ derive_keys(krb5_context context,
kr.val[current_kr].epoch - 1, &kr.val[past_kr]);
/*
* Impose a bound on h->entry.max_life so that [when the KDC is the caller]
* Impose a bound on h->max_life so that [when the KDC is the caller]
* the KDC won't issue tickets longer lived than this.
*/
if (ret == 0 && !h->entry.max_life &&
(h->entry.max_life = calloc(1, sizeof(h->entry.max_life[0]))) == NULL)
if (ret == 0 && !h->max_life &&
(h->max_life = calloc(1, sizeof(h->max_life[0]))) == NULL)
ret = krb5_enomem(context);
if (ret == 0 && *h->entry.max_life > kr.val[current_kr].period >> 1)
*h->entry.max_life = kr.val[current_kr].period >> 1;
if (ret == 0 && *h->max_life > kr.val[current_kr].period >> 1)
*h->max_life = kr.val[current_kr].period >> 1;
free_HDB_Ext_KeyRotation(&kr);
free_HDB_Ext_KeySet(&base_keys);
@@ -1177,7 +1177,7 @@ pick_kvno(krb5_context context,
unsigned flags,
krb5_timestamp now,
krb5uint32 kvno,
hdb_entry_ex *h)
hdb_entry *h)
{
HDB_extension *ext;
HDB_Ext_KeySet keys;
@@ -1190,25 +1190,25 @@ pick_kvno(krb5_context context,
* delayed, or if there's no new-key delay configured, or we're not
* fetching for use as a service principal, then we're out.
*/
if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->entry.flags.virtual ||
h->entry.flags.virtual_keys || db->new_service_key_delay <= 0)
if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->flags.virtual ||
h->flags.virtual_keys || db->new_service_key_delay <= 0)
return 0;
/* No history -> current keyset is the only one and therefore the best */
ext = hdb_find_extension(&h->entry, choice_HDB_extension_data_hist_keys);
ext = hdb_find_extension(h, choice_HDB_extension_data_hist_keys);
if (!ext)
return 0;
/* Assume the current keyset is the best to start with */
(void) hdb_entry_get_pw_change_time(&h->entry, &current);
if (current == 0 && h->entry.modified_by)
current = h->entry.modified_by->time;
(void) hdb_entry_get_pw_change_time(h, &current);
if (current == 0 && h->modified_by)
current = h->modified_by->time;
if (current == 0)
current = h->entry.created_by.time;
current = h->created_by.time;
/* Current keyset starts out as best */
best = current;
kvno = h->entry.kvno;
kvno = h->kvno;
/* Look for a better keyset in the history */
keys = ext->data.u.hist_keys;
@@ -1248,7 +1248,7 @@ pick_kvno(krb5_context context,
best = keys.val[i].set_time[0];
kvno = keys.val[i].kvno;
}
return hdb_change_kvno(context, kvno, &h->entry);
return hdb_change_kvno(context, kvno, h);
}
/*
@@ -1359,15 +1359,15 @@ rewrite_hostname(krb5_context context,
}
/*
* Fix `h->entry.principal' to match the desired `princ' in the namespace
* `nsprinc' (which is either the same as `h->entry.principal' or an alias
* Fix `h->principal' to match the desired `princ' in the namespace
* `nsprinc' (which is either the same as `h->principal' or an alias
* of it).
*/
static krb5_error_code
fix_princ_name(krb5_context context,
krb5_const_principal princ,
krb5_const_principal nsprinc,
hdb_entry_ex *h)
hdb_entry *h)
{
krb5_error_code ret = 0;
char *s = NULL;
@@ -1379,7 +1379,7 @@ fix_princ_name(krb5_context context,
/* `nsprinc' must be a namespace principal */
if (krb5_principal_compare(context, nsprinc, h->entry.principal)) {
if (krb5_principal_compare(context, nsprinc, h->principal)) {
/*
* `h' is the HDB entry for `nsprinc', and `nsprinc' is its canonical
* name.
@@ -1387,23 +1387,23 @@ fix_princ_name(krb5_context context,
* Set the entry's principal name to the desired name. The keys will
* be fixed next (upstairs, but don't forget to!).
*/
free_Principal(h->entry.principal);
return copy_Principal(princ, h->entry.principal);
free_Principal(h->principal);
return copy_Principal(princ, h->principal);
}
if (!is_namespace_princ_p(context, h->entry.principal)) {
if (!is_namespace_princ_p(context, h->principal)) {
/*
* The alias is a namespace, but the canonical name is not. WAT.
*
* Well, the KDC will just issue a referral anyways, so we can leave
* `h->entry.principal' as is...
* `h->principal' as is...
*
* Remove all of `h->entry's keys just in case, and leave
* `h->entry.principal' as-is.
* Remove all of `h's keys just in case, and leave
* `h->principal' as-is.
*/
free_Keys(&h->entry.keys);
(void) hdb_entry_clear_password(context, &h->entry);
return hdb_clear_extension(context, &h->entry,
free_Keys(&h->keys);
(void) hdb_entry_clear_password(context, h);
return hdb_clear_extension(context, h,
choice_HDB_extension_data_hist_keys);
}
@@ -1418,15 +1418,15 @@ fix_princ_name(krb5_context context,
* we'll want to treat host/foo.ns.test.h5l.se as an alias of
* host/foo.ns.example.org.
*/
if (krb5_principal_get_num_comp(context, h->entry.principal) !=
if (krb5_principal_get_num_comp(context, h->principal) !=
2 + krb5_principal_get_num_comp(context, princ))
ret = HDB_ERR_NOENTRY; /* Only host-based services for now */
if (ret == 0)
ret = rewrite_hostname(context, princ, nsprinc, h->entry.principal, &s);
ret = rewrite_hostname(context, princ, nsprinc, h->principal, &s);
if (ret == 0) {
krb5_free_principal(context, h->entry.principal);
h->entry.principal = NULL;
ret = krb5_make_principal(context, &h->entry.principal,
krb5_free_principal(context, h->principal);
h->principal = NULL;
ret = krb5_make_principal(context, &h->principal,
krb5_principal_get_realm(context, princ),
krb5_principal_get_comp_string(context,
princ, 0),
@@ -1445,7 +1445,7 @@ fetch_it(krb5_context context,
krb5_timestamp t,
krb5int32 etype,
krb5uint32 kvno,
hdb_entry_ex *ent)
hdb_entry *ent)
{
krb5_const_principal tmpprinc = princ;
krb5_principal nsprinc = NULL;
@@ -1604,7 +1604,7 @@ hdb_fetch_kvno(krb5_context context,
krb5_timestamp t,
krb5int32 etype,
krb5uint32 kvno,
hdb_entry_ex *h)
hdb_entry *h)
{
krb5_error_code ret = HDB_ERR_NOENTRY;
@@ -1621,8 +1621,8 @@ hdb_fetch_kvno(krb5_context context,
* independently of principal aliases (used by Samba).
*/
if (ret == 0 && !(flags & HDB_F_ADMIN_DATA) &&
!h->entry.flags.force_canonicalize &&
!krb5_realm_compare(context, principal, h->entry.principal))
!h->flags.force_canonicalize &&
!krb5_realm_compare(context, principal, h->principal))
ret = HDB_ERR_WRONG_REALM;
return ret;
}

18
lib/hdb/db.c
View File

@@ -114,7 +114,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code
DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag)
unsigned flags, hdb_entry *entry, int flag)
{
DB *d = (DB*)db->hdb_db;
DBT key, value;
@@ -138,21 +138,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.data;
data.length = value.size;
memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry))
if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, R_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry);
code = hdb_unseal_keys (context, db, entry);
if (code)
hdb_free_entry (context, db, entry);
}
if (code == 0 && entry->entry.principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal));
if (entry->entry.principal == NULL) {
if (code == 0 && entry->principal == NULL) {
entry->principal = malloc(sizeof(*entry->principal));
if (entry->principal == NULL) {
code = ENOMEM;
krb5_set_error_message(context, code, "malloc: out of memory");
hdb_free_entry (context, db, entry);
} else {
hdb_key2principal(context, &key_data, entry->entry.principal);
hdb_key2principal(context, &key_data, entry->principal);
}
}
return code;
@@ -160,14 +160,14 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, R_FIRST);
}
static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, R_NEXT);
}

18
lib/hdb/db3.c
View File

@@ -136,7 +136,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code
DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag)
unsigned flags, hdb_entry *entry, int flag)
{
DBT key, value;
DBC *dbcp = db->hdb_dbc;
@@ -156,21 +156,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.data;
data.length = value.size;
memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry))
if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, DB_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry);
code = hdb_unseal_keys (context, db, entry);
if (code)
hdb_free_entry (context, db, entry);
}
if (entry->entry.principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal));
if (entry->entry.principal == NULL) {
if (entry->principal == NULL) {
entry->principal = malloc(sizeof(*entry->principal));
if (entry->principal == NULL) {
hdb_free_entry (context, db, entry);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
} else {
hdb_key2principal(context, &key_data, entry->entry.principal);
hdb_key2principal(context, &key_data, entry->principal);
}
}
return 0;
@@ -178,14 +178,14 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, DB_FIRST);
}
static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, DB_NEXT);
}

