krb5_error_code krb5_db_unlock ( krb5_context kcontext );
krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
krb5_const_principal search_for,
- krb5_db_entry *entries,
- int *nentries,
- krb5_boolean *more );
-krb5_error_code krb5_db_get_principal_ext ( krb5_context kcontext,
- krb5_const_principal search_for,
- unsigned int flags,
- krb5_db_entry *entries,
- int *nentries,
- krb5_boolean *more );
-void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry,
- int count );
+ unsigned int flags,
+ krb5_db_entry **entry );
+void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry );
krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
- krb5_db_entry *entries,
- int *nentries);
+ krb5_db_entry *entry );
krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
- krb5_principal search_for,
- int *nentries );
+ krb5_principal search_for );
krb5_error_code krb5_db_iterate ( krb5_context kcontext,
char *match_entry,
int (*func) (krb5_pointer, krb5_db_entry *),
krb5_error_code
krb5_db_get_policy ( krb5_context kcontext,
char *name,
- osa_policy_ent_t *policy,
- int *nentries);
+ osa_policy_ent_t *policy );
krb5_error_code
krb5_db_put_policy( krb5_context kcontext,
krb5_error_code (*unlock)(krb5_context kcontext);
/*
- * Mandatory: Fill in *entries with the entry for the principal search_for.
- * The module must allocate each entry field separately, as callers may
- * free individual fields using db_free. If the principal is not found,
- * set *nentries to 0 and return success.
- *
- * The nentries and more arguments appear to be intended to account for
- * multiple entries for a principal, but this functionality is neither
- * implemented nor used. *nentries is set to 1 by all callers and should
- * be set to 0 or 1 on return; *more sould be set to FALSE on return.
- * Callers will typically error out if modules behave otherwise.
+ * Mandatory: Set *entry to an allocated entry for the principal
+ * search_for. If the principal is not found, return KRB5_KDB_NOENTRY.
*
* The meaning of flags are as follows (some of these may be processed by
* db_invoke methods such as KRB5_KDB_METHOD_SIGN_AUTH_DATA rather than by
krb5_error_code (*get_principal)(krb5_context kcontext,
krb5_const_principal search_for,
unsigned int flags,
- krb5_db_entry *entries, int *nentries,
- krb5_boolean *more);
+ krb5_db_entry **entry);
/*
- * Mandatory: Free the memory associated with principal entries. Do not
- * free entry itself. All callers ignore the return value. Entries may
- * have been constructed by the caller (using the db_alloc function to
- * allocate associated memory); thus, a plugin must allocate each field
- * of a principal entry separately.
+ * Mandatory: Free a database entry. The entry may have been constructed
+ * by the caller (using the db_alloc function to allocate associated
+ * memory); thus, a plugin must allocate each field of a principal entry
+ * separately.
*/
- void (*free_principal)(krb5_context kcontext, krb5_db_entry *entry,
- int count);
+ void (*free_principal)(krb5_context kcontext, krb5_db_entry *entry);
/*
- * Optional: Create or modify one or more principal entries. All callers
- * operate on a single entry. db_args communicates command-line arguments
- * for module-specific flags.
+ * Optional: Create or modify a principal entry. db_args communicates
+ * command-line arguments for module-specific flags.
*
* The mask field of an entry indicates the changed fields. Mask values
* are defined in kadmin's admin.h header. If KADM5_PRINCIPAL is set in
* ignore the mask and update the entire entry.
*/
krb5_error_code (*put_principal)(krb5_context kcontext,
- krb5_db_entry *entries, int *nentries,
- char **db_args);
+ krb5_db_entry *entry, char **db_args);
/*
* Optional: Delete the entry for the principal search_for. If the
- * principal does not exist, set *nentries to 0 and return success; if it
- * did exist, set *nentries to 1.
+ * principal did not exist, return KRB5_KDB_NOENTRY.
*/
krb5_error_code (*delete_principal)(krb5_context kcontext,
- krb5_const_principal search_for,
- int *nentries);
+ krb5_const_principal search_for);
/*
* Optional: For each principal entry in the database, invoke func with the
osa_policy_ent_t policy);
/*
- * Optional: If a password policy entry exists with the name name, allocate
- * a policy entry in *policy, fill it in with the policy information, and
- * set *cnt to 1. If the entry does not exist, set *cnt to 0 and return
- * success, or return an error (existing module implementations are not
- * consistent).
+ * Optional: Set *policy to the policy entry of the specified name. If the
+ * entry does not exist, return KRB5_KDB_NOENTRY.
*/
krb5_error_code (*get_policy)(krb5_context kcontext, char *name,
- osa_policy_ent_t *policy, int *cnt);
+ osa_policy_ent_t *policy);
/*
* Optional: Modify an existing password policy entry to match the values
ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args);
extern krb5_error_code
-ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
- kdb_incr_update_t *updates, int nentries);
+ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
+ kdb_incr_update_t *update);
extern krb5_error_code
-ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
- kdb_incr_update_t *updates, int nentries);
+ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry,
+ kdb_incr_update_t *update);
extern void ulog_free_entries(kdb_incr_update_t *updates, int no_of_updates);
extern krb5_error_code ulog_set_role(krb5_context ctx, iprop_role role);
extern int exit_status;
extern krb5_context util_context;
extern kadm5_config_params global_params;
-extern krb5_db_entry master_entry;
+extern krb5_db_entry *master_entry;
/* Strings */
* get new master key vno that will be used to protect princs, used
* later on.
*/
- new_mkvno = get_next_kvno(util_context, &master_entry);
+ new_mkvno = get_next_kvno(util_context, master_entry);
}
kret = 0;
{
int nmatched;
int retval;
- krb5_db_entry dbent;
+ krb5_db_entry *dbent;
int name_len, mod_name_len, key_len;
int alt_key_len, salt_len, alt_salt_len;
char *name;
try2read = (char *) NULL;
(*linenop)++;
retval = 1;
- memset(&dbent, 0, sizeof(dbent));
+ dbent = krb5_db_alloc(kcontext, NULL, sizeof(*dbent));
+ if (dbent == NULL)
+ return(1);
+ memset(dbent, 0, sizeof(*dbent));
/* Make sure we've got key_data entries */
- if (krb5_dbe_create_key_data(kcontext, &dbent) ||
- krb5_dbe_create_key_data(kcontext, &dbent)) {
- krb5_db_free_principal(kcontext, &dbent, 1);
+ if (krb5_dbe_create_key_data(kcontext, dbent) ||
+ krb5_dbe_create_key_data(kcontext, dbent)) {
+ krb5_db_free_principal(kcontext, dbent);
return(1);
}
- pkey = &dbent.key_data[0];
- akey = &dbent.key_data[1];
+ pkey = &dbent->key_data[0];
+ akey = &dbent->key_data[1];
/*
* Match the sizes. 6 tokens to match.
/* Read principal attributes */
if (!error && (fscanf(filep,
"\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t",
- &tmpint1, &dbent.max_life,
- &dbent.max_renewable_life,
- &tmpint2, &dbent.expiration,
- &dbent.pw_expiration, &last_pwd_change,
- &dbent.last_success, &dbent.last_failed,
+ &tmpint1, &dbent->max_life,
+ &dbent->max_renewable_life,
+ &tmpint2, &dbent->expiration,
+ &dbent->pw_expiration, &last_pwd_change,
+ &dbent->last_success, &dbent->last_failed,
&tmpint3) != 10)) {
try2read = read_pr_data1;
error++;
}
pkey->key_data_kvno = tmpint1;
- dbent.fail_auth_count = tmpint3;
+ dbent->fail_auth_count = tmpint3;
/* Read modifier name */
if (!error && read_string(filep,
mod_name,
}
/* Read second set of attributes */
if (!error && (fscanf(filep, "\t%u\t%u\t%u\t",
- &mod_date, &dbent.attributes,
+ &mod_date, &dbent->attributes,
&tmpint1) != 3)) {
try2read = read_pr_data2;
error++;
if (!error) {
if (!(kret = krb5_parse_name(kcontext,
name,
- &dbent.princ))) {
+ &dbent->princ))) {
if (!(kret = krb5_parse_name(kcontext,
mod_name,
&mod_princ))) {
if (!(kret =
krb5_dbe_update_mod_princ_data(kcontext,
- &dbent,
+ dbent,
mod_date,
mod_princ)) &&
!(kret =
krb5_dbe_update_last_pwd_change(kcontext,
- &dbent,
+ dbent,
last_pwd_change))) {
- int one = 1;
-
- dbent.len = KRB5_KDB_V1_BASE_LENGTH;
+ dbent->len = KRB5_KDB_V1_BASE_LENGTH;
pkey->key_data_ver = (pkey->key_data_type[1] || pkey->key_data_length[1]) ?
2 : 1;
akey->key_data_ver = (akey->key_data_type[1] || akey->key_data_length[1]) ?
akey->key_data_type[0]) &&
(pkey->key_data_type[1] ==
akey->key_data_type[1]))
- dbent.n_key_data--;
+ dbent->n_key_data--;
else if ((akey->key_data_type[0] == 0)
&& (akey->key_data_length[0] == 0)
&& (akey->key_data_type[1] == 0)
&& (akey->key_data_length[1] == 0))
- dbent.n_key_data--;
+ dbent->n_key_data--;
- dbent.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
+ dbent->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_KEY_DATA |
KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT;
if ((kret = krb5_db_put_principal(kcontext,
- &dbent,
- &one)) ||
- (one != 1)) {
+ dbent))) {
fprintf(stderr, store_err_fmt,
fname, *linenop, name,
error_message(kret));
fprintf(stderr, add_princ_fmt, name);
retval = 0;
}
- dbent.n_key_data = 2;
+ dbent->n_key_data = 2;
}
krb5_free_principal(kcontext, mod_princ);
}
fprintf(stderr, no_mem_fmt, fname, *linenop);
}
- krb5_db_free_principal(kcontext, &dbent, 1);
+ krb5_db_free_principal(kcontext, dbent);
if (mod_name)
free(mod_name);
if (name)
int *linenop;
{
int retval;
- krb5_db_entry dbentry;
+ krb5_db_entry *dbentry;
krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9;
int nread;
int error;
- int i, j, one;
+ int i, j;
char *name;
krb5_key_data *kp, *kdatap;
krb5_tl_data **tlp, *tl;
const char *try2read;
try2read = (char *) NULL;
- memset(&dbentry, 0, sizeof(dbentry));
+ dbentry = krb5_db_alloc(kcontext, NULL, sizeof(*dbentry));
+ if (dbentry == NULL)
+ return(1);
+ memset(dbentry, 0, sizeof(*dbentry));
(*linenop)++;
retval = 1;
name = (char *) NULL;
error++;
/* Get memory for and form tagged data linked list */
- tlp = &dbentry.tl_data;
+ tlp = &dbentry->tl_data;
for (i=0; i<t3; i++) {
if ((*tlp = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) {
memset(*tlp, 0, sizeof(krb5_tl_data));
tlp = &((*tlp)->tl_data_next);
- dbentry.n_tl_data++;
+ dbentry->n_tl_data++;
}
else {
error++;
error++;
if (!error) {
- dbentry.len = t1;
- dbentry.n_key_data = t4;
- dbentry.e_length = t5;
+ dbentry->len = t1;
+ dbentry->n_key_data = t4;
+ dbentry->e_length = t5;
if (kp) {
memset(kp, 0, (size_t) (t4*sizeof(krb5_key_data)));
- dbentry.key_data = kp;
+ dbentry->key_data = kp;
kp = (krb5_key_data *) NULL;
}
if (op) {
memset(op, 0, (size_t) t5);
- dbentry.e_data = op;
+ dbentry->e_data = op;
op = (krb5_octet *) NULL;
}
/* Read in and parse the principal name */
if (!read_string(filep, name, t2, linenop) &&
- !(kret = krb5_parse_name(kcontext, name, &dbentry.princ))) {
+ !(kret = krb5_parse_name(kcontext, name, &dbentry->princ))) {
/* Get the fixed principal attributes */
nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
&t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9);
if (nread == 8) {
- dbentry.attributes = (krb5_flags) t2;
- dbentry.max_life = (krb5_deltat) t3;
- dbentry.max_renewable_life = (krb5_deltat) t4;
- dbentry.expiration = (krb5_timestamp) t5;
- dbentry.pw_expiration = (krb5_timestamp) t6;
- dbentry.last_success = (krb5_timestamp) t7;
- dbentry.last_failed = (krb5_timestamp) t8;
- dbentry.fail_auth_count = (krb5_kvno) t9;
- dbentry.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
+ dbentry->attributes = (krb5_flags) t2;
+ dbentry->max_life = (krb5_deltat) t3;
+ dbentry->max_renewable_life = (krb5_deltat) t4;
+ dbentry->expiration = (krb5_timestamp) t5;
+ dbentry->pw_expiration = (krb5_timestamp) t6;
+ dbentry->last_success = (krb5_timestamp) t7;
+ dbentry->last_failed = (krb5_timestamp) t8;
+ dbentry->fail_auth_count = (krb5_kvno) t9;
+ dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |
KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT;
* it at dump time has almost as good an effect, so
* that's what I did. [krb5-admin/89]
*/
- if (!error && dbentry.n_tl_data) {
- for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
+ if (!error && dbentry->n_tl_data) {
+ for (tl = dbentry->tl_data; tl; tl = tl->tl_data_next) {
nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
if (nread == 2) {
tl->tl_data_type = (krb5_int16) t1;
* Assuming aux_attributes will always be
* there
*/
- dbentry.mask |= KADM5_AUX_ATTRIBUTES;
+ dbentry->mask |= KADM5_AUX_ATTRIBUTES;
/* test for an actual policy reference */
memset(&osa_princ_ent, 0, sizeof(osa_princ_ent));
(osa_princ_ent.aux_attributes & KADM5_POLICY) &&
osa_princ_ent.policy != NULL) {
- dbentry.mask |= KADM5_POLICY;
+ dbentry->mask |= KADM5_POLICY;
kdb_free_entry(NULL, NULL, &osa_princ_ent);
}
xdr_destroy(&xdrs);
}
}
if (!error)
- dbentry.mask |= KADM5_TL_DATA;
+ dbentry->mask |= KADM5_TL_DATA;
}
/* Get the key data */
- if (!error && dbentry.n_key_data) {
- for (i=0; !error && (i<dbentry.n_key_data); i++) {
- kdatap = &dbentry.key_data[i];
+ if (!error && dbentry->n_key_data) {
+ for (i=0; !error && (i<dbentry->n_key_data); i++) {
+ kdatap = &dbentry->key_data[i];
nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
if (nread == 2) {
kdatap->key_data_ver = (krb5_int16) t1;
}
}
if (!error)
- dbentry.mask |= KADM5_KEY_DATA;
+ dbentry->mask |= KADM5_KEY_DATA;
}
/* Get the extra data */
- if (!error && dbentry.e_length) {
+ if (!error && dbentry->e_length) {
if (read_octet_string(filep,
- dbentry.e_data,
- (int) dbentry.e_length)) {
+ dbentry->e_data,
+ (int) dbentry->e_length)) {
try2read = read_econtents;
error++;
}
* We have either read in all the data or choked.
*/
if (!error) {
- one = 1;
- if ((kret = krb5_db_put_principal(kcontext,
- &dbentry,
- &one))) {
+ if ((kret = krb5_db_put_principal(kcontext, dbentry))) {
fprintf(stderr, store_err_fmt,
fname, *linenop,
name, error_message(kret));
free(kp);
if (name)
free(name);
- krb5_db_free_principal(kcontext, &dbentry, 1);
+ krb5_db_free_principal(kcontext, dbentry);
}
else {
if (nread == EOF)
struct realm_info *pblock;
{
krb5_error_code retval;
- krb5_db_entry entry;
+ krb5_db_entry *entry;
krb5_kvno mkey_kvno;
krb5_timestamp now;
struct iterate_args iargs;
- int nentries = 1;
krb5_actkvno_node actkvno;
- memset(&entry, 0, sizeof(entry));
+ entry = krb5_db_alloc(context, NULL, sizeof(*entry));
+ if (entry == NULL)
+ return ENOMEM;
+ memset(entry, 0, sizeof(*entry));
- entry.len = KRB5_KDB_V1_BASE_LENGTH;
- entry.attributes = pblock->flags;
- entry.max_life = pblock->max_life;
- entry.max_renewable_life = pblock->max_rlife;
- entry.expiration = pblock->expiration;
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
+ entry->attributes = pblock->flags;
+ entry->max_life = pblock->max_life;
+ entry->max_renewable_life = pblock->max_rlife;
+ entry->expiration = pblock->expiration;
- if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
+ if ((retval = krb5_copy_principal(context, princ, &entry->princ)))
goto error_out;
if ((retval = krb5_timeofday(context, &now)))
goto error_out;
- if ((retval = krb5_dbe_update_mod_princ_data(context, &entry,
+ if ((retval = krb5_dbe_update_mod_princ_data(context, entry,
now, &db_create_princ)))
goto error_out;
switch (op) {
case MASTER_KEY:
- if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data)))
+ if ((entry->key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data)))
== NULL)
goto error_out;
- memset(entry.key_data, 0, sizeof(krb5_key_data));
- entry.n_key_data = 1;
+ memset(entry->key_data, 0, sizeof(krb5_key_data));
+ entry->n_key_data = 1;
if (global_params.mask & KADM5_CONFIG_KVNO)
mkey_kvno = global_params.kvno; /* user specified */
else
mkey_kvno = 1; /* Default */
- entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
if ((retval = krb5_dbe_encrypt_key_data(context, pblock->key,
&master_keyblock, NULL,
- mkey_kvno, entry.key_data)))
+ mkey_kvno, entry->key_data)))
return retval;
/*
* There should always be at least one "active" mkey so creating the
actkvno.act_kvno = mkey_kvno;
/* earliest possible time in case system clock is set back */
actkvno.act_time = 0;
- if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno)))
+ if ((retval = krb5_dbe_update_actkvno(context, entry, &actkvno)))
return retval;
/* so getprinc shows the right kvno */
- if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno)))
+ if ((retval = krb5_dbe_update_mkvno(context, entry, mkey_kvno)))
return retval;
break;
case TGT_KEY:
iargs.ctx = context;
iargs.rblock = pblock;
- iargs.dbentp = &entry;
+ iargs.dbentp = entry;
/*
* Iterate through the key/salt list, ignoring salt types.
*/
break;
}
- entry.mask = (KADM5_KEY_DATA | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
- KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA |
- KADM5_PRINC_EXPIRE_TIME);
+ entry->mask = (KADM5_KEY_DATA | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
+ KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA |
+ KADM5_PRINC_EXPIRE_TIME);
- retval = krb5_db_put_principal(context, &entry, &nentries);
+ retval = krb5_db_put_principal(context, entry);
-error_out:;
- krb5_db_free_principal(context, &entry, 1);
+error_out:
+ krb5_db_free_principal(context, entry);
return retval;
}
char *mkey_fullname;
char *pw_str = 0;
unsigned int pw_size = 0;
- int do_stash = 0, nentries = 0;
- krb5_boolean more = 0;
+ int do_stash = 0;
krb5_data pwd;
krb5_kvno new_mkey_kvno;
krb5_keyblock new_mkeyblock;
krb5_enctype new_master_enctype = ENCTYPE_UNKNOWN;
char *new_mkey_password;
- krb5_db_entry master_entry;
+ krb5_db_entry *master_entry;
krb5_timestamp now;
/*
return;
}
- retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
- &nentries, &more);
+ retval = krb5_db_get_principal(util_context, master_princ, 0,
+ &master_entry);
if (retval != 0) {
com_err(progname, retval,
"while getting master key principal %s",
mkey_fullname);
exit_status++;
goto cleanup_return;
- } else if (nentries == 0) {
- com_err(progname, KRB5_KDB_NOENTRY,
- "principal %s not found in Kerberos database",
- mkey_fullname);
- exit_status++;
- goto cleanup_return;
- } else if (nentries > 1) {
- com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "principal %s has multiple entries in Kerberos database",
- mkey_fullname);
- exit_status++;
- goto cleanup_return;
}
printf("Creating new master key for master key principal '%s'\n",
goto cleanup_return;
}
- retval = add_new_mkey(util_context, &master_entry, &new_mkeyblock, 0);
+ retval = add_new_mkey(util_context, master_entry, &new_mkeyblock, 0);
if (retval) {
com_err(progname, retval, "adding new master key to master principal");
exit_status++;
goto cleanup_return;
}
- if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry,
+ if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
now, master_princ))) {
com_err(progname, retval, "while updating the master key principal modification time");
exit_status++;
goto cleanup_return;
}
- if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) {
+ if ((retval = krb5_db_put_principal(util_context, master_entry))) {
(void) krb5_db_fini(util_context);
com_err(progname, retval, "while adding master key entry to the database");
exit_status++;
krb5_timestamp now, start_time;
krb5_actkvno_node *actkvno_list = NULL, *new_actkvno = NULL,
*prev_actkvno, *cur_actkvno;
- krb5_db_entry master_entry;
- int nentries = 0;
- krb5_boolean more = FALSE;
+ krb5_db_entry *master_entry;
krb5_keylist_node *keylist_node;
krb5_boolean inserted = FALSE;
goto cleanup_return;
}
- retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
- &nentries, &more);
+ retval = krb5_db_get_principal(util_context, master_princ, 0,
+ &master_entry);
if (retval != 0) {
com_err(progname, retval,
"while getting master key principal %s",
mkey_fullname);
exit_status++;
goto cleanup_return;
- } else if (nentries == 0) {
- com_err(progname, KRB5_KDB_NOENTRY,
- "principal %s not found in Kerberos database",
- mkey_fullname);
- exit_status++;
- goto cleanup_return;
- } else if (nentries > 1) {
- com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "principal %s has multiple entries in Kerberos database",
- mkey_fullname);
- exit_status++;
- goto cleanup_return;
}
- retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+ retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval,
"while looking up active version of master key");
goto cleanup_return;
}
- if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry,
+ if ((retval = krb5_dbe_update_actkvno(util_context, master_entry,
actkvno_list))) {
com_err(progname, retval, "while updating actkvno data for master principal entry");
exit_status++;
goto cleanup_return;
}
- if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry,
+ if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
now, master_princ))) {
com_err(progname, retval, "while updating the master key principal modification time");
exit_status++;
goto cleanup_return;
}
- if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) {
+ if ((retval = krb5_db_put_principal(util_context, master_entry))) {
(void) krb5_db_fini(util_context);
com_err(progname, retval, "while adding master key entry to the database");
exit_status++;
krb5_kvno act_kvno;
krb5_timestamp act_time;
krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno;
- krb5_db_entry master_entry;
- int nentries = 0;
- krb5_boolean more = FALSE;
+ krb5_db_entry *master_entry;
krb5_keylist_node *cur_kb_node;
krb5_keyblock *act_mkey;
return;
}
- retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
- &nentries, &more);
+ retval = krb5_db_get_principal(util_context, master_princ, 0,
+ &master_entry);
if (retval != 0) {
com_err(progname, retval,
"while getting master key principal %s",
mkey_fullname);
exit_status++;
goto cleanup_return;
- } else if (nentries == 0) {
- com_err(progname, KRB5_KDB_NOENTRY,
- "principal %s not found in Kerberos database",
- mkey_fullname);
- exit_status++;
- goto cleanup_return;
- } else if (nentries > 1) {
- com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "principal %s has multiple entries in Kerberos database",
- mkey_fullname);
- exit_status++;
- goto cleanup_return;
}
- retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+ retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, "while looking up active kvno list");
exit_status++;
}
if (actkvno_list == NULL) {
- act_kvno = master_entry.key_data[0].key_data_kvno;
+ act_kvno = master_entry->key_data[0].key_data_kvno;
} else {
retval = krb5_dbe_find_act_mkey(util_context, master_keylist,
actkvno_list, &act_kvno, &act_mkey);
krb5_error_code retval;
int match;
krb5_timestamp now;
- int nentries = 1;
int result;
krb5_kvno old_mkvno;
ent->mask |= KADM5_KEY_DATA;
- if ((retval = krb5_db_put_principal(util_context, ent, &nentries))) {
+ if ((retval = krb5_db_put_principal(util_context, ent))) {
com_err(progname, retval,
"while updating principal '%s' key data in the database",
pname);
int optchar;
krb5_error_code retval;
krb5_actkvno_node *actkvno_list = 0;
- krb5_db_entry master_entry;
- int nentries = 1;
- krb5_boolean more = FALSE;
+ krb5_db_entry *master_entry;
char *mkey_fullname = 0;
#ifdef BSD_REGEXPS
char *msg;
goto cleanup;
}
- retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
- &nentries, &more);
+ retval = krb5_db_get_principal(util_context, master_princ, 0,
+ &master_entry);
if (retval != 0) {
com_err(progname, retval, "while getting master key principal %s",
mkey_fullname);
exit_status++;
goto cleanup;
}
- if (nentries != 1) {
- com_err(progname, 0,
- "cannot find master key principal %s in database!",
- mkey_fullname);
- exit_status++;
- goto cleanup;
- }
- retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+ retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, "while looking up active kvno list");
exit_status++;
/* Master key is always stored encrypted in the latest version of
itself. */
new_mkvno = krb5_db_get_key_data_kvno(util_context,
- master_entry.n_key_data,
- master_entry.key_data);
+ master_entry->n_key_data,
+ master_entry->key_data);
retval = krb5_dbe_find_mkey(util_context, master_keylist,
- &master_entry, &tmp_keyblock);
+ master_entry, &tmp_keyblock);
if (retval) {
com_err(progname, retval, "retrieving the most recent master key");
exit_status++;
krb5_error_code retval;
char *mkey_fullname = NULL;
krb5_timestamp now;
- krb5_db_entry master_entry;
- int nentries = 0;
- krb5_boolean more = FALSE;
+ krb5_db_entry *master_entry;
krb5_boolean force = FALSE, dry_run = FALSE, verbose = FALSE;
struct purge_args args;
char buf[5];
return;
}
- retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
- &nentries, &more);
+ retval = krb5_db_get_principal(util_context, master_princ, 0,
+ &master_entry);
if (retval != 0) {
com_err(progname, retval,
"while getting master key principal %s",
mkey_fullname);
exit_status++;
goto cleanup_return;
- } else if (nentries == 0) {
- com_err(progname, KRB5_KDB_NOENTRY,
- "principal %s not found in Kerberos database",
- mkey_fullname);
- exit_status++;
- goto cleanup_return;
- } else if (nentries > 1) {
- com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "principal %s has multiple entries in Kerberos database",
- mkey_fullname);
- exit_status++;
- goto cleanup_return;
}
if (!force) {
}
/* save the old keydata */
- old_key_data_count = master_entry.n_key_data;
+ old_key_data_count = master_entry->n_key_data;
if (old_key_data_count == 1) {
if (verbose)
printf("There is only one master key which can not be purged.\n");
goto cleanup_return;
}
- old_key_data = master_entry.key_data;
+ old_key_data = master_entry->key_data;
args.kvnos = (struct kvnos_in_use *) malloc(sizeof(struct kvnos_in_use) * old_key_data_count);
if (args.kvnos == NULL) {
/* populate the kvnos array with all the current mkvnos */
for (i = 0; i < old_key_data_count; i++)
- args.kvnos[i].kvno = master_entry.key_data[i].key_data_kvno;
+ args.kvnos[i].kvno = master_entry->key_data[i].key_data_kvno;
if ((retval = krb5_db_iterate(util_context,
NULL,
goto cleanup_return;
}
- retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+ retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, "while looking up active kvno list");
exit_status++;
goto cleanup_return;
}
- retval = krb5_dbe_lookup_mkey_aux(util_context, &master_entry, &mkey_aux_list);
+ retval = krb5_dbe_lookup_mkey_aux(util_context, master_entry, &mkey_aux_list);
if (retval != 0) {
com_err(progname, retval, "while looking up mkey aux data list");
exit_status++;
goto cleanup_return;
}
