oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hdb: eliminate hdb_entry_ex

Browse Source 
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
This commit is contained in:
Luke Howard
2022-01-07 12:54:40 +11:00
parent c5551775e2
commit 0e8c4ccc6e
50 changed files with 1035 additions and 1032 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
kadmin/load.c
View File

@@ -418,7 +418,7 @@ doit(const char *filename, int mergep)
int lineno;
int flags = O_RDWR;
struct entry e;
hdb_entry_ex ent;
hdb_entry ent;
HDB *db = _kadm5_s_get_db(kadm_handle);
f = fopen(filename, "r");
@@ -506,7 +506,7 @@ doit(const char *filename, int mergep)
skip_next(p);
memset(&ent, 0, sizeof(ent));
ret2 = krb5_parse_name(context, e.principal, &ent.entry.principal);
ret2 = krb5_parse_name(context, e.principal, &ent.principal);
if (ret2) {
const char *msg = krb5_get_error_message(context, ret);
fprintf(stderr, "%s:%d:%s (%s)\n",
@@ -516,7 +516,7 @@ doit(const char *filename, int mergep)
continue;
}
if (parse_keys(&ent.entry, e.key)) {
if (parse_keys(&ent, e.key)) {
fprintf (stderr, "%s:%d:error parsing keys (%s)\n",
filename, lineno, e.key);
hdb_free_entry (context, db, &ent);
@@ -524,35 +524,35 @@ doit(const char *filename, int mergep)
continue;
}
if (parse_event(&ent.entry.created_by, e.created) == -1) {
if (parse_event(&ent.created_by, e.created) == -1) {
fprintf (stderr, "%s:%d:error parsing created event (%s)\n",
filename, lineno, e.created);
hdb_free_entry (context, db, &ent);
ret = 1;
continue;
}
if (parse_event_alloc (&ent.entry.modified_by, e.modified) == -1) {
if (parse_event_alloc (&ent.modified_by, e.modified) == -1) {
fprintf (stderr, "%s:%d:error parsing event (%s)\n",
filename, lineno, e.modified);
hdb_free_entry (context, db, &ent);
ret = 1;
continue;
}
if (parse_time_string_alloc (&ent.entry.valid_start, e.valid_start) == -1) {
if (parse_time_string_alloc (&ent.valid_start, e.valid_start) == -1) {
fprintf (stderr, "%s:%d:error parsing time (%s)\n",
filename, lineno, e.valid_start);
hdb_free_entry (context, db, &ent);
ret = 1;
continue;
}
if (parse_time_string_alloc (&ent.entry.valid_end, e.valid_end) == -1) {
if (parse_time_string_alloc (&ent.valid_end, e.valid_end) == -1) {
fprintf (stderr, "%s:%d:error parsing time (%s)\n",
filename, lineno, e.valid_end);
hdb_free_entry (context, db, &ent);
ret = 1;
continue;
}
if (parse_time_string_alloc (&ent.entry.pw_end, e.pw_end) == -1) {
if (parse_time_string_alloc (&ent.pw_end, e.pw_end) == -1) {
fprintf (stderr, "%s:%d:error parsing time (%s)\n",
filename, lineno, e.pw_end);
hdb_free_entry (context, db, &ent);
@@ -560,7 +560,7 @@ doit(const char *filename, int mergep)
continue;
}
if (parse_integer_alloc (&ent.entry.max_life, e.max_life) == -1) {
if (parse_integer_alloc (&ent.max_life, e.max_life) == -1) {
fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
filename, lineno, e.max_life);
hdb_free_entry (context, db, &ent);
@@ -568,7 +568,7 @@ doit(const char *filename, int mergep)
continue;
}
if (parse_integer_alloc (&ent.entry.max_renew, e.max_renew) == -1) {
if (parse_integer_alloc (&ent.max_renew, e.max_renew) == -1) {
fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n",
filename, lineno, e.max_renew);
hdb_free_entry (context, db, &ent);
@@ -576,7 +576,7 @@ doit(const char *filename, int mergep)
continue;
}
if (parse_hdbflags2int (&ent.entry.flags, e.flags) != 1) {
if (parse_hdbflags2int (&ent.flags, e.flags) != 1) {
fprintf (stderr, "%s:%d:error parsing flags (%s)\n",
filename, lineno, e.flags);
hdb_free_entry (context, db, &ent);
@@ -584,7 +584,7 @@ doit(const char *filename, int mergep)
continue;
}
if(parse_generation(e.generation, &ent.entry.generation) == -1) {
if(parse_generation(e.generation, &ent.generation) == -1) {
fprintf (stderr, "%s:%d:error parsing generation (%s)\n",
filename, lineno, e.generation);
hdb_free_entry (context, db, &ent);
@@ -592,7 +592,7 @@ doit(const char *filename, int mergep)
continue;
}
if (parse_extensions(&e.extensions, &ent.entry.extensions) == -1) {
if (parse_extensions(&e.extensions, &ent.extensions) == -1) {
fprintf (stderr, "%s:%d:error parsing extension (%s)\n",
filename, lineno, e.extensions);
hdb_free_entry (context, db, &ent);

4
kdc/altsecid_gss_preauth_authorizer.c
View File

@@ -397,7 +397,7 @@ authorize(void *ctx,
struct altsecid_gss_preauth_authorizer_context *c = ctx;
struct ad_server_tuple *server = NULL;
krb5_error_code ret;
krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal);
krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->principal);
krb5_boolean reconnect_p = FALSE;
krb5_boolean is_tgs;
heim_data_t requestor_sid = NULL;
@@ -405,7 +405,7 @@ authorize(void *ctx,
*authorized = FALSE;
*mapped_name = NULL;
if (!krb5_principal_is_federated(r->context, r->client->entry.principal) ||
if (!krb5_principal_is_federated(r->context, r->client->principal) ||
(ret_flags & GSS_C_ANON_FLAG))
return KRB5_PLUGIN_NO_HANDLE;

4
kdc/digest-service.c
View File

@@ -60,7 +60,7 @@ ntlm_service(void *ctx, const heim_idata *req,
unsigned char sessionkey[16];
heim_idata rep = { 0, NULL };
krb5_context context = ctx;
hdb_entry_ex *user = NULL;
hdb_entry *user = NULL;
HDB *db = NULL;
Key *key = NULL;
NTLMReply ntp;
@@ -119,7 +119,7 @@ ntlm_service(void *ctx, const heim_idata *req,
if (ret)
goto failed;
ret = hdb_enctype2key(context, &user->entry, NULL,
ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_message(context, ret, "NTLM missing arcfour key");

24
kdc/digest.c
View File

@@ -57,7 +57,7 @@ const struct units _kdc_digestunits[] = {
static krb5_error_code
get_digest_key(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *server,
hdb_entry *server,
krb5_crypto *crypto)
{
krb5_error_code ret;
@@ -81,12 +81,12 @@ get_digest_key(krb5_context context,
static char *
get_ntlm_targetname(krb5_context context,
hdb_entry_ex *client)
hdb_entry *client)
{
char *targetname, *p;
targetname = strdup(krb5_principal_get_realm(context,
client->entry.principal));
client->principal));
if (targetname == NULL)
return NULL;
@@ -101,7 +101,7 @@ get_ntlm_targetname(krb5_context context,
static krb5_error_code
fill_targetinfo(krb5_context context,
char *targetname,
hdb_entry_ex *client,
hdb_entry *client,
krb5_data *data)
{
struct ntlm_targetinfo ti;
@@ -113,7 +113,7 @@ fill_targetinfo(krb5_context context,
memset(&ti, 0, sizeof(ti));
ti.domainname = targetname;
p = client->entry.principal;
p = client->principal;
str = krb5_principal_get_comp_string(context, p, 0);
if (str != NULL &&
(strcmp("host", str) == 0 ||
@@ -168,7 +168,7 @@ get_password_entry(krb5_context context,
{
krb5_principal clientprincipal;
krb5_error_code ret;
hdb_entry_ex *user;
hdb_entry *user;
HDB *db;
/* get username */
@@ -182,7 +182,7 @@ get_password_entry(krb5_context context,
if (ret)
return ret;
ret = hdb_entry_get_password(context, db, &user->entry, password);
ret = hdb_entry_get_password(context, db, user, password);
if (ret || password == NULL) {
if (ret == 0) {
ret = EINVAL;
@@ -218,9 +218,9 @@ _kdc_do_digest(krb5_context context,
krb5_storage *sp = NULL;
Checksum res;
HDB *serverdb, *userdb;
hdb_entry_ex *server = NULL, *user = NULL;
hdb_entry *server = NULL, *user = NULL;
HDB *clientdb;
hdb_entry_ex *client = NULL;
hdb_entry *client = NULL;
char *client_name = NULL, *password = NULL;
krb5_data serverNonce;
@@ -321,7 +321,7 @@ _kdc_do_digest(krb5_context context,
if (ret)
goto out;
if (client->entry.flags.allow_digest == 0) {
if (client->flags.allow_digest == 0) {
kdc_log(context, config, 2,
"Client %s tried to use digest "
"but is not allowed to",
@@ -888,7 +888,7 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
ret = hdb_enctype2key(context, &user->entry, NULL,
ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_message(context, ret,
@@ -1216,7 +1216,7 @@ _kdc_do_digest(krb5_context context,
goto out;
}
ret = hdb_enctype2key(context, &user->entry, NULL,
ret = hdb_enctype2key(context, user, NULL,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_message(context, ret, "NTLM missing arcfour key");

8
kdc/fast.c
View File

@@ -109,7 +109,7 @@ get_fastuser_crypto(astgs_request_t r,
{
krb5_principal fast_princ;
HDB *fast_db;
hdb_entry_ex *fast_user = NULL;
hdb_entry *fast_user = NULL;
Key *cookie_key = NULL;
krb5_crypto fast_crypto = NULL;
krb5_error_code ret;
@@ -131,7 +131,7 @@ get_fastuser_crypto(astgs_request_t r,
ret = _kdc_get_preferred_key(r->context, r->config, fast_user,
"fast-cookie", &enctype, &cookie_key);
else
ret = hdb_enctype2key(r->context, &fast_user->entry, NULL,
ret = hdb_enctype2key(r->context, fast_user, NULL,
enctype, &cookie_key);
if (ret)
goto out;
@@ -563,7 +563,7 @@ fast_unwrap_request(astgs_request_t r,
goto out;
}
ret = hdb_enctype2key(r->context, &r->armor_server->entry, NULL,
ret = hdb_enctype2key(r->context, r->armor_server, NULL,
ap_req.ticket.enc_part.etype,
&r->armor_key);
if (ret) {
@@ -836,7 +836,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
krb5_pac mspac = NULL;
krb5_principal armor_client_principal = NULL;
HDB *armor_db;
hdb_entry_ex *armor_client = NULL;
hdb_entry *armor_client = NULL;
char *armor_client_principal_name = NULL;
flags = HDB_F_FOR_TGS_REQ;

12
kdc/gss_preauth.c
View File

@@ -584,7 +584,7 @@ pa_gss_authorize_default(astgs_request_t r,
{
krb5_error_code ret;
krb5_principal principal;
krb5_const_realm realm = r->server->entry.principal->realm;
krb5_const_realm realm = r->server->principal->realm;
int flags = 0, cross_realm_allowed = 0, unauth_anon;
/*
@@ -680,7 +680,7 @@ _kdc_gss_check_client(astgs_request_t r,
{
krb5_error_code ret;
krb5_principal initiator_princ = NULL;
hdb_entry_ex *initiator = NULL;
hdb_entry *initiator = NULL;
krb5_boolean authorized = FALSE;
HDB *clientdb = r->clientdb;
@@ -740,15 +740,15 @@ _kdc_gss_check_client(astgs_request_t r,
* two principals must match, noting that GSS pre-authentication is
* for authentication, not general purpose impersonation.
*/
if (krb5_principal_is_federated(r->context, r->client->entry.principal)) {
initiator->entry.flags.force_canonicalize = 1;
if (krb5_principal_is_federated(r->context, r->client->principal)) {
initiator->flags.force_canonicalize = 1;
_kdc_free_ent(r->context, clientdb, r->client);
r->client = initiator;
initiator = NULL;
} else if (!krb5_principal_compare(r->context,
r->client->entry.principal,
initiator->entry.principal)) {
r->client->principal,
initiator->principal)) {
kdc_log(r->context, r->config, 2,
"GSS %s initiator %.*s does not match principal %s",
gss_oid_to_name(gcp->mech_type),

8
kdc/hprop.c
View File

@@ -87,28 +87,28 @@ open_socket(krb5_context context, const char *hostname, const char *port)
}
krb5_error_code
v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata)
v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
{
krb5_error_code ret;
struct prop_data *pd = appdata;
krb5_data data;
if(encrypt_flag) {
ret = hdb_seal_keys_mkey(context, &entry->entry, mkey5);
ret = hdb_seal_keys_mkey(context, entry, mkey5);
if (ret) {
krb5_warn(context, ret, "hdb_seal_keys_mkey");
return ret;
}
}
if(decrypt_flag) {
ret = hdb_unseal_keys_mkey(context, &entry->entry, mkey5);
ret = hdb_unseal_keys_mkey(context, entry, mkey5);
if (ret) {
krb5_warn(context, ret, "hdb_unseal_keys_mkey");
return ret;
}
}
ret = hdb_entry2value(context, &entry->entry, &data);
ret = hdb_entry2value(context, entry, &data);
if(ret) {
krb5_warn(context, ret, "hdb_entry2value");
return ret;

2
kdc/hprop.h
View File

@@ -53,7 +53,7 @@ struct prop_data{
#define NEVERDATE ((1U << 31) - 1)
#endif
krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry_ex*, void*);
krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*);
int mit_prop_dump(void*, const char*);
#endif /* __HPROP_H__ */

6
kdc/hpropd.c
View File

@@ -226,7 +226,7 @@ main(int argc, char **argv)
nprincs = 0;
while (1){
krb5_data data;
hdb_entry_ex entry;
hdb_entry entry;
if (from_stdin) {
ret = krb5_read_message(context, &sock, &data);
@@ -255,7 +255,7 @@ main(int argc, char **argv)
break;
}
memset(&entry, 0, sizeof(entry));
ret = hdb_value2entry(context, &data, &entry.entry);
ret = hdb_value2entry(context, &data, &entry);
krb5_data_free(&data);
if (ret)
krb5_err(context, 1, ret, "hdb_value2entry");
@@ -269,7 +269,7 @@ main(int argc, char **argv)
ret = db->hdb_store(context, db, 0, &entry);
if (ret == HDB_ERR_EXISTS) {
char *s;
ret = krb5_unparse_name(context, entry.entry.principal, &s);
ret = krb5_unparse_name(context, entry.principal, &s);
if (ret)
s = strdup(unparseable_name);
krb5_warnx(context, "Entry exists: %s", s);

38
kdc/kdc-plugin.c
View File

@@ -49,7 +49,7 @@ static const char *kdc_plugin_deps[] = {
static struct heim_plugin_data kdc_plugin_data = {
"krb5",
"kdc",
KRB5_PLUGIN_KDC_VERSION_9,
KRB5_PLUGIN_KDC_VERSION_10,
kdc_plugin_deps,
kdc_get_instance
};
@@ -70,8 +70,9 @@ krb5_kdc_plugin_init(krb5_context context)
}
struct generate_uc {
hdb_entry_ex *client;
hdb_entry_ex *server;
krb5_kdc_configuration *config;
hdb_entry *client;
hdb_entry *server;
const krb5_keyblock *reply_key;
uint64_t pac_attributes;
krb5_pac *pac;
@@ -86,7 +87,9 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
if (ft->pac_generate == NULL)
return KRB5_PLUGIN_NO_HANDLE;
return ft->pac_generate((void *)plug, context,
return ft->pac_generate((void *)plug,
context,
uc->config,
uc->client,
uc->server,
uc->reply_key,
@@ -97,8 +100,9 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code
_kdc_pac_generate(krb5_context context,
hdb_entry_ex *client,
hdb_entry_ex *server,
krb5_kdc_configuration *config,
hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *reply_key,
uint64_t pac_attributes,
krb5_pac *pac)
@@ -109,11 +113,12 @@ _kdc_pac_generate(krb5_context context,
*pac = NULL;
if (krb5_config_get_bool_default(context, NULL, FALSE, "realms",
client->entry.principal->realm,
client->principal->realm,
"disable_pac", NULL))
return 0;
if (have_plugin) {
uc.config = config;
uc.client = client;
uc.server = server;
uc.reply_key = reply_key;
@@ -134,11 +139,12 @@ _kdc_pac_generate(krb5_context context,
}
struct verify_uc {
krb5_kdc_configuration *config;
krb5_principal client_principal;
krb5_principal delegated_proxy_principal;
hdb_entry_ex *client;
hdb_entry_ex *server;
hdb_entry_ex *krbtgt;
hdb_entry *client;
hdb_entry *server;
hdb_entry *krbtgt;
krb5_pac *pac;
};
@@ -152,7 +158,9 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
if (ft->pac_verify == NULL)
return KRB5_PLUGIN_NO_HANDLE;
ret = ft->pac_verify((void *)plug, context,
ret = ft->pac_verify((void *)plug,
context,
uc->config,
uc->client_principal,
uc->delegated_proxy_principal,
uc->client, uc->server, uc->krbtgt, uc->pac);
@@ -161,11 +169,12 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code
_kdc_pac_verify(krb5_context context,
krb5_kdc_configuration *config,
const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal,
hdb_entry_ex *client,
hdb_entry_ex *server,
hdb_entry_ex *krbtgt,
hdb_entry *client,
hdb_entry *server,
hdb_entry *krbtgt,
krb5_pac *pac)
{
struct verify_uc uc;
@@ -173,6 +182,7 @@ _kdc_pac_verify(krb5_context context,
if (!have_plugin)
return KRB5_PLUGIN_NO_HANDLE;
uc.config = config;
uc.client_principal = client_principal;
uc.delegated_proxy_principal = delegated_proxy_principal;
uc.client = client;

23
kdc/kdc-plugin.h
View File

@@ -38,8 +38,7 @@
#include <krb5.h>
#include <kdc.h>
struct hdb_entry_ex;
#include <hdb.h>
/*
* Allocate a PAC for the given client with krb5_pac_init(),
@@ -47,9 +46,11 @@ struct hdb_entry_ex;
*/
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *, krb5_context,
struct hdb_entry_ex *, /* client */
struct hdb_entry_ex *, /* server */
(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *,
krb5_context, /* context */
krb5_kdc_configuration *, /* configuration */
hdb_entry *, /* client */
hdb_entry *, /* server */
const krb5_keyblock *, /* pk_replykey */
uint64_t, /* pac_attributes */
krb5_pac *);
@@ -61,12 +62,14 @@ typedef krb5_error_code
*/
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *, krb5_context,
(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *,
krb5_context, /* context */
krb5_kdc_configuration *, /* configuration */
const krb5_principal, /* new ticket client */
const krb5_principal, /* delegation proxy */
struct hdb_entry_ex *,/* client */
struct hdb_entry_ex *,/* server */
struct hdb_entry_ex *,/* krbtgt */
hdb_entry *,/* client */
hdb_entry *,/* server */
hdb_entry *,/* krbtgt */
krb5_pac *);
/*
@@ -115,7 +118,7 @@ typedef krb5_error_code
* Plugins should carefully check API contract notes for changes
* between plugin API versions.
*/
#define KRB5_PLUGIN_KDC_VERSION_9 9
#define KRB5_PLUGIN_KDC_VERSION_10 10
typedef struct krb5plugin_kdc_ftable {
int minor_version;

6
kdc/kdc.h
View File

@@ -141,18 +141,18 @@ typedef struct krb5_kdc_configuration {
\
/* client principal (AS) or TGT/S4U principal (TGS) */ \
krb5_principal client_princ; \
hdb_entry_ex *client; \
hdb_entry *client; \
HDB *clientdb; \
krb5_principal canon_client_princ; \
\
/* server principal */ \
krb5_principal server_princ; \
hdb_entry_ex *server; \
hdb_entry *server; \
HDB *serverdb; \
\
/* presented ticket in TGS-REQ (unused by AS) */ \
krb5_principal *krbtgt_princ; \
hdb_entry_ex *krbtgt; \
hdb_entry *krbtgt; \
HDB *krbtgtdb; \
krb5_ticket *ticket; \
\

2
kdc/kdc_locl.h
View File

@@ -87,7 +87,7 @@ struct astgs_request_desc {
unsigned int fast_asserted : 1;
krb5_crypto armor_crypto;
hdb_entry_ex *armor_server;
hdb_entry *armor_server;
HDB *armor_serverdb;
krb5_ticket *armor_ticket;
Key *armor_key;