22
lib/hdb/hdb-keytab.c
View File

@@ -90,14 +90,14 @@ hkt_unlock(krb5_context context, HDB *db)
static krb5_error_code
hkt_firstkey(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry)
unsigned flags, hdb_entry *entry)
{
return HDB_ERR_DB_INUSE;
}
static krb5_error_code
hkt_nextkey(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
hdb_entry * entry)
{
return HDB_ERR_DB_INUSE;
}
@@ -119,7 +119,7 @@ hkt_open(krb5_context context, HDB * db, int flags, mode_t mode)
static krb5_error_code
hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry)
unsigned flags, krb5_kvno kvno, hdb_entry * entry)
{
hdb_keytab k = (hdb_keytab)db->hdb_db;
krb5_error_code ret;
@@ -132,13 +132,13 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
memset(&ktentry, 0, sizeof(ktentry));
entry->entry.flags.server = 1;
entry->entry.flags.forwardable = 1;
entry->entry.flags.renewable = 1;
entry->flags.server = 1;
entry->flags.forwardable = 1;
entry->flags.renewable = 1;
/* Not recorded in the OD backend, make something up */
ret = krb5_parse_name(context, "hdb/keytab@WELL-KNOWN:KEYTAB-BACKEND",
&entry->entry.created_by.principal);
&entry->created_by.principal);
if (ret)
goto out;
@@ -155,7 +155,7 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
goto out;
}
ret = krb5_copy_principal(context, principal, &entry->entry.principal);
ret = krb5_copy_principal(context, principal, &entry->principal);
if (ret)
goto out;
@@ -163,8 +163,8 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
out:
if (ret) {
free_HDB_entry(&entry->entry);
memset(&entry->entry, 0, sizeof(entry->entry));
free_HDB_entry(entry);
memset(entry, 0, sizeof(*entry));
}
krb5_kt_free_entry(context, &ktentry);
@@ -173,7 +173,7 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
static krb5_error_code
hkt_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
hdb_entry * entry)
{
return HDB_ERR_DB_INUSE;
}