- master_entry.key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * num_kvnos_inuse);
- if (master_entry.key_data == NULL) {
+ master_entry->key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * num_kvnos_inuse);
+ if (master_entry->key_data == NULL) {
retval = ENOMEM;
com_err(progname, ENOMEM, "while allocating key_data");
exit_status++;
goto cleanup_return;
}
- memset(master_entry.key_data, 0, sizeof(krb5_key_data) * num_kvnos_inuse);
- master_entry.n_key_data = num_kvnos_inuse; /* there's only 1 mkey per kvno */
+ memset(master_entry->key_data, 0, sizeof(krb5_key_data) * num_kvnos_inuse);
+ master_entry->n_key_data = num_kvnos_inuse; /* there's only 1 mkey per kvno */
/*
* Assuming that the latest mkey will not be purged because it will always
for (j = 0; j < args.num_kvnos; j++) {
if (args.kvnos[j].kvno == (krb5_kvno) old_key_data[i].key_data_kvno) {
if (args.kvnos[j].use_count != 0) {
- master_entry.key_data[k++] = old_key_data[i];
+ master_entry->key_data[k++] = old_key_data[i];
break;
} else {
/* remove unused mkey */
}
assert(k == num_kvnos_inuse);
- if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry,
+ if ((retval = krb5_dbe_update_actkvno(util_context, master_entry,
actkvno_list))) {
com_err(progname, retval,
"while updating actkvno data for master principal entry");
goto cleanup_return;
}
- if ((retval = krb5_dbe_update_mkey_aux(util_context, &master_entry,
+ if ((retval = krb5_dbe_update_mkey_aux(util_context, master_entry,
mkey_aux_list))) {
com_err(progname, retval,
"while updating mkey_aux data for master principal entry");
goto cleanup_return;
}
- if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry,
+ if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
now, master_princ))) {
com_err(progname, retval,
"while updating the master key principal modification time");
goto cleanup_return;
}
- master_entry.mask |= KADM5_KEY_DATA;
+ master_entry->mask |= KADM5_KEY_DATA;
- if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) {
+ if ((retval = krb5_db_put_principal(util_context, master_entry))) {
(void) krb5_db_fini(util_context);
com_err(progname, retval, "while adding master key entry to the database");
exit_status++;
krb5_kvno master_kvno; /* fetched */
extern krb5_keylist_node *master_keylist;
extern krb5_principal master_princ;
-krb5_db_entry master_entry;
+krb5_db_entry *master_entry = NULL;
int valid_master_key = 0;
char *progname;
static int open_db_and_mkey()
{
krb5_error_code retval;
- int nentries;
- krb5_boolean more;
krb5_data scratch, pwd, seed;
dbactive = FALSE;
exit_status++;
return(1);
}
- nentries = 1;
- if ((retval = krb5_db_get_principal(util_context, master_princ,
- &master_entry, &nentries, &more))) {
+ if ((retval = krb5_db_get_principal(util_context, master_princ, 0,
+ &master_entry))) {
com_err(progname, retval, "while retrieving master entry");
exit_status++;
(void) krb5_db_fini(util_context);
return(1);
- } else if (more) {
- com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "while retrieving master entry");
- exit_status++;
- (void) krb5_db_fini(util_context);
- return(1);
- } else if (!nentries) {
- com_err(progname, KRB5_KDB_NOENTRY, "while retrieving master entry");
- exit_status++;
- (void) krb5_db_fini(util_context);
- return(1);
}
if (global_params.mask & KADM5_CONFIG_KVNO)
{
krb5_error_code ret;
krb5_principal princ;
- krb5_db_entry dbent;
- int n;
- krb5_boolean more;
+ krb5_db_entry *dbent;
krb5_timestamp now;
krb5_key_salt_tuple *keysalts = NULL;
exit_status++;
return;
}
- n = 1;
- ret = krb5_db_get_principal(util_context, princ, &dbent,
- &n, &more);
+ ret = krb5_db_get_principal(util_context, princ, 0, &dbent);
if (ret) {
com_err(me, ret, "while fetching principal %s", pr_str);
exit_status++;
return;
}
- if (n != 1) {
- fprintf(stderr, "principal %s not found\n", pr_str);
- exit_status++;
- return;
- }
- if (more) {
- fprintf(stderr, "principal %s not unique\n", pr_str);
- krb5_db_free_principal(util_context, &dbent, 1);
- exit_status++;
- return;
- }
ret = krb5_string_to_keysalts(ks_str,
", \t", ":.-", 0,
&keysalts,
free_keysalts = 1;
/* Find the mkey used to protect the existing keys */
- ret = krb5_dbe_find_mkey(util_context, master_keylist, &dbent, &tmp_mkey);
+ ret = krb5_dbe_find_mkey(util_context, master_keylist, dbent, &tmp_mkey);
if (ret) {
com_err(me, ret, "while finding mkey");
+ krb5_db_free_principal(util_context, dbent);
exit_status++;
return;
}
- ret = krb5_dbe_ark(util_context, tmp_mkey,
- keysalts, num_keysalts,
- &dbent);
+ ret = krb5_dbe_ark(util_context, tmp_mkey, keysalts, num_keysalts, dbent);
if (free_keysalts)
free(keysalts);
if (ret) {
com_err(me, ret, "while randomizing principal %s", pr_str);
- krb5_db_free_principal(util_context, &dbent, 1);
+ krb5_db_free_principal(util_context, dbent);
exit_status++;
return;
}
- dbent.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ dbent->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(util_context, &now);
if (ret) {
com_err(me, ret, "while getting time");
- krb5_db_free_principal(util_context, &dbent, 1);
+ krb5_db_free_principal(util_context, dbent);
exit_status++;
return;
}
- ret = krb5_dbe_update_last_pwd_change(util_context, &dbent, now);
+ ret = krb5_dbe_update_last_pwd_change(util_context, dbent, now);
if (ret) {
com_err(me, ret, "while setting changetime");
- krb5_db_free_principal(util_context, &dbent, 1);
+ krb5_db_free_principal(util_context, dbent);
exit_status++;
return;
}
- ret = krb5_db_put_principal(util_context, &dbent, &n);
- krb5_db_free_principal(util_context, &dbent, 1);
+ ret = krb5_db_put_principal(util_context, dbent);
+ krb5_db_free_principal(util_context, dbent);
if (ret) {
com_err(me, ret, "while saving principal %s", pr_str);
exit_status++;
krb5_error_code ret;
krb5_tl_data tl_data;
krb5_principal princ;
- krb5_db_entry kdb;
+ krb5_db_entry *kdb = NULL;
char *current = 0;
char *cp;
- int x, one;
- krb5_boolean more;
+ int x;
char line[LINESIZE];
if (fgets(line, LINESIZE, filep) == (char *) NULL) {
tl_data.tl_data_length = xdr_getpos(&xdrs);
tl_data.tl_data_contents = (krb5_octet *) xdralloc_getdata(&xdrs);
- one = 1;
- ret = krb5_db_get_principal(kcontext, princ, &kdb, &one, &more);
+ ret = krb5_db_get_principal(kcontext, princ, 0, &kdb);
if (ret)
goto done;
- ret = krb5_dbe_update_tl_data(kcontext, &kdb, &tl_data);
+ ret = krb5_dbe_update_tl_data(kcontext, kdb, &tl_data);
if (ret)
goto done;
- ret = krb5_db_put_principal(kcontext, &kdb, &one);
+ ret = krb5_db_put_principal(kcontext, kdb);
if (ret)
goto done;
free(current);
krb5_free_principal(kcontext, princ);
osa_free_princ_ent(rec);
+ krb5_db_free_principal(kcontext, kdb);
return ret;
}
process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
const krb5_fulladdr *from, krb5_data **response)
{
- krb5_db_entry client, server;
+ krb5_db_entry *client = NULL, *server = NULL;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply;
krb5_enc_tkt_part enc_tkt_reply;
krb5_error_code errcode;
- int c_nprincs = 0, s_nprincs = 0;
- krb5_boolean more;
krb5_timestamp kdc_time, authtime = 0;
krb5_keyblock session_key;
const char *status;
if (include_pac_p(kdc_context, request)) {
setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
}
- c_nprincs = 1;
- if ((errcode = krb5_db_get_principal_ext(kdc_context, request->client,
- c_flags, &client, &c_nprincs,
- &more))) {
- status = "LOOKING_UP_CLIENT";
- c_nprincs = 0;
- goto errout;
- }
-
- if (more) {
- status = "NON-UNIQUE_CLIENT";
- errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- goto errout;
- } else if (c_nprincs != 1) {
+ errcode = krb5_db_get_principal(kdc_context, request->client,
+ c_flags, &client);
+ if (errcode == KRB5_KDB_NOENTRY) {
status = "CLIENT_NOT_FOUND";
if (vague_errors)
errcode = KRB5KRB_ERR_GENERIC;
else
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
+ } else if (errcode) {
+ status = "LOOKING_UP_CLIENT";
+ goto errout;
}
/*
* If the backend returned a principal that is not in the local
* realm, then we need to refer the client to that realm.
*/
- if (!is_local_principal(client.princ)) {
+ if (!is_local_principal(client->princ)) {
/* Entry is a referral to another realm */
status = "REFERRAL";
errcode = KRB5KDC_ERR_WRONG_REALM;
* Turn off canonicalization if client is marked DES only
* (unless enterprise principal name was requested)
*/
- if (isflagset(client.attributes, KRB5_KDB_NON_MS_PRINCIPAL) &&
+ if (isflagset(client->attributes, KRB5_KDB_NON_MS_PRINCIPAL) &&
krb5_princ_type(kdc_context,
request->client) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
clear(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
- s_nprincs = 1;
- if ((errcode = krb5_db_get_principal_ext(kdc_context, request->server,
- s_flags, &server,
- &s_nprincs, &more))) {
- status = "LOOKING_UP_SERVER";
- goto errout;
- }
- if (more) {
- status = "NON-UNIQUE_SERVER";
- errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- goto errout;
- } else if (s_nprincs != 1) {
+ errcode = krb5_db_get_principal(kdc_context, request->server,
+ s_flags, &server);
+ if (errcode == KRB5_KDB_NOENTRY) {
status = "SERVER_NOT_FOUND";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
+ } else if (errcode) {
+ status = "LOOKING_UP_SERVER";
+ goto errout;
}
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
}
authtime = kdc_time; /* for audit_as_request() */
- if ((errcode = validate_as_request(request, client, server,
+ if ((errcode = validate_as_request(request, *client, *server,
kdc_time, &status, &e_data))) {
if (!status)
status = "UNKNOWN_REASON";
/*
* Select the keytype for the ticket session key.
*/
- if ((useenctype = select_session_keytype(kdc_context, &server,
+ if ((useenctype = select_session_keytype(kdc_context, server,
request->nktypes,
request->ktype)) == 0) {
/* unsupported ktype */
*/
if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
krb5_is_tgs_principal(request->server) &&
- krb5_is_tgs_principal(server.princ)) {
- ticket_reply.server = server.princ;
+ krb5_is_tgs_principal(server->princ)) {
+ ticket_reply.server = server->princ;
} else {
ticket_reply.server = request->server;
}
enc_tkt_reply.session = &session_key;
if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
- client_princ = *(client.princ);
+ client_princ = *(client->princ);
} else {
client_princ = *(request->client);
/* The realm is always canonicalized */
- client_princ.realm = *(krb5_princ_realm(context, client.princ));
+ client_princ.realm = *(krb5_princ_realm(context, client->princ));
}
enc_tkt_reply.client = &client_princ;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.times.starttime,
kdc_infinity,
request->till,
- &client,
- &server,
+ client,
+ server,
&enc_tkt_reply.times.endtime);
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
- !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
+ !isflagset(client->attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
(enc_tkt_reply.times.endtime < request->till)) {
/* we set the RENEWABLE option for later processing */
setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
enc_tkt_reply.times.renew_till =
min(rtime, enc_tkt_reply.times.starttime +
- min(client.max_renewable_life,
- min(server.max_renewable_life,
+ min(client->max_renewable_life,
+ min(server->max_renewable_life,
max_renewable_life_for_realm)));
} else
enc_tkt_reply.times.renew_till = 0; /* XXX */
goto errout;
}
enc_tkt_reply.client = request->client;
- setflag(client.attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
+ setflag(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
/*
* Check the preauthentication if it is there.
*/
if (request->padata) {
- errcode = check_padata(kdc_context, &client, req_pkt, request,
+ errcode = check_padata(kdc_context, client, req_pkt, request,
&enc_tkt_reply, &pa_context, &e_data);
if (errcode) {
if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
- get_preauth_hint_list(request, &client, &server, &e_data);
+ get_preauth_hint_list(request, client, server, &e_data);
status = "PREAUTH_FAILED";
if (vague_errors)
* preauthentication, verify that the proper kind of
* preauthentication was carried out.
*/
- status = missing_required_preauth(&client, &server, &enc_tkt_reply);
+ status = missing_required_preauth(client, server, &enc_tkt_reply);
if (status) {
errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
- get_preauth_hint_list(request, &client, &server, &e_data);
+ get_preauth_hint_list(request, client, server, &e_data);
goto errout;
}
- if ((errcode = validate_forwardable(request, client, server,
+ if ((errcode = validate_forwardable(request, *client, *server,
kdc_time, &status))) {
errcode += ERROR_TABLE_BASE_krb5;
goto errout;
/*
* Find the server key
*/
- if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
+ if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
0, /* Get highest kvno */
goto errout;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
&mkey_ptr))) {
/* try refreshing master key list */
/* XXX it would nice if we had the mkvno here for optimization */
krb5_dbe_free_key_list(kdc_context, master_keylist);
master_keylist = tmp_mkey_list;
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- &server, &mkey_ptr))) {
+ server, &mkey_ptr))) {
status = "FINDING_MASTER_KEY";
goto errout;
}
}
/*
- * Convert server.key into a real key
+ * Convert server->key into a real key
* (it may be encrypted in the database)
*
* server_keyblock is later used to generate auth data signatures
if (!krb5_c_valid_enctype(useenctype))
continue;
- if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1,
+ if (!krb5_dbe_find_enctype(kdc_context, client, useenctype, -1,
0, &client_key))
break;
}
goto errout;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client,
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, client,
&mkey_ptr))) {
/* try refreshing master key list */
/* XXX it would nice if we had the mkvno here for optimization */
krb5_dbe_free_key_list(kdc_context, master_keylist);
master_keylist = tmp_mkey_list;
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- &client, &mkey_ptr))) {
+ client, &mkey_ptr))) {
status = "FINDING_MASTER_KEY";
goto errout;
}
reply.client = enc_tkt_reply.client; /* post canonicalization */
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
- if ((errcode = fetch_last_req_info(&client, &reply_encpart.last_req))) {
+ if ((errcode = fetch_last_req_info(client, &reply_encpart.last_req))) {
status = "FETCH_LAST_REQ";
goto errout;
}
reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;
+ reply_encpart.key_exp = client->expiration;
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
/* Fetch the padata info to be returned (do this before
* authdata to handle possible replacement of reply key
*/
- errcode = return_padata(kdc_context, &client, req_pkt, request,
+ errcode = return_padata(kdc_context, client, req_pkt, request,
&reply, client_key, &client_keyblock, &pa_context);
if (errcode) {
status = "KDC_RETURN_PADATA";
errcode = handle_authdata(kdc_context,
c_flags,
- &client,
- &server,
- &server,
+ client,
+ server,
+ server,
&client_keyblock,
&server_keyblock,
&server_keyblock,
goto errout;
}
errcode = return_enc_padata(kdc_context, req_pkt, request,
- as_encrypting_key, &server, &reply_encpart,
+ as_encrypting_key, server, &reply_encpart,
FALSE);
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
- log_as_req(from, request, &reply, &client, cname, &server, sname,
+ log_as_req(from, request, &reply, client, cname, server, sname,
authtime, 0, 0, 0);
did_log = 1;
emsg = krb5_get_error_message(kdc_context, errcode);
if (status) {
- log_as_req(from, request, &reply, &client, cname, &server, sname,
+ log_as_req(from, request, &reply, client, cname, server, sname,
authtime, status, errcode, emsg);
did_log = 1;
}
errcode = KRB_ERR_GENERIC;
errcode = prepare_error_as(state, request, errcode, &e_data,
- c_nprincs ? client.princ : NULL,
+ (client != NULL) ? client->princ : NULL,
response, status);
status = 0;
}
free(cname);
if (sname != NULL)
free(sname);
- if (c_nprincs)
- krb5_db_free_principal(kdc_context, &client, c_nprincs);
- if (s_nprincs)
- krb5_db_free_principal(kdc_context, &server, s_nprincs);
+ krb5_db_free_principal(kdc_context, client);
+ krb5_db_free_principal(kdc_context, server);
if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (ticket_reply.enc_part.ciphertext.data != NULL) {
#include "adm_proto.h"
#include <ctype.h>
-static void
-find_alternate_tgs(krb5_kdc_req *,krb5_db_entry *,
- krb5_boolean *,int *);
+static krb5_error_code
+find_alternate_tgs(krb5_kdc_req *,krb5_db_entry **);
static krb5_error_code
prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
krb5_keyblock * subkey = 0;
krb5_keyblock * tgskey = 0;
krb5_kdc_req *request = 0;
- krb5_db_entry server;
+ krb5_db_entry *server = NULL;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply, *header_ticket = 0;
int newtransited = 0;
krb5_error_code retval = 0;
krb5_keyblock encrypting_key;
- int nprincs = 0;
- krb5_boolean more;
krb5_timestamp kdc_time, authtime = 0;
krb5_keyblock session_key;
krb5_timestamp rtime;
const char *status = 0;
krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
- krb5_db_entry client, krbtgt;
- int c_nprincs = 0, k_nprincs = 0;
+ krb5_db_entry *client = NULL, *krbtgt = NULL;
krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
return retval;
}
errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
- &krbtgt, &k_nprincs, &tgskey,
- &subkey, &pa_tgs_req);
+ &krbtgt, &tgskey, &subkey, &pa_tgs_req);
if (header_ticket && header_ticket->enc_part2 &&
(errcode2 = krb5_unparse_name(kdc_context,
header_ticket->enc_part2->client,
db_ref_done = FALSE;
ref_tgt_again:
- nprincs = 1;
if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
status = "UNPARSING SERVER";
goto cleanup;
}
limit_string(sname);
- errcode = krb5_db_get_principal_ext(kdc_context,
- request->server,
- s_flags,
- &server,
- &nprincs,
- &more);
- if (errcode) {
+ errcode = krb5_db_get_principal(kdc_context, request->server,
+ s_flags, &server);
+ if (errcode && errcode != KRB5_KDB_NOENTRY) {
status = "LOOKING_UP_SERVER";
- nprincs = 0;
goto cleanup;
}
tgt_again:
- if (more) {
- status = "NON_UNIQUE_PRINCIPAL";
- errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- goto cleanup;
- } else if (nprincs != 1) {
+ if (errcode == KRB5_KDB_NOENTRY) {
/*
* might be a request for a TGT for some other realm; we
* should do our best to find such a TGS in this db
tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
- krb5_db_free_principal(kdc_context, &server, nprincs);
- find_alternate_tgs(request, &server, &more, &nprincs);
+ errcode = find_alternate_tgs(request, &server);
firstpass = 0;
goto tgt_again;
}
}
- krb5_db_free_principal(kdc_context, &server, nprincs);
status = "UNKNOWN_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}
}
- krb5_db_free_principal(kdc_context, &server, nprincs);
status = "UNKNOWN_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
goto cleanup;
}
- if ((retval = validate_tgs_request(request, server, header_ticket,
+ if ((retval = validate_tgs_request(request, *server, header_ticket,
kdc_time, &status, &e_data))) {
if (!status)
status = "UNKNOWN_REASON";
if (!is_local_principal(header_enc_tkt->client))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
- is_referral = krb5_is_tgs_principal(server.princ) &&
- !krb5_principal_compare(kdc_context, tgs_server, server.princ);
+ is_referral = krb5_is_tgs_principal(server->princ) &&
+ !krb5_principal_compare(kdc_context, tgs_server, server->princ);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_context,
request,
header_enc_tkt->client,
- &server,
+ server,
subkey,
header_enc_tkt->session,
kdc_time,
&s4u_x509_user,
&client,
- &c_nprincs,
&status);
if (errcode)
goto cleanup;
krb5_keyblock * st_sealing_key;
krb5_kvno st_srv_kvno;
krb5_enctype etype;
- krb5_db_entry st_client;
- int st_nprincs = 0;
+ krb5_db_entry *st_client;
/*
* Get the key for the second ticket, and decrypt it.
c_flags,
TRUE, /* match_enctype */
&st_client,
- &st_nprincs,
&st_sealing_key,
&st_srv_kvno))) {
status = "2ND_TKT_SERVER";
krb5_free_keyblock(kdc_context, st_sealing_key);
if (errcode) {
status = "2ND_TKT_DECRYPT";
- krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+ krb5_db_free_principal(kdc_context, st_client);
goto cleanup;
}
if (!krb5_c_valid_enctype(etype)) {
status = "BAD_ETYPE_IN_2ND_TKT";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
- krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+ krb5_db_free_principal(kdc_context, st_client);
goto cleanup;
}
errcode = kdc_process_s4u2proxy_req(kdc_context,
request,
request->second_ticket[st_idx]->enc_part2,
- &st_client,
+ st_client,
header_ticket->enc_part2->client,
request->server,
&status);
assert(krb5_is_tgs_principal(header_ticket->server));
- assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */
-
+ assert(client == NULL); /* assured by kdc_process_s4u2self_req() */
client = st_client;
- c_nprincs = st_nprincs;
} else {
/* "client" is not used for user2user */
- krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+ krb5_db_free_principal(kdc_context, st_client);
}
}
* Select the keytype for the ticket session key.
*/
if ((useenctype == 0) &&
- (useenctype = select_session_keytype(kdc_context, &server,
+ (useenctype = select_session_keytype(kdc_context, server,
request->nktypes,
request->ktype)) == 0) {
/* unsupported ktype */
authtime = subject_tkt->times.authtime;
if (is_referral)
- ticket_reply.server = server.princ;
+ ticket_reply.server = server->princ;
else
ticket_reply.server = request->server; /* XXX careful for realm... */
enc_tkt_reply.flags = 0;
enc_tkt_reply.times.starttime = 0;
- if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE))
+ if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
/*
* Consider this block the S4U2Self equivalent to
* validate_forwardable().
*/
- if (c_nprincs &&
- isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
+ if (client != NULL &&
+ isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
* Forwardable flag is propagated along referral path.
* S4U2Self in order for forwardable tickets to be returned.
*/
else if (!is_referral &&
- !isflagset(server.attributes,
+ !isflagset(server->attributes,
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
- kdc_get_ticket_endtime(kdc_context,
- enc_tkt_reply.times.starttime,
- header_enc_tkt->times.endtime,
- request->till,
- &client,
- &server,
- &enc_tkt_reply.times.endtime);
+ kdc_get_ticket_endtime(kdc_context, enc_tkt_reply.times.starttime,
+ header_enc_tkt->times.endtime, request->till,
+ client, server, &enc_tkt_reply.times.endtime);
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
(enc_tkt_reply.times.endtime < request->till) &&
min(rtime,
min(header_enc_tkt->times.renew_till,
enc_tkt_reply.times.starttime +
- min(server.max_renewable_life,
+ min(server->max_renewable_life,
max_renewable_life_for_realm)));
} else {
enc_tkt_reply.times.renew_till = 0;
/*
* Find the server key
*/
- if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
+ if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
0, /* Get highest kvno */
goto cleanup;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
&mkey_ptr))) {
krb5_keylist_node *tmp_mkey_list;
/* try refreshing master key list */
krb5_dbe_free_key_list(kdc_context, master_keylist);
master_keylist = tmp_mkey_list;
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- &server, &mkey_ptr))) {
+ server, &mkey_ptr))) {
status = "FINDING_MASTER_KEY";
goto cleanup;
}
* delegation is requested. We don't want to deny the server
* the ability to validate that delegation was used.
*/
- clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
+ clear(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
}
- if (isflagset(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
+ if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
/*
* If we are not doing protocol transition/constrained delegation
* try to lookup the client principal so plugins can add additional
/* Map principals from foreign (possibly non-AD) realms */
setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
- assert(c_nprincs == 0); /* should not have been looked up already */
+ assert(client == NULL); /* should not have been set already */
- c_nprincs = 1;
- errcode = krb5_db_get_principal_ext(kdc_context,
- subject_tkt->client,
- c_flags,
- &client,
- &c_nprincs,
- &more);
- /*
- * We can ignore errors because the principal may be a
- * valid cross-realm principal for which we have no local
- * mapping. But we do want to check that at most one entry
- * was returned.
- */
- if (errcode == 0 && (more || c_nprincs > 1)) {
- errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- goto cleanup;
- } else if (errcode) {
- c_nprincs = 0;
- }
+ errcode = krb5_db_get_principal(kdc_context, subject_tkt->client,
+ c_flags, &client);
}
}
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
- errcode = handle_authdata(kdc_context,
- c_flags,
- (c_nprincs != 0) ? &client : NULL,
- &server,
- (k_nprincs != 0) ? &krbtgt : NULL,
+ errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
&encrypting_key, /* U2U or server key */
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
- &server,
- (k_nprincs != 0) ? &krbtgt : NULL);
+ server, krbtgt);
if (errcode) {
status = "NON_TRANSITIVE";
goto cleanup;
goto cleanup;
}
errcode = return_enc_padata(kdc_context, pkt, request,
- reply_key, &server, &reply_encpart,
+ reply_key, server, &reply_encpart,
is_referral &&
isflagset(s_flags,
KRB5_KDB_FLAG_CANONICALIZE));
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(state, request, header_ticket, errcode,
- nprincs ? server.princ : NULL,
+ (server != NULL) ? server->princ : NULL,
response, status, &e_data);
if (got_err) {
krb5_free_error_message (kdc_context, status);
free(cname);
if (sname != NULL)
free(sname);
- if (nprincs != 0)
- krb5_db_free_principal(kdc_context, &server, 1);
+ krb5_db_free_principal(kdc_context, server);
+ krb5_db_free_principal(kdc_context, krbtgt);
+ krb5_db_free_principal(kdc_context, client);
if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
- if (k_nprincs)
- krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs);
- if (c_nprincs)
- krb5_db_free_principal(kdc_context, &client, c_nprincs);
if (s4u_x509_user != NULL)
krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
if (kdc_issued_auth_data != NULL)
* but we don't have a ticket for the final TGS. Try to give the requestor
* some intermediate realm.
