diff --git a/kadmin/kadmin-commands.in b/kadmin/kadmin-commands.in index 8fc300825..89e67610d 100644 --- a/kadmin/kadmin-commands.in +++ b/kadmin/kadmin-commands.in @@ -176,15 +176,17 @@ command = { } option = { long = "hist-kvno-diff-clnt" - type = "string" + type = "integer" argument = "kvno diff" help = "historic keys allowed for client" + default = "-1" } option = { long = "hist-kvno-diff-svc" - type = "string" + type = "integer" argument = "kvno diff" help = "historic keys allowed for service" + default = "-1" } option = { long = "use-defaults" @@ -379,15 +381,17 @@ command = { } option = { long = "hist-kvno-diff-clnt" - type = "string" + type = "integer" argument = "kvno diff" help = "historic keys allowed for client" + default = "-1" } option = { long = "hist-kvno-diff-svc" - type = "string" + type = "integer" argument = "kvno diff" help = "historic keys allowed for service" + default = "-1" } argument = "principal" min_args = "1" diff --git a/kadmin/mod.c b/kadmin/mod.c index 017e4ac84..615105f9d 100644 --- a/kadmin/mod.c +++ b/kadmin/mod.c @@ -41,7 +41,7 @@ add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data) tl = ecalloc(1, sizeof(*tl)); tl->tl_data_next = NULL; - tl->tl_data_type = KRB5_TL_EXTENSION; + tl->tl_data_type = type; tl->tl_data_length = data->length; tl->tl_data_contents = data->data; @@ -99,7 +99,7 @@ add_constrained_delegation(krb5_context contextp, if (buf.length != size) abort(); - add_tl(princ, KRB5_TL_EXTENSION, &buf); + add_tl(princ, KRB5_TL_EXTENSION, &buf); /* XXX wrong type */ } static void @@ -142,7 +142,7 @@ add_aliases(krb5_context contextp, kadm5_principal_ent_rec *princ, if (buf.length != size) abort(); - add_tl(princ, KRB5_TL_EXTENSION, &buf); + add_tl(princ, KRB5_TL_ALIASES, &buf); } static void @@ -182,7 +182,41 @@ add_pkinit_acl(krb5_context contextp, kadm5_principal_ent_rec *princ, if (buf.length != size) abort(); - add_tl(princ, KRB5_TL_EXTENSION, &buf); + add_tl(princ, KRB5_TL_PKINIT_ACL, &buf); +} + +static void +add_kvno_diff(krb5_context context, kadm5_principal_ent_rec *princ, + int is_svc_diff, krb5_kvno kvno_diff) +{ + krb5_error_code ret; + HDB_extension ext; + krb5_data buf; + size_t size = 0; + int type; + + if (kvno_diff < 0) + return; + if (kvno_diff > 2048) + kvno_diff = 2048; + + if (is_svc_diff) { + ext.data.element = choice_HDB_extension_data_hist_kvno_diff_svc; + ext.data.u.hist_kvno_diff_svc = (unsigned int)kvno_diff; + type = KRB5_TL_HIST_KVNO_DIFF_SVC; + } else { + ext.data.element = choice_HDB_extension_data_hist_kvno_diff_clnt; + ext.data.u.hist_kvno_diff_clnt = (unsigned int)kvno_diff; + type = KRB5_TL_HIST_KVNO_DIFF_CLNT; + } + ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, + &ext, &size, ret); + if (ret) + abort(); + if (buf.length != size) + abort(); + + add_tl(princ, type, &buf); } static int @@ -211,7 +245,9 @@ do_mod_entry(krb5_principal principal, void *data) e->kvno_integer != -1 || e->constrained_delegation_strings.num_strings || e->alias_strings.num_strings || - e->pkinit_acl_strings.num_strings) { + e->pkinit_acl_strings.num_strings || + e->hist_kvno_diff_clnt_integer != -1 || + e->hist_kvno_diff_svc_integer != -1) { ret = set_entry(context, &princ, &mask, e->max_ticket_life_string, e->max_renewable_life_string, @@ -236,7 +272,14 @@ do_mod_entry(krb5_principal principal, void *data) add_pkinit_acl(context, &princ, &e->pkinit_acl_strings); mask |= KADM5_TL_DATA; } - + if (e->hist_kvno_diff_clnt_integer != -1) { + add_kvno_diff(context, &princ, 0, e->hist_kvno_diff_clnt_integer); + mask |= KADM5_TL_DATA; + } + if (e->hist_kvno_diff_svc_integer != -1) { + add_kvno_diff(context, &princ, 1, e->hist_kvno_diff_clnt_integer); + mask |= KADM5_TL_DATA; + } } else ret = edit_entry(&princ, &mask, NULL, 0); if(ret == 0) {