348
lib/hdb/hdb-ldap.c
View File

@@ -47,7 +47,7 @@ static krb5_error_code LDAP_close(krb5_context context, HDB *);
static krb5_error_code
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int flags, hdb_entry_ex * ent);
int flags, hdb_entry * ent);
static const char *default_structural_object = "account";
static char *structural_object;
@@ -388,14 +388,14 @@ bervalstrcmp(struct berval *v, const char *str)
static krb5_error_code
LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
LDAPMessage * msg, LDAPMod *** pmods, krb5_boolean *pis_new_entry)
{
krb5_error_code ret;
krb5_boolean is_new_entry = FALSE;
char *tmp = NULL;
LDAPMod **mods = NULL;
hdb_entry_ex orig;
hdb_entry orig;
unsigned long oflags, nflags;
int i;
@@ -477,12 +477,12 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
if (is_new_entry ||
krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
krb5_principal_compare(context, ent->principal, orig.principal)
== FALSE)
{
if (is_heimdal_principal || is_heimdal_entry) {
ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
ret = krb5_unparse_name(context, ent->principal, &tmp);
if (ret)
goto out;
@@ -496,7 +496,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
if (is_account || is_samba_account) {
ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
ret = krb5_unparse_name_short(context, ent->principal, &tmp);
if (ret)
goto out;
ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
@@ -508,15 +508,15 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
if (is_heimdal_entry && (ent->kvno != orig.kvno || is_new_entry)) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5KeyVersionNumber",
ent->entry.kvno);
ent->kvno);
if (ret)
goto out;
}
if (is_heimdal_entry && ent->entry.extensions) {
if (is_heimdal_entry && ent->extensions) {
if (!is_new_entry) {
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5ExtendedAttributes");
if (vals) {
@@ -527,11 +527,11 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
for (i = 0; i < ent->entry.extensions->len; i++) {
for (i = 0; i < ent->extensions->len; i++) {
unsigned char *buf;
size_t size, sz = 0;
ASN1_MALLOC_ENCODE(HDB_extension, buf, size, &ent->entry.extensions->val[i], &sz, ret);
ASN1_MALLOC_ENCODE(HDB_extension, buf, size, &ent->extensions->val[i], &sz, ret);
if (ret)
goto out;
if (size != sz)
@@ -543,42 +543,42 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
if (is_heimdal_entry && ent->entry.valid_start) {
if (orig.entry.valid_end == NULL
|| (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
if (is_heimdal_entry && ent->valid_start) {
if (orig.valid_end == NULL
|| (*(ent->valid_start) != *(orig.valid_start))) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5ValidStart",
ent->entry.valid_start);
ent->valid_start);
if (ret)
goto out;
}
}
if (ent->entry.valid_end) {
if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
if (ent->valid_end) {
if (orig.valid_end == NULL || (*(ent->valid_end) != *(orig.valid_end))) {
if (is_heimdal_entry) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5ValidEnd",
ent->entry.valid_end);
ent->valid_end);
if (ret)
goto out;
}
if (is_samba_account) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaKickoffTime",
*(ent->entry.valid_end));
*(ent->valid_end));
if (ret)
goto out;
}
}
}
if (ent->entry.pw_end) {
if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
if (ent->pw_end) {
if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) {
if (is_heimdal_entry) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5PasswordEnd",
ent->entry.pw_end);
ent->pw_end);
if (ret)
goto out;
}
@@ -586,7 +586,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
if (is_samba_account) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaPwdMustChange",
*(ent->entry.pw_end));
*(ent->pw_end));
if (ret)
goto out;
}
@@ -595,43 +595,43 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
#if 0 /* we we have last_pw_change */
if (is_samba_account && ent->entry.last_pw_change) {
if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
if (is_samba_account && ent->last_pw_change) {
if (orig.last_pw_change == NULL || (*(ent->last_pw_change) != *(orig.last_pw_change))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaPwdLastSet",
*(ent->entry.last_pw_change));
*(ent->last_pw_change));
if (ret)
goto out;
}
}
#endif
if (is_heimdal_entry && ent->entry.max_life) {
if (orig.entry.max_life == NULL
|| (*(ent->entry.max_life) != *(orig.entry.max_life))) {
if (is_heimdal_entry && ent->max_life) {
if (orig.max_life == NULL
|| (*(ent->max_life) != *(orig.max_life))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5MaxLife",
*(ent->entry.max_life));
*(ent->max_life));
if (ret)
goto out;
}
}
if (is_heimdal_entry && ent->entry.max_renew) {
if (orig.entry.max_renew == NULL
|| (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
if (is_heimdal_entry && ent->max_renew) {
if (orig.max_renew == NULL
|| (*(ent->max_renew) != *(orig.max_renew))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5MaxRenew",
*(ent->entry.max_renew));
*(ent->max_renew));
if (ret)
goto out;
}
}
oflags = HDBFlags2int(orig.entry.flags);
nflags = HDBFlags2int(ent->entry.flags);
oflags = HDBFlags2int(orig.flags);
nflags = HDBFlags2int(ent->flags);
if (is_heimdal_entry && oflags != nflags) {
@@ -643,7 +643,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
/* Remove keys if they exists, and then replace keys. */
if (!is_new_entry && orig.entry.keys.len > 0) {
if (!is_new_entry && orig.keys.len > 0) {
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
if (vals) {
ldap_value_free_len(vals);
@@ -654,21 +654,21 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
for (i = 0; i < ent->entry.keys.len; i++) {
for (i = 0; i < ent->keys.len; i++) {
if (is_samba_account
&& ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
&& ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
char *ntHexPassword;
char *nt;
time_t now = time(NULL);
/* the key might have been 'sealed', but samba passwords
are clear in the directory */
ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
ret = hdb_unseal_key(context, db, &ent->keys.val[i]);
if (ret)
goto out;
nt = ent->entry.keys.val[i].key.keyvalue.data;
nt = ent->keys.val[i].key.keyvalue.data;
/* store in ntPassword, not krb5key */
ret = hex_encode(nt, 16, &ntHexPassword);
if (ret < 0) {
@@ -701,7 +701,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
unsigned char *buf;
size_t len, buf_size;
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->keys.val[i], &len, ret);
if (ret)
goto out;
if(buf_size != len)
@@ -714,7 +714,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
if (ent->entry.etypes) {
if (ent->etypes) {
int add_krb5EncryptionType = 0;
/*
@@ -736,15 +736,15 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
add_krb5EncryptionType = 1;
if (add_krb5EncryptionType) {
for (i = 0; i < ent->entry.etypes->len; i++) {
for (i = 0; i < ent->etypes->len; i++) {
if (is_samba_account &&
ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
{
;
} else if (is_heimdal_entry) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
"krb5EncryptionType",
ent->entry.etypes->val[i]);
ent->etypes->val[i]);
if (ret)
goto out;
}
@@ -1005,7 +1005,7 @@ LDAP_principal2message(krb5_context context, HDB * db,
*/
static krb5_error_code
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int flags, hdb_entry_ex * ent)
int flags, hdb_entry * ent)
{
char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
char *samba_acct_flags = NULL;
@@ -1015,18 +1015,18 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int tmp, tmp_time, i, ret, have_arcfour = 0;
memset(ent, 0, sizeof(*ent));
ent->entry.flags = int2HDBFlags(0);
ent->flags = int2HDBFlags(0);
ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
if (ret == 0) {
ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
ret = krb5_parse_name(context, unparsed_name, &ent->principal);
if (ret)
goto out;
} else {
ret = LDAP_get_string_value(db, msg, "uid",
&unparsed_name);
if (ret == 0) {
ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
ret = krb5_parse_name(context, unparsed_name, &ent->principal);
if (ret)
goto out;
} else {
@@ -1042,25 +1042,25 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
&integer);
if (ret)
ent->entry.kvno = 0;
ent->kvno = 0;
else
ent->entry.kvno = integer;
ent->kvno = integer;
}
keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
if (keys != NULL) {
size_t l;
ent->entry.keys.len = ldap_count_values_len(keys);
ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
if (ent->entry.keys.val == NULL) {
ent->keys.len = ldap_count_values_len(keys);
ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key));
if (ent->keys.val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "calloc: out of memory");
goto out;
}
for (i = 0; i < ent->entry.keys.len; i++) {
for (i = 0; i < ent->keys.len; i++) {
decode_Key((unsigned char *) keys[i]->bv_val,
(size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
(size_t) keys[i]->bv_len, &ent->keys.val[i], &l);
}
ber_bvecfree(keys);
} else {
@@ -1070,8 +1070,8 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
* be related to a general directory entry without creating
* the keys. Hopefully it's OK.
*/
ent->entry.keys.len = 0;
ent->entry.keys.val = NULL;
ent->keys.len = 0;
ent->keys.val = NULL;
#else
ret = HDB_ERR_NOENTRY;
goto out;
@@ -1082,47 +1082,47 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
if (extensions != NULL) {
size_t l;
ent->entry.extensions = calloc(1, sizeof(*(ent->entry.extensions)));
if (ent->entry.extensions == NULL) {
ent->extensions = calloc(1, sizeof(*(ent->extensions)));
if (ent->extensions == NULL) {
ret = krb5_enomem(context);
goto out;
}
ent->entry.extensions->len = ldap_count_values_len(extensions);
ent->entry.extensions->val = (HDB_extension *) calloc(ent->entry.extensions->len, sizeof(HDB_extension));
if (ent->entry.extensions->val == NULL) {
ent->entry.extensions->len = 0;
ent->extensions->len = ldap_count_values_len(extensions);
ent->extensions->val = (HDB_extension *) calloc(ent->extensions->len, sizeof(HDB_extension));
if (ent->extensions->val == NULL) {
ent->extensions->len = 0;
ret = krb5_enomem(context);
goto out;
}
for (i = 0; i < ent->entry.extensions->len; i++) {
for (i = 0; i < ent->extensions->len; i++) {
ret = decode_HDB_extension((unsigned char *) extensions[i]->bv_val,
(size_t) extensions[i]->bv_len, &ent->entry.extensions->val[i], &l);
(size_t) extensions[i]->bv_len, &ent->extensions->val[i], &l);
if (ret)
krb5_set_error_message(context, ret, "decode_HDB_extension failed");
}
ber_bvecfree(extensions);
} else {
ent->entry.extensions = NULL;
ent->extensions = NULL;
}
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
if (vals != NULL) {
ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
if (ent->entry.etypes == NULL) {
ent->etypes = malloc(sizeof(*(ent->etypes)));
if (ent->etypes == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,"malloc: out of memory");
goto out;
}
ent->entry.etypes->len = ldap_count_values_len(vals);
ent->entry.etypes->val = calloc(ent->entry.etypes->len,
sizeof(ent->entry.etypes->val[0]));
if (ent->entry.etypes->val == NULL) {
ent->etypes->len = ldap_count_values_len(vals);
ent->etypes->val = calloc(ent->etypes->len,
sizeof(ent->etypes->val[0]));