*/
-static void
-find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
- krb5_boolean *more, int *nprincs)
+static krb5_error_code
+find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry **server_ptr)
{
krb5_error_code retval;
- krb5_principal *plist, *pl2;
+ krb5_principal *plist = NULL, *pl2, tmpprinc;
krb5_data tmp;
+ krb5_db_entry *server = NULL;
- *nprincs = 0;
- *more = FALSE;
+ *server_ptr = NULL;
/*
* Call to krb5_princ_component is normally not safe but is so
krb5_princ_realm(kdc_context, request->server),
krb5_princ_component(kdc_context, request->server, 1),
&plist, KRB5_REALM_BRANCH_CHAR)))
- return;
+ return retval;
/* move to the end */
for (pl2 = plist; *pl2; pl2++);
/* the first entry in this array is for krbtgt/local@local, so we
ignore it */
while (--pl2 > plist) {
- *nprincs = 1;
tmp = *krb5_princ_realm(kdc_context, *pl2);
krb5_princ_set_realm(kdc_context, *pl2,
krb5_princ_realm(kdc_context, tgs_server));
- retval = get_principal(kdc_context, *pl2, server, nprincs, more);
+ retval = krb5_db_get_principal(kdc_context, *pl2, 0, &server);
krb5_princ_set_realm(kdc_context, *pl2, &tmp);
- if (retval) {
- *nprincs = 0;
- *more = FALSE;
- krb5_free_realm_tree(kdc_context, plist);
- return;
- }
- if (*more) {
- krb5_db_free_principal(kdc_context, server, *nprincs);
+ if (retval == KRB5_KDB_NOENTRY)
continue;
- } else if (*nprincs == 1) {
- /* Found it! */
- krb5_principal tmpprinc;
-
- tmp = *krb5_princ_realm(kdc_context, *pl2);
- krb5_princ_set_realm(kdc_context, *pl2,
- krb5_princ_realm(kdc_context, tgs_server));
- if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) {
- krb5_db_free_principal(kdc_context, server, *nprincs);
- krb5_princ_set_realm(kdc_context, *pl2, &tmp);
- continue;
- }
- krb5_princ_set_realm(kdc_context, *pl2, &tmp);
+ else if (retval)
+ goto cleanup;
- krb5_free_principal(kdc_context, request->server);
- request->server = tmpprinc;
- log_tgs_alt_tgt(request->server);
- krb5_free_realm_tree(kdc_context, plist);
- return;
- }
- krb5_db_free_principal(kdc_context, server, *nprincs);
- continue;
+ /* Found it. */
+ tmp = *krb5_princ_realm(kdc_context, *pl2);
+ krb5_princ_set_realm(kdc_context, *pl2,
+ krb5_princ_realm(kdc_context, tgs_server));
+ retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc);
+ if (retval)
+ goto cleanup;
+ krb5_princ_set_realm(kdc_context, *pl2, &tmp);
+
+ krb5_free_principal(kdc_context, request->server);
+ request->server = tmpprinc;
+ log_tgs_alt_tgt(request->server);
+ *server_ptr = server;
+ server = NULL;
+ goto cleanup;
}
+ retval = KRB5_KDB_NOENTRY;
- *nprincs = 0;
- *more = FALSE;
+cleanup:
krb5_free_realm_tree(kdc_context, plist);
- return;
+ krb5_db_free_principal(kdc_context, server);
+ return retval;
}
static krb5_int32
*/
{
- int npr = 1;
- krb5_boolean more;
- krb5_db_entry assoc;
+ krb5_db_entry *assoc;
krb5_key_data *assoc_key;
krb5_principal newp;
int probeslot;
krb5_princ_component(kdc_context,newp,probeslot)->data = sam_ptr->name;
krb5_princ_component(kdc_context,newp,probeslot)->length =
strlen(sam_ptr->name);
- npr = 1;
- retval = get_principal(kdc_context, newp, &assoc, &npr, &more);
- if(!retval && npr) {
+ retval = krb5_db_get_principal(kdc_context, newp, 0, &assoc);
+ if(retval == 0) {
sc.sam_type = sam_ptr->sam_type;
break;
}
if (sc.sam_type) {
/* so use assoc to get the key out! */
{
- if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc,
- &mkey_ptr))) {
+ if ((retval = krb5_dbe_find_mkey(context, master_keylist,
+ assoc, &mkey_ptr))) {
krb5_keylist_node *tmp_mkey_list;
/* try refreshing the mkey list in case it's been updated */
if (krb5_db_fetch_mkey_list(context, master_princ,
krb5_dbe_free_key_list(context, master_keylist);
master_keylist = tmp_mkey_list;
if ((retval = krb5_dbe_find_mkey(context, master_keylist,
- &assoc, &mkey_ptr))) {
+ assoc, &mkey_ptr))) {
return (retval);
}
} else {
}
/* here's what do_tgs_req does */
- retval = krb5_dbe_find_enctype(kdc_context, &assoc,
+ retval = krb5_dbe_find_enctype(kdc_context, assoc,
ENCTYPE_DES_CBC_RAW,
KRB5_KDB_SALTTYPE_NORMAL,
0, /* Get highest kvno */
krb5_error_code
kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
krb5_data *pkt, krb5_ticket **ticket,
- krb5_db_entry *krbtgt, int *nprincs,
+ krb5_db_entry **krbtgt_ptr,
krb5_keyblock **tgskey,
krb5_keyblock **subkey,
krb5_pa_data **pa_tgs_req)
krb5_authenticator * authenticator = NULL;
krb5_checksum * his_cksum = NULL;
krb5_kvno kvno = 0;
+ krb5_db_entry * krbtgt = NULL;
- *nprincs = 0;
+ *krbtgt_ptr = NULL;
*tgskey = NULL;
tmppa = find_pa_data(request->padata, KRB5_PADATA_AP_REQ);
#endif
if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server,
- krbtgt, nprincs, tgskey, &kvno)))
+ &krbtgt, tgskey, &kvno)))
goto cleanup_auth_context;
/*
* We do not use the KDB keytab because other parts of the TGS need the TGT key.
if (!(retval = encode_krb5_kdc_req_body(request, &scratch)))
retval = comp_cksum(kdc_context, scratch, *ticket, his_cksum);
krb5_free_data(kdc_context, scratch);
+ if (retval)
+ goto cleanup_authenticator;
}
}
- if (retval == 0)
- *pa_tgs_req = tmppa;
+ *pa_tgs_req = tmppa;
+ *krbtgt_ptr = krbtgt;
+ krbtgt = NULL;
+
cleanup_authenticator:
krb5_free_authenticator(kdc_context, authenticator);
*tgskey = NULL;
}
krb5_free_ap_req(kdc_context, apreq);
+ krb5_db_free_principal(kdc_context, krbtgt);
return retval;
}
*/
krb5_error_code
kdc_get_server_key(krb5_ticket *ticket, unsigned int flags,
- krb5_boolean match_enctype, krb5_db_entry *server,
- int *nprincs, krb5_keyblock **key, krb5_kvno *kvno)
+ krb5_boolean match_enctype, krb5_db_entry **server_ptr,
+ krb5_keyblock **key, krb5_kvno *kvno)
{
krb5_error_code retval;
- krb5_boolean more, similar;
+ krb5_boolean similar;
krb5_key_data * server_key;
krb5_keyblock * mkey_ptr;
+ krb5_db_entry * server = NULL;
- *nprincs = 1;
+ *server_ptr = NULL;
- retval = krb5_db_get_principal_ext(kdc_context,
- ticket->server,
- flags,
- server,
- nprincs,
- &more);
- if (retval) {
- return(retval);
- }
- if (more) {
- return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- } else if (*nprincs != 1) {
+ retval = krb5_db_get_principal(kdc_context, ticket->server, flags,
+ &server);
+ if (retval == KRB5_KDB_NOENTRY) {
char *sname;
-
if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
limit_string(sname);
krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
sname);
free(sname);
}
- return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
- }
+ return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ } else if (retval)
+ return retval;
if (server->attributes & KRB5_KDB_DISALLOW_SVR ||
server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
(*key)->enctype = ticket->enc_part.enctype;
*kvno = server_key->key_data_kvno;
+ *server_ptr = server;
+ server = NULL;
errout:
- if (retval != 0) {
- krb5_db_free_principal(kdc_context, server, *nprincs);
- *nprincs = 0;
- }
-
+ krb5_db_free_principal(kdc_context, server);
return retval;
}
return;
}
-krb5_error_code
-get_principal_locked (krb5_context kcontext,
- krb5_const_principal search_for,
- krb5_db_entry *entries, int *nentries,
- krb5_boolean *more)
-{
- return krb5_db_get_principal (kcontext, search_for, entries, nentries,
- more);
-}
-
-krb5_error_code
-get_principal (krb5_context kcontext,
- krb5_const_principal search_for,
- krb5_db_entry *entries, int *nentries, krb5_boolean *more)
-{
- /* Eventually this will be used to manage locking while looking up
- principals in the database. */
- return get_principal_locked (kcontext, search_for, entries, nentries,
- more);
-}
-
-
krb5_error_code
sign_db_authdata (krb5_context context,
unsigned int flags,
krb5_keyblock *tgs_session,
krb5_timestamp kdc_time,
krb5_pa_s4u_x509_user **s4u_x509_user,
- krb5_db_entry *princ,
- int *nprincs,
+ krb5_db_entry **princ_ptr,
const char **status)
{
krb5_error_code code;
krb5_pa_data *pa_data;
- krb5_boolean more;
int flags;
+ krb5_db_entry *princ;
- *nprincs = 0;
- memset(princ, 0, sizeof(*princ));
+ *princ_ptr = NULL;
pa_data = find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER);
if (pa_data != NULL) {
krb5_data e_data;
e_data.data = NULL;
- *nprincs = 1;
- code = krb5_db_get_principal_ext(context,
- (*s4u_x509_user)->user_id.user,
- KRB5_KDB_FLAG_INCLUDE_PAC,
- princ, nprincs, &more);
- if (code) {
- *status = "LOOKING_UP_S4U2SELF_PRINCIPAL";
- *nprincs = 0;
- return code; /* caller can free for_user */
- }
-
- if (more) {
- *status = "NON_UNIQUE_S4U2SELF_PRINCIPAL";
- return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- } else if (*nprincs != 1) {
+ code = krb5_db_get_principal(context, (*s4u_x509_user)->user_id.user,
+ KRB5_KDB_FLAG_INCLUDE_PAC, &princ);
+ if (code == KRB5_KDB_NOENTRY) {
*status = "UNKNOWN_S4U2SELF_PRINCIPAL";
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ } else if (code) {
+ *status = "LOOKING_UP_S4U2SELF_PRINCIPAL";
+ return code; /* caller can free for_user */
}
memset(&no_server, 0, sizeof(no_server));
code = validate_as_request(request, *princ,
no_server, kdc_time, status, &e_data);
if (code) {
+ krb5_db_free_principal(context, princ);
krb5_free_data_contents(context, &e_data);
return code;
}
+
+ *princ_ptr = princ;
}
return 0;
life = until - starttime;
- if (client->max_life != 0)
+ if (client != NULL && client->max_life != 0)
life = min(life, client->max_life);
if (server->max_life != 0)
life = min(life, server->max_life);
const krb5_fulladdr *,
krb5_data *,
krb5_ticket **,
- krb5_db_entry *krbtgt,
- int *nprincs,
+ krb5_db_entry **krbtgt_ptr,
krb5_keyblock **, krb5_keyblock **,
krb5_pa_data **pa_tgs_req);
krb5_error_code
kdc_get_server_key (krb5_ticket *, unsigned int,
krb5_boolean match_enctype,
- krb5_db_entry *, int *,
- krb5_keyblock **, krb5_kvno *);
+ krb5_db_entry **, krb5_keyblock **, krb5_kvno *);
int
validate_as_request (krb5_kdc_req *, krb5_db_entry,
/* kdc_util.c */
void reset_for_hangup(void);
-krb5_error_code
-get_principal_locked (krb5_context kcontext,
- krb5_const_principal search_for,
- krb5_db_entry *entries, int *nentries,
- krb5_boolean *more);
-krb5_error_code
-get_principal (krb5_context kcontext,
- krb5_const_principal search_for,
- krb5_db_entry *entries, int *nentries, krb5_boolean *more);
-
krb5_boolean
include_pac_p(krb5_context context, krb5_kdc_req *request);
krb5_keyblock *tgs_session,
krb5_timestamp kdc_time,
krb5_pa_s4u_x509_user **s4u2self_req,
- krb5_db_entry *princ,
- int *nprincs,
+ krb5_db_entry **princ_ptr,
const char **status);
krb5_error_code
krb5_keyblock *hist_keyblock,
krb5_kvno *hist_kvno);
krb5_error_code kdb_get_entry(kadm5_server_handle_t handle,
- krb5_principal principal, krb5_db_entry *kdb,
- osa_princ_ent_rec *adb);
+ krb5_principal principal,
+ krb5_db_entry **kdb, osa_princ_ent_rec *adb);
krb5_error_code kdb_free_entry(kadm5_server_handle_t handle,
krb5_db_entry *kdb, osa_princ_ent_rec *adb);
krb5_error_code kdb_put_entry(kadm5_server_handle_t handle,
kadm5_unlock
kdb_delete_entry
kdb_free_entry
-kdb_get_entry
kdb_init_hist
kdb_init_master
kdb_iter_entry
krb5_kvno *hist_kvno)
{
krb5_error_code ret;
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
krb5_keyblock *mkey;
/* Fetch the history principal, creating it if necessary. */
if (ret)
return ret;
- if (kdb.n_key_data <= 0) {
+ if (kdb->n_key_data <= 0) {
ret = KRB5_KDB_NO_MATCHING_KEY;
krb5_set_error_message(handle->context, ret,
"History entry contains no key data");
goto done;
}
- ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb,
- &mkey);
+ ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb, &mkey);
if (ret)
goto done;
- ret = krb5_dbe_decrypt_key_data(handle->context, mkey, &kdb.key_data[0],
+ ret = krb5_dbe_decrypt_key_data(handle->context, mkey, &kdb->key_data[0],
hist_keyblock, NULL);
if (ret)
goto done;
- *hist_kvno = kdb.key_data[0].key_data_kvno;
+ *hist_kvno = kdb->key_data[0].key_data_kvno;
done:
- kdb_free_entry(handle, &kdb, NULL);
+ kdb_free_entry(handle, kdb, NULL);
return ret;
}
*
* handle (r) the server_handle
* principal (r) the principal to get
- * kdb (w) krb5_db_entry to fill in
+ * kdb (w) krb5_db_entry to create
* adb (w) osa_princ_ent_rec to fill in
*
* when the caller is done with kdb and adb, kdb_free_entry must be
*/
krb5_error_code
kdb_get_entry(kadm5_server_handle_t handle,
- krb5_principal principal, krb5_db_entry *kdb,
+ krb5_principal principal, krb5_db_entry **kdb_ptr,
osa_princ_ent_rec *adb)
{
krb5_error_code ret;
- int nprincs;
- krb5_boolean more;
krb5_tl_data tl_data;
XDR xdrs;
+ krb5_db_entry *kdb;
- ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs,
- &more);
- if (ret)
- return(ret);
+ *kdb_ptr = NULL;
- if (more) {
- krb5_db_free_principal(handle->context, kdb, nprincs);
- return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- } else if (nprincs != 1) {
- krb5_db_free_principal(handle->context, kdb, nprincs);
+ ret = krb5_db_get_principal(handle->context, principal, 0, &kdb);
+ if (ret == KRB5_KDB_NOENTRY)
return(KADM5_UNK_PRINC);
- }
+ if (ret)
+ return(ret);
if (adb) {
memset(adb, 0, sizeof(*adb));
data will get stored correctly. */
adb->admin_history_kvno = INITIAL_HIST_KVNO;
-
+ *kdb_ptr = kdb;
return(ret);
}
tl_data.tl_data_length, XDR_DECODE);
if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
xdr_destroy(&xdrs);
- krb5_db_free_principal(handle->context, kdb, 1);
+ krb5_db_free_principal(handle->context, kdb);
return(KADM5_XDR_FAILURE);
}
xdr_destroy(&xdrs);
}
+ *kdb_ptr = kdb;
return(0);
}
if (kdb)
- krb5_db_free_principal(handle->context, kdb, 1);
+ krb5_db_free_principal(handle->context, kdb);
if (adb) {
xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
krb5_int32 now;
XDR xdrs;
krb5_tl_data tl_data;
- int one;
ret = krb5_timeofday(handle->context, &now);
if (ret)
if (ret)
return(ret);
- one = 1;
-
/* we are always updating TL data */
kdb->mask |= KADM5_TL_DATA;
- ret = krb5_db_put_principal(handle->context, kdb, &one);
+ ret = krb5_db_put_principal(handle->context, kdb);
if (ret)
return(ret);
krb5_error_code
kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name)
{
- int one = 1;
krb5_error_code ret;
- ret = krb5_db_delete_principal(handle->context, name, &one);
-
+ ret = krb5_db_delete_principal(handle->context, name);
+ if (ret == KRB5_KDB_NOENTRY)
+ ret = 0;
return ret;
}
kadm5_server_handle_t handle = server_handle;
osa_policy_ent_t entry;
int ret;
- int cnt=1;
CHECK_HANDLE(server_handle);
return EINVAL;
if(strlen(name) == 0)
return KADM5_BAD_POLICY;
- if((ret = krb5_db_get_policy(handle->context, name, &entry,&cnt)))
- return ret;
- if( cnt != 1 )
+ ret = krb5_db_get_policy(handle->context, name, &entry);
+ if (ret == KRB5_KDB_NOENTRY)
return KADM5_UNK_POLICY;
+ else if (ret)
+ return ret;
if(entry->policy_refcnt != 0) {
krb5_db_free_policy(handle->context, entry);
kadm5_server_handle_t handle = server_handle;
osa_policy_ent_t p;
int ret;
- int cnt=1;
CHECK_HANDLE(server_handle);
if((mask & KADM5_POLICY))
return KADM5_BAD_MASK;
- if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
- return ret;
- if (cnt != 1)
+ ret = krb5_db_get_policy(handle->context, entry->policy, &p);
+ if (ret == KRB5_KDB_NOENTRY)
return KADM5_UNK_POLICY;
+ else if (ret)
+ return ret;
if ((mask & KADM5_PW_MAX_LIFE))
p->pw_max_life = entry->pw_max_life;
osa_policy_ent_t t;
int ret;
kadm5_server_handle_t handle = server_handle;
- int cnt=1;
CHECK_HANDLE(server_handle);
return EINVAL;
if(strlen(name) == 0)
return KADM5_BAD_POLICY;
- if((ret = krb5_db_get_policy(handle->context, name, &t, &cnt)))
- return ret;
-
- if( cnt != 1 )
+ ret = krb5_db_get_policy(handle->context, name, &t);
+ if (ret == KRB5_KDB_NOENTRY)
return KADM5_UNK_POLICY;
+ else if (ret)
+ return ret;
if ((entry->policy = strdup(t->name)) == NULL) {
krb5_db_free_policy(handle->context, t);
int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
char *password)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
kadm5_policy_ent_rec polent;
+ krb5_boolean have_polent = FALSE;
krb5_int32 now;
krb5_tl_data *tl_data_orig, *tl_data_tail;
unsigned int ret;
case KADM5_UNK_PRINC:
break;
case 0:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return KADM5_DUP;
default:
return ret;
}
- memset(&kdb, 0, sizeof(krb5_db_entry));
+ kdb = krb5_db_alloc(handle->context, NULL, sizeof(*kdb));
+ if (kdb == NULL)
+ return ENOMEM;
+ memset(kdb, 0, sizeof(*kdb));
memset(&adb, 0, sizeof(osa_princ_ent_rec));
/*
if ((mask & KADM5_POLICY)) {
if ((ret = kadm5_get_policy(handle->lhandle, entry->policy,
&polent)) != KADM5_OK) {
- if(ret == EINVAL)
- return KADM5_BAD_POLICY;
- else
- return ret;
+ if (ret == EINVAL)
+ ret = KADM5_BAD_POLICY;
+ if (ret)
+ goto cleanup;
}
+ have_polent = TRUE;
}
if (password) {
- ret = passwd_check(handle, password, (mask & KADM5_POLICY),
- &polent, entry->principal);
- if (ret) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ ret = passwd_check(handle, password, have_polent, &polent,
+ entry->principal);
+ if (ret)
+ goto cleanup;
}
/*
* Start populating the various DB fields, using the
* "defaults" for fields that were not specified by the
* mask.
*/
- if ((ret = krb5_timeofday(handle->context, &now))) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ if ((ret = krb5_timeofday(handle->context, &now)))
+ goto cleanup;
- kdb.magic = KRB5_KDB_MAGIC_NUMBER;
- kdb.len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */
+ kdb->magic = KRB5_KDB_MAGIC_NUMBER;
+ kdb->len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */
if ((mask & KADM5_ATTRIBUTES))
- kdb.attributes = entry->attributes;
+ kdb->attributes = entry->attributes;
else
- kdb.attributes = handle->params.flags;
+ kdb->attributes = handle->params.flags;
if ((mask & KADM5_MAX_LIFE))
- kdb.max_life = entry->max_life;
+ kdb->max_life = entry->max_life;
else
- kdb.max_life = handle->params.max_life;
+ kdb->max_life = handle->params.max_life;
if (mask & KADM5_MAX_RLIFE)
- kdb.max_renewable_life = entry->max_renewable_life;
+ kdb->max_renewable_life = entry->max_renewable_life;
else
- kdb.max_renewable_life = handle->params.max_rlife;
+ kdb->max_renewable_life = handle->params.max_rlife;
if ((mask & KADM5_PRINC_EXPIRE_TIME))
- kdb.expiration = entry->princ_expire_time;
+ kdb->expiration = entry->princ_expire_time;
else
- kdb.expiration = handle->params.expiration;
+ kdb->expiration = handle->params.expiration;
- kdb.pw_expiration = 0;
- if ((mask & KADM5_POLICY)) {
+ kdb->pw_expiration = 0;
+ if (have_polent) {
if(polent.pw_max_life)
- kdb.pw_expiration = now + polent.pw_max_life;
+ kdb->pw_expiration = now + polent.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
if ((mask & KADM5_PW_EXPIRATION))
- kdb.pw_expiration = entry->pw_expiration;
+ kdb->pw_expiration = entry->pw_expiration;
- kdb.last_success = 0;
- kdb.last_failed = 0;
- kdb.fail_auth_count = 0;
+ kdb->last_success = 0;
+ kdb->last_failed = 0;
+ kdb->fail_auth_count = 0;
/* this is kind of gross, but in order to free the tl data, I need
to free the entire kdb entry, and that will try to free the
principal. */
if ((ret = kadm5_copy_principal(handle->context,
- entry->principal, &(kdb.princ)))) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
+ entry->principal, &(kdb->princ))))
+ goto cleanup;
- if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
+ if ((ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now)))
+ goto cleanup;
if (mask & KADM5_TL_DATA) {
- /* splice entry->tl_data onto the front of kdb.tl_data */
- tl_data_orig = kdb.tl_data;
+ /* splice entry->tl_data onto the front of kdb->tl_data */
+ tl_data_orig = kdb->tl_data;
for (tl_data_tail = entry->tl_data; tl_data_tail;
tl_data_tail = tl_data_tail->tl_data_next)
{
- ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl_data_tail);
+ ret = krb5_dbe_update_tl_data(handle->context, kdb, tl_data_tail);
if( ret )
- {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ goto cleanup;
}
}
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
active_mkey_list, &act_kvno, &act_mkey);
- if (ret) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return (ret);
- }
+ if (ret)
+ goto cleanup;
if (password) {
ret = krb5_dbe_cpw(handle->context, act_mkey,
n_ks_tuple?ks_tuple:handle->params.keysalts,
n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
password, (mask & KADM5_KVNO)?entry->kvno:1,
- FALSE, &kdb);
+ FALSE, kdb);
} else {
/* Null password means create with random key (new in 1.8). */
ret = krb5_dbe_crk(handle->context, &master_keyblock,
n_ks_tuple?ks_tuple:handle->params.keysalts,
n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- FALSE, &kdb);
- }
- if (ret) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
+ FALSE, kdb);
}
+ if (ret)
+ goto cleanup;
/* Record the master key VNO used to encrypt this entry's keys */
- ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
+ ret = krb5_dbe_update_mkvno(handle->context, kdb, act_kvno);
if (ret)
- {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ goto cleanup;
/* populate the admin-server-specific fields. In the OV server,
this used to be in a separate database. Since there's already
single tl_data record, */
adb.admin_history_kvno = INITIAL_HIST_KVNO;
- if ((mask & KADM5_POLICY)) {
+ if (have_polent) {
adb.aux_attributes = KADM5_POLICY;
/* this does *not* need to be strdup'ed, because adb is xdr */
/* increment the policy ref count, if any */
- if ((mask & KADM5_POLICY)) {
+ if (have_polent) {
polent.policy_refcnt++;
if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
KADM5_REF_COUNT))
- != KADM5_OK) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
+ != KADM5_OK)
+ goto cleanup;
}
/* In all cases key and the principal data is set, let the database provider know */
- kdb.mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
+ kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
/* store the new db entry */
- ret = kdb_put_entry(handle, &kdb, &adb);
+ ret = kdb_put_entry(handle, kdb, &adb);
- krb5_db_free_principal(handle->context, &kdb, 1);
if (ret) {
- if ((mask & KADM5_POLICY)) {
+ if (have_polent) {
/* decrement the policy ref count */
polent.policy_refcnt--;
(void) kadm5_modify_policy_internal(handle->lhandle, &polent,
KADM5_REF_COUNT);
}
-
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
}
- if (mask & KADM5_POLICY)
+cleanup:
+ krb5_db_free_principal(handle->context, kdb);
+ if (have_polent)
(void) kadm5_free_policy_ent(handle->lhandle, &polent);
-
- return KADM5_OK;
+ return ret;
}
{
unsigned int ret;
kadm5_policy_ent_rec polent;
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
kadm5_server_handle_t handle = server_handle;
KADM5_REF_COUNT))
!= KADM5_OK) {
(void) kadm5_free_policy_ent(handle->lhandle, &polent);
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return(ret);
}
}
if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) {
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
}
ret = kdb_delete_entry(handle, principal);
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
int ret, ret2, i;
kadm5_policy_ent_rec npol, opol;
int have_npol = 0, have_opol = 0;
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
krb5_tl_data *tl_data_orig;
osa_princ_ent_rec adb;
kadm5_server_handle_t handle = server_handle;
/* set pw_max_life based on new policy */
if (npol.pw_max_life) {
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
- &(kdb.pw_expiration));
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
+ &(kdb->pw_expiration));
if (ret)
goto done;
- kdb.pw_expiration += npol.pw_max_life;
+ kdb->pw_expiration += npol.pw_max_life;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
}
free(adb.policy);
adb.policy = NULL;
adb.aux_attributes &= ~KADM5_POLICY;
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
opol.policy_refcnt--;
break;
default:
goto done;
if ((mask & KADM5_ATTRIBUTES))
- kdb.attributes = entry->attributes;
+ kdb->attributes = entry->attributes;
if ((mask & KADM5_MAX_LIFE))
- kdb.max_life = entry->max_life;
+ kdb->max_life = entry->max_life;
if ((mask & KADM5_PRINC_EXPIRE_TIME))
- kdb.expiration = entry->princ_expire_time;
+ kdb->expiration = entry->princ_expire_time;
if (mask & KADM5_PW_EXPIRATION)
- kdb.pw_expiration = entry->pw_expiration;
+ kdb->pw_expiration = entry->pw_expiration;
if (mask & KADM5_MAX_RLIFE)
- kdb.max_renewable_life = entry->max_renewable_life;
+ kdb->max_renewable_life = entry->max_renewable_life;
if((mask & KADM5_KVNO)) {
- for (i = 0; i < kdb.n_key_data; i++)
- kdb.key_data[i].key_data_kvno = entry->kvno;
+ for (i = 0; i < kdb->n_key_data; i++)
+ kdb->key_data[i].key_data_kvno = entry->kvno;
}
if (mask & KADM5_TL_DATA) {
for (tl = entry->tl_data; tl;
tl = tl->tl_data_next)
{
- ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl);
+ ret = krb5_dbe_update_tl_data(handle->context, kdb, tl);
if( ret )
{
goto done;
goto done;
}
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
}
/* let the mask propagate to the database provider */
- kdb.mask = mask;
+ kdb->mask = mask;
- ret = kdb_put_entry(handle, &kdb, &adb);
+ ret = kdb_put_entry(handle, kdb, &adb);
if (ret) goto done;
ret = KADM5_OK;
ret2 = kadm5_free_policy_ent(handle->lhandle, &npol);
ret = ret ? ret : ret2;
}
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
kadm5_rename_principal(void *server_handle,
krb5_principal source, krb5_principal target)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
int ret, i;
kadm5_server_handle_t handle = server_handle;
return EINVAL;
if ((ret = kdb_get_entry(handle, target, &kdb, &adb)) == 0) {
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return(KADM5_DUP);
}
/* this is kinda gross, but unavoidable */
- for (i=0; i<kdb.n_key_data; i++) {
- if ((kdb.key_data[i].key_data_ver == 1) ||
- (kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
+ for (i=0; i<kdb->n_key_data; i++) {
+ if ((kdb->key_data[i].key_data_ver == 1) ||
+ (kdb->key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
ret = KADM5_NO_RENAME_SALT;
goto done;
}
}
- kadm5_free_principal(handle->context, kdb.princ);
- ret = kadm5_copy_principal(handle->context, target, &kdb.princ);
+ kadm5_free_principal(handle->context, kdb->princ);
+ ret = kadm5_copy_principal(handle->context, target, &kdb->princ);
if (ret) {
- kdb.princ = NULL; /* so freeing the dbe doesn't lose */
+ kdb->princ = NULL; /* so freeing the dbe doesn't lose */
goto done;
}
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
ret = kdb_delete_entry(handle, source);
done:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
kadm5_principal_ent_t entry,
long in_mask)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
krb5_error_code ret = 0;
long mask;
entry->aux_attributes = adb.aux_attributes;
if ((mask & KADM5_PRINCIPAL) &&
- (ret = krb5_copy_principal(handle->context, kdb.princ,
+ (ret = krb5_copy_principal(handle->context, kdb->princ,
&entry->principal))) {
goto done;
}
if (mask & KADM5_PRINC_EXPIRE_TIME)
- entry->princ_expire_time = kdb.expiration;
+ entry->princ_expire_time = kdb->expiration;
if ((mask & KADM5_LAST_PWD_CHANGE) &&
- (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
+ (ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
&(entry->last_pwd_change)))) {
goto done;
}
if (mask & KADM5_PW_EXPIRATION)
- entry->pw_expiration = kdb.pw_expiration;
+ entry->pw_expiration = kdb->pw_expiration;
if (mask & KADM5_MAX_LIFE)
- entry->max_life = kdb.max_life;
+ entry->max_life = kdb->max_life;
/* this is a little non-sensical because the function returns two */
/* values that must be checked separately against the mask */
if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) {
- ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb,
+ ret = krb5_dbe_lookup_mod_princ_data(handle->context, kdb,
&(entry->mod_date),
&(entry->mod_name));
if (ret) {
}
if (mask & KADM5_ATTRIBUTES)
- entry->attributes = kdb.attributes;
+ entry->attributes = kdb->attributes;
if (mask & KADM5_KVNO)
- for (entry->kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > entry->kvno)
- entry->kvno = kdb.key_data[i].key_data_kvno;
+ for (entry->kvno = 0, i=0; i<kdb->n_key_data; i++)
+ if (kdb->key_data[i].key_data_kvno > entry->kvno)
+ entry->kvno = kdb->key_data[i].key_data_kvno;
if (mask & KADM5_MKVNO) {
- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
+ ret = krb5_dbe_get_mkvno(handle->context, kdb, master_keylist,
&entry->mkvno);
if (ret)
goto done;
}
if (mask & KADM5_MAX_RLIFE)
- entry->max_renewable_life = kdb.max_renewable_life;
+ entry->max_renewable_life = kdb->max_renewable_life;
if (mask & KADM5_LAST_SUCCESS)
- entry->last_success = kdb.last_success;
+ entry->last_success = kdb->last_success;
if (mask & KADM5_LAST_FAILED)
- entry->last_failed = kdb.last_failed;
+ entry->last_failed = kdb->last_failed;
if (mask & KADM5_FAIL_AUTH_COUNT)
- entry->fail_auth_count = kdb.fail_auth_count;
+ entry->fail_auth_count = kdb->fail_auth_count;
if (mask & KADM5_TL_DATA) {
krb5_tl_data *tl, *tl2;
entry->tl_data = NULL;
- tl = kdb.tl_data;
+ tl = kdb->tl_data;
while (tl) {
if (tl->tl_data_type > 255) {
if ((tl2 = dup_tl_data(tl)) == NULL) {
}
}
if (mask & KADM5_KEY_DATA) {
- entry->n_key_data = kdb.n_key_data;
+ entry->n_key_data = kdb->n_key_data;
if(entry->n_key_data) {
entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data));
if (entry->key_data == NULL) {
for (i = 0; i < entry->n_key_data; i++)
ret = krb5_copy_key_data_contents(handle->context,
- &kdb.key_data[i],
+ &kdb->key_data[i],
&entry->key_data[i]);
if (ret)
goto done;
krb5_free_principal(handle->context, entry->principal);
entry->principal = NULL;
}
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
krb5_int32 now;
kadm5_policy_ent_rec pol;
osa_princ_ent_rec adb;
- krb5_db_entry kdb, kdb_save;
+ krb5_db_entry *kdb, *kdb_save;
int ret, ret2, last_pwd, hist_added;
int have_pol = 0;
kadm5_server_handle_t handle = server_handle;
/* we are going to need the current keys after the new keys are set */
if ((ret = kdb_get_entry(handle, principal, &kdb_save, NULL))) {
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return(ret);
}
n_ks_tuple?ks_tuple:handle->params.keysalts,
n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
password, 0 /* increment kvno */,
- keepold, &kdb);
+ keepold, kdb);
if (ret)
goto done;
- ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
+ ret = krb5_dbe_update_mkvno(handle->context, kdb, act_kvno);
if (ret)
goto done;
- kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(handle->context, &now);
if (ret)
if ((adb.aux_attributes & KADM5_POLICY)) {
/* the policy was loaded before */
- ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd);
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
if (ret)
goto done;
* local caller implicitly has all authorization bits.
