From 04d29de13e88ff63c1ab0acd924d1f672370afd7 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 24 Jul 1996 22:20:03 +0000 Subject: [PATCH] * Makefile.in, configure.in: fix shared lib lossage by rearrangement of subdirectories git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@8804 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/kadm5/ChangeLog | 5 + src/lib/kadm5/Makefile.in | 111 +-- src/lib/kadm5/adb_free.c | 71 -- src/lib/kadm5/adb_openclose.c | 338 -------- src/lib/kadm5/adb_policy.c | 401 --------- src/lib/kadm5/adb_principal.c | 408 --------- src/lib/kadm5/adb_xdr.c | 132 --- src/lib/kadm5/client_handle.c | 9 - src/lib/kadm5/client_init.c | 554 ------------ src/lib/kadm5/client_internal.h | 93 -- src/lib/kadm5/client_principal.c | 307 ------- src/lib/kadm5/client_rpc.c | 221 ----- src/lib/kadm5/clnt_chpass_util.c | 15 - src/lib/kadm5/clnt_policy.c | 151 ---- src/lib/kadm5/clnt_privs.c | 66 -- src/lib/kadm5/configure.in | 53 +- src/lib/kadm5/server_acl.c | 511 ----------- src/lib/kadm5/server_acl.h | 81 -- src/lib/kadm5/server_dict.c | 199 ----- src/lib/kadm5/server_handle.c | 9 - src/lib/kadm5/server_init.c | 330 -------- src/lib/kadm5/server_kdb.c | 424 ---------- src/lib/kadm5/server_misc.c | 101 --- src/lib/kadm5/svr_chpass_util.c | 15 - src/lib/kadm5/svr_iters.c | 248 ------ src/lib/kadm5/svr_misc_free.c | 37 - src/lib/kadm5/svr_policy.c | 315 ------- src/lib/kadm5/svr_principal.c | 1350 ------------------------------ 28 files changed, 36 insertions(+), 6519 deletions(-) delete mode 100644 src/lib/kadm5/adb_free.c delete mode 100644 src/lib/kadm5/adb_openclose.c delete mode 100644 src/lib/kadm5/adb_policy.c delete mode 100644 src/lib/kadm5/adb_principal.c delete mode 100644 src/lib/kadm5/adb_xdr.c delete mode 100644 src/lib/kadm5/client_handle.c delete mode 100644 src/lib/kadm5/client_init.c delete mode 100644 src/lib/kadm5/client_internal.h delete mode 100644 src/lib/kadm5/client_principal.c delete mode 100644 src/lib/kadm5/client_rpc.c delete mode 100644 src/lib/kadm5/clnt_chpass_util.c delete mode 100644 src/lib/kadm5/clnt_policy.c delete mode 100644 src/lib/kadm5/clnt_privs.c delete mode 100644 src/lib/kadm5/server_acl.c delete mode 100644 src/lib/kadm5/server_acl.h delete mode 100644 src/lib/kadm5/server_dict.c delete mode 100644 src/lib/kadm5/server_handle.c delete mode 100644 src/lib/kadm5/server_init.c delete mode 100644 src/lib/kadm5/server_kdb.c delete mode 100644 src/lib/kadm5/server_misc.c delete mode 100644 src/lib/kadm5/svr_chpass_util.c delete mode 100644 src/lib/kadm5/svr_iters.c delete mode 100644 src/lib/kadm5/svr_misc_free.c delete mode 100644 src/lib/kadm5/svr_policy.c delete mode 100644 src/lib/kadm5/svr_principal.c diff --git a/src/lib/kadm5/ChangeLog b/src/lib/kadm5/ChangeLog index 7eb2c1ab4..ade62cc98 100644 --- a/src/lib/kadm5/ChangeLog +++ b/src/lib/kadm5/ChangeLog @@ -1,3 +1,8 @@ +Wed Jul 24 18:18:39 1996 Tom Yu + + * Makefile.in, configure.in: fix shared lib lossage by + rearrangement of subdirectories + Tue Jul 23 16:49:56 1996 Tom Yu * Makefile.in: delete extraneous trailing backslash from GENSRCS diff --git a/src/lib/kadm5/Makefile.in b/src/lib/kadm5/Makefile.in index 12771f156..ab82a0385 100644 --- a/src/lib/kadm5/Makefile.in +++ b/src/lib/kadm5/Makefile.in @@ -1,7 +1,6 @@ CFLAGS = $(CCOPTS) $(DEFS) ##DOSBUILDTOP = ..