if (ent->etypes->val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
ent->entry.etypes->len = 0;
ent->etypes->len = 0;
goto out;
}
for (i = 0; i < ent->entry.etypes->len; i++) {
for (i = 0; i < ent->etypes->len; i++) {
char *buf;
buf = malloc(vals[i]->bv_len + 1);
@@ -1133,14 +1133,14 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
}
memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);
buf[vals[i]->bv_len] = '\0';
ent->entry.etypes->val[i] = atoi(buf);
ent->etypes->val[i] = atoi(buf);
free(buf);
}
ldap_value_free_len(vals);
}
for (i = 0; i < ent->entry.keys.len; i++) {
if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
for (i = 0; i < ent->keys.len; i++) {
if (ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
have_arcfour = 1;
break;
}
@@ -1152,151 +1152,151 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
unsigned *etypes;
Key *ks;
ks = realloc(ent->entry.keys.val,
(ent->entry.keys.len + 1) *
sizeof(ent->entry.keys.val[0]));
ks = realloc(ent->keys.val,
(ent->keys.len + 1) *
sizeof(ent->keys.val[0]));
if (ks == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ent->entry.keys.val = ks;
memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
ent->keys.val = ks;
memset(&ent->keys.val[ent->keys.len], 0, sizeof(Key));
ent->keys.val[ent->keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
ret = krb5_data_alloc (&ent->keys.val[ent->keys.len].key.keyvalue, 16);
if (ret) {
krb5_set_error_message(context, ret, "malloc: out of memory");
ret = ENOMEM;
goto out;
}
ret = hex_decode(ntPasswordIN,
ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
ent->entry.keys.len++;
ent->keys.val[ent->keys.len].key.keyvalue.data, 16);
ent->keys.len++;
if (ret == -1) {
krb5_set_error_message(context, ret = EINVAL,
"invalid hex encoding of password");
goto out;
}
if (ent->entry.etypes == NULL) {
ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
if (ent->entry.etypes == NULL) {
if (ent->etypes == NULL) {
ent->etypes = malloc(sizeof(*(ent->etypes)));
if (ent->etypes == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ent->entry.etypes->val = NULL;
ent->entry.etypes->len = 0;
ent->etypes->val = NULL;
ent->etypes->len = 0;
}
for (i = 0; i < ent->entry.etypes->len; i++)
if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
for (i = 0; i < ent->etypes->len; i++)
if (ent->etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
break;
/* If there is no ARCFOUR enctype, add one */
if (i == ent->entry.etypes->len) {
etypes = realloc(ent->entry.etypes->val,
(ent->entry.etypes->len + 1) *
sizeof(ent->entry.etypes->val[0]));
if (i == ent->etypes->len) {
etypes = realloc(ent->etypes->val,
(ent->etypes->len + 1) *
sizeof(ent->etypes->val[0]));
if (etypes == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ent->entry.etypes->val = etypes;
ent->entry.etypes->val[ent->entry.etypes->len] =
ent->etypes->val = etypes;
ent->etypes->val[ent->etypes->len] =
ETYPE_ARCFOUR_HMAC_MD5;
ent->entry.etypes->len++;
ent->etypes->len++;
}
}
ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
&ent->entry.created_by.time);
&ent->created_by.time);
if (ret)
ent->entry.created_by.time = time(NULL);
ent->created_by.time = time(NULL);
ent->entry.created_by.principal = NULL;
ent->created_by.principal = NULL;
if (flags & HDB_F_ADMIN_DATA) {
ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
if (ret == 0) {
LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal);
LDAP_dn2principal(context, db, dn, &ent->created_by.principal);
free(dn);
}
ent->entry.modified_by = calloc(1, sizeof(*ent->entry.modified_by));
if (ent->entry.modified_by == NULL) {
ent->modified_by = calloc(1, sizeof(*ent->modified_by));
if (ent->modified_by == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
&ent->entry.modified_by->time);
&ent->modified_by->time);
if (ret == 0) {
ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
if (ret == 0) {
LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal);
LDAP_dn2principal(context, db, dn, &ent->modified_by->principal);
free(dn);
} else {
free(ent->entry.modified_by);
ent->entry.modified_by = NULL;
free(ent->modified_by);
ent->modified_by = NULL;
}
}
}
ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
if (ent->entry.valid_start == NULL) {
ent->valid_start = malloc(sizeof(*ent->valid_start));
if (ent->valid_start == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
ent->entry.valid_start);
ent->valid_start);
if (ret) {
/* OPTIONAL */
free(ent->entry.valid_start);
ent->entry.valid_start = NULL;
free(ent->valid_start);
ent->valid_start = NULL;
}
ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
if (ent->entry.valid_end == NULL) {
ent->valid_end = malloc(sizeof(*ent->valid_end));
if (ent->valid_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
ent->entry.valid_end);
ent->valid_end);
if (ret) {
/* OPTIONAL */
free(ent->entry.valid_end);
ent->entry.valid_end = NULL;
free(ent->valid_end);
ent->valid_end = NULL;
}
ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
if (ret == 0) {
if (ent->entry.valid_end == NULL) {
ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
if (ent->entry.valid_end == NULL) {
if (ent->valid_end == NULL) {
ent->valid_end = malloc(sizeof(*ent->valid_end));
if (ent->valid_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
*ent->entry.valid_end = tmp_time;
*ent->valid_end = tmp_time;
}
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
if (ent->entry.pw_end == NULL) {
ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
ent->entry.pw_end);
ent->pw_end);
if (ret) {
/* OPTIONAL */
free(ent->entry.pw_end);
ent->entry.pw_end = NULL;
free(ent->pw_end);
ent->pw_end = NULL;
}
ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
@@ -1310,76 +1310,76 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
NULL);
if (delta) {
if (ent->entry.pw_end == NULL) {
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
if (ent->entry.pw_end == NULL) {
if (ent->pw_end == NULL) {
ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
*ent->entry.pw_end = tmp_time + delta;
*ent->pw_end = tmp_time + delta;
}
}
ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
if (ret == 0) {
if (ent->entry.pw_end == NULL) {
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
if (ent->entry.pw_end == NULL) {
if (ent->pw_end == NULL) {
ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
*ent->entry.pw_end = tmp_time;
*ent->pw_end = tmp_time;
}
/* OPTIONAL */
ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
if (ret == 0)
hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
hdb_entry_set_pw_change_time(context, ent, tmp_time);
{
int max_life;
ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
if (ent->entry.max_life == NULL) {
ent->max_life = malloc(sizeof(*ent->max_life));
if (ent->max_life == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
if (ret) {
free(ent->entry.max_life);
ent->entry.max_life = NULL;
free(ent->max_life);
ent->max_life = NULL;
} else
*ent->entry.max_life = max_life;
*ent->max_life = max_life;
}
{
int max_renew;
ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
if (ent->entry.max_renew == NULL) {
ent->max_renew = malloc(sizeof(*ent->max_renew));
if (ent->max_renew == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
if (ret) {
free(ent->entry.max_renew);
ent->entry.max_renew = NULL;
free(ent->max_renew);
ent->max_renew = NULL;
} else
*ent->entry.max_renew = max_renew;
*ent->max_renew = max_renew;
}
ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);
if (ret)
tmp = 0;
ent->entry.flags = int2HDBFlags(tmp);
ent->flags = int2HDBFlags(tmp);
/* Try and find Samba flags to put into the mix */
ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
@@ -1411,7 +1411,7 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
/* Allow forwarding */
if (samba_forwardable)
ent->entry.flags.forwardable = TRUE;
ent->flags.forwardable = TRUE;
for (i=0; i < flags_len; i++) {
switch (samba_acct_flags[i]) {
@@ -1423,36 +1423,36 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
/* how to handle no password in kerberos? */
break;
case 'D':
ent->entry.flags.invalid = TRUE;
ent->flags.invalid = TRUE;
break;
case 'H':
break;
case 'T':
/* temp duplicate */
ent->entry.flags.invalid = TRUE;
ent->flags.invalid = TRUE;
break;
case 'U':
ent->entry.flags.client = TRUE;
ent->flags.client = TRUE;
break;
case 'M':
break;
case 'W':
case 'S':
ent->entry.flags.server = TRUE;
ent->entry.flags.client = TRUE;
ent->flags.server = TRUE;
ent->flags.client = TRUE;
break;
case 'L':
ent->entry.flags.invalid = TRUE;
ent->flags.invalid = TRUE;
break;
case 'X':
if (ent->entry.pw_end) {
free(ent->entry.pw_end);
ent->entry.pw_end = NULL;
if (ent->pw_end) {
free(ent->pw_end);
ent->pw_end = NULL;
}
break;
case 'I':
ent->entry.flags.server = TRUE;
ent->entry.flags.client = TRUE;
ent->flags.server = TRUE;
ent->flags.client = TRUE;
break;
}
}
@@ -1496,7 +1496,7 @@ LDAP_unlock(krb5_context context, HDB * db)
}
static krb5_error_code
LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
{
int msgid, rc, parserc;
krb5_error_code ret;
@@ -1550,7 +1550,7 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
if (ret == 0) {
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if (ret)
hdb_free_entry(context, db, entry);
}
@@ -1561,7 +1561,7 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
static krb5_error_code
LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
krb5_error_code ret;
int msgid;
@@ -1589,7 +1589,7 @@ LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
static krb5_error_code
LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
hdb_entry * entry)
{
return LDAP_seq(context, db, flags, entry);
}
@@ -1692,7 +1692,7 @@ LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
static krb5_error_code
LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry)
unsigned flags, krb5_kvno kvno, hdb_entry * entry)
{
LDAPMessage *msg, *e;
krb5_error_code ret;
@@ -1710,7 +1710,7 @@ LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
ret = LDAP_message2entry(context, db, e, flags, entry);
if (ret == 0) {
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if (ret)
hdb_free_entry(context, db, entry);
}
@@ -1725,7 +1725,7 @@ LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
#if 0
static krb5_error_code
LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, hdb_entry_ex * entry)
unsigned flags, hdb_entry * entry)
{
return LDAP_fetch_kvno(context, db, principal,
flags & (~HDB_F_KVNO_SPECIFIED), 0, entry);
@@ -1734,7 +1734,7 @@ LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
static krb5_error_code
LDAP_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
hdb_entry * entry)
{
LDAPMod **mods = NULL;
krb5_error_code ret;
@@ -1747,17 +1747,17 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
if ((flags & HDB_F_PRECHECK))
return 0; /* we can't guarantee whether we'll be able to perform it */
ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
ret = LDAP_principal2message(context, db, entry->principal, &msg);
if (ret == 0)
e = ldap_first_entry(HDB2LDAP(db), msg);
ret = krb5_unparse_name(context, entry->entry.principal, &name);
ret = krb5_unparse_name(context, entry->principal, &name);
if (ret) {
free(name);
return ret;
}
ret = hdb_seal_keys(context, db, &entry->entry);
ret = hdb_seal_keys(context, db, entry);
if (ret)
goto out;