*/
if ((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
ret = create_history_entry(handle->context,
act_mkey, &hist_keyblock,
- kdb_save.n_key_data,
- kdb_save.key_data, &hist);
+ kdb_save->n_key_data,
+ kdb_save->key_data, &hist);
if (ret)
goto done;
ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock,
- kdb.n_key_data, kdb.key_data,
+ kdb->n_key_data, kdb->key_data,
1, &hist);
if (ret)
goto done;
* can't check the history. */
if (adb.admin_history_kvno == hist_kvno) {
ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock,
- kdb.n_key_data, kdb.key_data,
+ kdb->n_key_data, kdb->key_data,
adb.old_key_len, adb.old_keys);
if (ret)
goto done;
}
if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = now + pol.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
#ifdef USE_PASSWORD_SERVER
}
#endif
- ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+ ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
goto done;
/* unlock principal on this KDC */
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
/* key data and attributes changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
+ kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
KADM5_FAIL_AUTH_COUNT;
/* | KADM5_CPW_FUNCTION */
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
ret = KADM5_OK;
done:
if (!hist_added && hist.key_data)
free_history_entry(handle->context, &hist);
- kdb_free_entry(handle, &kdb, &adb);
- kdb_free_entry(handle, &kdb_save, NULL);
- krb5_db_free_principal(handle->context, &kdb, 1);
+ kdb_free_entry(handle, kdb, &adb);
+ kdb_free_entry(handle, kdb_save, NULL);
krb5_free_keyblock_contents(handle->context, &hist_keyblock);
if (have_pol && (ret2 = kadm5_free_policy_ent(handle->lhandle, &pol))
krb5_keyblock **keyblocks,
int *n_keys)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
n_ks_tuple?ks_tuple:handle->params.keysalts,
n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
keepold,
- &kdb);
+ kdb);
if (ret)
goto done;
- kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(handle->context, &now);
if (ret)
goto done;
have_pol = 1;
- ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd);
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
if (ret)
goto done;
* local caller implicitly has all authorization bits.
*/
if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif
if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = now + pol.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
- ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+ ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
goto done;
/* unlock principal on this KDC */
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
if (keyblocks) {
ret = decrypt_key_data(handle->context, act_mkey,
- kdb.n_key_data, kdb.key_data,
+ kdb->n_key_data, kdb->key_data,
keyblocks, n_keys);
if (ret)
goto done;
}
/* key data changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+ kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
/* | KADM5_RANDKEY_USED */;
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
ret = KADM5_OK;
done:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
if (have_pol)
kadm5_free_policy_ent(handle->lhandle, &pol);
krb5_principal principal,
krb5_keyblock *keyblock)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
- for (kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > kvno)
- kvno = kdb.key_data[i].key_data_kvno;
+ for (kvno = 0, i=0; i<kdb->n_key_data; i++)
+ if (kdb->key_data[i].key_data_kvno > kvno)
+ kvno = kdb->key_data[i].key_data_kvno;
- if (kdb.key_data != NULL)
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+ if (kdb->key_data != NULL)
+ cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
- kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data));
- if (kdb.key_data == NULL)
+ kdb->key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data));
+ if (kdb->key_data == NULL)
return ENOMEM;
- memset(kdb.key_data, 0, sizeof(krb5_key_data));
- kdb.n_key_data = 1;
+ memset(kdb->key_data, 0, sizeof(krb5_key_data));
+ kdb->n_key_data = 1;
keysalt.type = KRB5_KDB_SALTTYPE_V4;
/* XXX data.magic? */
keysalt.data.length = 0;
}
for (k = 0; k < tmp_key_data.key_data_ver; k++) {
- kdb.key_data->key_data_type[k] = tmp_key_data.key_data_type[k];
- kdb.key_data->key_data_length[k] = tmp_key_data.key_data_length[k];
+ kdb->key_data->key_data_type[k] = tmp_key_data.key_data_type[k];
+ kdb->key_data->key_data_length[k] = tmp_key_data.key_data_length[k];
if (tmp_key_data.key_data_contents[k]) {
- kdb.key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
- if (kdb.key_data->key_data_contents[k] == NULL) {
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
- kdb.key_data = NULL;
- kdb.n_key_data = 0;
+ kdb->key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
+ if (kdb->key_data->key_data_contents[k] == NULL) {
+ cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
+ kdb->key_data = NULL;
+ kdb->n_key_data = 0;
ret = ENOMEM;
goto done;
}
- memcpy (kdb.key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
+ memcpy (kdb->key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
free (tmp_key_data.key_data_contents[k]);
- kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(handle->context, &now);
if (ret)
* local caller implicitly has all authorization bits.
*/
if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd))
+ kdb, &last_pwd))
goto done;
if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif
if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = now + pol.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
- ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+ ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
goto done;
/* unlock principal on this KDC */
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
ret = KADM5_OK;
}
}
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
if (have_pol)
kadm5_free_policy_ent(handle->lhandle, &pol);
krb5_keyblock *keyblocks,
int n_keys)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
- for (kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > kvno)
- kvno = kdb.key_data[i].key_data_kvno;
+ for (kvno = 0, i=0; i<kdb->n_key_data; i++)
+ if (kdb->key_data[i].key_data_kvno > kvno)
+ kvno = kdb->key_data[i].key_data_kvno;
if (keepold) {
- old_key_data = kdb.key_data;
- n_old_keys = kdb.n_key_data;
+ old_key_data = kdb->key_data;
+ n_old_keys = kdb->n_key_data;
} else {
- if (kdb.key_data != NULL)
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+ if (kdb->key_data != NULL)
+ cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
n_old_keys = 0;
old_key_data = NULL;
}
- kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys)
- *sizeof(krb5_key_data));
- if (kdb.key_data == NULL) {
+ kdb->key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys)
+ *sizeof(krb5_key_data));
+ if (kdb->key_data == NULL) {
ret = ENOMEM;
goto done;
}
- memset(kdb.key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data));
- kdb.n_key_data = 0;
+ memset(kdb->key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data));
+ kdb->n_key_data = 0;
for (i = 0; i < n_keys; i++) {
if (n_ks_tuple) {
if (ret)
goto done;
- tptr = &kdb.key_data[i];
+ tptr = &kdb->key_data[i];
tptr->key_data_ver = tmp_key_data.key_data_ver;
tptr->key_data_kvno = tmp_key_data.key_data_kvno;
for (k = 0; k < tmp_key_data.key_data_ver; k++) {
tmp_key_data.key_data_contents[k] = NULL;
}
}
- kdb.n_key_data++;
+ kdb->n_key_data++;
}
/* copy old key data if necessary */
for (i = 0; i < n_old_keys; i++) {
- kdb.key_data[i+n_keys] = old_key_data[i];
+ kdb->key_data[i+n_keys] = old_key_data[i];
memset(&old_key_data[i], 0, sizeof (krb5_key_data));
- kdb.n_key_data++;
+ kdb->n_key_data++;
}
if (old_key_data)
krb5_db_free(handle->context, old_key_data);
- /* assert(kdb.n_key_data == n_keys + n_old_keys) */
- kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ /* assert(kdb->n_key_data == n_keys + n_old_keys) */
+ kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
if ((ret = krb5_timeofday(handle->context, &now)))
goto done;
* local caller implicitly has all authorization bits.
*/
if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd))
+ kdb, &last_pwd))
goto done;
if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif
if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = now + pol.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
- if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)))
+ if ((ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now)))
goto done;
/* unlock principal on this KDC */
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
ret = KADM5_OK;
done:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
if (have_pol)
kadm5_free_policy_ent(handle->lhandle, &pol);
krb5_keyblock **keyblocks /* OUT */,
int *n_keys /* OUT */)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
kadm5_ret_t ret;
kadm5_server_handle_t handle = server_handle;
return(ret);
if (keyblocks) {
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb,
+ if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb,
&mkey_ptr))) {
krb5_keylist_node *tmp_mkey_list;
/* try refreshing master key list */
krb5_dbe_free_key_list(handle->context, master_keylist);
master_keylist = tmp_mkey_list;
if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist,
- &kdb, &mkey_ptr))) {
+ kdb, &mkey_ptr))) {
goto done;
}
} else {
}
ret = decrypt_key_data(handle->context, mkey_ptr,
- kdb.n_key_data, kdb.key_data,
+ kdb->n_key_data, kdb->key_data,
keyblocks, n_keys);
if (ret)
goto done;
ret = KADM5_OK;
done:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
else
printf("released\n");
} else if (strcmp(*argv, "get") == 0) {
- int cnt = 1;
argc--; argv++;
if (!argc) usage();
- if ((ret = krb5_db_get_policy(context, *argv,
- &entry, &cnt)) ) {
+ if ((ret = krb5_db_get_policy(context, *argv, &entry))) {
com_err(whoami, ret, "while getting policy");
} else {
printf("retrieved\n");
}
krb5_error_code
-krb5_db_get_principal(krb5_context kcontext,
- krb5_const_principal search_for,
- krb5_db_entry * entries,
- int *nentries, krb5_boolean * more)
+krb5_db_get_principal(krb5_context kcontext, krb5_const_principal search_for,
+ unsigned int flags, krb5_db_entry **entry)
{
krb5_error_code status = 0;
kdb_vftabl *v;
+ *entry = NULL;
status = get_vftabl(kcontext, &v);
if (status)
return status;
if (v->get_principal == NULL)
return KRB5_PLUGIN_OP_NOTSUPP;
- return v->get_principal(kcontext, search_for, 0, entries, nentries, more);
-}
-
-krb5_error_code
-krb5_db_get_principal_ext(krb5_context kcontext,
- krb5_const_principal search_for,
- unsigned int flags,
- krb5_db_entry * entries,
- int *nentries, krb5_boolean * more)
-{
- krb5_error_code status = 0;
- kdb_vftabl *v;
-
- status = get_vftabl(kcontext, &v);
- if (status)
- return status;
- if (v->get_principal == NULL)
- return KRB5_PLUGIN_OP_NOTSUPP;
- return v->get_principal(kcontext, search_for, flags, entries, nentries,
- more);
+ return v->get_principal(kcontext, search_for, flags, entry);
}
void
-krb5_db_free_principal(krb5_context kcontext, krb5_db_entry * entry, int count)
+krb5_db_free_principal(krb5_context kcontext, krb5_db_entry *entry)
{
krb5_error_code status = 0;
kdb_vftabl *v;
status = get_vftabl(kcontext, &v);
if (status)
return;
- v->free_principal(kcontext, entry, count);
+ v->free_principal(kcontext, entry);
}
static void
}
krb5_error_code
-krb5int_put_principal_no_log(krb5_context kcontext,
- krb5_db_entry *entries, int *nentries)
+krb5int_put_principal_no_log(krb5_context kcontext, krb5_db_entry *entry)
{
kdb_vftabl *v;
krb5_error_code status;
return status;
if (v->put_principal == NULL)
return KRB5_PLUGIN_OP_NOTSUPP;
- status = extract_db_args_from_tl_data(kcontext, &entries->tl_data,
- &entries->n_tl_data,
+ status = extract_db_args_from_tl_data(kcontext, &entry->tl_data,
+ &entry->n_tl_data,
&db_args);
if (status)
return status;
- status = v->put_principal(kcontext, entries, nentries, db_args);
+ status = v->put_principal(kcontext, entry, db_args);
free_db_args(kcontext, db_args);
return status;
}
krb5_error_code
-krb5_db_put_principal(krb5_context kcontext,
- krb5_db_entry * entries, int *nentries)
+krb5_db_put_principal(krb5_context kcontext, krb5_db_entry *entry)
{
krb5_error_code status = 0;
kdb_vftabl *v;
char **db_args = NULL;
- kdb_incr_update_t *upd, *fupd = 0;
+ kdb_incr_update_t *upd = NULL;
char *princ_name = NULL;
kdb_log_context *log_ctx;
- int i;
int ulog_locked = 0;
log_ctx = kcontext->kdblog_context;
status = get_vftabl(kcontext, &v);
if (status)
- goto clean_n_exit;
+ return status;
+ if (v->put_principal == NULL)
+ return KRB5_PLUGIN_OP_NOTSUPP;
- status = extract_db_args_from_tl_data(kcontext, &entries->tl_data,
- &entries->n_tl_data,
+ status = extract_db_args_from_tl_data(kcontext, &entry->tl_data,
+ &entry->n_tl_data,
&db_args);
if (status)
goto clean_n_exit;
if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) {
- if (!(upd = (kdb_incr_update_t *)
- malloc(sizeof (kdb_incr_update_t)* *nentries))) {
- status = errno;
- goto err_lock;
- }
- fupd = upd;
-
- (void) memset(upd, 0, sizeof(kdb_incr_update_t)* *nentries);
-
- if ((status = ulog_conv_2logentry(kcontext, entries, upd, *nentries)))
- goto err_lock;
+ upd = k5alloc(sizeof(*upd), &status);
+ if (upd == NULL)
+ goto clean_n_exit;
+ if ((status = ulog_conv_2logentry(kcontext, entry, upd)))
+ goto clean_n_exit;
}
status = ulog_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE);
goto err_lock;
ulog_locked = 1;
- for (i = 0; i < *nentries; i++) {
- if (fupd) {
- if ((status = krb5_unparse_name(kcontext, entries->princ,
- &princ_name)))
- goto err_lock;
+ if (upd != NULL) {
+ status = krb5_unparse_name(kcontext, entry->princ, &princ_name);
+ if (status != 0)
+ goto err_lock;
- upd->kdb_princ_name.utf8str_t_val = princ_name;
- upd->kdb_princ_name.utf8str_t_len = strlen(princ_name);
+ upd->kdb_princ_name.utf8str_t_val = princ_name;
+ upd->kdb_princ_name.utf8str_t_len = strlen(princ_name);
- if ((status = ulog_add_update(kcontext, upd)) != 0)
- goto err_lock;
- upd++;
- }
+ if ((status = ulog_add_update(kcontext, upd)) != 0)
+ goto err_lock;
}
- if (v->put_principal == NULL) {
- status = KRB5_PLUGIN_OP_NOTSUPP;
- goto err_lock;
- }
+ status = v->put_principal(kcontext, entry, db_args);
+ if (status == 0 && upd != NULL)
+ (void) ulog_finish_update(kcontext, upd);
- status = v->put_principal(kcontext, entries, nentries, db_args);
- if (status == 0 && fupd) {
- upd = fupd;
- for (i = 0; i < *nentries; i++) {
- (void) ulog_finish_update(kcontext, upd);
- upd++;
- }
- }
err_lock:
if (ulog_locked)
ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK);
clean_n_exit:
free_db_args(kcontext, db_args);
-
- if (log_ctx && (log_ctx->iproprole == IPROP_MASTER))
- ulog_free_entries(fupd, *nentries);
-
+ ulog_free_entries(upd, 1);
return status;
}
krb5_error_code
krb5int_delete_principal_no_log(krb5_context kcontext,
- krb5_principal search_for,
- int *nentries)
+ krb5_principal search_for)
{
kdb_vftabl *v;
krb5_error_code status;
return status;
if (v->delete_principal == NULL)
return KRB5_PLUGIN_OP_NOTSUPP;
- return v->delete_principal(kcontext, search_for, nentries);
+ return v->delete_principal(kcontext, search_for);
}
krb5_error_code
krb5_db_delete_principal(krb5_context kcontext,
- krb5_principal search_for, int *nentries)
+ krb5_principal search_for)
{
krb5_error_code status = 0;
kdb_vftabl *v;
if (v->delete_principal == NULL)
return KRB5_PLUGIN_OP_NOTSUPP;
- status = v->delete_principal(kcontext, search_for, nentries);
+ status = v->delete_principal(kcontext, search_for);
/*
* We need to commit our update upon success
* princ.
*/
if (kvno != NULL && *kvno == IGNORE_VNO) {
- int nentries = 1;
- krb5_boolean more;
krb5_error_code rc;
- krb5_db_entry master_entry;
-
- rc = krb5_db_get_principal(context, mname,
- &master_entry, &nentries, &more);
+ krb5_db_entry *master_entry;
- if (rc == 0 && nentries == 1 && more == FALSE)
- *kvno = (krb5_kvno) master_entry.key_data->key_data_kvno;
- else
+ rc = krb5_db_get_principal(context, mname, 0, &master_entry);
+ if (rc == 0) {
+ *kvno = (krb5_kvno) master_entry->key_data->key_data_kvno;
+ krb5_db_free_principal(context, master_entry);
+ } else
*kvno = 1;
-
- if (rc == 0 && nentries)
- krb5_db_free_principal(context, &master_entry, nentries);
}
if (!salt)
krb5_actkvno_node **act_key_list)
{
krb5_error_code retval = 0;
- krb5_db_entry entry;
- int nprinc;
- krb5_boolean more;
+ krb5_db_entry *entry;
if (act_key_list == NULL)
return (EINVAL);
- nprinc = 1;
- if ((retval = krb5_db_get_principal(context, princ, &entry,
- &nprinc, &more))) {
- return (retval);
- }
-
- if (nprinc != 1) {
- if (nprinc) {
- krb5_db_free_principal(context, &entry, nprinc);
- return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- } else {
- return(KRB5_KDB_NOMASTERKEY);
- }
- } else if (more) {
- krb5_db_free_principal(context, &entry, nprinc);
- return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- }
+ retval = krb5_db_get_principal(context, princ, 0, &entry);
+ if (retval == KRB5_KDB_NOENTRY)
+ return KRB5_KDB_NOMASTERKEY;
+ else if (retval)
+ return retval;
- retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list);
+ retval = krb5_dbe_lookup_actkvno(context, entry, act_key_list);
if (*act_key_list == NULL) {
krb5_actkvno_node *tmp_actkvno;
*/
tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
- if (tmp_actkvno == NULL)
- return (ENOMEM);
+ if (tmp_actkvno == NULL) {
+ krb5_db_free_principal(context, entry);
+ return ENOMEM;
+ }
memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node));
tmp_actkvno->act_time = 0; /* earliest time possible */
/* use most current key */
- tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno;
+ tmp_actkvno->act_kvno = entry->key_data[0].key_data_kvno;
*act_key_list = tmp_actkvno;
}
- krb5_db_free_principal(context, &entry, nprinc);
+ krb5_db_free_principal(context, entry);
return retval;
}
}
krb5_error_code
-krb5_db_get_policy(krb5_context kcontext, char *name,
- osa_policy_ent_t * policy, int *cnt)
+krb5_db_get_policy(krb5_context kcontext, char *name, osa_policy_ent_t *policy)
{
krb5_error_code status = 0;
kdb_vftabl *v;
return status;
if (v->get_policy == NULL)
return KRB5_PLUGIN_OP_NOTSUPP;
- return v->get_policy(kcontext, name, policy, cnt);
+ return v->get_policy(kcontext, name, policy);
}
krb5_error_code
krb5_error_code
krb5int_put_principal_no_log(krb5_context kcontext,
- krb5_db_entry *entries, int *nentries);
+ krb5_db_entry *entries);
krb5_error_code
krb5int_delete_principal_no_log(krb5_context kcontext,
- krb5_principal search_for,
- int *nentries);
+ krb5_principal search_for);
#endif /* __KDB5INT_H__ */
/*
- * This routine converts one or more krb5 db2 records into update
- * log (ulog) entry format. Space for the update log entries should
- * be allocated prior to invocation of this routine.
+ * This routine converts a krb5 DB record into update log (ulog) entry format.
+ * Space for the update log entry should be allocated prior to invocation of
+ * this routine.
*/
krb5_error_code
-ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
- kdb_incr_update_t *updates,
- int nentries)
+ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry,
+ kdb_incr_update_t *update)
{
- int i, j, k, cnt, final, nattrs, tmpint, nprincs;
- unsigned int more;
+ int i, j, cnt, final, nattrs, tmpint;
krb5_principal tmpprinc;
krb5_tl_data *newtl;
- krb5_db_entry curr;
+ krb5_db_entry *curr;
krb5_error_code ret;
kdbe_attr_type_t *attr_types;
- kdb_incr_update_t *upd;
- krb5_db_entry *ent;
int kadm_data_yes;
/* always exclude non-replicated attributes, for now */
krb5_boolean exclude_nra = TRUE;
- if ((updates == NULL) || (entries == NULL))
- return (KRB5KRB_ERR_GENERIC);
+ nattrs = tmpint = 0;
+ final = -1;
+ kadm_data_yes = 0;
+ attr_types = NULL;
- upd = updates;
- ent = entries;
+ /*
+ * XXX we rely on the good behaviour of the database not to
+ * exceed this limit.