139
kdc/kerberos5.c
View File

@@ -161,7 +161,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
krb5_boolean use_strongest_session_key;
krb5_boolean is_preauth = flags & KFE_IS_PREAUTH;
krb5_boolean is_tgs = flags & KFE_IS_TGS;
hdb_entry_ex *princ;
hdb_entry *princ;
krb5_principal request_princ;
krb5_error_code ret;
krb5_salt def_salt;
@@ -171,15 +171,15 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
size_t i, k, m;
if (is_preauth && (flags & KFE_USE_CLIENT) &&
r->client->entry.flags.synthetic)
r->client->flags.synthetic)
return KRB5KDC_ERR_ETYPE_NOSUPP;
if ((flags & KFE_USE_CLIENT) && !r->client->entry.flags.synthetic) {
if ((flags & KFE_USE_CLIENT) && !r->client->flags.synthetic) {
princ = r->client;
request_princ = r->client_princ;
} else {
princ = r->server;
request_princ = r->server->entry.principal;
request_princ = r->server->principal;
}
use_strongest_session_key =
@@ -227,7 +227,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
p[i] != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL;
i++) {
if (krb5_enctype_valid(r->context, p[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, p[i]))
!_kdc_is_weak_exception(princ->principal, p[i]))
continue;
/* check that the client supports it too */
@@ -248,15 +248,15 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
/* check target princ support */
key = NULL;
if (!(flags & KFE_USE_CLIENT) && princ->entry.etypes) {
if (!(flags & KFE_USE_CLIENT) && princ->etypes) {
/*
* Use the etypes list from the server's HDB entry instead
* of deriving it from its long-term keys. This allows an
* entry to have just one long-term key but record support
* for multiple enctypes.
*/
for (m = 0; m < princ->entry.etypes->len; m++) {
if (p[i] == princ->entry.etypes->val[m]) {
for (m = 0; m < princ->etypes->len; m++) {
if (p[i] == princ->etypes->val[m]) {
ret = 0;
break;
}
@@ -268,7 +268,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* PA-ETYPE-INFO* or because we're selecting a session key
* enctype.
*/
while (hdb_next_enctype2key(r->context, &princ->entry, NULL,
while (hdb_next_enctype2key(r->context, princ, NULL,
p[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
@@ -296,12 +296,12 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
for(i = 0; ret != 0 && i < len; i++) {
if (krb5_enctype_valid(r->context, etypes[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
!_kdc_is_weak_exception(princ->principal, etypes[i]))
continue;
key = NULL;
while (ret != 0 &&
hdb_next_enctype2key(r->context, &princ->entry, NULL,
hdb_next_enctype2key(r->context, princ, NULL,
etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
@@ -323,7 +323,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* the service key list, provide a DES-CBC-CRC key.
*/
if (ret_key == NULL &&
_kdc_is_weak_exception(princ->entry.principal, ETYPE_DES_CBC_CRC)) {
_kdc_is_weak_exception(princ->principal, ETYPE_DES_CBC_CRC)) {
ret = 0;
enctype = ETYPE_DES_CBC_CRC;
} else {
@@ -504,7 +504,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
}
r->pa_endtime = _kdc_pk_endtime(pkp);
if (!r->client->entry.flags.synthetic)
if (!r->client->flags.synthetic)
r->pa_max_life = _kdc_pk_max_life(pkp);
_kdc_r_log(r, 4, "PKINIT pre-authentication succeeded -- %s using %s",
@@ -621,7 +621,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
return ret;
}
if (r->client->entry.flags.locked_out) {
if (r->client->flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname);
@@ -650,11 +650,11 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
kdc_log(r->context, r->config, 5, "FAST armor enctype is: %d", (int)aenctype);
for (i = 0; i < r->client->entry.keys.len; i++) {
for (i = 0; i < r->client->keys.len; i++) {
krb5_crypto challengecrypto, longtermcrypto;
krb5_keyblock challengekey;
k = &r->client->entry.keys.val[i];
k = &r->client->keys.val[i];
ret = krb5_crypto_init(r->context, &k->key, 0, &longtermcrypto);
if (ret)
@@ -794,7 +794,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
return ret;
}
if (r->client->entry.flags.locked_out) {
if (r->client->flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0,
"Client (%s) is locked out", r->cname);
@@ -814,7 +814,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
goto out;
}
ret = hdb_enctype2key(r->context, &r->client->entry, NULL,
ret = hdb_enctype2key(r->context, r->client, NULL,
enc_data.etype, &pa_key);
if(ret){
char *estr;
@@ -873,7 +873,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
pa_key->key.keytype);
_kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
if(hdb_next_enctype2key(r->context, &r->client->entry, NULL,
if(hdb_next_enctype2key(r->context, r->client, NULL,
enc_data.etype, &pa_key) == 0)
goto try_next_key;
@@ -1612,12 +1612,10 @@ _log_astgs_req(astgs_request_t r, krb5_enctype setype)
KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
kdc_check_flags(astgs_request_t r,
krb5_boolean is_as_req,
hdb_entry_ex *client_ex,
hdb_entry_ex *server_ex)
hdb_entry *client,
hdb_entry *server)
{
if (client_ex != NULL) {
hdb_entry *client = &client_ex->entry;
if (client != NULL) {
/* check client */
if (client->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
@@ -1655,11 +1653,11 @@ kdc_check_flags(astgs_request_t r,
}
if (client->flags.require_pwchange &&
(server_ex == NULL || !server_ex->entry.flags.change_pw))
(server == NULL || !server->flags.change_pw))
return KRB5KDC_ERR_KEY_EXPIRED;
if (client->pw_end && *client->pw_end < kdc_time
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
&& (server == NULL || !server->flags.change_pw)) {
char pwend_str[100];
krb5_format_time(r->context, *client->pw_end,
pwend_str, sizeof(pwend_str), TRUE);
@@ -1671,9 +1669,7 @@ kdc_check_flags(astgs_request_t r,
/* check server */
if (server_ex != NULL) {
hdb_entry *server = &server_ex->entry;
if (server != NULL) {
if (server->flags.locked_out) {
_kdc_audit_addreason((kdc_request_t)r, "Server locked out");
return KRB5KDC_ERR_SERVICE_REVOKED;
@@ -1851,6 +1847,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
*/
ret = _kdc_pac_generate(r->context,
r->config,
r->client,
r->server,
r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
@@ -1865,7 +1862,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
if (r->pac == NULL)
return 0;
rodc_id = r->server->entry.kvno >> 16;
rodc_id = r->server->kvno >> 16;
/* libkrb5 expects ticket and PAC client names to match */
ret = _krb5_principalname2krb5_principal(r->context, &client,
@@ -1950,8 +1947,8 @@ static int
require_preauth_p(astgs_request_t r)
{
return r->config->require_preauth
|| r->client->entry.flags.require_preauth
|| r->server->entry.flags.require_preauth;
|| r->client->flags.require_preauth
|| r->server->flags.require_preauth;
}
@@ -2023,7 +2020,7 @@ get_local_tgs(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_realm realm,
HDB **krbtgtdb,
hdb_entry_ex **krbtgt)
hdb_entry **krbtgt)
{
krb5_error_code ret;
krb5_principal tgs_name;
@@ -2151,7 +2148,7 @@ _kdc_as_rep(astgs_request_t r)
case HDB_ERR_WRONG_REALM: {
char *fixed_client_name = NULL;
ret = krb5_unparse_name(r->context, r->client->entry.principal,
ret = krb5_unparse_name(r->context, r->client->principal,
&fixed_client_name);
if (ret) {
goto out;
@@ -2165,7 +2162,7 @@ _kdc_as_rep(astgs_request_t r)
ret = _kdc_fast_mk_error(r, r->rep.padata, r->armor_crypto,
&req->req_body,
r->ret = KRB5_KDC_ERR_WRONG_REALM,
r->client->entry.principal, r->server_princ,
r->client->principal, r->server_princ,
NULL, NULL, r->reply);
goto out;
}
@@ -2237,7 +2234,7 @@ _kdc_as_rep(astgs_request_t r)
i = 0;
pa = _kdc_find_padata(req, &i, pat[n].type);
if (pa) {
if (r->client->entry.flags.synthetic &&
if (r->client->flags.synthetic &&
!(pat[n].flags & PA_SYNTHETIC_OK)) {
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -2288,7 +2285,7 @@ _kdc_as_rep(astgs_request_t r)
size_t n;
krb5_boolean default_salt;
if (r->client->entry.flags.synthetic) {
if (r->client->flags.synthetic) {
kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
@@ -2347,7 +2344,7 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
r->canon_client_princ = r->client->entry.principal;
r->canon_client_princ = r->client->principal;
/*
* Verify flags after the user been required to prove its identity
@@ -2414,7 +2411,7 @@ _kdc_as_rep(astgs_request_t r)
_kdc_is_anonymous(r->context, r->client_princ)) {
Realm anon_realm = KRB5_ANON_REALM;
ret = copy_Realm(&anon_realm, &rep->crealm);
} else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
} else if (f.canonicalize || r->client->flags.force_canonicalize)
ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm);
else
ret = copy_Realm(&r->client_princ->realm, &rep->crealm);
@@ -2422,7 +2419,7 @@ _kdc_as_rep(astgs_request_t r)
goto out;
if (r->et.flags.anonymous)
ret = _kdc_make_anonymous_principalname(&rep->cname);
else if (f.canonicalize || r->client->entry.flags.force_canonicalize)
else if (f.canonicalize || r->client->flags.force_canonicalize)
ret = _krb5_principal2principalname(&rep->cname, r->canon_client_princ);
else
ret = _krb5_principal2principalname(&rep->cname, r->client_princ);
@@ -2430,15 +2427,15 @@ _kdc_as_rep(astgs_request_t r)
goto out;
rep->ticket.tkt_vno = 5;
if (f.canonicalize || r->server->entry.flags.force_canonicalize)
ret = copy_Realm(&r->server->entry.principal->realm, &rep->ticket.realm);
if (f.canonicalize || r->server->flags.force_canonicalize)
ret = copy_Realm(&r->server->principal->realm, &rep->ticket.realm);
else
ret = copy_Realm(&r->server_princ->realm, &rep->ticket.realm);
if (ret)
goto out;
if (f.canonicalize || r->server->entry.flags.force_canonicalize)
if (f.canonicalize || r->server->flags.force_canonicalize)
_krb5_principal2principalname(&rep->ticket.sname,
r->server->entry.principal);
r->server->principal);
else
_krb5_principal2principalname(&rep->ticket.sname,
r->server_princ);
@@ -2450,16 +2447,16 @@ _kdc_as_rep(astgs_request_t r)
#undef CNT
r->et.flags.initial = 1;
if(r->client->entry.flags.forwardable && r->server->entry.flags.forwardable)
if(r->client->flags.forwardable && r->server->flags.forwardable)
r->et.flags.forwardable = f.forwardable;
if(r->client->entry.flags.proxiable && r->server->entry.flags.proxiable)
if(r->client->flags.proxiable && r->server->flags.proxiable)
r->et.flags.proxiable = f.proxiable;
else if (f.proxiable) {
_kdc_set_e_text(r, "Ticket may not be proxiable");
ret = KRB5KDC_ERR_POLICY;
goto out;
}
if(r->client->entry.flags.postdate && r->server->entry.flags.postdate)
if(r->client->flags.postdate && r->server->flags.postdate)
r->et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
_kdc_set_e_text(r, "Ticket may not be postdate");
@@ -2506,18 +2503,18 @@ _kdc_as_rep(astgs_request_t r)
/* be careful not overflowing */
/*
* Pre-auth can override r->client->entry.max_life if configured.
* Pre-auth can override r->client->max_life if configured.
*
* See pre-auth methods, specifically PKINIT, which can get or derive
* this from the client's certificate.
*/
if (r->pa_max_life > 0)
t = start + min(t - start, r->pa_max_life);
else if (r->client->entry.max_life)
t = start + min(t - start, *r->client->entry.max_life);
else if (r->client->max_life)
t = start + min(t - start, *r->client->max_life);
if (r->server->entry.max_life)
t = start + min(t - start, *r->server->entry.max_life);
if (r->server->max_life)
t = start + min(t - start, *r->server->max_life);
/* Pre-auth can bound endtime as well */
if (r->pa_endtime > 0)
@@ -2539,10 +2536,10 @@ _kdc_as_rep(astgs_request_t r)
t = *b->rtime;
if(t == 0)
t = MAX_TIME;
if(r->client->entry.max_renew)
t = start + min(t - start, *r->client->entry.max_renew);
if(r->server->entry.max_renew)
t = start + min(t - start, *r->server->entry.max_renew);
if(r->client->max_renew)
t = start + min(t - start, *r->client->max_renew);
if(r->server->max_renew)
t = start + min(t - start, *r->server->max_renew);
#if 0
t = min(t, start + realm->max_renew);
#endif
@@ -2575,16 +2572,16 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
r->ek.last_req.len = 0;
if (r->client->entry.pw_end
if (r->client->pw_end
&& (config->kdc_warn_pwexpire == 0
|| kdc_time + config->kdc_warn_pwexpire >= *r->client->entry.pw_end)) {
|| kdc_time + config->kdc_warn_pwexpire >= *r->client->pw_end)) {
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_PW_EXPTIME;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.pw_end;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->pw_end;
++r->ek.last_req.len;
}
if (r->client->entry.valid_end) {
if (r->client->valid_end) {
r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->entry.valid_end;
r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->valid_end;
++r->ek.last_req.len;
}
if (r->ek.last_req.len == 0) {
@@ -2593,16 +2590,16 @@ _kdc_as_rep(astgs_request_t r)
++r->ek.last_req.len;
}
r->ek.nonce = b->nonce;
if (r->client->entry.valid_end || r->client->entry.pw_end) {
if (r->client->valid_end || r->client->pw_end) {
ALLOC(r->ek.key_expiration);
if (r->client->entry.valid_end) {
if (r->client->entry.pw_end)
*r->ek.key_expiration = min(*r->client->entry.valid_end,
*r->client->entry.pw_end);
if (r->client->valid_end) {
if (r->client->pw_end)
*r->ek.key_expiration = min(*r->client->valid_end,
*r->client->pw_end);
else
*r->ek.key_expiration = *r->client->entry.valid_end;
*r->ek.key_expiration = *r->client->valid_end;
} else
*r->ek.key_expiration = *r->client->entry.pw_end;
*r->ek.key_expiration = *r->client->pw_end;
} else
r->ek.key_expiration = NULL;
r->ek.flags = r->et.flags;
@@ -2656,7 +2653,7 @@ _kdc_as_rep(astgs_request_t r)
generate_pac(r, skey, krbtgt_key, is_tgs);
}
if (r->client->entry.flags.synthetic) {
if (r->client->flags.synthetic) {
ret = add_synthetic_princ_ad(r);
if (ret)
goto out;
@@ -2713,8 +2710,8 @@ _kdc_as_rep(astgs_request_t r)
ret = _kdc_encode_reply(r->context, config,
r, req->req_body.nonce, setype,
r->server->entry.kvno, &skey->key,
pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->entry.kvno,
r->server->kvno, &skey->key,
pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->kvno,
0, r->reply);
if (ret)
goto out;

107
kdc/krb5tgs.c
View File

@@ -80,10 +80,10 @@ _kdc_check_pac(krb5_context context,
krb5_kdc_configuration *config,
const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal,
hdb_entry_ex *client,
hdb_entry_ex *server,
hdb_entry_ex *krbtgt,
hdb_entry_ex *ticket_server,
hdb_entry *client,
hdb_entry *server,
hdb_entry *krbtgt,
hdb_entry *ticket_server,
const EncryptionKey *server_check_key,
const EncryptionKey *krbtgt_check_key,
EncTicketPart *tkt,
@@ -122,7 +122,8 @@ _kdc_check_pac(krb5_context context,
}
/* Verify the KDC signatures. */
ret = _kdc_pac_verify(context, client_principal, delegated_proxy_principal,
ret = _kdc_pac_verify(context, config,
client_principal, delegated_proxy_principal,
client, server, krbtgt, &pac);
if (ret == 0) {
if (pac_canon_name) {
@@ -140,8 +141,8 @@ _kdc_check_pac(krb5_context context,
* We can't verify the KDC signatures if the ticket was issued by
* another realm's KDC.
*/
if (krb5_realm_compare(context, server->entry.principal,
ticket_server->entry.principal)) {
if (krb5_realm_compare(context, server->principal,
ticket_server->principal)) {
ret = krb5_pac_verify(context, pac, 0, NULL, NULL,
krbtgt_check_key);
if (ret) {
@@ -173,7 +174,7 @@ _kdc_check_pac(krb5_context context,
*kdc_issued = signedticket ||
krb5_principal_is_krbtgt(context,
ticket_server->entry.principal);
ticket_server->principal);
*ppac = pac;
return 0;
@@ -359,8 +360,8 @@ krb5_error_code
_kdc_check_client_matches_target_service(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
hdb_entry_ex *target_server,
hdb_entry *client,
hdb_entry *target_server,
krb5_const_principal target_server_principal)
{
krb5_error_code ret;
@@ -378,7 +379,7 @@ _kdc_check_client_matches_target_service(krb5_context context,
if (ret == 0)
return 0;
} else if (krb5_principal_compare(context,
client->entry.principal,
client->principal,
target_server_principal) == TRUE) {
/* if client does a s4u2self to itself, and there is no plugin, that is ok */
return 0;
@@ -536,9 +537,9 @@ tgs_make_reply(astgs_request_t r,
const krb5_keyblock *sessionkey,
krb5_kvno kvno,
AuthorizationData *auth_data,
hdb_entry_ex *server,
hdb_entry *server,
krb5_principal server_principal,
hdb_entry_ex *client,
hdb_entry *client,
krb5_principal client_principal,
const char *tgt_realm,
uint16_t rodc_id,
@@ -596,7 +597,7 @@ tgs_make_reply(astgs_request_t r,
GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
&tgt->transited, et,
krb5_principal_get_realm(r->context, client_principal),
krb5_principal_get_realm(r->context, server->entry.principal),
krb5_principal_get_realm(r->context, server->principal),
tgt_realm);
if(ret)
goto out;
@@ -628,10 +629,10 @@ tgs_make_reply(astgs_request_t r,
{
time_t life;
life = et->endtime - *et->starttime;
if(client && client->entry.max_life)
life = min(life, *client->entry.max_life);
if(server->entry.max_life)
life = min(life, *server->entry.max_life);
if(client && client->max_life)
life = min(life, *client->max_life);
if(server->max_life)
life = min(life, *server->max_life);
et->endtime = *et->starttime + life;
}
if(f.renewable_ok && tgt->flags.renewable &&
@@ -645,10 +646,10 @@ tgs_make_reply(astgs_request_t r,
if(et->renew_till){
time_t renew;
renew = *et->renew_till - *et->starttime;
if(client && client->entry.max_renew)
renew = min(renew, *client->entry.max_renew);
if(server->entry.max_renew)
renew = min(renew, *server->entry.max_renew);
if(client && client->max_renew)
renew = min(renew, *client->max_renew);
if(server->max_renew)
renew = min(renew, *server->max_renew);
*et->renew_till = *et->starttime + renew;
}
@@ -672,12 +673,12 @@ tgs_make_reply(astgs_request_t r,
et->flags.pre_authent = tgt->flags.pre_authent;
et->flags.hw_authent = tgt->flags.hw_authent;
et->flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
et->flags.ok_as_delegate = server->flags.ok_as_delegate;
/* See MS-KILE 3.3.5.1 */
if (!server->entry.flags.forwardable)
if (!server->flags.forwardable)
et->flags.forwardable = 0;
if (!server->entry.flags.proxiable)
if (!server->flags.proxiable)
et->flags.proxiable = 0;
if (auth_data) {
@@ -729,7 +730,7 @@ tgs_make_reply(astgs_request_t r,
et->endtime, et->renew_till);
if (krb5_enctype_valid(r->context, serverkey->keytype) != 0
&& _kdc_is_weak_exception(server->entry.principal, serverkey->keytype))
&& _kdc_is_weak_exception(server->principal, serverkey->keytype))
{
krb5_enctype_enable(r->context, serverkey->keytype);
is_weak = 1;
@@ -761,7 +762,7 @@ tgs_make_reply(astgs_request_t r,
*/
if (_kdc_include_pac_p(r)) {
krb5_boolean is_tgs =
krb5_principal_is_krbtgt(r->context, server->entry.principal);
krb5_principal_is_krbtgt(r->context, server->principal);
ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, r->client_princ, serverkey,
krbtgtkey, rodc_id, NULL, r->canon_client_princ,
@@ -1016,12 +1017,12 @@ tgs_parse_request(astgs_request_t r,
goto out;
}
krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : r->krbtgt->entry.kvno;
krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : r->krbtgt->kvno;
*krbtgt_etype = ap_req.ticket.enc_part.etype;
next_kvno:
krbtgt_keys = hdb_kvno2keys(r->context, &r->krbtgt->entry, krbtgt_kvno_try);
ret = hdb_enctype2key(r->context, &r->krbtgt->entry, krbtgt_keys,
krbtgt_keys = hdb_kvno2keys(r->context, r->krbtgt, krbtgt_kvno_try);
ret = hdb_enctype2key(r->context, r->krbtgt, krbtgt_keys,
ap_req.ticket.enc_part.etype, &tkey);
if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
kvno_search_tries--;
@@ -1301,10 +1302,10 @@ _kdc_db_fetch_client(krb5_context context,
const char *cpn,
const char *krbtgt_realm,
HDB **clientdb,
hdb_entry_ex **client_out)
hdb_entry **client_out)
{
krb5_error_code ret;
hdb_entry_ex *client = NULL;
hdb_entry *client = NULL;
*client_out = NULL;
@@ -1333,7 +1334,7 @@ _kdc_db_fetch_client(krb5_context context,
msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 4, "Client not found in database: %s", msg);
krb5_free_error_message(context, msg);
} else if (client->entry.flags.invalid || !client->entry.flags.client) {
} else if (client->flags.invalid || !client->flags.client) {
kdc_log(context, config, 4, "Client has invalid bit set");
_kdc_free_ent(context, *clientdb, client);
return KRB5KDC_ERR_POLICY;
@@ -1360,9 +1361,9 @@ tgs_build_reply(astgs_request_t priv,
krb5_principal user2user_princ = NULL;
char *spn = NULL, *cpn = NULL, *krbtgt_out_n = NULL;
char *user2user_name = NULL;
hdb_entry_ex *server = NULL, *client = NULL;
hdb_entry *server = NULL, *client = NULL;
HDB *user2user_krbtgtdb;
hdb_entry_ex *user2user_krbtgt = NULL;
hdb_entry *user2user_krbtgt = NULL;
HDB *clientdb;
HDB *serverdb = NULL;
krb5_realm ref_realm = NULL;
@@ -1374,14 +1375,14 @@ tgs_build_reply(astgs_request_t priv,
uint16_t rodc_id;
krb5_boolean add_ticket_sig = FALSE;
const char *tgt_realm = /* Realm of TGT issuer */
krb5_principal_get_realm(context, priv->krbtgt->entry.principal);
krb5_principal_get_realm(context, priv->krbtgt->principal);
const char *our_realm = /* Realm of this KDC */
krb5_principal_get_comp_string(context, priv->krbtgt->entry.principal, 1);
krb5_principal_get_comp_string(context, priv->krbtgt->principal, 1);
char **capath = NULL;
size_t num_capath = 0;
HDB *krbtgt_outdb;
hdb_entry_ex *krbtgt_out = NULL;
hdb_entry *krbtgt_out = NULL;
PrincipalName *s;
Realm r;
@@ -1457,7 +1458,7 @@ server_lookup:
goto out;
} else if (ret == HDB_ERR_WRONG_REALM) {
free(ref_realm);
ref_realm = strdup(server->entry.principal->realm);
ref_realm = strdup(server->principal->realm);
if (ref_realm == NULL) {
ret = krb5_enomem(context);
goto out;
@@ -1579,8 +1580,8 @@ server_lookup:
* backend to override this by setting the force-canonicalize HDB
* flag in the server entry.
*/
if (server->entry.flags.force_canonicalize)
rsp = server->entry.principal;
if (server->flags.force_canonicalize)
rsp = server->principal;
else
rsp = priv->server_princ;
@@ -1614,7 +1615,7 @@ server_lookup:
HDB_F_GET_KRBTGT, NULL, &krbtgt_outdb, &krbtgt_out);
if (ret) {
char *ktpn = NULL;
ret = krb5_unparse_name(context, priv->krbtgt->entry.principal, &ktpn);
ret = krb5_unparse_name(context, priv->krbtgt->principal, &ktpn);
kdc_log(context, config, 4,
"No such principal %s (needed for authz-data signature keys) "
"while processing TGS-REQ for service %s with krbtg %s",
@@ -1639,7 +1640,7 @@ server_lookup:
krb5uint32 *kvno_ptr = NULL;
size_t i;
HDB *user2user_db;
hdb_entry_ex *user2user_client = NULL;
hdb_entry *user2user_client = NULL;
krb5_boolean user2user_kdc_issued = FALSE;
char *tpn;
@@ -1684,7 +1685,7 @@ server_lookup:
krb5_xfree(tpn);
goto out;
}
ret = hdb_enctype2key(context, &user2user_krbtgt->entry, NULL,
ret = hdb_enctype2key(context, user2user_krbtgt, NULL,
t->enc_part.etype, &uukey);
if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
@@ -1832,7 +1833,7 @@ server_lookup:
goto out;
}
ekey = &skey->key;
kvno = server->entry.kvno;
kvno = server->kvno;
}
ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
@@ -1853,10 +1854,10 @@ server_lookup:
* the DB to possibly correct the case of the realm (Samba4 does
* this) before the strcmp()
*/
if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
if (strcmp(krb5_principal_get_realm(context, server->principal),
krb5_principal_get_realm(context, krbtgt_out->principal)) != 0) {
char *ktpn;
ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
ret = krb5_unparse_name(context, krbtgt_out->principal, &ktpn);
kdc_log(context, config, 4,
"Request with wrong krbtgt: %s",
(ret == 0) ? ktpn : "<unknown>");
@@ -1876,7 +1877,7 @@ server_lookup:
"Failed to find key for krbtgt PAC signature");
goto out;
}
ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
ret = hdb_enctype2key(context, krbtgt_out, NULL,
tkey_sign->key.keytype, &tkey_sign);
if(ret) {
kdc_log(context, config, 4,
@@ -1935,8 +1936,8 @@ server_lookup:
if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context,
priv->krbtgt->entry.principal,
priv->server->entry.principal)){
priv->krbtgt->principal,
priv->server->principal)){
_kdc_audit_addreason((kdc_request_t)priv, "Inconsistent request");
kdc_log(context, config, 4, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH;
@@ -2007,7 +2008,7 @@ server_lookup:
*/
if (kdc_issued &&
!krb5_principal_is_krbtgt(context, server->entry.principal)) {
!krb5_principal_is_krbtgt(context, server->principal)) {
/* Validate armor TGT before potentially including device claims */
if (priv->armor_ticket) {
@@ -2024,7 +2025,7 @@ server_lookup:
* read-only-dc identifier, we need to embed it in the PAC KDC signatures.
*/
rodc_id = krbtgt_out->entry.kvno >> 16;
rodc_id = krbtgt_out->kvno >> 16;
/*
*

2
kdc/kx509.c
View File

@@ -254,7 +254,7 @@ is_local_realm(krb5_context context,
krb5_error_code ret;
krb5_principal tgs;
HDB *db;
hdb_entry_ex *ent = NULL;
hdb_entry *ent = NULL;
ret = krb5_make_principal(context, &tgs, realm, KRB5_TGS_NAME, realm,
NULL);