18
lib/hdb/hdb-mdb.c
View File

@@ -383,7 +383,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code
DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag)
unsigned flags, hdb_entry *entry, int flag)
{
mdb_info *mi = db->hdb_db;
MDB_val key, value;
@@ -406,21 +406,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.mv_data;
data.length = value.mv_size;
memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry))
if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, MDB_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry);
code = hdb_unseal_keys (context, db, entry);
if (code)
hdb_free_entry (context, db, entry);
}
if (entry->entry.principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal));
if (entry->entry.principal == NULL) {
if (entry->principal == NULL) {
entry->principal = malloc(sizeof(*entry->principal));
if (entry->principal == NULL) {
hdb_free_entry (context, db, entry);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
} else {
hdb_key2principal(context, &key_data, entry->entry.principal);
hdb_key2principal(context, &key_data, entry->principal);
}
}
return 0;
@@ -428,7 +428,7 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
krb5_error_code ret = 0;
mdb_info *mi = db->hdb_db;
@@ -462,7 +462,7 @@ DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, MDB_NEXT);
}

26
lib/hdb/hdb-mitdb.c
View File

@@ -765,7 +765,7 @@ mdb_unlock(krb5_context context, HDB *db)
static krb5_error_code
mdb_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag)
unsigned flags, hdb_entry *entry, int flag)
{
DB *d = (DB*)db->hdb_db;
DBT key, value;
@@ -796,11 +796,11 @@ mdb_seq(krb5_context context, HDB *db,
data.length = value.size;
memset(entry, 0, sizeof(*entry));
if (_hdb_mdb_value2entry(context, &data, 0, &entry->entry))
if (_hdb_mdb_value2entry(context, &data, 0, entry))
return mdb_seq(context, db, flags, entry, R_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry);
code = hdb_unseal_keys (context, db, entry);
if (code)
hdb_free_entry (context, db, entry);
}
@@ -810,14 +810,14 @@ mdb_seq(krb5_context context, HDB *db,
static krb5_error_code
mdb_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
mdb_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return mdb_seq(context, db, flags, entry, R_FIRST);
}
static krb5_error_code
mdb_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
mdb_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return mdb_seq(context, db, flags, entry, R_NEXT);
}
@@ -941,7 +941,7 @@ mdb__del(krb5_context context, HDB *db, krb5_data key)
static krb5_error_code
mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{
krb5_data key, value;
krb5_error_code ret;
@@ -953,13 +953,13 @@ mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
krb5_data_free(&key);
if(ret)
return ret;
ret = _hdb_mdb_value2entry(context, &value, kvno, &entry->entry);
ret = _hdb_mdb_value2entry(context, &value, kvno, entry);
krb5_data_free(&value);
if (ret)
return ret;
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys (context, db, &entry->entry);
ret = hdb_unseal_keys (context, db, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
@@ -970,7 +970,7 @@ mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
}
static krb5_error_code
mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
krb5_error_code ret;
krb5_storage *sp = NULL;
@@ -985,7 +985,7 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return 0;
if ((flags & HDB_F_PRECHECK)) {
ret = mdb_principal2key(context, entry->entry.principal, &key);
ret = mdb_principal2key(context, entry->principal, &key);
if (ret) return ret;
ret = db->hdb__get(context, db, key, &value);
krb5_data_free(&key);
@@ -999,9 +999,9 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
sp = krb5_storage_emem();
if (!sp) return ENOMEM;
ret = _hdb_set_master_key_usage(context, db, 0); /* MIT KDB uses KU 0 */
ret = hdb_seal_keys(context, db, &entry->entry);
ret = hdb_seal_keys(context, db, entry);
if (ret) return ret;
ret = entry2mit_string_int(context, sp, &entry->entry);
ret = entry2mit_string_int(context, sp, entry);
if (ret) goto out;
sz = krb5_storage_write(sp, "\n", 2); /* NUL-terminate */
ret = ENOMEM;
@@ -1016,7 +1016,7 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
if (ret) goto out;
ret = krb5_storage_to_data(spent, &kdb_ent);
if (ret) goto out;
ret = mdb_principal2key(context, entry->entry.principal, &key);
ret = mdb_principal2key(context, entry->principal, &key);
if (ret) goto out;
ret = mdb__put(context, db, 1, key, kdb_ent);

24
lib/hdb/hdb-sqlite.c
View File

@@ -495,7 +495,7 @@ hdb_sqlite_make_database(krb5_context context, HDB *db, const char *filename)
*/
static krb5_error_code
hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{
int sqlite_error;
krb5_error_code ret;
@@ -541,12 +541,12 @@ hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal princi
value.length = sqlite3_column_bytes(fetch, 0);
value.data = (void *) sqlite3_column_blob(fetch, 0);
ret = hdb_value2entry(context, &value, &entry->entry);
ret = hdb_value2entry(context, &value, entry);
if(ret)
goto out;
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if(ret) {
hdb_free_entry(context, db, entry);
goto out;
@@ -600,7 +600,7 @@ hdb_sqlite_step_once(krb5_context context, HDB *db, sqlite3_stmt *statement)
*/
static krb5_error_code
hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
int ret;
int i;
@@ -624,17 +624,17 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback;
}
ret = hdb_seal_keys(context, db, &entry->entry);
ret = hdb_seal_keys(context, db, entry);
if(ret) {
goto rollback;
}
ret = hdb_entry2value(context, &entry->entry, &value);
ret = hdb_entry2value(context, entry, &value);
if(ret) {
goto rollback;
}
ret = bind_principal(context, entry->entry.principal, get_ids, 1);
ret = bind_principal(context, entry->principal, get_ids, 1);
if (ret)
goto rollback;
@@ -656,7 +656,7 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback;
}
ret = bind_principal(context, entry->entry.principal, hsdb->add_principal, 1);
ret = bind_principal(context, entry->principal, hsdb->add_principal, 1);
if (ret)
goto rollback;
@@ -711,7 +711,7 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback;
}
ret = hdb_entry_get_aliases(&entry->entry, &aliases);
ret = hdb_entry_get_aliases(entry, &aliases);
if(ret || aliases == NULL)
goto commit;
@@ -862,7 +862,7 @@ hdb_sqlite_unlock(krb5_context context, HDB *db)
*/
static krb5_error_code
hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
krb5_error_code ret = 0;
int sqlite_error;
@@ -876,7 +876,7 @@ hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
value.length = sqlite3_column_bytes(hsdb->get_all_entries, 0);
value.data = (void *) sqlite3_column_blob(hsdb->get_all_entries, 0);
memset(entry, 0, sizeof(*entry));
ret = hdb_value2entry(context, &value, &entry->entry);
ret = hdb_value2entry(context, &value, entry);
}
else if(sqlite_error == SQLITE_DONE) {
/* No more entries */
@@ -900,7 +900,7 @@ hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
*/
static krb5_error_code
hdb_sqlite_firstkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
hdb_sqlite_db *hsdb = (hdb_sqlite_db *) db->hdb_db;
krb5_error_code ret;

28
lib/hdb/hdb.c
View File

@@ -397,7 +397,7 @@ hdb_unlock(int fd)
}
void
hdb_free_entry(krb5_context context, HDB *db, hdb_entry_ex *ent)
hdb_free_entry(krb5_context context, HDB *db, hdb_entry *ent)
{
Key *k;
size_t i;
@@ -405,15 +405,15 @@ hdb_free_entry(krb5_context context, HDB *db, hdb_entry_ex *ent)
if (db && db->hdb_free_entry_context)
db->hdb_free_entry_context(context, db, ent);
for(i = 0; i < ent->entry.keys.len; i++) {
k = &ent->entry.keys.val[i];
for(i = 0; i < ent->keys.len; i++) {
k = &ent->keys.val[i];
memset_s(k->key.keyvalue.data,
k->key.keyvalue.length,
0,
k->key.keyvalue.length);
}
free_HDB_entry(&ent->entry);
free_HDB_entry(ent);
}
krb5_error_code
@@ -424,7 +424,7 @@ hdb_foreach(krb5_context context,
void *data)
{
krb5_error_code ret;
hdb_entry_ex entry;
hdb_entry entry;
ret = db->hdb_firstkey(context, db, flags, &entry);
if (ret == 0)
krb5_clear_error_message(context);
@@ -665,22 +665,22 @@ hdb_list_builtin(krb5_context context, char **list)
krb5_error_code
_hdb_keytab2hdb_entry(krb5_context context,
const krb5_keytab_entry *ktentry,
hdb_entry_ex *entry)
hdb_entry *entry)
{
entry->entry.kvno = ktentry->vno;
entry->entry.created_by.time = ktentry->timestamp;
entry->kvno = ktentry->vno;
entry->created_by.time = ktentry->timestamp;
entry->entry.keys.val = calloc(1, sizeof(entry->entry.keys.val[0]));
if (entry->entry.keys.val == NULL)
entry->keys.val = calloc(1, sizeof(entry->keys.val[0]));
if (entry->keys.val == NULL)
return ENOMEM;
entry->entry.keys.len = 1;
entry->keys.len = 1;
entry->entry.keys.val[0].mkvno = NULL;
entry->entry.keys.val[0].salt = NULL;
entry->keys.val[0].mkvno = NULL;
entry->keys.val[0].salt = NULL;
return krb5_copy_keyblock_contents(context,
&ktentry->keyblock,
&entry->entry.keys.val[0].key);
&entry->keys.val[0].key);
}
static krb5_error_code