+ */
+ if ((update->kdb_update.kdbe_t_val = (kdbe_val_t *)
+ malloc(MAXENTRY_SIZE)) == NULL) {
+ return (ENOMEM);
+ }
- for (k = 0; k < nentries; k++) {
- nprincs = nattrs = tmpint = 0;
- final = -1;
- kadm_data_yes = 0;
- attr_types = NULL;
+ /*
+ * Find out which attrs have been modified
+ */
+ if ((attr_types = (kdbe_attr_type_t *)malloc(
+ sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE))
+ == NULL) {
+ return (ENOMEM);
+ }
- /*
- * XXX we rely on the good behaviour of the database not to
- * exceed this limit.
- */
- if ((upd->kdb_update.kdbe_t_val = (kdbe_val_t *)
- malloc(MAXENTRY_SIZE)) == NULL) {
- return (ENOMEM);
- }
+ ret = krb5_db_get_principal(context, entry->princ, 0, &curr);
+ if (ret && ret != KRB5_KDB_NOENTRY) {
+ free(attr_types);
+ return (ret);
+ }
+ if (ret == KRB5_KDB_NOENTRY) {
/*
- * Find out which attrs have been modified
+ * This is a new entry to the database, hence will
+ * include all the attribute-value pairs
+ *
+ * We leave out the TL_DATA types which we model as
+ * attrs in kdbe_attr_type_t, since listing AT_TL_DATA
+ * encompasses these other types-turned-attributes
+ *
+ * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME,
+ * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY,
+ * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST,
+ * totalling 8 attrs.
*/
- if ((attr_types = (kdbe_attr_type_t *)malloc(
- sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE))
- == NULL) {
- return (ENOMEM);
- }
-
- if ((ret = krb5_db_get_principal(context, ent->princ, &curr,
- &nprincs, &more))) {
- free(attr_types);
- return (ret);
+ while (nattrs < MAXATTRS_SIZE - 8) {
+ attr_types[nattrs] = nattrs;
+ nattrs++;
}
+ } else {
+ find_changed_attrs(curr, entry, exclude_nra, attr_types, &nattrs);
+ krb5_db_free_principal(context, curr);
+ }
- if (nprincs == 0) {
- /*
- * This is a new entry to the database, hence will
- * include all the attribute-value pairs
- *
- * We leave out the TL_DATA types which we model as
- * attrs in kdbe_attr_type_t, since listing AT_TL_DATA
- * encompasses these other types-turned-attributes
- *
- * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME,
- * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY,
- * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST,
- * totalling 8 attrs.
- */
- while (nattrs < MAXATTRS_SIZE - 8) {
- attr_types[nattrs] = nattrs;
- nattrs++;
+ for (i = 0; i < nattrs; i++) {
+ switch (attr_types[i]) {
+ case AT_ATTRFLAGS:
+ if (entry->attributes >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type =
+ AT_ATTRFLAGS;
+ ULOG_ENTRY(update, final).av_attrflags =
+ (uint32_t)entry->attributes;
}
- } else {
- find_changed_attrs(&curr, ent, exclude_nra, attr_types, &nattrs);
+ break;
- krb5_db_free_principal(context, &curr, nprincs);
- }
+ case AT_MAX_LIFE:
+ if (entry->max_life >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MAX_LIFE;
+ ULOG_ENTRY(update, final).av_max_life =
+ (uint32_t)entry->max_life;
+ }
+ break;
- for (i = 0; i < nattrs; i++) {
- switch (attr_types[i]) {
- case AT_ATTRFLAGS:
- if (ent->attributes >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_ATTRFLAGS;
- ULOG_ENTRY(upd, final).av_attrflags =
- (uint32_t)ent->attributes;
- }
- break;
+ case AT_MAX_RENEW_LIFE:
+ if (entry->max_renewable_life >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MAX_RENEW_LIFE;
+ ULOG_ENTRY(update, final).av_max_renew_life =
+ (uint32_t)entry->max_renewable_life;
+ }
+ break;
- case AT_MAX_LIFE:
- if (ent->max_life >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_MAX_LIFE;
- ULOG_ENTRY(upd, final).av_max_life =
- (uint32_t)ent->max_life;
- }
- break;
+ case AT_EXP:
+ if (entry->expiration >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_EXP;
+ ULOG_ENTRY(update, final).av_exp = (uint32_t)entry->expiration;
+ }
+ break;
- case AT_MAX_RENEW_LIFE:
- if (ent->max_renewable_life >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_MAX_RENEW_LIFE;
- ULOG_ENTRY(upd,
- final).av_max_renew_life =
- (uint32_t)ent->max_renewable_life;
- }
- break;
+ case AT_PW_EXP:
+ if (entry->pw_expiration >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PW_EXP;
+ ULOG_ENTRY(update, final).av_pw_exp =
+ (uint32_t)entry->pw_expiration;
+ }
+ break;
- case AT_EXP:
- if (ent->expiration >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_EXP;
- ULOG_ENTRY(upd, final).av_exp =
- (uint32_t)ent->expiration;
- }
- break;
+ case AT_LAST_SUCCESS:
+ if (!exclude_nra && entry->last_success >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_SUCCESS;
+ ULOG_ENTRY(update, final).av_last_success =
+ (uint32_t)entry->last_success;
+ }
+ break;
- case AT_PW_EXP:
- if (ent->pw_expiration >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_PW_EXP;
- ULOG_ENTRY(upd, final).av_pw_exp =
- (uint32_t)ent->pw_expiration;
+ case AT_LAST_FAILED:
+ if (!exclude_nra && entry->last_failed >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_FAILED;
+ ULOG_ENTRY(update, final).av_last_failed =
+ (uint32_t)entry->last_failed;
+ }
+ break;
+
+ case AT_FAIL_AUTH_COUNT:
+ if (!exclude_nra && entry->fail_auth_count >= (krb5_kvno)0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type =
+ AT_FAIL_AUTH_COUNT;
+ ULOG_ENTRY(update, final).av_fail_auth_count =
+ (uint32_t)entry->fail_auth_count;
+ }
+ break;
+
+ case AT_PRINC:
+ if (entry->princ->length > 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PRINC;
+ if ((ret = conv_princ_2ulog(entry->princ,
+ update, final, REG_PRINC))) {
+ free(attr_types);
+ return (ret);
}
- break;
+ }
+ break;
- case AT_LAST_SUCCESS:
- if (!exclude_nra && ent->last_success >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_LAST_SUCCESS;
- ULOG_ENTRY(upd,
- final).av_last_success =
- (uint32_t)ent->last_success;
+ case AT_KEYDATA:
+/* BEGIN CSTYLED */
+ if (entry->n_key_data >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_KEYDATA;
+ ULOG_ENTRY(update, final).av_keydata.av_keydata_len =
+ entry->n_key_data;
+ ULOG_ENTRY(update, final).av_keydata.av_keydata_val =
+ malloc(entry->n_key_data * sizeof (kdbe_key_t));
+ if (ULOG_ENTRY(update, final).av_keydata.av_keydata_val ==
+ NULL) {
+ free(attr_types);
+ return (ENOMEM);
}
- break;
- case AT_LAST_FAILED:
- if (!exclude_nra && ent->last_failed >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_LAST_FAILED;
- ULOG_ENTRY(upd,
- final).av_last_failed =
- (uint32_t)ent->last_failed;
- }
- break;
+ for (j = 0; j < entry->n_key_data; j++) {
+ ULOG_ENTRY_KEYVAL(update, final, j).k_ver =
+ entry->key_data[j].key_data_ver;
+ ULOG_ENTRY_KEYVAL(update, final, j).k_kvno =
+ entry->key_data[j].key_data_kvno;
+ ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_len = entry->key_data[j].key_data_ver;
+ ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_len = entry->key_data[j].key_data_ver;
- case AT_FAIL_AUTH_COUNT:
- if (!exclude_nra && ent->fail_auth_count >= (krb5_kvno)0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_FAIL_AUTH_COUNT;
- ULOG_ENTRY(upd,
- final).av_fail_auth_count =
- (uint32_t)ent->fail_auth_count;
- }
- break;
-
- case AT_PRINC:
- if (ent->princ->length > 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_PRINC;
- if ((ret = conv_princ_2ulog(ent->princ,
- upd, final, REG_PRINC))) {
+ ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val = malloc(entry->key_data[j].key_data_ver * sizeof(int32_t));
+ if (ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val == NULL) {
free(attr_types);
- return (ret);
+ return (ENOMEM);
}
- }
- break;
- case AT_KEYDATA:
-/* BEGIN CSTYLED */
- if (ent->n_key_data >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_KEYDATA;
- ULOG_ENTRY(upd, final).av_keydata.av_keydata_len = ent->n_key_data;
-
- ULOG_ENTRY(upd, final).av_keydata.av_keydata_val = malloc(ent->n_key_data * sizeof (kdbe_key_t));
- if (ULOG_ENTRY(upd, final).av_keydata.av_keydata_val == NULL) {
+ ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val = malloc(entry->key_data[j].key_data_ver * sizeof(utf8str_t));
+ if (ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val == NULL) {
free(attr_types);
return (ENOMEM);
}
- for (j = 0; j < ent->n_key_data; j++) {
- ULOG_ENTRY_KEYVAL(upd, final, j).k_ver = ent->key_data[j].key_data_ver;
- ULOG_ENTRY_KEYVAL(upd, final, j).k_kvno = ent->key_data[j].key_data_kvno;
- ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_len = ent->key_data[j].key_data_ver;
- ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_len = ent->key_data[j].key_data_ver;
-
- ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val = malloc(ent->key_data[j].key_data_ver * sizeof(int32_t));
- if (ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val == NULL) {
- free(attr_types);
- return (ENOMEM);
- }
-
- ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val = malloc(ent->key_data[j].key_data_ver * sizeof(utf8str_t));
- if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val == NULL) {
+ for (cnt = 0; cnt < entry->key_data[j].key_data_ver;
+ cnt++) {
+ ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val[cnt] = entry->key_data[j].key_data_type[cnt];
+ ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = entry->key_data[j].key_data_length[cnt];
+ ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(entry->key_data[j].key_data_length[cnt] * sizeof (char));
+ if (ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL) {
free(attr_types);
return (ENOMEM);
}
-
- for (cnt = 0; cnt < ent->key_data[j].key_data_ver; cnt++) {
- ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val[cnt] = ent->key_data[j].key_data_type[cnt];
- ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = ent->key_data[j].key_data_length[cnt];
- ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(ent->key_data[j].key_data_length[cnt] * sizeof (char));
- if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL) {
- free(attr_types);
- return (ENOMEM);
- }
- (void) memcpy(ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, ent->key_data[j].key_data_contents[cnt], ent->key_data[j].key_data_length[cnt]);
- }
+ (void) memcpy(ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, entry->key_data[j].key_data_contents[cnt], entry->key_data[j].key_data_length[cnt]);
}
}
- break;
+ }
+ break;
- case AT_TL_DATA:
- ret = krb5_dbe_lookup_last_pwd_change(context,
- ent, &tmpint);
- if (ret == 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_PW_LAST_CHANGE;
- ULOG_ENTRY(upd, final).av_pw_last_change = tmpint;
- }
- tmpint = 0;
+ case AT_TL_DATA:
+ ret = krb5_dbe_lookup_last_pwd_change(context, entry, &tmpint);
+ if (ret == 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PW_LAST_CHANGE;
+ ULOG_ENTRY(update, final).av_pw_last_change = tmpint;
+ }
+ tmpint = 0;
- if(!(ret = krb5_dbe_lookup_mod_princ_data(
- context, ent, &tmpint, &tmpprinc))) {
+ if(!(ret = krb5_dbe_lookup_mod_princ_data(context, entry, &tmpint,
+ &tmpprinc))) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_MOD_PRINC;
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MOD_PRINC;
- ret = conv_princ_2ulog(tmpprinc,
- upd, final, MOD_PRINC);
- krb5_free_principal(context, tmpprinc);
- if (ret) {
- free(attr_types);
- return (ret);
- }
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_MOD_TIME;
- ULOG_ENTRY(upd, final).av_mod_time =
- tmpint;
+ ret = conv_princ_2ulog(tmpprinc, update, final, MOD_PRINC);
+ krb5_free_principal(context, tmpprinc);
+ if (ret) {
+ free(attr_types);
+ return (ret);
}
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MOD_TIME;
+ ULOG_ENTRY(update, final).av_mod_time =
+ tmpint;
+ }
- newtl = ent->tl_data;
- while (newtl) {
- switch (newtl->tl_data_type) {
- case KRB5_TL_LAST_PWD_CHANGE:
- case KRB5_TL_MOD_PRINC:
- break;
-
- case KRB5_TL_KADM_DATA:
- default:
- if (kadm_data_yes == 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type = AT_TL_DATA;
- ULOG_ENTRY(upd, final).av_tldata.av_tldata_len = 0;
- ULOG_ENTRY(upd, final).av_tldata.av_tldata_val = malloc(ent->n_tl_data * sizeof(kdbe_tl_t));
-
- if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val == NULL) {
- free(attr_types);
- return (ENOMEM);
- }
- kadm_data_yes = 1;
- }
+ newtl = entry->tl_data;
+ while (newtl) {
+ switch (newtl->tl_data_type) {
+ case KRB5_TL_LAST_PWD_CHANGE:
+ case KRB5_TL_MOD_PRINC:
+ break;
- tmpint = ULOG_ENTRY(upd, final).av_tldata.av_tldata_len;
- ULOG_ENTRY(upd, final).av_tldata.av_tldata_len++;
- ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type;
- ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length;
- ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char));
- if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL) {
+ case KRB5_TL_KADM_DATA:
+ default:
+ if (kadm_data_yes == 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_TL_DATA;
+ ULOG_ENTRY(update, final).av_tldata.av_tldata_len = 0;
+ ULOG_ENTRY(update, final).av_tldata.av_tldata_val =
+ malloc(entry->n_tl_data * sizeof(kdbe_tl_t));
+
+ if (ULOG_ENTRY(update, final).av_tldata.av_tldata_val
+ == NULL) {
free(attr_types);
return (ENOMEM);
}
- (void) memcpy(ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length);
- break;
+ kadm_data_yes = 1;
}
- newtl = newtl->tl_data_next;
- }
- break;
-/* END CSTYLED */
- case AT_LEN:
- if (ent->len >= 0) {
- ULOG_ENTRY_TYPE(upd, ++final).av_type =
- AT_LEN;
- ULOG_ENTRY(upd, final).av_len =
- (int16_t)ent->len;
+ tmpint = ULOG_ENTRY(update, final).av_tldata.av_tldata_len;
+ ULOG_ENTRY(update, final).av_tldata.av_tldata_len++;
+ ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type;
+ ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length;
+ ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char));
+ if (ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL) {
+ free(attr_types);
+ return (ENOMEM);
+ }
+ (void) memcpy(ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length);
+ break;
}
- break;
+ newtl = newtl->tl_data_next;
+ }
+ break;
+/* END CSTYLED */
- default:
- break;
+ case AT_LEN:
+ if (entry->len >= 0) {
+ ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN;
+ ULOG_ENTRY(update, final).av_len = (int16_t)entry->len;
}
+ break;
+ default:
+ break;
}
- free(attr_types);
+ }
- /*
- * Update len field in kdb_update
- */
- upd->kdb_update.kdbe_t_len = ++final;
+ free(attr_types);
- /*
- * Bump up to next struct
- */
- upd++;
- ent++;
- }
+ /*
+ * Update len field in kdb_update
+ */
+ update->kdb_update.kdbe_t_len = ++final;
return (0);
}
-/*
- * This routine converts one or more update log (ulog) entries into
- * kerberos db2 records. Required memory should be allocated
- * for the db2 records (pointed to by krb5_db_entry *ent), prior
- * to calling this routine.
- */
+/* Convert an update log (ulog) entry into a kerberos record. */
krb5_error_code
-ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
- kdb_incr_update_t *updates,
- int nentries)
+ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry,
+ kdb_incr_update_t *update)
{
- int k;
krb5_db_entry *ent;
- kdb_incr_update_t *upd;
int slave;
+ krb5_principal mod_princ = NULL;
+ int i, j, cnt = 0, mod_time = 0, nattrs;
+ krb5_principal dbprinc;
+ char *dbprincstr = NULL;
+ krb5_tl_data *newtl = NULL;
+ krb5_error_code ret;
+ unsigned int prev_n_keys = 0;
+ krb5_boolean is_add;
- if ((updates == NULL) || (entries == NULL))
- return (KRB5KRB_ERR_GENERIC);
-
- ent = entries;
- upd = updates;
+ *entry = NULL;
slave = (context->kdblog_context != NULL) &&
(context->kdblog_context->iproprole == IPROP_SLAVE);
- for (k = 0; k < nentries; k++) {
- krb5_principal mod_princ = NULL;
- int i, j, cnt = 0, mod_time = 0, nattrs, nprincs = 0;
- krb5_principal dbprinc;
- char *dbprincstr = NULL;
-
- krb5_tl_data *newtl = NULL;
- krb5_error_code ret;
- unsigned int more;
- unsigned int prev_n_keys = 0;
-
- /*
- * If the ulog entry represents a DELETE update,
- * just skip to the next entry.
- */
- if (upd->kdb_deleted == TRUE)
- goto next;
-
- /*
- * Store the no. of changed attributes in nattrs
- */
- nattrs = upd->kdb_update.kdbe_t_len;
+ /*
+ * Store the no. of changed attributes in nattrs
+ */
+ nattrs = update->kdb_update.kdbe_t_len;
+
+ dbprincstr = malloc((update->kdb_princ_name.utf8str_t_len + 1)
+ * sizeof (char));
+ if (dbprincstr == NULL)
+ return (ENOMEM);
+ strncpy(dbprincstr, (char *)update->kdb_princ_name.utf8str_t_val,
+ update->kdb_princ_name.utf8str_t_len);
+ dbprincstr[update->kdb_princ_name.utf8str_t_len] = 0;
+
+ ret = krb5_parse_name(context, dbprincstr, &dbprinc);
+ free(dbprincstr);
+ if (ret)
+ return (ret);
+
+ ret = krb5_db_get_principal(context, dbprinc, 0, &ent);
+ krb5_free_principal(context, dbprinc);
+ if (ret && ret != KRB5_KDB_NOENTRY)
+ return (ret);
+ is_add = (ret == KRB5_KDB_NOENTRY);
- dbprincstr = malloc((upd->kdb_princ_name.utf8str_t_len + 1)
- * sizeof (char));
- if (dbprincstr == NULL)
+ /*
+ * Set ent->n_tl_data = 0 initially, if this is an ADD update
+ */
+ if (is_add) {
+ ent = krb5_db_alloc(context, NULL, sizeof(*ent));
+ if (ent == NULL)
return (ENOMEM);
- strncpy(dbprincstr, (char *)upd->kdb_princ_name.utf8str_t_val,
- upd->kdb_princ_name.utf8str_t_len);
- dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0;
-
- ret = krb5_parse_name(context, dbprincstr, &dbprinc);
- free(dbprincstr);
- if (ret)
- return (ret);
-
- ret = krb5_db_get_principal(context, dbprinc, ent, &nprincs,
- &more);
- krb5_free_principal(context, dbprinc);
- if (ret)
- return (ret);
-
- /*
- * Set ent->n_tl_data = 0 initially, if this is an ADD update
- */
- if (nprincs == 0)
- ent->n_tl_data = 0;
-
- for (i = 0; i < nattrs; i++) {
- krb5_principal tmpprinc = NULL;
-
-#define u (ULOG_ENTRY(upd, i))
- switch (ULOG_ENTRY_TYPE(upd, i).av_type) {
- case AT_ATTRFLAGS:
- ent->attributes = (krb5_flags) u.av_attrflags;
- break;
-
- case AT_MAX_LIFE:
- ent->max_life = (krb5_deltat) u.av_max_life;
- break;
-
- case AT_MAX_RENEW_LIFE:
- ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life;
- break;
-
- case AT_EXP:
- ent->expiration = (krb5_timestamp) u.av_exp;
- break;
-
- case AT_PW_EXP:
- ent->pw_expiration = (krb5_timestamp) u.av_pw_exp;
- break;
-
- case AT_LAST_SUCCESS:
- if (!slave)
- ent->last_success = (krb5_timestamp) u.av_last_success;
- break;
-
- case AT_LAST_FAILED:
- if (!slave)
- ent->last_failed = (krb5_timestamp) u.av_last_failed;
- break;
-
- case AT_FAIL_AUTH_COUNT:
- if (!slave)
- ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count;
- break;
-
- case AT_PRINC:
- tmpprinc = conv_princ_2db(context, &u.av_princ);
- if (tmpprinc == NULL)
- return ENOMEM;
- if (nprincs)
- krb5_free_principal(context, ent->princ);
- ent->princ = tmpprinc;
- break;
+ memset(ent, 0, sizeof(*ent));
+ ent->n_tl_data = 0;
+ }
- case AT_KEYDATA:
- if (nprincs != 0)
- prev_n_keys = ent->n_key_data;
- else
- prev_n_keys = 0;
- ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len;
- if (nprincs == 0)
- ent->key_data = NULL;
-
- ent->key_data = (krb5_key_data *)realloc(ent->key_data,
- (ent->n_key_data *
- sizeof (krb5_key_data)));
- /* XXX Memory leak: Old key data in
- records eliminated by resizing to
- smaller size. */
- if (ent->key_data == NULL)
- /* XXX Memory leak: old storage. */
- return (ENOMEM);
+ for (i = 0; i < nattrs; i++) {
+ krb5_principal tmpprinc = NULL;
+
+#define u (ULOG_ENTRY(update, i))
+ switch (ULOG_ENTRY_TYPE(update, i).av_type) {
+ case AT_ATTRFLAGS:
+ ent->attributes = (krb5_flags) u.av_attrflags;
+ break;
+
+ case AT_MAX_LIFE:
+ ent->max_life = (krb5_deltat) u.av_max_life;
+ break;
+
+ case AT_MAX_RENEW_LIFE:
+ ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life;
+ break;
+
+ case AT_EXP:
+ ent->expiration = (krb5_timestamp) u.av_exp;
+ break;
+
+ case AT_PW_EXP:
+ ent->pw_expiration = (krb5_timestamp) u.av_pw_exp;
+ break;
+
+ case AT_LAST_SUCCESS:
+ if (!slave)
+ ent->last_success = (krb5_timestamp) u.av_last_success;
+ break;
+
+ case AT_LAST_FAILED:
+ if (!slave)
+ ent->last_failed = (krb5_timestamp) u.av_last_failed;
+ break;
+
+ case AT_FAIL_AUTH_COUNT:
+ if (!slave)
+ ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count;
+ break;
+
+ case AT_PRINC:
+ tmpprinc = conv_princ_2db(context, &u.av_princ);
+ if (tmpprinc == NULL)
+ return ENOMEM;
+ krb5_free_principal(context, ent->princ);
+ ent->princ = tmpprinc;
+ break;
+
+ case AT_KEYDATA:
+ if (!is_add)
+ prev_n_keys = ent->n_key_data;
+ else
+ prev_n_keys = 0;
+ ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len;
+ if (is_add)
+ ent->key_data = NULL;
+
+ ent->key_data = (krb5_key_data *)realloc(ent->key_data,
+ (ent->n_key_data *
+ sizeof (krb5_key_data)));
+ /* XXX Memory leak: Old key data in
+ records eliminated by resizing to
+ smaller size. */
+ if (ent->key_data == NULL)
+ /* XXX Memory leak: old storage. */
+ return (ENOMEM);
/* BEGIN CSTYLED */
- for (j = prev_n_keys; j < ent->n_key_data; j++) {
- for (cnt = 0; cnt < 2; cnt++) {
- ent->key_data[j].key_data_contents[cnt] = NULL;
- }
+ for (j = prev_n_keys; j < ent->n_key_data; j++) {
+ for (cnt = 0; cnt < 2; cnt++) {
+ ent->key_data[j].key_data_contents[cnt] = NULL;
}
- for (j = 0; j < ent->n_key_data; j++) {
- krb5_key_data *kp = &ent->key_data[j];
- kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(upd, i, j);
- kp->key_data_ver = (krb5_int16)kv->k_ver;
- kp->key_data_kvno = (krb5_int16)kv->k_kvno;
- if (kp->key_data_ver > 2) {
- return EINVAL; /* XXX ? */
- }
-
- for (cnt = 0; cnt < kp->key_data_ver; cnt++) {
- void *newptr;
- kp->key_data_type[cnt] = (krb5_int16)kv->k_enctype.k_enctype_val[cnt];
- kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len;
- newptr = realloc(kp->key_data_contents[cnt],
- kp->key_data_length[cnt]);
- if (newptr == NULL)
- return ENOMEM;
- kp->key_data_contents[cnt] = newptr;
-
- (void) memset(kp->key_data_contents[cnt], 0,
- kp->key_data_length[cnt]);
- (void) memcpy(kp->key_data_contents[cnt],
- kv->k_contents.k_contents_val[cnt].utf8str_t_val,
- kp->key_data_length[cnt]);
- }
+ }
+ for (j = 0; j < ent->n_key_data; j++) {
+ krb5_key_data *kp = &ent->key_data[j];
+ kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(update, i, j);
+ kp->key_data_ver = (krb5_int16)kv->k_ver;
+ kp->key_data_kvno = (krb5_int16)kv->k_kvno;
+ if (kp->key_data_ver > 2) {
+ return EINVAL; /* XXX ? */
}
- break;
-
- case AT_TL_DATA: {
- int t;
- cnt = u.av_tldata.av_tldata_len;
- newtl = calloc(cnt, sizeof (krb5_tl_data));
- if (newtl == NULL)
+ for (cnt = 0; cnt < kp->key_data_ver; cnt++) {
+ void *newptr;
+ kp->key_data_type[cnt] = (krb5_int16)kv->k_enctype.k_enctype_val[cnt];
+ kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len;
+ newptr = realloc(kp->key_data_contents[cnt],
+ kp->key_data_length[cnt]);
+ if (newptr == NULL)
+ return ENOMEM;
+ kp->key_data_contents[cnt] = newptr;
+
+ (void) memset(kp->key_data_contents[cnt], 0,
+ kp->key_data_length[cnt]);
+ (void) memcpy(kp->key_data_contents[cnt],
+ kv->k_contents.k_contents_val[cnt].utf8str_t_val,
+ kp->key_data_length[cnt]);
+ }
+ }
+ break;
+
+ case AT_TL_DATA: {
+ int t;
+
+ cnt = u.av_tldata.av_tldata_len;
+ newtl = calloc(cnt, sizeof (krb5_tl_data));
+ if (newtl == NULL)
+ return (ENOMEM);
+
+ for (j = 0, t = 0; j < cnt; j++) {
+ newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type;
+ newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len;
+ newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet));
+ if (newtl[t].tl_data_contents == NULL)
+ /* XXX Memory leak: newtl
+ and previously
+ allocated elements. */
return (ENOMEM);
- for (j = 0, t = 0; j < cnt; j++) {
- newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type;
- newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len;
- newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet));
- if (newtl[t].tl_data_contents == NULL)
- /* XXX Memory leak: newtl
- and previously
- allocated elements. */
- return (ENOMEM);
-
- (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length);
- newtl[t].tl_data_next = NULL;
- if (t > 0)
- newtl[t - 1].tl_data_next = &newtl[t];
- t++;
- }
+ (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length);
+ newtl[t].tl_data_next = NULL;
+ if (t > 0)
+ newtl[t - 1].tl_data_next = &newtl[t];
+ t++;
+ }
- if ((ret = krb5_dbe_update_tl_data(context, ent, newtl)))
- return (ret);
- for (j = 0; j < t; j++)
- if (newtl[j].tl_data_contents) {
- free(newtl[j].tl_data_contents);
- newtl[j].tl_data_contents = NULL;
- }
- if (newtl) {
- free(newtl);
- newtl = NULL;
+ if ((ret = krb5_dbe_update_tl_data(context, ent, newtl)))
+ return (ret);
+ for (j = 0; j < t; j++)
+ if (newtl[j].tl_data_contents) {
+ free(newtl[j].tl_data_contents);
+ newtl[j].tl_data_contents = NULL;
}
- break;
-/* END CSTYLED */
+ if (newtl) {
+ free(newtl);
+ newtl = NULL;
}
- case AT_PW_LAST_CHANGE:
- if ((ret = krb5_dbe_update_last_pwd_change(context, ent,
- u.av_pw_last_change)))
- return (ret);
- break;
-
- case AT_MOD_PRINC:
- tmpprinc = conv_princ_2db(context, &u.av_mod_princ);
- if (tmpprinc == NULL)
- return ENOMEM;
- mod_princ = tmpprinc;
- break;
+ break;
+/* END CSTYLED */
+ }
+ case AT_PW_LAST_CHANGE:
+ if ((ret = krb5_dbe_update_last_pwd_change(context, ent,
+ u.av_pw_last_change)))
+ return (ret);
+ break;
- case AT_MOD_TIME:
- mod_time = u.av_mod_time;
- break;
+ case AT_MOD_PRINC:
+ tmpprinc = conv_princ_2db(context, &u.av_mod_princ);
+ if (tmpprinc == NULL)
+ return ENOMEM;
+ mod_princ = tmpprinc;
+ break;
- case AT_LEN:
- ent->len = (krb5_int16) u.av_len;
- break;
+ case AT_MOD_TIME:
+ mod_time = u.av_mod_time;
+ break;
- default:
- break;
- }
-#undef u
- }
+ case AT_LEN:
+ ent->len = (krb5_int16) u.av_len;
+ break;
- /*
- * process mod_princ_data request
- */
- if (mod_time && mod_princ) {
- ret = krb5_dbe_update_mod_princ_data(context, ent,
- mod_time, mod_princ);
- krb5_free_principal(context, mod_princ);
- mod_princ = NULL;
- if (ret)
- return (ret);
+ default:
+ break;
}
+#undef u
+ }
- next:
- /*
- * Bump up to next struct
- */
- upd++;
- ent++;
+ /*
+ * process mod_princ_data request
+ */
+ if (mod_time && mod_princ) {
+ ret = krb5_dbe_update_mod_princ_data(context, ent,
+ mod_time, mod_princ);
+ krb5_free_principal(context, mod_princ);
+ mod_princ = NULL;
+ if (ret)
+ return (ret);
}
+
+ *entry = ent;
return (0);
}
{
krb5_principal krbtgt_princ;
krb5_keyblock key;
- krb5_db_entry krbtgt_entry;
- krb5_boolean more;
- int max_kvno, one, i, j, k;
+ krb5_db_entry *krbtgt_entry;
+ int max_kvno, i, j, k;
krb5_error_code retval;
krb5_key_data tmp_key_data;
krb5_key_data *tptr;
return retval;
/* Get tgt from database */
- retval = krb5_db_get_principal(context, krbtgt_princ, &krbtgt_entry,
- &one, &more);
+ retval = krb5_db_get_principal(context, krbtgt_princ, 0, &krbtgt_entry);
krb5_free_principal(context, krbtgt_princ); /* don't need it anymore */
if (retval)
return(retval);
- if ((one > 1) || (more)) {
- krb5_db_free_principal(context, &krbtgt_entry, one);
- return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- if (!one)
- return KRB5_KDB_NOENTRY;
/* Get max kvno */
- for (max_kvno = j = 0; j < krbtgt_entry.n_key_data; j++) {
- if (max_kvno < krbtgt_entry.key_data[j].key_data_kvno) {
- max_kvno = krbtgt_entry.key_data[j].key_data_kvno;
+ for (max_kvno = j = 0; j < krbtgt_entry->n_key_data; j++) {
+ if (max_kvno < krbtgt_entry->key_data[j].key_data_kvno) {
+ max_kvno = krbtgt_entry->key_data[j].key_data_kvno;
}
}
}
add_key_rnd_err:
- krb5_db_free_principal(context, &krbtgt_entry, one);
+ krb5_db_free_principal(context, krbtgt_entry);
for( i = 0; i < tmp_key_data.key_data_ver; i++ )
{
krb5_keylist_node **mkeys_list)
{
krb5_error_code retval;
- krb5_db_entry master_entry;
- int nprinc;
- krb5_boolean more, found_key = FALSE;
+ krb5_db_entry *master_entry;
+ krb5_boolean found_key = FALSE;
krb5_keyblock cur_mkey;
krb5_keylist_node *mkey_list_head = NULL, **mkey_list_node;
krb5_key_data *key_data;
return (EINVAL);
memset(&cur_mkey, 0, sizeof(cur_mkey));
- memset(&master_entry, 0, sizeof(master_entry));
- nprinc = 1;
- if ((retval = krb5_db_get_principal(context, mprinc,
- &master_entry, &nprinc, &more)))
+ retval = krb5_db_get_principal(context, mprinc, 0, &master_entry);
+ if (retval == KRB5_KDB_NOENTRY)
+ return (KRB5_KDB_NOMASTERKEY);
+ if (retval)
return (retval);
- if (nprinc != 1) {
- if (nprinc)
- krb5_db_free_principal(context, &master_entry, nprinc);
- return(KRB5_KDB_NOMASTERKEY);
- } else if (more) {
- krb5_db_free_principal(context, &master_entry, nprinc);
- return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- }
-
/*
* Check if the input mkey is the latest key and if it isn't then find the
* latest mkey.