74
kdc/misc.c
View File

@@ -67,11 +67,11 @@ synthesize_client(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_principal princ,
HDB **db,
hdb_entry_ex **h)
hdb_entry **h)
{
static HDB null_db;
krb5_error_code ret;
hdb_entry_ex *e;
hdb_entry *e;
/* Hope this works! */
null_db.hdb_destroy = synthesize_hdb_close;
@@ -81,40 +81,40 @@ synthesize_client(krb5_context context,
ret = (e = calloc(1, sizeof(*e))) ? 0 : krb5_enomem(context);
if (ret == 0) {
e->entry.flags.client = 1;
e->entry.flags.immutable = 1;
e->entry.flags.virtual = 1;
e->entry.flags.synthetic = 1;
e->entry.flags.do_not_store = 1;
e->entry.kvno = 1;
e->entry.keys.len = 0;
e->entry.keys.val = NULL;
e->entry.created_by.time = time(NULL);
e->entry.modified_by = NULL;
e->entry.valid_start = NULL;
e->entry.valid_end = NULL;
e->entry.pw_end = NULL;
e->entry.etypes = NULL;
e->entry.generation = NULL;
e->entry.extensions = NULL;
e->flags.client = 1;
e->flags.immutable = 1;
e->flags.virtual = 1;
e->flags.synthetic = 1;
e->flags.do_not_store = 1;
e->kvno = 1;
e->keys.len = 0;
e->keys.val = NULL;
e->created_by.time = time(NULL);
e->modified_by = NULL;
e->valid_start = NULL;
e->valid_end = NULL;
e->pw_end = NULL;
e->etypes = NULL;
e->generation = NULL;
e->extensions = NULL;
}
if (ret == 0)
ret = (e->entry.max_renew = calloc(1, sizeof(*e->entry.max_renew))) ?
ret = (e->max_renew = calloc(1, sizeof(*e->max_renew))) ?
0 : krb5_enomem(context);
if (ret == 0)
ret = (e->entry.max_life = calloc(1, sizeof(*e->entry.max_life))) ?
ret = (e->max_life = calloc(1, sizeof(*e->max_life))) ?
0 : krb5_enomem(context);
if (ret == 0)
ret = krb5_copy_principal(context, princ, &e->entry.principal);
ret = krb5_copy_principal(context, princ, &e->principal);
if (ret == 0)
ret = krb5_copy_principal(context, princ, &e->entry.created_by.principal);
ret = krb5_copy_principal(context, princ, &e->created_by.principal);
if (ret == 0) {
/*
* We can't check OCSP in the TGS path, so we can't let tickets for
* synthetic principals live very long.
*/
*(e->entry.max_renew) = config->synthetic_clients_max_renew;
*(e->entry.max_life) = config->synthetic_clients_max_life;
*(e->max_renew) = config->synthetic_clients_max_renew;
*(e->max_life) = config->synthetic_clients_max_life;
*h = e;
} else {
hdb_free_entry(context, &null_db, e);
@@ -129,9 +129,9 @@ _kdc_db_fetch(krb5_context context,
unsigned flags,
krb5uint32 *kvno_ptr,
HDB **db,
hdb_entry_ex **h)
hdb_entry **h)
{
hdb_entry_ex *ent = NULL;
hdb_entry *ent = NULL;
krb5_error_code ret = HDB_ERR_NOENTRY;
int i;
unsigned kvno = 0;
@@ -246,7 +246,7 @@ out:
}
KDC_LIB_FUNCTION void KDC_LIB_CALL
_kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent)
_kdc_free_ent(krb5_context context, HDB *db, hdb_entry *ent)
{
hdb_free_entry (context, db, ent);
free (ent);
@@ -260,7 +260,7 @@ _kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent)
krb5_error_code
_kdc_get_preferred_key(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *h,
hdb_entry *h,
const char *name,
krb5_enctype *enctype,
Key **key)
@@ -273,9 +273,9 @@ _kdc_get_preferred_key(krb5_context context,
for (i = 0; p[i] != (krb5_enctype)ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0 &&
!_kdc_is_weak_exception(h->entry.principal, p[i]))
!_kdc_is_weak_exception(h->principal, p[i]))
continue;
ret = hdb_enctype2key(context, &h->entry, NULL, p[i], key);
ret = hdb_enctype2key(context, h, NULL, p[i], key);
if (ret != 0)
continue;
if (enctype != NULL)
@@ -285,12 +285,12 @@ _kdc_get_preferred_key(krb5_context context,
} else {
*key = NULL;
for (i = 0; i < h->entry.keys.len; i++) {
if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype) != 0 &&
!_kdc_is_weak_exception(h->entry.principal, h->entry.keys.val[i].key.keytype))
for (i = 0; i < h->keys.len; i++) {
if (krb5_enctype_valid(context, h->keys.val[i].key.keytype) != 0 &&
!_kdc_is_weak_exception(h->principal, h->keys.val[i].key.keytype))
continue;
ret = hdb_enctype2key(context, &h->entry, NULL,
h->entry.keys.val[i].key.keytype, key);
ret = hdb_enctype2key(context, h, NULL,
h->keys.val[i].key.keytype, key);
if (ret != 0)
continue;
if (enctype != NULL)
@@ -334,9 +334,9 @@ _kdc_verify_checksum(krb5_context context,
krb5_boolean
_kdc_include_pac_p(astgs_request_t r)
{
if (krb5_principal_is_krbtgt(r->context, r->server->entry.principal))
if (krb5_principal_is_krbtgt(r->context, r->server->principal))
return TRUE;
else if (r->server->entry.flags.no_auth_data_reqd)
else if (r->server->flags.no_auth_data_reqd)
return FALSE;
return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));

4
kdc/mit_dump.c
View File

@@ -146,7 +146,7 @@ mit_prop_dump(void *arg, const char *file)
char *line = NULL;
int lineno = 0;
FILE *f;
struct hdb_entry_ex ent;
hdb_entry ent;
struct prop_data *pd = arg;
krb5_storage *sp = NULL;
krb5_data kdb_ent;
@@ -202,7 +202,7 @@ mit_prop_dump(void *arg, const char *file)
}
ret = krb5_storage_to_data(sp, &kdb_ent);
if (ret) break;
ret = _hdb_mdb_value2entry(pd->context, &kdb_ent, 0, &ent.entry);
ret = _hdb_mdb_value2entry(pd->context, &kdb_ent, 0, &ent);
krb5_data_free(&kdb_ent);
if (ret) {
warnx("line: %d: failed to store; ignoring", lineno);

37
kdc/mssfu.c
View File

@@ -47,8 +47,8 @@ static krb5_error_code
check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
hdb_entry_ex *server,
hdb_entry *client,
hdb_entry *server,
krb5_const_principal target)
{
const HDB_Ext_Constrained_delegation_acl *acl;
@@ -61,7 +61,7 @@ check_constrained_delegation(krb5_context context,
* of the principals here, while "target" is the principal
* provided by the client.
*/
if (!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
if (!krb5_realm_compare(context, client->principal, server->principal)) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 4,
"Bad request for constrained delegation");
@@ -74,10 +74,10 @@ check_constrained_delegation(krb5_context context,
return 0;
} else {
/* if client delegates to itself, that ok */
if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
if (krb5_principal_compare(context, client->principal, server->principal) == TRUE)
return 0;
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
ret = hdb_entry_get_ConstrainedDelegACL(client, &acl);
if (ret) {
krb5_clear_error_message(context);
return ret;
@@ -101,7 +101,7 @@ update_client_names(astgs_request_t r,
char **s4ucname,
krb5_principal *s4u_client_name,
HDB **s4u_clientdb,
hdb_entry_ex **s4u_client,
hdb_entry **s4u_client,
krb5_principal *s4u_canon_client_name,
krb5_pac *s4u_pac)
{
@@ -139,7 +139,7 @@ validate_protocol_transition(astgs_request_t r)
krb5_error_code ret;
KDC_REQ_BODY *b = &r->req.req_body;
EncTicketPart *ticket = &r->ticket->ticket;
hdb_entry_ex *s4u_client = NULL;
hdb_entry *s4u_client = NULL;
HDB *s4u_clientdb;
int flags = HDB_F_FOR_TGS_REQ;
krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
@@ -275,15 +275,16 @@ validate_protocol_transition(astgs_request_t r)
* Ignore require_pwchange and pw_end attributes (as Windows does),
* since S4U2Self is not password authentication.
*/
s4u_client->entry.flags.require_pwchange = FALSE;
free(s4u_client->entry.pw_end);
s4u_client->entry.pw_end = NULL;
s4u_client->flags.require_pwchange = FALSE;
free(s4u_client->pw_end);
s4u_client->pw_end = NULL;
ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
if (ret)
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
ret = _kdc_pac_generate(r->context,
r->config,
s4u_client,
r->server,
NULL,
@@ -312,7 +313,7 @@ validate_protocol_transition(astgs_request_t r)
goto out;
}
ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
ret = krb5_copy_principal(r->context, s4u_client->principal,
&s4u_canon_client_name);
if (ret)
goto out;
@@ -322,8 +323,8 @@ validate_protocol_transition(astgs_request_t r)
* delegation or if the impersonate client is disallowed
* forwardable, remove the forwardable flag.
*/
if (r->client->entry.flags.trusted_for_delegation &&
s4u_client->entry.flags.forwardable) {
if (r->client->flags.trusted_for_delegation &&
s4u_client->flags.forwardable) {
str = "[forwardable]";
} else {
b->kdc_options.forwardable = 0;
@@ -373,7 +374,7 @@ validate_constrained_delegation(astgs_request_t r)
char *s4ucname = NULL, *s4usname = NULL;
EncTicketPart evidence_tkt;
HDB *s4u_clientdb;
hdb_entry_ex *s4u_client = NULL;
hdb_entry *s4u_client = NULL;
krb5_boolean ad_kdc_issued = FALSE;
Key *clientkey;
Ticket *t;
@@ -388,7 +389,7 @@ validate_constrained_delegation(astgs_request_t r)
memset(&evidence_tkt, 0, sizeof(evidence_tkt));
local_realm =
krb5_principal_get_comp_string(r->context, r->krbtgt->entry.principal, 1);
krb5_principal_get_comp_string(r->context, r->krbtgt->principal, 1);
/*
* We require that the service's TGT has a PAC; this will have been
@@ -405,8 +406,8 @@ validate_constrained_delegation(astgs_request_t r)
t = &b->additional_tickets->val[0];
ret = hdb_enctype2key(r->context, &r->client->entry,
hdb_kvno2keys(r->context, &r->client->entry,
ret = hdb_enctype2key(r->context, r->client,
hdb_kvno2keys(r->context, r->client,
t->enc_part.kvno ? * t->enc_part.kvno : 0),
t->enc_part.etype, &clientkey);
if (ret) {
@@ -530,7 +531,7 @@ validate_constrained_delegation(astgs_request_t r)
* can insert the canonical client name ourselves.
*/
if (s4u_canon_client_name == NULL && s4u_client != NULL) {
ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
ret = krb5_copy_principal(r->context, s4u_client->principal,
&s4u_canon_client_name);
if (ret)
goto out;

26
kdc/pkinit.c
View File

@@ -388,7 +388,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
krb5_context context = priv->context;
krb5_kdc_configuration *config = priv->config;
const KDC_REQ *req = &priv->req;
hdb_entry_ex *client = priv->client;
hdb_entry *client = priv->client;
pk_client_params *cp;
krb5_error_code ret;
heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL };
@@ -431,7 +431,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
}
/* Add any registered certificates for this client as trust anchors */
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
ret = hdb_entry_get_pkinit_cert(client, &pc);
if (ret == 0 && pc != NULL) {
hx509_cert cert;
unsigned int i;
@@ -467,7 +467,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
type = "PK-INIT-Win2k";
if (_kdc_is_anonymous(context, client->entry.principal)) {
if (_kdc_is_anonymous(context, client->principal)) {
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
krb5_set_error_message(context, ret,
"Anonymous client not supported in RSA mode");
@@ -613,7 +613,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
hx509_certs signer_certs;
int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */
if (_kdc_is_anonymous(context, client->entry.principal)
if (_kdc_is_anonymous(context, client->principal)
|| (config->historical_anon_realm && _kdc_is_anon_request(req)))
flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
@@ -699,7 +699,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
goto out;
}
if (_kdc_is_anonymous(context, client->entry.principal) &&
if (_kdc_is_anonymous(context, client->principal) &&
ap.clientPublicValue == NULL) {
free_AuthPack(&ap);
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
@@ -1598,7 +1598,7 @@ match_ms_upn_san(krb5_context context,
hx509_context hx509ctx,
hx509_cert client_cert,
HDB *clientdb,
hdb_entry_ex *client)
hdb_entry *client)
{
hx509_octet_string_list list;
krb5_principal principal = NULL;
@@ -1652,7 +1652,7 @@ match_ms_upn_san(krb5_context context,
*/
strupr(principal->realm);
if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
if (krb5_principal_compare(context, principal, client->principal) == FALSE)
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
}
@@ -1671,7 +1671,7 @@ _kdc_pk_check_client(astgs_request_t r,
{
krb5_kdc_configuration *config = r->config;
HDB *clientdb = r->clientdb;
hdb_entry_ex *client = r->client;
hdb_entry *client = r->client;
const HDB_Ext_PKINIT_acl *acl;
const HDB_Ext_PKINIT_cert *pc;
krb5_error_code ret;
@@ -1679,7 +1679,7 @@ _kdc_pk_check_client(astgs_request_t r,
size_t i;
if (cp->cert == NULL) {
if (!_kdc_is_anonymous(r->context, client->entry.principal)
if (!_kdc_is_anonymous(r->context, client->principal)
&& !config->historical_anon_realm)
return KRB5KDC_ERR_BADOPTION;
@@ -1716,7 +1716,7 @@ _kdc_pk_check_client(astgs_request_t r,
"Trying to authorize PKINIT subject DN %s",
*subject_name);
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
ret = hdb_entry_get_pkinit_cert(client, &pc);
if (ret == 0 && pc) {
hx509_cert cert;
size_t j;
@@ -1743,7 +1743,7 @@ _kdc_pk_check_client(astgs_request_t r,
ret = match_rfc_san(r->context, config,
r->context->hx509ctx,
cp->cert,
client->entry.principal);
client->principal);
if (ret == 0) {
kdc_log(r->context, config, 5,
"Found matching PKINIT SAN in certificate");
@@ -1761,7 +1761,7 @@ _kdc_pk_check_client(astgs_request_t r,
}
}
ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
ret = hdb_entry_get_pkinit_acl(client, &acl);
if (ret == 0 && acl != NULL) {
/*
* Cheat here and compare the generated name with the string
@@ -1787,7 +1787,7 @@ _kdc_pk_check_client(astgs_request_t r,
krb5_boolean b;
b = krb5_principal_compare(r->context,
client->entry.principal,
client->principal,
principal_mappings.val[i].principal);
if (b == FALSE)
continue;

172
lib/hdb/common.c
View File

@@ -148,7 +148,7 @@ fetch_entry_or_alias(krb5_context context,
HDB *db,
krb5_const_principal principal,
unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
HDB_EntryOrAlias eoa;
krb5_principal enterprise_principal = NULL;
@@ -180,7 +180,7 @@ fetch_entry_or_alias(krb5_context context,
if (ret == 0)
ret = decode_HDB_EntryOrAlias(value.data, value.length, &eoa, NULL);
if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_entry) {
entry->entry = eoa.u.entry;
*entry = eoa.u.entry;
} else if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias) {
krb5_data_free(&key);
ret = hdb_principal2key(context, eoa.u.alias.principal, &key);
@@ -190,7 +190,7 @@ fetch_entry_or_alias(krb5_context context,
}
if (ret == 0)
/* No alias chaining */
ret = hdb_value2entry(context, &value, &entry->entry);
ret = hdb_value2entry(context, &value, entry);
krb5_free_principal(context, eoa.u.alias.principal);
} else if (ret == 0)
ret = ENOTSUP;
@@ -200,7 +200,7 @@ fetch_entry_or_alias(krb5_context context,
* the canonicalize flag is unset, the original specification in
* draft-ietf-krb-wg-kerberos-referrals-03.txt says we should.
*/
entry->entry.flags.force_canonicalize = 1;
entry->flags.force_canonicalize = 1;
}
/* HDB_F_GET_ANY indicates request originated from KDC (not kadmin) */
@@ -208,7 +208,7 @@ fetch_entry_or_alias(krb5_context context,
(flags & (HDB_F_CANON|HDB_F_GET_ANY)) == 0) {
/* `principal' was alias but canon not req'd */
free_HDB_entry(&entry->entry);
free_HDB_entry(entry);
ret = HDB_ERR_NOENTRY;
}
@@ -221,7 +221,7 @@ fetch_entry_or_alias(krb5_context context,
krb5_error_code
_hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{
krb5_error_code ret;
@@ -231,21 +231,21 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) {
/* Decrypt the current keys */
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
}
/* Decrypt the key history too */
ret = hdb_unseal_keys_kvno(context, db, 0, flags, &entry->entry);
ret = hdb_unseal_keys_kvno(context, db, 0, flags, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
}
} else if ((flags & HDB_F_DECRYPT)) {
if ((flags & HDB_F_KVNO_SPECIFIED) == 0 || kvno == entry->entry.kvno) {
if ((flags & HDB_F_KVNO_SPECIFIED) == 0 || kvno == entry->kvno) {
/* Decrypt the current keys */
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
@@ -257,7 +257,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
* Find and decrypt the keys from the history that we want,
* and swap them with the current keys
*/
ret = hdb_unseal_keys_kvno(context, db, kvno, flags, &entry->entry);
ret = hdb_unseal_keys_kvno(context, db, kvno, flags, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
@@ -271,7 +271,7 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
* key was generated, but given the salt will be ignored by a keytab
* client it doesn't hurt to include the default salt.
*/
ret = add_default_salts(context, db, &entry->entry);
ret = add_default_salts(context, db, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
@@ -325,20 +325,20 @@ hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key)
static krb5_error_code
hdb_add_aliases(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry)
unsigned flags, hdb_entry *entry)
{
const HDB_Ext_Aliases *aliases;
krb5_error_code code;
krb5_data key, value;
size_t i;
code = hdb_entry_get_aliases(&entry->entry, &aliases);
code = hdb_entry_get_aliases(entry, &aliases);
if (code || aliases == NULL)
return code;
for (i = 0; i < aliases->aliases.len; i++) {
hdb_entry_alias entryalias;
entryalias.principal = entry->entry.principal;
entryalias.principal = entry->principal;
code = hdb_entry_alias2value(context, &entryalias, &value);
if (code)
@@ -358,7 +358,7 @@ hdb_add_aliases(krb5_context context, HDB *db,
/* Check if new aliases are already used for other entries */
static krb5_error_code
hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
hdb_check_aliases(krb5_context context, HDB *db, hdb_entry *entry)
{
const HDB_Ext_Aliases *aliases = NULL;
HDB_EntryOrAlias eoa;
@@ -370,7 +370,7 @@ hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
krb5_data_zero(&value);
akey = value;
ret = hdb_entry_get_aliases(&entry->entry, &aliases);
ret = hdb_entry_get_aliases(entry, &aliases);
for (i = 0; ret == 0 && aliases && i < aliases->aliases.len; i++) {
ret = hdb_principal2key(context, &aliases->aliases.val[i], &akey);
if (ret == 0)
@@ -385,7 +385,7 @@ hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
ret = HDB_ERR_EXISTS;
if (ret == 0 && eoa.element == choice_HDB_EntryOrAlias_alias &&
!krb5_principal_compare(context, eoa.u.alias.principal,
entry->entry.principal))
entry->principal))
/* New alias names an existing alias of a different entry */
ret = HDB_ERR_EXISTS;
if (ret == HDB_ERR_NOENTRY) /* from db->hdb__get */
@@ -459,13 +459,13 @@ hdb_derive_etypes(krb5_context context, hdb_entry *e, HDB_Ext_KeySet *base_keys)
}
krb5_error_code
_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
krb5_data key, value;
int code;
if (entry->entry.flags.do_not_store ||
entry->entry.flags.force_canonicalize)
if (entry->flags.do_not_store ||
entry->flags.force_canonicalize)
return HDB_ERR_MISUSE;
/* check if new aliases already is used */
code = hdb_check_aliases(context, db, entry);
@@ -476,7 +476,7 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return 0;
if ((flags & HDB_F_PRECHECK)) {
code = hdb_principal2key(context, entry->entry.principal, &key);
code = hdb_principal2key(context, entry->principal, &key);
if (code)
return code;
code = db->hdb__get(context, db, key, &value);
@@ -488,29 +488,29 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return code ? code : HDB_ERR_EXISTS;
}
if ((entry->entry.etypes == NULL || entry->entry.etypes->len == 0) &&
(code = hdb_derive_etypes(context, &entry->entry, NULL)))
if ((entry->etypes == NULL || entry->etypes->len == 0) &&
(code = hdb_derive_etypes(context, entry, NULL)))
return code;
if (entry->entry.generation == NULL) {
if (entry->generation == NULL) {
struct timeval t;
entry->entry.generation = malloc(sizeof(*entry->entry.generation));
if(entry->entry.generation == NULL) {
entry->generation = malloc(sizeof(*entry->generation));
if(entry->generation == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
gettimeofday(&t, NULL);
entry->entry.generation->time = t.tv_sec;
entry->entry.generation->usec = t.tv_usec;
entry->entry.generation->gen = 0;
entry->generation->time = t.tv_sec;
entry->generation->usec = t.tv_usec;
entry->generation->gen = 0;
} else
entry->entry.generation->gen++;
entry->generation->gen++;
code = hdb_seal_keys(context, db, &entry->entry);
code = hdb_seal_keys(context, db, entry);
if (code)
return code;
code = hdb_principal2key(context, entry->entry.principal, &key);
code = hdb_principal2key(context, entry->principal, &key);
if (code)
return code;
@@ -520,7 +520,7 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
krb5_data_free(&key);
return code;
}
hdb_entry2value(context, &entry->entry, &value);
hdb_entry2value(context, entry, &value);
code = db->hdb__put(context, db, flags & HDB_F_REPLACE, key, value);
krb5_data_free(&value);
krb5_data_free(&key);
@@ -722,7 +722,7 @@ derive_keyset(krb5_context context,
/* Possibly derive and install in `h' a keyset identified by `t' */
static krb5_error_code
derive_keys_for_kr(krb5_context context,
hdb_entry_ex *h,
hdb_entry *h,
HDB_Ext_KeySet *base_keys,
int is_current_keyset,
int rotation_period_offset,
@@ -796,7 +796,7 @@ derive_keys_for_kr(krb5_context context,
ret = derive_keyset(context, &base_keys->val[i].keys, princ, etype, kvno,
set_time, &dks);
if (ret == 0)
ret = hdb_install_keyset(context, &h->entry, is_current_keyset, &dks);
ret = hdb_install_keyset(context, h, is_current_keyset, &dks);
free_HDB_keyset(&dks);
return ret;
@@ -805,7 +805,7 @@ derive_keys_for_kr(krb5_context context,
/* Derive and install current keys, and possibly preceding or next keys */
static krb5_error_code
derive_keys_for_current_kr(krb5_context context,
hdb_entry_ex *h,
hdb_entry *h,
HDB_Ext_KeySet *base_keys,
const char *princ,
unsigned int flags,
@@ -871,12 +871,12 @@ derive_keys_for_current_kr(krb5_context context,
* Arguments:
*
* - `flags' is the flags passed to `hdb_fetch_kvno()'
* - `princ' is the name of the principal we'll end up with in `h->entry'
* - `princ' is the name of the principal we'll end up with in `entry'
* - `h_is_namespace' indicates whether `h' is for a namespace or a concrete
* principal (that might nonetheless have virtual/derived keys)
* - `t' is the time such that the derived keys are for kvnos needed at `t'
* - `etype' indicates what enctype to derive keys for (0 for all enctypes in
* `h->entry.etypes')
* `entry->etypes')
* - `kvno' requests a particular kvno, or all if zero
*
* The caller doesn't know if the principal needs key derivation -- we make
@@ -968,7 +968,7 @@ derive_keys(krb5_context context,
krb5_timestamp t,
krb5int32 etype,
krb5uint32 kvno,
hdb_entry_ex *h)
hdb_entry *h)
{
HDB_Ext_KeyRotation kr;
HDB_Ext_KeySet base_keys;
@@ -977,9 +977,9 @@ derive_keys(krb5_context context,
char *p = NULL;
int valid = 1;
if (!h_is_namespace && !h->entry.flags.virtual_keys)
if (!h_is_namespace && !h->flags.virtual_keys)
return 0;
h->entry.flags.virtual = 1;
h->flags.virtual = 1;
kr.len = 0;
kr.val = 0;
@@ -987,7 +987,7 @@ derive_keys(krb5_context context,
const HDB_Ext_KeyRotation *ckr;
/* Installing keys invalidates `ckr', so we copy it */
ret = hdb_entry_get_key_rotation(context, &h->entry, &ckr);
ret = hdb_entry_get_key_rotation(context, h, &ckr);
if (!ckr)
return ret;
if (ret == 0)
@@ -998,11 +998,11 @@ derive_keys(krb5_context context,
base_keys.val = 0;
base_keys.len = 0;
if (ret == 0)
ret = hdb_remove_base_keys(context, &h->entry, &base_keys);
ret = hdb_remove_base_keys(context, h, &base_keys);
/* Make sure we have h->entry.etypes */
if (ret == 0 && !h->entry.etypes)
ret = hdb_derive_etypes(context, &h->entry, &base_keys);
/* Make sure we have h->etypes */
if (ret == 0 && !h->etypes)
ret = hdb_derive_etypes(context, h, &base_keys);
/* Keys not desired? Don't derive them! */
if (ret || !(flags & HDB_F_DECRYPT)) {
@@ -1094,10 +1094,10 @@ derive_keys(krb5_context context,
/*
* Derive and set in `h' its current kvno and current keys.
*
* This will set h->entry.kvno as well.
* This will set h->kvno as well.
*
* This may set up to TWO keysets for the current key rotation period:
* - current keys (h->entry.keys and h->entry.kvno)
* - current keys (h->keys and h->kvno)
* - possibly one future
* OR
* possibly one past keyset in hist_keys for the current_kr
@@ -1130,14 +1130,14 @@ derive_keys(krb5_context context,
kr.val[current_kr].epoch - 1, &kr.val[past_kr]);
/*
* Impose a bound on h->entry.max_life so that [when the KDC is the caller]
* Impose a bound on h->max_life so that [when the KDC is the caller]
* the KDC won't issue tickets longer lived than this.
*/
if (ret == 0 && !h->entry.max_life &&
(h->entry.max_life = calloc(1, sizeof(h->entry.max_life[0]))) == NULL)
if (ret == 0 && !h->max_life &&
(h->max_life = calloc(1, sizeof(h->max_life[0]))) == NULL)
ret = krb5_enomem(context);
if (ret == 0 && *h->entry.max_life > kr.val[current_kr].period >> 1)
*h->entry.max_life = kr.val[current_kr].period >> 1;
if (ret == 0 && *h->max_life > kr.val[current_kr].period >> 1)
*h->max_life = kr.val[current_kr].period >> 1;
free_HDB_Ext_KeyRotation(&kr);
free_HDB_Ext_KeySet(&base_keys);
@@ -1177,7 +1177,7 @@ pick_kvno(krb5_context context,
unsigned flags,
krb5_timestamp now,
krb5uint32 kvno,
hdb_entry_ex *h)
hdb_entry *h)
{
HDB_extension *ext;
HDB_Ext_KeySet keys;
@@ -1190,25 +1190,25 @@ pick_kvno(krb5_context context,
* delayed, or if there's no new-key delay configured, or we're not
* fetching for use as a service principal, then we're out.
*/
if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->entry.flags.virtual ||
h->entry.flags.virtual_keys || db->new_service_key_delay <= 0)
if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->flags.virtual ||
h->flags.virtual_keys || db->new_service_key_delay <= 0)
return 0;
/* No history -> current keyset is the only one and therefore the best */
ext = hdb_find_extension(&h->entry, choice_HDB_extension_data_hist_keys);
ext = hdb_find_extension(h, choice_HDB_extension_data_hist_keys);
if (!ext)
return 0;
/* Assume the current keyset is the best to start with */
(void) hdb_entry_get_pw_change_time(&h->entry, &current);
if (current == 0 && h->entry.modified_by)
current = h->entry.modified_by->time;
(void) hdb_entry_get_pw_change_time(h, &current);
if (current == 0 && h->modified_by)
current = h->modified_by->time;
if (current == 0)
current = h->entry.created_by.time;
current = h->created_by.time;
/* Current keyset starts out as best */
best = current;
kvno = h->entry.kvno;
kvno = h->kvno;
/* Look for a better keyset in the history */
keys = ext->data.u.hist_keys;
@@ -1248,7 +1248,7 @@ pick_kvno(krb5_context context,
best = keys.val[i].set_time[0];
kvno = keys.val[i].kvno;
}
return hdb_change_kvno(context, kvno, &h->entry);
return hdb_change_kvno(context, kvno, h);
}
/*
@@ -1359,15 +1359,15 @@ rewrite_hostname(krb5_context context,
}
/*
* Fix `h->entry.principal' to match the desired `princ' in the namespace
* `nsprinc' (which is either the same as `h->entry.principal' or an alias
* Fix `h->principal' to match the desired `princ' in the namespace
* `nsprinc' (which is either the same as `h->principal' or an alias
* of it).
*/
static krb5_error_code
fix_princ_name(krb5_context context,
krb5_const_principal princ,
krb5_const_principal nsprinc,
hdb_entry_ex *h)
hdb_entry *h)
{
krb5_error_code ret = 0;
char *s = NULL;
@@ -1379,7 +1379,7 @@ fix_princ_name(krb5_context context,
/* `nsprinc' must be a namespace principal */
if (krb5_principal_compare(context, nsprinc, h->entry.principal)) {
if (krb5_principal_compare(context, nsprinc, h->principal)) {
/*
* `h' is the HDB entry for `nsprinc', and `nsprinc' is its canonical
* name.
@@ -1387,23 +1387,23 @@ fix_princ_name(krb5_context context,
* Set the entry's principal name to the desired name. The keys will
* be fixed next (upstairs, but don't forget to!).
*/
free_Principal(h->entry.principal);
return copy_Principal(princ, h->entry.principal);
free_Principal(h->principal);
return copy_Principal(princ, h->principal);
}
if (!is_namespace_princ_p(context, h->entry.principal)) {
if (!is_namespace_princ_p(context, h->principal)) {
/*
* The alias is a namespace, but the canonical name is not. WAT.
*
* Well, the KDC will just issue a referral anyways, so we can leave
* `h->entry.principal' as is...
* `h->principal' as is...
*
* Remove all of `h->entry's keys just in case, and leave
* `h->entry.principal' as-is.
* Remove all of `h's keys just in case, and leave
* `h->principal' as-is.
*/
free_Keys(&h->entry.keys);
(void) hdb_entry_clear_password(context, &h->entry);
return hdb_clear_extension(context, &h->entry,
free_Keys(&h->keys);
(void) hdb_entry_clear_password(context, h);
return hdb_clear_extension(context, h,
choice_HDB_extension_data_hist_keys);
}
@@ -1418,15 +1418,15 @@ fix_princ_name(krb5_context context,
* we'll want to treat host/foo.ns.test.h5l.se as an alias of
* host/foo.ns.example.org.
*/
if (krb5_principal_get_num_comp(context, h->entry.principal) !=
if (krb5_principal_get_num_comp(context, h->principal) !=
2 + krb5_principal_get_num_comp(context, princ))
ret = HDB_ERR_NOENTRY; /* Only host-based services for now */
if (ret == 0)
ret = rewrite_hostname(context, princ, nsprinc, h->entry.principal, &s);
ret = rewrite_hostname(context, princ, nsprinc, h->principal, &s);
if (ret == 0) {
krb5_free_principal(context, h->entry.principal);
h->entry.principal = NULL;
ret = krb5_make_principal(context, &h->entry.principal,
krb5_free_principal(context, h->principal);
h->principal = NULL;
ret = krb5_make_principal(context, &h->principal,
krb5_principal_get_realm(context, princ),
krb5_principal_get_comp_string(context,
princ, 0),
@@ -1445,7 +1445,7 @@ fetch_it(krb5_context context,
krb5_timestamp t,
krb5int32 etype,
krb5uint32 kvno,
hdb_entry_ex *ent)
hdb_entry *ent)
{
krb5_const_principal tmpprinc = princ;
krb5_principal nsprinc = NULL;
@@ -1604,7 +1604,7 @@ hdb_fetch_kvno(krb5_context context,
krb5_timestamp t,
krb5int32 etype,
krb5uint32 kvno,
hdb_entry_ex *h)
hdb_entry *h)
{
krb5_error_code ret = HDB_ERR_NOENTRY;
@@ -1621,8 +1621,8 @@ hdb_fetch_kvno(krb5_context context,
* independently of principal aliases (used by Samba).
*/
if (ret == 0 && !(flags & HDB_F_ADMIN_DATA) &&
!h->entry.flags.force_canonicalize &&
!krb5_realm_compare(context, principal, h->entry.principal))
!h->flags.force_canonicalize &&
!krb5_realm_compare(context, principal, h->principal))
ret = HDB_ERR_WRONG_REALM;
return ret;
}