34
lib/hdb/hdb.h
View File

@@ -102,18 +102,6 @@ typedef struct hdb_request_desc {
typedef struct hdb_master_key_data *hdb_master_key;
/**
* hdb_entry_ex is a wrapper structure around the hdb_entry structure
* that allows backends to keep a pointer to the backing store, ie in
* ->hdb_fetch_kvno(), so that we the kadmin/kpasswd backend gets around to
* ->hdb_store(), the backend doesn't need to lookup the entry again.
*/
typedef struct hdb_entry_ex {
hdb_entry entry;
} hdb_entry_ex;
/**
* HDB backend function pointer structure
*
@@ -165,7 +153,7 @@ typedef struct HDB {
/**
* Free backend-specific entry context.
*/
void (*hdb_free_entry_context)(krb5_context, struct HDB*, hdb_entry_ex*);
void (*hdb_free_entry_context)(krb5_context, struct HDB*, hdb_entry*);
/**
* Fetch an entry from the backend
*
@@ -175,12 +163,12 @@ typedef struct HDB {
*/
krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*,
krb5_const_principal, unsigned, krb5_kvno,
hdb_entry_ex*);
hdb_entry*);
/**
* Store an entry to database
*/
krb5_error_code (*hdb_store)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*);
unsigned, hdb_entry*);
/**
* Remove an entry from the database.
*/
@@ -190,12 +178,12 @@ typedef struct HDB {
* As part of iteration, fetch one entry
*/
krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*);
unsigned, hdb_entry*);
/**
* As part of iteration, fetch next entry
*/
krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*);
unsigned, hdb_entry*);
/**
* Lock database
*
@@ -274,7 +262,7 @@ typedef struct HDB {
* The backend needs to call _kadm5_set_keys() and perform password
* quality checks.
*/
krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);
krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry*, const char *, int);
/**
* Authentication auditing. Note that this function is called by
@@ -287,22 +275,22 @@ typedef struct HDB {
* In case the entry is locked out, the backend should set the
* hdb_entry.flags.locked-out flag.
*/
krb5_error_code (*hdb_audit)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_request_t);
krb5_error_code (*hdb_audit)(krb5_context, struct HDB *, hdb_entry *, hdb_request_t);
/**
* Check if delegation is allowed.
*/
krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal);
/**
* Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
*/
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal);
/**
* Check if s4u2self is allowed from this client to this server or the SPN is a valid SPN of this client (for user2user)
*/
krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_entry_ex *);
krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry *, hdb_entry *);
/**
* Enable/disable synchronous updates
@@ -337,7 +325,7 @@ struct hdb_print_entry_arg {
};
typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
hdb_entry_ex*, void*);
hdb_entry*, void*);
extern krb5_kt_ops hdb_kt_ops;
extern krb5_kt_ops hdb_get_kt_ops;

30
lib/hdb/keytab.c
View File

@@ -42,7 +42,7 @@ struct hdb_data {
struct hdb_cursor {
HDB *db;
hdb_entry_ex hdb_entry;
hdb_entry hdb_entry;
int first, next;
int key_idx;
};
@@ -181,7 +181,7 @@ hdb_get_entry(krb5_context context,
krb5_enctype enctype,
krb5_keytab_entry *entry)
{
hdb_entry_ex ent;
hdb_entry ent;
krb5_error_code ret;
struct hdb_data *d = id->data;
const char *dbname = d->dbname;
@@ -226,21 +226,21 @@ hdb_get_entry(krb5_context context,
}else if(ret)
goto out;
if(kvno && (krb5_kvno)ent.entry.kvno != kvno) {
if(kvno && (krb5_kvno)ent.kvno != kvno) {
hdb_free_entry(context, db, &ent);
ret = KRB5_KT_NOTFOUND;
goto out;
}
if(enctype == 0)
if(ent.entry.keys.len > 0)
enctype = ent.entry.keys.val[0].key.keytype;
if(ent.keys.len > 0)
enctype = ent.keys.val[0].key.keytype;
ret = KRB5_KT_NOTFOUND;
for(i = 0; i < ent.entry.keys.len; i++) {
if(ent.entry.keys.val[i].key.keytype == enctype) {
for(i = 0; i < ent.keys.len; i++) {
if(ent.keys.val[i].key.keytype == enctype) {
krb5_copy_principal(context, principal, &entry->principal);
entry->vno = ent.entry.kvno;
entry->vno = ent.kvno;
krb5_copy_keyblock_contents(context,
&ent.entry.keys.val[i].key,
&ent.keys.val[i].key,
&entry->keyblock);
ret = 0;
break;
@@ -336,7 +336,7 @@ hdb_next_entry(krb5_context context,
else if (ret)
return ret;
if (c->hdb_entry.entry.keys.len == 0)
if (c->hdb_entry.keys.len == 0)
hdb_free_entry(context, c->db, &c->hdb_entry);
else
c->next = FALSE;
@@ -353,7 +353,7 @@ hdb_next_entry(krb5_context context,
return ret;
/* If no keys on this entry, try again */
if (c->hdb_entry.entry.keys.len == 0)
if (c->hdb_entry.keys.len == 0)
hdb_free_entry(context, c->db, &c->hdb_entry);
else
c->next = FALSE;
@@ -365,14 +365,14 @@ hdb_next_entry(krb5_context context,
*/
ret = krb5_copy_principal(context,
c->hdb_entry.entry.principal,
c->hdb_entry.principal,
&entry->principal);
if (ret)
return ret;
entry->vno = c->hdb_entry.entry.kvno;
entry->vno = c->hdb_entry.kvno;
ret = krb5_copy_keyblock_contents(context,
&c->hdb_entry.entry.keys.val[c->key_idx].key,
&c->hdb_entry.keys.val[c->key_idx].key,
&entry->keyblock);
if (ret) {
krb5_free_principal(context, entry->principal);
@@ -386,7 +386,7 @@ hdb_next_entry(krb5_context context,
* next entry
*/
if ((size_t)c->key_idx == c->hdb_entry.entry.keys.len) {
if ((size_t)c->key_idx == c->hdb_entry.keys.len) {
hdb_free_entry(context, c->db, &c->hdb_entry);
c->next = TRUE;
c->key_idx = 0;

18
lib/hdb/ndbm.c
View File

@@ -76,7 +76,7 @@ NDBM_unlock(krb5_context context, HDB *db)
static krb5_error_code
NDBM_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int first)
unsigned flags, hdb_entry *entry, int first)
{
struct ndbm_db *d = (struct ndbm_db *)db->hdb_db;
@@ -99,21 +99,21 @@ NDBM_seq(krb5_context context, HDB *db,
data.data = value.dptr;
data.length = value.dsize;
memset(entry, 0, sizeof(*entry));
if(hdb_value2entry(context, &data, &entry->entry))
if(hdb_value2entry(context, &data, entry))
return NDBM_seq(context, db, flags, entry, 0);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys (context, db, &entry->entry);
ret = hdb_unseal_keys (context, db, entry);
if (ret)
hdb_free_entry (context, db, entry);
}
if (ret == 0 && entry->entry.principal == NULL) {
entry->entry.principal = malloc (sizeof(*entry->entry.principal));
if (entry->entry.principal == NULL) {
if (ret == 0 && entry->principal == NULL) {
entry->principal = malloc (sizeof(*entry->principal));
if (entry->principal == NULL) {
hdb_free_entry (context, db, entry);
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
} else {
hdb_key2principal (context, &key_data, entry->entry.principal);
hdb_key2principal (context, &key_data, entry->principal);
}
}
return ret;
@@ -121,14 +121,14 @@ NDBM_seq(krb5_context context, HDB *db,
static krb5_error_code
NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry_ex *entry)
NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry *entry)
{
return NDBM_seq(context, db, flags, entry, 1);
}
static krb5_error_code
NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry_ex *entry)
NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry *entry)
{
return NDBM_seq(context, db, flags, entry, 0);
}

6
lib/hdb/print.c
View File

@@ -556,7 +556,7 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str)
/* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */
krb5_error_code
hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry,
hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry,
void *data)
{
struct hdb_print_entry_arg *parg = data;
@@ -572,10 +572,10 @@ hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry,
switch (parg->fmt) {
case HDB_DUMP_HEIMDAL:
ret = entry2string_int(context, sp, &entry->entry);
ret = entry2string_int(context, sp, entry);
break;
case HDB_DUMP_MIT:
ret = entry2mit_string_int(context, sp, &entry->entry);
ret = entry2mit_string_int(context, sp, entry);
break;
default:
heim_abort("Only two dump formats supported: Heimdal and MIT");