\.. -##DOSLIBNAME=libkadm5srv.lib .c.o: $(CC) $(CFLAGS) -c $(srcdir)/$*.c @@ -28,7 +27,7 @@ clean:: $(RM) adb_err.c adb_err.h adb_err.o $(RM) chpass_util_strings.c chpass_util_strings.h chpass_util_strings.o -GENSRCS = kadm_err.c \ +SRCS = kadm_err.c \ adb_err.c \ chpass_util_strings.c \ $(srcdir)/ovsec_glue.c \ @@ -39,30 +38,7 @@ GENSRCS = kadm_err.c \ $(srcdir)/str_conv.c \ $(srcdir)/logger.c -SRVSRCS = $(GENSRCS) \ - $(srcdir)/svr_policy.c \ - $(srcdir)/svr_principal.c \ - $(srcdir)/server_acl.c \ - $(srcdir)/server_kdb.c \ - $(srcdir)/server_misc.c \ - $(srcdir)/server_init.c \ - $(srcdir)/server_dict.c \ - $(srcdir)/svr_iters.c \ - $(srcdir)/svr_chpass_util.c \ - $(srcdir)/adb_xdr.c \ - $(srcdir)/adb_policy.c \ - $(srcdir)/adb_free.c \ - $(srcdir)/adb_openclose.c - -CLNTSRCS = $(GENSRCS) \ - $(srcdir)/clnt_policy.c \ - $(srcdir)/client_rpc.c \ - $(srcdir)/client_principal.c \ - $(srcdir)/client_init.c \ - $(srcdir)/clnt_privs.c \ - $(srcdir)/clnt_chpass_util.c - -GENOBJS = kadm_err.$(OBJEXT) \ +OBJS = kadm_err.$(OBJEXT) \ adb_err.$(OBJEXT) \ chpass_util_strings.$(OBJEXT) \ ovsec_glue.$(OBJEXT) \ @@ -73,93 +49,18 @@ GENOBJS = kadm_err.$(OBJEXT) \ str_conv.$(OBJEXT) \ logger.$(OBJEXT) -SRVOBJS = $(GENOBJS) \ - svr_policy.$(OBJEXT) \ - svr_principal.$(OBJEXT) \ - server_acl.$(OBJEXT) \ - server_kdb.$(OBJEXT) \ - server_misc.$(OBJEXT) \ - server_init.$(OBJEXT) \ - server_dict.$(OBJEXT) \ - svr_iters.$(OBJEXT) \ - svr_chpass_util.$(OBJEXT) \ - adb_xdr.$(OBJEXT) \ - adb_policy.$(OBJEXT) \ - adb_free.$(OBJEXT) \ - adb_openclose.$(OBJEXT) - -CLNTOBJS = $(GENOBJS) @LIBOBJS@ \ - clnt_policy.$(OBJEXT) \ - client_rpc.$(OBJEXT) \ - client_principal.$(OBJEXT) \ - client_init.$(OBJEXT) \ - clnt_privs.$(OBJEXT) \ - clnt_chpass_util.$(OBJEXT) - -# -# Depends on libkdb5, libkrb5, libcrypto, libcom_err, libdyn -# -KDB5_VER=@KDB5_SH_VERS@ -KRB5_VER=@KRB5_SH_VERS@ -CRYPTO_VER=@CRYPTO_SH_VERS@ -COMERR_VER=@COMERR_SH_VERS@ -DYN_VER=@DYN_SH_VERS@ -DEPLIBS=$(TOPLIBD)/libkdb5.$(SHEXT).$(KDB5_VER) \ - $(TOPLIBD)/libkrb5.$(SHEXT).$(KRB5_VER) \ - $(TOPLIBD)/libcrypto.$(SHEXT).$(CRYPTO_VER) \ - $(TOPLIBD)/libcom_err.$(SHEXT).$(COMERR_VER) \ - $(TOPLIBD)/libdyn.$(SHEXT).$(DYN_VER) - -SHLIB_LIBS=-lkdb5 -lkrb5 -lcrypto -lcom_err -ldyn -SHLIB_LDFLAGS= $(LDFLAGS) @SHLIB_RPATH_DIRS@ -SHLIB_LIBDIRS= @SHLIB_LIBDIRS@ - -all-unix:: shared includes $(OBJS) +all-unix:: shared includes $(OBJS) DONE all-mac:: $(OBJS) all-windows:: $(OBJS) -# don't think about this very hard. when the build system goes away, -# so will this. -LIBDONE = srv/DONE clnt/DONE -LIB_SUBDIRS= shared: - -mkdir shared srv clnt - ln -s ../shared srv/shared - ln -s ../shared clnt/shared - -srv/DONE: $(SRVOBJS) - $(RM) srv/DONE - echo $(SRVOBJS) > srv/DONE - -clnt/DONE: $(CLNTOBJS) - $(RM) clnt/DONE - echo $(CLNTOBJS) > clnt/DONE + mkdir shared check-windows:: clean-unix:: - $(RM) shared/* srv/* clnt/* - -rmdir shared srv clnt + $(RM) shared/* + -rmdir shared clean-mac:: clean-windows:: - -libkadm5srv.a: $(SRVOBJS) - $(RM) $@ - $(ARADD) $@ $(SRVOBJS) - $(RANLIB) $@ - -libkadm5clnt.a: $(CLNTOBJS) - $(RM) $@ - $(ARADD) $@ $(CLNTOBJS) - $(RANLIB) $@ - -install:: libkadm5srv.a libkadm5clnt.a - $(INSTALL_DATA) libkadm5srv.a $(DESTDIR)$(KRB5_LIBDIR)/libkadm5srv.a - $(RANLIB) $(DESTDIR)$(KRB5_LIBDIR)/libkadm5srv.a - $(INSTALL_DATA) libkadm5clnt.a $(DESTDIR)$(KRB5_LIBDIR)/libkadm5clnt.a - $(RANLIB) $(DESTDIR)$(KRB5_LIBDIR)/libkadm5clnt.a - -clean:: - $(RM) libkadm5srv.a libkadm5srv.bak DONESRV - $(RM) libkadm5clnt.a libkadm5clnt.bak DONECLNT diff --git a/src/lib/kadm5/adb_free.c b/src/lib/kadm5/adb_free.c deleted file mode 100644 index 4c6f8a66d..000000000 --- a/src/lib/kadm5/adb_free.c +++ /dev/null @@ -1,71 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - * - * $Log$ - * Revision 1.8 1996/07/22 20:35:16 marc - * this commit includes all the changes on the OV_9510_INTEGRATION and - * OV_MERGE branches. This includes, but is not limited to, the new openvision - * admin system, and major changes to gssapi to add functionality, and bring - * the implementation in line with rfc1964. before committing, the - * code was built and tested for netbsd and solaris. - * - * Revision 1.7.4.1 1996/07/18 03:08:07 marc - * merged in changes from OV_9510_BP to OV_9510_FINAL1 - * - * Revision 1.7.2.1 1996/06/20 02:16:25 marc - * File added to the repository on a branch - * - * Revision 1.7 1996/05/12 06:21:57 marc - * don't use for "internal header files" - * - * Revision 1.6 1993/12/13 21:15:56 shanzer - * fixed memory leak - * ., - * - * Revision 1.5 1993/12/06 22:20:37 marc - * fixup free functions to use xdr to free the underlying struct - * - * Revision 1.4 1993/11/15 00:29:46 shanzer - * check to make sure pointers are somewhat vaid before freeing. - * - * Revision 1.3 1993/11/09 04:02:24 shanzer - * added some includefiles - * changed bzero to memset - * - * Revision 1.2 1993/11/04 01:54:24 shanzer - * added rcs header .. - * - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include "adb.h" -#include -#include - -void -osa_free_princ_ent(osa_princ_ent_t val) -{ - XDR xdrs; - - xdrmem_create(&xdrs, NULL, 0, XDR_FREE); - - xdr_osa_princ_ent_rec(&xdrs, val); - free(val); -} - -void -osa_free_policy_ent(osa_policy_ent_t val) -{ - XDR xdrs; - - xdrmem_create(&xdrs, NULL, 0, XDR_FREE); - - xdr_osa_policy_ent_rec(&xdrs, val); - free(val); -} - diff --git a/src/lib/kadm5/adb_openclose.c b/src/lib/kadm5/adb_openclose.c deleted file mode 100644 index 627a6b410..000000000 --- a/src/lib/kadm5/adb_openclose.c +++ /dev/null @@ -1,338 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include "adb.h" -#include - -#define MAX_LOCK_TRIES 5 - -struct _locklist { - osa_adb_lock_ent lockinfo; - struct _locklist *next; -}; - -osa_adb_ret_t osa_adb_create_db(char *filename, char *lockfilename, - int magic) -{ - FILE *lf; - DB *db; - HASHINFO info; - - lf = fopen(lockfilename, "w+"); - if (lf == NULL) - return errno; - (void) fclose(lf); - - memset(&info, 0, sizeof(info)); - info.hash = NULL; - info.bsize = 256; - info.ffactor = 8; - info.nelem = 25000; - info.lorder = 0; - db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_HASH, &info); - if (db == NULL) - return errno; - if (db->close(db) < 0) - return errno; - return OSA_ADB_OK; -} - -osa_adb_ret_t osa_adb_destroy_db(char *filename, char *lockfilename, - int magic) -{ - /* the admin databases do not contain security-critical data */ - if (unlink(filename) < 0 || - unlink(lockfilename) < 0) - return errno; - return OSA_ADB_OK; -} - -osa_adb_ret_t osa_adb_init_db(osa_adb_db_t *dbp, char *filename, - char *lockfilename, int magic) -{ - osa_adb_db_t db; - static struct _locklist *locklist = NULL; - struct _locklist *lockp; - krb5_error_code code; - - if (dbp == NULL || filename == NULL) - return EINVAL; - - db = (osa_adb_princ_t) malloc(sizeof(osa_adb_db_ent)); - if (db == NULL) - return ENOMEM; - - memset(db, 0, sizeof(*db)); - db->info.hash = NULL; - db->info.bsize = 256; - db->info.ffactor = 8; - db->info.nelem = 25000; - db->info.lorder = 0; - - /* - * A process is allowed to open the same database multiple times - * and access it via different handles. If the handles use - * distinct lockinfo structures, things get confused: lock(A), - * lock(B), release(B) will result in the kernel unlocking the - * lock file but handle A will still think the file is locked. - * Therefore, all handles using the same lock file must share a - * single lockinfo structure. - * - * It is not sufficient to have a single lockinfo structure, - * however, because a single process may also wish to open - * multiple different databases simultaneously, with different - * lock files. This code used to use a single static lockinfo - * structure, which means that the second database opened used - * the first database's lock file. This was Bad. - * - * We now maintain a linked list of lockinfo structures, keyed by - * lockfilename. An entry is added when this function is called - * with a new lockfilename, and all subsequent calls with that - * lockfilename use the existing entry, updating the refcnt. - * When the database is closed with fini_db(), the refcnt is - * decremented, and when it is zero the lockinfo structure is - * freed and reset. The entry in the linked list, however, is - * never removed; it will just be reinitialized the next time - * init_db is called with the right lockfilename. - */ - - /* find or create the lockinfo structure for lockfilename */ - lockp = locklist; - while (lockp) { - if (strcmp(lockp->lockinfo.filename, lockfilename) == 0) - break; - else - lockp = lockp->next; - } - if (lockp == NULL) { - /* doesn't exist, create it, add to list */ - lockp = (struct _locklist *) malloc(sizeof(*lockp)); - if (lockp == NULL) { - free(db); - return ENOMEM; - } - memset(lockp, 0, sizeof(*lockp)); - lockp->next = locklist; - locklist = lockp; - } - - /* now initialize lockp->lockinfo if necessary */ - if (lockp->lockinfo.lockfile == NULL) { - if (code = krb5_init_context(&lockp->lockinfo.context)) { - free(db); - return((osa_adb_ret_t) code); - } - - /* - * needs be open read/write so that write locking can work with - * POSIX systems - */ - lockp->lockinfo.filename = strdup(lockfilename); - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { - /* - * maybe someone took away write permission so we could only - * get shared locks? - */ - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r")) - == NULL) { - free(db); - return OSA_ADB_NOLOCKFILE; - } - } - lockp->lockinfo.lockmode = lockp->lockinfo.lockcnt = 0; - } - - /* lockp is set, lockinfo is initialized, update the reference count */ - db->lock = &lockp->lockinfo; - db->lock->refcnt++; - - db->filename = strdup(filename); - db->magic = magic; - - *dbp = db; - - return OSA_ADB_OK; -} - -osa_adb_ret_t osa_adb_fini_db(osa_adb_db_t db, int magic) -{ - if (db->magic != magic) - return EINVAL; - if (db->lock->refcnt == 0) { - /* barry says this can't happen */ - return OSA_ADB_FAILURE; - } else { - db->lock->refcnt--; - } - - if (db->lock->refcnt == 0) { - /* - * Don't free db->lock->filename, it is used as a key to - * find the lockinfo entry in the linked list. If the - * lockfile doesn't exist, we must be closing the database - * after trashing it. This has to be allowed, so don't - * generate an error. - */ - (void) fclose(db->lock->lockfile); - db->lock->lockfile = NULL; - krb5_free_context(db->lock->context); - } - - db->magic = 0; - free(db->filename); - free(db); - return OSA_ADB_OK; -} - -osa_adb_ret_t osa_adb_get_lock(osa_adb_db_t db, int mode) -{ - int tries, gotlock, perm, krb5_mode, ret; - - if (db->lock->lockmode >= mode) { - /* No need to upgrade lock, just incr refcnt and return */ - db->lock->lockcnt++; - return(OSA_ADB_OK); - } - - perm = 0; - switch (mode) { - case OSA_ADB_PERMANENT: - perm = 1; - case OSA_ADB_EXCLUSIVE: - krb5_mode = KRB5_LOCKMODE_EXCLUSIVE; - break; - case OSA_ADB_SHARED: - krb5_mode = KRB5_LOCKMODE_SHARED; - break; - default: - return(EINVAL); - } - - for (gotlock = tries = 0; tries < MAX_LOCK_TRIES; tries++) { - if ((ret = krb5_lock_file(db->lock->context, - fileno(db->lock->lockfile), - krb5_mode|KRB5_LOCKMODE_DONTBLOCK)) == 0) { - gotlock++; - break; - } else if (ret == EBADF && mode == OSA_ADB_EXCLUSIVE) - /* tried to exclusive-lock something we don't have */ - /* write access to */ - return OSA_ADB_NOEXCL_PERM; - - sleep(1); - } - - /* test for all the likely "can't get lock" error codes */ - if (ret == EACCES || ret == EAGAIN || ret == EWOULDBLOCK) - return OSA_ADB_CANTLOCK_DB; - else if (ret != 0) - return ret; - - /* - * If the file no longer exists, someone acquired a permanent - * lock. If that process terminates