18
lib/hdb/db.c
View File

@@ -114,7 +114,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code
DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag)
unsigned flags, hdb_entry *entry, int flag)
{
DB *d = (DB*)db->hdb_db;
DBT key, value;
@@ -138,21 +138,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.data;
data.length = value.size;
memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry))
if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, R_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry);
code = hdb_unseal_keys (context, db, entry);
if (code)
hdb_free_entry (context, db, entry);
}
if (code == 0 && entry->entry.principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal));
if (entry->entry.principal == NULL) {
if (code == 0 && entry->principal == NULL) {
entry->principal = malloc(sizeof(*entry->principal));
if (entry->principal == NULL) {
code = ENOMEM;
krb5_set_error_message(context, code, "malloc: out of memory");
hdb_free_entry (context, db, entry);
} else {
hdb_key2principal(context, &key_data, entry->entry.principal);
hdb_key2principal(context, &key_data, entry->principal);
}
}
return code;
@@ -160,14 +160,14 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, R_FIRST);
}
static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, R_NEXT);
}

18
lib/hdb/db3.c
View File

@@ -136,7 +136,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code
DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag)
unsigned flags, hdb_entry *entry, int flag)
{
DBT key, value;
DBC *dbcp = db->hdb_dbc;
@@ -156,21 +156,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.data;
data.length = value.size;
memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry))
if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, DB_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry);
code = hdb_unseal_keys (context, db, entry);
if (code)
hdb_free_entry (context, db, entry);
}
if (entry->entry.principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal));
if (entry->entry.principal == NULL) {
if (entry->principal == NULL) {
entry->principal = malloc(sizeof(*entry->principal));
if (entry->principal == NULL) {
hdb_free_entry (context, db, entry);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
} else {
hdb_key2principal(context, &key_data, entry->entry.principal);
hdb_key2principal(context, &key_data, entry->principal);
}
}
return 0;
@@ -178,14 +178,14 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, DB_FIRST);
}
static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, DB_NEXT);
}

22
lib/hdb/hdb-keytab.c
View File

@@ -90,14 +90,14 @@ hkt_unlock(krb5_context context, HDB *db)
static krb5_error_code
hkt_firstkey(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry)
unsigned flags, hdb_entry *entry)
{
return HDB_ERR_DB_INUSE;
}
static krb5_error_code
hkt_nextkey(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
hdb_entry * entry)
{
return HDB_ERR_DB_INUSE;
}
@@ -119,7 +119,7 @@ hkt_open(krb5_context context, HDB * db, int flags, mode_t mode)
static krb5_error_code
hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry)
unsigned flags, krb5_kvno kvno, hdb_entry * entry)
{
hdb_keytab k = (hdb_keytab)db->hdb_db;
krb5_error_code ret;
@@ -132,13 +132,13 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
memset(&ktentry, 0, sizeof(ktentry));
entry->entry.flags.server = 1;
entry->entry.flags.forwardable = 1;
entry->entry.flags.renewable = 1;
entry->flags.server = 1;
entry->flags.forwardable = 1;
entry->flags.renewable = 1;
/* Not recorded in the OD backend, make something up */
ret = krb5_parse_name(context, "hdb/keytab@WELL-KNOWN:KEYTAB-BACKEND",
&entry->entry.created_by.principal);
&entry->created_by.principal);
if (ret)
goto out;
@@ -155,7 +155,7 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
goto out;
}
ret = krb5_copy_principal(context, principal, &entry->entry.principal);
ret = krb5_copy_principal(context, principal, &entry->principal);
if (ret)
goto out;
@@ -163,8 +163,8 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
out:
if (ret) {
free_HDB_entry(&entry->entry);
memset(&entry->entry, 0, sizeof(entry->entry));
free_HDB_entry(entry);
memset(entry, 0, sizeof(*entry));
}
krb5_kt_free_entry(context, &ktentry);
@@ -173,7 +173,7 @@ hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
static krb5_error_code
hkt_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
hdb_entry * entry)
{
return HDB_ERR_DB_INUSE;
}

348
lib/hdb/hdb-ldap.c
View File

@@ -47,7 +47,7 @@ static krb5_error_code LDAP_close(krb5_context context, HDB *);
static krb5_error_code
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int flags, hdb_entry_ex * ent);
int flags, hdb_entry * ent);
static const char *default_structural_object = "account";
static char *structural_object;
@@ -388,14 +388,14 @@ bervalstrcmp(struct berval *v, const char *str)
static krb5_error_code
LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent,
LDAPMessage * msg, LDAPMod *** pmods, krb5_boolean *pis_new_entry)
{
krb5_error_code ret;
krb5_boolean is_new_entry = FALSE;
char *tmp = NULL;
LDAPMod **mods = NULL;
hdb_entry_ex orig;
hdb_entry orig;
unsigned long oflags, nflags;
int i;
@@ -477,12 +477,12 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
if (is_new_entry ||
krb5_principal_compare(context, ent->entry.principal, orig.entry.principal)
krb5_principal_compare(context, ent->principal, orig.principal)
== FALSE)
{
if (is_heimdal_principal || is_heimdal_entry) {
ret = krb5_unparse_name(context, ent->entry.principal, &tmp);
ret = krb5_unparse_name(context, ent->principal, &tmp);
if (ret)
goto out;
@@ -496,7 +496,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
if (is_account || is_samba_account) {
ret = krb5_unparse_name_short(context, ent->entry.principal, &tmp);
ret = krb5_unparse_name_short(context, ent->principal, &tmp);
if (ret)
goto out;
ret = LDAP_addmod(&mods, LDAP_MOD_REPLACE, "uid", tmp);
@@ -508,15 +508,15 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
if (is_heimdal_entry && (ent->entry.kvno != orig.entry.kvno || is_new_entry)) {
if (is_heimdal_entry && (ent->kvno != orig.kvno || is_new_entry)) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5KeyVersionNumber",
ent->entry.kvno);
ent->kvno);
if (ret)
goto out;
}
if (is_heimdal_entry && ent->entry.extensions) {
if (is_heimdal_entry && ent->extensions) {
if (!is_new_entry) {
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5ExtendedAttributes");
if (vals) {
@@ -527,11 +527,11 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
for (i = 0; i < ent->entry.extensions->len; i++) {
for (i = 0; i < ent->extensions->len; i++) {
unsigned char *buf;
size_t size, sz = 0;
ASN1_MALLOC_ENCODE(HDB_extension, buf, size, &ent->entry.extensions->val[i], &sz, ret);
ASN1_MALLOC_ENCODE(HDB_extension, buf, size, &ent->extensions->val[i], &sz, ret);
if (ret)
goto out;
if (size != sz)
@@ -543,42 +543,42 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
if (is_heimdal_entry && ent->entry.valid_start) {
if (orig.entry.valid_end == NULL
|| (*(ent->entry.valid_start) != *(orig.entry.valid_start))) {
if (is_heimdal_entry && ent->valid_start) {
if (orig.valid_end == NULL
|| (*(ent->valid_start) != *(orig.valid_start))) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5ValidStart",
ent->entry.valid_start);
ent->valid_start);
if (ret)
goto out;
}
}
if (ent->entry.valid_end) {
if (orig.entry.valid_end == NULL || (*(ent->entry.valid_end) != *(orig.entry.valid_end))) {
if (ent->valid_end) {
if (orig.valid_end == NULL || (*(ent->valid_end) != *(orig.valid_end))) {
if (is_heimdal_entry) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5ValidEnd",
ent->entry.valid_end);
ent->valid_end);
if (ret)
goto out;
}
if (is_samba_account) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaKickoffTime",
*(ent->entry.valid_end));
*(ent->valid_end));
if (ret)
goto out;
}
}
}
if (ent->entry.pw_end) {
if (orig.entry.pw_end == NULL || (*(ent->entry.pw_end) != *(orig.entry.pw_end))) {
if (ent->pw_end) {
if (orig.pw_end == NULL || (*(ent->pw_end) != *(orig.pw_end))) {
if (is_heimdal_entry) {
ret = LDAP_addmod_generalized_time(&mods, LDAP_MOD_REPLACE,
"krb5PasswordEnd",
ent->entry.pw_end);
ent->pw_end);
if (ret)
goto out;
}
@@ -586,7 +586,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
if (is_samba_account) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaPwdMustChange",
*(ent->entry.pw_end));
*(ent->pw_end));
if (ret)
goto out;
}
@@ -595,43 +595,43 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
#if 0 /* we we have last_pw_change */
if (is_samba_account && ent->entry.last_pw_change) {
if (orig.entry.last_pw_change == NULL || (*(ent->entry.last_pw_change) != *(orig.entry.last_pw_change))) {
if (is_samba_account && ent->last_pw_change) {
if (orig.last_pw_change == NULL || (*(ent->last_pw_change) != *(orig.last_pw_change))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"sambaPwdLastSet",
*(ent->entry.last_pw_change));
*(ent->last_pw_change));
if (ret)
goto out;
}
}
#endif
if (is_heimdal_entry && ent->entry.max_life) {
if (orig.entry.max_life == NULL
|| (*(ent->entry.max_life) != *(orig.entry.max_life))) {
if (is_heimdal_entry && ent->max_life) {
if (orig.max_life == NULL
|| (*(ent->max_life) != *(orig.max_life))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5MaxLife",
*(ent->entry.max_life));
*(ent->max_life));
if (ret)
goto out;
}
}
if (is_heimdal_entry && ent->entry.max_renew) {
if (orig.entry.max_renew == NULL
|| (*(ent->entry.max_renew) != *(orig.entry.max_renew))) {
if (is_heimdal_entry && ent->max_renew) {
if (orig.max_renew == NULL
|| (*(ent->max_renew) != *(orig.max_renew))) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_REPLACE,
"krb5MaxRenew",
*(ent->entry.max_renew));
*(ent->max_renew));
if (ret)
goto out;
}
}
oflags = HDBFlags2int(orig.entry.flags);
nflags = HDBFlags2int(ent->entry.flags);
oflags = HDBFlags2int(orig.flags);
nflags = HDBFlags2int(ent->flags);
if (is_heimdal_entry && oflags != nflags) {
@@ -643,7 +643,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
/* Remove keys if they exists, and then replace keys. */
if (!is_new_entry && orig.entry.keys.len > 0) {
if (!is_new_entry && orig.keys.len > 0) {
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
if (vals) {
ldap_value_free_len(vals);
@@ -654,21 +654,21 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
for (i = 0; i < ent->entry.keys.len; i++) {
for (i = 0; i < ent->keys.len; i++) {
if (is_samba_account
&& ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
&& ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
char *ntHexPassword;
char *nt;
time_t now = time(NULL);
/* the key might have been 'sealed', but samba passwords
are clear in the directory */
ret = hdb_unseal_key(context, db, &ent->entry.keys.val[i]);
ret = hdb_unseal_key(context, db, &ent->keys.val[i]);
if (ret)
goto out;
nt = ent->entry.keys.val[i].key.keyvalue.data;
nt = ent->keys.val[i].key.keyvalue.data;
/* store in ntPassword, not krb5key */
ret = hex_encode(nt, 16, &ntHexPassword);
if (ret < 0) {
@@ -701,7 +701,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
unsigned char *buf;
size_t len, buf_size;
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->keys.val[i], &len, ret);
if (ret)
goto out;
if(buf_size != len)
@@ -714,7 +714,7 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
}
}
if (ent->entry.etypes) {
if (ent->etypes) {
int add_krb5EncryptionType = 0;
/*
@@ -736,15 +736,15 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry_ex * ent,
add_krb5EncryptionType = 1;
if (add_krb5EncryptionType) {
for (i = 0; i < ent->entry.etypes->len; i++) {
for (i = 0; i < ent->etypes->len; i++) {
if (is_samba_account &&
ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5)
{
;
} else if (is_heimdal_entry) {
ret = LDAP_addmod_integer(context, &mods, LDAP_MOD_ADD,
"krb5EncryptionType",
ent->entry.etypes->val[i]);
ent->etypes->val[i]);
if (ret)
goto out;
}
@@ -1005,7 +1005,7 @@ LDAP_principal2message(krb5_context context, HDB * db,
*/
static krb5_error_code
LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int flags, hdb_entry_ex * ent)
int flags, hdb_entry * ent)
{
char *unparsed_name = NULL, *dn = NULL, *ntPasswordIN = NULL;
char *samba_acct_flags = NULL;
@@ -1015,18 +1015,18 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
int tmp, tmp_time, i, ret, have_arcfour = 0;
memset(ent, 0, sizeof(*ent));
ent->entry.flags = int2HDBFlags(0);
ent->flags = int2HDBFlags(0);
ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", &unparsed_name);
if (ret == 0) {
ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
ret = krb5_parse_name(context, unparsed_name, &ent->principal);
if (ret)
goto out;
} else {
ret = LDAP_get_string_value(db, msg, "uid",
&unparsed_name);
if (ret == 0) {
ret = krb5_parse_name(context, unparsed_name, &ent->entry.principal);
ret = krb5_parse_name(context, unparsed_name, &ent->principal);
if (ret)
goto out;
} else {
@@ -1042,25 +1042,25 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
ret = LDAP_get_integer_value(db, msg, "krb5KeyVersionNumber",
&integer);
if (ret)
ent->entry.kvno = 0;
ent->kvno = 0;
else
ent->entry.kvno = integer;
ent->kvno = integer;
}
keys = ldap_get_values_len(HDB2LDAP(db), msg, "krb5Key");
if (keys != NULL) {
size_t l;
ent->entry.keys.len = ldap_count_values_len(keys);
ent->entry.keys.val = (Key *) calloc(ent->entry.keys.len, sizeof(Key));
if (ent->entry.keys.val == NULL) {
ent->keys.len = ldap_count_values_len(keys);
ent->keys.val = (Key *) calloc(ent->keys.len, sizeof(Key));
if (ent->keys.val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "calloc: out of memory");
goto out;
}
for (i = 0; i < ent->entry.keys.len; i++) {
for (i = 0; i < ent->keys.len; i++) {
decode_Key((unsigned char *) keys[i]->bv_val,
(size_t) keys[i]->bv_len, &ent->entry.keys.val[i], &l);
(size_t) keys[i]->bv_len, &ent->keys.val[i], &l);
}
ber_bvecfree(keys);
} else {
@@ -1070,8 +1070,8 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
* be related to a general directory entry without creating
* the keys. Hopefully it's OK.
*/
ent->entry.keys.len = 0;
ent->entry.keys.val = NULL;
ent->keys.len = 0;
ent->keys.val = NULL;
#else
ret = HDB_ERR_NOENTRY;
goto out;
@@ -1082,47 +1082,47 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
if (extensions != NULL) {
size_t l;
ent->entry.extensions = calloc(1, sizeof(*(ent->entry.extensions)));
if (ent->entry.extensions == NULL) {
ent->extensions = calloc(1, sizeof(*(ent->extensions)));
if (ent->extensions == NULL) {
ret = krb5_enomem(context);
goto out;
}
ent->entry.extensions->len = ldap_count_values_len(extensions);
ent->entry.extensions->val = (HDB_extension *) calloc(ent->entry.extensions->len, sizeof(HDB_extension));
if (ent->entry.extensions->val == NULL) {
ent->entry.extensions->len = 0;
ent->extensions->len = ldap_count_values_len(extensions);
ent->extensions->val = (HDB_extension *) calloc(ent->extensions->len, sizeof(HDB_extension));
if (ent->extensions->val == NULL) {
ent->extensions->len = 0;
ret = krb5_enomem(context);
goto out;
}
for (i = 0; i < ent->entry.extensions->len; i++) {
for (i = 0; i < ent->extensions->len; i++) {
ret = decode_HDB_extension((unsigned char *) extensions[i]->bv_val,
(size_t) extensions[i]->bv_len, &ent->entry.extensions->val[i], &l);
(size_t) extensions[i]->bv_len, &ent->extensions->val[i], &l);
if (ret)
krb5_set_error_message(context, ret, "decode_HDB_extension failed");
}
ber_bvecfree(extensions);
} else {
ent->entry.extensions = NULL;
ent->extensions = NULL;
}
vals = ldap_get_values_len(HDB2LDAP(db), msg, "krb5EncryptionType");
if (vals != NULL) {
ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
if (ent->entry.etypes == NULL) {
ent->etypes = malloc(sizeof(*(ent->etypes)));
if (ent->etypes == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,"malloc: out of memory");
goto out;
}
ent->entry.etypes->len = ldap_count_values_len(vals);
ent->entry.etypes->val = calloc(ent->entry.etypes->len,
sizeof(ent->entry.etypes->val[0]));
if (ent->entry.etypes->val == NULL) {
ent->etypes->len = ldap_count_values_len(vals);
ent->etypes->val = calloc(ent->etypes->len,
sizeof(ent->etypes->val[0]));
if (ent->etypes->val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
ent->entry.etypes->len = 0;
ent->etypes->len = 0;
goto out;
}
for (i = 0; i < ent->entry.etypes->len; i++) {
for (i = 0; i < ent->etypes->len; i++) {
char *buf;
buf = malloc(vals[i]->bv_len + 1);
@@ -1133,14 +1133,14 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
}
memcpy(buf, vals[i]->bv_val, vals[i]->bv_len);
buf[vals[i]->bv_len] = '\0';
ent->entry.etypes->val[i] = atoi(buf);
ent->etypes->val[i] = atoi(buf);
free(buf);
}
ldap_value_free_len(vals);
}
for (i = 0; i < ent->entry.keys.len; i++) {
if (ent->entry.keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
for (i = 0; i < ent->keys.len; i++) {
if (ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
have_arcfour = 1;
break;
}
@@ -1152,151 +1152,151 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
unsigned *etypes;
Key *ks;
ks = realloc(ent->entry.keys.val,
(ent->entry.keys.len + 1) *
sizeof(ent->entry.keys.val[0]));
ks = realloc(ent->keys.val,
(ent->keys.len + 1) *
sizeof(ent->keys.val[0]));
if (ks == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ent->entry.keys.val = ks;
memset(&ent->entry.keys.val[ent->entry.keys.len], 0, sizeof(Key));
ent->entry.keys.val[ent->entry.keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
ret = krb5_data_alloc (&ent->entry.keys.val[ent->entry.keys.len].key.keyvalue, 16);
ent->keys.val = ks;
memset(&ent->keys.val[ent->keys.len], 0, sizeof(Key));
ent->keys.val[ent->keys.len].key.keytype = ETYPE_ARCFOUR_HMAC_MD5;
ret = krb5_data_alloc (&ent->keys.val[ent->keys.len].key.keyvalue, 16);
if (ret) {
krb5_set_error_message(context, ret, "malloc: out of memory");
ret = ENOMEM;
goto out;
}
ret = hex_decode(ntPasswordIN,
ent->entry.keys.val[ent->entry.keys.len].key.keyvalue.data, 16);
ent->entry.keys.len++;
ent->keys.val[ent->keys.len].key.keyvalue.data, 16);
ent->keys.len++;
if (ret == -1) {
krb5_set_error_message(context, ret = EINVAL,
"invalid hex encoding of password");
goto out;
}
if (ent->entry.etypes == NULL) {
ent->entry.etypes = malloc(sizeof(*(ent->entry.etypes)));
if (ent->entry.etypes == NULL) {
if (ent->etypes == NULL) {
ent->etypes = malloc(sizeof(*(ent->etypes)));
if (ent->etypes == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ent->entry.etypes->val = NULL;
ent->entry.etypes->len = 0;
ent->etypes->val = NULL;
ent->etypes->len = 0;
}
for (i = 0; i < ent->entry.etypes->len; i++)
if (ent->entry.etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
for (i = 0; i < ent->etypes->len; i++)
if (ent->etypes->val[i] == ETYPE_ARCFOUR_HMAC_MD5)
break;
/* If there is no ARCFOUR enctype, add one */
if (i == ent->entry.etypes->len) {
etypes = realloc(ent->entry.etypes->val,
(ent->entry.etypes->len + 1) *
sizeof(ent->entry.etypes->val[0]));
if (i == ent->etypes->len) {
etypes = realloc(ent->etypes->val,
(ent->etypes->len + 1) *
sizeof(ent->etypes->val[0]));
if (etypes == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ent->entry.etypes->val = etypes;
ent->entry.etypes->val[ent->entry.etypes->len] =
ent->etypes->val = etypes;
ent->etypes->val[ent->etypes->len] =
ETYPE_ARCFOUR_HMAC_MD5;
ent->entry.etypes->len++;
ent->etypes->len++;
}
}
ret = LDAP_get_generalized_time_value(db, msg, "createTimestamp",
&ent->entry.created_by.time);
&ent->created_by.time);
if (ret)
ent->entry.created_by.time = time(NULL);
ent->created_by.time = time(NULL);
ent->entry.created_by.principal = NULL;
ent->created_by.principal = NULL;
if (flags & HDB_F_ADMIN_DATA) {
ret = LDAP_get_string_value(db, msg, "creatorsName", &dn);
if (ret == 0) {
LDAP_dn2principal(context, db, dn, &ent->entry.created_by.principal);
LDAP_dn2principal(context, db, dn, &ent->created_by.principal);
free(dn);
}
ent->entry.modified_by = calloc(1, sizeof(*ent->entry.modified_by));
if (ent->entry.modified_by == NULL) {
ent->modified_by = calloc(1, sizeof(*ent->modified_by));
if (ent->modified_by == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_generalized_time_value(db, msg, "modifyTimestamp",
&ent->entry.modified_by->time);
&ent->modified_by->time);
if (ret == 0) {
ret = LDAP_get_string_value(db, msg, "modifiersName", &dn);
if (ret == 0) {
LDAP_dn2principal(context, db, dn, &ent->entry.modified_by->principal);
LDAP_dn2principal(context, db, dn, &ent->modified_by->principal);
free(dn);
} else {
free(ent->entry.modified_by);
ent->entry.modified_by = NULL;
free(ent->modified_by);
ent->modified_by = NULL;
}
}
}
ent->entry.valid_start = malloc(sizeof(*ent->entry.valid_start));
if (ent->entry.valid_start == NULL) {
ent->valid_start = malloc(sizeof(*ent->valid_start));
if (ent->valid_start == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidStart",
ent->entry.valid_start);
ent->valid_start);
if (ret) {
/* OPTIONAL */
free(ent->entry.valid_start);
ent->entry.valid_start = NULL;
free(ent->valid_start);
ent->valid_start = NULL;
}
ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
if (ent->entry.valid_end == NULL) {
ent->valid_end = malloc(sizeof(*ent->valid_end));
if (ent->valid_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_generalized_time_value(db, msg, "krb5ValidEnd",
ent->entry.valid_end);
ent->valid_end);
if (ret) {
/* OPTIONAL */
free(ent->entry.valid_end);
ent->entry.valid_end = NULL;
free(ent->valid_end);
ent->valid_end = NULL;
}
ret = LDAP_get_integer_value(db, msg, "sambaKickoffTime", &tmp_time);
if (ret == 0) {
if (ent->entry.valid_end == NULL) {
ent->entry.valid_end = malloc(sizeof(*ent->entry.valid_end));
if (ent->entry.valid_end == NULL) {
if (ent->valid_end == NULL) {
ent->valid_end = malloc(sizeof(*ent->valid_end));
if (ent->valid_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
*ent->entry.valid_end = tmp_time;
*ent->valid_end = tmp_time;
}
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
if (ent->entry.pw_end == NULL) {
ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_generalized_time_value(db, msg, "krb5PasswordEnd",
ent->entry.pw_end);
ent->pw_end);
if (ret) {
/* OPTIONAL */
free(ent->entry.pw_end);
ent->entry.pw_end = NULL;
free(ent->pw_end);
ent->pw_end = NULL;
}
ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
@@ -1310,76 +1310,76 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
NULL);
if (delta) {
if (ent->entry.pw_end == NULL) {
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
if (ent->entry.pw_end == NULL) {
if (ent->pw_end == NULL) {
ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
*ent->entry.pw_end = tmp_time + delta;
*ent->pw_end = tmp_time + delta;
}
}
ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
if (ret == 0) {
if (ent->entry.pw_end == NULL) {
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
if (ent->entry.pw_end == NULL) {
if (ent->pw_end == NULL) {
ent->pw_end = malloc(sizeof(*ent->pw_end));
if (ent->pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
*ent->entry.pw_end = tmp_time;
*ent->pw_end = tmp_time;
}
/* OPTIONAL */
ret = LDAP_get_integer_value(db, msg, "sambaPwdLastSet", &tmp_time);
if (ret == 0)
hdb_entry_set_pw_change_time(context, &ent->entry, tmp_time);
hdb_entry_set_pw_change_time(context, ent, tmp_time);
{
int max_life;
ent->entry.max_life = malloc(sizeof(*ent->entry.max_life));
if (ent->entry.max_life == NULL) {
ent->max_life = malloc(sizeof(*ent->max_life));
if (ent->max_life == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_integer_value(db, msg, "krb5MaxLife", &max_life);
if (ret) {
free(ent->entry.max_life);
ent->entry.max_life = NULL;
free(ent->max_life);
ent->max_life = NULL;
} else
*ent->entry.max_life = max_life;
*ent->max_life = max_life;
}
{
int max_renew;
ent->entry.max_renew = malloc(sizeof(*ent->entry.max_renew));
if (ent->entry.max_renew == NULL) {
ent->max_renew = malloc(sizeof(*ent->max_renew));
if (ent->max_renew == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = LDAP_get_integer_value(db, msg, "krb5MaxRenew", &max_renew);
if (ret) {
free(ent->entry.max_renew);
ent->entry.max_renew = NULL;
free(ent->max_renew);
ent->max_renew = NULL;
} else
*ent->entry.max_renew = max_renew;
*ent->max_renew = max_renew;
}
ret = LDAP_get_integer_value(db, msg, "krb5KDCFlags", &tmp);
if (ret)
tmp = 0;
ent->entry.flags = int2HDBFlags(tmp);
ent->flags = int2HDBFlags(tmp);
/* Try and find Samba flags to put into the mix */
ret = LDAP_get_string_value(db, msg, "sambaAcctFlags", &samba_acct_flags);
@@ -1411,7 +1411,7 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
/* Allow forwarding */
if (samba_forwardable)
ent->entry.flags.forwardable = TRUE;
ent->flags.forwardable = TRUE;
for (i=0; i < flags_len; i++) {
switch (samba_acct_flags[i]) {
@@ -1423,36 +1423,36 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
/* how to handle no password in kerberos? */
break;
case 'D':
ent->entry.flags.invalid = TRUE;
ent->flags.invalid = TRUE;
break;
case 'H':
break;
case 'T':
/* temp duplicate */
ent->entry.flags.invalid = TRUE;
ent->flags.invalid = TRUE;
break;
case 'U':
ent->entry.flags.client = TRUE;
ent->flags.client = TRUE;
break;
case 'M':
break;
case 'W':
case 'S':
ent->entry.flags.server = TRUE;
ent->entry.flags.client = TRUE;
ent->flags.server = TRUE;
ent->flags.client = TRUE;
break;
case 'L':
ent->entry.flags.invalid = TRUE;
ent->flags.invalid = TRUE;
break;
case 'X':
if (ent->entry.pw_end) {
free(ent->entry.pw_end);
ent->entry.pw_end = NULL;
if (ent->pw_end) {
free(ent->pw_end);
ent->pw_end = NULL;
}
break;
case 'I':
ent->entry.flags.server = TRUE;
ent->entry.flags.client = TRUE;
ent->flags.server = TRUE;
ent->flags.client = TRUE;
break;
}
}
@@ -1496,7 +1496,7 @@ LDAP_unlock(krb5_context context, HDB * db)
}
static krb5_error_code
LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry * entry)
{
int msgid, rc, parserc;
krb5_error_code ret;
@@ -1550,7 +1550,7 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
if (ret == 0) {
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if (ret)
hdb_free_entry(context, db, entry);
}
@@ -1561,7 +1561,7 @@ LDAP_seq(krb5_context context, HDB * db, unsigned flags, hdb_entry_ex * entry)
static krb5_error_code
LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
krb5_error_code ret;
int msgid;
@@ -1589,7 +1589,7 @@ LDAP_firstkey(krb5_context context, HDB *db, unsigned flags,
static krb5_error_code
LDAP_nextkey(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
hdb_entry * entry)
{
return LDAP_seq(context, db, flags, entry);
}
@@ -1692,7 +1692,7 @@ LDAP_open(krb5_context context, HDB * db, int flags, mode_t mode)
static krb5_error_code
LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex * entry)
unsigned flags, krb5_kvno kvno, hdb_entry * entry)
{
LDAPMessage *msg, *e;
krb5_error_code ret;
@@ -1710,7 +1710,7 @@ LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
ret = LDAP_message2entry(context, db, e, flags, entry);
if (ret == 0) {
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if (ret)
hdb_free_entry(context, db, entry);
}
@@ -1725,7 +1725,7 @@ LDAP_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
#if 0
static krb5_error_code
LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
unsigned flags, hdb_entry_ex * entry)
unsigned flags, hdb_entry * entry)
{
return LDAP_fetch_kvno(context, db, principal,
flags & (~HDB_F_KVNO_SPECIFIED), 0, entry);
@@ -1734,7 +1734,7 @@ LDAP_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
static krb5_error_code
LDAP_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry_ex * entry)
hdb_entry * entry)
{
LDAPMod **mods = NULL;
krb5_error_code ret;
@@ -1747,17 +1747,17 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags,
if ((flags & HDB_F_PRECHECK))
return 0; /* we can't guarantee whether we'll be able to perform it */
ret = LDAP_principal2message(context, db, entry->entry.principal, &msg);
ret = LDAP_principal2message(context, db, entry->principal, &msg);
if (ret == 0)
e = ldap_first_entry(HDB2LDAP(db), msg);
ret = krb5_unparse_name(context, entry->entry.principal, &name);
ret = krb5_unparse_name(context, entry->principal, &name);
if (ret) {
free(name);
return ret;
}
ret = hdb_seal_keys(context, db, &entry->entry);
ret = hdb_seal_keys(context, db, entry);
if (ret)
goto out;