52
lib/hdb/test_concurrency.c
View File

@@ -70,7 +70,7 @@ threaded_reader(void *d)
krb5_error_code ret;
krb5_context context;
struct tsync *s = d;
hdb_entry_ex entr;
hdb_entry entr;
HDB *dbr = NULL;
printf("Reader thread opening HDB\n");
@@ -101,7 +101,7 @@ threaded_reader(void *d)
//(void) unlink(s->fname);
krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name);
}
free_HDB_entry(&entr.entry);
free_HDB_entry(&entr);
/* Tell the writer to go ahead and write */
printf("Reader thread iterated one entry; telling writer to write more\n");
@@ -124,7 +124,7 @@ threaded_reader(void *d)
"Could not iterate while writing to HDB %s", s->hdb_name);
}
printf("Reader thread iterated another entry\n");
free_HDB_entry(&entr.entry);
free_HDB_entry(&entr);
if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) {
//(void) unlink(s->fname);
krb5_warn(context, ret,
@@ -154,7 +154,7 @@ forked_reader(struct tsync *s)
{
krb5_error_code ret;
krb5_context context;
hdb_entry_ex entr;
hdb_entry entr;
ssize_t bytes;
char b[1];
HDB *dbr = NULL;
@@ -190,7 +190,7 @@ forked_reader(struct tsync *s)
krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name);
}
printf("Reader process iterated one entry\n");
free_HDB_entry(&entr.entry);
free_HDB_entry(&entr);
/* Tell the writer to go ahead and write */
printf("Reader process iterated one entry; telling writer to write more\n");
@@ -217,13 +217,13 @@ forked_reader(struct tsync *s)
krb5_err(context, 1, ret,
"Could not iterate while writing to HDB %s", s->hdb_name);
}
free_HDB_entry(&entr.entry);
free_HDB_entry(&entr);
printf("Reader process iterated another entry\n");
if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) {
//(void) unlink(s->fname);
krb5_warn(context, ret,
"HDB %s sees writes committed since starting iteration (%s)",
s->hdb_name, entr.entry.principal->name.name_string.val[0]);
s->hdb_name, entr.principal->name.name_string.val[0]);
} else if (ret != HDB_ERR_NOENTRY) {
//(void) unlink(s->fname);
krb5_err(context, 1, ret,
@@ -248,27 +248,27 @@ forked_reader(struct tsync *s)
}
static krb5_error_code
make_entry(krb5_context context, hdb_entry_ex *entry, const char *name)
make_entry(krb5_context context, hdb_entry *entry, const char *name)
{
krb5_error_code ret;
memset(entry, 0, sizeof(*entry));
entry->entry.kvno = 2;
entry->entry.keys.len = 0;
entry->entry.keys.val = NULL;
entry->entry.created_by.time = time(NULL);
entry->entry.modified_by = NULL;
entry->entry.valid_start = NULL;
entry->entry.valid_end = NULL;
entry->entry.max_life = NULL;
entry->entry.max_renew = NULL;
entry->entry.etypes = NULL;
entry->entry.generation = NULL;
entry->entry.extensions = NULL;
if ((ret = krb5_make_principal(context, &entry->entry.principal,
entry->kvno = 2;
entry->keys.len = 0;
entry->keys.val = NULL;
entry->created_by.time = time(NULL);
entry->modified_by = NULL;
entry->valid_start = NULL;
entry->valid_end = NULL;
entry->max_life = NULL;
entry->max_renew = NULL;
entry->etypes = NULL;
entry->generation = NULL;
entry->extensions = NULL;
if ((ret = krb5_make_principal(context, &entry->principal,
"TEST.H5L.SE", name, NULL)))
return ret;
if ((ret = krb5_make_principal(context, &entry->entry.created_by.principal,
if ((ret = krb5_make_principal(context, &entry->created_by.principal,
"TEST.H5L.SE", "tester", NULL)))
return ret;
return 0;
@@ -326,7 +326,7 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
char *fname_ext = NULL;
pthread_t reader_thread;
struct tsync ts;
hdb_entry_ex entw;
hdb_entry entw;
pid_t child = getpid();
HDB *dbw = NULL;
int status;
@@ -393,14 +393,14 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
krb5_err(context, 1, ret,
"Could not store entry for \"foo\" in HDB %s", name);
}
free_HDB_entry(&entw.entry);
free_HDB_entry(&entw);
if ((ret = make_entry(context, &entw, "bar")) ||
(ret = dbw->hdb_store(context, dbw, 0, &entw))) {
(void) unlink(fname_ext);
krb5_err(context, 1, ret,
"Could not store entry for \"foo\" in HDB %s", name);
}
free_HDB_entry(&entw.entry);
free_HDB_entry(&entw);
/* Tell the reader to start reading */
readers_turn(&ts, child, threaded);
@@ -413,7 +413,7 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
"Could not store entry for \"foobar\" in HDB %s "
"while iterating it", name);
}
free_HDB_entry(&entw.entry);
free_HDB_entry(&entw);
/* Tell the reader to go again */
readers_turn(&ts, child, threaded);