*/
- if (mkey->enctype == master_entry.key_data[0].key_data_type[0]) {
- if (krb5_dbe_decrypt_key_data(context, mkey, &master_entry.key_data[0],
+ if (mkey->enctype == master_entry->key_data[0].key_data_type[0]) {
+ if (krb5_dbe_decrypt_key_data(context, mkey,
+ &master_entry->key_data[0],
&cur_mkey, NULL) == 0) {
found_key = TRUE;
}
}
if (!found_key) {
- if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry,
+ if ((retval = krb5_dbe_lookup_mkey_aux(context, master_entry,
&mkey_aux_data_list)))
goto clean_n_exit;
/* Set mkey_list_head to the current mkey as an optimization. */
/* mkvno may not be latest so ... */
- mkey_list_head->kvno = master_entry.key_data[0].key_data_kvno;
+ mkey_list_head->kvno = master_entry->key_data[0].key_data_kvno;
/* this is the latest clear mkey (avoids a redundant decrypt) */
mkey_list_head->keyblock = cur_mkey;
/* loop through any other master keys creating a list of krb5_keylist_nodes */
mkey_list_node = &mkey_list_head->next;
- for (i = 1; i < master_entry.n_key_data; i++) {
+ for (i = 1; i < master_entry->n_key_data; i++) {
if (*mkey_list_node == NULL) {
/* *mkey_list_node points to next field of previous node */
*mkey_list_node = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node));
}
memset(*mkey_list_node, 0, sizeof(krb5_keylist_node));
}
- key_data = &master_entry.key_data[i];
+ key_data = &master_entry->key_data[i];
retval = krb5_dbe_decrypt_key_data(context, &cur_mkey, key_data,
&((*mkey_list_node)->keyblock),
NULL);
*mkeys_list = mkey_list_head;
clean_n_exit:
- krb5_db_free_principal(context, &master_entry, nprinc);
+ krb5_db_free_principal(context, master_entry);
krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_list);
if (retval != 0)
krb5_dbe_free_key_list(context, mkey_list_head);
goto cleanup;
for (i = 0; i < no_of_updates; i++) {
- int nentry = 1;
-
if (!upd->kdb_commit)
continue;
free(dbprincstr);
- retval = krb5int_delete_principal_no_log(context,
- dbprinc,
- &nentry);
+ retval = krb5int_delete_principal_no_log(context, dbprinc);
if (dbprinc) {
krb5_free_principal(context, dbprinc);
(void) memset(entry, 0, sizeof (krb5_db_entry));
- if ((retval = ulog_conv_2dbentry(context, entry, upd, 1)))
+ if ((retval = ulog_conv_2dbentry(context, &entry, upd)))
goto cleanup;
- retval = krb5int_put_principal_no_log(context, entry,
- &nentry);
+ retval = krb5int_put_principal_no_log(context, entry);
if (entry) {
- krb5_db_free_principal(context, entry, nentry);
- free(entry);
+ krb5_db_free_principal(context, entry);
entry = NULL;
}
if (retval)
krb5_keyblock * master_key;
krb5_error_code kerror = 0;
krb5_key_data * key_data;
- krb5_db_entry db_entry;
- krb5_boolean more = 0;
- int n = 0;
+ krb5_db_entry * db_entry;
int xrealm_tgt;
krb5_boolean similar;
return(kerror);
/* get_principal */
- kerror = krb5_db_get_principal(context, principal, &
- db_entry, &n, &more);
- if (kerror) {
- /* krb5_db_close_database(context); */
+ kerror = krb5_db_get_principal(context, principal, 0, &db_entry);
+ if (kerror == KRB5_KDB_NOENTRY)
+ return(KRB5_KT_NOTFOUND);
+ if (kerror)
return(kerror);
- }
- if (n != 1) {
- /* krb5_db_close_database(context); */
- return KRB5_KT_NOTFOUND;
- }
- if (db_entry.attributes & KRB5_KDB_DISALLOW_SVR
- || db_entry.attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
+ if (db_entry->attributes & KRB5_KDB_DISALLOW_SVR
+ || db_entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
kerror = KRB5_KT_NOTFOUND;
goto error;
}
if (kerror)
goto error;
- kerror = krb5_dbe_find_mkey(context, master_keylist, &db_entry, &master_key);
+ kerror = krb5_dbe_find_mkey(context, master_keylist, db_entry, &master_key);
if (kerror)
goto error;
* for other principals, we only match the first enctype that is
* found. Since the TGS and AS code do the same thing, then we
* will only successfully decrypt tickets we have issued.*/
- kerror = krb5_dbe_find_enctype(context, &db_entry,
+ kerror = krb5_dbe_find_enctype(context, db_entry,
xrealm_tgt?enctype:-1,
-1, kvno, &key_data);
if (kerror == KRB5_KDB_NO_MATCHING_KEY)
/* Close database */
error:
- krb5_db_free_principal(context, &db_entry, 1);
+ krb5_db_free_principal(context, db_entry);
/* krb5_db_close_database(context); */
return(kerror);
}
krb5_db_get_mkey_list
krb5_db_get_context
krb5_db_get_principal
-krb5_db_get_principal_ext
krb5_db_invoke
krb5_db_iterate
krb5_db_lock
*/
krb5_error_code
osa_adb_get_policy(osa_adb_policy_t db, char *name,
- osa_policy_ent_t *entry, int *cnt)
+ osa_policy_ent_t *entry)
{
DBT dbkey;
DBT dbdata;
OPENLOCK(db, KRB5_DB_LOCKMODE_SHARED);
- *cnt = 1;
-
if(name == NULL) {
ret = EINVAL;
goto error;
dbdata.size = 0;
switch((db->db->get(db->db, &dbkey, &dbdata, 0))) {
case 1:
- ret = 0;
- *cnt = 0;
+ ret = KRB5_KDB_NOENTRY;
goto error;
case 0:
break;
WRAP_K (krb5_db2_get_principal,
(krb5_context ctx,
krb5_const_principal p,
- unsigned int flags,
- krb5_db_entry *d,
- int * i,
- krb5_boolean *b),
- (ctx, p, d, i, b));
+ unsigned int f,
+ krb5_db_entry **d),
+ (ctx, p, f, d));
WRAP_VOID (krb5_db2_free_principal,
(krb5_context ctx,
- krb5_db_entry *d,
- int i),
- (ctx, d, i));
+ krb5_db_entry *d),
+ (ctx, d));
WRAP_K (krb5_db2_put_principal,
(krb5_context ctx,
krb5_db_entry *d,
- int *i,
char **db_args),
- (ctx, d, i, db_args));
+ (ctx, d, db_args));
WRAP_K (krb5_db2_delete_principal,
(krb5_context context,
- krb5_const_principal searchfor,
- int *nentries),
- (context, searchfor, nentries));
+ krb5_const_principal searchfor),
+ (context, searchfor));
WRAP_K (krb5_db2_iterate,
(krb5_context ctx, char *s,
WRAP_K (krb5_db2_get_policy,
( krb5_context kcontext,
char *name,
- osa_policy_ent_t *policy,
- int *cnt),
- (kcontext, name, policy, cnt));
+ osa_policy_ent_t *policy),
+ (kcontext, name, policy));
WRAP_K (krb5_db2_put_policy,
( krb5_context kcontext, osa_policy_ent_t policy ),
(kcontext, policy));
return retval1;
}
-/*
- * look up a principal in the data base.
- * returns number of entries found, and whether there were
- * more than requested.
- */
-
krb5_error_code
-krb5_db2_get_principal(krb5_context context,
- krb5_const_principal searchfor,
- krb5_db_entry *entries, /* filled in */
- int *nentries, /* how much room/how many found */
- krb5_boolean *more) /* are there more? */
+krb5_db2_get_principal(krb5_context context, krb5_const_principal searchfor,
+ unsigned int flags, krb5_db_entry **entry)
{
krb5_db2_context *db_ctx;
krb5_error_code retval;
krb5_data keydata, contdata;
int trynum, dbret;
- *more = FALSE;
- *nentries = 0;
-
+ *entry = NULL;
if (!k5db2_inited(context))
return KRB5_KDB_DBNOTINITED;
key.size = keydata.length;
db = db_ctx->db;
- dbret = (*db->get) (db, &key, &contents, 0);
+ dbret = (*db->get)(db, &key, &contents, 0);
retval = errno;
krb5_free_data_contents(context, &keydata);
switch (dbret) {
case 1:
- retval = 0;
+ retval = KRB5_KDB_NOENTRY;
+ /* Fall through. */
case -1:
default:
- *nentries = 0;
goto cleanup;
case 0:
contdata.data = contents.data;
contdata.length = contents.size;
- retval = krb5_decode_princ_contents(context, &contdata, entries);
- if (!retval)
- *nentries = 1;
+ retval = krb5_decode_princ_entry(context, &contdata, entry);
break;
}
return retval;
}
-/*
- Free stuff returned by krb5_db2_get_principal.
-*/
+/* Free an entry returned by krb5_db2_get_principal. */
void
-krb5_db2_free_principal(krb5_context context, krb5_db_entry *entries,
- int nentries)
+krb5_db2_free_principal(krb5_context context, krb5_db_entry *entry)
{
- register int i;
- for (i = 0; i < nentries; i++)
- krb5_dbe_free_contents(context, &entries[i]);
+ krb5_dbe_free(context, entry);
}
-/*
- Stores the *"nentries" entry structures pointed to by "entries" in the
- database.
-
- *"nentries" is updated upon return to reflect the number of records
- acutally stored; the first *"nstored" records will have been stored in the
- database (even if an error occurs).
-
-*/
-
krb5_error_code
-krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries,
- int *nentries, /* number of entry structs to update */
+krb5_db2_put_principal(krb5_context context, krb5_db_entry *entry,
char **db_args)
{
- int i, n, dbret;
+ int dbret;
DB *db;
DBT key, contents;
krb5_data contdata, keydata;
return EINVAL;
}
- n = *nentries;
- *nentries = 0;
if (!k5db2_inited(context))
return KRB5_KDB_DBNOTINITED;
return retval;
}
- /* for each one, stuff temps, and do replace/append */
- for (i = 0; i < n; i++) {
- retval = krb5_encode_princ_contents(context, &contdata, entries);
- if (retval)
- break;
- contents.data = contdata.data;
- contents.size = contdata.length;
- retval = krb5_encode_princ_dbkey(context, &keydata, entries->princ);
- if (retval) {
- krb5_free_data_contents(context, &contdata);
- break;
- }
-
- key.data = keydata.data;
- key.size = keydata.length;
- dbret = (*db->put) (db, &key, &contents, 0);
- retval = dbret ? errno : 0;
- krb5_free_data_contents(context, &keydata);
+ retval = krb5_encode_princ_entry(context, &contdata, entry);
+ if (retval)
+ goto cleanup;
+ contents.data = contdata.data;
+ contents.size = contdata.length;
+ retval = krb5_encode_princ_dbkey(context, &keydata, entry->princ);
+ if (retval) {
krb5_free_data_contents(context, &contdata);
- if (retval)
- break;
- entries++; /* bump to next struct */
+ goto cleanup;
}
+ key.data = keydata.data;
+ key.size = keydata.length;
+ dbret = (*db->put)(db, &key, &contents, 0);
+ retval = dbret ? errno : 0;
+ krb5_free_data_contents(context, &keydata);
+ krb5_free_data_contents(context, &contdata);
+
+cleanup:
(void) krb5_db2_end_update(context);
(void) krb5_db2_unlock(context); /* unlock database */
- *nentries = i;
return (retval);
}
-/*
- * delete a principal from the data base.
- * returns number of entries removed
- */
-
krb5_error_code
-krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor,
- int *nentries) /* how many found & deleted */
+krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor)
{
krb5_error_code retval;
- krb5_db_entry entry;
+ krb5_db_entry *entry;
krb5_db2_context *db_ctx;
DB *db;
DBT key, contents;
switch (dbret) {
case 1:
retval = KRB5_KDB_NOENTRY;
+ /* Fall through. */
case -1:
default:
- *nentries = 0;
goto cleankey;
case 0:
;
}
- memset(&entry, 0, sizeof(entry));
contdata.data = contents.data;
contdata.length = contents.size;
- retval = krb5_decode_princ_contents(context, &contdata, &entry);
+ retval = krb5_decode_princ_entry(context, &contdata, &entry);
if (retval)
goto cleankey;
- *nentries = 1;
/* Clear encrypted key contents */
- for (i = 0; i < entry.n_key_data; i++) {
- if (entry.key_data[i].key_data_length[0]) {
- memset(entry.key_data[i].key_data_contents[0], 0,
- (unsigned) entry.key_data[i].key_data_length[0]);
+ for (i = 0; i < entry->n_key_data; i++) {
+ if (entry->key_data[i].key_data_length[0]) {
+ memset(entry->key_data[i].key_data_contents[0], 0,
+ (unsigned) entry->key_data[i].key_data_length[0]);
}
}
- retval = krb5_encode_princ_contents(context, &contdata, &entry);
- krb5_dbe_free_contents(context, &entry);
+ retval = krb5_encode_princ_entry(context, &contdata, entry);
+ krb5_dbe_free(context, entry);
if (retval)
goto cleankey;
DB *db;
DBT key, contents;
krb5_data contdata;
- krb5_db_entry entries;
+ krb5_db_entry *entry;
krb5_error_code retval;
int dbret;
void *cookie;
contdata.data = contents.data;
contdata.length = contents.size;
- retval = krb5_decode_princ_contents(context, &contdata, &entries);
+ retval = krb5_decode_princ_entry(context, &contdata, &entry);
if (retval)
break;
retval = k5_mutex_unlock(krb5_db2_mutex);
if (retval)
break;
- retval = (*func) (func_arg, &entries);
- krb5_dbe_free_contents(context, &entries);
+ retval = (*func)(func_arg, entry);
+ krb5_dbe_free(context, entry);
retval2 = k5_mutex_lock(krb5_db2_mutex);
/* Note: If re-locking fails, the wrapper in db2_exp.c will
still try to unlock it again. That would be a bug. Fix
krb5_error_code
krb5_db2_get_policy(krb5_context context,
- char *name, osa_policy_ent_t * policy, int *cnt)
+ char *name, osa_policy_ent_t *policy)
{
krb5_db2_context *dbc = context->dal_handle->db_context;
- return osa_adb_get_policy(dbc->policy_db, name, policy, cnt);
+ return osa_adb_get_policy(dbc->policy_db, name, policy);
}
krb5_error_code
struct nra_context *nra = (struct nra_context *)ptr;
kdb5_dal_handle *dal_handle = nra->kcontext->dal_handle;
krb5_error_code retval;
- int n_entries = 0, changed;
- krb5_db_entry s_entry;
- krb5_boolean more;
+ int changed;
+ krb5_db_entry *s_entry;
krb5_db2_context *dst_db;
memset(&s_entry, 0, sizeof(s_entry));
dal_handle->db_context = nra->db_context;
/* look up the new principal in the old DB */
- retval = krb5_db2_get_principal(nra->kcontext, entry->princ, &s_entry,
- &n_entries, &more);
- if (retval != 0 || n_entries == 0) {
+ retval = krb5_db2_get_principal(nra->kcontext, entry->princ, 0, &s_entry);
+ if (retval != 0) {
/* principal may be newly created, so ignore */
dal_handle->db_context = dst_db;
return 0;
}
/* merge non-replicated attributes from the old entry in */
- krb5_db2_merge_principal(nra->kcontext, &s_entry, entry, &changed);
+ krb5_db2_merge_principal(nra->kcontext, s_entry, entry, &changed);
dal_handle->db_context = dst_db;
/* if necessary, commit the modified new entry to the new DB */
if (changed) {
- retval = krb5_db2_put_principal(nra->kcontext, entry, &n_entries,
- NULL);
+ retval = krb5_db2_put_principal(nra->kcontext, entry, NULL);
} else {
retval = 0;
}
krb5_error_code krb5_db2_get_age(krb5_context, char *, time_t *);
krb5_error_code krb5_db2_rename(krb5_context, char *, char *, int );
krb5_error_code krb5_db2_get_principal(krb5_context, krb5_const_principal,
- krb5_db_entry *, int *, krb5_boolean *);
-void krb5_db2_free_principal(krb5_context, krb5_db_entry *, int);
-krb5_error_code krb5_db2_put_principal(krb5_context, krb5_db_entry *, int *,
+ unsigned int, krb5_db_entry **);
+void krb5_db2_free_principal(krb5_context, krb5_db_entry *);
+krb5_error_code krb5_db2_put_principal(krb5_context, krb5_db_entry *,
char **db_args);
krb5_error_code krb5_db2_iterate_ext(krb5_context,
krb5_error_code (*)(krb5_pointer,
krb5_db2_get_mkey_list(krb5_context context, krb5_keylist_node **keylist);
krb5_error_code
-krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries,
- register int *nentries, char **db_args);
-
-krb5_error_code
-krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor,
- int *nentries);
+krb5_db2_delete_principal(krb5_context context,
+ krb5_const_principal searchfor);
krb5_error_code krb5_db2_lib_init(void);
krb5_error_code krb5_db2_lib_cleanup(void);
krb5_db2_create_policy(krb5_context context, osa_policy_ent_t entry);
krb5_error_code krb5_db2_get_policy(krb5_context kcontext,
- char *name, osa_policy_ent_t *policy,
- int *cnt);
+ char *name, osa_policy_ent_t *policy);
krb5_error_code krb5_db2_put_policy(krb5_context kcontext,
osa_policy_ent_t policy);
return(retval);
}
-void
-krb5_free_princ_dbkey(krb5_context context, krb5_data *key)
-{
- (void) krb5_free_data_contents(context, key);
-}
-
krb5_error_code
-krb5_encode_princ_contents(krb5_context context, krb5_data *content,
- krb5_db_entry *entry)
+krb5_encode_princ_entry(krb5_context context, krb5_data *content,
+ krb5_db_entry *entry)
{
int i, j;
unsigned int unparse_princ_size;
return retval;
}
-void
-krb5_free_princ_contents(krb5_context context, krb5_data *contents)
-{
- krb5_free_data_contents(context, contents);
- return;
-}
-
krb5_error_code
-krb5_decode_princ_contents(krb5_context context, krb5_data *content,
- krb5_db_entry *entry)
+krb5_decode_princ_entry(krb5_context context, krb5_data *content,
+ krb5_db_entry **entry_ptr)
{
int sizeleft, i;
unsigned char * nextloc;
krb5_tl_data ** tl_data;
krb5_int16 i16;
-
+ krb5_db_entry * entry;
krb5_error_code retval;
- /* Zero out entry and NULL pointers */
- memset(entry, 0, sizeof(krb5_db_entry));
+ entry = k5alloc(sizeof(*entry), &retval);
+ if (entry == NULL)
+ return retval;
/*
- * undo the effects of encode_princ_contents.
+ * Reverse the encoding of encode_princ_entry.