18
lib/hdb/hdb-mdb.c
View File

@@ -383,7 +383,7 @@ DB_unlock(krb5_context context, HDB *db)
static krb5_error_code
DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag)
unsigned flags, hdb_entry *entry, int flag)
{
mdb_info *mi = db->hdb_db;
MDB_val key, value;
@@ -406,21 +406,21 @@ DB_seq(krb5_context context, HDB *db,
data.data = value.mv_data;
data.length = value.mv_size;
memset(entry, 0, sizeof(*entry));
if (hdb_value2entry(context, &data, &entry->entry))
if (hdb_value2entry(context, &data, entry))
return DB_seq(context, db, flags, entry, MDB_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry);
code = hdb_unseal_keys (context, db, entry);
if (code)
hdb_free_entry (context, db, entry);
}
if (entry->entry.principal == NULL) {
entry->entry.principal = malloc(sizeof(*entry->entry.principal));
if (entry->entry.principal == NULL) {
if (entry->principal == NULL) {
entry->principal = malloc(sizeof(*entry->principal));
if (entry->principal == NULL) {
hdb_free_entry (context, db, entry);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
} else {
hdb_key2principal(context, &key_data, entry->entry.principal);
hdb_key2principal(context, &key_data, entry->principal);
}
}
return 0;
@@ -428,7 +428,7 @@ DB_seq(krb5_context context, HDB *db,
static krb5_error_code
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
krb5_error_code ret = 0;
mdb_info *mi = db->hdb_db;
@@ -462,7 +462,7 @@ DB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
static krb5_error_code
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
DB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return DB_seq(context, db, flags, entry, MDB_NEXT);
}

26
lib/hdb/hdb-mitdb.c
View File

@@ -765,7 +765,7 @@ mdb_unlock(krb5_context context, HDB *db)
static krb5_error_code
mdb_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int flag)
unsigned flags, hdb_entry *entry, int flag)
{
DB *d = (DB*)db->hdb_db;
DBT key, value;
@@ -796,11 +796,11 @@ mdb_seq(krb5_context context, HDB *db,
data.length = value.size;
memset(entry, 0, sizeof(*entry));
if (_hdb_mdb_value2entry(context, &data, 0, &entry->entry))
if (_hdb_mdb_value2entry(context, &data, 0, entry))
return mdb_seq(context, db, flags, entry, R_NEXT);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
code = hdb_unseal_keys (context, db, &entry->entry);
code = hdb_unseal_keys (context, db, entry);
if (code)
hdb_free_entry (context, db, entry);
}
@@ -810,14 +810,14 @@ mdb_seq(krb5_context context, HDB *db,
static krb5_error_code
mdb_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
mdb_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return mdb_seq(context, db, flags, entry, R_FIRST);
}
static krb5_error_code
mdb_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
mdb_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return mdb_seq(context, db, flags, entry, R_NEXT);
}
@@ -941,7 +941,7 @@ mdb__del(krb5_context context, HDB *db, krb5_data key)
static krb5_error_code
mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{
krb5_data key, value;
krb5_error_code ret;
@@ -953,13 +953,13 @@ mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
krb5_data_free(&key);
if(ret)
return ret;
ret = _hdb_mdb_value2entry(context, &value, kvno, &entry->entry);
ret = _hdb_mdb_value2entry(context, &value, kvno, entry);
krb5_data_free(&value);
if (ret)
return ret;
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys (context, db, &entry->entry);
ret = hdb_unseal_keys (context, db, entry);
if (ret) {
hdb_free_entry(context, db, entry);
return ret;
@@ -970,7 +970,7 @@ mdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
}
static krb5_error_code
mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
krb5_error_code ret;
krb5_storage *sp = NULL;
@@ -985,7 +985,7 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
return 0;
if ((flags & HDB_F_PRECHECK)) {
ret = mdb_principal2key(context, entry->entry.principal, &key);
ret = mdb_principal2key(context, entry->principal, &key);
if (ret) return ret;
ret = db->hdb__get(context, db, key, &value);
krb5_data_free(&key);
@@ -999,9 +999,9 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
sp = krb5_storage_emem();
if (!sp) return ENOMEM;
ret = _hdb_set_master_key_usage(context, db, 0); /* MIT KDB uses KU 0 */
ret = hdb_seal_keys(context, db, &entry->entry);
ret = hdb_seal_keys(context, db, entry);
if (ret) return ret;
ret = entry2mit_string_int(context, sp, &entry->entry);
ret = entry2mit_string_int(context, sp, entry);
if (ret) goto out;
sz = krb5_storage_write(sp, "\n", 2); /* NUL-terminate */
ret = ENOMEM;
@@ -1016,7 +1016,7 @@ mdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
if (ret) goto out;
ret = krb5_storage_to_data(spent, &kdb_ent);
if (ret) goto out;
ret = mdb_principal2key(context, entry->entry.principal, &key);
ret = mdb_principal2key(context, entry->principal, &key);
if (ret) goto out;
ret = mdb__put(context, db, 1, key, kdb_ent);

24
lib/hdb/hdb-sqlite.c
View File

@@ -495,7 +495,7 @@ hdb_sqlite_make_database(krb5_context context, HDB *db, const char *filename)
*/
static krb5_error_code
hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
unsigned flags, krb5_kvno kvno, hdb_entry *entry)
{
int sqlite_error;
krb5_error_code ret;
@@ -541,12 +541,12 @@ hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal princi
value.length = sqlite3_column_bytes(fetch, 0);
value.data = (void *) sqlite3_column_blob(fetch, 0);
ret = hdb_value2entry(context, &value, &entry->entry);
ret = hdb_value2entry(context, &value, entry);
if(ret)
goto out;
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys(context, db, &entry->entry);
ret = hdb_unseal_keys(context, db, entry);
if(ret) {
hdb_free_entry(context, db, entry);
goto out;
@@ -600,7 +600,7 @@ hdb_sqlite_step_once(krb5_context context, HDB *db, sqlite3_stmt *statement)
*/
static krb5_error_code
hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
int ret;
int i;
@@ -624,17 +624,17 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback;
}
ret = hdb_seal_keys(context, db, &entry->entry);
ret = hdb_seal_keys(context, db, entry);
if(ret) {
goto rollback;
}
ret = hdb_entry2value(context, &entry->entry, &value);
ret = hdb_entry2value(context, entry, &value);
if(ret) {
goto rollback;
}
ret = bind_principal(context, entry->entry.principal, get_ids, 1);
ret = bind_principal(context, entry->principal, get_ids, 1);
if (ret)
goto rollback;
@@ -656,7 +656,7 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback;
}
ret = bind_principal(context, entry->entry.principal, hsdb->add_principal, 1);
ret = bind_principal(context, entry->principal, hsdb->add_principal, 1);
if (ret)
goto rollback;
@@ -711,7 +711,7 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
goto rollback;
}
ret = hdb_entry_get_aliases(&entry->entry, &aliases);
ret = hdb_entry_get_aliases(entry, &aliases);
if(ret || aliases == NULL)
goto commit;
@@ -862,7 +862,7 @@ hdb_sqlite_unlock(krb5_context context, HDB *db)
*/
static krb5_error_code
hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
krb5_error_code ret = 0;
int sqlite_error;
@@ -876,7 +876,7 @@ hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
value.length = sqlite3_column_bytes(hsdb->get_all_entries, 0);
value.data = (void *) sqlite3_column_blob(hsdb->get_all_entries, 0);
memset(entry, 0, sizeof(*entry));
ret = hdb_value2entry(context, &value, &entry->entry);
ret = hdb_value2entry(context, &value, entry);
}
else if(sqlite_error == SQLITE_DONE) {
/* No more entries */
@@ -900,7 +900,7 @@ hdb_sqlite_nextkey(krb5_context context, HDB *db, unsigned flags,
*/
static krb5_error_code
hdb_sqlite_firstkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
hdb_entry *entry)
{
hdb_sqlite_db *hsdb = (hdb_sqlite_db *) db->hdb_db;
krb5_error_code ret;

28
lib/hdb/hdb.c
View File

@@ -397,7 +397,7 @@ hdb_unlock(int fd)
}
void
hdb_free_entry(krb5_context context, HDB *db, hdb_entry_ex *ent)
hdb_free_entry(krb5_context context, HDB *db, hdb_entry *ent)
{
Key *k;
size_t i;
@@ -405,15 +405,15 @@ hdb_free_entry(krb5_context context, HDB *db, hdb_entry_ex *ent)
if (db && db->hdb_free_entry_context)
db->hdb_free_entry_context(context, db, ent);
for(i = 0; i < ent->entry.keys.len; i++) {
k = &ent->entry.keys.val[i];
for(i = 0; i < ent->keys.len; i++) {
k = &ent->keys.val[i];
memset_s(k->key.keyvalue.data,
k->key.keyvalue.length,
0,
k->key.keyvalue.length);
}
free_HDB_entry(&ent->entry);
free_HDB_entry(ent);
}
krb5_error_code
@@ -424,7 +424,7 @@ hdb_foreach(krb5_context context,
void *data)
{
krb5_error_code ret;
hdb_entry_ex entry;
hdb_entry entry;
ret = db->hdb_firstkey(context, db, flags, &entry);
if (ret == 0)
krb5_clear_error_message(context);
@@ -665,22 +665,22 @@ hdb_list_builtin(krb5_context context, char **list)
krb5_error_code
_hdb_keytab2hdb_entry(krb5_context context,
const krb5_keytab_entry *ktentry,
hdb_entry_ex *entry)
hdb_entry *entry)
{
entry->entry.kvno = ktentry->vno;
entry->entry.created_by.time = ktentry->timestamp;
entry->kvno = ktentry->vno;
entry->created_by.time = ktentry->timestamp;
entry->entry.keys.val = calloc(1, sizeof(entry->entry.keys.val[0]));
if (entry->entry.keys.val == NULL)
entry->keys.val = calloc(1, sizeof(entry->keys.val[0]));
if (entry->keys.val == NULL)
return ENOMEM;
entry->entry.keys.len = 1;
entry->keys.len = 1;
entry->entry.keys.val[0].mkvno = NULL;
entry->entry.keys.val[0].salt = NULL;
entry->keys.val[0].mkvno = NULL;
entry->keys.val[0].salt = NULL;
return krb5_copy_keyblock_contents(context,
&ktentry->keyblock,
&entry->entry.keys.val[0].key);
&entry->keys.val[0].key);
}
static krb5_error_code

34
lib/hdb/hdb.h
View File

@@ -102,18 +102,6 @@ typedef struct hdb_request_desc {
typedef struct hdb_master_key_data *hdb_master_key;
/**
* hdb_entry_ex is a wrapper structure around the hdb_entry structure
* that allows backends to keep a pointer to the backing store, ie in
* ->hdb_fetch_kvno(), so that we the kadmin/kpasswd backend gets around to
* ->hdb_store(), the backend doesn't need to lookup the entry again.
*/
typedef struct hdb_entry_ex {
hdb_entry entry;
} hdb_entry_ex;
/**
* HDB backend function pointer structure
*
@@ -165,7 +153,7 @@ typedef struct HDB {
/**
* Free backend-specific entry context.
*/
void (*hdb_free_entry_context)(krb5_context, struct HDB*, hdb_entry_ex*);
void (*hdb_free_entry_context)(krb5_context, struct HDB*, hdb_entry*);
/**
* Fetch an entry from the backend
*
@@ -175,12 +163,12 @@ typedef struct HDB {
*/
krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*,
krb5_const_principal, unsigned, krb5_kvno,
hdb_entry_ex*);
hdb_entry*);
/**
* Store an entry to database
*/
krb5_error_code (*hdb_store)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*);
unsigned, hdb_entry*);
/**
* Remove an entry from the database.
*/
@@ -190,12 +178,12 @@ typedef struct HDB {
* As part of iteration, fetch one entry
*/
krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*);
unsigned, hdb_entry*);
/**
* As part of iteration, fetch next entry
*/
krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*);
unsigned, hdb_entry*);
/**
* Lock database
*
@@ -274,7 +262,7 @@ typedef struct HDB {
* The backend needs to call _kadm5_set_keys() and perform password
* quality checks.
*/
krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);
krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry*, const char *, int);
/**
* Authentication auditing. Note that this function is called by
@@ -287,22 +275,22 @@ typedef struct HDB {
* In case the entry is locked out, the backend should set the
* hdb_entry.flags.locked-out flag.
*/
krb5_error_code (*hdb_audit)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_request_t);
krb5_error_code (*hdb_audit)(krb5_context, struct HDB *, hdb_entry *, hdb_request_t);
/**
* Check if delegation is allowed.
*/
krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal);
/**
* Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
*/
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry *, krb5_const_principal);
/**
* Check if s4u2self is allowed from this client to this server or the SPN is a valid SPN of this client (for user2user)
*/
krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_entry_ex *);
krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry *, hdb_entry *);
/**
* Enable/disable synchronous updates
@@ -337,7 +325,7 @@ struct hdb_print_entry_arg {
};
typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
hdb_entry_ex*, void*);
hdb_entry*, void*);
extern krb5_kt_ops hdb_kt_ops;
extern krb5_kt_ops hdb_get_kt_ops;