145
lib/hdb/test_namespace.c
View File

@@ -106,7 +106,7 @@ TDB_unlock(krb5_context context, HDB *db)
}
static krb5_error_code
TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
/* XXX Implement */
/* Tricky thing: heim_dict_iterate_f() is inconvenient here */
@@ -115,7 +115,7 @@ TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
}
static krb5_error_code
TDB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
TDB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
/* XXX Implement */
/* Tricky thing: heim_dict_iterate_f() is inconvenient here */
@@ -337,7 +337,7 @@ static void
make_namespace(krb5_context context, HDB *db, const char *name)
{
krb5_error_code ret = 0;
hdb_entry_ex e;
hdb_entry e;
Key k;
memset(&k, 0, sizeof(k));
@@ -346,76 +346,76 @@ make_namespace(krb5_context context, HDB *db, const char *name)
/* Setup the HDB entry */
memset(&e, 0, sizeof(e));
e.entry.created_by.time = krs[0].epoch;
e.entry.valid_start = e.entry.valid_end = e.entry.pw_end = 0;
e.entry.generation = 0;
e.entry.flags = int2HDBFlags(0);
e.entry.flags.server = e.entry.flags.client = 1;
e.entry.flags.virtual = 1;
e.created_by.time = krs[0].epoch;
e.valid_start = e.valid_end = e.pw_end = 0;
e.generation = 0;
e.flags = int2HDBFlags(0);
e.flags.server = e.flags.client = 1;
e.flags.virtual = 1;
/* Setup etypes */
if (ret == 0 &&
(e.entry.etypes = malloc(sizeof(*e.entry.etypes))) == NULL)
(e.etypes = malloc(sizeof(*e.etypes))) == NULL)
ret = krb5_enomem(context);
if (ret == 0)
e.entry.etypes->len = 3;
e.etypes->len = 3;
if (ret == 0 &&
(e.entry.etypes->val = calloc(e.entry.etypes->len,
sizeof(e.entry.etypes->val[0]))) == NULL)
(e.etypes->val = calloc(e.etypes->len,
sizeof(e.etypes->val[0]))) == NULL)
ret = krb5_enomem(context);
if (ret == 0) {
e.entry.etypes->val[0] = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128;
e.entry.etypes->val[1] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192;
e.entry.etypes->val[2] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
e.etypes->val[0] = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128;
e.etypes->val[1] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192;
e.etypes->val[2] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
}
/* Setup max_life and max_renew */
if (ret == 0 &&
(e.entry.max_life = malloc(sizeof(*e.entry.max_life))) == NULL)
(e.max_life = malloc(sizeof(*e.max_life))) == NULL)
ret = krb5_enomem(context);
if (ret == 0 &&
(e.entry.max_renew = malloc(sizeof(*e.entry.max_renew))) == NULL)
(e.max_renew = malloc(sizeof(*e.max_renew))) == NULL)
ret = krb5_enomem(context);
if (ret == 0)
/* Make it long, so we see the clamped max */
*e.entry.max_renew = 2 * ((*e.entry.max_life = 15 * 24 * 3600));
*e.max_renew = 2 * ((*e.max_life = 15 * 24 * 3600));
/* Setup principal name and created_by */
if (ret == 0)
ret = krb5_parse_name(context, name, &e.entry.principal);
ret = krb5_parse_name(context, name, &e.principal);
if (ret == 0)
ret = krb5_parse_name(context, "admin@BAR.EXAMPLE",
&e.entry.created_by.principal);
&e.created_by.principal);
/* Make base keys for first epoch */
if (ret == 0)
ret = make_base_key(context, e.entry.principal, base_pw[0], &k.key);
ret = make_base_key(context, e.principal, base_pw[0], &k.key);
if (ret == 0)
add_Keys(&e.entry.keys, &k);
add_Keys(&e.keys, &k);
if (ret == 0)
ret = hdb_entry_set_pw_change_time(context, &e.entry, krs[0].epoch);
ret = hdb_entry_set_pw_change_time(context, &e, krs[0].epoch);
free_Key(&k);
e.entry.kvno = krs[0].base_key_kvno;
e.kvno = krs[0].base_key_kvno;
/* Move them to history */
if (ret == 0)
ret = hdb_add_current_keys_to_history(context, &e.entry);
free_Keys(&e.entry.keys);
ret = hdb_add_current_keys_to_history(context, &e);
free_Keys(&e.keys);
/* Make base keys for second epoch */
if (ret == 0)
ret = make_base_key(context, e.entry.principal, base_pw[1], &k.key);
ret = make_base_key(context, e.principal, base_pw[1], &k.key);
if (ret == 0)
add_Keys(&e.entry.keys, &k);
e.entry.kvno = krs[1].base_key_kvno;
add_Keys(&e.keys, &k);
e.kvno = krs[1].base_key_kvno;
if (ret == 0)
ret = hdb_entry_set_pw_change_time(context, &e.entry, krs[1].epoch);
ret = hdb_entry_set_pw_change_time(context, &e, krs[1].epoch);
/* Add the key rotation metadata */
if (ret == 0)
ret = hdb_entry_add_key_rotation(context, &e.entry, 0, &krs[0]);
ret = hdb_entry_add_key_rotation(context, &e, 0, &krs[0]);
if (ret == 0)
ret = hdb_entry_add_key_rotation(context, &e.entry, 0, &krs[1]);
ret = hdb_entry_add_key_rotation(context, &e, 0, &krs[1]);
if (ret == 0)
ret = db->hdb_store(context, db, 0, &e);
@@ -447,7 +447,7 @@ static const char *unexpected[] = {
* different time offsets in each period.
*/
#define NUM_OFFSETS 5
static hdb_entry_ex e[
static hdb_entry e[
(sizeof(expected) / sizeof(expected[0])) *
(sizeof(krs) / sizeof(krs[0])) *
NUM_OFFSETS
@@ -479,8 +479,8 @@ fetch_entries(krb5_context context,
krb5_error_code ret = 0;
krb5_principal p = NULL;
krb5_keyblock base_key, dk;
hdb_entry_ex *ep;
hdb_entry_ex no;
hdb_entry *ep;
hdb_entry no;
size_t i, b;
int toffset = 0;
@@ -541,14 +541,14 @@ fetch_entries(krb5_context context,
}
} else {
if (ret == 0 &&
!krb5_principal_compare(context, p, ep->entry.principal))
!krb5_principal_compare(context, p, ep->principal))
krb5_errx(context, 1, "wrong principal in fetched entry");
}
{
HDB_Ext_KeySet *hist_keys;
HDB_extension *ext;
ext = hdb_find_extension(&ep->entry,
ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys);
if (ext) {
/* Sort key history by kvno, why not */
@@ -611,23 +611,23 @@ fetch_entries(krb5_context context,
if (ret)
krb5_err(context, 1, ret, "deriving keys for comparison");
if (kvno != ep->entry.kvno)
krb5_errx(context, 1, "kvno mismatch (%u != %u)", kvno, ep->entry.kvno);
(void) hdb_entry_get_pw_change_time(&ep->entry, &chg_time);
if (kvno != ep->kvno)
krb5_errx(context, 1, "kvno mismatch (%u != %u)", kvno, ep->kvno);
(void) hdb_entry_get_pw_change_time(ep, &chg_time);
if (set_time != chg_time)
krb5_errx(context, 1, "key change time mismatch");
if (ep->entry.keys.len == 0)
if (ep->keys.len == 0)
krb5_errx(context, 1, "no keys!");
if (ep->entry.keys.val[0].key.keytype != dk.keytype)
if (ep->keys.val[0].key.keytype != dk.keytype)
krb5_errx(context, 1, "enctype mismatch!");
if (ep->entry.keys.val[0].key.keyvalue.length !=
if (ep->keys.val[0].key.keyvalue.length !=
dk.keyvalue.length)
krb5_errx(context, 1, "key length mismatch!");
if (memcmp(ep->entry.keys.val[0].key.keyvalue.data,
if (memcmp(ep->keys.val[0].key.keyvalue.data,
dk.keyvalue.data, dk.keyvalue.length) != 0)
krb5_errx(context, 1, "key mismatch!");
if (memcmp(ep->entry.keys.val[0].key.keyvalue.data,
e[b + i - 1].entry.keys.val[0].key.keyvalue.data,
if (memcmp(ep->keys.val[0].key.keyvalue.data,
e[b + i - 1].keys.val[0].key.keyvalue.data,
dk.keyvalue.length) == 0)
krb5_errx(context, 1, "different virtual principals have the same keys!");
/* XXX Add check that we have the expected number of history keys */
@@ -653,14 +653,14 @@ check_kvnos(krb5_context context)
for (k = 0; k < sizeof(e)/sizeof(e[0]); k++) {
HDB_Ext_KeySet *hist_keys;
HDB_extension *ext;
hdb_entry_ex *ep;
hdb_entry *ep;
int match = 0;
if ((k % NUM_OFFSETS) != i)
continue;
ep = &e[k];
if (ep->entry.principal == NULL)
if (ep->principal == NULL)
continue; /* Didn't fetch this one */
/*
@@ -668,15 +668,15 @@ check_kvnos(krb5_context context)
* or else add them to `keysets'.
*/
for (m = 0; m < keysets.len; m++) {
if (ep->entry.kvno == keysets.val[m].kvno) {
if (ep->kvno == keysets.val[m].kvno) {
/* Check the key is the same */
if (ep->entry.keys.val[0].key.keytype !=
if (ep->keys.val[0].key.keytype !=
keysets.val[m].keys.val[0].key.keytype ||
ep->entry.keys.val[0].key.keyvalue.length !=
ep->keys.val[0].key.keyvalue.length !=
keysets.val[m].keys.val[0].key.keyvalue.length ||
memcmp(ep->entry.keys.val[0].key.keyvalue.data,
memcmp(ep->keys.val[0].key.keyvalue.data,
keysets.val[m].keys.val[0].key.keyvalue.data,
ep->entry.keys.val[0].key.keyvalue.length) != 0)
ep->keys.val[0].key.keyvalue.length) != 0)
krb5_errx(context, 1,
"key mismatch for same princ & kvno");
match = 1;
@@ -685,8 +685,8 @@ check_kvnos(krb5_context context)
if (m == keysets.len) {
hdb_keyset ks;
ks.kvno = ep->entry.kvno;
ks.keys = ep->entry.keys;
ks.kvno = ep->kvno;
ks.keys = ep->keys;
ks.set_time = 0;
if (add_HDB_Ext_KeySet(&keysets, &ks))
krb5_err(context, 1, ENOMEM, "out of memory");
@@ -696,7 +696,7 @@ check_kvnos(krb5_context context)
continue;
/* For all non-current keysets, repeat the above */
ext = hdb_find_extension(&ep->entry,
ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys);
if (!ext)
continue;
@@ -704,20 +704,20 @@ check_kvnos(krb5_context context)
for (p = 0; p < hist_keys->len; p++) {
for (m = 0; m < keysets.len; m++) {
if (keysets.val[m].kvno == hist_keys->val[p].kvno)
if (ep->entry.keys.val[0].key.keytype !=
if (ep->keys.val[0].key.keytype !=
keysets.val[m].keys.val[0].key.keytype ||
ep->entry.keys.val[0].key.keyvalue.length !=
ep->keys.val[0].key.keyvalue.length !=
keysets.val[m].keys.val[0].key.keyvalue.length ||
memcmp(ep->entry.keys.val[0].key.keyvalue.data,
memcmp(ep->keys.val[0].key.keyvalue.data,
keysets.val[m].keys.val[0].key.keyvalue.data,
ep->entry.keys.val[0].key.keyvalue.length) != 0)
ep->keys.val[0].key.keyvalue.length) != 0)
krb5_errx(context, 1,
"key mismatch for same princ & kvno");
}
if (m == keysets.len) {
hdb_keyset ks;
ks.kvno = ep->entry.kvno;
ks.keys = ep->entry.keys;
ks.kvno = ep->kvno;
ks.keys = ep->keys;
ks.set_time = 0;
if (add_HDB_Ext_KeySet(&keysets, &ks))
krb5_err(context, 1, ENOMEM, "out of memory");
@@ -741,15 +741,14 @@ print_em(krb5_context context)
if (0 == i % (sizeof(expected)/sizeof(expected[0])))
continue;
if (e[i].entry.principal == NULL)
if (e[i].principal == NULL)
continue;
hex_encode(e[i].entry.keys.val[0].key.keyvalue.data,
e[i].entry.keys.val[0].key.keyvalue.length, &x);
printf("%s %u %s\n", x, e[i].entry.kvno, name);
hex_encode(e[i].keys.val[0].key.keyvalue.data,
e[i].keys.val[0].key.keyvalue.length, &x);
printf("%s %u %s\n", x, e[i].kvno, name);
free(x);
ext = hdb_find_extension(&e[i].entry,
choice_HDB_extension_data_hist_keys);
ext = hdb_find_extension(&e[i], choice_HDB_extension_data_hist_keys);
if (!ext)
continue;
hist_keys = &ext->data.u.hist_keys;
@@ -771,12 +770,12 @@ check_expected_kvnos(krb5_context context)
for (i = 0; i < sizeof(expected)/sizeof(expected[0]); i++) {
for (k = 0; k < sizeof(krs)/sizeof(krs[0]); k++) {
hdb_entry_ex *ep = &e[k * sizeof(expected)/sizeof(expected[0]) + i];
hdb_entry *ep = &e[k * sizeof(expected)/sizeof(expected[0]) + i];
if (ep->entry.principal == NULL)
if (ep->principal == NULL)
continue;
for (m = 0; m < NUM_OFFSETS; m++) {
ext = hdb_find_extension(&ep->entry,
ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys);
if (!ext)
continue;
@@ -787,7 +786,7 @@ check_expected_kvnos(krb5_context context)
}
}
fprintf(stderr, "%s at %lu: kvno %u\n", expected[i], k,
ep->entry.kvno);
ep->kvno);
}
}
}