*
* The first part is decoding the base type. If the base type is
* bigger than the original base type then the additional fields
/* First do the easy stuff */
nextloc = (unsigned char *)content->data;
sizeleft = content->length;
- if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0)
- return KRB5_KDB_TRUNCATED_RECORD;
+ if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0) {
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
+ }
/* Base Length */
krb5_kdb_decode_int16(nextloc, entry->len);
krb5_kdb_decode_int16(nextloc, entry->n_tl_data);
nextloc += 2;
- if (entry->n_tl_data < 0)
- return KRB5_KDB_TRUNCATED_RECORD;
+ if (entry->n_tl_data < 0) {
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
+ }
/* # key_data strutures */
krb5_kdb_decode_int16(nextloc, entry->n_key_data);
nextloc += 2;
- if (entry->n_key_data < 0)
- return KRB5_KDB_TRUNCATED_RECORD;
+ if (entry->n_key_data < 0) {
+ retval = KRB5_KDB_TRUNCATED_RECORD;
+ goto error_out;
+ }
/* Check for extra data */
if (entry->len > KRB5_KDB_V1_BASE_LENGTH) {
entry->e_length = entry->len - KRB5_KDB_V1_BASE_LENGTH;
- if ((entry->e_data = (krb5_octet *)malloc(entry->e_length))) {
- memcpy(entry->e_data, nextloc, entry->e_length);
- nextloc += entry->e_length;
- } else {
- return ENOMEM;
- }
+ entry->e_data = k5alloc(entry->e_length, &retval);
+ if (entry->e_data == NULL)
+ goto error_out;
+ memcpy(entry->e_data, nextloc, entry->e_length);
+ nextloc += entry->e_length;
}
/*
abort();
}
}
+ *entry_ptr = entry;
return 0;
-error_out:;
- krb5_dbe_free_contents(context, entry);
+error_out:
+ krb5_dbe_free(context, entry);
return retval;
}
void
-krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry)
+krb5_dbe_free(krb5_context context, krb5_db_entry *entry)
{
krb5_tl_data * tl_data_next;
krb5_tl_data * tl_data;
int i, j;
- if (entry->e_data)
- free(entry->e_data);
- if (entry->princ)
- krb5_free_principal(context, entry->princ);
+ if (entry == NULL)
+ return;
+ free(entry->e_data);
+ krb5_free_principal(context, entry->princ);
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
tl_data_next = tl_data->tl_data_next;
- if (tl_data->tl_data_contents)
- free(tl_data->tl_data_contents);
+ free(tl_data->tl_data_contents);
free(tl_data);
}
if (entry->key_data) {
for (i = 0; i < entry->n_key_data; i++) {
for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
if (entry->key_data[i].key_data_length[j]) {
- if (entry->key_data[i].key_data_contents[j]) {
- memset(entry->key_data[i].key_data_contents[j],
- 0,
- (unsigned) entry->key_data[i].key_data_length[j]);
- free (entry->key_data[i].key_data_contents[j]);
- }
+ zapfree(entry->key_data[i].key_data_contents[j],
+ entry->key_data[i].key_data_length[j]);
}
entry->key_data[i].key_data_contents[j] = NULL;
entry->key_data[i].key_data_length[j] = 0;
}
free(entry->key_data);
}
- memset(entry, 0, sizeof(*entry));
- return;
+ free(entry);
}
krb5_const_principal principal);
krb5_error_code
-krb5_decode_princ_contents(krb5_context context, krb5_data *content,
- krb5_db_entry *entry);
+krb5_decode_princ_entry(krb5_context context, krb5_data *content,
+ krb5_db_entry **entry);
void
-krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry);
+krb5_dbe_free(krb5_context context, krb5_db_entry *entry);
krb5_error_code
-krb5_encode_princ_contents(krb5_context context, krb5_data *content,
- krb5_db_entry *entry);
-
-void
-krb5_free_princ_dbkey(krb5_context context, krb5_data *key);
-
-void
-krb5_free_princ_contents(krb5_context context, krb5_data *contents);
+krb5_encode_princ_entry(krb5_context context, krb5_data *content,
+ krb5_db_entry *entry);
#endif
if (adb.policy != NULL) {
osa_policy_ent_t policy = NULL;
- int count = 0;
- code = krb5_db2_get_policy(context, adb.policy,
- &policy, &count);
- if (code == 0 && count == 1) {
+ code = krb5_db2_get_policy(context, adb.policy, &policy);
+ if (code == 0) {
*pw_max_fail = policy->pw_max_fail;
*pw_failcnt_interval = policy->pw_failcnt_interval;
*pw_lockout_duration = policy->pw_lockout_duration;
- }
- if (policy != NULL)
krb5_db2_free_policy(context, policy);
+ }
}
xdr_destroy(&xdrs);
krb5_kvno max_fail = 0;
krb5_deltat failcnt_interval = 0;
krb5_deltat lockout_duration = 0;
- int nentries = 1;
krb5_db2_context *db_ctx = context->dal_handle->db_context;
krb5_boolean need_update = FALSE;
}
if (need_update) {
- code = krb5_db2_put_principal(context, entry, &nentries, NULL);
+ code = krb5_db2_put_principal(context, entry, NULL);
if (code != 0)
return code;
}
osa_policy_ent_t entry);
krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db,
char * name);
-krb5_error_code osa_adb_get_policy(osa_adb_policy_t db,
- char * name,
- osa_policy_ent_t *entry,
- int *cnt);
+krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, char *name,
+ osa_policy_ent_t *entry);
krb5_error_code osa_adb_put_policy(osa_adb_policy_t db,
osa_policy_ent_t entry);
krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db,
unsigned char *curr=NULL;
krb5_tl_data *tl_data=NULL;
krb5_db_entry entry;
- int nentry=1;
long mask = 0;
krb5_keyblock key;
int kvno = 0;
break;
} /* end of switch */
- retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL);
+ retval = krb5_ldap_put_principal(context, &entry, NULL);
if (retval) {
com_err(NULL, retval, "while adding entries to database");
goto cleanup;
/* We already know that the policy is inside the realm container. */
if (polname) {
osa_policy_ent_t pwdpol;
- int cnt=0;
krb5_timestamp last_pw_changed;
krb5_ui_4 pw_max_life;
memset(&pwdpol, 0, sizeof(pwdpol));
- if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
+ if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol)) != 0)
goto cleanup;
pw_max_life = pwdpol->pw_max_life;
free (pwdpol);
void
-krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entries,
- int nentries)
+krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entry)
{
- register int i;
- for (i = 0; i < nentries; i++)
- krb5_dbe_free_contents(kcontext, &entries[i]);
- return 0;
+ if (entry == NULL)
+ return;
+ krb5_dbe_free_contents(kcontext, entry);
+ free(entry);
}
krb5_error_code
*/
krb5_error_code
krb5_ldap_delete_principal(krb5_context context,
- krb5_const_principal searchfor, int *nentries)
+ krb5_const_principal searchfor)
{
char *user=NULL, *DN=NULL, *strval[10] = {NULL};
LDAPMod **mods=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
- krb5_db_entry entries;
- krb5_boolean more=0;
+ krb5_db_entry *entry = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
SETUP_CONTEXT();
/* get the principal info */
- if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entries, nentries, &more)) != 0 || *nentries == 0)
+ if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entry)))
goto cleanup;
- if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) ||
- ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) ||
- ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) ||
- ((st=krb5_get_userdn(context, &entries, &(DN))) != 0))
+ if (((st=krb5_get_princ_type(context, entry, &(ptype))) != 0) ||
+ ((st=krb5_get_attributes_mask(context, entry, &(attrsetmask))) != 0) ||
+ ((st=krb5_get_princ_count(context, entry, &(pcount))) != 0) ||
+ ((st=krb5_get_userdn(context, entry, &(DN))) != 0))
goto cleanup;
if (DN == NULL) {
free (secretkey);
}
- if (st == 0)
- krb5_ldap_free_principal(context, &entries, *nentries);
+ krb5_ldap_free_principal(context, entry);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
extern char *policyclass[];
krb5_error_code
-krb5_ldap_put_principal(krb5_context, krb5_db_entry *, int *, char **);
+krb5_ldap_put_principal(krb5_context, krb5_db_entry *, char **);
krb5_error_code
krb5_ldap_get_principal(krb5_context , krb5_const_principal ,
- unsigned int, krb5_db_entry *, int *, krb5_boolean *);
+ unsigned int, krb5_db_entry **);
krb5_error_code
-krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *);
+krb5_ldap_delete_principal(krb5_context, krb5_const_principal);
void
-krb5_ldap_free_principal(krb5_context, krb5_db_entry *, int );
+krb5_ldap_free_principal(krb5_context, krb5_db_entry *);
krb5_error_code
krb5_ldap_iterate(krb5_context, char *,
krb5_error_code
krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
- unsigned int flags, krb5_db_entry *entries,
- int *nentries, krb5_boolean *more)
+ unsigned int flags, krb5_db_entry **entry_ptr)
{
char *user=NULL, *filter=NULL, **subtree=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_principal cprinc=NULL;
+ krb5_boolean found=FALSE;
+ krb5_db_entry *entry = NULL;
+
+ *entry_ptr = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
- /* set initial values */
- *nentries = 0;
- *more = 0;
- memset(entries, 0, sizeof(*entries));
-
if (searchfor == NULL)
return EINVAL;
CHECK_LDAP_HANDLE(ldap_context);
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
- *more = 0;
krb5_set_error_message (context, st, "Principal does not belong to realm");
goto cleanup;
}
goto cleanup;
GET_HANDLE();
- for (tree=0; tree < ntrees && *nentries == 0; ++tree) {
+ for (tree=0; tree < ntrees && !found; ++tree) {
LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
- for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) {
+ for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) {
/* get the associated directory user information */
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
*/
for (i=0; values[i] != NULL; ++i) {
if (strcmp(values[i], user) == 0) {
- *nentries = 1;
+ found = TRUE;
break;
}
}
ldap_value_free(values);
- if (*nentries == 0) /* no matching principal found */
+ if (!found) /* no matching principal found */
continue;
}
if (st != 0)
goto cleanup;
} else /* No canonicalization, so don't return aliases. */
- *nentries = 0;
+ found = FALSE;
}
ldap_value_free(values);
- if (*nentries == 0)
+ if (!found)
continue;
}
+ entry = k5alloc(sizeof(*entry), &st);
+ if (entry == NULL)
+ goto cleanup;
if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
cprinc ? cprinc : searchfor,
- entries)) != 0)
+ entry)) != 0)
goto cleanup;
}
ldap_msgfree(result);
result = NULL;
} /* for (tree=0 ... */
- /* once done, put back the ldap handle */
- krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- ldap_server_handle = NULL;
+ if (found) {
+ *entry_ptr = entry;
+ entry = NULL;
+ } else
+ st = KRB5_KDB_NOENTRY;
cleanup:
ldap_msgfree(result);
-
- if (*nentries == 0 || st != 0)
- krb5_dbe_free_contents(context, entries);
+ krb5_ldap_free_principal(context, entry);
if (filter)
free (filter);
}
krb5_error_code
-krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries,
- int *nentries, char **db_args)
+krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
+ char **db_args)
{
- int i=0, l=0, kerberos_principal_object_type=0;
+ int l=0, kerberos_principal_object_type=0;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
/* get ldap handle */
GET_HANDLE();
- for (i=0; i < *nentries; ++i, ++entries) {
- if (is_principal_in_realm(ldap_context, entries->princ) != 0) {
- st = EINVAL;
- krb5_set_error_message(context, st, "Principal does not belong to the default realm");
+ if (is_principal_in_realm(ldap_context, entry->princ) != 0) {
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Principal does not belong to the default realm");
+ goto cleanup;
+ }
+
+ /* get the principal information to act on */
+ if (entry->princ) {
+ if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) ||
+ ((st=krb5_ldap_unparse_principal_name(user)) != 0))
goto cleanup;
- }
+ }
- /* get the principal information to act on */
- if (entries->princ) {
- if (((st=krb5_unparse_name(context, entries->princ, &user)) != 0) ||
- ((st=krb5_ldap_unparse_principal_name(user)) != 0))
- goto cleanup;
- }
+ /* Identity the type of operation, it can be
+ * add principal or modify principal.
+ * hack if the entry->mask has KRB_PRINCIPAL flag set
+ * then it is a add operation
+ */
+ if (entry->mask & KADM5_PRINCIPAL)
+ optype = ADD_PRINCIPAL;
+ else
+ optype = MODIFY_PRINCIPAL;
- /* Identity the type of operation, it can be
- * add principal or modify principal.
- * hack if the entries->mask has KRB_PRINCIPAL flag set
- * then it is a add operation
- */
- if (entries->mask & KADM5_PRINCIPAL)
- optype = ADD_PRINCIPAL;
- else
- optype = MODIFY_PRINCIPAL;
+ if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) ||
+ ((st=krb5_get_userdn(context, entry, &principal_dn)) != 0))
+ goto cleanup;
- if (((st=krb5_get_princ_type(context, entries, &kerberos_principal_object_type)) != 0) ||
- ((st=krb5_get_userdn(context, entries, &principal_dn)) != 0))
- goto cleanup;
+ if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
+ goto cleanup;
+
+ if (entry->mask & KADM5_LOAD) {
+ int tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
+ char **subtreelist = NULL, *filter = NULL;
- if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
+ /* A load operation is special, will do a mix-in (add krbprinc
+ * attrs to a non-krb object entry) if an object exists with a
+ * matching krbprincipalname attribute so try to find existing
+ * object and set principal_dn. This assumes that the
+ * krbprincipalname attribute is unique (only one object entry has
+ * a particular krbprincipalname attribute).
+ */
+ if (user == NULL) {
+ /* must have principal name for search */
+ st = EINVAL;
+ krb5_set_error_message(context, st, "operation can not continue, principal name not found");
goto cleanup;
+ }
+ princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
+ if ((filter = malloc(princlen)) == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ snprintf(filter, princlen, FILTER"%s))", user);
- if (entries->mask & KADM5_LOAD) {
- int tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
- char **subtreelist = NULL, *filter = NULL;
+ /* get the current subtree list */
+ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
+ goto cleanup;
- /* A load operation is special, will do a mix-in (add krbprinc
- * attrs to a non-krb object entry) if an object exists with a
- * matching krbprincipalname attribute so try to find existing
- * object and set principal_dn. This assumes that the
- * krbprincipalname attribute is unique (only one object entry has
- * a particular krbprincipalname attribute).
- */
- if (user == NULL) {
- /* must have principal name for search */
- st = EINVAL;
- krb5_set_error_message(context, st, "operation can not continue, principal name not found");
- goto cleanup;
- }
- princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
- if ((filter = malloc(princlen)) == NULL) {
- st = ENOMEM;
- goto cleanup;
+ found_entry = FALSE;
+ /* search for entry with matching krbprincipalname attribute */
+ for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
+ result = NULL;
+ if (principal_dn == NULL) {
+ LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
+ } else {
+ /* just look for entry with principal_dn */
+ LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
}
- snprintf(filter, princlen, FILTER"%s))", user);
-
- /* get the current subtree list */
- if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
- goto cleanup;
-
- found_entry = FALSE;
- /* search for entry with matching krbprincipalname attribute */
- for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
- result = NULL;
- if (principal_dn == NULL) {
- LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
- } else {
- /* just look for entry with principal_dn */
- LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
- }
- if (st == LDAP_SUCCESS) {
- numlentries = ldap_count_entries(ld, result);
- if (numlentries > 1) {
- ldap_msgfree(result);
- free(filter);
- st = EINVAL;
- krb5_set_error_message(context, st,
- "operation can not continue, more than one entry with principal name \"%s\" found",
- user);
- goto cleanup;
- } else if (numlentries == 1) {
- found_entry = TRUE;
- if (principal_dn == NULL) {
- ent = ldap_first_entry(ld, result);
- if (ent != NULL) {
- /* setting principal_dn will cause that entry to be modified further down */
- if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
- ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
- st = set_ldap_error (context, st, 0);
- ldap_msgfree(result);
- free(filter);
- goto cleanup;
- }
+ if (st == LDAP_SUCCESS) {
+ numlentries = ldap_count_entries(ld, result);
+ if (numlentries > 1) {
+ ldap_msgfree(result);
+ free(filter);
+ st = EINVAL;
+ krb5_set_error_message(context, st,
+ "operation can not continue, more than one entry with principal name \"%s\" found",
+ user);
+ goto cleanup;
+ } else if (numlentries == 1) {
+ found_entry = TRUE;
+ if (principal_dn == NULL) {
+ ent = ldap_first_entry(ld, result);
+ if (ent != NULL) {
+ /* setting principal_dn will cause that entry to be modified further down */
+ if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
+ ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
+ st = set_ldap_error (context, st, 0);
+ ldap_msgfree(result);
+ free(filter);
+ goto cleanup;
}
}
}
- if (result)
- ldap_msgfree(result);
- } else if (st != LDAP_NO_SUCH_OBJECT) {
- /* could not perform search, return with failure */
- st = set_ldap_error (context, st, 0);
- free(filter);
- goto cleanup;
}
- /*
- * If it isn't found then assume a standalone princ entry is to
- * be created.
- */
- } /* end for (tree = 0; principal_dn == ... */
+ if (result)
+ ldap_msgfree(result);
+ } else if (st != LDAP_NO_SUCH_OBJECT) {
+ /* could not perform search, return with failure */
+ st = set_ldap_error (context, st, 0);
+ free(filter);
+ goto cleanup;
+ }
+ /*
+ * If it isn't found then assume a standalone princ entry is to
+ * be created.
+ */
+ } /* end for (tree = 0; principal_dn == ... */
- free(filter);
+ free(filter);
- if (found_entry == FALSE && principal_dn != NULL) {
- /*
- * if principal_dn is null then there is code further down to
- * deal with setting standalone_principal_dn. Also note that
- * this will set create_standalone_prinicipal true for
- * non-mix-in entries which is okay if loading from a dump.
- */
- create_standalone_prinicipal = TRUE;
- standalone_principal_dn = strdup(principal_dn);
- CHECK_NULL(standalone_principal_dn);
- }
- } /* end if (entries->mask & KADM5_LOAD */
+ if (found_entry == FALSE && principal_dn != NULL) {
+ /*
+ * if principal_dn is null then there is code further down to
+ * deal with setting standalone_principal_dn. Also note that
+ * this will set create_standalone_prinicipal true for
+ * non-mix-in entries which is okay if loading from a dump.
+ */
+ create_standalone_prinicipal = TRUE;
+ standalone_principal_dn = strdup(principal_dn);
+ CHECK_NULL(standalone_principal_dn);
+ }
+ } /* end if (entry->mask & KADM5_LOAD */
- /* time to generate the DN information with the help of
- * containerdn, principalcontainerreference or
- * realmcontainerdn information
- */
- if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
- /* get the subtree information */
- if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") &&
- strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) {
- /* if the principal is a inter-realm principal, always created in the realm container */
- subtree = strdup(ldap_context->lrparams->realmdn);
- } else if (xargs.containerdn) {
- if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
- if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
- int ost = st;
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "'%s' not found: ",
- xargs.containerdn);
- prepend_err_str(context, errbuf, st, ost);
- }
- goto cleanup;
+ /* time to generate the DN information with the help of
+ * containerdn, principalcontainerreference or
+ * realmcontainerdn information
+ */
+ if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
+ /* get the subtree information */
+ if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") &&
+ strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) {
+ /* if the principal is a inter-realm principal, always created in the realm container */
+ subtree = strdup(ldap_context->lrparams->realmdn);
+ } else if (xargs.containerdn) {
+ if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
+ if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
+ int ost = st;
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf), "'%s' not found: ",
+ xargs.containerdn);
+ prepend_err_str(context, errbuf, st, ost);
}
- subtree = strdup(xargs.containerdn);
- } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
- /*
- * Here the subtree should be changed with
- * principalcontainerreference attribute value
- */
- subtree = strdup(ldap_context->lrparams->containerref);
- } else {
- subtree = strdup(ldap_context->lrparams->realmdn);
+ goto cleanup;
}
- CHECK_NULL(subtree);
-
- if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
- user, subtree) < 0)
- standalone_principal_dn = NULL;
- CHECK_NULL(standalone_principal_dn);
+ subtree = strdup(xargs.containerdn);
+ } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
/*
- * free subtree when you are done using the subtree
- * set the boolean create_standalone_prinicipal to TRUE
+ * Here the subtree should be changed with
+ * principalcontainerreference attribute value
*/
- create_standalone_prinicipal = TRUE;
- free(subtree);
- subtree = NULL;
+ subtree = strdup(ldap_context->lrparams->containerref);
+ } else {
+ subtree = strdup(ldap_context->lrparams->realmdn);
}
+ CHECK_NULL(subtree);
+ if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
+ user, subtree) < 0)
+ standalone_principal_dn = NULL;
+ CHECK_NULL(standalone_principal_dn);
/*
- * If the DN information is presented by the user, time to
- * validate the input to ensure that the DN falls under
- * any of the subtrees
+ * free subtree when you are done using the subtree
+ * set the boolean create_standalone_prinicipal to TRUE
*/
- if (xargs.dn_from_kbd == TRUE) {
- /* make sure the DN falls in the subtree */
- int tre=0, dnlen=0, subtreelen=0, ntrees=0;
- char **subtreelist=NULL;
- char *dn=NULL;
- krb5_boolean outofsubtree=TRUE;
-
- if (xargs.dn != NULL) {
- dn = xargs.dn;
- } else if (xargs.linkdn != NULL) {
- dn = xargs.linkdn;
- } else if (standalone_principal_dn != NULL) {
- /*
- * Even though the standalone_principal_dn is constructed
- * within this function, there is the containerdn input
- * from the user that can become part of the it.
- */
- dn = standalone_principal_dn;
- }
+ create_standalone_prinicipal = TRUE;
+ free(subtree);
+ subtree = NULL;
+ }
- /* get the current subtree list */
- if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
- goto cleanup;
+ /*
+ * If the DN information is presented by the user, time to
+ * validate the input to ensure that the DN falls under
+ * any of the subtrees
+ */
+ if (xargs.dn_from_kbd == TRUE) {
+ /* make sure the DN falls in the subtree */
+ int tre=0, dnlen=0, subtreelen=0, ntrees=0;
+ char **subtreelist=NULL;
+ char *dn=NULL;
+ krb5_boolean outofsubtree=TRUE;
+
+ if (xargs.dn != NULL) {
+ dn = xargs.dn;
+ } else if (xargs.linkdn != NULL) {
+ dn = xargs.linkdn;
+ } else if (standalone_principal_dn != NULL) {
+ /*
+ * Even though the standalone_principal_dn is constructed
+ * within this function, there is the containerdn input
+ * from the user that can become part of the it.
+ */
+ dn = standalone_principal_dn;
+ }
- for (tre=0; tre<ntrees; ++tre) {
- if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
+ /* get the current subtree list */
+ if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
+ goto cleanup;
+
+ for (tre=0; tre<ntrees; ++tre) {
+ if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
+ outofsubtree = FALSE;
+ break;
+ } else {
+ dnlen = strlen (dn);
+ subtreelen = strlen(subtreelist[tre]);
+ if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
outofsubtree = FALSE;
break;
- } else {
- dnlen = strlen (dn);
- subtreelen = strlen(subtreelist[tre]);
- if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
- outofsubtree = FALSE;
- break;
- }
}
}
+ }
- for (tre=0; tre < ntrees; ++tre) {
- free(subtreelist[tre]);
- }
+ for (tre=0; tre < ntrees; ++tre) {
+ free(subtreelist[tre]);
+ }
- if (outofsubtree == TRUE) {
- st = EINVAL;
- krb5_set_error_message(context, st, "DN is out of the realm subtree");
- goto cleanup;
- }
+ if (outofsubtree == TRUE) {
+ st = EINVAL;
+ krb5_set_error_message(context, st, "DN is out of the realm subtree");
+ goto cleanup;
+ }
+
+ /*
+ * dn value will be set either by dn, linkdn or the standalone_principal_dn
+ * In the first 2 cases, the dn should be existing and in the last case we
+ * are supposed to create the ldap object. so the below should not be
+ * executed for the last case.
+ */
+ if (standalone_principal_dn == NULL) {
/*
- * dn value will be set either by dn, linkdn or the standalone_principal_dn
- * In the first 2 cases, the dn should be existing and in the last case we
- * are supposed to create the ldap object. so the below should not be
- * executed for the last case.
+ * If the ldap object is missing, this results in an error.
*/
- if (standalone_principal_dn == NULL) {
- /*
- * If the ldap object is missing, this results in an error.
- */
-
- /*
- * Search for krbprincipalname attribute here.
- * This is to find if a kerberos identity is already present
- * on the ldap object, in which case adding a kerberos identity
- * on the ldap object should result in an error.
- */
- char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
-
- LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
- if (st == LDAP_SUCCESS) {
- ent = ldap_first_entry(ld, result);
- if (ent != NULL) {
- if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
- ldap_value_free(values);
- }
+ /*
+ * Search for krbprincipalname attribute here.
+ * This is to find if a kerberos identity is already present
+ * on the ldap object, in which case adding a kerberos identity
+ * on the ldap object should result in an error.
+ */
+ char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL};
+
+ LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
+ if (st == LDAP_SUCCESS) {
+ ent = ldap_first_entry(ld, result);
+ if (ent != NULL) {
+ if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
+ ldap_value_free(values);
+ }
- if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
- krb_identity_exists = TRUE;
- ldap_value_free(values);
- }
+ if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
+ krb_identity_exists = TRUE;
+ ldap_value_free(values);
}
- ldap_msgfree(result);
- } else {
- st = set_ldap_error(context, st, OP_SEARCH);
- goto cleanup;
}
+ ldap_msgfree(result);
+ } else {
+ st = set_ldap_error(context, st, OP_SEARCH);
+ goto cleanup;
}
}
+ }
+ /*
+ * If xargs.dn is set then the request is to add a
+ * kerberos principal on a ldap object, but if
+ * there is one already on the ldap object this
+ * should result in an error.
+ */
+
+ if (xargs.dn != NULL && krb_identity_exists == TRUE) {
+ st = EINVAL;
+ snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized");
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+
+ if (xargs.linkdn != NULL) {
/*
- * If xargs.dn is set then the request is to add a
- * kerberos principal on a ldap object, but if
- * there is one already on the ldap object this
- * should result in an error.
+ * link information can be changed using modprinc.
+ * However, link information can be changed only on the
+ * standalone kerberos principal objects. A standalone
+ * kerberos principal object is of type krbprincipal
+ * structural objectclass.
+ *
+ * NOTE: kerberos principals on an ldap object can't be
+ * linked to other ldap objects.
*/
-
- if (xargs.dn != NULL && krb_identity_exists == TRUE) {
+ if (optype == MODIFY_PRINCIPAL &&
+ kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
st = EINVAL;
- snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized");
+ snprintf(errbuf, sizeof(errbuf),
+ "link information can not be set/updated as the kerberos principal belongs to an ldap object");
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
+ /*
+ * Check the link information. If there is already a link
+ * existing then this operation is not allowed.
+ */
+ {
+ char **linkdns=NULL;
+ int j=0;
- if (xargs.linkdn != NULL) {
- /*
- * link information can be changed using modprinc.
- * However, link information can be changed only on the
- * standalone kerberos principal objects. A standalone
- * kerberos principal object is of type krbprincipal
- * structural objectclass.
- *
- * NOTE: kerberos principals on an ldap object can't be
- * linked to other ldap objects.
- */
- if (optype == MODIFY_PRINCIPAL &&
- kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
+ if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) {
+ snprintf(errbuf, sizeof(errbuf),
+ "Failed getting object references");
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ if (linkdns != NULL) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
- "link information can not be set/updated as the kerberos principal belongs to an ldap object");
+ "kerberos principal is already linked "
+ "to a ldap object");
krb5_set_error_message(context, st, "%s", errbuf);
+ for (j=0; linkdns[j] != NULL; ++j)
+ free (linkdns[j]);
+ free (linkdns);
goto cleanup;
}
- /*
- * Check the link information. If there is already a link
- * existing then this operation is not allowed.
- */
- {
- char **linkdns=NULL;
- int j=0;
+ }
- if ((st=krb5_get_linkdn(context, entries, &linkdns)) != 0) {
- snprintf(errbuf, sizeof(errbuf),
- "Failed getting object references");
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- }
- if (linkdns != NULL) {
- st = EINVAL;
- snprintf(errbuf, sizeof(errbuf),
- "kerberos principal is already linked "
- "to a ldap object");
- krb5_set_error_message(context, st, "%s", errbuf);
- for (j=0; linkdns[j] != NULL; ++j)
- free (linkdns[j]);
- free (linkdns);
- goto cleanup;
- }
- }
+ establish_links = TRUE;
+ }
- establish_links = TRUE;
+ if (entry->mask & KADM5_LAST_SUCCESS) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entry->last_success)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
+ free (strval[0]);
+ goto cleanup;
}
+ free (strval[0]);
+ }
- if (entries->mask & KADM5_LAST_SUCCESS) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->last_success)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
+ if (entry->mask & KADM5_LAST_FAILED) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entry->last_failed)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
+ goto cleanup;
}
+ free(strval[0]);
+ }
- if (entries->mask & KADM5_LAST_FAILED) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->last_failed)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
- free(strval[0]);
- }
+ if (entry->mask & KADM5_FAIL_AUTH_COUNT) {
+ krb5_kvno fail_auth_count;
- if (entries->mask & KADM5_FAIL_AUTH_COUNT) {
- krb5_kvno fail_auth_count;
+ fail_auth_count = entry->fail_auth_count;
+ if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
+ fail_auth_count++;
- fail_auth_count = entries->fail_auth_count;
- if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
- fail_auth_count++;
+ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+ LDAP_MOD_REPLACE,
+ fail_auth_count);
+ if (st != 0)
+ goto cleanup;
+ } else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
+ int attr_mask = 0;
+ krb5_boolean has_fail_count;
+
+ /* Check if the krbLoginFailedCount attribute exists. (Through
+ * krb5 1.8.1, it wasn't set in new entries.) */
+ st = krb5_get_attributes_mask(context, entry, &attr_mask);
+ if (st != 0)
+ goto cleanup;
+ has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0);
+ /*
+ * If the client library and server supports RFC 4525,
+ * then use it to increment by one the value of the
+ * krbLoginFailedCount attribute. Otherwise, assert the
+ * (provided) old value by deleting it before adding.