30
lib/hdb/keytab.c
View File

@@ -42,7 +42,7 @@ struct hdb_data {
struct hdb_cursor {
HDB *db;
hdb_entry_ex hdb_entry;
hdb_entry hdb_entry;
int first, next;
int key_idx;
};
@@ -181,7 +181,7 @@ hdb_get_entry(krb5_context context,
krb5_enctype enctype,
krb5_keytab_entry *entry)
{
hdb_entry_ex ent;
hdb_entry ent;
krb5_error_code ret;
struct hdb_data *d = id->data;
const char *dbname = d->dbname;
@@ -226,21 +226,21 @@ hdb_get_entry(krb5_context context,
}else if(ret)
goto out;
if(kvno && (krb5_kvno)ent.entry.kvno != kvno) {
if(kvno && (krb5_kvno)ent.kvno != kvno) {
hdb_free_entry(context, db, &ent);
ret = KRB5_KT_NOTFOUND;
goto out;
}
if(enctype == 0)
if(ent.entry.keys.len > 0)
enctype = ent.entry.keys.val[0].key.keytype;
if(ent.keys.len > 0)
enctype = ent.keys.val[0].key.keytype;
ret = KRB5_KT_NOTFOUND;
for(i = 0; i < ent.entry.keys.len; i++) {
if(ent.entry.keys.val[i].key.keytype == enctype) {
for(i = 0; i < ent.keys.len; i++) {
if(ent.keys.val[i].key.keytype == enctype) {
krb5_copy_principal(context, principal, &entry->principal);
entry->vno = ent.entry.kvno;
entry->vno = ent.kvno;
krb5_copy_keyblock_contents(context,
&ent.entry.keys.val[i].key,
&ent.keys.val[i].key,
&entry->keyblock);
ret = 0;
break;
@@ -336,7 +336,7 @@ hdb_next_entry(krb5_context context,
else if (ret)
return ret;
if (c->hdb_entry.entry.keys.len == 0)
if (c->hdb_entry.keys.len == 0)
hdb_free_entry(context, c->db, &c->hdb_entry);
else
c->next = FALSE;
@@ -353,7 +353,7 @@ hdb_next_entry(krb5_context context,
return ret;
/* If no keys on this entry, try again */
if (c->hdb_entry.entry.keys.len == 0)
if (c->hdb_entry.keys.len == 0)
hdb_free_entry(context, c->db, &c->hdb_entry);
else
c->next = FALSE;
@@ -365,14 +365,14 @@ hdb_next_entry(krb5_context context,
*/
ret = krb5_copy_principal(context,
c->hdb_entry.entry.principal,
c->hdb_entry.principal,
&entry->principal);
if (ret)
return ret;
entry->vno = c->hdb_entry.entry.kvno;
entry->vno = c->hdb_entry.kvno;
ret = krb5_copy_keyblock_contents(context,
&c->hdb_entry.entry.keys.val[c->key_idx].key,
&c->hdb_entry.keys.val[c->key_idx].key,
&entry->keyblock);
if (ret) {
krb5_free_principal(context, entry->principal);
@@ -386,7 +386,7 @@ hdb_next_entry(krb5_context context,
* next entry
*/
if ((size_t)c->key_idx == c->hdb_entry.entry.keys.len) {
if ((size_t)c->key_idx == c->hdb_entry.keys.len) {
hdb_free_entry(context, c->db, &c->hdb_entry);
c->next = TRUE;
c->key_idx = 0;

18
lib/hdb/ndbm.c
View File

@@ -76,7 +76,7 @@ NDBM_unlock(krb5_context context, HDB *db)
static krb5_error_code
NDBM_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry_ex *entry, int first)
unsigned flags, hdb_entry *entry, int first)
{
struct ndbm_db *d = (struct ndbm_db *)db->hdb_db;
@@ -99,21 +99,21 @@ NDBM_seq(krb5_context context, HDB *db,
data.data = value.dptr;
data.length = value.dsize;
memset(entry, 0, sizeof(*entry));
if(hdb_value2entry(context, &data, &entry->entry))
if(hdb_value2entry(context, &data, entry))
return NDBM_seq(context, db, flags, entry, 0);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
ret = hdb_unseal_keys (context, db, &entry->entry);
ret = hdb_unseal_keys (context, db, entry);
if (ret)
hdb_free_entry (context, db, entry);
}
if (ret == 0 && entry->entry.principal == NULL) {
entry->entry.principal = malloc (sizeof(*entry->entry.principal));
if (entry->entry.principal == NULL) {
if (ret == 0 && entry->principal == NULL) {
entry->principal = malloc (sizeof(*entry->principal));
if (entry->principal == NULL) {
hdb_free_entry (context, db, entry);
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
} else {
hdb_key2principal (context, &key_data, entry->entry.principal);
hdb_key2principal (context, &key_data, entry->principal);
}
}
return ret;
@@ -121,14 +121,14 @@ NDBM_seq(krb5_context context, HDB *db,
static krb5_error_code
NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry_ex *entry)
NDBM_firstkey(krb5_context context, HDB *db,unsigned flags,hdb_entry *entry)
{
return NDBM_seq(context, db, flags, entry, 1);
}
static krb5_error_code
NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry_ex *entry)
NDBM_nextkey(krb5_context context, HDB *db, unsigned flags,hdb_entry *entry)
{
return NDBM_seq(context, db, flags, entry, 0);
}

6
lib/hdb/print.c
View File

@@ -556,7 +556,7 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str)
/* print a hdb_entry to (FILE*)data; suitable for hdb_foreach */
krb5_error_code
hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry,
hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry,
void *data)
{
struct hdb_print_entry_arg *parg = data;
@@ -572,10 +572,10 @@ hdb_print_entry(krb5_context context, HDB *db, hdb_entry_ex *entry,
switch (parg->fmt) {
case HDB_DUMP_HEIMDAL:
ret = entry2string_int(context, sp, &entry->entry);
ret = entry2string_int(context, sp, entry);
break;
case HDB_DUMP_MIT:
ret = entry2mit_string_int(context, sp, &entry->entry);
ret = entry2mit_string_int(context, sp, entry);
break;
default:
heim_abort("Only two dump formats supported: Heimdal and MIT");

52
lib/hdb/test_concurrency.c
View File

@@ -70,7 +70,7 @@ threaded_reader(void *d)
krb5_error_code ret;
krb5_context context;
struct tsync *s = d;
hdb_entry_ex entr;
hdb_entry entr;
HDB *dbr = NULL;
printf("Reader thread opening HDB\n");
@@ -101,7 +101,7 @@ threaded_reader(void *d)
//(void) unlink(s->fname);
krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name);
}
free_HDB_entry(&entr.entry);
free_HDB_entry(&entr);
/* Tell the writer to go ahead and write */
printf("Reader thread iterated one entry; telling writer to write more\n");
@@ -124,7 +124,7 @@ threaded_reader(void *d)
"Could not iterate while writing to HDB %s", s->hdb_name);
}
printf("Reader thread iterated another entry\n");
free_HDB_entry(&entr.entry);
free_HDB_entry(&entr);
if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) {
//(void) unlink(s->fname);
krb5_warn(context, ret,
@@ -154,7 +154,7 @@ forked_reader(struct tsync *s)
{
krb5_error_code ret;
krb5_context context;
hdb_entry_ex entr;
hdb_entry entr;
ssize_t bytes;
char b[1];
HDB *dbr = NULL;
@@ -190,7 +190,7 @@ forked_reader(struct tsync *s)
krb5_err(context, 1, ret, "Could not iterate HDB %s", s->hdb_name);
}
printf("Reader process iterated one entry\n");
free_HDB_entry(&entr.entry);
free_HDB_entry(&entr);
/* Tell the writer to go ahead and write */
printf("Reader process iterated one entry; telling writer to write more\n");
@@ -217,13 +217,13 @@ forked_reader(struct tsync *s)
krb5_err(context, 1, ret,
"Could not iterate while writing to HDB %s", s->hdb_name);
}
free_HDB_entry(&entr.entry);
free_HDB_entry(&entr);
printf("Reader process iterated another entry\n");
if ((ret = dbr->hdb_nextkey(context, dbr, 0, &entr)) == 0) {
//(void) unlink(s->fname);
krb5_warn(context, ret,
"HDB %s sees writes committed since starting iteration (%s)",
s->hdb_name, entr.entry.principal->name.name_string.val[0]);
s->hdb_name, entr.principal->name.name_string.val[0]);
} else if (ret != HDB_ERR_NOENTRY) {
//(void) unlink(s->fname);
krb5_err(context, 1, ret,
@@ -248,27 +248,27 @@ forked_reader(struct tsync *s)
}
static krb5_error_code
make_entry(krb5_context context, hdb_entry_ex *entry, const char *name)
make_entry(krb5_context context, hdb_entry *entry, const char *name)
{
krb5_error_code ret;
memset(entry, 0, sizeof(*entry));
entry->entry.kvno = 2;
entry->entry.keys.len = 0;
entry->entry.keys.val = NULL;
entry->entry.created_by.time = time(NULL);
entry->entry.modified_by = NULL;
entry->entry.valid_start = NULL;
entry->entry.valid_end = NULL;
entry->entry.max_life = NULL;
entry->entry.max_renew = NULL;
entry->entry.etypes = NULL;
entry->entry.generation = NULL;
entry->entry.extensions = NULL;
if ((ret = krb5_make_principal(context, &entry->entry.principal,
entry->kvno = 2;
entry->keys.len = 0;
entry->keys.val = NULL;
entry->created_by.time = time(NULL);
entry->modified_by = NULL;
entry->valid_start = NULL;
entry->valid_end = NULL;
entry->max_life = NULL;
entry->max_renew = NULL;
entry->etypes = NULL;
entry->generation = NULL;
entry->extensions = NULL;
if ((ret = krb5_make_principal(context, &entry->principal,
"TEST.H5L.SE", name, NULL)))
return ret;
if ((ret = krb5_make_principal(context, &entry->entry.created_by.principal,
if ((ret = krb5_make_principal(context, &entry->created_by.principal,
"TEST.H5L.SE", "tester", NULL)))
return ret;
return 0;
@@ -326,7 +326,7 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
char *fname_ext = NULL;
pthread_t reader_thread;
struct tsync ts;
hdb_entry_ex entw;
hdb_entry entw;
pid_t child = getpid();
HDB *dbw = NULL;
int status;
@@ -393,14 +393,14 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
krb5_err(context, 1, ret,
"Could not store entry for \"foo\" in HDB %s", name);
}
free_HDB_entry(&entw.entry);
free_HDB_entry(&entw);
if ((ret = make_entry(context, &entw, "bar")) ||
(ret = dbw->hdb_store(context, dbw, 0, &entw))) {
(void) unlink(fname_ext);
krb5_err(context, 1, ret,
"Could not store entry for \"foo\" in HDB %s", name);
}
free_HDB_entry(&entw.entry);
free_HDB_entry(&entw);
/* Tell the reader to start reading */
readers_turn(&ts, child, threaded);
@@ -413,7 +413,7 @@ test_hdb_concurrency(char *name, const char *ext, int threaded)
"Could not store entry for \"foobar\" in HDB %s "
"while iterating it", name);
}
free_HDB_entry(&entw.entry);
free_HDB_entry(&entw);
/* Tell the reader to go again */
readers_turn(&ts, child, threaded);

145
lib/hdb/test_namespace.c
View File

@@ -106,7 +106,7 @@ TDB_unlock(krb5_context context, HDB *db)
}
static krb5_error_code
TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
/* XXX Implement */
/* Tricky thing: heim_dict_iterate_f() is inconvenient here */
@@ -115,7 +115,7 @@ TDB_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
}
static krb5_error_code
TDB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
TDB_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
/* XXX Implement */
/* Tricky thing: heim_dict_iterate_f() is inconvenient here */
@@ -337,7 +337,7 @@ static void
make_namespace(krb5_context context, HDB *db, const char *name)
{
krb5_error_code ret = 0;
hdb_entry_ex e;
hdb_entry e;
Key k;
memset(&k, 0, sizeof(k));
@@ -346,76 +346,76 @@ make_namespace(krb5_context context, HDB *db, const char *name)
/* Setup the HDB entry */
memset(&e, 0, sizeof(e));
e.entry.created_by.time = krs[0].epoch;
e.entry.valid_start = e.entry.valid_end = e.entry.pw_end = 0;
e.entry.generation = 0;
e.entry.flags = int2HDBFlags(0);
e.entry.flags.server = e.entry.flags.client = 1;
e.entry.flags.virtual = 1;
e.created_by.time = krs[0].epoch;
e.valid_start = e.valid_end = e.pw_end = 0;
e.generation = 0;
e.flags = int2HDBFlags(0);
e.flags.server = e.flags.client = 1;
e.flags.virtual = 1;
/* Setup etypes */
if (ret == 0 &&
(e.entry.etypes = malloc(sizeof(*e.entry.etypes))) == NULL)
(e.etypes = malloc(sizeof(*e.etypes))) == NULL)
ret = krb5_enomem(context);
if (ret == 0)
e.entry.etypes->len = 3;
e.etypes->len = 3;
if (ret == 0 &&
(e.entry.etypes->val = calloc(e.entry.etypes->len,
sizeof(e.entry.etypes->val[0]))) == NULL)
(e.etypes->val = calloc(e.etypes->len,
sizeof(e.etypes->val[0]))) == NULL)
ret = krb5_enomem(context);
if (ret == 0) {
e.entry.etypes->val[0] = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128;
e.entry.etypes->val[1] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192;
e.entry.etypes->val[2] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
e.etypes->val[0] = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128;
e.etypes->val[1] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192;
e.etypes->val[2] = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
}
/* Setup max_life and max_renew */
if (ret == 0 &&
(e.entry.max_life = malloc(sizeof(*e.entry.max_life))) == NULL)
(e.max_life = malloc(sizeof(*e.max_life))) == NULL)
ret = krb5_enomem(context);
if (ret == 0 &&
(e.entry.max_renew = malloc(sizeof(*e.entry.max_renew))) == NULL)
(e.max_renew = malloc(sizeof(*e.max_renew))) == NULL)
ret = krb5_enomem(context);
if (ret == 0)
/* Make it long, so we see the clamped max */
*e.entry.max_renew = 2 * ((*e.entry.max_life = 15 * 24 * 3600));
*e.max_renew = 2 * ((*e.max_life = 15 * 24 * 3600));
/* Setup principal name and created_by */
if (ret == 0)
ret = krb5_parse_name(context, name, &e.entry.principal);
ret = krb5_parse_name(context, name, &e.principal);
if (ret == 0)
ret = krb5_parse_name(context, "admin@BAR.EXAMPLE",
&e.entry.created_by.principal);
&e.created_by.principal);
/* Make base keys for first epoch */
if (ret == 0)
ret = make_base_key(context, e.entry.principal, base_pw[0], &k.key);
ret = make_base_key(context, e.principal, base_pw[0], &k.key);
if (ret == 0)
add_Keys(&e.entry.keys, &k);
add_Keys(&e.keys, &k);
if (ret == 0)
ret = hdb_entry_set_pw_change_time(context, &e.entry, krs[0].epoch);
ret = hdb_entry_set_pw_change_time(context, &e, krs[0].epoch);
free_Key(&k);
e.entry.kvno = krs[0].base_key_kvno;
e.kvno = krs[0].base_key_kvno;
/* Move them to history */
if (ret == 0)
ret = hdb_add_current_keys_to_history(context, &e.entry);
free_Keys(&e.entry.keys);
ret = hdb_add_current_keys_to_history(context, &e);
free_Keys(&e.keys);
/* Make base keys for second epoch */
if (ret == 0)
ret = make_base_key(context, e.entry.principal, base_pw[1], &k.key);
ret = make_base_key(context, e.principal, base_pw[1], &k.key);
if (ret == 0)
add_Keys(&e.entry.keys, &k);
e.entry.kvno = krs[1].base_key_kvno;
add_Keys(&e.keys, &k);
e.kvno = krs[1].base_key_kvno;
if (ret == 0)
ret = hdb_entry_set_pw_change_time(context, &e.entry, krs[1].epoch);
ret = hdb_entry_set_pw_change_time(context, &e, krs[1].epoch);
/* Add the key rotation metadata */
if (ret == 0)
ret = hdb_entry_add_key_rotation(context, &e.entry, 0, &krs[0]);
ret = hdb_entry_add_key_rotation(context, &e, 0, &krs[0]);
if (ret == 0)
ret = hdb_entry_add_key_rotation(context, &e.entry, 0, &krs[1]);
ret = hdb_entry_add_key_rotation(context, &e, 0, &krs[1]);
if (ret == 0)
ret = db->hdb_store(context, db, 0, &e);
@@ -447,7 +447,7 @@ static const char *unexpected[] = {
* different time offsets in each period.
*/
#define NUM_OFFSETS 5
static hdb_entry_ex e[
static hdb_entry e[
(sizeof(expected) / sizeof(expected[0])) *
(sizeof(krs) / sizeof(krs[0])) *
NUM_OFFSETS
@@ -479,8 +479,8 @@ fetch_entries(krb5_context context,
krb5_error_code ret = 0;
krb5_principal p = NULL;
krb5_keyblock base_key, dk;
hdb_entry_ex *ep;
hdb_entry_ex no;
hdb_entry *ep;
hdb_entry no;
size_t i, b;
int toffset = 0;
@@ -541,14 +541,14 @@ fetch_entries(krb5_context context,
}
} else {
if (ret == 0 &&
!krb5_principal_compare(context, p, ep->entry.principal))
!krb5_principal_compare(context, p, ep->principal))
krb5_errx(context, 1, "wrong principal in fetched entry");
}
{
HDB_Ext_KeySet *hist_keys;
HDB_extension *ext;
ext = hdb_find_extension(&ep->entry,
ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys);
if (ext) {
/* Sort key history by kvno, why not */
@@ -611,23 +611,23 @@ fetch_entries(krb5_context context,
if (ret)
krb5_err(context, 1, ret, "deriving keys for comparison");
if (kvno != ep->entry.kvno)
krb5_errx(context, 1, "kvno mismatch (%u != %u)", kvno, ep->entry.kvno);
(void) hdb_entry_get_pw_change_time(&ep->entry, &chg_time);
if (kvno != ep->kvno)
krb5_errx(context, 1, "kvno mismatch (%u != %u)", kvno, ep->kvno);
(void) hdb_entry_get_pw_change_time(ep, &chg_time);
if (set_time != chg_time)
krb5_errx(context, 1, "key change time mismatch");
if (ep->entry.keys.len == 0)
if (ep->keys.len == 0)
krb5_errx(context, 1, "no keys!");
if (ep->entry.keys.val[0].key.keytype != dk.keytype)
if (ep->keys.val[0].key.keytype != dk.keytype)
krb5_errx(context, 1, "enctype mismatch!");
if (ep->entry.keys.val[0].key.keyvalue.length !=
if (ep->keys.val[0].key.keyvalue.length !=
dk.keyvalue.length)
krb5_errx(context, 1, "key length mismatch!");
if (memcmp(ep->entry.keys.val[0].key.keyvalue.data,
if (memcmp(ep->keys.val[0].key.keyvalue.data,
dk.keyvalue.data, dk.keyvalue.length) != 0)
krb5_errx(context, 1, "key mismatch!");
if (memcmp(ep->entry.keys.val[0].key.keyvalue.data,
e[b + i - 1].entry.keys.val[0].key.keyvalue.data,
if (memcmp(ep->keys.val[0].key.keyvalue.data,
e[b + i - 1].keys.val[0].key.keyvalue.data,
dk.keyvalue.length) == 0)
krb5_errx(context, 1, "different virtual principals have the same keys!");
/* XXX Add check that we have the expected number of history keys */
@@ -653,14 +653,14 @@ check_kvnos(krb5_context context)
for (k = 0; k < sizeof(e)/sizeof(e[0]); k++) {
HDB_Ext_KeySet *hist_keys;
HDB_extension *ext;
hdb_entry_ex *ep;
hdb_entry *ep;
int match = 0;
if ((k % NUM_OFFSETS) != i)
continue;
ep = &e[k];
if (ep->entry.principal == NULL)
if (ep->principal == NULL)
continue; /* Didn't fetch this one */
/*
@@ -668,15 +668,15 @@ check_kvnos(krb5_context context)
* or else add them to `keysets'.
*/
for (m = 0; m < keysets.len; m++) {
if (ep->entry.kvno == keysets.val[m].kvno) {
if (ep->kvno == keysets.val[m].kvno) {
/* Check the key is the same */
if (ep->entry.keys.val[0].key.keytype !=
if (ep->keys.val[0].key.keytype !=
keysets.val[m].keys.val[0].key.keytype ||
ep->entry.keys.val[0].key.keyvalue.length !=
ep->keys.val[0].key.keyvalue.length !=
keysets.val[m].keys.val[0].key.keyvalue.length ||
memcmp(ep->entry.keys.val[0].key.keyvalue.data,
memcmp(ep->keys.val[0].key.keyvalue.data,
keysets.val[m].keys.val[0].key.keyvalue.data,
ep->entry.keys.val[0].key.keyvalue.length) != 0)
ep->keys.val[0].key.keyvalue.length) != 0)
krb5_errx(context, 1,
"key mismatch for same princ & kvno");
match = 1;
@@ -685,8 +685,8 @@ check_kvnos(krb5_context context)
if (m == keysets.len) {
hdb_keyset ks;
ks.kvno = ep->entry.kvno;
ks.keys = ep->entry.keys;
ks.kvno = ep->kvno;
ks.keys = ep->keys;
ks.set_time = 0;
if (add_HDB_Ext_KeySet(&keysets, &ks))
krb5_err(context, 1, ENOMEM, "out of memory");
@@ -696,7 +696,7 @@ check_kvnos(krb5_context context)
continue;
/* For all non-current keysets, repeat the above */
ext = hdb_find_extension(&ep->entry,
ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys);
if (!ext)
continue;
@@ -704,20 +704,20 @@ check_kvnos(krb5_context context)
for (p = 0; p < hist_keys->len; p++) {
for (m = 0; m < keysets.len; m++) {
if (keysets.val[m].kvno == hist_keys->val[p].kvno)
if (ep->entry.keys.val[0].key.keytype !=
if (ep->keys.val[0].key.keytype !=
keysets.val[m].keys.val[0].key.keytype ||
ep->entry.keys.val[0].key.keyvalue.length !=
ep->keys.val[0].key.keyvalue.length !=
keysets.val[m].keys.val[0].key.keyvalue.length ||
memcmp(ep->entry.keys.val[0].key.keyvalue.data,
memcmp(ep->keys.val[0].key.keyvalue.data,
keysets.val[m].keys.val[0].key.keyvalue.data,
ep->entry.keys.val[0].key.keyvalue.length) != 0)
ep->keys.val[0].key.keyvalue.length) != 0)
krb5_errx(context, 1,
"key mismatch for same princ & kvno");
}
if (m == keysets.len) {
hdb_keyset ks;
ks.kvno = ep->entry.kvno;
ks.keys = ep->entry.keys;
ks.kvno = ep->kvno;
ks.keys = ep->keys;
ks.set_time = 0;
if (add_HDB_Ext_KeySet(&keysets, &ks))
krb5_err(context, 1, ENOMEM, "out of memory");
@@ -741,15 +741,14 @@ print_em(krb5_context context)
if (0 == i % (sizeof(expected)/sizeof(expected[0])))
continue;
if (e[i].entry.principal == NULL)
if (e[i].principal == NULL)
continue;
hex_encode(e[i].entry.keys.val[0].key.keyvalue.data,
e[i].entry.keys.val[0].key.keyvalue.length, &x);
printf("%s %u %s\n", x, e[i].entry.kvno, name);
hex_encode(e[i].keys.val[0].key.keyvalue.data,
e[i].keys.val[0].key.keyvalue.length, &x);
printf("%s %u %s\n", x, e[i].kvno, name);
free(x);
ext = hdb_find_extension(&e[i].entry,
choice_HDB_extension_data_hist_keys);
ext = hdb_find_extension(&e[i], choice_HDB_extension_data_hist_keys);
if (!ext)
continue;
hist_keys = &ext->data.u.hist_keys;
@@ -771,12 +770,12 @@ check_expected_kvnos(krb5_context context)
for (i = 0; i < sizeof(expected)/sizeof(expected[0]); i++) {
for (k = 0; k < sizeof(krs)/sizeof(krs[0]); k++) {
hdb_entry_ex *ep = &e[k * sizeof(expected)/sizeof(expected[0]) + i];
hdb_entry *ep = &e[k * sizeof(expected)/sizeof(expected[0]) + i];
if (ep->entry.principal == NULL)
if (ep->principal == NULL)
continue;
for (m = 0; m < NUM_OFFSETS; m++) {
ext = hdb_find_extension(&ep->entry,
ext = hdb_find_extension(ep,
choice_HDB_extension_data_hist_keys);
if (!ext)
continue;
@@ -787,7 +786,7 @@ check_expected_kvnos(krb5_context context)
}
}
fprintf(stderr, "%s at %lu: kvno %u\n", expected[i], k,
ep->entry.kvno);
ep->kvno);
}
}
}

