hdb: eliminate hdb_entry_ex

Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
Luke Howard
2022-01-07 12:54:40 +11:00
parent c5551775e2
commit 0e8c4ccc6e
50 changed files with 1035 additions and 1032 deletions


@@ -418,7 +418,7 @@ doit(const char *filename, int mergep)
int lineno; int lineno;
int flags = O_RDWR; int flags = O_RDWR;
struct entry e; struct entry e;
hdb_entry_ex ent; hdb_entry ent;
HDB *db = _kadm5_s_get_db(kadm_handle); HDB *db = _kadm5_s_get_db(kadm_handle);
f = fopen(filename, "r"); f = fopen(filename, "r");
@@ -506,7 +506,7 @@ doit(const char *filename, int mergep)
skip_next(p); skip_next(p);
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
ret2 = krb5_parse_name(context, e.principal, &ent.entry.principal); ret2 = krb5_parse_name(context, e.principal, &ent.principal);
if (ret2) { if (ret2) {
const char *msg = krb5_get_error_message(context, ret); const char *msg = krb5_get_error_message(context, ret);
fprintf(stderr, "%s:%d:%s (%s)\n", fprintf(stderr, "%s:%d:%s (%s)\n",
@@ -516,7 +516,7 @@ doit(const char *filename, int mergep)
continue; continue;
} }
if (parse_keys(&ent.entry, e.key)) { if (parse_keys(&ent, e.key)) {
fprintf (stderr, "%s:%d:error parsing keys (%s)\n", fprintf (stderr, "%s:%d:error parsing keys (%s)\n",
filename, lineno, e.key); filename, lineno, e.key);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
@@ -524,35 +524,35 @@ doit(const char *filename, int mergep)
continue; continue;
} }
if (parse_event(&ent.entry.created_by, e.created) == -1) { if (parse_event(&ent.created_by, e.created) == -1) {
fprintf (stderr, "%s:%d:error parsing created event (%s)\n", fprintf (stderr, "%s:%d:error parsing created event (%s)\n",
filename, lineno, e.created); filename, lineno, e.created);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
ret = 1; ret = 1;
continue; continue;
} }
if (parse_event_alloc (&ent.entry.modified_by, e.modified) == -1) { if (parse_event_alloc (&ent.modified_by, e.modified) == -1) {
fprintf (stderr, "%s:%d:error parsing event (%s)\n", fprintf (stderr, "%s:%d:error parsing event (%s)\n",
filename, lineno, e.modified); filename, lineno, e.modified);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
ret = 1; ret = 1;
continue; continue;
} }
if (parse_time_string_alloc (&ent.entry.valid_start, e.valid_start) == -1) { if (parse_time_string_alloc (&ent.valid_start, e.valid_start) == -1) {
fprintf (stderr, "%s:%d:error parsing time (%s)\n", fprintf (stderr, "%s:%d:error parsing time (%s)\n",
filename, lineno, e.valid_start); filename, lineno, e.valid_start);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
ret = 1; ret = 1;
continue; continue;
} }
if (parse_time_string_alloc (&ent.entry.valid_end, e.valid_end) == -1) { if (parse_time_string_alloc (&ent.valid_end, e.valid_end) == -1) {
fprintf (stderr, "%s:%d:error parsing time (%s)\n", fprintf (stderr, "%s:%d:error parsing time (%s)\n",
filename, lineno, e.valid_end); filename, lineno, e.valid_end);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
ret = 1; ret = 1;
continue; continue;
} }
if (parse_time_string_alloc (&ent.entry.pw_end, e.pw_end) == -1) { if (parse_time_string_alloc (&ent.pw_end, e.pw_end) == -1) {
fprintf (stderr, "%s:%d:error parsing time (%s)\n", fprintf (stderr, "%s:%d:error parsing time (%s)\n",
filename, lineno, e.pw_end); filename, lineno, e.pw_end);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
@@ -560,7 +560,7 @@ doit(const char *filename, int mergep)
continue; continue;
} }
if (parse_integer_alloc (&ent.entry.max_life, e.max_life) == -1) { if (parse_integer_alloc (&ent.max_life, e.max_life) == -1) {
fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n", fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
filename, lineno, e.max_life); filename, lineno, e.max_life);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
@@ -568,7 +568,7 @@ doit(const char *filename, int mergep)
continue; continue;
} }
if (parse_integer_alloc (&ent.entry.max_renew, e.max_renew) == -1) { if (parse_integer_alloc (&ent.max_renew, e.max_renew) == -1) {
fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n", fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
filename, lineno, e.max_renew); filename, lineno, e.max_renew);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
@@ -576,7 +576,7 @@ doit(const char *filename, int mergep)
continue; continue;
} }
if (parse_hdbflags2int (&ent.entry.flags, e.flags) != 1) { if (parse_hdbflags2int (&ent.flags, e.flags) != 1) {
fprintf (stderr, "%s:%d:error parsing flags (%s)\n", fprintf (stderr, "%s:%d:error parsing flags (%s)\n",
filename, lineno, e.flags); filename, lineno, e.flags);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
@@ -584,7 +584,7 @@ doit(const char *filename, int mergep)
continue; continue;
} }
if(parse_generation(e.generation, &ent.entry.generation) == -1) { if(parse_generation(e.generation, &ent.generation) == -1) {
fprintf (stderr, "%s:%d:error parsing generation (%s)\n", fprintf (stderr, "%s:%d:error parsing generation (%s)\n",
filename, lineno, e.generation); filename, lineno, e.generation);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
@@ -592,7 +592,7 @@ doit(const char *filename, int mergep)
continue; continue;
} }
if (parse_extensions(&e.extensions, &ent.entry.extensions) == -1) { if (parse_extensions(&e.extensions, &ent.extensions) == -1) {
fprintf (stderr, "%s:%d:error parsing extension (%s)\n", fprintf (stderr, "%s:%d:error parsing extension (%s)\n",
filename, lineno, e.extensions); filename, lineno, e.extensions);
hdb_free_entry (context, db, &ent); hdb_free_entry (context, db, &ent);
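Review bot: The error branch right after the renamed `ret2 = krb5_parse_name(context, e.principal, &ent.principal);` still looks up the message for the wrong variable: `krb5_get_error_message(context, ret)` is passed `ret`, the loop's accumulated exit status, rather than the code returned in `ret2`, so the reason printed for an unparseable principal will not describe the parse failure. The line should read `const char *msg = krb5_get_error_message(context, ret2);`. This is pre-existing rather than introduced by the rename, but the hunk touches the line directly above it. doit() starts before this hunk and continues past it.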


@@ -397,7 +397,7 @@ authorize(void *ctx,
struct altsecid_gss_preauth_authorizer_context *c = ctx; struct altsecid_gss_preauth_authorizer_context *c = ctx;
struct ad_server_tuple *server = NULL; struct ad_server_tuple *server = NULL;
krb5_error_code ret; krb5_error_code ret;
krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal); krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->principal);
krb5_boolean reconnect_p = FALSE; krb5_boolean reconnect_p = FALSE;
krb5_boolean is_tgs; krb5_boolean is_tgs;
heim_data_t requestor_sid = NULL; heim_data_t requestor_sid = NULL;
@@ -405,7 +405,7 @@ authorize(void *ctx,
*authorized = FALSE; *authorized = FALSE;
*mapped_name = NULL; *mapped_name = NULL;
if (!krb5_principal_is_federated(r->context, r->client->entry.principal) || if (!krb5_principal_is_federated(r->context, r->client->principal) ||
(ret_flags & GSS_C_ANON_FLAG)) (ret_flags & GSS_C_ANON_FLAG))
return KRB5_PLUGIN_NO_HANDLE; return KRB5_PLUGIN_NO_HANDLE;


@@ -60,7 +60,7 @@ ntlm_service(void *ctx, const heim_idata *req,
unsigned char sessionkey[16]; unsigned char sessionkey[16];
heim_idata rep = { 0, NULL }; heim_idata rep = { 0, NULL };
krb5_context context = ctx; krb5_context context = ctx;
hdb_entry_ex *user = NULL; hdb_entry *user = NULL;
HDB *db = NULL; HDB *db = NULL;
Key *key = NULL; Key *key = NULL;
NTLMReply ntp; NTLMReply ntp;
@@ -119,7 +119,7 @@ ntlm_service(void *ctx, const heim_idata *req,
if (ret) if (ret)
goto failed; goto failed;
ret = hdb_enctype2key(context, &user->entry, NULL, ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key); ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) { if (ret) {
krb5_set_error_message(context, ret, "NTLM missing arcfour key"); krb5_set_error_message(context, ret, "NTLM missing arcfour key");


@@ -57,7 +57,7 @@ const struct units _kdc_digestunits[] = {
static krb5_error_code static krb5_error_code
get_digest_key(krb5_context context, get_digest_key(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
hdb_entry_ex *server, hdb_entry *server,
krb5_crypto *crypto) krb5_crypto *crypto)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -81,12 +81,12 @@ get_digest_key(krb5_context context,
static char * static char *
get_ntlm_targetname(krb5_context context, get_ntlm_targetname(krb5_context context,
hdb_entry_ex *client) hdb_entry *client)
{ {
char *targetname, *p; char *targetname, *p;
targetname = strdup(krb5_principal_get_realm(context, targetname = strdup(krb5_principal_get_realm(context,
client->entry.principal)); client->principal));
if (targetname == NULL) if (targetname == NULL)
return NULL; return NULL;
@@ -101,7 +101,7 @@ get_ntlm_targetname(krb5_context context,
static krb5_error_code static krb5_error_code
fill_targetinfo(krb5_context context, fill_targetinfo(krb5_context context,
char *targetname, char *targetname,
hdb_entry_ex *client, hdb_entry *client,
krb5_data *data) krb5_data *data)
{ {
struct ntlm_targetinfo ti; struct ntlm_targetinfo ti;
@@ -113,7 +113,7 @@ fill_targetinfo(krb5_context context,
memset(&ti, 0, sizeof(ti)); memset(&ti, 0, sizeof(ti));
ti.domainname = targetname; ti.domainname = targetname;
p = client->entry.principal; p = client->principal;
str = krb5_principal_get_comp_string(context, p, 0); str = krb5_principal_get_comp_string(context, p, 0);
if (str != NULL && if (str != NULL &&
(strcmp("host", str) == 0 || (strcmp("host", str) == 0 ||
@@ -168,7 +168,7 @@ get_password_entry(krb5_context context,
{ {
krb5_principal clientprincipal; krb5_principal clientprincipal;
krb5_error_code ret; krb5_error_code ret;
hdb_entry_ex *user; hdb_entry *user;
HDB *db; HDB *db;
/* get username */ /* get username */
@@ -182,7 +182,7 @@ get_password_entry(krb5_context context,
if (ret) if (ret)
return ret; return ret;
ret = hdb_entry_get_password(context, db, &user->entry, password); ret = hdb_entry_get_password(context, db, user, password);
if (ret || password == NULL) { if (ret || password == NULL) {
if (ret == 0) { if (ret == 0) {
ret = EINVAL; ret = EINVAL;
@@ -218,9 +218,9 @@ _kdc_do_digest(krb5_context context,
krb5_storage *sp = NULL; krb5_storage *sp = NULL;
Checksum res; Checksum res;
HDB *serverdb, *userdb; HDB *serverdb, *userdb;
hdb_entry_ex *server = NULL, *user = NULL; hdb_entry *server = NULL, *user = NULL;
HDB *clientdb; HDB *clientdb;
hdb_entry_ex *client = NULL; hdb_entry *client = NULL;
char *client_name = NULL, *password = NULL; char *client_name = NULL, *password = NULL;
krb5_data serverNonce; krb5_data serverNonce;
@@ -321,7 +321,7 @@ _kdc_do_digest(krb5_context context,
if (ret) if (ret)
goto out; goto out;
if (client->entry.flags.allow_digest == 0) { if (client->flags.allow_digest == 0) {
kdc_log(context, config, 2, kdc_log(context, config, 2,
"Client %s tried to use digest " "Client %s tried to use digest "
"but is not allowed to", "but is not allowed to",
@@ -888,7 +888,7 @@ _kdc_do_digest(krb5_context context,
goto failed; goto failed;
} }
ret = hdb_enctype2key(context, &user->entry, NULL, ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key); ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) { if (ret) {
krb5_set_error_message(context, ret, krb5_set_error_message(context, ret,
@@ -1216,7 +1216,7 @@ _kdc_do_digest(krb5_context context,
goto out; goto out;
} }
ret = hdb_enctype2key(context, &user->entry, NULL, ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key); ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) { if (ret) {
krb5_set_error_message(context, ret, "NTLM missing arcfour key"); krb5_set_error_message(context, ret, "NTLM missing arcfour key");
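Review bot: In get_password_entry, the check `if (ret || password == NULL)` following the updated `hdb_entry_get_password(context, db, user, password)` call tests the `password` argument itself rather than what it points to; if `password` is the caller's `char **` out-parameter (its declaration is above the hunk), that NULL test can never fire and a principal without a stored password is only caught when hdb_entry_get_password returns a non-zero code. If that is the signature, the line should be `if (ret || *password == NULL) {`. Please confirm against the parameter list, which is outside this hunk; get_password_entry starts before it and continues past it.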


@@ -109,7 +109,7 @@ get_fastuser_crypto(astgs_request_t r,
{ {
krb5_principal fast_princ; krb5_principal fast_princ;
HDB *fast_db; HDB *fast_db;
hdb_entry_ex *fast_user = NULL; hdb_entry *fast_user = NULL;
Key *cookie_key = NULL; Key *cookie_key = NULL;
krb5_crypto fast_crypto = NULL; krb5_crypto fast_crypto = NULL;
krb5_error_code ret; krb5_error_code ret;
@@ -131,7 +131,7 @@ get_fastuser_crypto(astgs_request_t r,
ret = _kdc_get_preferred_key(r->context, r->config, fast_user, ret = _kdc_get_preferred_key(r->context, r->config, fast_user,
"fast-cookie", &enctype, &cookie_key); "fast-cookie", &enctype, &cookie_key);
else else
ret = hdb_enctype2key(r->context, &fast_user->entry, NULL, ret = hdb_enctype2key(r->context, fast_user, NULL,
enctype, &cookie_key); enctype, &cookie_key);
if (ret) if (ret)
goto out; goto out;
@@ -563,7 +563,7 @@ fast_unwrap_request(astgs_request_t r,
goto out; goto out;
} }
ret = hdb_enctype2key(r->context, &r->armor_server->entry, NULL, ret = hdb_enctype2key(r->context, r->armor_server, NULL,
ap_req.ticket.enc_part.etype, ap_req.ticket.enc_part.etype,
&r->armor_key); &r->armor_key);
if (ret) { if (ret) {
@@ -836,7 +836,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
krb5_pac mspac = NULL; krb5_pac mspac = NULL;
krb5_principal armor_client_principal = NULL; krb5_principal armor_client_principal = NULL;
HDB *armor_db; HDB *armor_db;
hdb_entry_ex *armor_client = NULL; hdb_entry *armor_client = NULL;
char *armor_client_principal_name = NULL; char *armor_client_principal_name = NULL;
flags = HDB_F_FOR_TGS_REQ; flags = HDB_F_FOR_TGS_REQ;


@@ -584,7 +584,7 @@ pa_gss_authorize_default(astgs_request_t r,
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_principal principal; krb5_principal principal;
krb5_const_realm realm = r->server->entry.principal->realm; krb5_const_realm realm = r->server->principal->realm;
int flags = 0, cross_realm_allowed = 0, unauth_anon; int flags = 0, cross_realm_allowed = 0, unauth_anon;
/* /*
@@ -680,7 +680,7 @@ _kdc_gss_check_client(astgs_request_t r,
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_principal initiator_princ = NULL; krb5_principal initiator_princ = NULL;
hdb_entry_ex *initiator = NULL; hdb_entry *initiator = NULL;
krb5_boolean authorized = FALSE; krb5_boolean authorized = FALSE;
HDB *clientdb = r->clientdb; HDB *clientdb = r->clientdb;
@@ -740,15 +740,15 @@ _kdc_gss_check_client(astgs_request_t r,
* two principals must match, noting that GSS pre-authentication is * two principals must match, noting that GSS pre-authentication is
* for authentication, not general purpose impersonation. * for authentication, not general purpose impersonation.
*/ */
if (krb5_principal_is_federated(r->context, r->client->entry.principal)) { if (krb5_principal_is_federated(r->context, r->client->principal)) {
initiator->entry.flags.force_canonicalize = 1; initiator->flags.force_canonicalize = 1;
_kdc_free_ent(r->context, clientdb, r->client); _kdc_free_ent(r->context, clientdb, r->client);
r->client = initiator; r->client = initiator;
initiator = NULL; initiator = NULL;
} else if (!krb5_principal_compare(r->context, } else if (!krb5_principal_compare(r->context,
r->client->entry.principal, r->client->principal,
initiator->entry.principal)) { initiator->principal)) {
kdc_log(r->context, r->config, 2, kdc_log(r->context, r->config, 2,
"GSS %s initiator %.*s does not match principal %s", "GSS %s initiator %.*s does not match principal %s",
gss_oid_to_name(gcp->mech_type), gss_oid_to_name(gcp->mech_type),
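Review bot: In the federated branch `r->client` is swapped for `initiator` after `_kdc_free_ent(r->context, clientdb, r->client)`, but nothing in the hunk updates `r->clientdb`, which still names the HDB the old entry came from. If the initiator lookup (above this hunk) can return an entry from a different backend, later cleanup of `r->client` through `r->clientdb` would run the wrong free_entry — which matters more now that hdb_entry carries a per-entry context managed by that method. If the lookup writes its HDB into a local, assigning it alongside, e.g. `r->clientdb = initiatordb;`, keeps the pair consistent; if it already writes straight into `r->clientdb` this is moot. _kdc_gss_check_client starts before this hunk and continues past it.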


@@ -87,28 +87,28 @@ open_socket(krb5_context context, const char *hostname, const char *port)
} }
krb5_error_code krb5_error_code
v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata) v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
{ {
krb5_error_code ret; krb5_error_code ret;
struct prop_data *pd = appdata; struct prop_data *pd = appdata;
krb5_data data; krb5_data data;
if(encrypt_flag) { if(encrypt_flag) {
ret = hdb_seal_keys_mkey(context, &entry->entry, mkey5); ret = hdb_seal_keys_mkey(context, entry, mkey5);
if (ret) { if (ret) {
krb5_warn(context, ret, "hdb_seal_keys_mkey"); krb5_warn(context, ret, "hdb_seal_keys_mkey");
return ret; return ret;
} }
} }
if(decrypt_flag) { if(decrypt_flag) {
ret = hdb_unseal_keys_mkey(context, &entry->entry, mkey5); ret = hdb_unseal_keys_mkey(context, entry, mkey5);
if (ret) { if (ret) {
krb5_warn(context, ret, "hdb_unseal_keys_mkey"); krb5_warn(context, ret, "hdb_unseal_keys_mkey");
return ret; return ret;
} }
} }
ret = hdb_entry2value(context, &entry->entry, &data); ret = hdb_entry2value(context, entry, &data);
if(ret) { if(ret) {
krb5_warn(context, ret, "hdb_entry2value"); krb5_warn(context, ret, "hdb_entry2value");
return ret; return ret;


@@ -53,7 +53,7 @@ struct prop_data{
#define NEVERDATE ((1U << 31) - 1) #define NEVERDATE ((1U << 31) - 1)
#endif #endif
krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry_ex*, void*); krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*);
int mit_prop_dump(void*, const char*); int mit_prop_dump(void*, const char*);
#endif /* __HPROP_H__ */ #endif /* __HPROP_H__ */


@@ -226,7 +226,7 @@ main(int argc, char **argv)
nprincs = 0; nprincs = 0;
while (1){ while (1){
krb5_data data; krb5_data data;
hdb_entry_ex entry; hdb_entry entry;
if (from_stdin) { if (from_stdin) {
ret = krb5_read_message(context, &sock, &data); ret = krb5_read_message(context, &sock, &data);
@@ -255,7 +255,7 @@ main(int argc, char **argv)
break; break;
} }
memset(&entry, 0, sizeof(entry)); memset(&entry, 0, sizeof(entry));
ret = hdb_value2entry(context, &data, &entry.entry); ret = hdb_value2entry(context, &data, &entry);
krb5_data_free(&data); krb5_data_free(&data);
if (ret) if (ret)
krb5_err(context, 1, ret, "hdb_value2entry"); krb5_err(context, 1, ret, "hdb_value2entry");
@@ -269,7 +269,7 @@ main(int argc, char **argv)
ret = db->hdb_store(context, db, 0, &entry); ret = db->hdb_store(context, db, 0, &entry);
if (ret == HDB_ERR_EXISTS) { if (ret == HDB_ERR_EXISTS) {
char *s; char *s;
ret = krb5_unparse_name(context, entry.entry.principal, &s); ret = krb5_unparse_name(context, entry.principal, &s);
if (ret) if (ret)
s = strdup(unparseable_name); s = strdup(unparseable_name);
krb5_warnx(context, "Entry exists: %s", s); krb5_warnx(context, "Entry exists: %s", s);


@@ -49,7 +49,7 @@ static const char *kdc_plugin_deps[] = {
static struct heim_plugin_data kdc_plugin_data = { static struct heim_plugin_data kdc_plugin_data = {
"krb5", "krb5",
"kdc", "kdc",
KRB5_PLUGIN_KDC_VERSION_9, KRB5_PLUGIN_KDC_VERSION_10,
kdc_plugin_deps, kdc_plugin_deps,
kdc_get_instance kdc_get_instance
}; };
@@ -70,8 +70,9 @@ krb5_kdc_plugin_init(krb5_context context)
} }
struct generate_uc { struct generate_uc {
hdb_entry_ex *client; krb5_kdc_configuration *config;
hdb_entry_ex *server; hdb_entry *client;
hdb_entry *server;
const krb5_keyblock *reply_key; const krb5_keyblock *reply_key;
uint64_t pac_attributes; uint64_t pac_attributes;
krb5_pac *pac; krb5_pac *pac;
@@ -86,7 +87,9 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
if (ft->pac_generate == NULL) if (ft->pac_generate == NULL)
return KRB5_PLUGIN_NO_HANDLE; return KRB5_PLUGIN_NO_HANDLE;
return ft->pac_generate((void *)plug, context, return ft->pac_generate((void *)plug,
context,
uc->config,
uc->client, uc->client,
uc->server, uc->server,
uc->reply_key, uc->reply_key,
@@ -97,8 +100,9 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code krb5_error_code
_kdc_pac_generate(krb5_context context, _kdc_pac_generate(krb5_context context,
hdb_entry_ex *client, krb5_kdc_configuration *config,
hdb_entry_ex *server, hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *reply_key, const krb5_keyblock *reply_key,
uint64_t pac_attributes, uint64_t pac_attributes,
krb5_pac *pac) krb5_pac *pac)
@@ -109,11 +113,12 @@ _kdc_pac_generate(krb5_context context,
*pac = NULL; *pac = NULL;
if (krb5_config_get_bool_default(context, NULL, FALSE, "realms", if (krb5_config_get_bool_default(context, NULL, FALSE, "realms",
client->entry.principal->realm, client->principal->realm,
"disable_pac", NULL)) "disable_pac", NULL))
return 0; return 0;
if (have_plugin) { if (have_plugin) {
uc.config = config;
uc.client = client; uc.client = client;
uc.server = server; uc.server = server;
uc.reply_key = reply_key; uc.reply_key = reply_key;
@@ -134,11 +139,12 @@ _kdc_pac_generate(krb5_context context,
} }
struct verify_uc { struct verify_uc {
krb5_kdc_configuration *config;
krb5_principal client_principal; krb5_principal client_principal;
krb5_principal delegated_proxy_principal; krb5_principal delegated_proxy_principal;
hdb_entry_ex *client; hdb_entry *client;
hdb_entry_ex *server; hdb_entry *server;
hdb_entry_ex *krbtgt; hdb_entry *krbtgt;
krb5_pac *pac; krb5_pac *pac;
}; };
@@ -152,7 +158,9 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
if (ft->pac_verify == NULL) if (ft->pac_verify == NULL)
return KRB5_PLUGIN_NO_HANDLE; return KRB5_PLUGIN_NO_HANDLE;
ret = ft->pac_verify((void *)plug, context, ret = ft->pac_verify((void *)plug,
context,
uc->config,
uc->client_principal, uc->client_principal,
uc->delegated_proxy_principal, uc->delegated_proxy_principal,
uc->client, uc->server, uc->krbtgt, uc->pac); uc->client, uc->server, uc->krbtgt, uc->pac);
@@ -161,11 +169,12 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code krb5_error_code
_kdc_pac_verify(krb5_context context, _kdc_pac_verify(krb5_context context,
krb5_kdc_configuration *config,
const krb5_principal client_principal, const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal, const krb5_principal delegated_proxy_principal,
hdb_entry_ex *client, hdb_entry *client,
hdb_entry_ex *server, hdb_entry *server,
hdb_entry_ex *krbtgt, hdb_entry *krbtgt,
krb5_pac *pac) krb5_pac *pac)
{ {
struct verify_uc uc; struct verify_uc uc;
@@ -173,6 +182,7 @@ _kdc_pac_verify(krb5_context context,
if (!have_plugin) if (!have_plugin)
return KRB5_PLUGIN_NO_HANDLE; return KRB5_PLUGIN_NO_HANDLE;
uc.config = config;
uc.client_principal = client_principal; uc.client_principal = client_principal;
uc.delegated_proxy_principal = delegated_proxy_principal; uc.delegated_proxy_principal = delegated_proxy_principal;
uc.client = client; uc.client = client;


@@ -38,8 +38,7 @@
#include <krb5.h> #include <krb5.h>
#include <kdc.h> #include <kdc.h>
#include <hdb.h>
struct hdb_entry_ex;
/* /*
* Allocate a PAC for the given client with krb5_pac_init(), * Allocate a PAC for the given client with krb5_pac_init(),
@@ -47,9 +46,11 @@ struct hdb_entry_ex;
*/ */
typedef krb5_error_code typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *, krb5_context, (KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *,
struct hdb_entry_ex *, /* client */ krb5_context, /* context */
struct hdb_entry_ex *, /* server */ krb5_kdc_configuration *, /* configuration */
hdb_entry *, /* client */
hdb_entry *, /* server */
const krb5_keyblock *, /* pk_replykey */ const krb5_keyblock *, /* pk_replykey */
uint64_t, /* pac_attributes */ uint64_t, /* pac_attributes */
krb5_pac *); krb5_pac *);
@@ -61,12 +62,14 @@ typedef krb5_error_code
*/ */
typedef krb5_error_code typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *, krb5_context, (KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *,
krb5_context, /* context */
krb5_kdc_configuration *, /* configuration */
const krb5_principal, /* new ticket client */ const krb5_principal, /* new ticket client */
const krb5_principal, /* delegation proxy */ const krb5_principal, /* delegation proxy */
struct hdb_entry_ex *,/* client */ hdb_entry *,/* client */
struct hdb_entry_ex *,/* server */ hdb_entry *,/* server */
struct hdb_entry_ex *,/* krbtgt */ hdb_entry *,/* krbtgt */
krb5_pac *); krb5_pac *);
/* /*
@@ -115,7 +118,7 @@ typedef krb5_error_code
* Plugins should carefully check API contract notes for changes * Plugins should carefully check API contract notes for changes
* between plugin API versions. * between plugin API versions.
*/ */
#define KRB5_PLUGIN_KDC_VERSION_9 9 #define KRB5_PLUGIN_KDC_VERSION_10 10
typedef struct krb5plugin_kdc_ftable { typedef struct krb5plugin_kdc_ftable {
int minor_version; int minor_version;
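Review bot: The bump from KRB5_PLUGIN_KDC_VERSION_9 to KRB5_PLUGIN_KDC_VERSION_10 changes the pac_generate and pac_verify ABI (hdb_entry replaces struct hdb_entry_ex, and a krb5_kdc_configuration * is inserted after the context), yet the comment above the define only says plugins "should carefully check API contract notes" without recording what changed in this version. A note beside the define would let plugin authors see the break without reading the diff, e.g. `/* Version 10: hdb_entry replaces struct hdb_entry_ex in pac_generate/pac_verify, which also gain a krb5_kdc_configuration * after the krb5_context. */`. It would also help to say whether a plugin built against version 9 is refused at load time or called with the new layout; nothing in this header shows which.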


@@ -141,18 +141,18 @@ typedef struct krb5_kdc_configuration {
\ \
/* client principal (AS) or TGT/S4U principal (TGS) */ \ /* client principal (AS) or TGT/S4U principal (TGS) */ \
krb5_principal client_princ; \ krb5_principal client_princ; \
hdb_entry_ex *client; \ hdb_entry *client; \
HDB *clientdb; \ HDB *clientdb; \
krb5_principal canon_client_princ; \ krb5_principal canon_client_princ; \
\ \
/* server principal */ \ /* server principal */ \
krb5_principal server_princ; \ krb5_principal server_princ; \
hdb_entry_ex *server; \ hdb_entry *server; \
HDB *serverdb; \ HDB *serverdb; \
\ \
/* presented ticket in TGS-REQ (unused by AS) */ \ /* presented ticket in TGS-REQ (unused by AS) */ \
krb5_principal *krbtgt_princ; \ krb5_principal *krbtgt_princ; \
hdb_entry_ex *krbtgt; \ hdb_entry *krbtgt; \
HDB *krbtgtdb; \ HDB *krbtgtdb; \
krb5_ticket *ticket; \ krb5_ticket *ticket; \
\ \


@@ -87,7 +87,7 @@ struct astgs_request_desc {
unsigned int fast_asserted : 1; unsigned int fast_asserted : 1;
krb5_crypto armor_crypto; krb5_crypto armor_crypto;
hdb_entry_ex *armor_server; hdb_entry *armor_server;
HDB *armor_serverdb; HDB *armor_serverdb;
krb5_ticket *armor_ticket; krb5_ticket *armor_ticket;
Key *armor_key; Key *armor_key;


@@ -161,7 +161,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
krb5_boolean use_strongest_session_key; krb5_boolean use_strongest_session_key;
krb5_boolean is_preauth = flags & KFE_IS_PREAUTH; krb5_boolean is_preauth = flags & KFE_IS_PREAUTH;
krb5_boolean is_tgs = flags & KFE_IS_TGS; krb5_boolean is_tgs = flags & KFE_IS_TGS;
hdb_entry_ex *princ; hdb_entry *princ;
krb5_principal request_princ; krb5_principal request_princ;
krb5_error_code ret; krb5_error_code ret;
krb5_salt def_salt; krb5_salt def_salt;
@@ -171,15 +171,15 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
size_t i, k, m; size_t i, k, m;
if (is_preauth && (flags & KFE_USE_CLIENT) && if (is_preauth && (flags & KFE_USE_CLIENT) &&
r->client->entry.flags.synthetic) r->client->flags.synthetic)
return KRB5KDC_ERR_ETYPE_NOSUPP; return KRB5KDC_ERR_ETYPE_NOSUPP;
if ((flags & KFE_USE_CLIENT) && !r->client->entry.flags.synthetic) { if ((flags & KFE_USE_CLIENT) && !r->client->flags.synthetic) {
princ = r->client; princ = r->client;
request_princ = r->client_princ; request_princ = r->client_princ;
} else { } else {
princ = r->server; princ = r->server;
request_princ = r->server->entry.principal; request_princ = r->server->principal;
} }
use_strongest_session_key = use_strongest_session_key =
@@ -227,7 +227,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL; p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL;
i++) { i++) {
if (krb5_enctype_valid(r->context, p[i]) != 0 && if (krb5_enctype_valid(r->context, p[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, p[i])) !_kdc_is_weak_exception(princ->principal, p[i]))
continue; continue;
/* check that the client supports it too */ /* check that the client supports it too */
@@ -248,15 +248,15 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
/* check target princ support */ /* check target princ support */
key = NULL; key = NULL;
if (!(flags & KFE_USE_CLIENT) && princ->entry.etypes) { if (!(flags & KFE_USE_CLIENT) && princ->etypes) {
/* /*
* Use the etypes list from the server's HDB entry instead * Use the etypes list from the server's HDB entry instead
* of deriving it from its long-term keys. This allows an * of deriving it from its long-term keys. This allows an
* entry to have just one long-term key but record support * entry to have just one long-term key but record support
* for multiple enctypes. * for multiple enctypes.
*/ */
for (m = 0; m < princ->entry.etypes->len; m++) { for (m = 0; m < princ->etypes->len; m++) {
if (p[i] == princ->entry.etypes->val[m]) { if (p[i] == princ->etypes->val[m]) {
ret = 0; ret = 0;
break; break;
} }
@@ -268,7 +268,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* PA-ETYPE-INFO* or because we're selecting a session key * PA-ETYPE-INFO* or because we're selecting a session key
* enctype. * enctype.
*/ */
while (hdb_next_enctype2key(r->context, &princ->entry, NULL, while (hdb_next_enctype2key(r->context, princ, NULL,
p[i], &key) == 0) { p[i], &key) == 0) {
if (key->key.keyvalue.length == 0) { if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY; ret = KRB5KDC_ERR_NULL_KEY;
@@ -296,12 +296,12 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
for(i = 0; ret != 0 && i < len; i++) { for(i = 0; ret != 0 && i < len; i++) {
if (krb5_enctype_valid(r->context, etypes[i]) != 0 && if (krb5_enctype_valid(r->context, etypes[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, etypes[i])) !_kdc_is_weak_exception(princ->principal, etypes[i]))
continue; continue;
key = NULL; key = NULL;
while (ret != 0 && while (ret != 0 &&
hdb_next_enctype2key(r->context, &princ->entry, NULL, hdb_next_enctype2key(r->context, princ, NULL,
etypes[i], &key) == 0) { etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) { if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY; ret = KRB5KDC_ERR_NULL_KEY;
@@ -323,7 +323,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* the service key list, provide a DES-CBC-CRC key. * the service key list, provide a DES-CBC-CRC key.
*/ */
if (ret_key == NULL && if (ret_key == NULL &&
_kdc_is_weak_exception(princ->entry.principal, ETYPE_DES_CBC_CRC)) { _kdc_is_weak_exception(princ->principal, ETYPE_DES_CBC_CRC)) {
ret = 0; ret = 0;
enctype = ETYPE_DES_CBC_CRC; enctype = ETYPE_DES_CBC_CRC;
} else { } else {
@@ -504,7 +504,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
} }
r->pa_endtime = _kdc_pk_endtime(pkp); r->pa_endtime = _kdc_pk_endtime(pkp);
if (!r->client->entry.flags.synthetic) if (!r->client->flags.synthetic)
r->pa_max_life = _kdc_pk_max_life(pkp); r->pa_max_life = _kdc_pk_max_life(pkp);
_kdc_r_log(r, 4, "PKINIT pre-authentication succeeded -- %s using %s", _kdc_r_log(r, 4, "PKINIT pre-authentication succeeded -- %s using %s",
@@ -621,7 +621,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
return ret; return ret;
} }
if (r->client->entry.flags.locked_out) { if (r->client->flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED; ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0, kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname); "Client (%s) is locked out", r->cname);
@@ -650,11 +650,11 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
kdc_log(r->context, r->config, 5, "FAST armor enctype is: %d", (int)aenctype); kdc_log(r->context, r->config, 5, "FAST armor enctype is: %d", (int)aenctype);
for (i = 0; i < r->client->entry.keys.len; i++) { for (i = 0; i < r->client->keys.len; i++) {
krb5_crypto challengecrypto, longtermcrypto; krb5_crypto challengecrypto, longtermcrypto;
krb5_keyblock challengekey; krb5_keyblock challengekey;
k = &r->client->entry.keys.val[i]; k = &r->client->keys.val[i];
ret = krb5_crypto_init(r->context, &k->key, 0, &longtermcrypto); ret = krb5_crypto_init(r->context, &k->key, 0, &longtermcrypto);
if (ret) if (ret)
@@ -794,7 +794,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
return ret; return ret;
} }
if (r->client->entry.flags.locked_out) { if (r->client->flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED; ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0, kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname); "Client (%s) is locked out", r->cname);
@@ -814,7 +814,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
goto out; goto out;
} }
ret = hdb_enctype2key(r->context, &r->client->entry, NULL, ret = hdb_enctype2key(r->context, r->client, NULL,
enc_data.etype, &pa_key); enc_data.etype, &pa_key);
if(ret){ if(ret){
char *estr; char *estr;
@@ -873,7 +873,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
pa_key->key.keytype); pa_key->key.keytype);
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT, _kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY); KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
if(hdb_next_enctype2key(r->context, &r->client->entry, NULL, if(hdb_next_enctype2key(r->context, r->client, NULL,
enc_data.etype, &pa_key) == 0) enc_data.etype, &pa_key) == 0)
goto try_next_key; goto try_next_key;
@@ -1612,12 +1612,10 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
kdc_check_flags(astgs_request_t r, kdc_check_flags(astgs_request_t r,
krb5_boolean is_as_req, krb5_boolean is_as_req,
hdb_entry_ex *client_ex, hdb_entry *client,
hdb_entry_ex *server_ex) hdb_entry *server)
{ {
if (client_ex != NULL) { if (client != NULL) {
hdb_entry *client = &client_ex->entry;
/* check client */ /* check client */
if (client->flags.locked_out) { if (client->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Client is locked out"); _kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
@@ -1655,11 +1653,11 @@ kdc_check_flags(astgs_request_t r,
} }
if (client->flags.require_pwchange && if (client->flags.require_pwchange &&
(server_ex == NULL || !server_ex->entry.flags.change_pw)) (server == NULL || !server->flags.change_pw))
return KRB5KDC_ERR_KEY_EXPIRED; return KRB5KDC_ERR_KEY_EXPIRED;
if (client->pw_end && *client->pw_end < kdc_time if (client->pw_end && *client->pw_end < kdc_time
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) { && (server == NULL || !server->flags.change_pw)) {
char pwend_str[100]; char pwend_str[100];
krb5_format_time(r->context, *client->pw_end, krb5_format_time(r->context, *client->pw_end,
pwend_str, sizeof(pwend_str), TRUE); pwend_str, sizeof(pwend_str), TRUE);
@@ -1671,9 +1669,7 @@ kdc_check_flags(astgs_request_t r,
/* check server */ /* check server */
if (server_ex != NULL) { if (server != NULL) {
hdb_entry *server = &server_ex->entry;
if (server->flags.locked_out) { if (server->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Server locked out"); _kdc_audit_addreason((kdc_request_t)r, "Server locked out");
return KRB5KDC_ERR_SERVICE_REVOKED; return KRB5KDC_ERR_SERVICE_REVOKED;
@@ -1851,6 +1847,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
*/ */
ret = _kdc_pac_generate(r->context, ret = _kdc_pac_generate(r->context,
r->config,
r->client, r->client,
r->server, r->server,
r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY) r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
@@ -1865,7 +1862,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
if (r->pac == NULL) if (r->pac == NULL)
return 0; return 0;
rodc_id = r->server->entry.kvno >> 16; rodc_id = r->server->kvno >> 16;
/* libkrb5 expects ticket and PAC client names to match */ /* libkrb5 expects ticket and PAC client names to match */
ret = _krb5_principalname2krb5_principal(r->context, &client, ret = _krb5_principalname2krb5_principal(r->context, &client,
@@ -1950,8 +1947,8 @@ static int
require_preauth_p(astgs_request_t r) require_preauth_p(astgs_request_t r)
{ {
return r->config->require_preauth return r->config->require_preauth
|| r->client->entry.flags.require_preauth || r->client->flags.require_preauth
|| r->server->entry.flags.require_preauth; || r->server->flags.require_preauth;
} }
@@ -2023,7 +2020,7 @@ get_local_tgs(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
krb5_const_realm realm, krb5_const_realm realm,
HDB **krbtgtdb, HDB **krbtgtdb,
hdb_entry_ex **krbtgt) hdb_entry **krbtgt)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_principal tgs_name; krb5_principal tgs_name;
@@ -2151,7 +2148,7 @@ _kdc_as_rep(astgs_request_t r)
case HDB_ERR_WRONG_REALM: { case HDB_ERR_WRONG_REALM: {
char *fixed_client_name = NULL; char *fixed_client_name = NULL;
ret = krb5_unparse_name(r->context, r->client->entry.principal, ret = krb5_unparse_name(r->context, r->client->principal,
&fixed_client_name); &fixed_client_name);
if (ret) { if (ret) {
goto out; goto out;
@@ -2165,7 +2162,7 @@ _kdc_as_rep(astgs_request_t r)
ret = _kdc_fast_mk_error(r, r->rep.padata, r->armor_crypto, ret = _kdc_fast_mk_error(r, r->rep.padata, r->armor_crypto,
&req->req_body, &req->req_body,
r->ret = KRB5_KDC_ERR_WRONG_REALM, r->ret = KRB5_KDC_ERR_WRONG_REALM,
r->client->entry.principal, r->server_princ, r->client->principal, r->server_princ,
NULL, NULL, r->reply); NULL, NULL, r->reply);
goto out; goto out;
} }
@@ -2237,7 +2234,7 @@ _kdc_as_rep(astgs_request_t r)
i = 0; i = 0;
pa = _kdc_find_padata(req, &i, pat[n].type); pa = _kdc_find_padata(req, &i, pat[n].type);
if (pa) { if (pa) {
if (r->client->entry.flags.synthetic && if (r->client->flags.synthetic &&
!(pat[n].flags & PA_SYNTHETIC_OK)) { !(pat[n].flags & PA_SYNTHETIC_OK)) {
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname); kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -2288,7 +2285,7 @@ _kdc_as_rep(astgs_request_t r)
size_t n; size_t n;
krb5_boolean default_salt; krb5_boolean default_salt;
if (r->client->entry.flags.synthetic) { if (r->client->flags.synthetic) {
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname); kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out; goto out;
@@ -2347,7 +2344,7 @@ _kdc_as_rep(astgs_request_t r)
goto out; goto out;
} }
r->canon_client_princ = r->client->entry.principal; r->canon_client_princ = r->client->principal;
/* /*
* Verify flags after the user been required to prove its identity * Verify flags after the user been required to prove its identity
@@ -2414,7 +2411,7 @@ _kdc_as_rep(astgs_request_t r)
_kdc_is_anonymous(r->context, r->client_princ)) { _kdc_is_anonymous(r->context, r->client_princ)) {
Realm anon_realm = KRB5_ANON_REALM; Realm anon_realm = KRB5_ANON_REALM;
ret = copy_Realm(&anon_realm, &rep->crealm); ret = copy_Realm(&anon_realm, &rep->crealm);
} else if (f.canonicalize || r->client->entry.flags.force_canonicalize) } else if (f.canonicalize || r->client->flags.force_canonicalize)
ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm); ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm);
else else
ret = copy_Realm(&r->client_princ->realm, &rep->crealm); ret = copy_Realm(&r->client_princ->realm, &rep->crealm);
@@ -2422,7 +2419,7 @@ _kdc_as_rep(astgs_request_t r)
goto out; goto out;
if (r->et.flags.anonymous) if (r->et.flags.anonymous)
ret = _kdc_make_anonymous_principalname(&rep->cname); ret = _kdc_make_anonymous_principalname(&rep->cname);
else if (f.canonicalize || r->client->entry.flags.force_canonicalize) else if (f.canonicalize || r->client->flags.force_canonicalize)
ret = _krb5_principal2principalname(&rep->cname, r->canon_client_princ); ret = _krb5_principal2principalname(&rep->cname, r->canon_client_princ);
else else
ret = _krb5_principal2principalname(&rep->cname, r->client_princ); ret = _krb5_principal2principalname(&rep->cname, r->client_princ);
@@ -2430,15 +2427,15 @@ _kdc_as_rep(astgs_request_t r)
goto out; goto out;
rep->ticket.tkt_vno = 5; rep->ticket.tkt_vno = 5;
if (f.canonicalize || r->server->entry.flags.force_canonicalize) if (f.canonicalize || r->server->flags.force_canonicalize)
ret = copy_Realm(&r->server->entry.principal->realm, &rep->ticket.realm); ret = copy_Realm(&r->server->principal->realm, &rep->ticket.realm);
else else
ret = copy_Realm(&r->server_princ->realm, &rep->ticket.realm); ret = copy_Realm(&r->server_princ->realm, &rep->ticket.realm);
if (ret) if (ret)
goto out; goto out;
if (f.canonicalize || r->server->entry.flags.force_canonicalize) if (f.canonicalize || r->server->flags.force_canonicalize)
_krb5_principal2principalname(&rep->ticket.sname, _krb5_principal2principalname(&rep->ticket.sname,
r->server->entry.principal); r->server->principal);
else else
_krb5_principal2principalname(&rep->ticket.sname, _krb5_principal2principalname(&rep->ticket.sname,
r->server_princ); r->server_princ);
@@ -2450,16 +2447,16 @@ _kdc_as_rep(astgs_request_t r)
#undef CNT #undef CNT
r->et.flags.initial = 1; r->et.flags.initial = 1;
if(r->client->entry.flags.forwardable && r->server->entry.flags.forwardable) if(r->client->flags.forwardable && r->server->flags.forwardable)
r->et.flags.forwardable = f.forwardable; r->et.flags.forwardable = f.forwardable;
if(r->client->entry.flags.proxiable && r->server->entry.flags.proxiable) if(r->client->flags.proxiable && r->server->flags.proxiable)
r->et.flags.proxiable = f.proxiable; r->et.flags.proxiable = f.proxiable;
else if (f.proxiable) { else if (f.proxiable) {
_kdc_set_e_text(r, "Ticket may not be proxiable"); _kdc_set_e_text(r, "Ticket may not be proxiable");
ret = KRB5KDC_ERR_POLICY; ret = KRB5KDC_ERR_POLICY;
goto out; goto out;
} }
if(r->client->entry.flags.postdate && r->server->entry.flags.postdate) if(r->client->flags.postdate && r->server->flags.postdate)
r->et.flags.may_postdate = f.allow_postdate; r->et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){ else if (f.allow_postdate){
_kdc_set_e_text(r, "Ticket may not be postdate"); _kdc_set_e_text(r, "Ticket may not be postdate");
@@ -2506,18 +2503,18 @@ _kdc_as_rep(astgs_request_t r)
/* be careful not overflowing */ /* be careful not overflowing */
/* /*
* Pre-auth can override r->client->entry.max_life if configured. * Pre-auth can override r->client->max_life if configured.
* *
* See pre-auth methods, specifically PKINIT, which can get or derive * See pre-auth methods, specifically PKINIT, which can get or derive
* this from the client's certificate. * this from the client's certificate.
*/ */
if (r->pa_max_life > 0) if (r->pa_max_life > 0)
t = start + min(t - start, r->pa_max_life); t = start + min(t - start, r->pa_max_life);
else if (r->client->entry.max_life) else if (r->client->max_life)
t = start + min(t - start, *r->client->entry.max_life); t = start + min(t - start, *r->client->max_life);
if (r->server->entry.max_life) if (r->server->max_life)
t = start + min(t - start, *r->server->entry.max_life); t = start + min(t - start, *r->server->max_life);
/* Pre-auth can bound endtime as well */ /* Pre-auth can bound endtime as well */
if (r->pa_endtime > 0) if (r->pa_endtime > 0)
@@ -2539,10 +2536,10 @@ _kdc_as_rep(astgs_request_t r)
t = *b->rtime; t = *b->rtime;
if(t == 0) if(t == 0)
t = MAX_TIME; t = MAX_TIME;
if(r->client->entry.max_renew) if(r->client->max_renew)
t = start + min(t - start, *r->client->entry.max_renew); t = start + min(t - start, *r->client->max_renew);
if(r->server->entry.max_renew) if(r->server->max_renew)
t = start + min(t - start, *r->server->entry.max_renew); t = start + min(t - start, *r->server->max_renew);
#if 0 #if 0
t = min(t, start + realm->max_renew); t = min(t, start + realm->max_renew);
#endif #endif
@@ -2575,16 +2572,16 @@ _kdc_as_rep(astgs_request_t r)
goto out; goto out;
} }
r->ek.last_req.len = 0; r->ek.last_req.len = 0;
if (r->client->entry.pw_end if (r->client->pw_end
&& (config->kdc_warn_pwexpire == 0 && (config->kdc_warn_pwexpire == 0
|| kdc_time + config->kdc_warn_pwexpire >= *r->client->entry.pw_end)) { || kdc_time + config->kdc_warn_pwexpire >= *r->client->pw_end)) {
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_PW_EXPTIME; r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_PW_EXPTIME;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.pw_end; r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->pw_end;
++r->ek.last_req.len; ++r->ek.last_req.len;
} }
if (r->client->entry.valid_end) { if (r->client->valid_end) {
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_ACCT_EXPTIME; r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.valid_end; r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->valid_end;
++r->ek.last_req.len; ++r->ek.last_req.len;
} }
if (r->ek.last_req.len == 0) { if (r->ek.last_req.len == 0) {
@@ -2593,16 +2590,16 @@ _kdc_as_rep(astgs_request_t r)
++r->ek.last_req.len; ++r->ek.last_req.len;
} }
r->ek.nonce = b->nonce; r->ek.nonce = b->nonce;
if (r->client->entry.valid_end || r->client->entry.pw_end) { if (r->client->valid_end || r->client->pw_end) {
ALLOC(r->ek.key_expiration); ALLOC(r->ek.key_expiration);
if (r->client->entry.valid_end) { if (r->client->valid_end) {
if (r->client->entry.pw_end) if (r->client->pw_end)
*r->ek.key_expiration = min(*r->client->entry.valid_end, *r->ek.key_expiration = min(*r->client->valid_end,
*r->client->entry.pw_end); *r->client->pw_end);
else else
*r->ek.key_expiration = *r->client->entry.valid_end; *r->ek.key_expiration = *r->client->valid_end;
} else } else
*r->ek.key_expiration = *r->client->entry.pw_end; *r->ek.key_expiration = *r->client->pw_end;
} else } else
r->ek.key_expiration = NULL; r->ek.key_expiration = NULL;
r->ek.flags = r->et.flags; r->ek.flags = r->et.flags;
@@ -2656,7 +2653,7 @@ _kdc_as_rep(astgs_request_t r)
generate_pac(r, skey, krbtgt_key, is_tgs); generate_pac(r, skey, krbtgt_key, is_tgs);
} }
if (r->client->entry.flags.synthetic) { if (r->client->flags.synthetic) {
ret = add_synthetic_princ_ad(r); ret = add_synthetic_princ_ad(r);
if (ret) if (ret)
goto out; goto out;
@@ -2713,8 +2710,8 @@ _kdc_as_rep(astgs_request_t r)
ret = _kdc_encode_reply(r->context, config, ret = _kdc_encode_reply(r->context, config,
r, req->req_body.nonce, setype, r, req->req_body.nonce, setype,
r->server->entry.kvno, &skey->key, r->server->kvno, &skey->key,
pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->entry.kvno, pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->kvno,
0, r->reply); 0, r->reply);
if (ret) if (ret)
goto out; goto out;


@@ -80,10 +80,10 @@ _kdc_check_pac(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const krb5_principal client_principal, const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal, const krb5_principal delegated_proxy_principal,
hdb_entry_ex *client, hdb_entry *client,
hdb_entry_ex *server, hdb_entry *server,
hdb_entry_ex *krbtgt, hdb_entry *krbtgt,
hdb_entry_ex *ticket_server, hdb_entry *ticket_server,
const EncryptionKey *server_check_key, const EncryptionKey *server_check_key,
const EncryptionKey *krbtgt_check_key, const EncryptionKey *krbtgt_check_key,
EncTicketPart *tkt, EncTicketPart *tkt,
@@ -122,7 +122,8 @@ _kdc_check_pac(krb5_context context,
} }
/* Verify the KDC signatures. */ /* Verify the KDC signatures. */
ret = _kdc_pac_verify(context, client_principal, delegated_proxy_principal, ret = _kdc_pac_verify(context, config,
client_principal, delegated_proxy_principal,
client, server, krbtgt, &pac); client, server, krbtgt, &pac);
if (ret == 0) { if (ret == 0) {
if (pac_canon_name) { if (pac_canon_name) {
@@ -140,8 +141,8 @@ _kdc_check_pac(krb5_context context,
* We can't verify the KDC signatures if the ticket was issued by * We can't verify the KDC signatures if the ticket was issued by
* another realm's KDC. * another realm's KDC.
*/ */
if (krb5_realm_compare(context, server->entry.principal, if (krb5_realm_compare(context, server->principal,
ticket_server->entry.principal)) { ticket_server->principal)) {
ret = krb5_pac_verify(context, pac, 0, NULL, NULL, ret = krb5_pac_verify(context, pac, 0, NULL, NULL,
krbtgt_check_key); krbtgt_check_key);
if (ret) { if (ret) {
@@ -173,7 +174,7 @@ _kdc_check_pac(krb5_context context,
*kdc_issued = signedticket || *kdc_issued = signedticket ||
krb5_principal_is_krbtgt(context, krb5_principal_is_krbtgt(context,
ticket_server->entry.principal); ticket_server->principal);
*ppac = pac; *ppac = pac;
return 0; return 0;
@@ -359,8 +360,8 @@ krb5_error_code
_kdc_check_client_matches_target_service(krb5_context context, _kdc_check_client_matches_target_service(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
HDB *clientdb, HDB *clientdb,
hdb_entry_ex *client, hdb_entry *client,
hdb_entry_ex *target_server, hdb_entry *target_server,
krb5_const_principal target_server_principal) krb5_const_principal target_server_principal)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -378,7 +379,7 @@ _kdc_check_client_matches_target_service(krb5_context context,
if (ret == 0) if (ret == 0)
return 0; return 0;
} else if (krb5_principal_compare(context, } else if (krb5_principal_compare(context,
client->entry.principal, client->principal,
target_server_principal) == TRUE) { target_server_principal) == TRUE) {
/* if client does a s4u2self to itself, and there is no plugin, that is ok */ /* if client does a s4u2self to itself, and there is no plugin, that is ok */
return 0; return 0;
@@ -536,9 +537,9 @@ tgs_make_reply(astgs_request_t r,
const krb5_keyblock *sessionkey, const krb5_keyblock *sessionkey,
krb5_kvno kvno, krb5_kvno kvno,
AuthorizationData *auth_data, AuthorizationData *auth_data,
hdb_entry_ex *server, hdb_entry *server,
krb5_principal server_principal, krb5_principal server_principal,
hdb_entry_ex *client, hdb_entry *client,
krb5_principal client_principal, krb5_principal client_principal,
const char *tgt_realm, const char *tgt_realm,
uint16_t rodc_id, uint16_t rodc_id,
@@ -596,7 +597,7 @@ tgs_make_reply(astgs_request_t r,
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
&tgt->transited, et, &tgt->transited, et,
krb5_principal_get_realm(r->context, client_principal), krb5_principal_get_realm(r->context, client_principal),
krb5_principal_get_realm(r->context, server->entry.principal), krb5_principal_get_realm(r->context, server->principal),
tgt_realm); tgt_realm);
if(ret) if(ret)
goto out; goto out;
@@ -628,10 +629,10 @@ tgs_make_reply(astgs_request_t r,
{ {
time_t life; time_t life;
life = et->endtime - *et->starttime; life = et->endtime - *et->starttime;
if(client && client->entry.max_life) if(client && client->max_life)
life = min(life, *client->entry.max_life); life = min(life, *client->max_life);
if(server->entry.max_life) if(server->max_life)
life = min(life, *server->entry.max_life); life = min(life, *server->max_life);
et->endtime = *et->starttime + life; et->endtime = *et->starttime + life;
} }
if(f.renewable_ok && tgt->flags.renewable && if(f.renewable_ok && tgt->flags.renewable &&
@@ -645,10 +646,10 @@ tgs_make_reply(astgs_request_t r,
if(et->renew_till){ if(et->renew_till){
time_t renew; time_t renew;
renew = *et->renew_till - *et->starttime; renew = *et->renew_till - *et->starttime;
if(client && client->entry.max_renew) if(client && client->max_renew)
renew = min(renew, *client->entry.max_renew); renew = min(renew, *client->max_renew);
if(server->entry.max_renew) if(server->max_renew)
renew = min(renew, *server->entry.max_renew); renew = min(renew, *server->max_renew);
*et->renew_till = *et->starttime + renew; *et->renew_till = *et->starttime + renew;
} }
@@ -672,12 +673,12 @@ tgs_make_reply(astgs_request_t r,
et->flags.pre_authent = tgt->flags.pre_authent; et->flags.pre_authent = tgt->flags.pre_authent;
et->flags.hw_authent = tgt->flags.hw_authent; et->flags.hw_authent = tgt->flags.hw_authent;
et->flags.ok_as_delegate = server->entry.flags.ok_as_delegate; et->flags.ok_as_delegate = server->flags.ok_as_delegate;
/* See MS-KILE 3.3.5.1 */ /* See MS-KILE 3.3.5.1 */
if (!server->entry.flags.forwardable) if (!server->flags.forwardable)
et->flags.forwardable = 0; et->flags.forwardable = 0;
if (!server->entry.flags.proxiable) if (!server->flags.proxiable)
et->flags.proxiable = 0; et->flags.proxiable = 0;
if (auth_data) { if (auth_data) {
@@ -729,7 +730,7 @@ tgs_make_reply(astgs_request_t r,
et->endtime, et->renew_till); et->endtime, et->renew_till);
if (krb5_enctype_valid(r->context, serverkey->keytype) != 0 if (krb5_enctype_valid(r->context, serverkey->keytype) != 0
&& _kdc_is_weak_exception(server->entry.principal, serverkey->keytype)) && _kdc_is_weak_exception(server->principal, serverkey->keytype))
{ {
krb5_enctype_enable(r->context, serverkey->keytype); krb5_enctype_enable(r->context, serverkey->keytype);
is_weak = 1; is_weak = 1;
@@ -761,7 +762,7 @@ tgs_make_reply(astgs_request_t r,
*/ */
if (_kdc_include_pac_p(r)) { if (_kdc_include_pac_p(r)) {
krb5_boolean is_tgs = krb5_boolean is_tgs =
krb5_principal_is_krbtgt(r->context, server->entry.principal); krb5_principal_is_krbtgt(r->context, server->principal);
ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, r->client_princ, serverkey, ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, r->client_princ, serverkey,
krbtgtkey, rodc_id, NULL, r->canon_client_princ, krbtgtkey, rodc_id, NULL, r->canon_client_princ,
@@ -1016,12 +1017,12 @@ tgs_parse_request(astgs_request_t r,
goto out; goto out;
} }
krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : r->krbtgt->entry.kvno; krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : r->krbtgt->kvno;
*krbtgt_etype = ap_req.ticket.enc_part.etype; *krbtgt_etype = ap_req.ticket.enc_part.etype;
next_kvno: next_kvno:
krbtgt_keys = hdb_kvno2keys(r->context, &r->krbtgt->entry, krbtgt_kvno_try); krbtgt_keys = hdb_kvno2keys(r->context, r->krbtgt, krbtgt_kvno_try);
ret = hdb_enctype2key(r->context, &r->krbtgt->entry, krbtgt_keys, ret = hdb_enctype2key(r->context, r->krbtgt, krbtgt_keys,
ap_req.ticket.enc_part.etype, &tkey); ap_req.ticket.enc_part.etype, &tkey);
if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) { if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
kvno_search_tries--; kvno_search_tries--;
@@ -1301,10 +1302,10 @@ _kdc_db_fetch_client(krb5_context context,
const char *cpn, const char *cpn,
const char *krbtgt_realm, const char *krbtgt_realm,
HDB **clientdb, HDB **clientdb,
hdb_entry_ex **client_out) hdb_entry **client_out)
{ {
krb5_error_code ret; krb5_error_code ret;
hdb_entry_ex *client = NULL; hdb_entry *client = NULL;
*client_out = NULL; *client_out = NULL;
@@ -1333,7 +1334,7 @@ _kdc_db_fetch_client(krb5_context context,
msg = krb5_get_error_message(context, ret); msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 4, "Client not found in database: %s", msg); kdc_log(context, config, 4, "Client not found in database: %s", msg);
krb5_free_error_message(context, msg); krb5_free_error_message(context, msg);
} else if (client->entry.flags.invalid || !client->entry.flags.client) { } else if (client->flags.invalid || !client->flags.client) {
kdc_log(context, config, 4, "Client has invalid bit set"); kdc_log(context, config, 4, "Client has invalid bit set");
_kdc_free_ent(context, *clientdb, client); _kdc_free_ent(context, *clientdb, client);
return KRB5KDC_ERR_POLICY; return KRB5KDC_ERR_POLICY;
@@ -1360,9 +1361,9 @@ tgs_build_reply(astgs_request_t priv,
krb5_principal user2user_princ = NULL; krb5_principal user2user_princ = NULL;
char *spn = NULL, *cpn = NULL, *krbtgt_out_n = NULL; char *spn = NULL, *cpn = NULL, *krbtgt_out_n = NULL;
char *user2user_name = NULL; char *user2user_name = NULL;
hdb_entry_ex *server = NULL, *client = NULL; hdb_entry *server = NULL, *client = NULL;
HDB *user2user_krbtgtdb; HDB *user2user_krbtgtdb;
hdb_entry_ex *user2user_krbtgt = NULL; hdb_entry *user2user_krbtgt = NULL;
HDB *clientdb; HDB *clientdb;
HDB *serverdb = NULL; HDB *serverdb = NULL;
krb5_realm ref_realm = NULL; krb5_realm ref_realm = NULL;
@@ -1374,14 +1375,14 @@ tgs_build_reply(astgs_request_t priv,
uint16_t rodc_id; uint16_t rodc_id;
krb5_boolean add_ticket_sig = FALSE; krb5_boolean add_ticket_sig = FALSE;
const char *tgt_realm = /* Realm of TGT issuer */ const char *tgt_realm = /* Realm of TGT issuer */
krb5_principal_get_realm(context, priv->krbtgt->entry.principal); krb5_principal_get_realm(context, priv->krbtgt->principal);
const char *our_realm = /* Realm of this KDC */ const char *our_realm = /* Realm of this KDC */
krb5_principal_get_comp_string(context, priv->krbtgt->entry.principal, 1); krb5_principal_get_comp_string(context, priv->krbtgt->principal, 1);
char **capath = NULL; char **capath = NULL;
size_t num_capath = 0; size_t num_capath = 0;
HDB *krbtgt_outdb; HDB *krbtgt_outdb;
hdb_entry_ex *krbtgt_out = NULL; hdb_entry *krbtgt_out = NULL;
PrincipalName *s; PrincipalName *s;
Realm r; Realm r;
@@ -1457,7 +1458,7 @@ server_lookup:
goto out; goto out;
} else if (ret == HDB_ERR_WRONG_REALM) { } else if (ret == HDB_ERR_WRONG_REALM) {
free(ref_realm); free(ref_realm);
ref_realm = strdup(server->entry.principal->realm); ref_realm = strdup(server->principal->realm);
if (ref_realm == NULL) { if (ref_realm == NULL) {
ret = krb5_enomem(context); ret = krb5_enomem(context);
goto out; goto out;
@@ -1579,8 +1580,8 @@ server_lookup:
* backend to override this by setting the force-canonicalize HDB * backend to override this by setting the force-canonicalize HDB
* flag in the server entry. * flag in the server entry.
*/ */
if (server->entry.flags.force_canonicalize) if (server->flags.force_canonicalize)
rsp = server->entry.principal; rsp = server->principal;
else else
rsp = priv->server_princ; rsp = priv->server_princ;
@@ -1614,7 +1615,7 @@ server_lookup:
HDB_F_GET_KRBTGT, NULL, &krbtgt_outdb, &krbtgt_out); HDB_F_GET_KRBTGT, NULL, &krbtgt_outdb, &krbtgt_out);
if (ret) { if (ret) {
char *ktpn = NULL; char *ktpn = NULL;
ret = krb5_unparse_name(context, priv->krbtgt->entry.principal, &ktpn); ret = krb5_unparse_name(context, priv->krbtgt->principal, &ktpn);
kdc_log(context, config, 4, kdc_log(context, config, 4,
"No such principal %s (needed for authz-data signature keys) " "No such principal %s (needed for authz-data signature keys) "
"while processing TGS-REQ for service %s with krbtg %s", "while processing TGS-REQ for service %s with krbtg %s",
@@ -1639,7 +1640,7 @@ server_lookup:
krb5uint32 *kvno_ptr = NULL; krb5uint32 *kvno_ptr = NULL;
size_t i; size_t i;
HDB *user2user_db; HDB *user2user_db;
hdb_entry_ex *user2user_client = NULL; hdb_entry *user2user_client = NULL;
krb5_boolean user2user_kdc_issued = FALSE; krb5_boolean user2user_kdc_issued = FALSE;
char *tpn; char *tpn;
@@ -1684,7 +1685,7 @@ server_lookup:
krb5_xfree(tpn); krb5_xfree(tpn);
goto out; goto out;
} }
ret = hdb_enctype2key(context, &user2user_krbtgt->entry, NULL, ret = hdb_enctype2key(context, user2user_krbtgt, NULL,
t->enc_part.etype, &uukey); t->enc_part.etype, &uukey);
if(ret){ if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
@@ -1832,7 +1833,7 @@ server_lookup:
goto out; goto out;
} }
ekey = &skey->key; ekey = &skey->key;
kvno = server->entry.kvno; kvno = server->kvno;
} }
ret = krb5_generate_random_keyblock(context, etype, &sessionkey); ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
@@ -1853,10 +1854,10 @@ server_lookup:
* the DB to possibly correct the case of the realm (Samba4 does * the DB to possibly correct the case of the realm (Samba4 does
* this) before the strcmp() * this) before the strcmp()
*/ */
if (strcmp(krb5_principal_get_realm(context, server->entry.principal), if (strcmp(krb5_principal_get_realm(context, server->principal),
krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) { krb5_principal_get_realm(context, krbtgt_out->principal)) != 0) {
char *ktpn; char *ktpn;
ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn); ret = krb5_unparse_name(context, krbtgt_out->principal, &ktpn);
kdc_log(context, config, 4, kdc_log(context, config, 4,
"Request with wrong krbtgt: %s", "Request with wrong krbtgt: %s",
(ret == 0) ? ktpn : "<unknown>"); (ret == 0) ? ktpn : "<unknown>");
@@ -1876,7 +1877,7 @@ server_lookup:
"Failed to find key for krbtgt PAC signature"); "Failed to find key for krbtgt PAC signature");
goto out; goto out;
} }
ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL, ret = hdb_enctype2key(context, krbtgt_out, NULL,
tkey_sign->key.keytype, &tkey_sign); tkey_sign->key.keytype, &tkey_sign);
if(ret) { if(ret) {
kdc_log(context, config, 4, kdc_log(context, config, 4,
@@ -1935,8 +1936,8 @@ server_lookup:
if((b->kdc_options.validate || b->kdc_options.renew) && if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context, !krb5_principal_compare(context,
priv->krbtgt->entry.principal, priv->krbtgt->principal,
priv->server->entry.principal)){ priv->server->principal)){
_kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request"); _kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request");
kdc_log(context, config, 4, "Inconsistent request."); kdc_log(context, config, 4, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH; ret = KRB5KDC_ERR_SERVER_NOMATCH;
@@ -2007,7 +2008,7 @@ server_lookup:
*/ */
if (kdc_issued && if (kdc_issued &&
!krb5_principal_is_krbtgt(context, server->entry.principal)) { !krb5_principal_is_krbtgt(context, server->principal)) {
/* Validate armor TGT before potentially including device claims */ /* Validate armor TGT before potentially including device claims */
if (priv->armor_ticket) { if (priv->armor_ticket) {
@@ -2024,7 +2025,7 @@ server_lookup:
* read-only-dc identifier, we need to embed it in the PAC KDC signatures. * read-only-dc identifier, we need to embed it in the PAC KDC signatures.
*/ */
rodc_id = krbtgt_out->entry.kvno >> 16; rodc_id = krbtgt_out->kvno >> 16;
/* /*
* *
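Review bot: The new `tgs_make_reply` parameter list (`hdb_entry *server`, `hdb_entry *client`) does not say which entries may be NULL, yet the body treats them differently: `client` is guarded (`if(client && client->max_life)`, `if(client && client->max_renew)`) while `server` is dereferenced unconditionally (`server->max_life`, `server->flags.ok_as_delegate`, `server->principal`). Now that the `.entry` indirection is gone and the pointer is the whole record, a one-line contract on the prototype would stop a future caller from passing a NULL server, e.g. `/* server must be non-NULL; client may be NULL (e.g. cross-realm or unknown client) */` next to the `hdb_entry *server,` line. The `_kdc_check_pac` and `_kdc_check_client_matches_target_service` prototypes earlier in this file section would benefit from the same nullability note on their `hdb_entry *` parameters, since `_kdc_check_pac` dereferences `server->principal` and `ticket_server->principal` without a guard. The enclosing functions start outside these hunks.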


@@ -254,7 +254,7 @@ is_local_realm(krb5_context context,
krb5_error_code ret; krb5_error_code ret;
krb5_principal tgs; krb5_principal tgs;
HDB *db; HDB *db;
hdb_entry_ex *ent = NULL; hdb_entry *ent = NULL;
ret = krb5_make_principal(context, &tgs, realm, KRB5_TGS_NAME, realm, ret = krb5_make_principal(context, &tgs, realm, KRB5_TGS_NAME, realm,
NULL); NULL);


@@ -67,11 +67,11 @@ synthesize_client(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
krb5_const_principal princ, krb5_const_principal princ,
HDB **db, HDB **db,
hdb_entry_ex **h) hdb_entry **h)
{ {
static HDB null_db; static HDB null_db;
krb5_error_code ret; krb5_error_code ret;
hdb_entry_ex *e; hdb_entry *e;
/* Hope this works! */ /* Hope this works! */
null_db.hdb_destroy = synthesize_hdb_close; null_db.hdb_destroy = synthesize_hdb_close;
@@ -81,40 +81,40 @@ synthesize_client(krb5_context context,
ret = (e = calloc(1, sizeof(*e))) ? 0 : krb5_enomem(context); ret = (e = calloc(1, sizeof(*e))) ? 0 : krb5_enomem(context);
if (ret == 0) { if (ret == 0) {
e->entry.flags.client = 1; e->flags.client = 1;
e->entry.flags.immutable = 1; e->flags.immutable = 1;
e->entry.flags.virtual = 1; e->flags.virtual = 1;
e->entry.flags.synthetic = 1; e->flags.synthetic = 1;
e->entry.flags.do_not_store = 1; e->flags.do_not_store = 1;
e->entry.kvno = 1; e->kvno = 1;
e->entry.keys.len = 0; e->keys.len = 0;
e->entry.keys.val = NULL; e->keys.val = NULL;
e->entry.created_by.time = time(NULL); e->created_by.time = time(NULL);
e->entry.modified_by = NULL; e->modified_by = NULL;
e->entry.valid_start = NULL; e->valid_start = NULL;
e->entry.valid_end = NULL; e->valid_end = NULL;
e->entry.pw_end = NULL; e->pw_end = NULL;
e->entry.etypes = NULL; e->etypes = NULL;
e->entry.generation = NULL; e->generation = NULL;
e->entry.extensions = NULL; e->extensions = NULL;
} }
if (ret == 0) if (ret == 0)
ret = (e->entry.max_renew = calloc(1, sizeof(*e->entry.max_renew))) ? ret = (e->max_renew = calloc(1, sizeof(*e->max_renew))) ?
0 : krb5_enomem(context); 0 : krb5_enomem(context);
if (ret == 0) if (ret == 0)
ret = (e->entry.max_life = calloc(1, sizeof(*e->entry.max_life))) ? ret = (e->max_life = calloc(1, sizeof(*e->max_life))) ?
0 : krb5_enomem(context); 0 : krb5_enomem(context);
if (ret == 0) if (ret == 0)
ret = krb5_copy_principal(context, princ, &e->entry.principal); ret = krb5_copy_principal(context, princ, &e->principal);
if (ret == 0) if (ret == 0)
ret = krb5_copy_principal(context, princ, &e->entry.created_by.principal); ret = krb5_copy_principal(context, princ, &e->created_by.principal);
if (ret == 0) { if (ret == 0) {
/* /*
* We can't check OCSP in the TGS path, so we can't let tickets for * We can't check OCSP in the TGS path, so we can't let tickets for
* synthetic principals live very long. * synthetic principals live very long.
*/ */
*(e->entry.max_renew) = config->synthetic_clients_max_renew; *(e->max_renew) = config->synthetic_clients_max_renew;
*(e->entry.max_life) = config->synthetic_clients_max_life; *(e->max_life) = config->synthetic_clients_max_life;
*h = e; *h = e;
} else { } else {
hdb_free_entry(context, &null_db, e); hdb_free_entry(context, &null_db, e);
@@ -129,9 +129,9 @@ _kdc_db_fetch(krb5_context context,
unsigned flags, unsigned flags,
krb5uint32 *kvno_ptr, krb5uint32 *kvno_ptr,
HDB **db, HDB **db,
hdb_entry_ex **h) hdb_entry **h)
{ {
hdb_entry_ex *ent = NULL; hdb_entry *ent = NULL;
krb5_error_code ret = HDB_ERR_NOENTRY; krb5_error_code ret = HDB_ERR_NOENTRY;
int i; int i;
unsigned kvno = 0; unsigned kvno = 0;
@@ -246,7 +246,7 @@ out:
} }
KDC_LIB_FUNCTION void KDC_LIB_CALL KDC_LIB_FUNCTION void KDC_LIB_CALL
_kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent) _kdc_free_ent(krb5_context context, HDB *db, hdb_entry *ent)
{ {
hdb_free_entry (context, db, ent); hdb_free_entry (context, db, ent);
free (ent); free (ent);
@@ -260,7 +260,7 @@ _kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent)
krb5_error_code krb5_error_code
_kdc_get_preferred_key(krb5_context context, _kdc_get_preferred_key(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
hdb_entry_ex *h, hdb_entry *h,
const char *name, const char *name,
krb5_enctype *enctype, krb5_enctype *enctype,
Key **key) Key **key)
@@ -273,9 +273,9 @@ _kdc_get_preferred_key(krb5_context context,
for (i = 0; p[i] != (krb5_enctype)ETYPE_NULL; i++) { for (i = 0; p[i] != (krb5_enctype)ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0 && if (krb5_enctype_valid(context, p[i]) != 0 &&
!_kdc_is_weak_exception(h->entry.principal, p[i])) !_kdc_is_weak_exception(h->principal, p[i]))
continue; continue;
ret = hdb_enctype2key(context, &h->entry, NULL, p[i], key); ret = hdb_enctype2key(context, h, NULL, p[i], key);
if (ret != 0) if (ret != 0)
continue; continue;
if (enctype != NULL) if (enctype != NULL)
@@ -285,12 +285,12 @@ _kdc_get_preferred_key(krb5_context context,
} else { } else {
*key = NULL; *key = NULL;
for (i = 0; i < h->entry.keys.len; i++) { for (i = 0; i < h->keys.len; i++) {
if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype) != 0 && if (krb5_enctype_valid(context, h->keys.val[i].key.keytype) != 0 &&
!_kdc_is_weak_exception(h->entry.principal, h->entry.keys.val[i].key.keytype)) !_kdc_is_weak_exception(h->principal, h->keys.val[i].key.keytype))
continue; continue;
ret = hdb_enctype2key(context, &h->entry, NULL, ret = hdb_enctype2key(context, h, NULL,
h->entry.keys.val[i].key.keytype, key); h->keys.val[i].key.keytype, key);
if (ret != 0) if (ret != 0)
continue; continue;
if (enctype != NULL) if (enctype != NULL)
@@ -334,9 +334,9 @@ _kdc_verify_checksum(krb5_context context,
krb5_boolean krb5_boolean
_kdc_include_pac_p(astgs_request_t r) _kdc_include_pac_p(astgs_request_t r)
{ {
if (krb5_principal_is_krbtgt(r->context, r->server->entry.principal)) if (krb5_principal_is_krbtgt(r->context, r->server->principal))
return TRUE; return TRUE;
else if (r->server->entry.flags.no_auth_data_reqd) else if (r->server->flags.no_auth_data_reqd)
return FALSE; return FALSE;
return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY)); return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));


@@ -146,7 +146,7 @@ mit_prop_dump(void *arg, const char *file)
char *line = NULL; char *line = NULL;
int lineno = 0; int lineno = 0;
FILE *f; FILE *f;
struct hdb_entry_ex ent; hdb_entry ent;
struct prop_data *pd = arg; struct prop_data *pd = arg;
krb5_storage *sp = NULL; krb5_storage *sp = NULL;
krb5_data kdb_ent; krb5_data kdb_ent;
@@ -202,7 +202,7 @@ mit_prop_dump(void *arg, const char *file)
} }
ret = krb5_storage_to_data(sp, &kdb_ent); ret = krb5_storage_to_data(sp, &kdb_ent);
if (ret) break; if (ret) break;
ret = _hdb_mdb_value2entry(pd->context, &kdb_ent, 0, &ent.entry); ret = _hdb_mdb_value2entry(pd->context, &kdb_ent, 0, &ent);
krb5_data_free(&kdb_ent); krb5_data_free(&kdb_ent);
if (ret) { if (ret) {
warnx("line: %d: failed to store; ignoring", lineno); warnx("line: %d: failed to store; ignoring", lineno);


@@ -47,8 +47,8 @@ static krb5_error_code
check_constrained_delegation(krb5_context context, check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
HDB *clientdb, HDB *clientdb,
hdb_entry_ex *client, hdb_entry *client,
hdb_entry_ex *server, hdb_entry *server,
krb5_const_principal target) krb5_const_principal target)
{ {
const HDB_Ext_Constrained_delegation_acl *acl; const HDB_Ext_Constrained_delegation_acl *acl;
@@ -61,7 +61,7 @@ check_constrained_delegation(krb5_context context,
* of the principals here, while "target" is the principal * of the principals here, while "target" is the principal
* provided by the client. * provided by the client.
*/ */
if (!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) { if (!krb5_realm_compare(context, client->principal, server->principal)) {
ret = KRB5KDC_ERR_BADOPTION; ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 4, kdc_log(context, config, 4,
"Bad request for constrained delegation"); "Bad request for constrained delegation");
@@ -74,10 +74,10 @@ check_constrained_delegation(krb5_context context,
return 0; return 0;
} else { } else {
/* if client delegates to itself, that ok */ /* if client delegates to itself, that ok */
if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE) if (krb5_principal_compare(context, client->principal, server->principal) == TRUE)
return 0; return 0;
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); ret = hdb_entry_get_ConstrainedDelegACL(client, &acl);
if (ret) { if (ret) {
krb5_clear_error_message(context); krb5_clear_error_message(context);
return ret; return ret;
@@ -101,7 +101,7 @@ update_client_names(astgs_request_t r,
char **s4ucname, char **s4ucname,
krb5_principal *s4u_client_name, krb5_principal *s4u_client_name,
HDB **s4u_clientdb, HDB **s4u_clientdb,
hdb_entry_ex **s4u_client, hdb_entry **s4u_client,
krb5_principal *s4u_canon_client_name, krb5_principal *s4u_canon_client_name,
krb5_pac *s4u_pac) krb5_pac *s4u_pac)
{ {
@@ -139,7 +139,7 @@ validate_protocol_transition(astgs_request_t r)
krb5_error_code ret; krb5_error_code ret;
KDC_REQ_BODY *b = &r->req.req_body; KDC_REQ_BODY *b = &r->req.req_body;
EncTicketPart *ticket = &r->ticket->ticket; EncTicketPart *ticket = &r->ticket->ticket;
hdb_entry_ex *s4u_client = NULL; hdb_entry *s4u_client = NULL;
HDB *s4u_clientdb; HDB *s4u_clientdb;
int flags = HDB_F_FOR_TGS_REQ; int flags = HDB_F_FOR_TGS_REQ;
krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL; krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
@@ -275,15 +275,16 @@ validate_protocol_transition(astgs_request_t r)
* Ignore require_pwchange and pw_end attributes (as Windows does), * Ignore require_pwchange and pw_end attributes (as Windows does),
* since S4U2Self is not password authentication. * since S4U2Self is not password authentication.
*/ */
s4u_client->entry.flags.require_pwchange = FALSE; s4u_client->flags.require_pwchange = FALSE;
free(s4u_client->entry.pw_end); free(s4u_client->pw_end);
s4u_client->entry.pw_end = NULL; s4u_client->pw_end = NULL;
ret = kdc_check_flags(r, FALSE, s4u_client, r->server); ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
if (ret) if (ret)
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */ goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
ret = _kdc_pac_generate(r->context, ret = _kdc_pac_generate(r->context,
r->config,
s4u_client, s4u_client,
r->server, r->server,
NULL, NULL,
@@ -312,7 +313,7 @@ validate_protocol_transition(astgs_request_t r)
goto out; goto out;
} }
ret = krb5_copy_principal(r->context, s4u_client->entry.principal, ret = krb5_copy_principal(r->context, s4u_client->principal,
&s4u_canon_client_name); &s4u_canon_client_name);
if (ret) if (ret)
goto out; goto out;
@@ -322,8 +323,8 @@ validate_protocol_transition(astgs_request_t r)
* delegation or if the impersonate client is disallowed * delegation or if the impersonate client is disallowed
* forwardable, remove the forwardable flag. * forwardable, remove the forwardable flag.
*/ */
if (r->client->entry.flags.trusted_for_delegation && if (r->client->flags.trusted_for_delegation &&
s4u_client->entry.flags.forwardable) { s4u_client->flags.forwardable) {
str = "[forwardable]"; str = "[forwardable]";
} else { } else {
b->kdc_options.forwardable = 0; b->kdc_options.forwardable = 0;
@@ -373,7 +374,7 @@ validate_constrained_delegation(astgs_request_t r)
char *s4ucname = NULL, *s4usname = NULL; char *s4ucname = NULL, *s4usname = NULL;
EncTicketPart evidence_tkt; EncTicketPart evidence_tkt;
HDB *s4u_clientdb; HDB *s4u_clientdb;
hdb_entry_ex *s4u_client = NULL; hdb_entry *s4u_client = NULL;
krb5_boolean ad_kdc_issued = FALSE; krb5_boolean ad_kdc_issued = FALSE;
Key *clientkey; Key *clientkey;
Ticket *t; Ticket *t;
@@ -388,7 +389,7 @@ validate_constrained_delegation(astgs_request_t r)
memset(&evidence_tkt, 0, sizeof(evidence_tkt)); memset(&evidence_tkt, 0, sizeof(evidence_tkt));
local_realm = local_realm =
krb5_principal_get_comp_string(r->context, r->krbtgt->entry.principal, 1); krb5_principal_get_comp_string(r->context, r->krbtgt->principal, 1);
/* /*
* We require that the service's TGT has a PAC; this will have been * We require that the service's TGT has a PAC; this will have been
@@ -405,8 +406,8 @@ validate_constrained_delegation(astgs_request_t r)
t = &b->additional_tickets->val[0]; t = &b->additional_tickets->val[0];
ret = hdb_enctype2key(r->context, &r->client->entry, ret = hdb_enctype2key(r->context, r->client,
hdb_kvno2keys(r->context, &r->client->entry, hdb_kvno2keys(r->context, r->client,
t->enc_part.kvno ? * t->enc_part.kvno : 0), t->enc_part.kvno ? * t->enc_part.kvno : 0),
t->enc_part.etype, &clientkey); t->enc_part.etype, &clientkey);
if (ret) { if (ret) {
@@ -530,7 +531,7 @@ validate_constrained_delegation(astgs_request_t r)
* can insert the canonical client name ourselves. * can insert the canonical client name ourselves.
*/ */
if (s4u_canon_client_name == NULL && s4u_client != NULL) { if (s4u_canon_client_name == NULL && s4u_client != NULL) {
ret = krb5_copy_principal(r->context, s4u_client->entry.principal, ret = krb5_copy_principal(r->context, s4u_client->principal,
&s4u_canon_client_name); &s4u_canon_client_name);
if (ret) if (ret)
goto out; goto out;
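Review bot: The `r->config` argument added to the `_kdc_pac_generate()` call in validate_protocol_transition is the only change in this file that is not the `hdb_entry_ex` → `hdb_entry` rename, and the commit message says nothing about it; a prototype change that every caller of `_kdc_pac_generate()` has to follow should be named in the description (or split into its own commit) so it is not lost inside a 50-file mechanical refactor. The S4U2Self lines just above it still clear `flags.require_pwchange` and `free()` `pw_end` on the fetched `s4u_client` entry before `kdc_check_flags()`; that relies on the entry being a private heap copy later released through `hdb_free_entry()`, which is worth stating now that hdb_entry carries a backend-managed `context` member, e.g. `/* s4u_client is our own copy from the HDB fetch; mutating it does not touch the backend */` — I am inferring the fetch path from the `HDB *s4u_clientdb` local rather than from lines in the hunk. validate_protocol_transition starts and ends outside the hunk.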


@@ -388,7 +388,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
krb5_context context = priv->context; krb5_context context = priv->context;
krb5_kdc_configuration *config = priv->config; krb5_kdc_configuration *config = priv->config;
const KDC_REQ *req = &priv->req; const KDC_REQ *req = &priv->req;
hdb_entry_ex *client = priv->client; hdb_entry *client = priv->client;
pk_client_params *cp; pk_client_params *cp;
krb5_error_code ret; krb5_error_code ret;
heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL }; heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL };
@@ -431,7 +431,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
} }
/* Add any registered certificates for this client as trust anchors */ /* Add any registered certificates for this client as trust anchors */
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc); ret = hdb_entry_get_pkinit_cert(client, &pc);
if (ret == 0 && pc != NULL) { if (ret == 0 && pc != NULL) {
hx509_cert cert; hx509_cert cert;
unsigned int i; unsigned int i;
@@ -467,7 +467,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
type = "PK-INIT-Win2k"; type = "PK-INIT-Win2k";
if (_kdc_is_anonymous(context, client->entry.principal)) { if (_kdc_is_anonymous(context, client->principal)) {
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
krb5_set_error_message(context, ret, krb5_set_error_message(context, ret,
"Anonymous client not supported in RSA mode"); "Anonymous client not supported in RSA mode");
@@ -613,7 +613,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
hx509_certs signer_certs; hx509_certs signer_certs;
int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */ int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */
if (_kdc_is_anonymous(context, client->entry.principal) if (_kdc_is_anonymous(context, client->principal)
|| (config->historical_anon_realm && _kdc_is_anon_request(req))) || (config->historical_anon_realm && _kdc_is_anon_request(req)))
flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER; flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
@@ -699,7 +699,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
goto out; goto out;
} }
if (_kdc_is_anonymous(context, client->entry.principal) && if (_kdc_is_anonymous(context, client->principal) &&
ap.clientPublicValue == NULL) { ap.clientPublicValue == NULL) {
free_AuthPack(&ap); free_AuthPack(&ap);
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
@@ -1598,7 +1598,7 @@ match_ms_upn_san(krb5_context context,
hx509_context hx509ctx, hx509_context hx509ctx,
hx509_cert client_cert, hx509_cert client_cert,
HDB *clientdb, HDB *clientdb,
hdb_entry_ex *client) hdb_entry *client)
{ {
hx509_octet_string_list list; hx509_octet_string_list list;
krb5_principal principal = NULL; krb5_principal principal = NULL;
@@ -1652,7 +1652,7 @@ match_ms_upn_san(krb5_context context,
*/ */
strupr(principal->realm); strupr(principal->realm);
if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE) if (krb5_principal_compare(context, principal, client->principal) == FALSE)
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
} }
@@ -1671,7 +1671,7 @@ _kdc_pk_check_client(astgs_request_t r,
{ {
krb5_kdc_configuration *config = r->config; krb5_kdc_configuration *config = r->config;
HDB *clientdb = r->clientdb; HDB *clientdb = r->clientdb;
hdb_entry_ex *client = r->client; hdb_entry *client = r->client;
const HDB_Ext_PKINIT_acl *acl; const HDB_Ext_PKINIT_acl *acl;
const HDB_Ext_PKINIT_cert *pc; const HDB_Ext_PKINIT_cert *pc;
krb5_error_code ret; krb5_error_code ret;
@@ -1679,7 +1679,7 @@ _kdc_pk_check_client(astgs_request_t r,
size_t i; size_t i;
if (cp->cert == NULL) { if (cp->cert == NULL) {
if (!_kdc_is_anonymous(r->context, client->entry.principal) if (!_kdc_is_anonymous(r->context, client->principal)
&& !config->historical_anon_realm) && !config->historical_anon_realm)
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
@@ -1716,7 +1716,7 @@ _kdc_pk_check_client(astgs_request_t r,
"Trying to authorize PKINIT subject DN %s", "Trying to authorize PKINIT subject DN %s",
*subject_name); *subject_name);
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc); ret = hdb_entry_get_pkinit_cert(client, &pc);
if (ret == 0 && pc) { if (ret == 0 && pc) {
hx509_cert cert; hx509_cert cert;
size_t j; size_t j;
@@ -1743,7 +1743,7 @@ _kdc_pk_check_client(astgs_request_t r,
ret = match_rfc_san(r->context, config, ret = match_rfc_san(r->context, config,
r->context->hx509ctx, r->context->hx509ctx,
cp->cert, cp->cert,
client->entry.principal); client->principal);
if (ret == 0) { if (ret == 0) {
kdc_log(r->context, config, 5, kdc_log(r->context, config, 5,
"Found matching PKINIT SAN in certificate"); "Found matching PKINIT SAN in certificate");
@@ -1761,7 +1761,7 @@ _kdc_pk_check_client(astgs_request_t r,
} }
} }
ret = hdb_entry_get_pkinit_acl(&client->entry, &acl); ret = hdb_entry_get_pkinit_acl(client, &acl);
if (ret == 0 && acl != NULL) { if (ret == 0 && acl != NULL) {
/* /*
* Cheat here and compare the generated name with the string * Cheat here and compare the generated name with the string
@@ -1787,7 +1787,7 @@ _kdc_pk_check_client(astgs_request_t r,
krb5_boolean b; krb5_boolean b;
b = krb5_principal_compare(r->context, b = krb5_principal_compare(r->context,
client->entry.principal, client->principal,
principal_mappings.val[i].principal); principal_mappings.val[i].principal);
if (b == FALSE) if (b == FALSE)
continue; continue;


@@ -148,7 +148,7 @@ fetch_entry_or_alias(krb5_context context,
HDB *db, HDB *db,
krb5_const_principal principal, krb5_const_principal principal,
unsigned flags, unsigned flags,
hdb_entry_ex *entry) hdb_entry *entry)
{ {
HDB_EntryOrAlias eoa; HDB_EntryOrAlias eoa;
krb5_principal enterprise_principal = NULL; krb5_principal enterprise_principal = NULL;
@@ -180,7 +180,7 @@ fetch_entry_or_alias(krb5_context context,
if (ret == 0) if (ret == 0)
ret = decode_HDB_EntryOrAlias(value.data, value.length, &eoa, NULL); ret = decode_HDB_EntryOrAlias(value.data, value.length, &eoa, NULL);
if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_entry) { if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_entry) {
entry->entry = eoa.u.entry; *entry = eoa.u.entry;
} else if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias) { } else if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias) {
krb5_data_free(&key); krb5_data_free(&key);
ret = hdb_principal2key(context, eoa.u.alias.principal, &key); ret = hdb_principal2key(context, eoa.u.alias.principal, &key);
@@ -190,7 +190,7 @@ fetch_entry_or_alias(krb5_context context,
} }
if (ret == 0) if (ret == 0)
/* No alias chaining */ /* No alias chaining */
ret = hdb_value2entry(context, &value, &entry->entry); ret = hdb_value2entry(context, &value, entry);
krb5_free_principal(context, eoa.u.alias.principal); krb5_free_principal(context, eoa.u.alias.principal);
} else if (ret == 0) } else if (ret == 0)
ret = ENOTSUP; ret = ENOTSUP;
@@ -200,7 +200,7 @@ fetch_entry_or_alias(krb5_context context,
* the canonicalize flag is unset, the original specification in * the canonicalize flag is unset, the original specification in
* draft-ietf-krb-wg-kerberos-referrals-03.txt says we should. * draft-ietf-krb-wg-kerberos-referrals-03.txt says we should.
*/ */
entry->entry.flags.force_canonicalize = 1; entry->flags.force_canonicalize = 1;
} }
/* HDB_F_GET_ANY indicates request originated from KDC (not kadmin) */ /* HDB_F_GET_ANY indicates request originated from KDC (not kadmin) */
@@ -208,7 +208,7 @@ fetch_entry_or_alias(krb5_context context,
(flags & (HDB_F_CANON|HDB_F_GET_ANY)) == 0) { (flags & (HDB_F_CANON|HDB_F_GET_ANY)) == 0) {
/* `principal' was alias but canon not req'd */ /* `principal' was alias but canon not req'd */
free_HDB_entry(&entry->entry); free_HDB_entry(entry);
ret = HDB_ERR_NOENTRY; ret = HDB_ERR_NOENTRY;
} }
@@ -221,7 +221,7 @@ fetch_entry_or_alias(krb5_context context,
krb5_error_code krb5_error_code
_hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry) unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -231,21 +231,21 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) { if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) {
/* Decrypt the current keys */ /* Decrypt the current keys */
ret = hdb_unseal_keys(context, db, &entry->entry); ret = hdb_unseal_keys(context, db, entry);
if (ret) { if (ret) {
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
return ret; return ret;
} }
/* Decrypt the key history too */ /* Decrypt the key history too */
ret = hdb_unseal_keys_kvno(context, db, 0, flags, &entry->entry); ret = hdb_unseal_keys_kvno(context, db, 0, flags, entry);
if (ret) { if (ret) {
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
return ret; return ret;
} }
} else if ((flags & HDB_F_DECRYPT)) { } else if ((flags & HDB_F_DECRYPT)) {
if ((flags & HDB_F_KVNO_SPECIFIED) == 0 || kvno == entry->entry.kvno) { if ((flags & HDB_F_KVNO_SPECIFIED) == 0 || kvno == entry->kvno) {
/* Decrypt the current keys */ /* Decrypt the current keys */
ret = hdb_unseal_keys(context, db, &entry->entry); ret = hdb_unseal_keys(context, db, entry);
if (ret) { if (ret) {
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
return ret; return ret;
@@ -257,7 +257,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
* Find and decrypt the keys from the history that we want, * Find and decrypt the keys from the history that we want,
* and swap them with the current keys * and swap them with the current keys
*/ */
ret = hdb_unseal_keys_kvno(context, db, kvno, flags, &entry->entry); ret = hdb_unseal_keys_kvno(context, db, kvno, flags, entry);
if (ret) { if (ret) {
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
return ret; return ret;
@@ -271,7 +271,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
* key was generated, but given the salt will be ignored by a keytab * key was generated, but given the salt will be ignored by a keytab
* client it doesn't hurt to include the default salt. * client it doesn't hurt to include the default salt.
*/ */
ret = add_default_salts(context, db, &entry->entry); ret = add_default_salts(context, db, entry);
if (ret) { if (ret) {
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
return ret; return ret;
@@ -325,20 +325,20 @@ hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key)
static krb5_error_code static krb5_error_code
hdb_add_aliases(krb5_context context, HDB *db, hdb_add_aliases(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry) unsigned flags, hdb_entry *entry)
{ {
const HDB_Ext_Aliases *aliases; const HDB_Ext_Aliases *aliases;
krb5_error_code code; krb5_error_code code;
krb5_data key, value; krb5_data key, value;
size_t i; size_t i;
code = hdb_entry_get_aliases(&entry->entry, &aliases); code = hdb_entry_get_aliases(entry, &aliases);
if (code || aliases == NULL) if (code || aliases == NULL)
return code; return code;
for (i = 0; i < aliases->aliases.len; i++) { for (i = 0; i < aliases->aliases.len; i++) {
hdb_entry_alias entryalias; hdb_entry_alias entryalias;
entryalias.principal = entry->entry.principal; entryalias.principal = entry->principal;
code = hdb_entry_alias2value(context, &entryalias, &value); code = hdb_entry_alias2value(context, &entryalias, &value);
if (code) if (code)
@@ -358,7 +358,7 @@ hdb_add_aliases(krb5_context context, HDB *db,
/* Check if new aliases are already used for other entries */ /* Check if new aliases are already used for other entries */
static krb5_error_code static krb5_error_code
hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry) hdb_check_aliases(krb5_context context, HDB *db, hdb_entry *entry)
{ {
const HDB_Ext_Aliases *aliases = NULL; const HDB_Ext_Aliases *aliases = NULL;
HDB_EntryOrAlias eoa; HDB_EntryOrAlias eoa;
@@ -370,7 +370,7 @@ hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
krb5_data_zero(&value); krb5_data_zero(&value);
akey = value; akey = value;
ret = hdb_entry_get_aliases(&entry->entry, &aliases); ret = hdb_entry_get_aliases(entry, &aliases);
for (i = 0; ret == 0 && aliases && i < aliases->aliases.len; i++) { for (i = 0; ret == 0 && aliases && i < aliases->aliases.len; i++) {
ret = hdb_principal2key(context, &aliases->aliases.val[i], &akey); ret = hdb_principal2key(context, &aliases->aliases.val[i], &akey);
if (ret == 0) if (ret == 0)
@@ -385,7 +385,7 @@ hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
ret = HDB_ERR_EXISTS; ret = HDB_ERR_EXISTS;
if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias && if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias &&
!krb5_principal_compare(context, eoa.u.alias.principal, !krb5_principal_compare(context, eoa.u.alias.principal,
entry->entry.principal)) entry->principal))
/* New alias names an existing alias of a different entry */ /* New alias names an existing alias of a different entry */
ret = HDB_ERR_EXISTS; ret = HDB_ERR_EXISTS;
if (ret == HDB_ERR_NOENTRY) /* from db->hdb__get */ if (ret == HDB_ERR_NOENTRY) /* from db->hdb__get */
@@ -459,13 +459,13 @@ hdb_derive_etypes(krb5_context context, hdb_entry *e, HDB_Ext_KeySet *base_keys)
} }
krb5_error_code krb5_error_code
_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
krb5_data key, value; krb5_data key, value;
int code; int code;
if (entry->entry.flags.do_not_store || if (entry->flags.do_not_store ||
entry->entry.flags.force_canonicalize) entry->flags.force_canonicalize)
return HDB_ERR_MISUSE; return HDB_ERR_MISUSE;
/* check if new aliases already is used */ /* check if new aliases already is used */
code = hdb_check_aliases(context, db, entry); code = hdb_check_aliases(context, db, entry);
@@ -476,7 +476,7 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return 0; return 0;
if ((flags & HDB_F_PRECHECK)) { if ((flags & HDB_F_PRECHECK)) {
code = hdb_principal2key(context, entry->entry.principal, &key); code = hdb_principal2key(context, entry->principal, &key);
if (code) if (code)
return code; return code;
code = db->hdb__get(context, db, key, &value); code = db->hdb__get(context, db, key, &value);
@@ -488,29 +488,29 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return code ? code : HDB_ERR_EXISTS; return code ? code : HDB_ERR_EXISTS;
} }
if ((entry->entry.etypes == NULL || entry->entry.etypes->len == 0) && if ((entry->etypes == NULL || entry->etypes->len == 0) &&
(code = hdb_derive_etypes(context, &entry->entry, NULL))) (code = hdb_derive_etypes(context, entry, NULL)))
return code; return code;
if (entry->entry.generation == NULL) { if (entry->generation == NULL) {
struct timeval t; struct timeval t;
entry->entry.generation = malloc(sizeof(*entry->entry.generation)); entry->generation = malloc(sizeof(*entry->generation));
if(entry->entry.generation == NULL) { if(entry->generation == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM; return ENOMEM;
} }
gettimeofday(&t, NULL); gettimeofday(&t, NULL);
entry->entry.generation->time = t.tv_sec; entry->generation->time = t.tv_sec;
entry->entry.generation->usec = t.tv_usec; entry->generation->usec = t.tv_usec;
entry->entry.generation->gen = 0; entry->generation->gen = 0;
} else } else
entry->entry.generation->gen++; entry->generation->gen++;
code = hdb_seal_keys(context, db, &entry->entry); code = hdb_seal_keys(context, db, entry);
if (code) if (code)
return code; return code;
code = hdb_principal2key(context, entry->entry.principal, &key); code = hdb_principal2key(context, entry->principal, &key);
if (code) if (code)
return code; return code;
@@ -520,7 +520,7 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
krb5_data_free(&key); krb5_data_free(&key);
return code; return code;
} }
hdb_entry2value(context, &entry->entry, &value); hdb_entry2value(context, entry, &value);
code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value); code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value);
krb5_data_free(&value); krb5_data_free(&value);
krb5_data_free(&key); krb5_data_free(&key);
@@ -722,7 +722,7 @@ derive_keyset(krb5_context context,
/* Possibly derive and install in `h' a keyset identified by `t' */ /* Possibly derive and install in `h' a keyset identified by `t' */
static krb5_error_code static krb5_error_code
derive_keys_for_kr(krb5_context context, derive_keys_for_kr(krb5_context context,
hdb_entry_ex *h, hdb_entry *h,
HDB_Ext_KeySet *base_keys, HDB_Ext_KeySet *base_keys,
int is_current_keyset, int is_current_keyset,
int rotation_period_offset, int rotation_period_offset,
@@ -796,7 +796,7 @@ derive_keys_for_kr(krb5_context context,
ret = derive_keyset(context, &base_keys->val[i].keys, princ, etype, kvno, ret = derive_keyset(context, &base_keys->val[i].keys, princ, etype, kvno,
set_time, &dks); set_time, &dks);
if (ret == 0) if (ret == 0)
ret = hdb_install_keyset(context, &h->entry, is_current_keyset, &dks); ret = hdb_install_keyset(context, h, is_current_keyset, &dks);
free_HDB_keyset(&dks); free_HDB_keyset(&dks);
return ret; return ret;
@@ -805,7 +805,7 @@ derive_keys_for_kr(krb5_context context,
/* Derive and install current keys, and possibly preceding or next keys */ /* Derive and install current keys, and possibly preceding or next keys */
static krb5_error_code static krb5_error_code
derive_keys_for_current_kr(krb5_context context, derive_keys_for_current_kr(krb5_context context,
hdb_entry_ex *h, hdb_entry *h,
HDB_Ext_KeySet *base_keys, HDB_Ext_KeySet *base_keys,
const char *princ, const char *princ,
unsigned int flags, unsigned int flags,
@@ -871,12 +871,12 @@ derive_keys_for_current_kr(krb5_context context,
* Arguments: * Arguments:
* *
* - `flags' is the flags passed to `hdb_fetch_kvno()' * - `flags' is the flags passed to `hdb_fetch_kvno()'
* - `princ' is the name of the principal we'll end up with in `h->entry' * - `princ' is the name of the principal we'll end up with in `entry'
* - `h_is_namespace' indicates whether `h' is for a namespace or a concrete * - `h_is_namespace' indicates whether `h' is for a namespace or a concrete
* principal (that might nonetheless have virtual/derived keys) * principal (that might nonetheless have virtual/derived keys)
* - `t' is the time such that the derived keys are for kvnos needed at `t' * - `t' is the time such that the derived keys are for kvnos needed at `t'
* - `etype' indicates what enctype to derive keys for (0 for all enctypes in * - `etype' indicates what enctype to derive keys for (0 for all enctypes in
* `h->entry.etypes') * `entry->etypes')
* - `kvno' requests a particular kvno, or all if zero * - `kvno' requests a particular kvno, or all if zero
* *
* The caller doesn't know if the principal needs key derivation -- we make * The caller doesn't know if the principal needs key derivation -- we make
@@ -968,7 +968,7 @@ derive_keys(krb5_context context,
krb5_timestamp t, krb5_timestamp t,
krb5int32 etype, krb5int32 etype,
krb5uint32 kvno, krb5uint32 kvno,
hdb_entry_ex *h) hdb_entry *h)
{ {
HDB_Ext_KeyRotation kr; HDB_Ext_KeyRotation kr;
HDB_Ext_KeySet base_keys; HDB_Ext_KeySet base_keys;
@@ -977,9 +977,9 @@ derive_keys(krb5_context context,
char *p = NULL; char *p = NULL;
int valid = 1; int valid = 1;
if (!h_is_namespace && !h->entry.flags.virtual_keys) if (!h_is_namespace && !h->flags.virtual_keys)
return 0; return 0;
h->entry.flags.virtual = 1; h->flags.virtual = 1;
kr.len = 0; kr.len = 0;
kr.val = 0; kr.val = 0;
@@ -987,7 +987,7 @@ derive_keys(krb5_context context,
const HDB_Ext_KeyRotation *ckr; const HDB_Ext_KeyRotation *ckr;
/* Installing keys invalidates `ckr', so we copy it */ /* Installing keys invalidates `ckr', so we copy it */
ret = hdb_entry_get_key_rotation(context, &h->entry, &ckr); ret = hdb_entry_get_key_rotation(context, h, &ckr);
if (!ckr) if (!ckr)
return ret; return ret;
if (ret == 0) if (ret == 0)
@@ -998,11 +998,11 @@ derive_keys(krb5_context context,
base_keys.val = 0; base_keys.val = 0;
base_keys.len = 0; base_keys.len = 0;
if (ret == 0) if (ret == 0)
ret = hdb_remove_base_keys(context, &h->entry, &base_keys); ret = hdb_remove_base_keys(context, h, &base_keys);
/* Make sure we have h->entry.etypes */ /* Make sure we have h->etypes */
if (ret == 0 && !h->entry.etypes) if (ret == 0 && !h->etypes)
ret = hdb_derive_etypes(context, &h->entry, &base_keys); ret = hdb_derive_etypes(context, h, &base_keys);
/* Keys not desired? Don't derive them! */ /* Keys not desired? Don't derive them! */
if (ret || !(flags & HDB_F_DECRYPT)) { if (ret || !(flags & HDB_F_DECRYPT)) {
@@ -1094,10 +1094,10 @@ derive_keys(krb5_context context,
/* /*
* Derive and set in `h' its current kvno and current keys. * Derive and set in `h' its current kvno and current keys.
* *
* This will set h->entry.kvno as well. * This will set h->kvno as well.
* *
* This may set up to TWO keysets for the current key rotation period: * This may set up to TWO keysets for the current key rotation period:
* - current keys (h->entry.keys and h->entry.kvno) * - current keys (h->keys and h->kvno)
* - possibly one future * - possibly one future
* OR * OR
* possibly one past keyset in hist_keys for the current_kr * possibly one past keyset in hist_keys for the current_kr
@@ -1130,14 +1130,14 @@ derive_keys(krb5_context context,
kr.val[current_kr].epoch - 1, &kr.val[past_kr]); kr.val[current_kr].epoch - 1, &kr.val[past_kr]);
/* /*
* Impose a bound on h->entry.max_life so that [when the KDC is the caller] * Impose a bound on h->max_life so that [when the KDC is the caller]
* the KDC won't issue tickets longer lived than this. * the KDC won't issue tickets longer lived than this.
*/ */
if (ret == 0 && !h->entry.max_life && if (ret == 0 && !h->max_life &&
(h->entry.max_life = calloc(1, sizeof(h->entry.max_life[0]))) == NULL) (h->max_life = calloc(1, sizeof(h->max_life[0]))) == NULL)
ret = krb5_enomem(context); ret = krb5_enomem(context);
if (ret == 0 && *h->entry.max_life > kr.val[current_kr].period >> 1) if (ret == 0 && *h->max_life > kr.val[current_kr].period >> 1)
*h->entry.max_life = kr.val[current_kr].period >> 1; *h->max_life = kr.val[current_kr].period >> 1;
free_HDB_Ext_KeyRotation(&kr); free_HDB_Ext_KeyRotation(&kr);
free_HDB_Ext_KeySet(&base_keys); free_HDB_Ext_KeySet(&base_keys);
@@ -1177,7 +1177,7 @@ pick_kvno(krb5_context context,
unsigned flags, unsigned flags,
krb5_timestamp now, krb5_timestamp now,
krb5uint32 kvno, krb5uint32 kvno,
hdb_entry_ex *h) hdb_entry *h)
{ {
HDB_extension *ext; HDB_extension *ext;
HDB_Ext_KeySet keys; HDB_Ext_KeySet keys;
@@ -1190,25 +1190,25 @@ pick_kvno(krb5_context context,
* delayed, or if there's no new-key delay configured, or we're not * delayed, or if there's no new-key delay configured, or we're not
* fetching for use as a service principal, then we're out. * fetching for use as a service principal, then we're out.
*/ */
if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->entry.flags.virtual || if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->flags.virtual ||
h->entry.flags.virtual_keys || db->new_service_key_delay <= 0) h->flags.virtual_keys || db->new_service_key_delay <= 0)
return 0; return 0;
/* No history -> current keyset is the only one and therefore the best */ /* No history -> current keyset is the only one and therefore the best */
ext = hdb_find_extension(&h->entry, choice_HDB_extension_data_hist_keys); ext = hdb_find_extension(h, choice_HDB_extension_data_hist_keys);
if (!ext) if (!ext)
return 0; return 0;
/* Assume the current keyset is the best to start with */ /* Assume the current keyset is the best to start with */
(void) hdb_entry_get_pw_change_time(&h->entry, &current); (void) hdb_entry_get_pw_change_time(h, &current);
if (current == 0 && h->entry.modified_by) if (current == 0 && h->modified_by)
current = h->entry.modified_by->time; current = h->modified_by->time;
if (current == 0) if (current == 0)
current = h->entry.created_by.time; current = h->created_by.time;
/* Current keyset starts out as best */ /* Current keyset starts out as best */
best = current; best = current;
kvno = h->entry.kvno; kvno = h->kvno;
/* Look for a better keyset in the history */ /* Look for a better keyset in the history */
keys = ext->data.u.hist_keys; keys = ext->data.u.hist_keys;
@@ -1248,7 +1248,7 @@ pick_kvno(krb5_context context,
best = keys.val[i].set_time[0]; best = keys.val[i].set_time[0];
kvno = keys.val[i].kvno; kvno = keys.val[i].kvno;
} }
return hdb_change_kvno(context, kvno, &h->entry); return hdb_change_kvno(context, kvno, h);
} }
/* /*
@@ -1359,15 +1359,15 @@ rewrite_hostname(krb5_context context,
} }
/* /*
* Fix `h->entry.principal' to match the desired `princ' in the namespace * Fix `h->principal' to match the desired `princ' in the namespace
* `nsprinc' (which is either the same as `h->entry.principal' or an alias * `nsprinc' (which is either the same as `h->principal' or an alias
* of it). * of it).
*/ */
static krb5_error_code static krb5_error_code
fix_princ_name(krb5_context context, fix_princ_name(krb5_context context,
krb5_const_principal princ, krb5_const_principal princ,
krb5_const_principal nsprinc, krb5_const_principal nsprinc,
hdb_entry_ex *h) hdb_entry *h)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
char *s = NULL; char *s = NULL;
@@ -1379,7 +1379,7 @@ fix_princ_name(krb5_context context,
/* `nsprinc' must be a namespace principal */ /* `nsprinc' must be a namespace principal */
if (krb5_principal_compare(context, nsprinc, h->entry.principal)) { if (krb5_principal_compare(context, nsprinc, h->principal)) {
/* /*
* `h' is the HDB entry for `nsprinc', and `nsprinc' is its canonical * `h' is the HDB entry for `nsprinc', and `nsprinc' is its canonical
* name. * name.
@@ -1387,23 +1387,23 @@ fix_princ_name(krb5_context context,
* Set the entry's principal name to the desired name. The keys will * Set the entry's principal name to the desired name. The keys will
* be fixed next (upstairs, but don't forget to!). * be fixed next (upstairs, but don't forget to!).
*/ */
free_Principal(h->entry.principal); free_Principal(h->principal);
return copy_Principal(princ, h->entry.principal); return copy_Principal(princ, h->principal);
} }
if (!is_namespace_princ_p(context, h->entry.principal)) { if (!is_namespace_princ_p(context, h->principal)) {
/* /*
* The alias is a namespace, but the canonical name is not. WAT. * The alias is a namespace, but the canonical name is not. WAT.
* *
* Well, the KDC will just issue a referral anyways, so we can leave * Well, the KDC will just issue a referral anyways, so we can leave
* `h->entry.principal' as is... * `h->principal' as is...
* *
* Remove all of `h->entry's keys just in case, and leave * Remove all of `h's keys just in case, and leave
* `h->entry.principal' as-is. * `h->principal' as-is.
*/ */
free_Keys(&h->entry.keys); free_Keys(&h->keys);
(void) hdb_entry_clear_password(context, &h->entry); (void) hdb_entry_clear_password(context, h);
return hdb_clear_extension(context, &h->entry, return hdb_clear_extension(context, h,
choice_HDB_extension_data_hist_keys); choice_HDB_extension_data_hist_keys);
} }
@@ -1418,15 +1418,15 @@ fix_princ_name(krb5_context context,
* we'll want to treat host/foo.ns.test.h5l.se as an alias of * we'll want to treat host/foo.ns.test.h5l.se as an alias of
* host/foo.ns.example.org. * host/foo.ns.example.org.
*/ */
if (krb5_principal_get_num_comp(context, h->entry.principal) != if (krb5_principal_get_num_comp(context, h->principal) !=
2 + krb5_principal_get_num_comp(context, princ)) 2 + krb5_principal_get_num_comp(context, princ))
ret = HDB_ERR_NOENTRY; /* Only host-based services for now */ ret = HDB_ERR_NOENTRY; /* Only host-based services for now */
if (ret == 0) if (ret == 0)
ret = rewrite_hostname(context, princ, nsprinc, h->entry.principal, &s); ret = rewrite_hostname(context, princ, nsprinc, h->principal, &s);
if (ret == 0) { if (ret == 0) {
krb5_free_principal(context, h->entry.principal); krb5_free_principal(context, h->principal);
h->entry.principal = NULL; h->principal = NULL;
ret = krb5_make_principal(context, &h->entry.principal, ret = krb5_make_principal(context, &h->principal,
krb5_principal_get_realm(context, princ), krb5_principal_get_realm(context, princ),
krb5_principal_get_comp_string(context, krb5_principal_get_comp_string(context,
princ, 0), princ, 0),
@@ -1445,7 +1445,7 @@ fetch_it(krb5_context context,
krb5_timestamp t, krb5_timestamp t,
krb5int32 etype, krb5int32 etype,
krb5uint32 kvno, krb5uint32 kvno,
hdb_entry_ex *ent) hdb_entry *ent)
{ {
krb5_const_principal tmpprinc = princ; krb5_const_principal tmpprinc = princ;
krb5_principal nsprinc = NULL; krb5_principal nsprinc = NULL;
@@ -1604,7 +1604,7 @@ hdb_fetch_kvno(krb5_context context,
krb5_timestamp t, krb5_timestamp t,
krb5int32 etype, krb5int32 etype,
krb5uint32 kvno, krb5uint32 kvno,
hdb_entry_ex *h) hdb_entry *h)
{ {
krb5_error_code ret = HDB_ERR_NOENTRY; krb5_error_code ret = HDB_ERR_NOENTRY;
@@ -1621,8 +1621,8 @@ hdb_fetch_kvno(krb5_context context,
* independently of principal aliases (used by Samba). * independently of principal aliases (used by Samba).
*/ */
if (ret == 0 && !(flags & HDB_F_ADMIN_DATA) && if (ret == 0 && !(flags & HDB_F_ADMIN_DATA) &&
!h->entry.flags.force_canonicalize && !h->flags.force_canonicalize &&
!krb5_realm_compare(context, principal, h->entry.principal)) !krb5_realm_compare(context, principal, h->principal))
ret = HDB_ERR_WRONG_REALM; ret = HDB_ERR_WRONG_REALM;
return ret; return ret;
} }


@@ -114,7 +114,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code static krb5_error_code
DB_seq(krb5_context context, HDB *db, DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag) unsigned flags, hdb_entry *entry, int flag)
{ {
DB *d = (DB*)db->hdb_db; DB *d = (DB*)db->hdb_db;
DBT key, value; DBT key, value;
@@ -138,21 +138,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.data; data.data = value.data;
data.length = value.size; data.length = value.size;
memset(entry, 0, sizeof(*entry)); memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry)) if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, R_NEXT); return DB_seq(context, db, flags, entry, R_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry); code = hdb_unseal_keys (context, db, entry);
if (code) if (code)
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
} }
if (code == 0 && entry->entry.principal == NULL) { if (code == 0 && entry->principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal)); entry->principal = malloc(sizeof(*entry->principal));
if (entry->entry.principal == NULL) { if (entry->principal == NULL) {
code = ENOMEM; code = ENOMEM;
krb5_set_error_message(context, code, "malloc: out of memory"); krb5_set_error_message(context, code, "malloc: out of memory");
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
} else { } else {
hdb_key2principal(context, &key_data, entry->entry.principal); hdb_key2principal(context, &key_data, entry->principal);
} }
} }
return code; return code;
@@ -160,14 +160,14 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
return DB_seq(context, db, flags, entry, R_FIRST); return DB_seq(context, db, flags, entry, R_FIRST);
} }
static krb5_error_code static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
return DB_seq(context, db, flags, entry, R_NEXT); return DB_seq(context, db, flags, entry, R_NEXT);
} }
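Review bot: The return value of `hdb_key2principal(context, &key_data, entry->principal)` is discarded in DB_seq, so a record whose key fails to decode is still handed back as success with a freshly malloc'd (not zeroed) Principal, assuming hdb_key2principal reports decode errors through its return value as the other hdb helpers here do. Capture it and release the entry on failure: `code = hdb_key2principal(context, &key_data, entry->principal); if (code) hdb_free_entry(context, db, entry);`, and prefer `calloc(1, sizeof(*entry->principal))` so a partial decode leaves no indeterminate fields. DB_seq's declarations of `code` and `key_data` lie before the first hunk shown, so whether `code` starts at 0 on the non-decrypt path cannot be confirmed from here.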


@@ -136,7 +136,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code static krb5_error_code
DB_seq(krb5_context context, HDB *db, DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag) unsigned flags, hdb_entry *entry, int flag)
{ {
DBT key, value; DBT key, value;
DBC *dbcp = db->hdb_dbc; DBC *dbcp = db->hdb_dbc;
@@ -156,21 +156,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.data; data.data = value.data;
data.length = value.size; data.length = value.size;
memset(entry, 0, sizeof(*entry)); memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry)) if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, DB_NEXT); return DB_seq(context, db, flags, entry, DB_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry); code = hdb_unseal_keys (context, db, entry);
if (code) if (code)
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
} }
if (entry->entry.principal == NULL) { if (entry->principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal)); entry->principal = malloc(sizeof(*entry->principal));
if (entry->entry.principal == NULL) { if (entry->principal == NULL) {
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM; return ENOMEM;
} else { } else {
hdb_key2principal(context, &key_data, entry->entry.principal); hdb_key2principal(context, &key_data, entry->principal);
} }
} }
return 0; return 0;
@@ -178,14 +178,14 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
return DB_seq(context, db, flags, entry, DB_FIRST); return DB_seq(context, db, flags, entry, DB_FIRST);
} }
static krb5_error_code static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
return DB_seq(context, db, flags, entry, DB_NEXT); return DB_seq(context, db, flags, entry, DB_NEXT);
} }
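Review bot: A failed `hdb_unseal_keys()` is not propagated in this DB_seq: after `code = hdb_unseal_keys(context, db, entry)` fails and `hdb_free_entry()` runs, the `entry->principal == NULL` branch still fabricates a principal from the key and the function ends with `return 0;`, so the caller gets success for an entry whose keys were just freed. The sibling DB_seq in db.c in this same change guards with `code == 0` and returns `code`; mirror it with `if (code == 0 && entry->principal == NULL) {` and `return code;`. The declaration of `code` is outside the hunk, so it must be initialized to 0 for the path where decryption is not requested.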


@@ -90,14 +90,14 @@ hkt_unlock(krb5_context context, HDB *db)
static krb5_error_code static krb5_error_code
hkt_firstkey(krb5_context context, HDB *db, hkt_firstkey(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry) unsigned flags, hdb_entry *entry)
{ {
return HDB_ERR_DB_INUSE; return HDB_ERR_DB_INUSE;
} }
static krb5_error_code static krb5_error_code
hkt_nextkey(krb5_context context, HDB * db, unsigned flags, hkt_nextkey(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry) hdb_entry * entry)
{ {
return HDB_ERR_DB_INUSE; return HDB_ERR_DB_INUSE;
} }
@@ -119,7 +119,7 @@ hkt_open(krb5_context context, HDB * db, int flags, mode_t mode)
static krb5_error_code static krb5_error_code
hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry) unsigned flags, krb5_kvno kvno, hdb_entry * entry)
{ {
hdb_keytab k = (hdb_keytab)db->hdb_db; hdb_keytab k = (hdb_keytab)db->hdb_db;
krb5_error_code ret; krb5_error_code ret;
@@ -132,13 +132,13 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
memset(&ktentry, 0, sizeof(ktentry)); memset(&ktentry, 0, sizeof(ktentry));
entry->entry.flags.server = 1; entry->flags.server = 1;
entry->entry.flags.forwardable = 1; entry->flags.forwardable = 1;
entry->entry.flags.renewable = 1; entry->flags.renewable = 1;
/* Not recorded in the OD backend, make something up */ /* Not recorded in the OD backend, make something up */
ret = krb5_parse_name(context, "hdb/keytab@WELL-KNOWN:KEYTAB-BACKEND", ret = krb5_parse_name(context, "hdb/keytab@WELL-KNOWN:KEYTAB-BACKEND",
&entry->entry.created_by.principal); &entry->created_by.principal);
if (ret) if (ret)
goto out; goto out;
@@ -155,7 +155,7 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
goto out; goto out;
} }
ret = krb5_copy_principal(context, principal, &entry->entry.principal); ret = krb5_copy_principal(context, principal, &entry->principal);
if (ret) if (ret)
goto out; goto out;
@@ -163,8 +163,8 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
out: out:
if (ret) { if (ret) {
free_HDB_entry(&entry->entry); free_HDB_entry(entry);
memset(&entry->entry, 0, sizeof(entry->entry)); memset(entry, 0, sizeof(*entry));
} }
krb5_kt_free_entry(context, &ktentry); krb5_kt_free_entry(context, &ktentry);
@@ -173,7 +173,7 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
static krb5_error_code static krb5_error_code
hkt_store(krb5_context context, HDB * db, unsigned flags, hkt_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry) hdb_entry * entry)
{ {
return HDB_ERR_DB_INUSE; return HDB_ERR_DB_INUSE;
} }
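Review bot: The `out:` error path in hkt_fetch_kvno releases the entry with `free_HDB_entry(entry);` plus a manual memset, while the other backends touched by this change (DB_seq in db.c, for instance) go through `hdb_free_entry(context, db, entry)`; since the commit description says the new `context` member is managed by HDB's free_entry method, freeing the ASN.1 struct directly bypasses that bookkeeping. Replace the two lines with `hdb_free_entry(context, db, entry);`, keeping the memset after it if that helper does not already zero the struct (its body is not visible here). The visible lines also write `entry->flags.server = 1` without zeroing the entry first, so the backend relies on the caller having memset it; worth confirming, as `context` would otherwise be indeterminate on the success path. hkt_fetch_kvno's body starts before the first hunk shown.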


@@ -47,7 +47,7 @@ static krb5_error_code LDAP_close(krb5_context context, HDB *);
static krb5_error_code static krb5_error_code
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int flags, hdb_entry_ex * ent); int flags, hdb_entry * ent);
static const char *default_structural_object = "account"; static const char *default_structural_object = "account";
static char *structural_object; static char *structural_object;
@@ -388,14 +388,14 @@ bervalstrcmp(struct berval *v, const char *str)
static krb5_error_code static krb5_error_code
LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent, LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
LDAPMessage * msg, LDAPMod *** pmods, krb5_boolean *pis_new_entry) LDAPMessage * msg, LDAPMod *** pmods, krb5_boolean *pis_new_entry)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_boolean is_new_entry = FALSE; krb5_boolean is_new_entry = FALSE;
char *tmp = NULL; char *tmp = NULL;
LDAPMod **mods = NULL; LDAPMod **mods = NULL;
hdb_entry_ex orig; hdb_entry orig;
unsigned long oflags, nflags; unsigned long oflags, nflags;
int i; int i;
@@ -477,12 +477,12 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
} }
if (is_new_entry || if (is_new_entry ||
krb5_principal_compare(context, ent->entry.principal, orig.entry.principal) krb5_principal_compare(context, ent->principal, orig.principal)
== FALSE) == FALSE)
{ {
if (is_heimdal_principal || is_heimdal_entry) { if (is_heimdal_principal || is_heimdal_entry) {
ret = krb5_unparse_name(context, ent->entry.principal, &tmp); ret = krb5_unparse_name(context, ent->principal, &tmp);
if (ret) if (ret)
goto out; goto out;
@@ -496,7 +496,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
} }
if (is_account || is_samba_account) { if (is_account || is_samba_account) {
ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp); ret = krb5_unparse_name_short(context, ent->principal, &tmp);
if (ret) if (ret)
goto out; goto out;
ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp); ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
@@ -508,15 +508,15 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
} }
} }
if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) { if (is_heimdal_entry && (ent->kvno != orig.kvno || is_new_entry)) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5KeyVersionNumber", "krb5KeyVersionNumber",
ent->entry.kvno); ent->kvno);
if (ret) if (ret)
goto out; goto out;
} }
if (is_heimdal_entry && ent->entry.extensions) { if (is_heimdal_entry && ent->extensions) {
if (!is_new_entry) { if (!is_new_entry) {
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5ExtendedAttributes"); vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5ExtendedAttributes");
if (vals) { if (vals) {
@@ -527,11 +527,11 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
} }
} }
for (i = 0; i < ent->entry.extensions->len; i++) { for (i = 0; i < ent->extensions->len; i++) {
unsigned char *buf; unsigned char *buf;
size_t size, sz = 0; size_t size, sz = 0;
ASN1_MALLOC_ENCODE(HDB_extension, buf, size, &ent->entry.extensions->val[i], &sz, ret); ASN1_MALLOC_ENCODE(HDB_extension, buf, size, &ent->extensions->val[i], &sz, ret);
if (ret) if (ret)
goto out; goto out;
if (size != sz) if (size != sz)
@@ -543,42 +543,42 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
} }
} }
if (is_heimdal_entry && ent->entry.valid_start) { if (is_heimdal_entry && ent->valid_start) {
if (orig.entry.valid_end == NULL if (orig.valid_end == NULL
|| (*(ent->entry.valid_start) != *(orig.entry.valid_start))) { || (*(ent->valid_start) != *(orig.valid_start))) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5ValidStart", "krb5ValidStart",
ent->entry.valid_start); ent->valid_start);
if (ret) if (ret)
goto out; goto out;
} }
} }
if (ent->entry.valid_end) { if (ent->valid_end) {
if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) { if (orig.valid_end == NULL || (*(ent->valid_end) != *(orig.valid_end))) {
if (is_heimdal_entry) { if (is_heimdal_entry) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5ValidEnd", "krb5ValidEnd",
ent->entry.valid_end); ent->valid_end);
if (ret) if (ret)
goto out; goto out;
} }
if (is_samba_account) { if (is_samba_account) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaKickoffTime", "sambaKickoffTime",
*(ent->entry.valid_end)); *(ent->valid_end));
if (ret) if (ret)
goto out; goto out;
} }
} }
} }
if (ent->entry.pw_end) { if (ent->pw_end) {
if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) { if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) {
if (is_heimdal_entry) { if (is_heimdal_entry) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5PasswordEnd", "krb5PasswordEnd",
ent->entry.pw_end); ent->pw_end);
if (ret) if (ret)
goto out; goto out;
} }
@@ -586,7 +586,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
if (is_samba_account) { if (is_samba_account) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaPwdMustChange", "sambaPwdMustChange",
*(ent->entry.pw_end)); *(ent->pw_end));
if (ret) if (ret)
goto out; goto out;
} }
@@ -595,43 +595,43 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
#if 0 /* we we have last_pw_change */ #if 0 /* we we have last_pw_change */
if (is_samba_account && ent->entry.last_pw_change) { if (is_samba_account && ent->last_pw_change) {
if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) { if (orig.last_pw_change == NULL || (*(ent->last_pw_change) != *(orig.last_pw_change))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaPwdLastSet", "sambaPwdLastSet",
*(ent->entry.last_pw_change)); *(ent->last_pw_change));
if (ret) if (ret)
goto out; goto out;
} }
} }
#endif #endif
if (is_heimdal_entry && ent->entry.max_life) { if (is_heimdal_entry && ent->max_life) {
if (orig.entry.max_life == NULL if (orig.max_life == NULL
|| (*(ent->entry.max_life) != *(orig.entry.max_life))) { || (*(ent->max_life) != *(orig.max_life))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5MaxLife", "krb5MaxLife",
*(ent->entry.max_life)); *(ent->max_life));
if (ret) if (ret)
goto out; goto out;
} }
} }
if (is_heimdal_entry && ent->entry.max_renew) { if (is_heimdal_entry && ent->max_renew) {
if (orig.entry.max_renew == NULL if (orig.max_renew == NULL
|| (*(ent->entry.max_renew) != *(orig.entry.max_renew))) { || (*(ent->max_renew) != *(orig.max_renew))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE, ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5MaxRenew", "krb5MaxRenew",
*(ent->entry.max_renew)); *(ent->max_renew));
if (ret) if (ret)
goto out; goto out;
} }
} }
oflags = HDBFlags2int(orig.entry.flags); oflags = HDBFlags2int(orig.flags);
nflags = HDBFlags2int(ent->entry.flags); nflags = HDBFlags2int(ent->flags);
if (is_heimdal_entry && oflags != nflags) { if (is_heimdal_entry && oflags != nflags) {
@@ -643,7 +643,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
} }
/* Remove keys if they exists, and then replace keys. */ /* Remove keys if they exists, and then replace keys. */
if (!is_new_entry && orig.entry.keys.len > 0) { if (!is_new_entry && orig.keys.len > 0) {
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key"); vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
if (vals) { if (vals) {
ldap_value_free_len(vals); ldap_value_free_len(vals);
@@ -654,21 +654,21 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
} }
} }
for (i = 0; i < ent->entry.keys.len; i++) { for (i = 0; i < ent->keys.len; i++) {
if (is_samba_account if (is_samba_account
&& ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { && ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
char *ntHexPassword; char *ntHexPassword;
char *nt; char *nt;
time_t now = time(NULL); time_t now = time(NULL);
/* the key might have been 'sealed', but samba passwords /* the key might have been 'sealed', but samba passwords
are clear in the directory */ are clear in the directory */
ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]); ret = hdb_unseal_key(context, db, &ent->keys.val[i]);
if (ret) if (ret)
goto out; goto out;
nt = ent->entry.keys.val[i].key.keyvalue.data; nt = ent->keys.val[i].key.keyvalue.data;
/* store in ntPassword, not krb5key */ /* store in ntPassword, not krb5key */
ret = hex_encode(nt, 16, &ntHexPassword); ret = hex_encode(nt, 16, &ntHexPassword);
if (ret < 0) { if (ret < 0) {
@@ -701,7 +701,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
unsigned char *buf; unsigned char *buf;
size_t len, buf_size; size_t len, buf_size;
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret); ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->keys.val[i], &len, ret);
if (ret) if (ret)
goto out; goto out;
if(buf_size != len) if(buf_size != len)
@@ -714,7 +714,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
} }
} }
if (ent->entry.etypes) { if (ent->etypes) {
int add_krb5EncryptionType = 0; int add_krb5EncryptionType = 0;
/* /*
@@ -736,15 +736,15 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
add_krb5EncryptionType = 1; add_krb5EncryptionType = 1;
if (add_krb5EncryptionType) { if (add_krb5EncryptionType) {
for (i = 0; i < ent->entry.etypes->len; i++) { for (i = 0; i < ent->etypes->len; i++) {
if (is_samba_account && if (is_samba_account &&
ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
{ {
; ;
} else if (is_heimdal_entry) { } else if (is_heimdal_entry) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD, ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
"krb5EncryptionType", "krb5EncryptionType",
ent->entry.etypes->val[i]); ent->etypes->val[i]);
if (ret) if (ret)
goto out; goto out;
} }
@@ -1005,7 +1005,7 @@ LDAP_principal2message(krb5_context context, HDB * db,
*/ */
static krb5_error_code static krb5_error_code
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int flags, hdb_entry_ex * ent) int flags, hdb_entry * ent)
{ {
char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL; char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
char *samba_acct_flags = NULL; char *samba_acct_flags = NULL;
@@ -1015,18 +1015,18 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int tmp, tmp_time, i, ret, have_arcfour = 0; int tmp, tmp_time, i, ret, have_arcfour = 0;
memset(ent, 0, sizeof(*ent)); memset(ent, 0, sizeof(*ent));
ent->entry.flags = int2HDBFlags(0); ent->flags = int2HDBFlags(0);
ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name); ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
if (ret == 0) { if (ret == 0) {
ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal); ret = krb5_parse_name(context, unparsed_name, &ent->principal);
if (ret) if (ret)
goto out; goto out;
} else { } else {
ret = LDAP_get_string_value(db, msg, "uid", ret = LDAP_get_string_value(db, msg, "uid",
&unparsed_name); &unparsed_name);
if (ret == 0) { if (ret == 0) {
ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal); ret = krb5_parse_name(context, unparsed_name, &ent->principal);
if (ret) if (ret)
goto out; goto out;
} else { } else {
@@ -1042,25 +1042,25 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber", ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
&integer); &integer);
if (ret) if (ret)
ent->entry.kvno = 0; ent->kvno = 0;
else else
ent->entry.kvno = integer; ent->kvno = integer;
} }
keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key"); keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
if (keys != NULL) { if (keys != NULL) {
size_t l; size_t l;
ent->entry.keys.len = ldap_count_values_len(keys); ent->keys.len = ldap_count_values_len(keys);
ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key)); ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key));
if (ent->entry.keys.val == NULL) { if (ent->keys.val == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "calloc: out of memory"); krb5_set_error_message(context, ret, "calloc: out of memory");
goto out; goto out;
} }
for (i = 0; i < ent->entry.keys.len; i++) { for (i = 0; i < ent->keys.len; i++) {
decode_Key((unsigned char *) keys[i]->bv_val, decode_Key((unsigned char *) keys[i]->bv_val,
(size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l); (size_t) keys[i]->bv_len, &ent->keys.val[i], &l);
} }
ber_bvecfree(keys); ber_bvecfree(keys);
} else { } else {
@@ -1070,8 +1070,8 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
* be related to a general directory entry without creating * be related to a general directory entry without creating
* the keys. Hopefully it's OK. * the keys. Hopefully it's OK.
*/ */
ent->entry.keys.len = 0; ent->keys.len = 0;
ent->entry.keys.val = NULL; ent->keys.val = NULL;
#else #else
ret = HDB_ERR_NOENTRY; ret = HDB_ERR_NOENTRY;
goto out; goto out;
@@ -1082,47 +1082,47 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
if (extensions != NULL) { if (extensions != NULL) {
size_t l; size_t l;
ent->entry.extensions = calloc(1, sizeof(*(ent->entry.extensions))); ent->extensions = calloc(1, sizeof(*(ent->extensions)));
if (ent->entry.extensions == NULL) { if (ent->extensions == NULL) {
ret = krb5_enomem(context); ret = krb5_enomem(context);
goto out; goto out;
} }
ent->entry.extensions->len = ldap_count_values_len(extensions); ent->extensions->len = ldap_count_values_len(extensions);
ent->entry.extensions->val = (HDB_extension *) calloc(ent->entry.extensions->len, sizeof(HDB_extension)); ent->extensions->val = (HDB_extension *) calloc(ent->extensions->len, sizeof(HDB_extension));
if (ent->entry.extensions->val == NULL) { if (ent->extensions->val == NULL) {
ent->entry.extensions->len = 0; ent->extensions->len = 0;
ret = krb5_enomem(context); ret = krb5_enomem(context);
goto out; goto out;
} }
for (i = 0; i < ent->entry.extensions->len; i++) { for (i = 0; i < ent->extensions->len; i++) {
ret = decode_HDB_extension((unsigned char *) extensions[i]->bv_val, ret = decode_HDB_extension((unsigned char *) extensions[i]->bv_val,
(size_t) extensions[i]->bv_len, &ent->entry.extensions->val[i], &l); (size_t) extensions[i]->bv_len, &ent->extensions->val[i], &l);
if (ret) if (ret)
krb5_set_error_message(context, ret, "decode_HDB_extension failed"); krb5_set_error_message(context, ret, "decode_HDB_extension failed");
} }
ber_bvecfree(extensions); ber_bvecfree(extensions);
} else { } else {
ent->entry.extensions = NULL; ent->extensions = NULL;
} }
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType"); vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
if (vals != NULL) { if (vals != NULL) {
ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes))); ent->etypes = malloc(sizeof(*(ent->etypes)));
if (ent->entry.etypes == NULL) { if (ent->etypes == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret,"malloc: out of memory"); krb5_set_error_message(context, ret,"malloc: out of memory");
goto out; goto out;
} }
ent->entry.etypes->len = ldap_count_values_len(vals); ent->etypes->len = ldap_count_values_len(vals);
ent->entry.etypes->val = calloc(ent->entry.etypes->len, ent->etypes->val = calloc(ent->etypes->len,
sizeof(ent->entry.etypes->val[0])); sizeof(ent->etypes->val[0]));
if (ent->entry.etypes->val == NULL) { if (ent->etypes->val == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
ent->entry.etypes->len = 0; ent->etypes->len = 0;
goto out; goto out;
} }
for (i = 0; i < ent->entry.etypes->len; i++) { for (i = 0; i < ent->etypes->len; i++) {
char *buf; char *buf;
buf = malloc(vals[i]->bv_len + 1); buf = malloc(vals[i]->bv_len + 1);
@@ -1133,14 +1133,14 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
} }
memcpy(buf, vals[i]->bv_val, vals[i]->bv_len); memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);
buf[vals[i]->bv_len] = '\0'; buf[vals[i]->bv_len] = '\0';
ent->entry.etypes->val[i] = atoi(buf); ent->etypes->val[i] = atoi(buf);
free(buf); free(buf);
} }
ldap_value_free_len(vals); ldap_value_free_len(vals);
} }
for (i = 0; i < ent->entry.keys.len; i++) { for (i = 0; i < ent->keys.len; i++) {
if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) { if (ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
have_arcfour = 1; have_arcfour = 1;
break; break;
} }
@@ -1152,151 +1152,151 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
unsigned *etypes; unsigned *etypes;
Key *ks; Key *ks;
ks = realloc(ent->entry.keys.val, ks = realloc(ent->keys.val,
(ent->entry.keys.len + 1) * (ent->keys.len + 1) *
sizeof(ent->entry.keys.val[0])); sizeof(ent->keys.val[0]));
if (ks == NULL) { if (ks == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ent->entry.keys.val = ks; ent->keys.val = ks;
memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key)); memset(&ent->keys.val[ent->keys.len], 0, sizeof(Key));
ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5; ent->keys.val[ent->keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16); ret = krb5_data_alloc (&ent->keys.val[ent->keys.len].key.keyvalue, 16);
if (ret) { if (ret) {
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
ret = ENOMEM; ret = ENOMEM;
goto out; goto out;
} }
ret = hex_decode(ntPasswordIN, ret = hex_decode(ntPasswordIN,
ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16); ent->keys.val[ent->keys.len].key.keyvalue.data, 16);
ent->entry.keys.len++; ent->keys.len++;
if (ret == -1) { if (ret == -1) {
krb5_set_error_message(context, ret = EINVAL, krb5_set_error_message(context, ret = EINVAL,
"invalid hex encoding of password"); "invalid hex encoding of password");
goto out; goto out;
} }
if (ent->entry.etypes == NULL) { if (ent->etypes == NULL) {
ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes))); ent->etypes = malloc(sizeof(*(ent->etypes)));
if (ent->entry.etypes == NULL) { if (ent->etypes == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ent->entry.etypes->val = NULL; ent->etypes->val = NULL;
ent->entry.etypes->len = 0; ent->etypes->len = 0;
} }
for (i = 0; i < ent->entry.etypes->len; i++) for (i = 0; i < ent->etypes->len; i++)
if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5) if (ent->etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
break; break;
/* If there is no ARCFOUR enctype, add one */ /* If there is no ARCFOUR enctype, add one */
if (i == ent->entry.etypes->len) { if (i == ent->etypes->len) {
etypes = realloc(ent->entry.etypes->val, etypes = realloc(ent->etypes->val,
(ent->entry.etypes->len + 1) * (ent->etypes->len + 1) *
sizeof(ent->entry.etypes->val[0])); sizeof(ent->etypes->val[0]));
if (etypes == NULL) { if (etypes == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ent->entry.etypes->val = etypes; ent->etypes->val = etypes;
ent->entry.etypes->val[ent->entry.etypes->len] = ent->etypes->val[ent->etypes->len] =
ETYPE_ARCFOUR_HMAC_MD5; ETYPE_ARCFOUR_HMAC_MD5;
ent->entry.etypes->len++; ent->etypes->len++;
} }
} }
ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp", ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
&ent->entry.created_by.time); &ent->created_by.time);
if (ret) if (ret)
ent->entry.created_by.time = time(NULL); ent->created_by.time = time(NULL);
ent->entry.created_by.principal = NULL; ent->created_by.principal = NULL;
if (flags & HDB_F_ADMIN_DATA) { if (flags & HDB_F_ADMIN_DATA) {
ret = LDAP_get_string_value(db, msg, "creatorsName", &dn); ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
if (ret == 0) { if (ret == 0) {
LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal); LDAP_dn2principal(context, db, dn, &ent->created_by.principal);
free(dn); free(dn);
} }
ent->entry.modified_by = calloc(1, sizeof(*ent->entry.modified_by)); ent->modified_by = calloc(1, sizeof(*ent->modified_by));
if (ent->entry.modified_by == NULL) { if (ent->modified_by == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp", ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
&ent->entry.modified_by->time); &ent->modified_by->time);
if (ret == 0) { if (ret == 0) {
ret = LDAP_get_string_value(db, msg, "modifiersName", &dn); ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
if (ret == 0) { if (ret == 0) {
LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal); LDAP_dn2principal(context, db, dn, &ent->modified_by->principal);
free(dn); free(dn);
} else { } else {
free(ent->entry.modified_by); free(ent->modified_by);
ent->entry.modified_by = NULL; ent->modified_by = NULL;
} }
} }
} }
ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start)); ent->valid_start = malloc(sizeof(*ent->valid_start));
if (ent->entry.valid_start == NULL) { if (ent->valid_start == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart", ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
ent->entry.valid_start); ent->valid_start);
if (ret) { if (ret) {
/* OPTIONAL */ /* OPTIONAL */
free(ent->entry.valid_start); free(ent->valid_start);
ent->entry.valid_start = NULL; ent->valid_start = NULL;
} }
ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end)); ent->valid_end = malloc(sizeof(*ent->valid_end));
if (ent->entry.valid_end == NULL) { if (ent->valid_end == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd", ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
ent->entry.valid_end); ent->valid_end);
if (ret) { if (ret) {
/* OPTIONAL */ /* OPTIONAL */
free(ent->entry.valid_end); free(ent->valid_end);
ent->entry.valid_end = NULL; ent->valid_end = NULL;
} }
ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time); ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
if (ret == 0) { if (ret == 0) {
if (ent->entry.valid_end == NULL) { if (ent->valid_end == NULL) {
ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end)); ent->valid_end = malloc(sizeof(*ent->valid_end));
if (ent->entry.valid_end == NULL) { if (ent->valid_end == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
} }
*ent->entry.valid_end = tmp_time; *ent->valid_end = tmp_time;
} }
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end)); ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->entry.pw_end == NULL) { if (ent->pw_end == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd", ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
ent->entry.pw_end); ent->pw_end);
if (ret) { if (ret) {
/* OPTIONAL */ /* OPTIONAL */
free(ent->entry.pw_end); free(ent->pw_end);
ent->entry.pw_end = NULL; ent->pw_end = NULL;
} }
ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time); ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
@@ -1310,76 +1310,76 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
NULL); NULL);
if (delta) { if (delta) {
if (ent->entry.pw_end == NULL) { if (ent->pw_end == NULL) {
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end)); ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->entry.pw_end == NULL) { if (ent->pw_end == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
} }
*ent->entry.pw_end = tmp_time + delta; *ent->pw_end = tmp_time + delta;
} }
} }
ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time); ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
if (ret == 0) { if (ret == 0) {
if (ent->entry.pw_end == NULL) { if (ent->pw_end == NULL) {
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end)); ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->entry.pw_end == NULL) { if (ent->pw_end == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
} }
*ent->entry.pw_end = tmp_time; *ent->pw_end = tmp_time;
} }
/* OPTIONAL */ /* OPTIONAL */
ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time); ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
if (ret == 0) if (ret == 0)
hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time); hdb_entry_set_pw_change_time(context, ent, tmp_time);
{ {
int max_life; int max_life;
ent->entry.max_life = malloc(sizeof(*ent->entry.max_life)); ent->max_life = malloc(sizeof(*ent->max_life));
if (ent->entry.max_life == NULL) { if (ent->max_life == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life); ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
if (ret) { if (ret) {
free(ent->entry.max_life); free(ent->max_life);
ent->entry.max_life = NULL; ent->max_life = NULL;
} else } else
*ent->entry.max_life = max_life; *ent->max_life = max_life;
} }
{ {
int max_renew; int max_renew;
ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew)); ent->max_renew = malloc(sizeof(*ent->max_renew));
if (ent->entry.max_renew == NULL) { if (ent->max_renew == NULL) {
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
goto out; goto out;
} }
ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew); ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
if (ret) { if (ret) {
free(ent->entry.max_renew); free(ent->max_renew);
ent->entry.max_renew = NULL; ent->max_renew = NULL;
} else } else
*ent->entry.max_renew = max_renew; *ent->max_renew = max_renew;
} }
ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp); ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);
if (ret) if (ret)
tmp = 0; tmp = 0;
ent->entry.flags = int2HDBFlags(tmp); ent->flags = int2HDBFlags(tmp);
/* Try and find Samba flags to put into the mix */ /* Try and find Samba flags to put into the mix */
ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags); ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
@@ -1411,7 +1411,7 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
/* Allow forwarding */ /* Allow forwarding */
if (samba_forwardable) if (samba_forwardable)
ent->entry.flags.forwardable = TRUE; ent->flags.forwardable = TRUE;
for (i=0; i < flags_len; i++) { for (i=0; i < flags_len; i++) {
switch (samba_acct_flags[i]) { switch (samba_acct_flags[i]) {
@@ -1423,36 +1423,36 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
/* how to handle no password in kerberos? */ /* how to handle no password in kerberos? */
break; break;
case 'D': case 'D':
ent->entry.flags.invalid = TRUE; ent->flags.invalid = TRUE;
break; break;
case 'H': case 'H':
break; break;
case 'T': case 'T':
/* temp duplicate */ /* temp duplicate */
ent->entry.flags.invalid = TRUE; ent->flags.invalid = TRUE;
break; break;
case 'U': case 'U':
ent->entry.flags.client = TRUE; ent->flags.client = TRUE;
break; break;
case 'M': case 'M':
break; break;
case 'W': case 'W':
case 'S': case 'S':
ent->entry.flags.server = TRUE; ent->flags.server = TRUE;
ent->entry.flags.client = TRUE; ent->flags.client = TRUE;
break; break;
case 'L': case 'L':
ent->entry.flags.invalid = TRUE; ent->flags.invalid = TRUE;
break; break;
case 'X': case 'X':
if (ent->entry.pw_end) { if (ent->pw_end) {
free(ent->entry.pw_end); free(ent->pw_end);
ent->entry.pw_end = NULL; ent->pw_end = NULL;
} }
break; break;
case 'I': case 'I':
ent->entry.flags.server = TRUE; ent->flags.server = TRUE;
ent->entry.flags.client = TRUE; ent->flags.client = TRUE;
break; break;
} }
} }
@@ -1496,7 +1496,7 @@ LDAP_unlock(krb5_context context, HDB * db)
} }
static krb5_error_code static krb5_error_code
LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry) LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
{ {
int msgid, rc, parserc; int msgid, rc, parserc;
krb5_error_code ret; krb5_error_code ret;
@@ -1550,7 +1550,7 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
if (ret == 0) { if (ret == 0) {
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry); ret = hdb_unseal_keys(context, db, entry);
if (ret) if (ret)
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
} }
@@ -1561,7 +1561,7 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
static krb5_error_code static krb5_error_code
LDAP_firstkey(krb5_context context, HDB *db, unsigned flags, LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry) hdb_entry *entry)
{ {
krb5_error_code ret; krb5_error_code ret;
int msgid; int msgid;
@@ -1589,7 +1589,7 @@ LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
static krb5_error_code static krb5_error_code
LDAP_nextkey(krb5_context context, HDB * db, unsigned flags, LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry) hdb_entry * entry)
{ {
return LDAP_seq(context, db, flags, entry); return LDAP_seq(context, db, flags, entry);
} }
@@ -1692,7 +1692,7 @@ LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
static krb5_error_code static krb5_error_code
LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal, LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry) unsigned flags, krb5_kvno kvno, hdb_entry * entry)
{ {
LDAPMessage *msg, *e; LDAPMessage *msg, *e;
krb5_error_code ret; krb5_error_code ret;
@@ -1710,7 +1710,7 @@ LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
ret = LDAP_message2entry(context, db, e, flags, entry); ret = LDAP_message2entry(context, db, e, flags, entry);
if (ret == 0) { if (ret == 0) {
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry); ret = hdb_unseal_keys(context, db, entry);
if (ret) if (ret)
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
} }
@@ -1725,7 +1725,7 @@ LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
#if 0 #if 0
static krb5_error_code static krb5_error_code
LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal, LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, hdb_entry_ex * entry) unsigned flags, hdb_entry * entry)
{ {
return LDAP_fetch_kvno(context, db, principal, return LDAP_fetch_kvno(context, db, principal,
flags & (~HDB_F_KVNO_SPECIFIED), 0, entry); flags & (~HDB_F_KVNO_SPECIFIED), 0, entry);
@@ -1734,7 +1734,7 @@ LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
static krb5_error_code static krb5_error_code
LDAP_store(krb5_context context, HDB * db, unsigned flags, LDAP_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry) hdb_entry * entry)
{ {
LDAPMod **mods = NULL; LDAPMod **mods = NULL;
krb5_error_code ret; krb5_error_code ret;
@@ -1747,17 +1747,17 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
if ((flags & HDB_F_PRECHECK)) if ((flags & HDB_F_PRECHECK))
return 0; /* we can't guarantee whether we'll be able to perform it */ return 0; /* we can't guarantee whether we'll be able to perform it */
ret = LDAP_principal2message(context, db, entry->entry.principal, &msg); ret = LDAP_principal2message(context, db, entry->principal, &msg);
if (ret == 0) if (ret == 0)
e = ldap_first_entry(HDB2LDAP(db), msg); e = ldap_first_entry(HDB2LDAP(db), msg);
ret = krb5_unparse_name(context, entry->entry.principal, &name); ret = krb5_unparse_name(context, entry->principal, &name);
if (ret) { if (ret) {
free(name); free(name);
return ret; return ret;
} }
ret = hdb_seal_keys(context, db, &entry->entry); ret = hdb_seal_keys(context, db, entry);
if (ret) if (ret)
goto out; goto out;


@@ -383,7 +383,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code static krb5_error_code
DB_seq(krb5_context context, HDB *db, DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag) unsigned flags, hdb_entry *entry, int flag)
{ {
mdb_info *mi = db->hdb_db; mdb_info *mi = db->hdb_db;
MDB_val key, value; MDB_val key, value;
@@ -406,21 +406,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.mv_data; data.data = value.mv_data;
data.length = value.mv_size; data.length = value.mv_size;
memset(entry, 0, sizeof(*entry)); memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry)) if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, MDB_NEXT); return DB_seq(context, db, flags, entry, MDB_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry); code = hdb_unseal_keys (context, db, entry);
if (code) if (code)
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
} }
if (entry->entry.principal == NULL) { if (entry->principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal)); entry->principal = malloc(sizeof(*entry->principal));
if (entry->entry.principal == NULL) { if (entry->principal == NULL) {
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM; return ENOMEM;
} else { } else {
hdb_key2principal(context, &key_data, entry->entry.principal); hdb_key2principal(context, &key_data, entry->principal);
} }
} }
return 0; return 0;
@@ -428,7 +428,7 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
mdb_info *mi = db->hdb_db; mdb_info *mi = db->hdb_db;
@@ -462,7 +462,7 @@ DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
static krb5_error_code static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
return DB_seq(context, db, flags, entry, MDB_NEXT); return DB_seq(context, db, flags, entry, MDB_NEXT);
} }
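Review bot: In DB_seq a failed hdb_unseal_keys() is not propagated: `code` is set on the line `code = hdb_unseal_keys (context, db, entry);`, the entry is freed, and control then falls through to the principal check and `return 0;`, so hdb_foreach-style callers see success and are handed an entry whose keys have just been released (and, since the freed entry presumably has a NULL principal, the block below allocates a fresh principal into it, masking the failure further). Replacing the two-line `if (code) hdb_free_entry (context, db, entry);` with `if (code) { hdb_free_entry (context, db, entry); return code; }` closes this. The return value of `hdb_key2principal(context, &key_data, entry->principal);` also appears to be ignored, so a key-decode failure leaves a half-built principal in an entry reported as fetched; returning that status (after freeing the entry on error) would be safer. mdb_seq in hdb-mitdb.c has the same unseal pattern, but its return is outside that hunk.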


@@ -765,7 +765,7 @@ mdb_unlock(krb5_context context, HDB *db)
static krb5_error_code static krb5_error_code
mdb_seq(krb5_context context, HDB *db, mdb_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag) unsigned flags, hdb_entry *entry, int flag)
{ {
DB *d = (DB*)db->hdb_db; DB *d = (DB*)db->hdb_db;
DBT key, value; DBT key, value;
@@ -796,11 +796,11 @@ mdb_seq(krb5_context context, HDB *db,
data.length = value.size; data.length = value.size;
memset(entry, 0, sizeof(*entry)); memset(entry, 0, sizeof(*entry));
if (_hdb_mdb_value2entry(context, &data, 0, &entry->entry)) if (_hdb_mdb_value2entry(context, &data, 0, entry))
return mdb_seq(context, db, flags, entry, R_NEXT); return mdb_seq(context, db, flags, entry, R_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry); code = hdb_unseal_keys (context, db, entry);
if (code) if (code)
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
} }
@@ -810,14 +810,14 @@ mdb_seq(krb5_context context, HDB *db,
static krb5_error_code static krb5_error_code
mdb_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) mdb_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
return mdb_seq(context, db, flags, entry, R_FIRST); return mdb_seq(context, db, flags, entry, R_FIRST);
} }
static krb5_error_code static krb5_error_code
mdb_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) mdb_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
return mdb_seq(context, db, flags, entry, R_NEXT); return mdb_seq(context, db, flags, entry, R_NEXT);
} }
@@ -941,7 +941,7 @@ mdb__del(krb5_context context, HDB *db, krb5_data key)
static krb5_error_code static krb5_error_code
mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry) unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{ {
krb5_data key, value; krb5_data key, value;
krb5_error_code ret; krb5_error_code ret;
@@ -953,13 +953,13 @@ mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
krb5_data_free(&key); krb5_data_free(&key);
if(ret) if(ret)
return ret; return ret;
ret = _hdb_mdb_value2entry(context, &value, kvno, &entry->entry); ret = _hdb_mdb_value2entry(context, &value, kvno, entry);
krb5_data_free(&value); krb5_data_free(&value);
if (ret) if (ret)
return ret; return ret;
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys (context, db, &entry->entry); ret = hdb_unseal_keys (context, db, entry);
if (ret) { if (ret) {
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
return ret; return ret;
@@ -970,7 +970,7 @@ mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
} }
static krb5_error_code static krb5_error_code
mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_storage *sp = NULL; krb5_storage *sp = NULL;
@@ -985,7 +985,7 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return 0; return 0;
if ((flags & HDB_F_PRECHECK)) { if ((flags & HDB_F_PRECHECK)) {
ret = mdb_principal2key(context, entry->entry.principal, &key); ret = mdb_principal2key(context, entry->principal, &key);
if (ret) return ret; if (ret) return ret;
ret = db->hdb__get(context, db, key, &value); ret = db->hdb__get(context, db, key, &value);
krb5_data_free(&key); krb5_data_free(&key);
@@ -999,9 +999,9 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
sp = krb5_storage_emem(); sp = krb5_storage_emem();
if (!sp) return ENOMEM; if (!sp) return ENOMEM;
ret = _hdb_set_master_key_usage(context, db, 0); /* MIT KDB uses KU 0 */ ret = _hdb_set_master_key_usage(context, db, 0); /* MIT KDB uses KU 0 */
ret = hdb_seal_keys(context, db, &entry->entry); ret = hdb_seal_keys(context, db, entry);
if (ret) return ret; if (ret) return ret;
ret = entry2mit_string_int(context, sp, &entry->entry); ret = entry2mit_string_int(context, sp, entry);
if (ret) goto out; if (ret) goto out;
sz = krb5_storage_write(sp, "\n", 2); /* NUL-terminate */ sz = krb5_storage_write(sp, "\n", 2); /* NUL-terminate */
ret = ENOMEM; ret = ENOMEM;
@@ -1016,7 +1016,7 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
if (ret) goto out; if (ret) goto out;
ret = krb5_storage_to_data(spent, &kdb_ent); ret = krb5_storage_to_data(spent, &kdb_ent);
if (ret) goto out; if (ret) goto out;
ret = mdb_principal2key(context, entry->entry.principal, &key); ret = mdb_principal2key(context, entry->principal, &key);
if (ret) goto out; if (ret) goto out;
ret = mdb__put(context, db, 1, key, kdb_ent); ret = mdb__put(context, db, 1, key, kdb_ent);
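Review bot: In mdb_store the result of `ret = _hdb_set_master_key_usage(context, db, 0);` is overwritten on the very next line by `ret = hdb_seal_keys(context, db, entry);`, so a failure to select the MIT key usage goes unnoticed and the keys are sealed under whatever usage was previously in effect, producing a record the target KDB format cannot decrypt. The following `if (ret) return ret;` also returns without releasing `sp`, which krb5_storage_emem() allocated a few lines earlier, whereas the later failure paths use `goto out`. Checking both calls the same way, `if (ret) goto out;` after each, fixes the silent failure and the leak together. The seal/decrypt paths in mdb_seq and mdb_fetch_kvno otherwise look consistent with the other backends.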


@@ -495,7 +495,7 @@ hdb_sqlite_make_database(krb5_context context, HDB *db, const char *filename)
*/ */
static krb5_error_code static krb5_error_code
hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry) unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{ {
int sqlite_error; int sqlite_error;
krb5_error_code ret; krb5_error_code ret;
@@ -541,12 +541,12 @@ hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal princi
value.length = sqlite3_column_bytes(fetch, 0); value.length = sqlite3_column_bytes(fetch, 0);
value.data = (void *) sqlite3_column_blob(fetch, 0); value.data = (void *) sqlite3_column_blob(fetch, 0);
ret = hdb_value2entry(context, &value, &entry->entry); ret = hdb_value2entry(context, &value, entry);
if(ret) if(ret)
goto out; goto out;
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry); ret = hdb_unseal_keys(context, db, entry);
if(ret) { if(ret) {
hdb_free_entry(context, db, entry); hdb_free_entry(context, db, entry);
goto out; goto out;
@@ -600,7 +600,7 @@ hdb_sqlite_step_once(krb5_context context, HDB *db, sqlite3_stmt *statement)
*/ */
static krb5_error_code static krb5_error_code
hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags, hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry) hdb_entry *entry)
{ {
int ret; int ret;
int i; int i;
@@ -624,17 +624,17 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback; goto rollback;
} }
ret = hdb_seal_keys(context, db, &entry->entry); ret = hdb_seal_keys(context, db, entry);
if(ret) { if(ret) {
goto rollback; goto rollback;
} }
ret = hdb_entry2value(context, &entry->entry, &value); ret = hdb_entry2value(context, entry, &value);
if(ret) { if(ret) {
goto rollback; goto rollback;
} }
ret = bind_principal(context, entry->entry.principal, get_ids, 1); ret = bind_principal(context, entry->principal, get_ids, 1);
if (ret) if (ret)
goto rollback; goto rollback;
@@ -656,7 +656,7 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback; goto rollback;
} }
ret = bind_principal(context, entry->entry.principal, hsdb->add_principal, 1); ret = bind_principal(context, entry->principal, hsdb->add_principal, 1);
if (ret) if (ret)
goto rollback; goto rollback;
@@ -711,7 +711,7 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback; goto rollback;
} }
ret = hdb_entry_get_aliases(&entry->entry, &aliases); ret = hdb_entry_get_aliases(entry, &aliases);
if(ret || aliases == NULL) if(ret || aliases == NULL)
goto commit; goto commit;
@@ -862,7 +862,7 @@ hdb_sqlite_unlock(krb5_context context, HDB *db)
*/ */
static krb5_error_code static krb5_error_code
hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry) hdb_entry *entry)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
int sqlite_error; int sqlite_error;
@@ -876,7 +876,7 @@ hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
value.length = sqlite3_column_bytes(hsdb->get_all_entries, 0); value.length = sqlite3_column_bytes(hsdb->get_all_entries, 0);
value.data = (void *) sqlite3_column_blob(hsdb->get_all_entries, 0); value.data = (void *) sqlite3_column_blob(hsdb->get_all_entries, 0);
memset(entry, 0, sizeof(*entry)); memset(entry, 0, sizeof(*entry));
ret = hdb_value2entry(context, &value, &entry->entry); ret = hdb_value2entry(context, &value, entry);
} }
else if(sqlite_error == SQLITE_DONE) { else if(sqlite_error == SQLITE_DONE) {
/* No more entries */ /* No more entries */
@@ -900,7 +900,7 @@ hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
*/ */
static krb5_error_code static krb5_error_code
hdb_sqlite_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_sqlite_firstkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry) hdb_entry *entry)
{ {
hdb_sqlite_db *hsdb = (hdb_sqlite_db *) db->hdb_db; hdb_sqlite_db *hsdb = (hdb_sqlite_db *) db->hdb_db;
krb5_error_code ret; krb5_error_code ret;
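Review bot: hdb_sqlite_nextkey decodes the row into `entry` at `ret = hdb_value2entry(context, &value, entry);` but, unlike hdb_sqlite_fetch_kvno in this same file, the visible part of the function has no `HDB_F_DECRYPT` / hdb_unseal_keys step; if the remainder of the function (outside this hunk) does not add one, iteration with HDB_F_DECRYPT returns keys still sealed under the master key while the fetch path returns them unsealed, and callers that trust the flag will treat sealed blobs as plaintext keys. Mirroring the fetch_kvno block after the decode keeps the two paths consistent. The rest of hdb_sqlite_nextkey, including its return, lies outside the hunk.
```c
            memset(entry, 0, sizeof(*entry));
            ret = hdb_value2entry(context, &value, entry);
            if (ret == 0 && db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
                ret = hdb_unseal_keys(context, db, entry);
                if (ret)
                    hdb_free_entry(context, db, entry);
            }
            /* … unchanged: SQLITE_DONE / error branches … */
```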


@@ -397,7 +397,7 @@ hdb_unlock(int fd)
} }
void void
hdb_free_entry(krb5_context context, HDB *db, hdb_entry_ex *ent) hdb_free_entry(krb5_context context, HDB *db, hdb_entry *ent)
{ {
Key *k; Key *k;
size_t i; size_t i;
@@ -405,15 +405,15 @@ hdb_free_entry(krb5_context context, HDB *db, hdb_entry_ex *ent)
if (db && db->hdb_free_entry_context) if (db && db->hdb_free_entry_context)
db->hdb_free_entry_context(context, db, ent); db->hdb_free_entry_context(context, db, ent);
for(i = 0; i < ent->entry.keys.len; i++) { for(i = 0; i < ent->keys.len; i++) {
k = &ent->entry.keys.val[i]; k = &ent->keys.val[i];
memset_s(k->key.keyvalue.data, memset_s(k->key.keyvalue.data,
k->key.keyvalue.length, k->key.keyvalue.length,
0, 0,
k->key.keyvalue.length); k->key.keyvalue.length);
} }
free_HDB_entry(&ent->entry); free_HDB_entry(ent);
} }
krb5_error_code krb5_error_code
@@ -424,7 +424,7 @@ hdb_foreach(krb5_context context,
void *data) void *data)
{ {
krb5_error_code ret; krb5_error_code ret;
hdb_entry_ex entry; hdb_entry entry;
ret = db->hdb_firstkey(context, db, flags, &entry); ret = db->hdb_firstkey(context, db, flags, &entry);
if (ret == 0) if (ret == 0)
krb5_clear_error_message(context); krb5_clear_error_message(context);
@@ -665,22 +665,22 @@ hdb_list_builtin(krb5_context context, char **list)
krb5_error_code krb5_error_code
_hdb_keytab2hdb_entry(krb5_context context, _hdb_keytab2hdb_entry(krb5_context context,
const krb5_keytab_entry *ktentry, const krb5_keytab_entry *ktentry,
hdb_entry_ex *entry) hdb_entry *entry)
{ {
entry->entry.kvno = ktentry->vno; entry->kvno = ktentry->vno;
entry->entry.created_by.time = ktentry->timestamp; entry->created_by.time = ktentry->timestamp;
entry->entry.keys.val = calloc(1, sizeof(entry->entry.keys.val[0])); entry->keys.val = calloc(1, sizeof(entry->keys.val[0]));
if (entry->entry.keys.val == NULL) if (entry->keys.val == NULL)
return ENOMEM; return ENOMEM;
entry->entry.keys.len = 1; entry->keys.len = 1;
entry->entry.keys.val[0].mkvno = NULL; entry->keys.val[0].mkvno = NULL;
entry->entry.keys.val[0].salt = NULL; entry->keys.val[0].salt = NULL;
return krb5_copy_keyblock_contents(context, return krb5_copy_keyblock_contents(context,
&ktentry->keyblock, &ktentry->keyblock,
&entry->entry.keys.val[0].key); &entry->keys.val[0].key);
} }
static krb5_error_code static krb5_error_code


@@ -102,18 +102,6 @@ typedef struct hdb_request_desc {
typedef struct hdb_master_key_data *hdb_master_key; typedef struct hdb_master_key_data *hdb_master_key;
/**
* hdb_entry_ex is a wrapper structure around the hdb_entry structure
* that allows backends to keep a pointer to the backing store, ie in
* ->hdb_fetch_kvno(), so that we the kadmin/kpasswd backend gets around to
* ->hdb_store(), the backend doesn't need to lookup the entry again.
*/
typedef struct hdb_entry_ex {
hdb_entry entry;
} hdb_entry_ex;
/** /**
* HDB backend function pointer structure * HDB backend function pointer structure
* *
@@ -165,7 +153,7 @@ typedef struct HDB {
/** /**
* Free backend-specific entry context. * Free backend-specific entry context.
*/ */
void (*hdb_free_entry_context)(krb5_context, struct HDB*, hdb_entry_ex*); void (*hdb_free_entry_context)(krb5_context, struct HDB*, hdb_entry*);
/** /**
* Fetch an entry from the backend * Fetch an entry from the backend
* *
@@ -175,12 +163,12 @@ typedef struct HDB {
*/ */
krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*, krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*,
krb5_const_principal, unsigned, krb5_kvno, krb5_const_principal, unsigned, krb5_kvno,
hdb_entry_ex*); hdb_entry*);
/** /**
* Store an entry to database * Store an entry to database
*/ */
krb5_error_code (*hdb_store)(krb5_context, struct HDB*, krb5_error_code (*hdb_store)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*); unsigned, hdb_entry*);
/** /**
* Remove an entry from the database. * Remove an entry from the database.
*/ */
@@ -190,12 +178,12 @@ typedef struct HDB {
* As part of iteration, fetch one entry * As part of iteration, fetch one entry
*/ */
krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*, krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*); unsigned, hdb_entry*);
/** /**
* As part of iteration, fetch next entry * As part of iteration, fetch next entry
*/ */
krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*, krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*); unsigned, hdb_entry*);
/** /**
* Lock database * Lock database
* *
@@ -274,7 +262,7 @@ typedef struct HDB {
* The backend needs to call _kadm5_set_keys() and perform password * The backend needs to call _kadm5_set_keys() and perform password
* quality checks. * quality checks.
*/ */
krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int); krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry*, const char *, int);
/** /**
* Authentication auditing. Note that this function is called by * Authentication auditing. Note that this function is called by
@@ -287,22 +275,22 @@ typedef struct HDB {
* In case the entry is locked out, the backend should set the * In case the entry is locked out, the backend should set the
* hdb_entry.flags.locked-out flag. * hdb_entry.flags.locked-out flag.
*/ */
krb5_error_code (*hdb_audit)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_request_t); krb5_error_code (*hdb_audit)(krb5_context, struct HDB *, hdb_entry *, hdb_request_t);
/** /**
* Check if delegation is allowed. * Check if delegation is allowed.
*/ */
krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal);
/** /**
* Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
*/ */
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal); krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal);
/** /**
* Check if s4u2self is allowed from this client to this server or the SPN is a valid SPN of this client (for user2user) * Check if s4u2self is allowed from this client to this server or the SPN is a valid SPN of this client (for user2user)
*/ */
krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_entry_ex *); krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry *, hdb_entry *);
/** /**
* Enable/disable synchronous updates * Enable/disable synchronous updates
@@ -337,7 +325,7 @@ struct hdb_print_entry_arg {
}; };
typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*, typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
hdb_entry_ex*, void*); hdb_entry*, void*);
extern krb5_kt_ops hdb_kt_ops; extern krb5_kt_ops hdb_kt_ops;
extern krb5_kt_ops hdb_get_kt_ops; extern krb5_kt_ops hdb_get_kt_ops;
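Review bot: The doc comment removed together with hdb_entry_ex (the one explaining that a backend keeps a pointer to its backing store from hdb_fetch_kvno() so that a later hdb_store() need not look the entry up again) was the only place that rationale was written down, and nothing in the new header says where that pointer now lives. The commit message says hdb_entry gained a context member that is released through hdb_free_entry_context, so I'd move the rationale onto that callback's comment, replacing `* Free backend-specific entry context.` with `* Free the backend-specific context a backend may attach to an hdb_entry in hdb_fetch_kvno() so that a later hdb_store() need not look the entry up again; called from hdb_free_entry().` The hdb_entry definition itself is not in this section, so I cannot tell whether the member is documented there.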


@@ -42,7 +42,7 @@ struct hdb_data {
struct hdb_cursor { struct hdb_cursor {
HDB *db; HDB *db;
hdb_entry_ex hdb_entry; hdb_entry hdb_entry;
int first, next; int first, next;
int key_idx; int key_idx;
}; };
@@ -181,7 +181,7 @@ hdb_get_entry(krb5_context context,
krb5_enctype enctype, krb5_enctype enctype,
krb5_keytab_entry *entry) krb5_keytab_entry *entry)
{ {
hdb_entry_ex ent; hdb_entry ent;
krb5_error_code ret; krb5_error_code ret;
struct hdb_data *d = id->data; struct hdb_data *d = id->data;
const char *dbname = d->dbname; const char *dbname = d->dbname;
@@ -226,21 +226,21 @@ hdb_get_entry(krb5_context context,
}else if(ret) }else if(ret)
goto out; goto out;
if(kvno && (krb5_kvno)ent.entry.kvno != kvno) { if(kvno && (krb5_kvno)ent.kvno != kvno) {
hdb_free_entry(context, db, &ent); hdb_free_entry(context, db, &ent);
ret = KRB5_KT_NOTFOUND; ret = KRB5_KT_NOTFOUND;
goto out; goto out;
} }
if(enctype == 0) if(enctype == 0)
if(ent.entry.keys.len > 0) if(ent.keys.len > 0)
enctype = ent.entry.keys.val[0].key.keytype; enctype = ent.keys.val[0].key.keytype;
ret = KRB5_KT_NOTFOUND; ret = KRB5_KT_NOTFOUND;
for(i = 0; i < ent.entry.keys.len; i++) { for(i = 0; i < ent.keys.len; i++) {
if(ent.entry.keys.val[i].key.keytype == enctype) { if(ent.keys.val[i].key.keytype == enctype) {
krb5_copy_principal(context, principal, &entry->principal); krb5_copy_principal(context, principal, &entry->principal);
entry->vno = ent.entry.kvno; entry->vno = ent.kvno;
krb5_copy_keyblock_contents(context, krb5_copy_keyblock_contents(context,
&ent.entry.keys.val[i].key, &ent.keys.val[i].key,
&entry->keyblock); &entry->keyblock);
ret = 0; ret = 0;
break; break;
@@ -336,7 +336,7 @@ hdb_next_entry(krb5_context context,
else if (ret) else if (ret)
return ret; return ret;
if (c->hdb_entry.entry.keys.len == 0) if (c->hdb_entry.keys.len == 0)
hdb_free_entry(context, c->db, &c->hdb_entry); hdb_free_entry(context, c->db, &c->hdb_entry);
else else
c->next = FALSE; c->next = FALSE;
@@ -353,7 +353,7 @@ hdb_next_entry(krb5_context context,
return ret; return ret;
/* If no keys on this entry, try again */ /* If no keys on this entry, try again */
if (c->hdb_entry.entry.keys.len == 0) if (c->hdb_entry.keys.len == 0)
hdb_free_entry(context, c->db, &c->hdb_entry); hdb_free_entry(context, c->db, &c->hdb_entry);
else else
c->next = FALSE; c->next = FALSE;
@@ -365,14 +365,14 @@ hdb_next_entry(krb5_context context,
*/ */
ret = krb5_copy_principal(context, ret = krb5_copy_principal(context,
c->hdb_entry.entry.principal, c->hdb_entry.principal,
&entry->principal); &entry->principal);
if (ret) if (ret)
return ret; return ret;
entry->vno = c->hdb_entry.entry.kvno; entry->vno = c->hdb_entry.kvno;
ret = krb5_copy_keyblock_contents(context, ret = krb5_copy_keyblock_contents(context,
&c->hdb_entry.entry.keys.val[c->key_idx].key, &c->hdb_entry.keys.val[c->key_idx].key,
&entry->keyblock); &entry->keyblock);
if (ret) { if (ret) {
krb5_free_principal(context, entry->principal); krb5_free_principal(context, entry->principal);
@@ -386,7 +386,7 @@ hdb_next_entry(krb5_context context,
* next entry * next entry
*/ */
if ((size_t)c->key_idx == c->hdb_entry.entry.keys.len) { if ((size_t)c->key_idx == c->hdb_entry.keys.len) {
hdb_free_entry(context, c->db, &c->hdb_entry); hdb_free_entry(context, c->db, &c->hdb_entry);
c->next = TRUE; c->next = TRUE;
c->key_idx = 0; c->key_idx = 0;
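Review bot: In hdb_get_entry the results of krb5_copy_principal() and krb5_copy_keyblock_contents() inside the `if(ent.keys.val[i].key.keytype == enctype)` branch are discarded and `ret = 0` is set unconditionally, so an allocation failure hands the caller a keytab entry with a missing principal or an empty keyblock reported as success. hdb_next_entry in the same file checks both calls and frees the principal when the keyblock copy fails, so the two paths should agree. The `out:` label and the cleanup of `ent` are outside the hunk, so I have assumed the existing cleanup handles `ent` on any `ret`.
```c
            if(ent.keys.val[i].key.keytype == enctype) {
                ret = krb5_copy_principal(context, principal, &entry->principal);
                if (ret)
                    break;
                entry->vno = ent.kvno;
                ret = krb5_copy_keyblock_contents(context,
                                                  &ent.keys.val[i].key,
                                                  &entry->keyblock);
                if (ret)
                    krb5_free_principal(context, entry->principal);
                break;
            }
```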


@@ -76,7 +76,7 @@ NDBM_unlock(krb5_context context, HDB *db)
static krb5_error_code static krb5_error_code
NDBM_seq(krb5_context context, HDB *db, NDBM_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int first) unsigned flags, hdb_entry *entry, int first)
{ {
struct ndbm_db *d = (struct ndbm_db *)db->hdb_db; struct ndbm_db *d = (struct ndbm_db *)db->hdb_db;
@@ -99,21 +99,21 @@ NDBM_seq(krb5_context context, HDB *db,
data.data = value.dptr; data.data = value.dptr;
data.length = value.dsize; data.length = value.dsize;
memset(entry, 0, sizeof(*entry)); memset(entry, 0, sizeof(*entry));
if(hdb_value2entry(context, &data, &entry->entry)) if(hdb_value2entry(context, &data, entry))
return NDBM_seq(context, db, flags, entry, 0); return NDBM_seq(context, db, flags, entry, 0);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys (context, db, &entry->entry); ret = hdb_unseal_keys (context, db, entry);
if (ret) if (ret)
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
} }
if (ret == 0 && entry->entry.principal == NULL) { if (ret == 0 && entry->principal == NULL) {
entry->entry.principal = malloc (sizeof(*entry->entry.principal)); entry->principal = malloc (sizeof(*entry->principal));
if (entry->entry.principal == NULL) { if (entry->principal == NULL) {
hdb_free_entry (context, db, entry); hdb_free_entry (context, db, entry);
ret = ENOMEM; ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory"); krb5_set_error_message(context, ret, "malloc: out of memory");
} else { } else {
hdb_key2principal (context, &key_data, entry->entry.principal); hdb_key2principal (context, &key_data, entry->principal);
} }
} }
return ret; return ret;
@@ -121,14 +121,14 @@ NDBM_seq(krb5_context context, HDB *db,
static krb5_error_code static krb5_error_code
NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry_ex *entry) NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry *entry)
{ {
return NDBM_seq(context, db, flags, entry, 1); return NDBM_seq(context, db, flags, entry, 1);
} }
static krb5_error_code static krb5_error_code
NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry_ex *entry) NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry *entry)
{ {
return NDBM_seq(context, db, flags, entry, 0); return NDBM_seq(context, db, flags, entry, 0);
} }
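Review bot: In NDBM_seq the result of hdb_key2principal() on the `hdb_key2principal (context, &key_data, entry->principal);` line is ignored, and the principal it fills was obtained with plain malloc(), so if that decode fails the entry is returned with ret == 0 and a principal whose members are uninitialized, which the caller later passes to hdb_free_entry(). I'd allocate it zeroed, `entry->principal = calloc(1, sizeof(*entry->principal));`, and check the call: `ret = hdb_key2principal(context, &key_data, entry->principal); if (ret) hdb_free_entry(context, db, entry);`. Whether hdb_key2principal() can fail is not visible in this hunk, and the start of NDBM_seq where `ret` is initialized is outside it.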


@@ -556,7 +556,7 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str)
/* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */ /* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */
krb5_error_code krb5_error_code
hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry, hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry,
void *data) void *data)
{ {
struct hdb_print_entry_arg *parg = data; struct hdb_print_entry_arg *parg = data;
@@ -572,10 +572,10 @@ hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry,
switch (parg->fmt) { switch (parg->fmt) {
case HDB_DUMP_HEIMDAL: case HDB_DUMP_HEIMDAL:
ret = entry2string_int(context, sp, &entry->entry); ret = entry2string_int(context, sp, entry);
break; break;
case HDB_DUMP_MIT: case HDB_DUMP_MIT:
ret = entry2mit_string_int(context, sp, &entry->entry); ret = entry2mit_string_int(context, sp, entry);
break; break;
default: default:
heim_abort("Only two dump formats supported: Heimdal and MIT"); heim_abort("Only two dump formats supported: Heimdal and MIT");
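Review bot: The comment above hdb_print_entry, `/* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */`, no longer matches the code: `data` is cast to `struct hdb_print_entry_arg *` and the output format is chosen from `parg->fmt`. Suggest `/* print a hdb_entry in the format selected by (struct hdb_print_entry_arg *)data; suitable for hdb_foreach */`. The rest of the function, including where the output stream comes from, is outside the hunk.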


@@ -70,7 +70,7 @@ threaded_reader(void *d)
krb5_error_code ret; krb5_error_code ret;
krb5_context context; krb5_context context;
struct tsync *s = d; struct tsync *s = d;
hdb_entry_ex entr; hdb_entry entr;
HDB *dbr = NULL; HDB *dbr = NULL;
printf("Reader thread opening HDB\n"); printf("Reader thread opening HDB\n");
@@ -101,7 +101,7 @@ threaded_reader(void *d)
//(void) unlink(s->fname); //(void) unlink(s->fname);
krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name); krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name);
} }
free_HDB_entry(&entr.entry); free_HDB_entry(&entr);
/* Tell the writer to go ahead and write */ /* Tell the writer to go ahead and write */
printf("Reader thread iterated one entry; telling writer to write more\n"); printf("Reader thread iterated one entry; telling writer to write more\n");
@@ -124,7 +124,7 @@ threaded_reader(void *d)
"Could not iterate while writing to HDB %s", s->hdb_name); "Could not iterate while writing to HDB %s", s->hdb_name);
} }
printf("Reader thread iterated another entry\n"); printf("Reader thread iterated another entry\n");
free_HDB_entry(&entr.entry); free_HDB_entry(&entr);
if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) { if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) {
//(void) unlink(s->fname); //(void) unlink(s->fname);
krb5_warn(context, ret, krb5_warn(context, ret,
@@ -154,7 +154,7 @@ forked_reader(struct tsync *s)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_context context; krb5_context context;
hdb_entry_ex entr; hdb_entry entr;
ssize_t bytes; ssize_t bytes;
char b[1]; char b[1];
HDB *dbr = NULL; HDB *dbr = NULL;
@@ -190,7 +190,7 @@ forked_reader(struct tsync *s)
krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name); krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name);
} }
printf("Reader process iterated one entry\n"); printf("Reader process iterated one entry\n");
free_HDB_entry(&entr.entry); free_HDB_entry(&entr);
/* Tell the writer to go ahead and write */ /* Tell the writer to go ahead and write */
printf("Reader process iterated one entry; telling writer to write more\n"); printf("Reader process iterated one entry; telling writer to write more\n");
@@ -217,13 +217,13 @@ forked_reader(struct tsync *s)
krb5_err(context, 1, ret, krb5_err(context, 1, ret,
"Could not iterate while writing to HDB %s", s->hdb_name); "Could not iterate while writing to HDB %s", s->hdb_name);
} }
free_HDB_entry(&entr.entry); free_HDB_entry(&entr);
printf("Reader process iterated another entry\n"); printf("Reader process iterated another entry\n");
if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) { if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) {
//(void) unlink(s->fname); //(void) unlink(s->fname);
krb5_warn(context, ret, krb5_warn(context, ret,
"HDB %s sees writes committed since starting iteration (%s)", "HDB %s sees writes committed since starting iteration (%s)",
s->hdb_name, entr.entry.principal->name.name_string.val[0]); s->hdb_name, entr.principal->name.name_string.val[0]);
} else if (ret != HDB_ERR_NOENTRY) { } else if (ret != HDB_ERR_NOENTRY) {
//(void) unlink(s->fname); //(void) unlink(s->fname);
krb5_err(context, 1, ret, krb5_err(context, 1, ret,
@@ -248,27 +248,27 @@ forked_reader(struct tsync *s)
} }
static krb5_error_code static krb5_error_code
make_entry(krb5_context context, hdb_entry_ex *entry, const char *name) make_entry(krb5_context context, hdb_entry *entry, const char *name)
{ {
krb5_error_code ret; krb5_error_code ret;
memset(entry, 0, sizeof(*entry)); memset(entry, 0, sizeof(*entry));
entry->entry.kvno = 2; entry->kvno = 2;
entry->entry.keys.len = 0; entry->keys.len = 0;
entry->entry.keys.val = NULL; entry->keys.val = NULL;
entry->entry.created_by.time = time(NULL); entry->created_by.time = time(NULL);
entry->entry.modified_by = NULL; entry->modified_by = NULL;
entry->entry.valid_start = NULL; entry->valid_start = NULL;
entry->entry.valid_end = NULL; entry->valid_end = NULL;
entry->entry.max_life = NULL; entry->max_life = NULL;
entry->entry.max_renew = NULL; entry->max_renew = NULL;
entry->entry.etypes = NULL; entry->etypes = NULL;
entry->entry.generation = NULL; entry->generation = NULL;
entry->entry.extensions = NULL; entry->extensions = NULL;
if ((ret = krb5_make_principal(context, &entry->entry.principal, if ((ret = krb5_make_principal(context, &entry->principal,
"TEST.H5L.SE", name, NULL))) "TEST.H5L.SE", name, NULL)))
return ret; return ret;
if ((ret = krb5_make_principal(context, &entry->entry.created_by.principal, if ((ret = krb5_make_principal(context, &entry->created_by.principal,
"TEST.H5L.SE", "tester", NULL))) "TEST.H5L.SE", "tester", NULL)))
return ret; return ret;
return 0; return 0;
@@ -326,7 +326,7 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
char *fname_ext = NULL; char *fname_ext = NULL;
pthread_t reader_thread; pthread_t reader_thread;
struct tsync ts; struct tsync ts;
hdb_entry_ex entw; hdb_entry entw;
pid_t child = getpid(); pid_t child = getpid();
HDB *dbw = NULL; HDB *dbw = NULL;
int status; int status;
@@ -393,14 +393,14 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
krb5_err(context, 1, ret, krb5_err(context, 1, ret,
"Could not store entry for \"foo\" in HDB %s", name); "Could not store entry for \"foo\" in HDB %s", name);
} }
free_HDB_entry(&entw.entry); free_HDB_entry(&entw);
if ((ret = make_entry(context, &entw, "bar")) || if ((ret = make_entry(context, &entw, "bar")) ||
(ret = dbw->hdb_store(context, dbw, 0, &entw))) { (ret = dbw->hdb_store(context, dbw, 0, &entw))) {
(void) unlink(fname_ext); (void) unlink(fname_ext);
krb5_err(context, 1, ret, krb5_err(context, 1, ret,
"Could not store entry for \"foo\" in HDB %s", name); "Could not store entry for \"foo\" in HDB %s", name);
} }
free_HDB_entry(&entw.entry); free_HDB_entry(&entw);
/* Tell the reader to start reading */ /* Tell the reader to start reading */
readers_turn(&ts, child, threaded); readers_turn(&ts, child, threaded);
@@ -413,7 +413,7 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
"Could not store entry for \"foobar\" in HDB %s " "Could not store entry for \"foobar\" in HDB %s "
"while iterating it", name); "while iterating it", name);
} }
free_HDB_entry(&entw.entry); free_HDB_entry(&entw);
/* Tell the reader to go again */ /* Tell the reader to go again */
readers_turn(&ts, child, threaded); readers_turn(&ts, child, threaded);
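Review bot: Now that hdb_entry carries a backend context that, per the commit message, is released by the HDB free_entry method, the `free_HDB_entry(&entr);` calls in threaded_reader and forked_reader release entries filled in by hdb_firstkey()/hdb_nextkey() without ever calling hdb_free_entry(), so any context a backend attached is leaked and the key material is not zeroized the way hdb_free_entry() does it. I'd use `hdb_free_entry(context, dbr, &entr);` in both readers and, for symmetry, `hdb_free_entry(context, dbw, &entw);` at the three `free_HDB_entry(&entw);` sites in test_hdb_concurrency. Whether the backends exercised by this test actually set a context is not visible here, so this may only be a latent leak today.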


@@ -106,7 +106,7 @@ TDB_unlock(krb5_context context, HDB *db)
} }
static krb5_error_code static krb5_error_code
TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
/* XXX Implement */ /* XXX Implement */
/* Tricky thing: heim_dict_iterate_f() is inconvenient here */ /* Tricky thing: heim_dict_iterate_f() is inconvenient here */
@@ -115,7 +115,7 @@ TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
} }
static krb5_error_code static krb5_error_code
TDB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) TDB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{ {
/* XXX Implement */ /* XXX Implement */
/* Tricky thing: heim_dict_iterate_f() is inconvenient here */ /* Tricky thing: heim_dict_iterate_f() is inconvenient here */
@@ -337,7 +337,7 @@ static void
make_namespace(krb5_context context, HDB *db, const char *name) make_namespace(krb5_context context, HDB *db, const char *name)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
hdb_entry_ex e; hdb_entry e;
Key k; Key k;
memset(&k, 0, sizeof(k)); memset(&k, 0, sizeof(k));
@@ -346,76 +346,76 @@ make_namespace(krb5_context context, HDB *db, const char *name)
/* Setup the HDB entry */ /* Setup the HDB entry */
memset(&e, 0, sizeof(e)); memset(&e, 0, sizeof(e));
e.entry.created_by.time = krs[0].epoch; e.created_by.time = krs[0].epoch;
e.entry.valid_start = e.entry.valid_end = e.entry.pw_end = 0; e.valid_start = e.valid_end = e.pw_end = 0;
e.entry.generation = 0; e.generation = 0;
e.entry.flags = int2HDBFlags(0); e.flags = int2HDBFlags(0);
e.entry.flags.server = e.entry.flags.client = 1; e.flags.server = e.flags.client = 1;
e.entry.flags.virtual = 1; e.flags.virtual = 1;
/* Setup etypes */ /* Setup etypes */
if (ret == 0 && if (ret == 0 &&
(e.entry.etypes = malloc(sizeof(*e.entry.etypes))) == NULL) (e.etypes = malloc(sizeof(*e.etypes))) == NULL)
ret = krb5_enomem(context); ret = krb5_enomem(context);
if (ret == 0) if (ret == 0)
e.entry.etypes->len = 3; e.etypes->len = 3;
if (ret == 0 && if (ret == 0 &&
(e.entry.etypes->val = calloc(e.entry.etypes->len, (e.etypes->val = calloc(e.etypes->len,
sizeof(e.entry.etypes->val[0]))) == NULL) sizeof(e.etypes->val[0]))) == NULL)
ret = krb5_enomem(context); ret = krb5_enomem(context);
if (ret == 0) { if (ret == 0) {
e.entry.etypes->val[0] = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128; e.etypes->val[0] = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128;
e.entry.etypes->val[1] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192; e.etypes->val[1] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192;
e.entry.etypes->val[2] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96; e.etypes->val[2] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
} }
/* Setup max_life and max_renew */ /* Setup max_life and max_renew */
if (ret == 0 && if (ret == 0 &&
(e.entry.max_life = malloc(sizeof(*e.entry.max_life))) == NULL) (e.max_life = malloc(sizeof(*e.max_life))) == NULL)
ret = krb5_enomem(context); ret = krb5_enomem(context);
if (ret == 0 && if (ret == 0 &&
(e.entry.max_renew = malloc(sizeof(*e.entry.max_renew))) == NULL) (e.max_renew = malloc(sizeof(*e.max_renew))) == NULL)
ret = krb5_enomem(context); ret = krb5_enomem(context);
if (ret == 0) if (ret == 0)
/* Make it long, so we see the clamped max */ /* Make it long, so we see the clamped max */
*e.entry.max_renew = 2 * ((*e.entry.max_life = 15 * 24 * 3600)); *e.max_renew = 2 * ((*e.max_life = 15 * 24 * 3600));
/* Setup principal name and created_by */ /* Setup principal name and created_by */
if (ret == 0) if (ret == 0)
ret = krb5_parse_name(context, name, &e.entry.principal); ret = krb5_parse_name(context, name, &e.principal);
if (ret == 0) if (ret == 0)
ret = krb5_parse_name(context, "admin@BAR.EXAMPLE", ret = krb5_parse_name(context, "admin@BAR.EXAMPLE",
&e.entry.created_by.principal); &e.created_by.principal);
/* Make base keys for first epoch */ /* Make base keys for first epoch */
if (ret == 0) if (ret == 0)
ret = make_base_key(context, e.entry.principal, base_pw[0], &k.key); ret = make_base_key(context, e.principal, base_pw[0], &k.key);
if (ret == 0) if (ret == 0)
add_Keys(&e.entry.keys, &k); add_Keys(&e.keys, &k);
if (ret == 0) if (ret == 0)
ret = hdb_entry_set_pw_change_time(context, &e.entry, krs[0].epoch); ret = hdb_entry_set_pw_change_time(context, &e, krs[0].epoch);
free_Key(&k); free_Key(&k);
e.entry.kvno = krs[0].base_key_kvno; e.kvno = krs[0].base_key_kvno;
/* Move them to history */ /* Move them to history */
if (ret == 0) if (ret == 0)
ret = hdb_add_current_keys_to_history(context, &e.entry); ret = hdb_add_current_keys_to_history(context, &e);
free_Keys(&e.entry.keys); free_Keys(&e.keys);
/* Make base keys for second epoch */ /* Make base keys for second epoch */
if (ret == 0) if (ret == 0)
ret = make_base_key(context, e.entry.principal, base_pw[1], &k.key); ret = make_base_key(context, e.principal, base_pw[1], &k.key);
if (ret == 0) if (ret == 0)
add_Keys(&e.entry.keys, &k); add_Keys(&e.keys, &k);
e.entry.kvno = krs[1].base_key_kvno; e.kvno = krs[1].base_key_kvno;
if (ret == 0) if (ret == 0)
ret = hdb_entry_set_pw_change_time(context, &e.entry, krs[1].epoch); ret = hdb_entry_set_pw_change_time(context, &e, krs[1].epoch);
/* Add the key rotation metadata */ /* Add the key rotation metadata */
if (ret == 0) if (ret == 0)
ret = hdb_entry_add_key_rotation(context, &e.entry, 0, &krs[0]); ret = hdb_entry_add_key_rotation(context, &e, 0, &krs[0]);
if (ret == 0) if (ret == 0)
ret = hdb_entry_add_key_rotation(context, &e.entry, 0, &krs[1]); ret = hdb_entry_add_key_rotation(context, &e, 0, &krs[1]);
if (ret == 0) if (ret == 0)
ret = db->hdb_store(context, db, 0, &e); ret = db->hdb_store(context, db, 0, &e);
@@ -447,7 +447,7 @@ static const char *unexpected[] = {
* different time offsets in each period. * different time offsets in each period.
*/ */
#define NUM_OFFSETS 5 #define NUM_OFFSETS 5
static hdb_entry_ex e[ static hdb_entry e[
(sizeof(expected) / sizeof(expected[0])) * (sizeof(expected) / sizeof(expected[0])) *
(sizeof(krs) / sizeof(krs[0])) * (sizeof(krs) / sizeof(krs[0])) *
NUM_OFFSETS NUM_OFFSETS
@@ -479,8 +479,8 @@ fetch_entries(krb5_context context,
krb5_error_code ret = 0; krb5_error_code ret = 0;
krb5_principal p = NULL; krb5_principal p = NULL;
krb5_keyblock base_key, dk; krb5_keyblock base_key, dk;
hdb_entry_ex *ep; hdb_entry *ep;
hdb_entry_ex no; hdb_entry no;
size_t i, b; size_t i, b;
int toffset = 0; int toffset = 0;
@@ -541,14 +541,14 @@ fetch_entries(krb5_context context,
} }
} else { } else {
if (ret == 0 && if (ret == 0 &&
!krb5_principal_compare(context, p, ep->entry.principal)) !krb5_principal_compare(context, p, ep->principal))
krb5_errx(context, 1, "wrong principal in fetched entry"); krb5_errx(context, 1, "wrong principal in fetched entry");
} }
{ {
HDB_Ext_KeySet *hist_keys; HDB_Ext_KeySet *hist_keys;
HDB_extension *ext; HDB_extension *ext;
ext = hdb_find_extension(&ep->entry, ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys); choice_HDB_extension_data_hist_keys);
if (ext) { if (ext) {
/* Sort key history by kvno, why not */ /* Sort key history by kvno, why not */
@@ -611,23 +611,23 @@ fetch_entries(krb5_context context,
if (ret) if (ret)
krb5_err(context, 1, ret, "deriving keys for comparison"); krb5_err(context, 1, ret, "deriving keys for comparison");
if (kvno != ep->entry.kvno) if (kvno != ep->kvno)
krb5_errx(context, 1, "kvno mismatch (%u != %u)", kvno, ep->entry.kvno); krb5_errx(context, 1, "kvno mismatch (%u != %u)", kvno, ep->kvno);
(void) hdb_entry_get_pw_change_time(&ep->entry, &chg_time); (void) hdb_entry_get_pw_change_time(ep, &chg_time);
if (set_time != chg_time) if (set_time != chg_time)
krb5_errx(context, 1, "key change time mismatch"); krb5_errx(context, 1, "key change time mismatch");
if (ep->entry.keys.len == 0) if (ep->keys.len == 0)
krb5_errx(context, 1, "no keys!"); krb5_errx(context, 1, "no keys!");
if (ep->entry.keys.val[0].key.keytype != dk.keytype) if (ep->keys.val[0].key.keytype != dk.keytype)
krb5_errx(context, 1, "enctype mismatch!"); krb5_errx(context, 1, "enctype mismatch!");
if (ep->entry.keys.val[0].key.keyvalue.length != if (ep->keys.val[0].key.keyvalue.length !=
dk.keyvalue.length) dk.keyvalue.length)
krb5_errx(context, 1, "key length mismatch!"); krb5_errx(context, 1, "key length mismatch!");
if (memcmp(ep->entry.keys.val[0].key.keyvalue.data, if (memcmp(ep->keys.val[0].key.keyvalue.data,
dk.keyvalue.data, dk.keyvalue.length) != 0) dk.keyvalue.data, dk.keyvalue.length) != 0)
krb5_errx(context, 1, "key mismatch!"); krb5_errx(context, 1, "key mismatch!");
if (memcmp(ep->entry.keys.val[0].key.keyvalue.data, if (memcmp(ep->keys.val[0].key.keyvalue.data,
e[b + i - 1].entry.keys.val[0].key.keyvalue.data, e[b + i - 1].keys.val[0].key.keyvalue.data,
dk.keyvalue.length) == 0) dk.keyvalue.length) == 0)
krb5_errx(context, 1, "different virtual principals have the same keys!"); krb5_errx(context, 1, "different virtual principals have the same keys!");
/* XXX Add check that we have the expected number of history keys */ /* XXX Add check that we have the expected number of history keys */
@@ -653,14 +653,14 @@ check_kvnos(krb5_context context)
for (k = 0; k < sizeof(e)/sizeof(e[0]); k++) { for (k = 0; k < sizeof(e)/sizeof(e[0]); k++) {
HDB_Ext_KeySet *hist_keys; HDB_Ext_KeySet *hist_keys;
HDB_extension *ext; HDB_extension *ext;
hdb_entry_ex *ep; hdb_entry *ep;
int match = 0; int match = 0;
if ((k % NUM_OFFSETS) != i) if ((k % NUM_OFFSETS) != i)
continue; continue;
ep = &e[k]; ep = &e[k];
if (ep->entry.principal == NULL) if (ep->principal == NULL)
continue; /* Didn't fetch this one */ continue; /* Didn't fetch this one */
/* /*
@@ -668,15 +668,15 @@ check_kvnos(krb5_context context)
* or else add them to `keysets'. * or else add them to `keysets'.
*/ */
for (m = 0; m < keysets.len; m++) { for (m = 0; m < keysets.len; m++) {
if (ep->entry.kvno == keysets.val[m].kvno) { if (ep->kvno == keysets.val[m].kvno) {
/* Check the key is the same */ /* Check the key is the same */
if (ep->entry.keys.val[0].key.keytype != if (ep->keys.val[0].key.keytype !=
keysets.val[m].keys.val[0].key.keytype || keysets.val[m].keys.val[0].key.keytype ||
ep->entry.keys.val[0].key.keyvalue.length != ep->keys.val[0].key.keyvalue.length !=
keysets.val[m].keys.val[0].key.keyvalue.length || keysets.val[m].keys.val[0].key.keyvalue.length ||
memcmp(ep->entry.keys.val[0].key.keyvalue.data, memcmp(ep->keys.val[0].key.keyvalue.data,
keysets.val[m].keys.val[0].key.keyvalue.data, keysets.val[m].keys.val[0].key.keyvalue.data,
ep->entry.keys.val[0].key.keyvalue.length) != 0) ep->keys.val[0].key.keyvalue.length) != 0)
krb5_errx(context, 1, krb5_errx(context, 1,
"key mismatch for same princ & kvno"); "key mismatch for same princ & kvno");
match = 1; match = 1;
@@ -685,8 +685,8 @@ check_kvnos(krb5_context context)
if (m == keysets.len) { if (m == keysets.len) {
hdb_keyset ks; hdb_keyset ks;
ks.kvno = ep->entry.kvno; ks.kvno = ep->kvno;
ks.keys = ep->entry.keys; ks.keys = ep->keys;
ks.set_time = 0; ks.set_time = 0;
if (add_HDB_Ext_KeySet(&keysets, &ks)) if (add_HDB_Ext_KeySet(&keysets, &ks))
krb5_err(context, 1, ENOMEM, "out of memory"); krb5_err(context, 1, ENOMEM, "out of memory");
@@ -696,7 +696,7 @@ check_kvnos(krb5_context context)
continue; continue;
/* For all non-current keysets, repeat the above */ /* For all non-current keysets, repeat the above */
ext = hdb_find_extension(&ep->entry, ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys); choice_HDB_extension_data_hist_keys);
if (!ext) if (!ext)
continue; continue;
@@ -704,20 +704,20 @@ check_kvnos(krb5_context context)
for (p = 0; p < hist_keys->len; p++) { for (p = 0; p < hist_keys->len; p++) {
for (m = 0; m < keysets.len; m++) { for (m = 0; m < keysets.len; m++) {
if (keysets.val[m].kvno == hist_keys->val[p].kvno) if (keysets.val[m].kvno == hist_keys->val[p].kvno)
if (ep->entry.keys.val[0].key.keytype != if (ep->keys.val[0].key.keytype !=
keysets.val[m].keys.val[0].key.keytype || keysets.val[m].keys.val[0].key.keytype ||
ep->entry.keys.val[0].key.keyvalue.length != ep->keys.val[0].key.keyvalue.length !=
keysets.val[m].keys.val[0].key.keyvalue.length || keysets.val[m].keys.val[0].key.keyvalue.length ||
memcmp(ep->entry.keys.val[0].key.keyvalue.data, memcmp(ep->keys.val[0].key.keyvalue.data,
keysets.val[m].keys.val[0].key.keyvalue.data, keysets.val[m].keys.val[0].key.keyvalue.data,
ep->entry.keys.val[0].key.keyvalue.length) != 0) ep->keys.val[0].key.keyvalue.length) != 0)
krb5_errx(context, 1, krb5_errx(context, 1,
"key mismatch for same princ & kvno"); "key mismatch for same princ & kvno");
} }
if (m == keysets.len) { if (m == keysets.len) {
hdb_keyset ks; hdb_keyset ks;
ks.kvno = ep->entry.kvno; ks.kvno = ep->kvno;
ks.keys = ep->entry.keys; ks.keys = ep->keys;
ks.set_time = 0; ks.set_time = 0;
if (add_HDB_Ext_KeySet(&keysets, &ks)) if (add_HDB_Ext_KeySet(&keysets, &ks))
krb5_err(context, 1, ENOMEM, "out of memory"); krb5_err(context, 1, ENOMEM, "out of memory");
@@ -741,15 +741,14 @@ print_em(krb5_context context)
if (0 == i % (sizeof(expected)/sizeof(expected[0]))) if (0 == i % (sizeof(expected)/sizeof(expected[0])))
continue; continue;
if (e[i].entry.principal == NULL) if (e[i].principal == NULL)
continue; continue;
hex_encode(e[i].entry.keys.val[0].key.keyvalue.data, hex_encode(e[i].keys.val[0].key.keyvalue.data,
e[i].entry.keys.val[0].key.keyvalue.length, &x); e[i].keys.val[0].key.keyvalue.length, &x);
printf("%s %u %s\n", x, e[i].entry.kvno, name); printf("%s %u %s\n", x, e[i].kvno, name);
free(x); free(x);
ext = hdb_find_extension(&e[i].entry, ext = hdb_find_extension(&e[i], choice_HDB_extension_data_hist_keys);
choice_HDB_extension_data_hist_keys);
if (!ext) if (!ext)
continue; continue;
hist_keys = &ext->data.u.hist_keys; hist_keys = &ext->data.u.hist_keys;
@@ -771,12 +770,12 @@ check_expected_kvnos(krb5_context context)
for (i = 0; i < sizeof(expected)/sizeof(expected[0]); i++) { for (i = 0; i < sizeof(expected)/sizeof(expected[0]); i++) {
for (k = 0; k < sizeof(krs)/sizeof(krs[0]); k++) { for (k = 0; k < sizeof(krs)/sizeof(krs[0]); k++) {
hdb_entry_ex *ep = &e[k * sizeof(expected)/sizeof(expected[0]) + i]; hdb_entry *ep = &e[k * sizeof(expected)/sizeof(expected[0]) + i];
if (ep->entry.principal == NULL) if (ep->principal == NULL)
continue; continue;
for (m = 0; m < NUM_OFFSETS; m++) { for (m = 0; m < NUM_OFFSETS; m++) {
ext = hdb_find_extension(&ep->entry, ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys); choice_HDB_extension_data_hist_keys);
if (!ext) if (!ext)
continue; continue;
@@ -787,7 +786,7 @@ check_expected_kvnos(krb5_context context)
} }
} }
fprintf(stderr, "%s at %lu: kvno %u\n", expected[i], k, fprintf(stderr, "%s at %lu: kvno %u\n", expected[i], k,
ep->entry.kvno); ep->kvno);
} }
} }
} }


@@ -111,7 +111,7 @@ change(void *server_handle,
int cond) int cond)
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
hdb_entry_ex ent; hdb_entry ent;
kadm5_ret_t ret; kadm5_ret_t ret;
Key *keys; Key *keys;
size_t num_keys; size_t num_keys;
@@ -167,7 +167,7 @@ change(void *server_handle,
* We save these for now so we can handle password history checking; * We save these for now so we can handle password history checking;
* we handle keepold further below. * we handle keepold further below.
*/ */
ret = hdb_add_current_keys_to_history(context->context, &ent.entry); ret = hdb_add_current_keys_to_history(context->context, &ent);
if (ret) if (ret)
goto out3; goto out3;
} }
@@ -179,13 +179,13 @@ change(void *server_handle,
goto out3; goto out3;
} else { } else {
num_keys = ent.entry.keys.len; num_keys = ent.keys.len;
keys = ent.entry.keys.val; keys = ent.keys.val;
ent.entry.keys.len = 0; ent.keys.len = 0;
ent.entry.keys.val = NULL; ent.keys.val = NULL;
ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple, ret = _kadm5_set_keys(context, &ent, n_ks_tuple, ks_tuple,
password); password);
if(ret) { if(ret) {
_kadm5_free_keys(context->context, num_keys, keys); _kadm5_free_keys(context->context, num_keys, keys);
@@ -196,10 +196,10 @@ change(void *server_handle,
if (cond) { if (cond) {
HDB_extension *ext; HDB_extension *ext;
ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys); ext = hdb_find_extension(&ent, choice_HDB_extension_data_hist_keys);
if (ext != NULL) if (ext != NULL)
existsp = _kadm5_exists_keys_hist(ent.entry.keys.val, existsp = _kadm5_exists_keys_hist(ent.keys.val,
ent.entry.keys.len, ent.keys.len,
&ext->data.u.hist_keys); &ext->data.u.hist_keys);
} }
@@ -210,9 +210,9 @@ change(void *server_handle,
goto out3; goto out3;
} }
} }
ent.entry.kvno++; ent.kvno++;
ent.entry.flags.require_pwchange = 0; ent.flags.require_pwchange = 0;
if (!keepold) { if (!keepold) {
HDB_extension ext; HDB_extension ext;
@@ -220,25 +220,25 @@ change(void *server_handle,
memset(&ext, 0, sizeof (ext)); memset(&ext, 0, sizeof (ext));
ext.mandatory = FALSE; ext.mandatory = FALSE;
ext.data.element = choice_HDB_extension_data_hist_keys; ext.data.element = choice_HDB_extension_data_hist_keys;
ret = hdb_replace_extension(context->context, &ent.entry, &ext); ret = hdb_replace_extension(context->context, &ent, &ext);
if (ret) if (ret)
goto out3; goto out3;
} }
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out3; goto out3;
ret = _kadm5_set_modifier(context, &ent.entry); ret = _kadm5_set_modifier(context, &ent);
if(ret) if(ret)
goto out3; goto out3;
ret = _kadm5_bump_pw_expire(context, &ent.entry); ret = _kadm5_bump_pw_expire(context, &ent);
if (ret) if (ret)
goto out3; goto out3;
/* This logs the change for iprop and writes to the HDB */ /* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry, ret = kadm5_log_modify(context, &ent,
KADM5_ATTRIBUTES | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_PRINCIPAL |
KADM5_MOD_NAME | KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_MOD_TIME |
KADM5_KEY_DATA | KADM5_KVNO | KADM5_KEY_DATA | KADM5_KVNO |
@@ -367,7 +367,7 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
krb5_key_data *key_data) krb5_key_data *key_data)
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
hdb_entry_ex ent; hdb_entry ent;
kadm5_ret_t ret; kadm5_ret_t ret;
uint32_t hook_flags = 0; uint32_t hook_flags = 0;
@@ -396,23 +396,23 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
goto out3; goto out3;
if (keepold) { if (keepold) {
ret = hdb_add_current_keys_to_history(context->context, &ent.entry); ret = hdb_add_current_keys_to_history(context->context, &ent);
if (ret) if (ret)
goto out3; goto out3;
} }
ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data); ret = _kadm5_set_keys2(context, &ent, n_key_data, key_data);
if (ret) if (ret)
goto out3; goto out3;
ent.entry.kvno++; ent.kvno++;
ret = _kadm5_set_modifier(context, &ent.entry); ret = _kadm5_set_modifier(context, &ent);
if (ret) if (ret)
goto out3; goto out3;
ret = _kadm5_bump_pw_expire(context, &ent.entry); ret = _kadm5_bump_pw_expire(context, &ent);
if (ret) if (ret)
goto out3; goto out3;
if (keepold) { if (keepold) {
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out3; goto out3;
} else { } else {
@@ -423,11 +423,11 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
ext.data.element = choice_HDB_extension_data_hist_keys; ext.data.element = choice_HDB_extension_data_hist_keys;
ext.data.u.hist_keys.len = 0; ext.data.u.hist_keys.len = 0;
ext.data.u.hist_keys.val = NULL; ext.data.u.hist_keys.val = NULL;
hdb_replace_extension(context->context, &ent.entry, &ext); hdb_replace_extension(context->context, &ent, &ext);
} }
/* This logs the change for iprop and writes to the HDB */ /* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry, ret = kadm5_log_modify(context, &ent,
KADM5_PRINCIPAL | KADM5_MOD_NAME | KADM5_PRINCIPAL | KADM5_MOD_NAME |
KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO | KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO |
KADM5_PW_EXPIRATION | KADM5_TL_DATA); KADM5_PW_EXPIRATION | KADM5_TL_DATA);
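Review bot: The return value of `hdb_replace_extension` is discarded in the `else` branch of kadm5_s_chpass_principal_with_key (the line that replaces the hist_keys extension with an empty one), whereas the same call in change() is checked and jumps to out3. If that replacement fails, the entry is still logged and stored with its old key history intact even though keepold was false. Suggest `ret = hdb_replace_extension(context->context, &ent, &ext);` followed by `if (ret) goto out3;` so both functions handle the failure the same way. The enclosing function continues past the end of this hunk.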


@@ -57,7 +57,7 @@ static kadm5_ret_t
create_principal(kadm5_server_context *context, create_principal(kadm5_server_context *context,
kadm5_principal_ent_t princ, kadm5_principal_ent_t princ,
uint32_t mask, uint32_t mask,
hdb_entry_ex *ent, hdb_entry *ent,
uint32_t required_mask, uint32_t required_mask,
uint32_t forbidden_mask) uint32_t forbidden_mask)
{ {
@@ -74,7 +74,7 @@ create_principal(kadm5_server_context *context,
/* XXX no real policies for now */ /* XXX no real policies for now */
return KADM5_UNK_POLICY; return KADM5_UNK_POLICY;
ret = krb5_copy_principal(context->context, princ->principal, ret = krb5_copy_principal(context->context, princ->principal,
&ent->entry.principal); &ent->principal);
if(ret) if(ret)
return ret; return ret;
@@ -96,10 +96,10 @@ create_principal(kadm5_server_context *context,
if (ret) if (ret)
return ret; return ret;
ent->entry.created_by.time = time(NULL); ent->created_by.time = time(NULL);
return krb5_copy_principal(context->context, context->caller, return krb5_copy_principal(context->context, context->caller,
&ent->entry.created_by.principal); &ent->created_by.principal);
} }
struct create_principal_hook_ctx { struct create_principal_hook_ctx {
@@ -167,7 +167,7 @@ kadm5_s_create_principal_with_key(void *server_handle,
uint32_t mask) uint32_t mask)
{ {
kadm5_ret_t ret; kadm5_ret_t ret;
hdb_entry_ex ent; hdb_entry ent;
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
if ((mask & KADM5_KVNO) == 0) { if ((mask & KADM5_KVNO) == 0) {
@@ -203,7 +203,7 @@ kadm5_s_create_principal_with_key(void *server_handle,
if (ret) if (ret)
goto out; goto out;
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out2; goto out2;
@@ -213,7 +213,7 @@ kadm5_s_create_principal_with_key(void *server_handle,
* Creation of would-be virtual principals w/o the materialize flag will be * Creation of would-be virtual principals w/o the materialize flag will be
* rejected in kadm5_log_create(). * rejected in kadm5_log_create().
*/ */
ret = kadm5_log_create(context, &ent.entry); ret = kadm5_log_create(context, &ent);
(void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, (void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
ret, princ, mask, NULL); ret, princ, mask, NULL);
@@ -241,7 +241,7 @@ kadm5_s_create_principal(void *server_handle,
const char *password) const char *password)
{ {
kadm5_ret_t ret; kadm5_ret_t ret;
hdb_entry_ex ent; hdb_entry ent;
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
int use_pw = 1; int use_pw = 1;
@@ -324,20 +324,20 @@ kadm5_s_create_principal(void *server_handle,
if (ret) if (ret)
goto out; goto out;
free_Keys(&ent.entry.keys); free_Keys(&ent.keys);
if (use_pw) { if (use_pw) {
ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple, password); ret = _kadm5_set_keys(context, &ent, n_ks_tuple, ks_tuple, password);
if (ret) if (ret)
goto out2; goto out2;
} }
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out2; goto out2;
/* This logs the change for iprop and writes to the HDB */ /* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_create(context, &ent.entry); ret = kadm5_log_create(context, &ent);
(void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, (void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
ret, princ, mask, password); ret, princ, mask, password);


@@ -92,7 +92,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
kadm5_ret_t ret; kadm5_ret_t ret;
hdb_entry_ex ent; hdb_entry ent;
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
if (!context->keep_open) { if (!context->keep_open) {
@@ -112,7 +112,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
0, &ent); 0, &ent);
if (ret == HDB_ERR_NOENTRY) if (ret == HDB_ERR_NOENTRY)
goto out2; goto out2;
if (ent.entry.flags.immutable) { if (ent.flags.immutable) {
ret = KADM5_PROTECT_PRINCIPAL; ret = KADM5_PROTECT_PRINCIPAL;
goto out3; goto out3;
} }
@@ -121,7 +121,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
if (ret) if (ret)
goto out3; goto out3;
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out3; goto out3;


@@ -73,7 +73,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
static kadm5_ret_t static kadm5_ret_t
perform_tl_data(krb5_context context, perform_tl_data(krb5_context context,
HDB *db, HDB *db,
hdb_entry_ex *ent, hdb_entry *ent,
const krb5_tl_data *tl_data) const krb5_tl_data *tl_data)
{ {
kadm5_ret_t ret = 0; kadm5_ret_t ret = 0;
@@ -84,7 +84,7 @@ perform_tl_data(krb5_context context,
if (pw[tl_data->tl_data_length] != '\0') if (pw[tl_data->tl_data_length] != '\0')
return KADM5_BAD_TL_TYPE; return KADM5_BAD_TL_TYPE;
ret = hdb_entry_set_password(context, db, &ent->entry, pw); ret = hdb_entry_set_password(context, db, ent, pw);
} else if (tl_data->tl_data_type == KRB5_TL_LAST_PWD_CHANGE) { } else if (tl_data->tl_data_type == KRB5_TL_LAST_PWD_CHANGE) {
unsigned long t; unsigned long t;
@@ -96,7 +96,7 @@ perform_tl_data(krb5_context context,
s = tl_data->tl_data_contents; s = tl_data->tl_data_contents;
(void) _krb5_get_int(s, &t, tl_data->tl_data_length); (void) _krb5_get_int(s, &t, tl_data->tl_data_length);
ret = hdb_entry_set_pw_change_time(context, &ent->entry, t); ret = hdb_entry_set_pw_change_time(context, ent, t);
} else if (tl_data->tl_data_type == KRB5_TL_KEY_ROTATION) { } else if (tl_data->tl_data_type == KRB5_TL_KEY_ROTATION) {
HDB_Ext_KeyRotation *prev_kr = 0; HDB_Ext_KeyRotation *prev_kr = 0;
@@ -105,7 +105,7 @@ perform_tl_data(krb5_context context,
ext.mandatory = 0; ext.mandatory = 0;
ext.data.element = choice_HDB_extension_data_key_rotation; ext.data.element = choice_HDB_extension_data_key_rotation;
prev_ext = hdb_find_extension(&ent->entry, ext.data.element); prev_ext = hdb_find_extension(ent, ext.data.element);
if (prev_ext) if (prev_ext)
prev_kr = &prev_ext->data.u.key_rotation; prev_kr = &prev_ext->data.u.key_rotation;
ret = decode_HDB_Ext_KeyRotation(tl_data->tl_data_contents, ret = decode_HDB_Ext_KeyRotation(tl_data->tl_data_contents,
@@ -115,7 +115,7 @@ perform_tl_data(krb5_context context,
ret = hdb_validate_key_rotations(context, prev_kr, ret = hdb_validate_key_rotations(context, prev_kr,
&ext.data.u.key_rotation); &ext.data.u.key_rotation);
if (ret == 0) if (ret == 0)
ret = hdb_replace_extension(context, &ent->entry, &ext); ret = hdb_replace_extension(context, ent, &ext);
free_HDB_extension(&ext); free_HDB_extension(&ext);
} else if (tl_data->tl_data_type == KRB5_TL_EXTENSION) { } else if (tl_data->tl_data_type == KRB5_TL_EXTENSION) {
HDB_extension ext; HDB_extension ext;
@@ -128,7 +128,7 @@ perform_tl_data(krb5_context context,
return KADM5_BAD_TL_TYPE; return KADM5_BAD_TL_TYPE;
if (ext.data.element == choice_HDB_extension_data_key_rotation) { if (ext.data.element == choice_HDB_extension_data_key_rotation) {
HDB_extension *prev_ext = hdb_find_extension(&ent->entry, HDB_extension *prev_ext = hdb_find_extension(ent,
ext.data.element); ext.data.element);
HDB_Ext_KeyRotation *prev_kr = 0; HDB_Ext_KeyRotation *prev_kr = 0;
@@ -140,19 +140,19 @@ perform_tl_data(krb5_context context,
if (ret) if (ret)
ret = KADM5_BAD_TL_TYPE; /* XXX Need new error code */ ret = KADM5_BAD_TL_TYPE; /* XXX Need new error code */
if (ret == 0) if (ret == 0)
ret = hdb_replace_extension(context, &ent->entry, &ext); ret = hdb_replace_extension(context, ent, &ext);
free_HDB_extension(&ext); free_HDB_extension(&ext);
} else if (tl_data->tl_data_type == KRB5_TL_ETYPES) { } else if (tl_data->tl_data_type == KRB5_TL_ETYPES) {
if (!ent->entry.etypes && if (!ent->etypes &&
(ent->entry.etypes = calloc(1, (ent->etypes = calloc(1,
sizeof(ent->entry.etypes[0]))) == NULL) sizeof(ent->etypes[0]))) == NULL)
ret = krb5_enomem(context); ret = krb5_enomem(context);
if (ent->entry.etypes) if (ent->etypes)
free_HDB_EncTypeList(ent->entry.etypes); free_HDB_EncTypeList(ent->etypes);
if (ret == 0) if (ret == 0)
ret = decode_HDB_EncTypeList(tl_data->tl_data_contents, ret = decode_HDB_EncTypeList(tl_data->tl_data_contents,
tl_data->tl_data_length, tl_data->tl_data_length,
ent->entry.etypes, NULL); ent->etypes, NULL);
if (ret) if (ret)
return KADM5_BAD_TL_TYPE; return KADM5_BAD_TL_TYPE;
} else if (tl_data->tl_data_type == KRB5_TL_ALIASES) { } else if (tl_data->tl_data_type == KRB5_TL_ALIASES) {
@@ -164,14 +164,14 @@ perform_tl_data(krb5_context context,
} }
static void static void
default_flags(hdb_entry_ex *ent) default_flags(hdb_entry *ent)
{ {
ent->entry.flags.client = 1; ent->flags.client = 1;
ent->entry.flags.server = 1; ent->flags.server = 1;
ent->entry.flags.forwardable = 1; ent->flags.forwardable = 1;
ent->entry.flags.proxiable = 1; ent->flags.proxiable = 1;
ent->entry.flags.renewable = 1; ent->flags.renewable = 1;
ent->entry.flags.postdate = 1; ent->flags.postdate = 1;
} }
@@ -183,7 +183,7 @@ default_flags(hdb_entry_ex *ent)
kadm5_ret_t kadm5_ret_t
_kadm5_setup_entry(kadm5_server_context *context, _kadm5_setup_entry(kadm5_server_context *context,
hdb_entry_ex *ent, hdb_entry *ent,
uint32_t mask, uint32_t mask,
kadm5_principal_ent_t princ, kadm5_principal_ent_t princ,
uint32_t princ_mask, uint32_t princ_mask,
@@ -193,23 +193,23 @@ _kadm5_setup_entry(kadm5_server_context *context,
if(mask & KADM5_PRINC_EXPIRE_TIME if(mask & KADM5_PRINC_EXPIRE_TIME
&& princ_mask & KADM5_PRINC_EXPIRE_TIME) { && princ_mask & KADM5_PRINC_EXPIRE_TIME) {
if (princ->princ_expire_time) if (princ->princ_expire_time)
set_value(ent->entry.valid_end, princ->princ_expire_time); set_value(ent->valid_end, princ->princ_expire_time);
else else
set_null(ent->entry.valid_end); set_null(ent->valid_end);
} }
if(mask & KADM5_PW_EXPIRATION if(mask & KADM5_PW_EXPIRATION
&& princ_mask & KADM5_PW_EXPIRATION) { && princ_mask & KADM5_PW_EXPIRATION) {
if (princ->pw_expiration) if (princ->pw_expiration)
set_value(ent->entry.pw_end, princ->pw_expiration); set_value(ent->pw_end, princ->pw_expiration);
else else
set_null(ent->entry.pw_end); set_null(ent->pw_end);
} }
if(mask & KADM5_ATTRIBUTES) { if(mask & KADM5_ATTRIBUTES) {
if (princ_mask & KADM5_ATTRIBUTES) { if (princ_mask & KADM5_ATTRIBUTES) {
attr_to_flags(princ->attributes, &ent->entry.flags); attr_to_flags(princ->attributes, &ent->flags);
} else if(def_mask & KADM5_ATTRIBUTES) { } else if(def_mask & KADM5_ATTRIBUTES) {
attr_to_flags(def->attributes, &ent->entry.flags); attr_to_flags(def->attributes, &ent->flags);
ent->entry.flags.invalid = 0; ent->flags.invalid = 0;
} else { } else {
default_flags(ent); default_flags(ent);
} }
@@ -218,41 +218,41 @@ _kadm5_setup_entry(kadm5_server_context *context,
if(mask & KADM5_MAX_LIFE) { if(mask & KADM5_MAX_LIFE) {
if(princ_mask & KADM5_MAX_LIFE) { if(princ_mask & KADM5_MAX_LIFE) {
if(princ->max_life) if(princ->max_life)
set_value(ent->entry.max_life, princ->max_life); set_value(ent->max_life, princ->max_life);
else else
set_null(ent->entry.max_life); set_null(ent->max_life);
} else if(def_mask & KADM5_MAX_LIFE) { } else if(def_mask & KADM5_MAX_LIFE) {
if(def->max_life) if(def->max_life)
set_value(ent->entry.max_life, def->max_life); set_value(ent->max_life, def->max_life);
else else
set_null(ent->entry.max_life); set_null(ent->max_life);
} }
} }
if(mask & KADM5_KVNO if(mask & KADM5_KVNO
&& (princ_mask & KADM5_KVNO)) { && (princ_mask & KADM5_KVNO)) {
krb5_error_code ret; krb5_error_code ret;
ret = hdb_change_kvno(context->context, princ->kvno, &ent->entry); ret = hdb_change_kvno(context->context, princ->kvno, ent);
if (ret && ret != HDB_ERR_KVNO_NOT_FOUND) if (ret && ret != HDB_ERR_KVNO_NOT_FOUND)
return ret; return ret;
ent->entry.kvno = princ->kvno; /* force it */ ent->kvno = princ->kvno; /* force it */
} }
if(mask & KADM5_MAX_RLIFE) { if(mask & KADM5_MAX_RLIFE) {
if(princ_mask & KADM5_MAX_RLIFE) { if(princ_mask & KADM5_MAX_RLIFE) {
if(princ->max_renewable_life) if(princ->max_renewable_life)
set_value(ent->entry.max_renew, princ->max_renewable_life); set_value(ent->max_renew, princ->max_renewable_life);
else else
set_null(ent->entry.max_renew); set_null(ent->max_renew);
} else if(def_mask & KADM5_MAX_RLIFE) { } else if(def_mask & KADM5_MAX_RLIFE) {
if(def->max_renewable_life) if(def->max_renewable_life)
set_value(ent->entry.max_renew, def->max_renewable_life); set_value(ent->max_renew, def->max_renewable_life);
else else
set_null(ent->entry.max_renew); set_null(ent->max_renew);
} }
} }
if(mask & KADM5_KEY_DATA if(mask & KADM5_KEY_DATA
&& princ_mask & KADM5_KEY_DATA) { && princ_mask & KADM5_KEY_DATA) {
_kadm5_set_keys2(context, &ent->entry, _kadm5_set_keys2(context, ent,
princ->n_key_data, princ->key_data); princ->n_key_data, princ->key_data);
} }
if(mask & KADM5_TL_DATA) { if(mask & KADM5_TL_DATA) {
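Review bot: The result of `_kadm5_set_keys2` is dropped in the KADM5_KEY_DATA branch of _kadm5_setup_entry, so a caller supplying key data that cannot be converted still gets a success return and an entry whose keys are whatever the failed call left behind. The neighbouring branches propagate errors (hdb_change_kvno a few lines above returns ret on failure), so this one should read `ret = _kadm5_set_keys2(context, ent, princ->n_key_data, princ->key_data); if (ret) return ret;` with a local `krb5_error_code ret;` as in the KADM5_KVNO branch. Separately, in perform_tl_data's KRB5_TL_ETYPES branch the trailing `if (ret) return KADM5_BAD_TL_TYPE;` also maps the calloc failure recorded via krb5_enomem to a bad-TL-type error; returning `ret` unchanged there keeps ENOMEM visible to the caller. _kadm5_setup_entry starts in the preceding hunk and continues past the end of this one.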


@@ -55,12 +55,12 @@ add_princ(krb5_context context, struct foreach_data *d, char *princ)
} }
static krb5_error_code static krb5_error_code
foreach(krb5_context context, HDB *db, hdb_entry_ex *ent, void *data) foreach(krb5_context context, HDB *db, hdb_entry *ent, void *data)
{ {
struct foreach_data *d = data; struct foreach_data *d = data;
char *princ; char *princ;
krb5_error_code ret; krb5_error_code ret;
ret = krb5_unparse_name(context, ent->entry.principal, &princ); ret = krb5_unparse_name(context, ent->principal, &princ);
if(ret) if(ret)
return ret; return ret;
if(d->exp){ if(d->exp){


@@ -122,7 +122,7 @@ kadm5_s_get_principal(void *server_handle,
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
kadm5_ret_t ret; kadm5_ret_t ret;
hdb_entry_ex ent; hdb_entry ent;
unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA; unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA;
if ((mask & KADM5_KEY_DATA) || (mask & KADM5_KVNO)) if ((mask & KADM5_KEY_DATA) || (mask & KADM5_KVNO))
@@ -157,57 +157,57 @@ kadm5_s_get_principal(void *server_handle,
return _kadm5_error_code(ret); return _kadm5_error_code(ret);
if(mask & KADM5_PRINCIPAL) if(mask & KADM5_PRINCIPAL)
ret = krb5_copy_principal(context->context, ent.entry.principal, ret = krb5_copy_principal(context->context, ent.principal,
&out->principal); &out->principal);
if(ret) if(ret)
goto out; goto out;
if(mask & KADM5_PRINC_EXPIRE_TIME && ent.entry.valid_end) if(mask & KADM5_PRINC_EXPIRE_TIME && ent.valid_end)
out->princ_expire_time = *ent.entry.valid_end; out->princ_expire_time = *ent.valid_end;
if(mask & KADM5_PW_EXPIRATION && ent.entry.pw_end) if(mask & KADM5_PW_EXPIRATION && ent.pw_end)
out->pw_expiration = *ent.entry.pw_end; out->pw_expiration = *ent.pw_end;
if(mask & KADM5_LAST_PWD_CHANGE) if(mask & KADM5_LAST_PWD_CHANGE)
hdb_entry_get_pw_change_time(&ent.entry, &out->last_pwd_change); hdb_entry_get_pw_change_time(&ent, &out->last_pwd_change);
if(mask & KADM5_ATTRIBUTES){ if(mask & KADM5_ATTRIBUTES){
out->attributes |= ent.entry.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED; out->attributes |= ent.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED;
out->attributes |= ent.entry.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE; out->attributes |= ent.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE;
out->attributes |= ent.entry.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0; out->attributes |= ent.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0;
out->attributes |= ent.entry.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE; out->attributes |= ent.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE;
out->attributes |= ent.entry.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE; out->attributes |= ent.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0; out->attributes |= ent.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0; out->attributes |= ent.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
out->attributes |= ent.entry.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0; out->attributes |= ent.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0;
out->attributes |= ent.entry.flags.client ? 0 : KRB5_KDB_DISALLOW_CLIENT; out->attributes |= ent.flags.client ? 0 : KRB5_KDB_DISALLOW_CLIENT;
out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR; out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0; out->attributes |= ent.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0; out->attributes |= ent.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;
out->attributes |= ent.entry.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0; out->attributes |= ent.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0;
out->attributes |= ent.entry.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0; out->attributes |= ent.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0;
out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0; out->attributes |= ent.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0;
out->attributes |= ent.entry.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0; out->attributes |= ent.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0;
out->attributes |= ent.entry.flags.virtual ? KRB5_KDB_VIRTUAL : 0; out->attributes |= ent.flags.virtual ? KRB5_KDB_VIRTUAL : 0;
out->attributes |= ent.entry.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0; out->attributes |= ent.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0;
} }
if(mask & KADM5_MAX_LIFE) { if(mask & KADM5_MAX_LIFE) {
if(ent.entry.max_life) if(ent.max_life)
out->max_life = *ent.entry.max_life; out->max_life = *ent.max_life;
else else
out->max_life = INT_MAX; out->max_life = INT_MAX;
} }
if(mask & KADM5_MOD_TIME) { if(mask & KADM5_MOD_TIME) {
if(ent.entry.modified_by) if(ent.modified_by)
out->mod_date = ent.entry.modified_by->time; out->mod_date = ent.modified_by->time;
else else
out->mod_date = ent.entry.created_by.time; out->mod_date = ent.created_by.time;
} }
if(mask & KADM5_MOD_NAME) { if(mask & KADM5_MOD_NAME) {
if(ent.entry.modified_by) { if(ent.modified_by) {
if (ent.entry.modified_by->principal != NULL) if (ent.modified_by->principal != NULL)
ret = krb5_copy_principal(context->context, ret = krb5_copy_principal(context->context,
ent.entry.modified_by->principal, ent.modified_by->principal,
&out->mod_name); &out->mod_name);
} else if(ent.entry.created_by.principal != NULL) } else if(ent.created_by.principal != NULL)
ret = krb5_copy_principal(context->context, ret = krb5_copy_principal(context->context,
ent.entry.created_by.principal, ent.created_by.principal,
&out->mod_name); &out->mod_name);
else else
out->mod_name = NULL; out->mod_name = NULL;
@@ -216,13 +216,13 @@ kadm5_s_get_principal(void *server_handle,
goto out; goto out;
if(mask & KADM5_KVNO) if(mask & KADM5_KVNO)
out->kvno = ent.entry.kvno; out->kvno = ent.kvno;
if(mask & KADM5_MKVNO) { if(mask & KADM5_MKVNO) {
size_t n; size_t n;
out->mkvno = 0; /* XXX */ out->mkvno = 0; /* XXX */
for(n = 0; n < ent.entry.keys.len; n++) for(n = 0; n < ent.keys.len; n++)
if(ent.entry.keys.val[n].mkvno) { if(ent.keys.val[n].mkvno) {
out->mkvno = *ent.entry.keys.val[n].mkvno; /* XXX this isn't right */ out->mkvno = *ent.keys.val[n].mkvno; /* XXX this isn't right */
break; break;
} }
} }
@@ -239,7 +239,7 @@ kadm5_s_get_principal(void *server_handle,
if(mask & KADM5_POLICY) { if(mask & KADM5_POLICY) {
HDB_extension *ext; HDB_extension *ext;
ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_policy); ext = hdb_find_extension(&ent, choice_HDB_extension_data_policy);
if (ext == NULL) { if (ext == NULL) {
out->policy = strdup("default"); out->policy = strdup("default");
/* It's OK if we retun NULL instead of "default" */ /* It's OK if we retun NULL instead of "default" */
@@ -252,27 +252,27 @@ kadm5_s_get_principal(void *server_handle,
} }
} }
if(mask & KADM5_MAX_RLIFE) { if(mask & KADM5_MAX_RLIFE) {
if(ent.entry.max_renew) if(ent.max_renew)
out->max_renewable_life = *ent.entry.max_renew; out->max_renewable_life = *ent.max_renew;
else else
out->max_renewable_life = INT_MAX; out->max_renewable_life = INT_MAX;
} }
if(mask & KADM5_KEY_DATA){ if(mask & KADM5_KEY_DATA){
size_t i; size_t i;
size_t n_keys = ent.entry.keys.len; size_t n_keys = ent.keys.len;
krb5_salt salt; krb5_salt salt;
HDB_extension *ext; HDB_extension *ext;
HDB_Ext_KeySet *hist_keys = NULL; HDB_Ext_KeySet *hist_keys = NULL;
/* Don't return stale keys to kadm5 clients */ /* Don't return stale keys to kadm5 clients */
ret = hdb_prune_keys(context->context, &ent.entry); ret = hdb_prune_keys(context->context, &ent);
if (ret) if (ret)
goto out; goto out;
ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys); ext = hdb_find_extension(&ent, choice_HDB_extension_data_hist_keys);
if (ext != NULL) if (ext != NULL)
hist_keys = &ext->data.u.hist_keys; hist_keys = &ext->data.u.hist_keys;
krb5_get_pw_salt(context->context, ent.entry.principal, &salt); krb5_get_pw_salt(context->context, ent.principal, &salt);
for (i = 0; hist_keys != NULL && i < hist_keys->len; i++) for (i = 0; hist_keys != NULL && i < hist_keys->len; i++)
n_keys += hist_keys->val[i].keys.len; n_keys += hist_keys->val[i].keys.len;
out->key_data = malloc(n_keys * sizeof(*out->key_data)); out->key_data = malloc(n_keys * sizeof(*out->key_data));
@@ -281,8 +281,8 @@ kadm5_s_get_principal(void *server_handle,
goto out; goto out;
} }
out->n_key_data = 0; out->n_key_data = 0;
ret = copy_keyset_to_kadm5(context, ent.entry.kvno, ent.entry.keys.len, ret = copy_keyset_to_kadm5(context, ent.kvno, ent.keys.len,
ent.entry.keys.val, &salt, out); ent.keys.val, &salt, out);
if (ret) if (ret)
goto out; goto out;
for (i = 0; hist_keys != NULL && i < hist_keys->len; i++) { for (i = 0; hist_keys != NULL && i < hist_keys->len; i++) {
@@ -305,12 +305,12 @@ kadm5_s_get_principal(void *server_handle,
const HDB_Ext_KeyRotation *kr; const HDB_Ext_KeyRotation *kr;
heim_octet_string krb5_config; heim_octet_string krb5_config;
if (ent.entry.etypes) { if (ent.etypes) {
krb5_data buf; krb5_data buf;
size_t len; size_t len;
ASN1_MALLOC_ENCODE(HDB_EncTypeList, buf.data, buf.length, ASN1_MALLOC_ENCODE(HDB_EncTypeList, buf.data, buf.length,
ent.entry.etypes, &len, ret); ent.etypes, &len, ret);
if (ret == 0) { if (ret == 0) {
ret = add_tl_data(out, KRB5_TL_ETYPES, buf.data, buf.length); ret = add_tl_data(out, KRB5_TL_ETYPES, buf.data, buf.length);
free(buf.data); free(buf.data);
@@ -319,14 +319,14 @@ kadm5_s_get_principal(void *server_handle,
goto out; goto out;
} }
ret = hdb_entry_get_pw_change_time(&ent.entry, &last_pw_expire); ret = hdb_entry_get_pw_change_time(&ent, &last_pw_expire);
if (ret == 0 && last_pw_expire) { if (ret == 0 && last_pw_expire) {
unsigned char buf[4]; unsigned char buf[4];
_krb5_put_int(buf, last_pw_expire, sizeof(buf)); _krb5_put_int(buf, last_pw_expire, sizeof(buf));
ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf)); ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf));
} }
ret = hdb_entry_get_krb5_config(&ent.entry, &krb5_config); ret = hdb_entry_get_krb5_config(&ent, &krb5_config);
if (ret == 0 && krb5_config.length) { if (ret == 0 && krb5_config.length) {
ret = add_tl_data(out, KRB5_TL_KRB5_CONFIG, krb5_config.data, ret = add_tl_data(out, KRB5_TL_KRB5_CONFIG, krb5_config.data,
krb5_config.length); krb5_config.length);
@@ -342,7 +342,7 @@ kadm5_s_get_principal(void *server_handle,
/* XXX But not if the client doesn't have ext-keys */ /* XXX But not if the client doesn't have ext-keys */
ret = hdb_entry_get_password(context->context, ret = hdb_entry_get_password(context->context,
context->db, &ent.entry, &pw); context->db, &ent, &pw);
if (ret == 0) { if (ret == 0) {
ret = add_tl_data(out, KRB5_TL_PASSWORD, pw, strlen(pw) + 1); ret = add_tl_data(out, KRB5_TL_PASSWORD, pw, strlen(pw) + 1);
free(pw); free(pw);
@@ -352,7 +352,7 @@ kadm5_s_get_principal(void *server_handle,
krb5_clear_error_message(context->context); krb5_clear_error_message(context->context);
} }
ret = hdb_entry_get_pkinit_acl(&ent.entry, &acl); ret = hdb_entry_get_pkinit_acl(&ent, &acl);
if (ret == 0 && acl) { if (ret == 0 && acl) {
krb5_data buf; krb5_data buf;
size_t len; size_t len;
@@ -370,7 +370,7 @@ kadm5_s_get_principal(void *server_handle,
goto out; goto out;
} }
ret = hdb_entry_get_aliases(&ent.entry, &aliases); ret = hdb_entry_get_aliases(&ent, &aliases);
if (ret == 0 && aliases) { if (ret == 0 && aliases) {
krb5_data buf; krb5_data buf;
size_t len; size_t len;
@@ -388,7 +388,7 @@ kadm5_s_get_principal(void *server_handle,
goto out; goto out;
} }
ret = hdb_entry_get_key_rotation(context->context, &ent.entry, &kr); ret = hdb_entry_get_key_rotation(context->context, &ent, &kr);
if (ret == 0 && kr) { if (ret == 0 && kr) {
krb5_data buf; krb5_data buf;
size_t len; size_t len;
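Review bot: `krb5_get_pw_salt(context->context, ent.principal, &salt);` in the KADM5_KEY_DATA branch of kadm5_s_get_principal ignores its return value, and salt is then passed to copy_keyset_to_kadm5 (and presumably released later) without having been initialised on the failure path. The surrounding calls in the same branch are checked (hdb_prune_keys jumps to out on error), so this one should be too: `ret = krb5_get_pw_salt(context->context, ent.principal, &salt); if (ret) goto out;`. kadm5_s_get_principal starts in the first hunk of this section and continues past the last.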


@@ -392,14 +392,14 @@ error:
} }
static int static int
dump_one (krb5_context context, HDB *db, hdb_entry_ex *entry, void *v) dump_one (krb5_context context, HDB *db, hdb_entry *entry, void *v)
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_storage *dump = (krb5_storage *)v; krb5_storage *dump = (krb5_storage *)v;
krb5_storage *sp; krb5_storage *sp;
krb5_data data; krb5_data data;
ret = hdb_entry2value (context, &entry->entry, &data); ret = hdb_entry2value (context, entry, &data);
if (ret) if (ret)
return ret; return ret;
ret = krb5_data_realloc (&data, data.length + 4); ret = krb5_data_realloc (&data, data.length + 4);


@@ -571,7 +571,7 @@ receive_everything(krb5_context context, int fd,
krb5_ret_uint32(sp, &opcode); krb5_ret_uint32(sp, &opcode);
if (opcode == ONE_PRINC) { if (opcode == ONE_PRINC) {
krb5_data fake_data; krb5_data fake_data;
hdb_entry_ex entry; hdb_entry entry;
krb5_storage_free(sp); krb5_storage_free(sp);
@@ -580,7 +580,7 @@ receive_everything(krb5_context context, int fd,
memset(&entry, 0, sizeof(entry)); memset(&entry, 0, sizeof(entry));
ret = hdb_value2entry(context, &fake_data, &entry.entry); ret = hdb_value2entry(context, &fake_data, &entry);
if (ret) if (ret)
krb5_err(context, IPROPD_RESTART, ret, "hdb_value2entry"); krb5_err(context, IPROPD_RESTART, ret, "hdb_value2entry");
ret = mydb->hdb_store(server_context->context, ret = mydb->hdb_store(server_context->context,


@@ -974,12 +974,12 @@ kadm5_log_create(kadm5_server_context *context, hdb_entry *entry)
krb5_ssize_t bytes; krb5_ssize_t bytes;
kadm5_ret_t ret; kadm5_ret_t ret;
krb5_data value; krb5_data value;
hdb_entry_ex ent, existing; hdb_entry ent, existing;
kadm5_log_context *log_context = &context->log_context; kadm5_log_context *log_context = &context->log_context;
memset(&existing, 0, sizeof(existing)); memset(&existing, 0, sizeof(existing));
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
ent.entry = *entry; ent = *entry;
/* /*
* Do not allow creation of concrete entries within namespaces unless * Do not allow creation of concrete entries within namespaces unless
@@ -989,14 +989,14 @@ kadm5_log_create(kadm5_server_context *context, hdb_entry *entry)
0, 0, 0, &existing); 0, 0, 0, &existing);
if (ret != 0 && ret != HDB_ERR_NOENTRY) if (ret != 0 && ret != HDB_ERR_NOENTRY)
return ret; return ret;
if (ret == 0 && !ent.entry.flags.materialize && if (ret == 0 && !ent.flags.materialize &&
(existing.entry.flags.virtual || existing.entry.flags.virtual_keys)) { (existing.flags.virtual || existing.flags.virtual_keys)) {
hdb_free_entry(context->context, context->db, &existing); hdb_free_entry(context->context, context->db, &existing);
return HDB_ERR_EXISTS; return HDB_ERR_EXISTS;
} }
if (ret == 0) if (ret == 0)
hdb_free_entry(context->context, context->db, &existing); hdb_free_entry(context->context, context->db, &existing);
ent.entry.flags.materialize = 0; /* Clear in stored entry */ ent.flags.materialize = 0; /* Clear in stored entry */
/* /*
* If we're not logging then we can't recover-to-perform, so just * If we're not logging then we can't recover-to-perform, so just
@@ -1055,7 +1055,7 @@ kadm5_log_replay_create(kadm5_server_context *context,
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_data data; krb5_data data;
hdb_entry_ex ent; hdb_entry ent;
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
@@ -1065,7 +1065,7 @@ kadm5_log_replay_create(kadm5_server_context *context,
return ret; return ret;
} }
krb5_storage_read(sp, data.data, len); krb5_storage_read(sp, data.data, len);
ret = hdb_value2entry(context->context, &data, &ent.entry); ret = hdb_value2entry(context->context, &data, &ent);
krb5_data_free(&data); krb5_data_free(&data);
if (ret) { if (ret) {
krb5_set_error_message(context->context, ret, krb5_set_error_message(context->context, ret,
@@ -1196,11 +1196,11 @@ kadm5_log_rename(kadm5_server_context *context,
off_t end_off = 0; /* Ditto; this allows de-indentation by two levels */ off_t end_off = 0; /* Ditto; this allows de-indentation by two levels */
off_t off; off_t off;
krb5_data value; krb5_data value;
hdb_entry_ex ent; hdb_entry ent;
kadm5_log_context *log_context = &context->log_context; kadm5_log_context *log_context = &context->log_context;
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
ent.entry = *entry; ent = *entry;
if (strcmp(log_context->log_file, "/dev/null") == 0) { if (strcmp(log_context->log_file, "/dev/null") == 0) {
ret = context->db->hdb_store(context->context, context->db, 0, &ent); ret = context->db->hdb_store(context->context, context->db, 0, &ent);
@@ -1306,7 +1306,7 @@ kadm5_log_replay_rename(kadm5_server_context *context,
{ {
krb5_error_code ret; krb5_error_code ret;
krb5_principal source; krb5_principal source;
hdb_entry_ex target_ent; hdb_entry target_ent;
krb5_data value; krb5_data value;
off_t off; off_t off;
size_t princ_len, data_len; size_t princ_len, data_len;
@@ -1328,7 +1328,7 @@ kadm5_log_replay_rename(kadm5_server_context *context,
return ret; return ret;
} }
krb5_storage_read(sp, value.data, data_len); krb5_storage_read(sp, value.data, data_len);
ret = hdb_value2entry(context->context, &value, &target_ent.entry); ret = hdb_value2entry(context->context, &value, &target_ent);
krb5_data_free(&value); krb5_data_free(&value);
if (ret) { if (ret) {
krb5_free_principal(context->context, source); krb5_free_principal(context->context, source);
@@ -1360,11 +1360,11 @@ kadm5_log_modify(kadm5_server_context *context,
kadm5_ret_t ret; kadm5_ret_t ret;
krb5_data value; krb5_data value;
uint32_t len; uint32_t len;
hdb_entry_ex ent; hdb_entry ent;
kadm5_log_context *log_context = &context->log_context; kadm5_log_context *log_context = &context->log_context;
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
ent.entry = *entry; ent = *entry;
if (strcmp(log_context->log_file, "/dev/null") == 0) if (strcmp(log_context->log_file, "/dev/null") == 0)
return context->db->hdb_store(context->context, context->db, return context->db->hdb_store(context->context, context->db,
@@ -1428,7 +1428,7 @@ kadm5_log_replay_modify(kadm5_server_context *context,
krb5_error_code ret; krb5_error_code ret;
uint32_t mask; uint32_t mask;
krb5_data value; krb5_data value;
hdb_entry_ex ent, log_ent; hdb_entry ent, log_ent;
memset(&log_ent, 0, sizeof(log_ent)); memset(&log_ent, 0, sizeof(log_ent));
@@ -1446,7 +1446,7 @@ kadm5_log_replay_modify(kadm5_server_context *context,
ret = errno ? errno : EIO; ret = errno ? errno : EIO;
return ret; return ret;
} }
ret = hdb_value2entry (context->context, &value, &log_ent.entry); ret = hdb_value2entry (context->context, &value, &log_ent);
krb5_data_free(&value); krb5_data_free(&value);
if (ret) if (ret)
return ret; return ret;
@@ -1454,37 +1454,37 @@ kadm5_log_replay_modify(kadm5_server_context *context,
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
/* NOTE: We do not use hdb_fetch_kvno() here */ /* NOTE: We do not use hdb_fetch_kvno() here */
ret = context->db->hdb_fetch_kvno(context->context, context->db, ret = context->db->hdb_fetch_kvno(context->context, context->db,
log_ent.entry.principal, log_ent.principal,
HDB_F_DECRYPT|HDB_F_ALL_KVNOS| HDB_F_DECRYPT|HDB_F_ALL_KVNOS|
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent); HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
if (ret) if (ret)
goto out; goto out;
if (mask & KADM5_PRINC_EXPIRE_TIME) { if (mask & KADM5_PRINC_EXPIRE_TIME) {
if (log_ent.entry.valid_end == NULL) { if (log_ent.valid_end == NULL) {
ent.entry.valid_end = NULL; ent.valid_end = NULL;
} else { } else {
if (ent.entry.valid_end == NULL) { if (ent.valid_end == NULL) {
ent.entry.valid_end = malloc(sizeof(*ent.entry.valid_end)); ent.valid_end = malloc(sizeof(*ent.valid_end));
if (ent.entry.valid_end == NULL) { if (ent.valid_end == NULL) {
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
goto out; goto out;
} }
} }
*ent.entry.valid_end = *log_ent.entry.valid_end; *ent.valid_end = *log_ent.valid_end;
} }
} }
if (mask & KADM5_PW_EXPIRATION) { if (mask & KADM5_PW_EXPIRATION) {
if (log_ent.entry.pw_end == NULL) { if (log_ent.pw_end == NULL) {
ent.entry.pw_end = NULL; ent.pw_end = NULL;
} else { } else {
if (ent.entry.pw_end == NULL) { if (ent.pw_end == NULL) {
ent.entry.pw_end = malloc(sizeof(*ent.entry.pw_end)); ent.pw_end = malloc(sizeof(*ent.pw_end));
if (ent.entry.pw_end == NULL) { if (ent.pw_end == NULL) {
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
goto out; goto out;
} }
} }
*ent.entry.pw_end = *log_ent.entry.pw_end; *ent.pw_end = *log_ent.pw_end;
} }
} }
if (mask & KADM5_LAST_PWD_CHANGE) { if (mask & KADM5_LAST_PWD_CHANGE) {
@@ -1492,39 +1492,39 @@ kadm5_log_replay_modify(kadm5_server_context *context,
"Unimplemented mask KADM5_LAST_PWD_CHANGE"); "Unimplemented mask KADM5_LAST_PWD_CHANGE");
} }
if (mask & KADM5_ATTRIBUTES) { if (mask & KADM5_ATTRIBUTES) {
ent.entry.flags = log_ent.entry.flags; ent.flags = log_ent.flags;
} }
if (mask & KADM5_MAX_LIFE) { if (mask & KADM5_MAX_LIFE) {
if (log_ent.entry.max_life == NULL) { if (log_ent.max_life == NULL) {
ent.entry.max_life = NULL; ent.max_life = NULL;
} else { } else {
if (ent.entry.max_life == NULL) { if (ent.max_life == NULL) {
ent.entry.max_life = malloc (sizeof(*ent.entry.max_life)); ent.max_life = malloc (sizeof(*ent.max_life));
if (ent.entry.max_life == NULL) { if (ent.max_life == NULL) {
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
goto out; goto out;
} }
} }
*ent.entry.max_life = *log_ent.entry.max_life; *ent.max_life = *log_ent.max_life;
} }
} }
if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) { if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) {
if (ent.entry.modified_by == NULL) { if (ent.modified_by == NULL) {
ent.entry.modified_by = malloc(sizeof(*ent.entry.modified_by)); ent.modified_by = malloc(sizeof(*ent.modified_by));
if (ent.entry.modified_by == NULL) { if (ent.modified_by == NULL) {
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
goto out; goto out;
} }
} else } else
free_Event(ent.entry.modified_by); free_Event(ent.modified_by);
ret = copy_Event(log_ent.entry.modified_by, ent.entry.modified_by); ret = copy_Event(log_ent.modified_by, ent.modified_by);
if (ret) { if (ret) {
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
goto out; goto out;
} }
} }
if (mask & KADM5_KVNO) { if (mask & KADM5_KVNO) {
ent.entry.kvno = log_ent.entry.kvno; ent.kvno = log_ent.kvno;
} }
if (mask & KADM5_MKVNO) { if (mask & KADM5_MKVNO) {
krb5_warnx(context->context, "Unimplemented mask KADM5_KVNO"); krb5_warnx(context->context, "Unimplemented mask KADM5_KVNO");
@@ -1537,17 +1537,17 @@ kadm5_log_replay_modify(kadm5_server_context *context,
krb5_warnx(context->context, "Unimplemented mask KADM5_POLICY_CLR"); krb5_warnx(context->context, "Unimplemented mask KADM5_POLICY_CLR");
} }
if (mask & KADM5_MAX_RLIFE) { if (mask & KADM5_MAX_RLIFE) {
if (log_ent.entry.max_renew == NULL) { if (log_ent.max_renew == NULL) {
ent.entry.max_renew = NULL; ent.max_renew = NULL;
} else { } else {
if (ent.entry.max_renew == NULL) { if (ent.max_renew == NULL) {
ent.entry.max_renew = malloc (sizeof(*ent.entry.max_renew)); ent.max_renew = malloc (sizeof(*ent.max_renew));
if (ent.entry.max_renew == NULL) { if (ent.max_renew == NULL) {
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
goto out; goto out;
} }
} }
*ent.entry.max_renew = *log_ent.entry.max_renew; *ent.max_renew = *log_ent.max_renew;
} }
} }
if (mask & KADM5_LAST_SUCCESS) { if (mask & KADM5_LAST_SUCCESS) {
@@ -1573,62 +1573,62 @@ kadm5_log_replay_modify(kadm5_server_context *context,
*/ */
mask |= KADM5_TL_DATA; mask |= KADM5_TL_DATA;
for (i = 0; i < ent.entry.keys.len; ++i) for (i = 0; i < ent.keys.len; ++i)
free_Key(&ent.entry.keys.val[i]); free_Key(&ent.keys.val[i]);
free (ent.entry.keys.val); free (ent.keys.val);
num = log_ent.entry.keys.len; num = log_ent.keys.len;
ent.entry.keys.len = num; ent.keys.len = num;
ent.entry.keys.val = malloc(len * sizeof(*ent.entry.keys.val)); ent.keys.val = malloc(len * sizeof(*ent.keys.val));
if (ent.entry.keys.val == NULL) { if (ent.keys.val == NULL) {
krb5_enomem(context->context); krb5_enomem(context->context);
goto out; goto out;
} }
for (i = 0; i < ent.entry.keys.len; ++i) { for (i = 0; i < ent.keys.len; ++i) {
ret = copy_Key(&log_ent.entry.keys.val[i], ret = copy_Key(&log_ent.keys.val[i],
&ent.entry.keys.val[i]); &ent.keys.val[i]);
if (ret) { if (ret) {
krb5_set_error_message(context->context, ret, "out of memory"); krb5_set_error_message(context->context, ret, "out of memory");
goto out; goto out;
} }
} }
} }
if ((mask & KADM5_TL_DATA) && log_ent.entry.etypes) { if ((mask & KADM5_TL_DATA) && log_ent.etypes) {
if (ent.entry.etypes) if (ent.etypes)
free_HDB_EncTypeList(ent.entry.etypes); free_HDB_EncTypeList(ent.etypes);
free(ent.entry.etypes); free(ent.etypes);
ent.entry.etypes = calloc(1, sizeof(*ent.entry.etypes)); ent.etypes = calloc(1, sizeof(*ent.etypes));
if (ent.entry.etypes == NULL) if (ent.etypes == NULL)
ret = ENOMEM; ret = ENOMEM;
if (ret == 0) if (ret == 0)
ret = copy_HDB_EncTypeList(log_ent.entry.etypes, ent.entry.etypes); ret = copy_HDB_EncTypeList(log_ent.etypes, ent.etypes);
if (ret) { if (ret) {
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
free(ent.entry.etypes); free(ent.etypes);
ent.entry.etypes = NULL; ent.etypes = NULL;
goto out; goto out;
} }
} }
if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) { if ((mask & KADM5_TL_DATA) && log_ent.extensions) {
if (ent.entry.extensions) { if (ent.extensions) {
free_HDB_extensions(ent.entry.extensions); free_HDB_extensions(ent.extensions);
free(ent.entry.extensions); free(ent.extensions);
ent.entry.extensions = NULL; ent.extensions = NULL;
} }
ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions)); ent.extensions = calloc(1, sizeof(*ent.extensions));
if (ent.entry.extensions == NULL) if (ent.extensions == NULL)
ret = ENOMEM; ret = ENOMEM;
if (ret == 0) if (ret == 0)
ret = copy_HDB_extensions(log_ent.entry.extensions, ret = copy_HDB_extensions(log_ent.extensions,
ent.entry.extensions); ent.extensions);
if (ret) { if (ret) {
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
free(ent.entry.extensions); free(ent.extensions);
ent.entry.extensions = NULL; ent.extensions = NULL;
goto out; goto out;
} }
} }
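Review bot: `ent = *entry;` in kadm5_log_create (and the same line in kadm5_log_rename and kadm5_log_modify) now copies the caller's entry wholesale, including the new context member, whereas the old `ent.entry = *entry` left the wrapper's own context pointer NULL from the preceding memset. If any path in these functions hands the local `ent` to hdb_free_entry — the function bodies continue outside the hunks, so I cannot see one — the caller's context would be released through a copy the caller still holds; either clear it after the copy, `ent.context = NULL;`, or state in a comment that `ent` is a borrowed shallow copy that must never be freed. Separately, in kadm5_log_replay_modify the key-array allocation sizes itself with `len` (declared outside the hunk, apparently the log record length) rather than the just-computed key count, `ent.keys.val = malloc(num * sizeof(*ent.keys.val));`, and its failure branch discards the error code, so `goto out` can return 0 with `keys.val` NULL; it should read `ret = krb5_enomem(context->context);` like the surrounding branches. Both of these pre-date this commit but sit on the new side of the hunk.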


@@ -97,7 +97,7 @@ modify_principal(void *server_handle,
uint32_t forbidden_mask) uint32_t forbidden_mask)
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
hdb_entry_ex ent; hdb_entry ent;
kadm5_ret_t ret; kadm5_ret_t ret;
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
@@ -139,7 +139,7 @@ modify_principal(void *server_handle,
ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0); ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
if (ret) if (ret)
goto out3; goto out3;
ret = _kadm5_set_modifier(context, &ent.entry); ret = _kadm5_set_modifier(context, &ent);
if (ret) if (ret)
goto out3; goto out3;
@@ -157,7 +157,7 @@ modify_principal(void *server_handle,
goto out3; goto out3;
} }
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out3; goto out3;
@@ -174,14 +174,14 @@ modify_principal(void *server_handle,
goto out3; goto out3;
} }
/* This calls free_HDB_extension(), freeing ext.data.u.policy */ /* This calls free_HDB_extension(), freeing ext.data.u.policy */
ret = hdb_replace_extension(context->context, &ent.entry, &ext); ret = hdb_replace_extension(context->context, &ent, &ext);
free(ext.data.u.policy); free(ext.data.u.policy);
if (ret) if (ret)
goto out3; goto out3;
} }
/* This logs the change for iprop and writes to the HDB */ /* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry, ret = kadm5_log_modify(context, &ent,
mask | KADM5_MOD_NAME | KADM5_MOD_TIME); mask | KADM5_MOD_NAME | KADM5_MOD_TIME);
(void) modify_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, (void) modify_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,


@@ -95,7 +95,7 @@ kadm5_s_prune_principal(void *server_handle,
int kvno) int kvno)
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
hdb_entry_ex ent; hdb_entry ent;
kadm5_ret_t ret; kadm5_ret_t ret;
memset(&ent, 0, sizeof(ent)); memset(&ent, 0, sizeof(ent));
@@ -121,15 +121,15 @@ kadm5_s_prune_principal(void *server_handle,
if (ret) if (ret)
goto out3; goto out3;
ret = hdb_prune_keys_kvno(context->context, &ent.entry, kvno); ret = hdb_prune_keys_kvno(context->context, &ent, kvno);
if (ret) if (ret)
goto out3; goto out3;
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out3; goto out3;
ret = kadm5_log_modify(context, &ent.entry, KADM5_KEY_DATA); ret = kadm5_log_modify(context, &ent, KADM5_KEY_DATA);
(void) prune_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, (void) prune_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
ret, princ, kvno); ret, princ, kvno);


@@ -102,7 +102,7 @@ kadm5_s_randkey_principal(void *server_handle,
int *n_keys) int *n_keys)
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
hdb_entry_ex ent; hdb_entry ent;
kadm5_ret_t ret; kadm5_ret_t ret;
size_t i; size_t i;
@@ -129,36 +129,36 @@ kadm5_s_randkey_principal(void *server_handle,
goto out3; goto out3;
if (keepold) { if (keepold) {
ret = hdb_add_current_keys_to_history(context->context, &ent.entry); ret = hdb_add_current_keys_to_history(context->context, &ent);
if (ret == 0 && keepold == 1) if (ret == 0 && keepold == 1)
ret = hdb_prune_keys_kvno(context->context, &ent.entry, 0); ret = hdb_prune_keys_kvno(context->context, &ent, 0);
if (ret) if (ret)
goto out3; goto out3;
} else { } else {
/* Remove all key history */ /* Remove all key history */
ret = hdb_clear_extension(context->context, &ent.entry, ret = hdb_clear_extension(context->context, &ent,
choice_HDB_extension_data_hist_keys); choice_HDB_extension_data_hist_keys);
if (ret) if (ret)
goto out3; goto out3;
} }
ret = _kadm5_set_keys_randomly(context, &ent.entry, n_ks_tuple, ks_tuple, ret = _kadm5_set_keys_randomly(context, &ent, n_ks_tuple, ks_tuple,
new_keys, n_keys); new_keys, n_keys);
if (ret) if (ret)
goto out3; goto out3;
ent.entry.kvno++; ent.kvno++;
ent.entry.flags.require_pwchange = 0; ent.flags.require_pwchange = 0;
ret = _kadm5_set_modifier(context, &ent.entry); ret = _kadm5_set_modifier(context, &ent);
if(ret) if(ret)
goto out4; goto out4;
ret = _kadm5_bump_pw_expire(context, &ent.entry); ret = _kadm5_bump_pw_expire(context, &ent);
if (ret) if (ret)
goto out4; goto out4;
if (keepold) { if (keepold) {
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out4; goto out4;
} else { } else {
@@ -169,11 +169,11 @@ kadm5_s_randkey_principal(void *server_handle,
ext.data.element = choice_HDB_extension_data_hist_keys; ext.data.element = choice_HDB_extension_data_hist_keys;
ext.data.u.hist_keys.len = 0; ext.data.u.hist_keys.len = 0;
ext.data.u.hist_keys.val = NULL; ext.data.u.hist_keys.val = NULL;
hdb_replace_extension(context->context, &ent.entry, &ext); hdb_replace_extension(context->context, &ent, &ext);
} }
/* This logs the change for iprop and writes to the HDB */ /* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry, ret = kadm5_log_modify(context, &ent,
KADM5_ATTRIBUTES | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_PRINCIPAL |
KADM5_MOD_NAME | KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_MOD_TIME |
KADM5_KEY_DATA | KADM5_KVNO | KADM5_KEY_DATA | KADM5_KVNO |


@@ -97,7 +97,7 @@ kadm5_s_rename_principal(void *server_handle,
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
kadm5_ret_t ret; kadm5_ret_t ret;
hdb_entry_ex ent; hdb_entry ent;
krb5_principal oldname; krb5_principal oldname;
size_t i; size_t i;
@@ -121,14 +121,14 @@ kadm5_s_rename_principal(void *server_handle,
0, &ent); 0, &ent);
if (ret) if (ret)
goto out2; goto out2;
oldname = ent.entry.principal; oldname = ent.principal;
ret = rename_principal_hook(context, KADM5_HOOK_STAGE_PRECOMMIT, ret = rename_principal_hook(context, KADM5_HOOK_STAGE_PRECOMMIT,
0, source, target); 0, source, target);
if (ret) if (ret)
goto out3; goto out3;
ret = _kadm5_set_modifier(context, &ent.entry); ret = _kadm5_set_modifier(context, &ent);
if (ret) if (ret)
goto out3; goto out3;
{ {
@@ -139,14 +139,14 @@ kadm5_s_rename_principal(void *server_handle,
krb5_get_pw_salt(context->context, source, &salt2); krb5_get_pw_salt(context->context, source, &salt2);
salt.type = hdb_pw_salt; salt.type = hdb_pw_salt;
salt.salt = salt2.saltvalue; salt.salt = salt2.saltvalue;
for(i = 0; i < ent.entry.keys.len; i++){ for(i = 0; i < ent.keys.len; i++){
if(ent.entry.keys.val[i].salt == NULL){ if(ent.keys.val[i].salt == NULL){
ent.entry.keys.val[i].salt = ent.keys.val[i].salt =
malloc(sizeof(*ent.entry.keys.val[i].salt)); malloc(sizeof(*ent.keys.val[i].salt));
if (ent.entry.keys.val[i].salt == NULL) if (ent.keys.val[i].salt == NULL)
ret = krb5_enomem(context->context); ret = krb5_enomem(context->context);
else else
ret = copy_Salt(&salt, ent.entry.keys.val[i].salt); ret = copy_Salt(&salt, ent.keys.val[i].salt);
if (ret) if (ret)
break; break;
} }
@@ -157,19 +157,19 @@ kadm5_s_rename_principal(void *server_handle,
goto out3; goto out3;
/* Borrow target */ /* Borrow target */
ent.entry.principal = target; ent.principal = target;
ret = hdb_seal_keys(context->context, context->db, &ent.entry); ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret) if (ret)
goto out3; goto out3;
/* This logs the change for iprop and writes to the HDB */ /* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_rename(context, source, &ent.entry); ret = kadm5_log_rename(context, source, &ent);
(void) rename_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT, (void) rename_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
ret, source, target); ret, source, target);
out3: out3:
ent.entry.principal = oldname; /* Unborrow target */ ent.principal = oldname; /* Unborrow target */
hdb_free_entry(context->context, context->db, &ent); hdb_free_entry(context->context, context->db, &ent);
out2: out2:


@@ -115,7 +115,7 @@ kadm5_s_setkey_principal_3(void *server_handle,
krb5_keyblock *keyblocks, int n_keys) krb5_keyblock *keyblocks, int n_keys)
{ {
kadm5_server_context *context = server_handle; kadm5_server_context *context = server_handle;
hdb_entry_ex ent; hdb_entry ent;
kadm5_ret_t ret = 0; kadm5_ret_t ret = 0;
size_t i; size_t i;
@@ -154,9 +154,9 @@ kadm5_s_setkey_principal_3(void *server_handle,
} }
if (keepold) { if (keepold) {
ret = hdb_add_current_keys_to_history(context->context, &ent.entry); ret = hdb_add_current_keys_to_history(context->context, &ent);
} else } else
ret = hdb_clear_extension(context->context, &ent.entry, ret = hdb_clear_extension(context->context, &ent,
choice_HDB_extension_data_hist_keys); choice_HDB_extension_data_hist_keys);
/* /*
@@ -167,7 +167,7 @@ kadm5_s_setkey_principal_3(void *server_handle,
* each ks_tuple's enctype matches the corresponding key enctype. * each ks_tuple's enctype matches the corresponding key enctype.
*/ */
if (ret == 0) { if (ret == 0) {
free_Keys(&ent.entry.keys); free_Keys(&ent.keys);
for (i = 0; i < n_keys; ++i) { for (i = 0; i < n_keys; ++i) {
Key k; Key k;
Salt s; Salt s;
@@ -186,22 +186,22 @@ kadm5_s_setkey_principal_3(void *server_handle,
s.opaque = 0; s.opaque = 0;
k.salt = &s; k.salt = &s;
} }
if ((ret = add_Keys(&ent.entry.keys, &k)) != 0) if ((ret = add_Keys(&ent.keys, &k)) != 0)
break; break;
} }
} }
if (ret == 0) { if (ret == 0) {
ent.entry.kvno++; ent.kvno++;
ent.entry.flags.require_pwchange = 0; ent.flags.require_pwchange = 0;
hdb_entry_set_pw_change_time(context->context, &ent.entry, 0); hdb_entry_set_pw_change_time(context->context, &ent, 0);
hdb_entry_clear_password(context->context, &ent.entry); hdb_entry_clear_password(context->context, &ent);
if ((ret = hdb_seal_keys(context->context, context->db, if ((ret = hdb_seal_keys(context->context, context->db,
&ent.entry)) == 0 &ent)) == 0
&& (ret = _kadm5_set_modifier(context, &ent.entry)) == 0 && (ret = _kadm5_set_modifier(context, &ent)) == 0
&& (ret = _kadm5_bump_pw_expire(context, &ent.entry)) == 0) && (ret = _kadm5_bump_pw_expire(context, &ent)) == 0)
ret = kadm5_log_modify(context, &ent.entry, ret = kadm5_log_modify(context, &ent,
KADM5_ATTRIBUTES | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_PRINCIPAL |
KADM5_MOD_NAME | KADM5_MOD_TIME | KADM5_MOD_NAME | KADM5_MOD_TIME |
KADM5_KEY_DATA | KADM5_KVNO | KADM5_KEY_DATA | KADM5_KVNO |


@@ -19,9 +19,11 @@ fini(void *ctx)
} }
static krb5_error_code KRB5_CALLCONV static krb5_error_code KRB5_CALLCONV
pac_generate(void *ctx, krb5_context context, pac_generate(void *ctx,
struct hdb_entry_ex *client, krb5_context context,
struct hdb_entry_ex *server, krb5_kdc_configuration *config,
hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *pk_replykey, const krb5_keyblock *pk_replykey,
uint64_t pac_attributes, uint64_t pac_attributes,
krb5_pac *pac) krb5_pac *pac)
@@ -52,12 +54,14 @@ pac_generate(void *ctx, krb5_context context,
} }
static krb5_error_code KRB5_CALLCONV static krb5_error_code KRB5_CALLCONV
pac_verify(void *ctx, krb5_context context, pac_verify(void *ctx,
krb5_context context,
krb5_kdc_configuration *config,
const krb5_principal new_ticket_client, const krb5_principal new_ticket_client,
const krb5_principal delegation_proxy, const krb5_principal delegation_proxy,
struct hdb_entry_ex * client, hdb_entry * client,
struct hdb_entry_ex * server, hdb_entry * server,
struct hdb_entry_ex * krbtgt, hdb_entry * krbtgt,
krb5_pac *pac) krb5_pac *pac)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -78,7 +82,7 @@ pac_verify(void *ctx, krb5_context context,
if (ret) if (ret)
return ret; return ret;
if (rodc_id == 0 || rodc_id != krbtgt->entry.kvno >> 16) { if (rodc_id == 0 || rodc_id != krbtgt->kvno >> 16) {
krb5_warnx(context, "Wrong RODCIdentifier"); krb5_warnx(context, "Wrong RODCIdentifier");
return EINVAL; return EINVAL;
} }
@@ -87,7 +91,7 @@ pac_verify(void *ctx, krb5_context context,
if (ret) if (ret)
return ret; return ret;
ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key); ret = hdb_enctype2key(context, krbtgt, NULL, etype, &key);
if (ret) if (ret)
return ret; return ret;
@@ -152,7 +156,7 @@ audit(void *ctx, astgs_request_t r)
} }
static krb5plugin_kdc_ftable kdc_plugin = { static krb5plugin_kdc_ftable kdc_plugin = {
KRB5_PLUGIN_KDC_VERSION_9, KRB5_PLUGIN_KDC_VERSION_10,
init, init,
fini, fini,
pac_generate, pac_generate,