+ */
+#ifdef LDAP_MOD_INCREMENT
+ if (ldap_server_handle->server_info->modify_increment &&
+ has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_REPLACE,
- fail_auth_count);
+ LDAP_MOD_INCREMENT, 1);
if (st != 0)
goto cleanup;
- } else if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
- int attr_mask = 0;
- krb5_boolean has_fail_count;
-
- /* Check if the krbLoginFailedCount attribute exists. (Through
- * krb5 1.8.1, it wasn't set in new entries.) */
- st = krb5_get_attributes_mask(context, entries, &attr_mask);
- if (st != 0)
- goto cleanup;
- has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0);
-
- /*
- * If the client library and server supports RFC 4525,
- * then use it to increment by one the value of the
- * krbLoginFailedCount attribute. Otherwise, assert the
- * (provided) old value by deleting it before adding.
- */
-#ifdef LDAP_MOD_INCREMENT
- if (ldap_server_handle->server_info->modify_increment &&
- has_fail_count) {
- st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_INCREMENT, 1);
- if (st != 0)
- goto cleanup;
- } else {
+ } else {
#endif /* LDAP_MOD_INCREMENT */
- if (has_fail_count) {
- st = krb5_add_int_mem_ldap_mod(&mods,
- "krbLoginFailedCount",
- LDAP_MOD_DELETE,
- entries->fail_auth_count);
- if (st != 0)
- goto cleanup;
- }
- st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_ADD,
- entries->fail_auth_count + 1);
+ if (has_fail_count) {
+ st = krb5_add_int_mem_ldap_mod(&mods,
+ "krbLoginFailedCount",
+ LDAP_MOD_DELETE,
+ entry->fail_auth_count);
if (st != 0)
goto cleanup;
-#ifdef LDAP_MOD_INCREMENT
}
-#endif
- } else if (optype == ADD_PRINCIPAL) {
- /* Initialize krbLoginFailedCount in new entries to help avoid a
- * race during the first failed login. */
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
- LDAP_MOD_ADD, 0);
- }
-
- if (entries->mask & KADM5_MAX_LIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0)
+ LDAP_MOD_ADD,
+ entry->fail_auth_count + 1);
+ if (st != 0)
goto cleanup;
+#ifdef LDAP_MOD_INCREMENT
}
+#endif
+ } else if (optype == ADD_PRINCIPAL) {
+ /* Initialize krbLoginFailedCount in new entries to help avoid a
+ * race during the first failed login. */
+ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
+ LDAP_MOD_ADD, 0);
+ }
- if (entries->mask & KADM5_MAX_RLIFE) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
- entries->max_renewable_life)) != 0)
- goto cleanup;
- }
+ if (entry->mask & KADM5_MAX_LIFE) {
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0)
+ goto cleanup;
+ }
- if (entries->mask & KADM5_ATTRIBUTES) {
- if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
- entries->attributes)) != 0)
- goto cleanup;
- }
+ if (entry->mask & KADM5_MAX_RLIFE) {
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
+ entry->max_renewable_life)) != 0)
+ goto cleanup;
+ }
- if (entries->mask & KADM5_PRINCIPAL) {
- memset(strval, 0, sizeof(strval));
- strval[0] = user;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
- }
+ if (entry->mask & KADM5_ATTRIBUTES) {
+ if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
+ entry->attributes)) != 0)
+ goto cleanup;
+ }
- if (entries->mask & KADM5_PRINC_EXPIRE_TIME) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->expiration)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
+ if (entry->mask & KADM5_PRINCIPAL) {
+ memset(strval, 0, sizeof(strval));
+ strval[0] = user;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
+ goto cleanup;
+ }
+
+ if (entry->mask & KADM5_PRINC_EXPIRE_TIME) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entry->expiration)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
+ goto cleanup;
}
+ free (strval[0]);
+ }
- if (entries->mask & KADM5_PW_EXPIRATION) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
- LDAP_MOD_REPLACE,
- strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
+ if (entry->mask & KADM5_PW_EXPIRATION) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
+ LDAP_MOD_REPLACE,
+ strval)) != 0) {
free (strval[0]);
+ goto cleanup;
}
+ free (strval[0]);
+ }
- if (entries->mask & KADM5_POLICY) {
- memset(&princ_ent, 0, sizeof(princ_ent));
- for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
- if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
- /* FIX ME: I guess the princ_ent should be freed after this call */
- if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
- goto cleanup;
- }
+ if (entry->mask & KADM5_POLICY) {
+ memset(&princ_ent, 0, sizeof(princ_ent));
+ for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
+ if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
+ /* FIX ME: I guess the princ_ent should be freed after this call */
+ if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
+ goto cleanup;
}
}
+ }
- if (princ_ent.aux_attributes & KADM5_POLICY) {
- memset(strval, 0, sizeof(strval));
- if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
- goto cleanup;
- strval[0] = polname;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
- } else {
- st = EINVAL;
- krb5_set_error_message(context, st, "Password policy value null");
+ if (princ_ent.aux_attributes & KADM5_POLICY) {
+ memset(strval, 0, sizeof(strval));
+ if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
goto cleanup;
- }
- } else if (entries->mask & KADM5_LOAD && found_entry == TRUE) {
- /*
- * a load is special in that existing entries must have attrs that
- * removed.
- */
-
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
+ strval[0] = polname;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
+ } else {
+ st = EINVAL;
+ krb5_set_error_message(context, st, "Password policy value null");
+ goto cleanup;
}
+ } else if (entry->mask & KADM5_LOAD && found_entry == TRUE) {
+ /*
+ * a load is special in that existing entries must have attrs that
+ * removed.
+ */
- if (entries->mask & KADM5_POLICY_CLR) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
- goto cleanup;
- }
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
+ goto cleanup;
+ }
- if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) {
- krb5_kvno mkvno;
+ if (entry->mask & KADM5_POLICY_CLR) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
+ goto cleanup;
+ }
- if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0)
- goto cleanup;
- bersecretkey = krb5_encode_krbsecretkey (entries->key_data,
- entries->n_key_data, mkvno);
+ if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) {
+ krb5_kvno mkvno;
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
- goto cleanup;
+ if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0)
+ goto cleanup;
+ bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
+ entry->n_key_data, mkvno);
- if (!(entries->mask & KADM5_PRINCIPAL)) {
- memset(strval, 0, sizeof(strval));
- if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL)
- goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods,
- "krbpasswordexpiration",
- LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
+ if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
+ goto cleanup;
+
+ if (!(entry->mask & KADM5_PRINCIPAL)) {
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
+ goto cleanup;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods,
+ "krbpasswordexpiration",
+ LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
+ goto cleanup;
}
+ free (strval[0]);
+ }
- /* Update last password change whenever a new key is set */
- {
- krb5_timestamp last_pw_changed;
- if ((st=krb5_dbe_lookup_last_pwd_change(context, entries,
- &last_pw_changed)) != 0)
- goto cleanup;
+ /* Update last password change whenever a new key is set */
+ {
+ krb5_timestamp last_pw_changed;
+ if ((st=krb5_dbe_lookup_last_pwd_change(context, entry,
+ &last_pw_changed)) != 0)
+ goto cleanup;
- memset(strval, 0, sizeof(strval));
- if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
- goto cleanup;
+ memset(strval, 0, sizeof(strval));
+ if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
+ goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
- LDAP_MOD_REPLACE, strval)) != 0) {
- free (strval[0]);
- goto cleanup;
- }
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
+ LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
+ goto cleanup;
}
+ free (strval[0]);
+ }
- } /* Modify Key data ends here */
+ } /* Modify Key data ends here */
- /* Set tl_data */
- if (entries->tl_data != NULL) {
- int count = 0;
- struct berval **ber_tl_data = NULL;
- krb5_tl_data *ptr;
- for (ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
+ /* Set tl_data */
+ if (entry->tl_data != NULL) {
+ int count = 0;
+ struct berval **ber_tl_data = NULL;
+ krb5_tl_data *ptr;
+ for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
+ if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
+#ifdef SECURID
+ || ptr->tl_data_type == KRB5_TL_DB_ARGS
+#endif
+ || ptr->tl_data_type == KRB5_TL_KADM_DATA
+ || ptr->tl_data_type == KDB_TL_USER_INFO
+ || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
+ continue;
+ count++;
+ }
+ if (count != 0) {
+ int j;
+ ber_tl_data = (struct berval **) calloc (count + 1,
+ sizeof (struct berval*));
+ if (ber_tl_data == NULL) {
+ st = ENOMEM;
+ goto cleanup;
+ }
+ for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
+ /* Ignore tl_data that are stored in separate directory
+ * attributes */
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
continue;
- count++;
+ if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
+ break;
+ j++;
}
- if (count != 0) {
- int j;
- ber_tl_data = (struct berval **) calloc (count + 1,
- sizeof (struct berval*));
- if (ber_tl_data == NULL) {
- st = ENOMEM;
- goto cleanup;
- }
- for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
- /* Ignore tl_data that are stored in separate directory
- * attributes */
- if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
-#ifdef SECURID
- || ptr->tl_data_type == KRB5_TL_DB_ARGS
-#endif
- || ptr->tl_data_type == KRB5_TL_KADM_DATA
- || ptr->tl_data_type == KDB_TL_USER_INFO
- || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
- continue;
- if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
- break;
- j++;
- }
- if (st != 0) {
- for (j = 0; ber_tl_data[j] != NULL; j++) {
- free (ber_tl_data[j]->bv_val);
- free (ber_tl_data[j]);
- }
- free (ber_tl_data);
- goto cleanup;
+ if (st != 0) {
+ for (j = 0; ber_tl_data[j] != NULL; j++) {
+ free (ber_tl_data[j]->bv_val);
+ free (ber_tl_data[j]);
}
- ber_tl_data[count] = NULL;
- if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
- LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
- ber_tl_data)) != 0)
- goto cleanup;
+ free (ber_tl_data);
+ goto cleanup;
}
+ ber_tl_data[count] = NULL;
+ if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
+ LDAP_MOD_REPLACE | LDAP_MOD_BVALUES,
+ ber_tl_data)) != 0)
+ goto cleanup;
}
+ }
- /* Directory specific attribute */
- if (xargs.tktpolicydn != NULL) {
- int tmask=0;
-
- if (strlen(xargs.tktpolicydn) != 0) {
- st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
- CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
-
- strval[0] = xargs.tktpolicydn;
- strval[1] = NULL;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
- goto cleanup;
+ /* Directory specific attribute */
+ if (xargs.tktpolicydn != NULL) {
+ int tmask=0;
- } else {
- /* if xargs.tktpolicydn is a empty string, then delete
- * already existing krbticketpolicyreference attr */
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
- goto cleanup;
- }
+ if (strlen(xargs.tktpolicydn) != 0) {
+ st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
+ CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: ");
- }
+ strval[0] = xargs.tktpolicydn;
+ strval[1] = NULL;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
+ goto cleanup;
- if (establish_links == TRUE) {
- memset(strval, 0, sizeof(strval));
- strval[0] = xargs.linkdn;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
+ } else {
+ /* if xargs.tktpolicydn is a empty string, then delete
+ * already existing krbticketpolicyreference attr */
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
- /*
- * in case mods is NULL then return
- * not sure but can happen in a modprinc
- * so no need to return an error
- * addprinc will at least have the principal name
- * and the keys passed in
- */
- if (mods == NULL)
+ }
+
+ if (establish_links == TRUE) {
+ memset(strval, 0, sizeof(strval));
+ strval[0] = xargs.linkdn;
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
+ }
- if (create_standalone_prinicipal == TRUE) {
- memset(strval, 0, sizeof(strval));
- strval[0] = "krbprincipal";
- strval[1] = "krbprincipalaux";
- strval[2] = "krbTicketPolicyAux";
+ /*
+ * in case mods is NULL then return
+ * not sure but can happen in a modprinc
+ * so no need to return an error
+ * addprinc will at least have the principal name
+ * and the keys passed in
+ */
+ if (mods == NULL)
+ goto cleanup;
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
+ if (create_standalone_prinicipal == TRUE) {
+ memset(strval, 0, sizeof(strval));
+ strval[0] = "krbprincipal";
+ strval[1] = "krbprincipalaux";
+ strval[2] = "krbTicketPolicyAux";
- st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
- if (st == LDAP_ALREADY_EXISTS && entries->mask & KADM5_LOAD) {
- /* a load operation must replace an existing entry */
- st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
- if (st != LDAP_SUCCESS) {
- snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s",
- ldap_err2string(st));
- st = translate_ldap_error (st, OP_ADD);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
- } else {
- st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
- }
- }
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
+ goto cleanup;
+
+ st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
+ if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) {
+ /* a load operation must replace an existing entry */
+ st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
if (st != LDAP_SUCCESS) {
- snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st));
+ snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s",
+ ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
+ } else {
+ st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
}
- } else {
- /*
- * Here existing ldap object is modified and can be related
- * to any attribute, so always ensure that the ldap
- * object is extended with all the kerberos related
- * objectclasses so that there are no constraint
- * violations.
- */
- {
- char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
- int p, q, r=0, amask=0;
+ }
+ if (st != LDAP_SUCCESS) {
+ snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st));
+ st = translate_ldap_error (st, OP_ADD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
+ }
+ } else {
+ /*
+ * Here existing ldap object is modified and can be related
+ * to any attribute, so always ensure that the ldap
+ * object is extended with all the kerberos related
+ * objectclasses so that there are no constraint
+ * violations.
+ */
+ {
+ char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
+ int p, q, r=0, amask=0;
- if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
- "objectclass", attrvalues, &amask)) != 0)
- goto cleanup;
+ if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
+ "objectclass", attrvalues, &amask)) != 0)
+ goto cleanup;
- memset(strval, 0, sizeof(strval));
- for (p=1, q=0; p<=2; p<<=1, ++q) {
- if ((p & amask) == 0)
- strval[r++] = attrvalues[q];
- }
- if (r != 0) {
- if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
- goto cleanup;
- }
+ memset(strval, 0, sizeof(strval));
+ for (p=1, q=0; p<=2; p<<=1, ++q) {
+ if ((p & amask) == 0)
+ strval[r++] = attrvalues[q];
}
- if (xargs.dn != NULL)
- st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
- else
- st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
-
- if (st != LDAP_SUCCESS) {
- snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st));
- st = translate_ldap_error (st, OP_MOD);
- krb5_set_error_message(context, st, "%s", errbuf);
- goto cleanup;
+ if (r != 0) {
+ if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
+ goto cleanup;
}
+ }
+ if (xargs.dn != NULL)
+ st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
+ else
+ st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
- if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
- entries->fail_auth_count++;
+ if (st != LDAP_SUCCESS) {
+ snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st));
+ st = translate_ldap_error (st, OP_MOD);
+ krb5_set_error_message(context, st, "%s", errbuf);
+ goto cleanup;
}
+
+ if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
+ entry->fail_auth_count++;
}
cleanup:
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
- *nentries = i;
return(st);
}
static krb5_error_code
krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
- char *pol_dn, osa_policy_ent_t *policy,
- int *cnt)
+ char *pol_dn, osa_policy_ent_t *policy)
{
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
SETUP_CONTEXT();
GET_HANDLE();
- *cnt = 0;
*(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec));
if (*policy == NULL) {
st = ENOMEM;
memset(*policy, 0, sizeof(osa_policy_ent_rec));
LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
- *cnt = 1;
#if 0 /************** Begin IFDEF'ed OUT *******************************/
(*policy)->name = strdup(name);
CHECK_NULL((*policy)->name);
*/
krb5_error_code
krb5_ldap_get_password_policy(krb5_context context, char *name,
- osa_policy_ent_t *policy, int *cnt)
+ osa_policy_ent_t *policy)
{
krb5_error_code st = 0;
char *policy_dn = NULL;
if (st != 0)
goto cleanup;
- st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn, policy, cnt);
+ st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn,
+ policy);
cleanup:
if (policy_dn != NULL)
#define _LDAP_KRBPWDPOLICY_H_
krb5_error_code
-krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *, int *);
+krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *);
krb5_error_code
krb5_ldap_create_password_policy(krb5_context, osa_policy_ent_t);
for (i = 0; values[i] != NULL; ++i) {
krb5_parse_name(context, values[i], &principal);
if (principal_in_realm_2(principal, lrealm) == 0) {
- int nent = 0;
- if ((st=krb5_ldap_delete_principal(context, principal,
- &nent)) != LDAP_SUCCESS)
+ st=krb5_ldap_delete_principal(context, principal);
+ if (st && st != KRB5_KDB_NOENTRY)
goto cleanup;
}
krb5_free_principal(context, principal);
if (adb.policy != NULL) {
osa_policy_ent_t policy = NULL;
- int count = 0;
- code = krb5_ldap_get_password_policy(context, adb.policy,
- &policy, &count);
- if (code == 0 && count == 1) {
+ code = krb5_ldap_get_password_policy(context, adb.policy, &policy);
+ if (code == 0) {
*pw_max_fail = policy->pw_max_fail;
*pw_failcnt_interval = policy->pw_failcnt_interval;
*pw_lockout_duration = policy->pw_lockout_duration;
krb5_kvno max_fail = 0;
krb5_deltat failcnt_interval = 0;
krb5_deltat lockout_duration = 0;
- int nentries = 1;
SETUP_CONTEXT();
}
if (entry->mask) {
- code = krb5_ldap_put_principal(context, entry, &nentries, NULL);
+ code = krb5_ldap_put_principal(context, entry, NULL);
if (code != 0)
return code;
}
int master_princ_set = 0;
krb5_keyblock master_keyblock;
krb5_principal master_princ;
-krb5_db_entry master_entry;
krb5_pointer master_random;
krb5_context test_context;
com_err(progname, retval, "while closing database");
exit(1);
}
- if (master_princ_set) {
+ if (master_princ_set)
krb5_free_principal(test_context, master_princ);
- }
krb5_free_context(test_context);
exit(0);
}
{
krb5_error_code retval;
krb5_principal newprinc;
- krb5_db_entry newentry;
+ krb5_db_entry *newentry;
char princ_name[4096];
- memset(&newentry, 0, sizeof(newentry));
+ newentry = krb5_db_alloc(context, NULL, sizeof(*newentry));
+ if (newentry == NULL) {
+ com_err(progname, ENOMEM, "while allocating DB entry");
+ return;
+ }
+ memset(newentry, 0, sizeof(*newentry));
snprintf(princ_name, sizeof(princ_name), "%s@%s", str_newprinc, cur_realm);
if ((retval = krb5_parse_name(context, princ_name, &newprinc))) {
com_err(progname, retval, "while parsing '%s'", princ_name);
}
/* Add basic data */
- newentry.len = KRB5_KDB_V1_BASE_LENGTH;
- newentry.attributes = mblock.flags;
- newentry.max_life = mblock.max_life;
- newentry.max_renewable_life = mblock.max_rlife;
- newentry.expiration = mblock.expiration;
- newentry.pw_expiration = mblock.expiration;
+ newentry->len = KRB5_KDB_V1_BASE_LENGTH;
+ newentry->attributes = mblock.flags;
+ newentry->max_life = mblock.max_life;
+ newentry->max_renewable_life = mblock.max_rlife;
+ newentry->expiration = mblock.expiration;
+ newentry->pw_expiration = mblock.expiration;
/* Add princ to db entry */
- if ((retval = krb5_copy_principal(context, newprinc, &newentry.princ))) {
+ if ((retval = krb5_copy_principal(context, newprinc, &newentry->princ))) {
com_err(progname, retval, "while encoding princ to db entry for '%s'",
princ_name);
krb5_free_principal(context, newprinc);
krb5_free_principal(context, newprinc);
goto error;
}
- retval = krb5_dbe_update_mod_princ_data(context, &newentry, now,
+ retval = krb5_dbe_update_mod_princ_data(context, newentry, now,
master_princ);
if (retval) {
com_err(progname, retval, "while encoding mod_princ data");
}
krb5_free_data_contents(context, &salt);
- if ((retval = krb5_dbe_create_key_data(context, &newentry))) {
+ if ((retval = krb5_dbe_create_key_data(context, newentry))) {
com_err(progname, retval, "while creating key_data for '%s'",
princ_name);
free(key.contents);
if ((retval = krb5_dbe_encrypt_key_data(context, &master_keyblock,
&key, NULL, 1,
- newentry.key_data))) {
+ newentry->key_data))) {
com_err(progname, retval, "while encrypting key for '%s'",
princ_name);
free(key.contents);
free(key.contents);
}
- {
- int one = 1;
-
- if ((retval = krb5_db_put_principal(context, &newentry, &one))) {
- com_err(progname, retval, "while storing principal date");
- goto error;
- }
- if (one != 1) {
- com_err(progname,0,"entry not stored in database (unknown failure)");
- goto error;
- }
+ if ((retval = krb5_db_put_principal(context, newentry))) {
+ com_err(progname, retval, "while storing principal date");
+ goto error;
}
fprintf(stdout, "Added %s to database\n", princ_name);
error: /* Do cleanup of newentry regardless of error */
-#if 0
- krb5_dbe_free_contents(context, &newentry);
-#endif
- krb5_db_free_principal(context, &newentry, 1);
+ krb5_db_free_principal(context, newentry);
return;
}
char *dbname;
{
krb5_error_code retval;
- int nentries;
- krb5_boolean more;
krb5_data pwd, scratch;
char *args[2];
krb5_keylist_node *mkeys;
+ krb5_db_entry *master_entry;
/* assemble & parse the master key name */
return(1);
}
krb5_db_free_mkey_list(test_context, mkeys);
- nentries = 1;
- if ((retval = krb5_db_get_principal(test_context, master_princ,
- &master_entry, &nentries, &more))) {
+ if ((retval = krb5_db_get_principal(test_context, master_princ, 0,
+ &master_entry))) {
com_err(pname, retval, "while retrieving master entry");
(void) krb5_db_fini(test_context);
return(1);
- } else if (more) {
- com_err(pname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "while retrieving master entry");
- (void) krb5_db_fini(test_context);
- return(1);
- } else if (!nentries) {
- com_err(pname, KRB5_KDB_NOENTRY, "while retrieving master entry");
- (void) krb5_db_fini(test_context);
- return(1);
}
- mblock.max_life = master_entry.max_life;
- mblock.max_rlife = master_entry.max_renewable_life;
- mblock.expiration = master_entry.expiration;
+ mblock.max_life = master_entry->max_life;
+ mblock.max_rlife = master_entry->max_renewable_life;
+ mblock.expiration = master_entry->expiration;
/* don't set flags, master has some extra restrictions */
- mblock.mkvno = master_entry.key_data[0].key_data_kvno;
+ mblock.mkvno = master_entry->key_data[0].key_data_kvno;
- krb5_db_free_principal(test_context, &master_entry, nentries);
+ krb5_db_free_principal(test_context, master_entry);
return 0;
}
krb5_keyblock master_keyblock;
krb5_principal master_princ;
-krb5_db_entry master_entry;
krb5_encrypt_block master_encblock;
krb5_pointer master_random;
char *str_master_princ;
char * str_princ;
{
krb5_error_code retval;
- krb5_db_entry kdbe;
+ krb5_db_entry *kdbe = NULL;
krb5_keyblock pwd_key, db_key;
krb5_data pwd, salt;
krb5_principal princ;
- krb5_boolean more;
- int nprincs = 1;
/* char *str_mod_name; */
char princ_name[4096];
}
krb5_free_data_contents(context, &salt);
- if ((retval = krb5_db_get_principal(context, princ, &kdbe,
- &nprincs, &more))) {
+ if ((retval = krb5_db_get_principal(context, princ, 0, &kdbe))) {
com_err(progname, retval, "while attempting to verify principal's existence");
krb5_free_principal(context, princ);
goto out;
}
krb5_free_principal(context, princ);
- if (nprincs != 1) {
- com_err(progname, 0, "Found %d entries db entry for %s.\n", nprincs,
- princ_name);
- goto errout;
- }
-
if ((retval = krb5_dbe_decrypt_key_data(context, &master_keyblock,
- kdbe.key_data, &db_key, NULL))) {
+ kdbe->key_data, &db_key, NULL))) {
com_err(progname, retval, "while decrypting key for '%s'", princ_name);
goto errout;
}
fprintf (stderr, "\tKey types do not agree (%d expected, %d from db)\n",
pwd_key.enctype, db_key.enctype);
errout:
- krb5_db_free_principal(context, &kdbe, nprincs);
+ krb5_db_free_principal(context, kdbe);
return(-1);
}
else {
free(pwd_key.contents);
free(db_key.contents);
- if (kdbe.key_data[0].key_data_kvno != 1) {
+ if (kdbe->key_data[0].key_data_kvno != 1) {
fprintf(stderr,"\tkvno did not match stored value for %s.\n", princ_name);
goto errout;
}
- if (kdbe.max_life != mblock.max_life) {
+ if (kdbe->max_life != mblock.max_life) {
fprintf(stderr, "\tmax life did not match stored value for %s.\n",
princ_name);
goto errout;
}
- if (kdbe.max_renewable_life != mblock.max_rlife) {
+ if (kdbe->max_renewable_life != mblock.max_rlife) {
fprintf(stderr,
"\tmax renewable life did not match stored value for %s.\n",
princ_name);
goto errout;
}
- if (kdbe.expiration != mblock.expiration) {
+ if (kdbe->expiration != mblock.expiration) {
fprintf(stderr, "\texpiration time did not match stored value for %s.\n",
princ_name);
goto errout;
}
*/
- if (kdbe.attributes != mblock.flags) {
+ if (kdbe->attributes != mblock.flags) {
fprintf(stderr, "\tAttributes did not match stored value for %s.\n",
princ_name);
goto errout;
}
out:
- krb5_db_free_principal(context, &kdbe, nprincs);
+ krb5_db_free_principal(context, kdbe);
return(0);
}
char *dbname;
{
krb5_error_code retval;
- int nentries;
- krb5_boolean more;
krb5_data pwd, scratch;
char *args[2];
krb5_keylist_node *mkeys;
+ krb5_db_entry *master_entry;
/* assemble & parse the master key name */
return(1);
}
krb5_db_free_mkey_list(context, mkeys);
- nentries = 1;
- if ((retval = krb5_db_get_principal(context, master_princ, &master_entry,
- &nentries, &more))) {
+ if ((retval = krb5_db_get_principal(context, master_princ, 0,
+ &master_entry))) {
com_err(pname, retval, "while retrieving master entry");
(void) krb5_db_fini(context);
return(1);
- } else if (more) {
- com_err(pname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "while retrieving master entry");
- (void) krb5_db_fini(context);
- return(1);
- } else if (!nentries) {
- com_err(pname, KRB5_KDB_NOENTRY, "while retrieving master entry");
- (void) krb5_db_fini(context);
- return(1);
}
if ((retval = krb5_unparse_name(context, master_princ,
(void) krb5_db_fini(context);
return(1);
}
- mblock.max_life = master_entry.max_life;
- mblock.max_rlife = master_entry.max_renewable_life;
- mblock.expiration = master_entry.expiration;
+ mblock.max_life = master_entry->max_life;
+ mblock.max_rlife = master_entry->max_renewable_life;
+ mblock.expiration = master_entry->expiration;
/* don't set flags, master has some extra restrictions */
- mblock.mkvno = master_entry.key_data[0].key_data_kvno;
+ mblock.mkvno = master_entry->key_data[0].key_data_kvno;
- krb5_db_free_principal(context, &master_entry, nentries);
+ krb5_db_free_principal(context, master_entry);
return 0;
}