52
lib/kadm5/chpass_s.c
View File

@@ -111,7 +111,7 @@ change(void *server_handle,
int cond)
{
kadm5_server_context *context = server_handle;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_ret_t ret;
Key *keys;
size_t num_keys;
@@ -167,7 +167,7 @@ change(void *server_handle,
* We save these for now so we can handle password history checking;
* we handle keepold further below.
*/
ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
ret = hdb_add_current_keys_to_history(context->context, &ent);
if (ret)
goto out3;
}
@@ -179,13 +179,13 @@ change(void *server_handle,
goto out3;
} else {
num_keys = ent.entry.keys.len;
keys = ent.entry.keys.val;
num_keys = ent.keys.len;
keys = ent.keys.val;
ent.entry.keys.len = 0;
ent.entry.keys.val = NULL;
ent.keys.len = 0;
ent.keys.val = NULL;
ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple,
ret = _kadm5_set_keys(context, &ent, n_ks_tuple, ks_tuple,
password);
if(ret) {
_kadm5_free_keys(context->context, num_keys, keys);
@@ -196,10 +196,10 @@ change(void *server_handle,
if (cond) {
HDB_extension *ext;
ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys);
ext = hdb_find_extension(&ent, choice_HDB_extension_data_hist_keys);
if (ext != NULL)
existsp = _kadm5_exists_keys_hist(ent.entry.keys.val,
ent.entry.keys.len,
existsp = _kadm5_exists_keys_hist(ent.keys.val,
ent.keys.len,
&ext->data.u.hist_keys);
}
@@ -210,9 +210,9 @@ change(void *server_handle,
goto out3;
}
}
ent.entry.kvno++;
ent.kvno++;
ent.entry.flags.require_pwchange = 0;
ent.flags.require_pwchange = 0;
if (!keepold) {
HDB_extension ext;
@@ -220,25 +220,25 @@ change(void *server_handle,
memset(&ext, 0, sizeof (ext));
ext.mandatory = FALSE;
ext.data.element = choice_HDB_extension_data_hist_keys;
ret = hdb_replace_extension(context->context, &ent.entry, &ext);
ret = hdb_replace_extension(context->context, &ent, &ext);
if (ret)
goto out3;
}
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out3;
ret = _kadm5_set_modifier(context, &ent.entry);
ret = _kadm5_set_modifier(context, &ent);
if(ret)
goto out3;
ret = _kadm5_bump_pw_expire(context, &ent.entry);
ret = _kadm5_bump_pw_expire(context, &ent);
if (ret)
goto out3;
/* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry,
ret = kadm5_log_modify(context, &ent,
KADM5_ATTRIBUTES | KADM5_PRINCIPAL |
KADM5_MOD_NAME | KADM5_MOD_TIME |
KADM5_KEY_DATA | KADM5_KVNO |
@@ -367,7 +367,7 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
krb5_key_data *key_data)
{
kadm5_server_context *context = server_handle;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_ret_t ret;
uint32_t hook_flags = 0;
@@ -396,23 +396,23 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
goto out3;
if (keepold) {
ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
ret = hdb_add_current_keys_to_history(context->context, &ent);
if (ret)
goto out3;
}
ret = _kadm5_set_keys2(context, &ent.entry, n_key_data, key_data);
ret = _kadm5_set_keys2(context, &ent, n_key_data, key_data);
if (ret)
goto out3;
ent.entry.kvno++;
ret = _kadm5_set_modifier(context, &ent.entry);
ent.kvno++;
ret = _kadm5_set_modifier(context, &ent);
if (ret)
goto out3;
ret = _kadm5_bump_pw_expire(context, &ent.entry);
ret = _kadm5_bump_pw_expire(context, &ent);
if (ret)
goto out3;
if (keepold) {
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out3;
} else {
@@ -423,11 +423,11 @@ kadm5_s_chpass_principal_with_key(void *server_handle,
ext.data.element = choice_HDB_extension_data_hist_keys;
ext.data.u.hist_keys.len = 0;
ext.data.u.hist_keys.val = NULL;
hdb_replace_extension(context->context, &ent.entry, &ext);
hdb_replace_extension(context->context, &ent, &ext);
}
/* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry,
ret = kadm5_log_modify(context, &ent,
KADM5_PRINCIPAL | KADM5_MOD_NAME |
KADM5_MOD_TIME | KADM5_KEY_DATA | KADM5_KVNO |
KADM5_PW_EXPIRATION | KADM5_TL_DATA);

24
lib/kadm5/create_s.c
View File

@@ -57,7 +57,7 @@ static kadm5_ret_t
create_principal(kadm5_server_context *context,
kadm5_principal_ent_t princ,
uint32_t mask,
hdb_entry_ex *ent,
hdb_entry *ent,
uint32_t required_mask,
uint32_t forbidden_mask)
{
@@ -74,7 +74,7 @@ create_principal(kadm5_server_context *context,
/* XXX no real policies for now */
return KADM5_UNK_POLICY;
ret = krb5_copy_principal(context->context, princ->principal,
&ent->entry.principal);
&ent->principal);
if(ret)
return ret;
@@ -96,10 +96,10 @@ create_principal(kadm5_server_context *context,
if (ret)
return ret;
ent->entry.created_by.time = time(NULL);
ent->created_by.time = time(NULL);
return krb5_copy_principal(context->context, context->caller,
&ent->entry.created_by.principal);
&ent->created_by.principal);
}
struct create_principal_hook_ctx {
@@ -167,7 +167,7 @@ kadm5_s_create_principal_with_key(void *server_handle,
uint32_t mask)
{
kadm5_ret_t ret;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_server_context *context = server_handle;
if ((mask & KADM5_KVNO) == 0) {
@@ -203,7 +203,7 @@ kadm5_s_create_principal_with_key(void *server_handle,
if (ret)
goto out;
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out2;
@@ -213,7 +213,7 @@ kadm5_s_create_principal_with_key(void *server_handle,
* Creation of would-be virtual principals w/o the materialize flag will be
* rejected in kadm5_log_create().
*/
ret = kadm5_log_create(context, &ent.entry);
ret = kadm5_log_create(context, &ent);
(void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
ret, princ, mask, NULL);
@@ -241,7 +241,7 @@ kadm5_s_create_principal(void *server_handle,
const char *password)
{
kadm5_ret_t ret;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_server_context *context = server_handle;
int use_pw = 1;
@@ -324,20 +324,20 @@ kadm5_s_create_principal(void *server_handle,
if (ret)
goto out;
free_Keys(&ent.entry.keys);
free_Keys(&ent.keys);
if (use_pw) {
ret = _kadm5_set_keys(context, &ent.entry, n_ks_tuple, ks_tuple, password);
ret = _kadm5_set_keys(context, &ent, n_ks_tuple, ks_tuple, password);
if (ret)
goto out2;
}
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out2;
/* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_create(context, &ent.entry);
ret = kadm5_log_create(context, &ent);
(void) create_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
ret, princ, mask, password);

6
lib/kadm5/delete_s.c
View File

@@ -92,7 +92,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
{
kadm5_server_context *context = server_handle;
kadm5_ret_t ret;
hdb_entry_ex ent;
hdb_entry ent;
memset(&ent, 0, sizeof(ent));
if (!context->keep_open) {
@@ -112,7 +112,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
0, &ent);
if (ret == HDB_ERR_NOENTRY)
goto out2;
if (ent.entry.flags.immutable) {
if (ent.flags.immutable) {
ret = KADM5_PROTECT_PRINCIPAL;
goto out3;
}
@@ -121,7 +121,7 @@ kadm5_s_delete_principal(void *server_handle, krb5_principal princ)
if (ret)
goto out3;
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out3;

78
lib/kadm5/ent_setup.c
View File

@@ -73,7 +73,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
static kadm5_ret_t
perform_tl_data(krb5_context context,
HDB *db,
hdb_entry_ex *ent,
hdb_entry *ent,
const krb5_tl_data *tl_data)
{
kadm5_ret_t ret = 0;
@@ -84,7 +84,7 @@ perform_tl_data(krb5_context context,
if (pw[tl_data->tl_data_length] != '\0')
return KADM5_BAD_TL_TYPE;
ret = hdb_entry_set_password(context, db, &ent->entry, pw);
ret = hdb_entry_set_password(context, db, ent, pw);
} else if (tl_data->tl_data_type == KRB5_TL_LAST_PWD_CHANGE) {
unsigned long t;
@@ -96,7 +96,7 @@ perform_tl_data(krb5_context context,
s = tl_data->tl_data_contents;
(void) _krb5_get_int(s, &t, tl_data->tl_data_length);
ret = hdb_entry_set_pw_change_time(context, &ent->entry, t);
ret = hdb_entry_set_pw_change_time(context, ent, t);
} else if (tl_data->tl_data_type == KRB5_TL_KEY_ROTATION) {
HDB_Ext_KeyRotation *prev_kr = 0;
@@ -105,7 +105,7 @@ perform_tl_data(krb5_context context,
ext.mandatory = 0;
ext.data.element = choice_HDB_extension_data_key_rotation;
prev_ext = hdb_find_extension(&ent->entry, ext.data.element);
prev_ext = hdb_find_extension(ent, ext.data.element);
if (prev_ext)
prev_kr = &prev_ext->data.u.key_rotation;
ret = decode_HDB_Ext_KeyRotation(tl_data->tl_data_contents,
@@ -115,7 +115,7 @@ perform_tl_data(krb5_context context,
ret = hdb_validate_key_rotations(context, prev_kr,
&ext.data.u.key_rotation);
if (ret == 0)
ret = hdb_replace_extension(context, &ent->entry, &ext);
ret = hdb_replace_extension(context, ent, &ext);
free_HDB_extension(&ext);
} else if (tl_data->tl_data_type == KRB5_TL_EXTENSION) {
HDB_extension ext;
@@ -128,7 +128,7 @@ perform_tl_data(krb5_context context,
return KADM5_BAD_TL_TYPE;
if (ext.data.element == choice_HDB_extension_data_key_rotation) {
HDB_extension *prev_ext = hdb_find_extension(&ent->entry,
HDB_extension *prev_ext = hdb_find_extension(ent,
ext.data.element);
HDB_Ext_KeyRotation *prev_kr = 0;
@@ -140,19 +140,19 @@ perform_tl_data(krb5_context context,
if (ret)
ret = KADM5_BAD_TL_TYPE; /* XXX Need new error code */
if (ret == 0)
ret = hdb_replace_extension(context, &ent->entry, &ext);
ret = hdb_replace_extension(context, ent, &ext);
free_HDB_extension(&ext);
} else if (tl_data->tl_data_type == KRB5_TL_ETYPES) {
if (!ent->entry.etypes &&
(ent->entry.etypes = calloc(1,
sizeof(ent->entry.etypes[0]))) == NULL)
if (!ent->etypes &&
(ent->etypes = calloc(1,
sizeof(ent->etypes[0]))) == NULL)
ret = krb5_enomem(context);
if (ent->entry.etypes)
free_HDB_EncTypeList(ent->entry.etypes);
if (ent->etypes)
free_HDB_EncTypeList(ent->etypes);
if (ret == 0)
ret = decode_HDB_EncTypeList(tl_data->tl_data_contents,
tl_data->tl_data_length,
ent->entry.etypes, NULL);
ent->etypes, NULL);
if (ret)
return KADM5_BAD_TL_TYPE;
} else if (tl_data->tl_data_type == KRB5_TL_ALIASES) {
@@ -164,14 +164,14 @@ perform_tl_data(krb5_context context,
}
static void
default_flags(hdb_entry_ex *ent)
default_flags(hdb_entry *ent)
{
ent->entry.flags.client = 1;
ent->entry.flags.server = 1;
ent->entry.flags.forwardable = 1;
ent->entry.flags.proxiable = 1;
ent->entry.flags.renewable = 1;
ent->entry.flags.postdate = 1;
ent->flags.client = 1;
ent->flags.server = 1;
ent->flags.forwardable = 1;
ent->flags.proxiable = 1;
ent->flags.renewable = 1;
ent->flags.postdate = 1;
}
@@ -183,7 +183,7 @@ default_flags(hdb_entry_ex *ent)
kadm5_ret_t
_kadm5_setup_entry(kadm5_server_context *context,
hdb_entry_ex *ent,
hdb_entry *ent,
uint32_t mask,
kadm5_principal_ent_t princ,
uint32_t princ_mask,
@@ -193,23 +193,23 @@ _kadm5_setup_entry(kadm5_server_context *context,
if(mask & KADM5_PRINC_EXPIRE_TIME
&& princ_mask & KADM5_PRINC_EXPIRE_TIME) {
if (princ->princ_expire_time)
set_value(ent->entry.valid_end, princ->princ_expire_time);
set_value(ent->valid_end, princ->princ_expire_time);
else
set_null(ent->entry.valid_end);
set_null(ent->valid_end);
}
if(mask & KADM5_PW_EXPIRATION
&& princ_mask & KADM5_PW_EXPIRATION) {
if (princ->pw_expiration)
set_value(ent->entry.pw_end, princ->pw_expiration);
set_value(ent->pw_end, princ->pw_expiration);
else
set_null(ent->entry.pw_end);
set_null(ent->pw_end);
}
if(mask & KADM5_ATTRIBUTES) {
if (princ_mask & KADM5_ATTRIBUTES) {
attr_to_flags(princ->attributes, &ent->entry.flags);
attr_to_flags(princ->attributes, &ent->flags);
} else if(def_mask & KADM5_ATTRIBUTES) {
attr_to_flags(def->attributes, &ent->entry.flags);
ent->entry.flags.invalid = 0;
attr_to_flags(def->attributes, &ent->flags);
ent->flags.invalid = 0;
} else {
default_flags(ent);
}
@@ -218,41 +218,41 @@ _kadm5_setup_entry(kadm5_server_context *context,
if(mask & KADM5_MAX_LIFE) {
if(princ_mask & KADM5_MAX_LIFE) {
if(princ->max_life)
set_value(ent->entry.max_life, princ->max_life);
set_value(ent->max_life, princ->max_life);
else
set_null(ent->entry.max_life);
set_null(ent->max_life);
} else if(def_mask & KADM5_MAX_LIFE) {
if(def->max_life)
set_value(ent->entry.max_life, def->max_life);
set_value(ent->max_life, def->max_life);
else
set_null(ent->entry.max_life);
set_null(ent->max_life);
}
}
if(mask & KADM5_KVNO
&& (princ_mask & KADM5_KVNO)) {
krb5_error_code ret;
ret = hdb_change_kvno(context->context, princ->kvno, &ent->entry);
ret = hdb_change_kvno(context->context, princ->kvno, ent);
if (ret && ret != HDB_ERR_KVNO_NOT_FOUND)
return ret;
ent->entry.kvno = princ->kvno; /* force it */
ent->kvno = princ->kvno; /* force it */
}
if(mask & KADM5_MAX_RLIFE) {
if(princ_mask & KADM5_MAX_RLIFE) {
if(princ->max_renewable_life)
set_value(ent->entry.max_renew, princ->max_renewable_life);
set_value(ent->max_renew, princ->max_renewable_life);
else
set_null(ent->entry.max_renew);
set_null(ent->max_renew);
} else if(def_mask & KADM5_MAX_RLIFE) {
if(def->max_renewable_life)
set_value(ent->entry.max_renew, def->max_renewable_life);
set_value(ent->max_renew, def->max_renewable_life);
else
set_null(ent->entry.max_renew);
set_null(ent->max_renew);
}
}
if(mask & KADM5_KEY_DATA
&& princ_mask & KADM5_KEY_DATA) {
_kadm5_set_keys2(context, &ent->entry,
_kadm5_set_keys2(context, ent,
princ->n_key_data, princ->key_data);
}
if(mask & KADM5_TL_DATA) {

4
lib/kadm5/get_princs_s.c
View File

@@ -55,12 +55,12 @@ add_princ(krb5_context context, struct foreach_data *d, char *princ)
}
static krb5_error_code
foreach(krb5_context context, HDB *db, hdb_entry_ex *ent, void *data)
foreach(krb5_context context, HDB *db, hdb_entry *ent, void *data)
{
struct foreach_data *d = data;
char *princ;
krb5_error_code ret;
ret = krb5_unparse_name(context, ent->entry.principal, &princ);
ret = krb5_unparse_name(context, ent->principal, &princ);
if(ret)
return ret;
if(d->exp){

112
lib/kadm5/get_s.c
View File

@@ -122,7 +122,7 @@ kadm5_s_get_principal(void *server_handle,
{
kadm5_server_context *context = server_handle;
kadm5_ret_t ret;
hdb_entry_ex ent;
hdb_entry ent;
unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA;
if ((mask & KADM5_KEY_DATA) || (mask & KADM5_KVNO))
@@ -157,57 +157,57 @@ kadm5_s_get_principal(void *server_handle,
return _kadm5_error_code(ret);
if(mask & KADM5_PRINCIPAL)
ret = krb5_copy_principal(context->context, ent.entry.principal,
ret = krb5_copy_principal(context->context, ent.principal,
&out->principal);
if(ret)
goto out;
if(mask & KADM5_PRINC_EXPIRE_TIME && ent.entry.valid_end)
out->princ_expire_time = *ent.entry.valid_end;
if(mask & KADM5_PW_EXPIRATION && ent.entry.pw_end)
out->pw_expiration = *ent.entry.pw_end;
if(mask & KADM5_PRINC_EXPIRE_TIME && ent.valid_end)
out->princ_expire_time = *ent.valid_end;
if(mask & KADM5_PW_EXPIRATION && ent.pw_end)
out->pw_expiration = *ent.pw_end;
if(mask & KADM5_LAST_PWD_CHANGE)
hdb_entry_get_pw_change_time(&ent.entry, &out->last_pwd_change);
hdb_entry_get_pw_change_time(&ent, &out->last_pwd_change);
if(mask & KADM5_ATTRIBUTES){
out->attributes |= ent.entry.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED;
out->attributes |= ent.entry.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE;
out->attributes |= ent.entry.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0;
out->attributes |= ent.entry.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE;
out->attributes |= ent.entry.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
out->attributes |= ent.entry.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0;
out->attributes |= ent.entry.flags.client ? 0 : KRB5_KDB_DISALLOW_CLIENT;
out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;
out->attributes |= ent.entry.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0;
out->attributes |= ent.entry.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0;
out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0;
out->attributes |= ent.entry.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0;
out->attributes |= ent.entry.flags.virtual ? KRB5_KDB_VIRTUAL : 0;
out->attributes |= ent.entry.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0;
out->attributes |= ent.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED;
out->attributes |= ent.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE;
out->attributes |= ent.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0;
out->attributes |= ent.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE;
out->attributes |= ent.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
out->attributes |= ent.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
out->attributes |= ent.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
out->attributes |= ent.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0;
out->attributes |= ent.flags.client ? 0 : KRB5_KDB_DISALLOW_CLIENT;
out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
out->attributes |= ent.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
out->attributes |= ent.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;
out->attributes |= ent.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0;
out->attributes |= ent.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0;
out->attributes |= ent.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0;
out->attributes |= ent.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0;
out->attributes |= ent.flags.virtual ? KRB5_KDB_VIRTUAL : 0;
out->attributes |= ent.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0;
}
if(mask & KADM5_MAX_LIFE) {
if(ent.entry.max_life)
out->max_life = *ent.entry.max_life;
if(ent.max_life)
out->max_life = *ent.max_life;
else
out->max_life = INT_MAX;
}
if(mask & KADM5_MOD_TIME) {
if(ent.entry.modified_by)
out->mod_date = ent.entry.modified_by->time;
if(ent.modified_by)
out->mod_date = ent.modified_by->time;
else
out->mod_date = ent.entry.created_by.time;
out->mod_date = ent.created_by.time;
}
if(mask & KADM5_MOD_NAME) {
if(ent.entry.modified_by) {
if (ent.entry.modified_by->principal != NULL)
if(ent.modified_by) {
if (ent.modified_by->principal != NULL)
ret = krb5_copy_principal(context->context,
ent.entry.modified_by->principal,
ent.modified_by->principal,
&out->mod_name);
} else if(ent.entry.created_by.principal != NULL)
} else if(ent.created_by.principal != NULL)
ret = krb5_copy_principal(context->context,
ent.entry.created_by.principal,
ent.created_by.principal,
&out->mod_name);
else
out->mod_name = NULL;
@@ -216,13 +216,13 @@ kadm5_s_get_principal(void *server_handle,
goto out;
if(mask & KADM5_KVNO)
out->kvno = ent.entry.kvno;
out->kvno = ent.kvno;
if(mask & KADM5_MKVNO) {
size_t n;
out->mkvno = 0; /* XXX */
for(n = 0; n < ent.entry.keys.len; n++)
if(ent.entry.keys.val[n].mkvno) {
out->mkvno = *ent.entry.keys.val[n].mkvno; /* XXX this isn't right */
for(n = 0; n < ent.keys.len; n++)
if(ent.keys.val[n].mkvno) {
out->mkvno = *ent.keys.val[n].mkvno; /* XXX this isn't right */
break;
}
}
@@ -239,7 +239,7 @@ kadm5_s_get_principal(void *server_handle,
if(mask & KADM5_POLICY) {
HDB_extension *ext;
ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_policy);
ext = hdb_find_extension(&ent, choice_HDB_extension_data_policy);
if (ext == NULL) {
out->policy = strdup("default");
/* It's OK if we retun NULL instead of "default" */
@@ -252,27 +252,27 @@ kadm5_s_get_principal(void *server_handle,
}
}
if(mask & KADM5_MAX_RLIFE) {
if(ent.entry.max_renew)
out->max_renewable_life = *ent.entry.max_renew;
if(ent.max_renew)
out->max_renewable_life = *ent.max_renew;
else
out->max_renewable_life = INT_MAX;
}
if(mask & KADM5_KEY_DATA){
size_t i;
size_t n_keys = ent.entry.keys.len;
size_t n_keys = ent.keys.len;
krb5_salt salt;
HDB_extension *ext;
HDB_Ext_KeySet *hist_keys = NULL;
/* Don't return stale keys to kadm5 clients */
ret = hdb_prune_keys(context->context, &ent.entry);
ret = hdb_prune_keys(context->context, &ent);
if (ret)
goto out;
ext = hdb_find_extension(&ent.entry, choice_HDB_extension_data_hist_keys);
ext = hdb_find_extension(&ent, choice_HDB_extension_data_hist_keys);
if (ext != NULL)
hist_keys = &ext->data.u.hist_keys;
krb5_get_pw_salt(context->context, ent.entry.principal, &salt);
krb5_get_pw_salt(context->context, ent.principal, &salt);
for (i = 0; hist_keys != NULL && i < hist_keys->len; i++)
n_keys += hist_keys->val[i].keys.len;
out->key_data = malloc(n_keys * sizeof(*out->key_data));
@@ -281,8 +281,8 @@ kadm5_s_get_principal(void *server_handle,
goto out;
}
out->n_key_data = 0;
ret = copy_keyset_to_kadm5(context, ent.entry.kvno, ent.entry.keys.len,
ent.entry.keys.val, &salt, out);
ret = copy_keyset_to_kadm5(context, ent.kvno, ent.keys.len,
ent.keys.val, &salt, out);
if (ret)
goto out;
for (i = 0; hist_keys != NULL && i < hist_keys->len; i++) {
@@ -305,12 +305,12 @@ kadm5_s_get_principal(void *server_handle,
const HDB_Ext_KeyRotation *kr;
heim_octet_string krb5_config;
if (ent.entry.etypes) {
if (ent.etypes) {
krb5_data buf;
size_t len;
ASN1_MALLOC_ENCODE(HDB_EncTypeList, buf.data, buf.length,
ent.entry.etypes, &len, ret);
ent.etypes, &len, ret);
if (ret == 0) {
ret = add_tl_data(out, KRB5_TL_ETYPES, buf.data, buf.length);
free(buf.data);
@@ -319,14 +319,14 @@ kadm5_s_get_principal(void *server_handle,
goto out;
}
ret = hdb_entry_get_pw_change_time(&ent.entry, &last_pw_expire);
ret = hdb_entry_get_pw_change_time(&ent, &last_pw_expire);
if (ret == 0 && last_pw_expire) {
unsigned char buf[4];
_krb5_put_int(buf, last_pw_expire, sizeof(buf));
ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf));
}
ret = hdb_entry_get_krb5_config(&ent.entry, &krb5_config);
ret = hdb_entry_get_krb5_config(&ent, &krb5_config);
if (ret == 0 && krb5_config.length) {
ret = add_tl_data(out, KRB5_TL_KRB5_CONFIG, krb5_config.data,
krb5_config.length);
@@ -342,7 +342,7 @@ kadm5_s_get_principal(void *server_handle,
/* XXX But not if the client doesn't have ext-keys */
ret = hdb_entry_get_password(context->context,
context->db, &ent.entry, &pw);
context->db, &ent, &pw);
if (ret == 0) {
ret = add_tl_data(out, KRB5_TL_PASSWORD, pw, strlen(pw) + 1);
free(pw);
@@ -352,7 +352,7 @@ kadm5_s_get_principal(void *server_handle,
krb5_clear_error_message(context->context);
}
ret = hdb_entry_get_pkinit_acl(&ent.entry, &acl);
ret = hdb_entry_get_pkinit_acl(&ent, &acl);
if (ret == 0 && acl) {
krb5_data buf;
size_t len;
@@ -370,7 +370,7 @@ kadm5_s_get_principal(void *server_handle,
goto out;
}
ret = hdb_entry_get_aliases(&ent.entry, &aliases);
ret = hdb_entry_get_aliases(&ent, &aliases);
if (ret == 0 && aliases) {
krb5_data buf;
size_t len;
@@ -388,7 +388,7 @@ kadm5_s_get_principal(void *server_handle,
goto out;
}
ret = hdb_entry_get_key_rotation(context->context, &ent.entry, &kr);
ret = hdb_entry_get_key_rotation(context->context, &ent, &kr);
if (ret == 0 && kr) {
krb5_data buf;
size_t len;

