hdb: decorate HDB_entry with context member

Decorate HDB_entry with context and move free_entry callback into HDB structure
itself. Requires updating hdb_free_entry() signature to include HDB parameter.
A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
member) into hdb_entry.
This commit is contained in:
Luke Howard
2022-01-07 12:15:55 +11:00
parent 923067e099
commit c5551775e2
40 changed files with 150 additions and 137 deletions


@@ -61,6 +61,7 @@ ntlm_service(void *ctx, const heim_idata *req,
heim_idata rep = { 0, NULL };
krb5_context context = ctx;
hdb_entry_ex *user = NULL;
HDB *db = NULL;
Key *key = NULL;
NTLMReply ntp;
size_t size;
@@ -113,7 +114,7 @@ ntlm_service(void *ctx, const heim_idata *req,
krb5_principal_set_type(context, client, KRB5_NT_NTLM);
ret = _kdc_db_fetch(context, config, client,
HDB_F_GET_CLIENT, NULL, NULL, &user);
HDB_F_GET_CLIENT, NULL, &db, &user);
krb5_free_principal(context, client);
if (ret)
goto failed;
@@ -213,7 +214,7 @@ ntlm_service(void *ctx, const heim_idata *req,
free_NTLMRequest2(&ntq);
if (user)
_kdc_free_ent (context, user);
_kdc_free_ent (context, db, user);
}
static int help_flag;


@@ -190,7 +190,7 @@ get_password_entry(krb5_context context,
}
memset(user, 0, sizeof(*user));
}
_kdc_free_ent (context, user);
_kdc_free_ent (context, db, user);
return ret;
}
@@ -217,7 +217,9 @@ _kdc_do_digest(krb5_context context,
size_t size;
krb5_storage *sp = NULL;
Checksum res;
HDB *serverdb, *userdb;
hdb_entry_ex *server = NULL, *user = NULL;
HDB *clientdb;
hdb_entry_ex *client = NULL;
char *client_name = NULL, *password = NULL;
krb5_data serverNonce;
@@ -292,7 +294,7 @@ _kdc_do_digest(krb5_context context,
krb5_clear_error_message(context);
ret = _kdc_db_fetch(context, config, principal,
HDB_F_GET_SERVER, NULL, NULL, &server);
HDB_F_GET_SERVER, NULL, &serverdb, &server);
if (ret)
goto out;
@@ -314,7 +316,7 @@ _kdc_do_digest(krb5_context context,
}
ret = _kdc_db_fetch(context, config, principal,
HDB_F_GET_CLIENT, NULL, NULL, &client);
HDB_F_GET_CLIENT, NULL, &clientdb, &client);
krb5_free_principal(context, principal);
if (ret)
goto out;
@@ -877,7 +879,7 @@ _kdc_do_digest(krb5_context context,
goto failed;
ret = _kdc_db_fetch(context, config, clientprincipal,
HDB_F_GET_CLIENT, NULL, NULL, &user);
HDB_F_GET_CLIENT, NULL, &userdb, &user);
krb5_free_principal(context, clientprincipal);
if (ret) {
krb5_set_error_message(context, ret,
@@ -1163,7 +1165,7 @@ _kdc_do_digest(krb5_context context,
goto failed;
ret = _kdc_db_fetch(context, config, clientprincipal,
HDB_F_GET_CLIENT, NULL, NULL, &user);
HDB_F_GET_CLIENT, NULL, &userdb, &user);
krb5_free_principal(context, clientprincipal);
if (ret) {
krb5_set_error_message(context, ret, "NTLM user %s not in database",
@@ -1494,11 +1496,11 @@ _kdc_do_digest(krb5_context context,
if (sp)
krb5_storage_free(sp);
if (user)
_kdc_free_ent (context, user);
_kdc_free_ent (context, userdb, user);
if (server)
_kdc_free_ent (context, server);
_kdc_free_ent (context, serverdb, server);
if (client)
_kdc_free_ent (context, client);
_kdc_free_ent (context, clientdb, client);
if (password) {
memset(password, 0, strlen(password));
free (password);
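Review bot: `HDB *serverdb, *userdb;` and `HDB *clientdb;` are declared without initializers while the entry pointers beside them are set to NULL, so the safety of `if (user) _kdc_free_ent(context, userdb, user);` in the cleanup depends on _kdc_db_fetch always storing the db before it returns an entry, which this hunk cannot confirm. Since this commit moves the free_entry callback into the HDB, an unset db is a wild pointer that the free path dereferences, not a harmless argument. Initialize them: `HDB *serverdb = NULL, *userdb = NULL;` and `HDB *clientdb = NULL;`. user is fetched on two different branches of _kdc_do_digest, so userdb is written from two places; a NULL initializer makes the cleanup independent of which branch ran. The function starts before the first hunk of this file.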


@@ -108,6 +108,7 @@ get_fastuser_crypto(astgs_request_t r,
krb5_crypto *crypto)
{
krb5_principal fast_princ;
HDB *fast_db;
hdb_entry_ex *fast_user = NULL;
Key *cookie_key = NULL;
krb5_crypto fast_crypto = NULL;
@@ -122,7 +123,7 @@ get_fastuser_crypto(astgs_request_t r,
goto out;
ret = _kdc_db_fetch(r->context, r->config, fast_princ,
HDB_F_GET_FAST_COOKIE, NULL, NULL, &fast_user);
HDB_F_GET_FAST_COOKIE, NULL, &fast_db, &fast_user);
if (ret)
goto out;
@@ -148,7 +149,7 @@ get_fastuser_crypto(astgs_request_t r,
out:
if (fast_user)
_kdc_free_ent(r->context, fast_user);
_kdc_free_ent(r->context, fast_db, fast_user);
if (fast_crypto)
krb5_crypto_destroy(r->context, fast_crypto);
krb5_free_principal(r->context, fast_princ);
@@ -549,7 +550,7 @@ fast_unwrap_request(astgs_request_t r,
ret = _kdc_db_fetch(r->context, r->config, armor_server_principal,
HDB_F_GET_KRBTGT | HDB_F_DELAY_NEW_KEYS,
(krb5uint32 *)ap_req.ticket.enc_part.kvno,
NULL, &r->armor_server);
&r->armor_serverdb, &r->armor_server);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
free_AP_REQ(&ap_req);
kdc_log(r->context, r->config, 5,
@@ -834,6 +835,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
krb5_boolean ad_kdc_issued = FALSE;
krb5_pac mspac = NULL;
krb5_principal armor_client_principal = NULL;
HDB *armor_db;
hdb_entry_ex *armor_client = NULL;
char *armor_client_principal_name = NULL;
@@ -857,7 +859,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
ret = _kdc_db_fetch_client(r->context, r->config, flags,
armor_client_principal, armor_client_principal_name,
r->req.req_body.realm, NULL, &armor_client);
r->req.req_body.realm, &armor_db, &armor_client);
if (ret)
goto out;
@@ -886,7 +888,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
out:
krb5_xfree(armor_client_principal_name);
if (armor_client)
_kdc_free_ent(r->context, armor_client);
_kdc_free_ent(r->context, armor_db, armor_client);
krb5_free_principal(r->context, armor_client_principal);
krb5_pac_free(r->context, mspac);
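Review bot: `HDB *fast_db;` in get_fastuser_crypto and `HDB *armor_db;` in _kdc_fast_check_armor_pac carry no initializer, so `if (fast_user) _kdc_free_ent(r->context, fast_db, fast_user);` is only safe if the fetch stores the db every time it returns an entry, which cannot be verified from the hunk. Suggest `HDB *fast_db = NULL;` and `HDB *armor_db = NULL;`, matching the NULL-initialized entry pointers declared next to them. Both functions begin before their hunks.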


@@ -682,6 +682,7 @@ _kdc_gss_check_client(astgs_request_t r,
krb5_principal initiator_princ = NULL;
hdb_entry_ex *initiator = NULL;
krb5_boolean authorized = FALSE;
HDB *clientdb = r->clientdb;
OM_uint32 minor;
gss_buffer_desc display_name = GSS_C_EMPTY_BUFFER;
@@ -742,7 +743,7 @@ _kdc_gss_check_client(astgs_request_t r,
if (krb5_principal_is_federated(r->context, r->client->entry.principal)) {
initiator->entry.flags.force_canonicalize = 1;
_kdc_free_ent(r->context, r->client);
_kdc_free_ent(r->context, clientdb, r->client);
r->client = initiator;
initiator = NULL;
} else if (!krb5_principal_compare(r->context,
@@ -760,7 +761,7 @@ _kdc_gss_check_client(astgs_request_t r,
out:
krb5_free_principal(r->context, initiator_princ);
if (initiator)
_kdc_free_ent(r->context, initiator);
_kdc_free_ent(r->context, r->clientdb, initiator);
gss_release_buffer(&minor, &display_name);
return ret;
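Review bot: When r->client is replaced at `r->client = initiator;`, r->clientdb is left pointing at the HDB the previous client was fetched from, so the request teardown's `_kdc_free_ent(r->context, r->clientdb, r->client)` would release initiator against the wrong database if initiator came from a different HDB; the `out:` path here likewise frees initiator with r->clientdb while the swap uses the local copy. The fetch of initiator is outside the hunk, so whether its db can differ from r->clientdb cannot be confirmed here, but update_client_names in the S4U code handles the same swap by copying the db pointer as well. Suggest fetching initiator into a local `HDB *initiatordb = NULL;`, then on the swap `r->clientdb = initiatordb;` and in `out:` `_kdc_free_ent(r->context, initiatordb, initiator);`. _kdc_gss_check_client begins before the hunk.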


@@ -279,7 +279,7 @@ main(int argc, char **argv)
else
nprincs++;
}
hdb_free_entry(context, &entry);
hdb_free_entry(context, db, &entry);
}
if (!print_dump)
krb5_log(context, fac, 0, "Received %d principals", nprincs);


@@ -148,10 +148,12 @@ typedef struct krb5_kdc_configuration {
/* server principal */ \
krb5_principal server_princ; \
hdb_entry_ex *server; \
HDB *serverdb; \
\
/* presented ticket in TGS-REQ (unused by AS) */ \
krb5_principal *krbtgt_princ; \
hdb_entry_ex *krbtgt; \
HDB *krbtgtdb; \
krb5_ticket *ticket; \
\
krb5_keyblock reply_key; \
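Review bot: The comment `/* presented ticket in TGS-REQ (unused by AS) */` above krbtgt is no longer accurate: elsewhere in this commit _kdc_as_rep stores the result of get_local_tgs in r->krbtgt and r->krbtgtdb, so the AS path now populates these fields too. Suggest rewording it to `/* krbtgt entry: the presented ticket's TGS in a TGS-REQ, the local TGS in an AS-REQ */` and documenting the new members with `/* HDB each entry was fetched from; paired with the entry above and meaningful only while it is non-NULL */`. Whether these HDB pointers are owned or borrowed is not visible here and should be stated by whoever knows the lifetime.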


@@ -88,6 +88,7 @@ struct astgs_request_desc {
krb5_crypto armor_crypto;
hdb_entry_ex *armor_server;
HDB *armor_serverdb;
krb5_ticket *armor_ticket;
Key *armor_key;


@@ -2022,11 +2022,13 @@ static krb5_error_code
get_local_tgs(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_realm realm,
HDB **krbtgtdb,
hdb_entry_ex **krbtgt)
{
krb5_error_code ret;
krb5_principal tgs_name;
*krbtgtdb = NULL;
*krbtgt = NULL;
ret = krb5_make_principal(context,
@@ -2039,7 +2041,7 @@ get_local_tgs(krb5_context context,
return ret;
ret = _kdc_db_fetch(context, config, tgs_name,
HDB_F_GET_KRBTGT, NULL, NULL, krbtgt);
HDB_F_GET_KRBTGT, NULL, krbtgtdb, krbtgt);
krb5_free_principal(context, tgs_name);
return ret;
@@ -2066,7 +2068,6 @@ _kdc_as_rep(astgs_request_t r)
const PA_DATA *pa;
krb5_boolean is_tgs;
const char *msg;
hdb_entry_ex *krbtgt = NULL;
Key *krbtgt_key;
memset(rep, 0, sizeof(*rep));
@@ -2182,7 +2183,7 @@ _kdc_as_rep(astgs_request_t r)
ret = _kdc_db_fetch(r->context, config, r->server_princ,
HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS |
flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
NULL, NULL, &r->server);
NULL, &r->serverdb, &r->server);
switch (ret) {
case 0: /* Success */
break;
@@ -2386,11 +2387,11 @@ _kdc_as_rep(astgs_request_t r)
krbtgt_key = skey;
} else {
ret = get_local_tgs(r->context, config, r->server_princ->realm,
&krbtgt);
&r->krbtgtdb, &r->krbtgt);
if (ret)
goto out;
ret = _kdc_get_preferred_key(r->context, config, krbtgt,
ret = _kdc_get_preferred_key(r->context, config, r->krbtgt,
r->server_princ->realm,
NULL, &krbtgt_key);
if (ret)
@@ -2762,11 +2763,11 @@ out:
r->server_princ = NULL;
}
if (r->client)
_kdc_free_ent(r->context, r->client);
_kdc_free_ent(r->context, r->clientdb, r->client);
if (r->server)
_kdc_free_ent(r->context, r->server);
if (krbtgt)
_kdc_free_ent(r->context, krbtgt);
_kdc_free_ent(r->context, r->serverdb, r->server);
if (r->krbtgt)
_kdc_free_ent(r->context, r->krbtgtdb, r->krbtgt);
if (r->armor_crypto) {
krb5_crypto_destroy(r->context, r->armor_crypto);
r->armor_crypto = NULL;
@@ -2774,7 +2775,7 @@ out:
if (r->armor_ticket)
krb5_free_ticket(r->context, r->armor_ticket);
if (r->armor_server)
_kdc_free_ent(r->context, r->armor_server);
_kdc_free_ent(r->context, r->armor_serverdb, r->armor_server);
krb5_free_keyblock_contents(r->context, &r->reply_key);
krb5_free_keyblock_contents(r->context, &r->session_key);
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
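Review bot: Moving the AS-REQ's local TGS from the function-local `krbtgt` into `r->krbtgt` at `get_local_tgs(..., &r->krbtgtdb, &r->krbtgt)` changes the meaning of a request field that the request header documents as the TGS-REQ's presented ticket and "unused by AS". Any shared code that tests `r->krbtgt != NULL` to distinguish the two request types would now see it set on the AS path; the header comment should be updated in this commit and such users audited. If the old semantics are meant to hold, keep a local pair `HDB *krbtgtdb = NULL; hdb_entry_ex *krbtgt = NULL;` and free them in `out:` as before. _kdc_as_rep begins before its first hunk and the `out:` label is outside the hunk.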


@@ -958,7 +958,7 @@ tgs_parse_request(astgs_request_t r,
krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
ret = _kdc_db_fetch(r->context, config, princ, HDB_F_GET_KRBTGT,
&krbtgt_kvno, NULL, &r->krbtgt);
&krbtgt_kvno, &r->krbtgtdb, &r->krbtgt);
if (ret == HDB_ERR_NOT_FOUND_HERE) {
/* XXX Factor out this unparsing of the same princ all over */
@@ -1335,7 +1335,7 @@ _kdc_db_fetch_client(krb5_context context,
krb5_free_error_message(context, msg);
} else if (client->entry.flags.invalid || !client->entry.flags.client) {
kdc_log(context, config, 4, "Client has invalid bit set");
_kdc_free_ent(context, client);
_kdc_free_ent(context, *clientdb, client);
return KRB5KDC_ERR_POLICY;
}
@@ -1361,6 +1361,7 @@ tgs_build_reply(astgs_request_t priv,
char *spn = NULL, *cpn = NULL, *krbtgt_out_n = NULL;
char *user2user_name = NULL;
hdb_entry_ex *server = NULL, *client = NULL;
HDB *user2user_krbtgtdb;
hdb_entry_ex *user2user_krbtgt = NULL;
HDB *clientdb;
HDB *serverdb = NULL;
@@ -1379,6 +1380,7 @@ tgs_build_reply(astgs_request_t priv,
char **capath = NULL;
size_t num_capath = 0;
HDB *krbtgt_outdb;
hdb_entry_ex *krbtgt_out = NULL;
PrincipalName *s;
@@ -1442,12 +1444,13 @@ tgs_build_reply(astgs_request_t priv,
server_lookup:
priv->server = NULL;
if (server)
_kdc_free_ent(context, server);
_kdc_free_ent(context, serverdb, server);
server = NULL;
ret = _kdc_db_fetch(context, config, priv->server_princ,
HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
NULL, &serverdb, &server);
priv->server = server;
priv->serverdb = serverdb;
if (ret == HDB_ERR_NOT_FOUND_HERE) {
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", spn);
_kdc_audit_addreason((kdc_request_t)priv, "Target not found here");
@@ -1608,7 +1611,7 @@ server_lookup:
}
ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
HDB_F_GET_KRBTGT, NULL, &krbtgt_outdb, &krbtgt_out);
if (ret) {
char *ktpn = NULL;
ret = krb5_unparse_name(context, priv->krbtgt->entry.principal, &ktpn);
@@ -1635,6 +1638,7 @@ server_lookup:
krb5uint32 second_kvno = 0;
krb5uint32 *kvno_ptr = NULL;
size_t i;
HDB *user2user_db;
hdb_entry_ex *user2user_client = NULL;
krb5_boolean user2user_kdc_issued = FALSE;
char *tpn;
@@ -1670,7 +1674,7 @@ server_lookup:
}
ret = _kdc_db_fetch(context, config, p,
HDB_F_GET_KRBTGT, kvno_ptr,
NULL, &user2user_krbtgt);
&user2user_krbtgtdb, &user2user_krbtgt);
krb5_free_principal(context, p);
if(ret){
if (ret == HDB_ERR_NOENTRY)
@@ -1724,7 +1728,7 @@ server_lookup:
*/
ret = _kdc_db_fetch(context, config, user2user_princ,
HDB_F_GET_CLIENT | flags,
NULL, NULL, &user2user_client);
NULL, &user2user_db, &user2user_client);
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
if (ret)
@@ -1745,7 +1749,7 @@ server_lookup:
user2user_client,
NULL);
if (ret) {
_kdc_free_ent(context, user2user_client);
_kdc_free_ent(context, user2user_db, user2user_client);
goto out;
}
@@ -1760,7 +1764,7 @@ server_lookup:
user2user_client,
user2user_princ);
if (ret) {
_kdc_free_ent(context, user2user_client);
_kdc_free_ent(context, user2user_db, user2user_client);
goto out;
}
@@ -1769,7 +1773,7 @@ server_lookup:
user2user_client, user2user_krbtgt, user2user_krbtgt, user2user_krbtgt,
&uukey->key, &priv->ticket_key->key, &adtkt,
&user2user_kdc_issued, &user2user_pac, NULL, NULL);
_kdc_free_ent(context, user2user_client);
_kdc_free_ent(context, user2user_db, user2user_client);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
@@ -2048,9 +2052,9 @@ out:
krb5_free_keyblock_contents(context, &sessionkey);
if(krbtgt_out)
_kdc_free_ent(context, krbtgt_out);
_kdc_free_ent(context, krbtgt_outdb, krbtgt_out);
if(user2user_krbtgt)
_kdc_free_ent(context, user2user_krbtgt);
_kdc_free_ent(context, user2user_krbtgtdb, user2user_krbtgt);
krb5_free_principal(context, user2user_princ);
krb5_free_principal(context, krbtgt_out_principal);
@@ -2202,20 +2206,20 @@ out:
if (r->armor_ticket)
krb5_free_ticket(r->context, r->armor_ticket);
if (r->armor_server)
_kdc_free_ent(r->context, r->armor_server);
_kdc_free_ent(r->context, r->armor_serverdb, r->armor_server);
krb5_free_keyblock_contents(r->context, &r->reply_key);
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
if (r->ticket)
krb5_free_ticket(r->context, r->ticket);
if (r->krbtgt)
_kdc_free_ent(r->context, r->krbtgt);
_kdc_free_ent(r->context, r->krbtgtdb, r->krbtgt);
if (r->client)
_kdc_free_ent(r->context, r->client);
_kdc_free_ent(r->context, r->clientdb, r->client);
krb5_free_principal(r->context, r->client_princ);
if (r->server)
_kdc_free_ent(r->context, r->server);
_kdc_free_ent(r->context, r->serverdb, r->server);
krb5_free_principal(r->context, r->server_princ);
_kdc_free_fast_state(&r->fast);
krb5_pac_free(r->context, r->pac);
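Review bot: `_kdc_free_ent(context, *clientdb, client);` in _kdc_db_fetch_client dereferences the clientdb out-parameter unconditionally, yet before this change callers passed NULL for it (the armor-client and S4U call sites on this page did), so any caller not updated here now crashes on the invalid-client path instead of returning KRB5KDC_ERR_POLICY. Safer to fetch through a local and only hand it out when asked: `HDB *db = NULL;` for the fetch, `_kdc_free_ent(context, db, client);` on the policy path, and `if (clientdb) *clientdb = db;` on success. The body of _kdc_db_fetch_client is mostly outside the hunk, so the fetch call itself is not visible. Separately, `user2user_krbtgtdb`, `krbtgt_outdb` and `user2user_db` in tgs_build_reply are declared without initializers while `serverdb` is set to NULL; initializing all of them keeps the `if (entry) _kdc_free_ent(...)` cleanups from depending on the fetch having stored the db.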


@@ -253,6 +253,7 @@ is_local_realm(krb5_context context,
{
krb5_error_code ret;
krb5_principal tgs;
HDB *db;
hdb_entry_ex *ent = NULL;
ret = krb5_make_principal(context, &tgs, realm, KRB5_TGS_NAME, realm,
@@ -261,9 +262,9 @@ is_local_realm(krb5_context context,
return ret;
if (ret == 0)
ret = _kdc_db_fetch(context, reqctx->config, tgs, HDB_F_GET_KRBTGT,
NULL, NULL, &ent);
NULL, &db, &ent);
if (ent)
_kdc_free_ent(context, ent);
_kdc_free_ent(context, db, ent);
krb5_free_principal(context, tgs);
if (ret == HDB_ERR_NOENTRY || ret == HDB_ERR_NOT_FOUND_HERE)
return KRB5KRB_AP_ERR_NOT_US;
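Review bot: `HDB *db;` in is_local_realm is uninitialized; when krb5_make_principal fails the `if (ret == 0)` guard skips the fetch and `ent` stays NULL so the free is skipped, but that safety rests on the ordering of the two checks rather than on the variable itself. `HDB *db = NULL;` makes `if (ent) _kdc_free_ent(context, db, ent);` self-evidently safe. is_local_realm begins before the hunk.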


@@ -117,7 +117,7 @@ synthesize_client(krb5_context context,
*(e->entry.max_life) = config->synthetic_clients_max_life;
*h = e;
} else {
hdb_free_entry(context, e);
hdb_free_entry(context, &null_db, e);
}
return ret;
}
@@ -246,9 +246,9 @@ out:
}
KDC_LIB_FUNCTION void KDC_LIB_CALL
_kdc_free_ent(krb5_context context, hdb_entry_ex *ent)
_kdc_free_ent(krb5_context context, HDB *db, hdb_entry_ex *ent)
{
hdb_free_entry (context, ent);
hdb_free_entry (context, db, ent);
free (ent);
}
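Review bot: `_kdc_free_ent` is an exported KDC_LIB_FUNCTION whose new `db` parameter is undocumented, and callers on this page pass three different things for it: the HDB the entry was fetched from, `&null_db` for synthesized clients, and NULL with an XXX in the MIT dump path, so the contract (must db be the originating HDB, may it be NULL) needs stating. Suggest a header comment such as `/* Free an entry returned by _kdc_db_fetch; db is the HDB it came from and is passed to hdb_free_entry, which finds the free_entry callback through it. */`, plus a one-line comment in synthesize_client explaining why `&null_db` is the right HDB for a synthetic entry. synthesize_client begins before the hunk, so where null_db is defined and whether its free_entry callback is set is not visible here.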


@@ -209,7 +209,7 @@ mit_prop_dump(void *arg, const char *file)
continue;
}
ret = v5_prop(pd->context, NULL, &ent, arg);
hdb_free_entry(pd->context, &ent);
hdb_free_entry(pd->context, NULL, &ent); /* XXX */
if (ret) break;
}
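Review bot: `hdb_free_entry(pd->context, NULL, &ent); /* XXX */` passes a NULL HDB for entries built by the MIT dump parser, and since this commit moves the free_entry callback into the HDB, hdb_free_entry must now tolerate a NULL db (falling back to freeing the plain hdb_entry) or this becomes a NULL dereference on every mit_prop_dump run. Whether hdb_free_entry has that check is not visible here; if it does, replace the XXX with a comment saying so, e.g. `/* no HDB: entry came from the dump file; hdb_free_entry accepts db == NULL */`, and if it does not, add the check in hdb_free_entry rather than leaving the marker. mit_prop_dump begins before the hunk.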


@@ -100,6 +100,7 @@ static void
update_client_names(astgs_request_t r,
char **s4ucname,
krb5_principal *s4u_client_name,
HDB **s4u_clientdb,
hdb_entry_ex **s4u_client,
krb5_principal *s4u_canon_client_name,
krb5_pac *s4u_pac)
@@ -111,9 +112,11 @@ update_client_names(astgs_request_t r,
r->client_princ = *s4u_client_name;
*s4u_client_name = NULL;
_kdc_free_ent(r->context, r->client);
_kdc_free_ent(r->context, r->clientdb, r->client);
r->client = *s4u_client;
*s4u_client = NULL;
r->clientdb = *s4u_clientdb;
*s4u_clientdb = NULL;
krb5_free_principal(r->context, r->canon_client_princ);
r->canon_client_princ = *s4u_canon_client_name;
@@ -334,12 +337,13 @@ validate_protocol_transition(astgs_request_t r)
* impersonated client. (The audit entry containing the original
* client name will have been created before this point.)
*/
update_client_names(r, &s4ucname, &s4u_client_name, &s4u_client,
update_client_names(r, &s4ucname, &s4u_client_name,
&s4u_clientdb, &s4u_client,
&s4u_canon_client_name, &s4u_pac);
out:
if (s4u_client)
_kdc_free_ent(r->context, s4u_client);
_kdc_free_ent(r->context, s4u_clientdb, s4u_client);
krb5_free_principal(r->context, s4u_client_name);
krb5_xfree(s4ucname);
krb5_free_principal(r->context, s4u_canon_client_name);
@@ -368,6 +372,7 @@ validate_constrained_delegation(astgs_request_t r)
uint64_t s4u_pac_attributes;
char *s4ucname = NULL, *s4usname = NULL;
EncTicketPart evidence_tkt;
HDB *s4u_clientdb;
hdb_entry_ex *s4u_client = NULL;
krb5_boolean ad_kdc_issued = FALSE;
Key *clientkey;
@@ -476,7 +481,7 @@ validate_constrained_delegation(astgs_request_t r)
/* Try lookup the delegated client in DB */
ret = _kdc_db_fetch_client(r->context, r->config, flags,
s4u_client_name, s4ucname, local_realm,
NULL, &s4u_client);
&s4u_clientdb, &s4u_client);
if (ret)
goto out;
@@ -539,13 +544,14 @@ validate_constrained_delegation(astgs_request_t r)
* impersonated client. (The audit entry containing the original
* client name will have been created before this point.)
*/
update_client_names(r, &s4ucname, &s4u_client_name, &s4u_client,
update_client_names(r, &s4ucname, &s4u_client_name,
&s4u_clientdb, &s4u_client,
&s4u_canon_client_name, &s4u_pac);
r->pac_attributes = s4u_pac_attributes;
out:
if (s4u_client)
_kdc_free_ent(r->context, s4u_client);
_kdc_free_ent(r->context, s4u_clientdb, s4u_client);
krb5_free_principal(r->context, s4u_client_name);
krb5_xfree(s4ucname);
krb5_free_principal(r->context, s4u_server_name);
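Review bot: `HDB *s4u_clientdb;` in validate_constrained_delegation is declared without an initializer while `s4u_client` next to it is set to NULL, so the `out:` cleanup `if (s4u_client) _kdc_free_ent(r->context, s4u_clientdb, s4u_client);` assumes _kdc_db_fetch_client stored the db whenever it returned an entry. update_client_names nulls `*s4u_client` and `*s4u_clientdb` together on transfer, so a NULL initializer keeps the pair in step on every path. Suggest `HDB *s4u_clientdb = NULL;` here and the same for the matching declaration in validate_protocol_transition, which is outside the hunk.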