4
lib/kadm5/ipropd_master.c
View File

@@ -392,14 +392,14 @@ error:
}
static int
dump_one (krb5_context context, HDB *db, hdb_entry_ex *entry, void *v)
dump_one (krb5_context context, HDB *db, hdb_entry *entry, void *v)
{
krb5_error_code ret;
krb5_storage *dump = (krb5_storage *)v;
krb5_storage *sp;
krb5_data data;
ret = hdb_entry2value (context, &entry->entry, &data);
ret = hdb_entry2value (context, entry, &data);
if (ret)
return ret;
ret = krb5_data_realloc (&data, data.length + 4);

4
lib/kadm5/ipropd_slave.c
View File

@@ -571,7 +571,7 @@ receive_everything(krb5_context context, int fd,
krb5_ret_uint32(sp, &opcode);
if (opcode == ONE_PRINC) {
krb5_data fake_data;
hdb_entry_ex entry;
hdb_entry entry;
krb5_storage_free(sp);
@@ -580,7 +580,7 @@ receive_everything(krb5_context context, int fd,
memset(&entry, 0, sizeof(entry));
ret = hdb_value2entry(context, &fake_data, &entry.entry);
ret = hdb_value2entry(context, &fake_data, &entry);
if (ret)
krb5_err(context, IPROPD_RESTART, ret, "hdb_value2entry");
ret = mydb->hdb_store(server_context->context,

154
lib/kadm5/log.c
View File

@@ -974,12 +974,12 @@ kadm5_log_create(kadm5_server_context *context, hdb_entry *entry)
krb5_ssize_t bytes;
kadm5_ret_t ret;
krb5_data value;
hdb_entry_ex ent, existing;
hdb_entry ent, existing;
kadm5_log_context *log_context = &context->log_context;
memset(&existing, 0, sizeof(existing));
memset(&ent, 0, sizeof(ent));
ent.entry = *entry;
ent = *entry;
/*
* Do not allow creation of concrete entries within namespaces unless
@@ -989,14 +989,14 @@ kadm5_log_create(kadm5_server_context *context, hdb_entry *entry)
0, 0, 0, &existing);
if (ret != 0 && ret != HDB_ERR_NOENTRY)
return ret;
if (ret == 0 && !ent.entry.flags.materialize &&
(existing.entry.flags.virtual || existing.entry.flags.virtual_keys)) {
if (ret == 0 && !ent.flags.materialize &&
(existing.flags.virtual || existing.flags.virtual_keys)) {
hdb_free_entry(context->context, context->db, &existing);
return HDB_ERR_EXISTS;
}
if (ret == 0)
hdb_free_entry(context->context, context->db, &existing);
ent.entry.flags.materialize = 0; /* Clear in stored entry */
ent.flags.materialize = 0; /* Clear in stored entry */
/*
* If we're not logging then we can't recover-to-perform, so just
@@ -1055,7 +1055,7 @@ kadm5_log_replay_create(kadm5_server_context *context,
{
krb5_error_code ret;
krb5_data data;
hdb_entry_ex ent;
hdb_entry ent;
memset(&ent, 0, sizeof(ent));
@@ -1065,7 +1065,7 @@ kadm5_log_replay_create(kadm5_server_context *context,
return ret;
}
krb5_storage_read(sp, data.data, len);
ret = hdb_value2entry(context->context, &data, &ent.entry);
ret = hdb_value2entry(context->context, &data, &ent);
krb5_data_free(&data);
if (ret) {
krb5_set_error_message(context->context, ret,
@@ -1196,11 +1196,11 @@ kadm5_log_rename(kadm5_server_context *context,
off_t end_off = 0; /* Ditto; this allows de-indentation by two levels */
off_t off;
krb5_data value;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_log_context *log_context = &context->log_context;
memset(&ent, 0, sizeof(ent));
ent.entry = *entry;
ent = *entry;
if (strcmp(log_context->log_file, "/dev/null") == 0) {
ret = context->db->hdb_store(context->context, context->db, 0, &ent);
@@ -1306,7 +1306,7 @@ kadm5_log_replay_rename(kadm5_server_context *context,
{
krb5_error_code ret;
krb5_principal source;
hdb_entry_ex target_ent;
hdb_entry target_ent;
krb5_data value;
off_t off;
size_t princ_len, data_len;
@@ -1328,7 +1328,7 @@ kadm5_log_replay_rename(kadm5_server_context *context,
return ret;
}
krb5_storage_read(sp, value.data, data_len);
ret = hdb_value2entry(context->context, &value, &target_ent.entry);
ret = hdb_value2entry(context->context, &value, &target_ent);
krb5_data_free(&value);
if (ret) {
krb5_free_principal(context->context, source);
@@ -1360,11 +1360,11 @@ kadm5_log_modify(kadm5_server_context *context,
kadm5_ret_t ret;
krb5_data value;
uint32_t len;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_log_context *log_context = &context->log_context;
memset(&ent, 0, sizeof(ent));
ent.entry = *entry;
ent = *entry;
if (strcmp(log_context->log_file, "/dev/null") == 0)
return context->db->hdb_store(context->context, context->db,
@@ -1428,7 +1428,7 @@ kadm5_log_replay_modify(kadm5_server_context *context,
krb5_error_code ret;
uint32_t mask;
krb5_data value;
hdb_entry_ex ent, log_ent;
hdb_entry ent, log_ent;
memset(&log_ent, 0, sizeof(log_ent));
@@ -1446,7 +1446,7 @@ kadm5_log_replay_modify(kadm5_server_context *context,
ret = errno ? errno : EIO;
return ret;
}
ret = hdb_value2entry (context->context, &value, &log_ent.entry);
ret = hdb_value2entry (context->context, &value, &log_ent);
krb5_data_free(&value);
if (ret)
return ret;
@@ -1454,37 +1454,37 @@ kadm5_log_replay_modify(kadm5_server_context *context,
memset(&ent, 0, sizeof(ent));
/* NOTE: We do not use hdb_fetch_kvno() here */
ret = context->db->hdb_fetch_kvno(context->context, context->db,
log_ent.entry.principal,
log_ent.principal,
HDB_F_DECRYPT|HDB_F_ALL_KVNOS|
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
if (ret)
goto out;
if (mask & KADM5_PRINC_EXPIRE_TIME) {
if (log_ent.entry.valid_end == NULL) {
ent.entry.valid_end = NULL;
if (log_ent.valid_end == NULL) {
ent.valid_end = NULL;
} else {
if (ent.entry.valid_end == NULL) {
ent.entry.valid_end = malloc(sizeof(*ent.entry.valid_end));
if (ent.entry.valid_end == NULL) {
if (ent.valid_end == NULL) {
ent.valid_end = malloc(sizeof(*ent.valid_end));
if (ent.valid_end == NULL) {
ret = krb5_enomem(context->context);
goto out;
}
}
*ent.entry.valid_end = *log_ent.entry.valid_end;
*ent.valid_end = *log_ent.valid_end;
}
}
if (mask & KADM5_PW_EXPIRATION) {
if (log_ent.entry.pw_end == NULL) {
ent.entry.pw_end = NULL;
if (log_ent.pw_end == NULL) {
ent.pw_end = NULL;
} else {
if (ent.entry.pw_end == NULL) {
ent.entry.pw_end = malloc(sizeof(*ent.entry.pw_end));
if (ent.entry.pw_end == NULL) {
if (ent.pw_end == NULL) {
ent.pw_end = malloc(sizeof(*ent.pw_end));
if (ent.pw_end == NULL) {
ret = krb5_enomem(context->context);
goto out;
}
}
*ent.entry.pw_end = *log_ent.entry.pw_end;
*ent.pw_end = *log_ent.pw_end;
}
}
if (mask & KADM5_LAST_PWD_CHANGE) {
@@ -1492,39 +1492,39 @@ kadm5_log_replay_modify(kadm5_server_context *context,
"Unimplemented mask KADM5_LAST_PWD_CHANGE");
}
if (mask & KADM5_ATTRIBUTES) {
ent.entry.flags = log_ent.entry.flags;
ent.flags = log_ent.flags;
}
if (mask & KADM5_MAX_LIFE) {
if (log_ent.entry.max_life == NULL) {
ent.entry.max_life = NULL;
if (log_ent.max_life == NULL) {
ent.max_life = NULL;
} else {
if (ent.entry.max_life == NULL) {
ent.entry.max_life = malloc (sizeof(*ent.entry.max_life));
if (ent.entry.max_life == NULL) {
if (ent.max_life == NULL) {
ent.max_life = malloc (sizeof(*ent.max_life));
if (ent.max_life == NULL) {
ret = krb5_enomem(context->context);
goto out;
}
}
*ent.entry.max_life = *log_ent.entry.max_life;
*ent.max_life = *log_ent.max_life;
}
}
if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) {
if (ent.entry.modified_by == NULL) {
ent.entry.modified_by = malloc(sizeof(*ent.entry.modified_by));
if (ent.entry.modified_by == NULL) {
if (ent.modified_by == NULL) {
ent.modified_by = malloc(sizeof(*ent.modified_by));
if (ent.modified_by == NULL) {
ret = krb5_enomem(context->context);
goto out;
}
} else
free_Event(ent.entry.modified_by);
ret = copy_Event(log_ent.entry.modified_by, ent.entry.modified_by);
free_Event(ent.modified_by);
ret = copy_Event(log_ent.modified_by, ent.modified_by);
if (ret) {
ret = krb5_enomem(context->context);
goto out;
}
}
if (mask & KADM5_KVNO) {
ent.entry.kvno = log_ent.entry.kvno;
ent.kvno = log_ent.kvno;
}
if (mask & KADM5_MKVNO) {
krb5_warnx(context->context, "Unimplemented mask KADM5_KVNO");
@@ -1537,17 +1537,17 @@ kadm5_log_replay_modify(kadm5_server_context *context,
krb5_warnx(context->context, "Unimplemented mask KADM5_POLICY_CLR");
}
if (mask & KADM5_MAX_RLIFE) {
if (log_ent.entry.max_renew == NULL) {
ent.entry.max_renew = NULL;
if (log_ent.max_renew == NULL) {
ent.max_renew = NULL;
} else {
if (ent.entry.max_renew == NULL) {
ent.entry.max_renew = malloc (sizeof(*ent.entry.max_renew));
if (ent.entry.max_renew == NULL) {
if (ent.max_renew == NULL) {
ent.max_renew = malloc (sizeof(*ent.max_renew));
if (ent.max_renew == NULL) {
ret = krb5_enomem(context->context);
goto out;
}
}
*ent.entry.max_renew = *log_ent.entry.max_renew;
*ent.max_renew = *log_ent.max_renew;
}
}
if (mask & KADM5_LAST_SUCCESS) {
@@ -1573,62 +1573,62 @@ kadm5_log_replay_modify(kadm5_server_context *context,
*/
mask |= KADM5_TL_DATA;
for (i = 0; i < ent.entry.keys.len; ++i)
free_Key(&ent.entry.keys.val[i]);
free (ent.entry.keys.val);
for (i = 0; i < ent.keys.len; ++i)
free_Key(&ent.keys.val[i]);
free (ent.keys.val);
num = log_ent.entry.keys.len;
num = log_ent.keys.len;
ent.entry.keys.len = num;
ent.entry.keys.val = malloc(len * sizeof(*ent.entry.keys.val));
if (ent.entry.keys.val == NULL) {
ent.keys.len = num;
ent.keys.val = malloc(len * sizeof(*ent.keys.val));
if (ent.keys.val == NULL) {
krb5_enomem(context->context);
goto out;
}
for (i = 0; i < ent.entry.keys.len; ++i) {
ret = copy_Key(&log_ent.entry.keys.val[i],
&ent.entry.keys.val[i]);
for (i = 0; i < ent.keys.len; ++i) {
ret = copy_Key(&log_ent.keys.val[i],
&ent.keys.val[i]);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
}
if ((mask & KADM5_TL_DATA) && log_ent.entry.etypes) {
if (ent.entry.etypes)
free_HDB_EncTypeList(ent.entry.etypes);
free(ent.entry.etypes);
ent.entry.etypes = calloc(1, sizeof(*ent.entry.etypes));
if (ent.entry.etypes == NULL)
if ((mask & KADM5_TL_DATA) && log_ent.etypes) {
if (ent.etypes)
free_HDB_EncTypeList(ent.etypes);
free(ent.etypes);
ent.etypes = calloc(1, sizeof(*ent.etypes));
if (ent.etypes == NULL)
ret = ENOMEM;
if (ret == 0)
ret = copy_HDB_EncTypeList(log_ent.entry.etypes, ent.entry.etypes);
ret = copy_HDB_EncTypeList(log_ent.etypes, ent.etypes);
if (ret) {
ret = krb5_enomem(context->context);
free(ent.entry.etypes);
ent.entry.etypes = NULL;
free(ent.etypes);
ent.etypes = NULL;
goto out;
}
}
if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) {
if (ent.entry.extensions) {
free_HDB_extensions(ent.entry.extensions);
free(ent.entry.extensions);
ent.entry.extensions = NULL;
if ((mask & KADM5_TL_DATA) && log_ent.extensions) {
if (ent.extensions) {
free_HDB_extensions(ent.extensions);
free(ent.extensions);
ent.extensions = NULL;
}
ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions));
if (ent.entry.extensions == NULL)
ent.extensions = calloc(1, sizeof(*ent.extensions));
if (ent.extensions == NULL)
ret = ENOMEM;
if (ret == 0)
ret = copy_HDB_extensions(log_ent.entry.extensions,
ent.entry.extensions);
ret = copy_HDB_extensions(log_ent.extensions,
ent.extensions);
if (ret) {
ret = krb5_enomem(context->context);
free(ent.entry.extensions);
ent.entry.extensions = NULL;
free(ent.extensions);
ent.extensions = NULL;
goto out;
}
}

10
lib/kadm5/modify_s.c
View File

@@ -97,7 +97,7 @@ modify_principal(void *server_handle,
uint32_t forbidden_mask)
{
kadm5_server_context *context = server_handle;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_ret_t ret;
memset(&ent, 0, sizeof(ent));
@@ -139,7 +139,7 @@ modify_principal(void *server_handle,
ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
if (ret)
goto out3;
ret = _kadm5_set_modifier(context, &ent.entry);
ret = _kadm5_set_modifier(context, &ent);
if (ret)
goto out3;
@@ -157,7 +157,7 @@ modify_principal(void *server_handle,
goto out3;
}
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out3;
@@ -174,14 +174,14 @@ modify_principal(void *server_handle,
goto out3;
}
/* This calls free_HDB_extension(), freeing ext.data.u.policy */
ret = hdb_replace_extension(context->context, &ent.entry, &ext);
ret = hdb_replace_extension(context->context, &ent, &ext);
free(ext.data.u.policy);
if (ret)
goto out3;
}
/* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry,
ret = kadm5_log_modify(context, &ent,
mask | KADM5_MOD_NAME | KADM5_MOD_TIME);
(void) modify_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,

8
lib/kadm5/prune_s.c
View File

@@ -95,7 +95,7 @@ kadm5_s_prune_principal(void *server_handle,
int kvno)
{
kadm5_server_context *context = server_handle;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_ret_t ret;
memset(&ent, 0, sizeof(ent));
@@ -121,15 +121,15 @@ kadm5_s_prune_principal(void *server_handle,
if (ret)
goto out3;
ret = hdb_prune_keys_kvno(context->context, &ent.entry, kvno);
ret = hdb_prune_keys_kvno(context->context, &ent, kvno);
if (ret)
goto out3;
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out3;
ret = kadm5_log_modify(context, &ent.entry, KADM5_KEY_DATA);
ret = kadm5_log_modify(context, &ent, KADM5_KEY_DATA);
(void) prune_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
ret, princ, kvno);

24
lib/kadm5/randkey_s.c
View File

@@ -102,7 +102,7 @@ kadm5_s_randkey_principal(void *server_handle,
int *n_keys)
{
kadm5_server_context *context = server_handle;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_ret_t ret;
size_t i;
@@ -129,36 +129,36 @@ kadm5_s_randkey_principal(void *server_handle,
goto out3;
if (keepold) {
ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
ret = hdb_add_current_keys_to_history(context->context, &ent);
if (ret == 0 && keepold == 1)
ret = hdb_prune_keys_kvno(context->context, &ent.entry, 0);
ret = hdb_prune_keys_kvno(context->context, &ent, 0);
if (ret)
goto out3;
} else {
/* Remove all key history */
ret = hdb_clear_extension(context->context, &ent.entry,
ret = hdb_clear_extension(context->context, &ent,
choice_HDB_extension_data_hist_keys);
if (ret)
goto out3;
}
ret = _kadm5_set_keys_randomly(context, &ent.entry, n_ks_tuple, ks_tuple,
ret = _kadm5_set_keys_randomly(context, &ent, n_ks_tuple, ks_tuple,
new_keys, n_keys);
if (ret)
goto out3;
ent.entry.kvno++;
ent.kvno++;
ent.entry.flags.require_pwchange = 0;
ent.flags.require_pwchange = 0;
ret = _kadm5_set_modifier(context, &ent.entry);
ret = _kadm5_set_modifier(context, &ent);
if(ret)
goto out4;
ret = _kadm5_bump_pw_expire(context, &ent.entry);
ret = _kadm5_bump_pw_expire(context, &ent);
if (ret)
goto out4;
if (keepold) {
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out4;
} else {
@@ -169,11 +169,11 @@ kadm5_s_randkey_principal(void *server_handle,
ext.data.element = choice_HDB_extension_data_hist_keys;
ext.data.u.hist_keys.len = 0;
ext.data.u.hist_keys.val = NULL;
hdb_replace_extension(context->context, &ent.entry, &ext);
hdb_replace_extension(context->context, &ent, &ext);
}
/* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry,
ret = kadm5_log_modify(context, &ent,
KADM5_ATTRIBUTES | KADM5_PRINCIPAL |
KADM5_MOD_NAME | KADM5_MOD_TIME |
KADM5_KEY_DATA | KADM5_KVNO |

26
lib/kadm5/rename_s.c
View File

@@ -97,7 +97,7 @@ kadm5_s_rename_principal(void *server_handle,
{
kadm5_server_context *context = server_handle;
kadm5_ret_t ret;
hdb_entry_ex ent;
hdb_entry ent;
krb5_principal oldname;
size_t i;
@@ -121,14 +121,14 @@ kadm5_s_rename_principal(void *server_handle,
0, &ent);
if (ret)
goto out2;
oldname = ent.entry.principal;
oldname = ent.principal;
ret = rename_principal_hook(context, KADM5_HOOK_STAGE_PRECOMMIT,
0, source, target);
if (ret)
goto out3;
ret = _kadm5_set_modifier(context, &ent.entry);
ret = _kadm5_set_modifier(context, &ent);
if (ret)
goto out3;
{
@@ -139,14 +139,14 @@ kadm5_s_rename_principal(void *server_handle,
krb5_get_pw_salt(context->context, source, &salt2);
salt.type = hdb_pw_salt;
salt.salt = salt2.saltvalue;
for(i = 0; i < ent.entry.keys.len; i++){
if(ent.entry.keys.val[i].salt == NULL){
ent.entry.keys.val[i].salt =
malloc(sizeof(*ent.entry.keys.val[i].salt));
if (ent.entry.keys.val[i].salt == NULL)
for(i = 0; i < ent.keys.len; i++){
if(ent.keys.val[i].salt == NULL){
ent.keys.val[i].salt =
malloc(sizeof(*ent.keys.val[i].salt));
if (ent.keys.val[i].salt == NULL)
ret = krb5_enomem(context->context);
else
ret = copy_Salt(&salt, ent.entry.keys.val[i].salt);
ret = copy_Salt(&salt, ent.keys.val[i].salt);
if (ret)
break;
}
@@ -157,19 +157,19 @@ kadm5_s_rename_principal(void *server_handle,
goto out3;
/* Borrow target */
ent.entry.principal = target;
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
ent.principal = target;
ret = hdb_seal_keys(context->context, context->db, &ent);
if (ret)
goto out3;
/* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_rename(context, source, &ent.entry);
ret = kadm5_log_rename(context, source, &ent);
(void) rename_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
ret, source, target);
out3:
ent.entry.principal = oldname; /* Unborrow target */
ent.principal = oldname; /* Unborrow target */
hdb_free_entry(context->context, context->db, &ent);
out2:

26
lib/kadm5/setkey3_s.c
View File

@@ -115,7 +115,7 @@ kadm5_s_setkey_principal_3(void *server_handle,
krb5_keyblock *keyblocks, int n_keys)
{
kadm5_server_context *context = server_handle;
hdb_entry_ex ent;
hdb_entry ent;
kadm5_ret_t ret = 0;
size_t i;
@@ -154,9 +154,9 @@ kadm5_s_setkey_principal_3(void *server_handle,
}
if (keepold) {
ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
ret = hdb_add_current_keys_to_history(context->context, &ent);
} else
ret = hdb_clear_extension(context->context, &ent.entry,
ret = hdb_clear_extension(context->context, &ent,
choice_HDB_extension_data_hist_keys);
/*
@@ -167,7 +167,7 @@ kadm5_s_setkey_principal_3(void *server_handle,
* each ks_tuple's enctype matches the corresponding key enctype.
*/
if (ret == 0) {
free_Keys(&ent.entry.keys);
free_Keys(&ent.keys);
for (i = 0; i < n_keys; ++i) {
Key k;
Salt s;
@@ -186,22 +186,22 @@ kadm5_s_setkey_principal_3(void *server_handle,
s.opaque = 0;
k.salt = &s;
}
if ((ret = add_Keys(&ent.entry.keys, &k)) != 0)
if ((ret = add_Keys(&ent.keys, &k)) != 0)
break;
}
}
if (ret == 0) {
ent.entry.kvno++;
ent.entry.flags.require_pwchange = 0;
hdb_entry_set_pw_change_time(context->context, &ent.entry, 0);
hdb_entry_clear_password(context->context, &ent.entry);
ent.kvno++;
ent.flags.require_pwchange = 0;
hdb_entry_set_pw_change_time(context->context, &ent, 0);
hdb_entry_clear_password(context->context, &ent);
if ((ret = hdb_seal_keys(context->context, context->db,
&ent.entry)) == 0
&& (ret = _kadm5_set_modifier(context, &ent.entry)) == 0
&& (ret = _kadm5_bump_pw_expire(context, &ent.entry)) == 0)
ret = kadm5_log_modify(context, &ent.entry,
&ent)) == 0
&& (ret = _kadm5_set_modifier(context, &ent)) == 0
&& (ret = _kadm5_bump_pw_expire(context, &ent)) == 0)
ret = kadm5_log_modify(context, &ent,
KADM5_ATTRIBUTES | KADM5_PRINCIPAL |
KADM5_MOD_NAME | KADM5_MOD_TIME |
KADM5_KEY_DATA | KADM5_KVNO |

24
tests/plugin/kdc_test_plugin.c
View File

@@ -19,9 +19,11 @@ fini(void *ctx)
}
static krb5_error_code KRB5_CALLCONV
pac_generate(void *ctx, krb5_context context,
struct hdb_entry_ex *client,
struct hdb_entry_ex *server,
pac_generate(void *ctx,
krb5_context context,
krb5_kdc_configuration *config,
hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *pk_replykey,
uint64_t pac_attributes,
krb5_pac *pac)
@@ -52,12 +54,14 @@ pac_generate(void *ctx, krb5_context context,
}
static krb5_error_code KRB5_CALLCONV
pac_verify(void *ctx, krb5_context context,
pac_verify(void *ctx,
krb5_context context,
krb5_kdc_configuration *config,
const krb5_principal new_ticket_client,
const krb5_principal delegation_proxy,
struct hdb_entry_ex * client,
struct hdb_entry_ex * server,
struct hdb_entry_ex * krbtgt,
hdb_entry * client,
hdb_entry * server,
hdb_entry * krbtgt,
krb5_pac *pac)
{
krb5_error_code ret;
@@ -78,7 +82,7 @@ pac_verify(void *ctx, krb5_context context,
if (ret)
return ret;
if (rodc_id == 0 || rodc_id != krbtgt->entry.kvno >> 16) {
if (rodc_id == 0 || rodc_id != krbtgt->kvno >> 16) {
krb5_warnx(context, "Wrong RODCIdentifier");
return EINVAL;
}
@@ -87,7 +91,7 @@ pac_verify(void *ctx, krb5_context context,
if (ret)
return ret;
ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key);
ret = hdb_enctype2key(context, krbtgt, NULL, etype, &key);
if (ret)
return ret;
@@ -152,7 +156,7 @@ audit(void *ctx, astgs_request_t r)
}
static krb5plugin_kdc_ftable kdc_plugin = {
KRB5_PLUGIN_KDC_VERSION_9,
KRB5_PLUGIN_KDC_VERSION_10,
init,
fini,
pac_generate,