its exclusive lock is lost, - * but if we already had the file open we can (probably) lock it - * even though it has been unlinked. So we need to insist that - * it exist. - */ - if (access(db->lock->filename, F_OK) < 0) { - (void) krb5_lock_file(db->lock->context, - fileno(db->lock->lockfile), - KRB5_LOCKMODE_UNLOCK); - return OSA_ADB_NOLOCKFILE; - } - - /* we have the shared/exclusive lock */ - - if (perm) { - if (unlink(db->lock->filename) < 0) { - int ret; - - /* somehow we can't delete the file, but we already */ - /* have the lock, so release it and return */ - - ret = errno; - (void) krb5_lock_file(db->lock->context, - fileno(db->lock->lockfile), - KRB5_LOCKMODE_UNLOCK); - - /* maybe we should return CANTLOCK_DB.. but that would */ - /* look just like the db was already locked */ - return ret; - } - - /* this releases our exclusive lock.. which is okay because */ - /* now no one else can get one either */ - (void) fclose(db->lock->lockfile); - } - - db->lock->lockmode = mode; - db->lock->lockcnt++; - return OSA_ADB_OK; -} - -osa_adb_ret_t osa_adb_release_lock(osa_adb_db_t db) -{ - int ret; - - if (!db->lock->lockcnt) /* lock already unlocked */ - return OSA_ADB_NOTLOCKED; - - if (--db->lock->lockcnt == 0) { - if (db->lock->lockmode == OSA_ADB_PERMANENT) { - /* now we need to create the file since it does not exist */ - if ((db->lock->lockfile = fopen(db->lock->filename, - "w+")) == NULL) - return OSA_ADB_NOLOCKFILE; - } else if (ret = krb5_lock_file(db->lock->context, - fileno(db->lock->lockfile), - KRB5_LOCKMODE_UNLOCK)) - return ret; - - db->lock->lockmode = 0; - } - return OSA_ADB_OK; -} - -osa_adb_ret_t osa_adb_open_and_lock(osa_adb_princ_t db, int locktype) -{ - int ret; - - ret = osa_adb_get_lock(db, locktype); - if (ret != OSA_ADB_OK) - return ret; - - db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info); - if (db->db == NULL) { - (void) osa_adb_release_lock(db); - if(errno == EINVAL) - return OSA_ADB_BAD_DB; - return errno; - } - return OSA_ADB_OK; -} - -osa_adb_ret_t osa_adb_close_and_unlock(osa_adb_princ_t db) -{ - int ret; - - if(db->db->close(db->db) == -1) { - (void) osa_adb_release_lock(db); - return OSA_ADB_FAILURE; - } - - db->db = NULL; - - return(osa_adb_release_lock(db)); -} - diff --git a/src/lib/kadm5/adb_policy.c b/src/lib/kadm5/adb_policy.c deleted file mode 100644 index ff0117bac..000000000 --- a/src/lib/kadm5/adb_policy.c +++ /dev/null @@ -1,401 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include "adb.h" -#include -#include -#include - -extern int errno; - -#define OPENLOCK(db, mode) \ -{ \ - int ret; \ - if (db == NULL) \ - return EINVAL; \ - else if (db->magic != OSA_ADB_POLICY_DB_MAGIC) \ - return OSA_ADB_DBINIT; \ - else if ((ret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \ - return ret; \ - } - -#define CLOSELOCK(db) \ -{ \ - int ret; \ - if ((ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \ - return ret; \ -} - -osa_adb_ret_t osa_adb_create_policy_db(kadm5_config_params *params) -{ - return osa_adb_create_db(params->admin_dbname, - params->admin_lockfile, - OSA_ADB_POLICY_DB_MAGIC); -} - -osa_adb_ret_t osa_adb_destroy_policy_db(kadm5_config_params *params) -{ - return osa_adb_destroy_db(params->admin_dbname, - params->admin_lockfile, - OSA_ADB_POLICY_DB_MAGIC); -} - -osa_adb_ret_t osa_adb_open_policy(osa_adb_princ_t *dbp, - kadm5_config_params *rparams) -{ - return osa_adb_init_db(dbp, rparams->admin_dbname, - rparams->admin_lockfile, - OSA_ADB_POLICY_DB_MAGIC); -} - -osa_adb_ret_t osa_adb_close_policy(osa_adb_princ_t db) -{ - return osa_adb_fini_db(db, OSA_ADB_POLICY_DB_MAGIC); -} - -/* - * Function: osa_adb_create_policy - * - * Purpose: create a policy entry in the policy db. - * - * Arguments: - * entry (input) pointer to the entry to be added - * OSA_ADB_OK on sucsess, else error code. - * - * Requires: - * entry have a valid name. - * - * Effects: - * creates the entry in the db - * - * Modifies: - * the policy db. - * - */ -osa_adb_ret_t -osa_adb_create_policy(osa_adb_policy_t db, osa_policy_ent_t entry) -{ - DBT dbkey; - DBT dbdata; - XDR xdrs; - int ret; - - OPENLOCK(db, OSA_ADB_EXCLUSIVE); - - if(entry->name == NULL) { - ret = EINVAL; - goto error; - } - dbkey.data = entry->name; - dbkey.size = (strlen(entry->name) + 1); - - switch(db->db->get(db->db, &dbkey, &dbdata, 0)) { - case 0: - ret = OSA_ADB_DUP; - goto error; - case 1: - break; - default: - ret = errno; - goto error; - } - xdralloc_create(&xdrs, XDR_ENCODE); - if(!xdr_osa_policy_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - ret = OSA_ADB_XDR_FAILURE; - goto error; - } - dbdata.data = xdralloc_getdata(&xdrs); - dbdata.size = xdr_getpos(&xdrs); - switch(db->db->put(db->db, &dbkey, &dbdata, R_NOOVERWRITE)) { - case 0: - if((db->db->sync(db->db, 0)) == -1) - ret = OSA_ADB_FAILURE; - ret = OSA_ADB_OK; - break; - case 1: - ret = OSA_ADB_DUP; - break; - default: - ret = OSA_ADB_FAILURE; - break; - } - xdr_destroy(&xdrs); - -error: - CLOSELOCK(db); - return ret; -} - -/* - * Function: osa_adb_destroy_policy - * - * Purpose: destroy a policy entry - * - * Arguments: - * db (input) database handle - * name (input) name of policy - * OSA_ADB_OK on sucsess, or error code. - * - * Requires: - * db being valid. - * name being non-null. - * Effects: - * deletes policy from db. - * - * Modifies: - * policy db. - * - */ -osa_adb_ret_t -osa_adb_destroy_policy(osa_adb_policy_t db, kadm5_policy_t name) -{ - DBT dbkey; - int status, ret; - - OPENLOCK(db, OSA_ADB_EXCLUSIVE); - - if(name == NULL) { - ret = EINVAL; - goto error; - } - dbkey.data = name; - dbkey.size = (strlen(name) + 1); - - status = db->db->del(db->db, &dbkey, 0); - switch(status) { - case 1: - ret = OSA_ADB_NOENT; - goto error; - case 0: - if ((db->db->sync(db->db, 0)) == -1) { - ret = OSA_ADB_FAILURE; - goto error; - } - ret = OSA_ADB_OK; - break; - default: - ret = OSA_ADB_FAILURE; - goto error; - } - -error: - CLOSELOCK(db); - return ret; -} - -/* - * Function: osa_adb_get_policy - * - * Purpose: retrieve policy - * - * Arguments: - * db (input) db handle - * name (input) name of policy - * entry (output) policy entry - * 0 on sucsess, error code on failure. - * - * Requires: - * Effects: - * Modifies: - */ -osa_adb_ret_t -osa_adb_get_policy(osa_adb_policy_t db, kadm5_policy_t name, - osa_policy_ent_t *entry) -{ - DBT dbkey; - DBT dbdata; - XDR xdrs; - int ret; - char *aligned_data; - - OPENLOCK(db, OSA_ADB_SHARED); - - if(name == NULL) { - ret = EINVAL; - goto error; - } - dbkey.data = name; - dbkey.size = (strlen(dbkey.data) + 1); - dbdata.data = NULL; - dbdata.size = 0; - switch((db->db->get(db->db, &dbkey, &dbdata, 0))) { - case 1: - ret = OSA_ADB_NOENT; - goto error; - case 0: - break; - default: - ret = OSA_ADB_FAILURE; - goto error; - } - if (!(*(entry) = (osa_policy_ent_t)malloc(sizeof(osa_policy_ent_rec)))) { - ret = ENOMEM; - goto error; - } - if (!(aligned_data = (char *) malloc(dbdata.size))) { - ret = ENOMEM; - goto error; - } - memcpy(aligned_data, dbdata.data, dbdata.size); - memset(*entry, 0, sizeof(osa_policy_ent_rec)); - xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE); - if (!xdr_osa_policy_ent_rec(&xdrs, *entry)) - ret = OSA_ADB_FAILURE; - else ret = OSA_ADB_OK; - xdr_destroy(&xdrs); - free(aligned_data); - -error: - CLOSELOCK(db); - return ret; -} - -/* - * Function: osa_adb_put_policy - * - * Purpose: update a policy in the dababase - * - * Arguments: - * db (input) db handle - * entry (input) policy entry - * 0 on sucsess error code on failure. - * - * Requires: - * [requires] - * - * Effects: - * [effects] - * - * Modifies: - * [modifies] - * - */ -osa_adb_ret_t -osa_adb_put_policy(osa_adb_policy_t db, osa_policy_ent_t entry) -{ - DBT dbkey; - DBT dbdata; - DBT tmpdb; - XDR xdrs; - int ret; - - OPENLOCK(db, OSA_ADB_EXCLUSIVE); - - if(entry->name == NULL) { - ret = EINVAL; - goto error; - } - dbkey.data = entry->name; - dbkey.size = (strlen(entry->name) + 1); - switch(db->db->get(db->db, &dbkey, &tmpdb, 0)) { - case 0: - break; - case 1: - ret = OSA_ADB_NOENT; - goto error; - default: - ret = OSA_ADB_FAILURE; - goto error; - } - xdralloc_create(&xdrs, XDR_ENCODE); - if(!xdr_osa_policy_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - ret = OSA_ADB_XDR_FAILURE; - goto error; - } - dbdata.data = xdralloc_getdata(&xdrs); - dbdata.size = xdr_getpos(&xdrs); - switch(db->db->put(db->db, &dbkey, &dbdata, 0)) { - case 0: - if((db->db->sync(db->db, 0)) == -1) - ret = OSA_ADB_FAILURE; - ret = OSA_ADB_OK; - break; - default: - ret = OSA_ADB_FAILURE; - break; - } - xdr_destroy(&xdrs); - -error: - CLOSELOCK(db); - return ret; -} - -/* - * Function: osa_adb_iter_policy - * - * Purpose: iterate over the policy database. - * - * Arguments: - * db (input) db handle - * func (input) fucntion pointer to call - * data opaque data type - * 0 on sucsess error code on failure - * - * Requires: - * Effects: - * Modifies: - */ -osa_adb_ret_t -osa_adb_iter_policy(osa_adb_policy_t db, osa_adb_iter_policy_func func, - void *data) -{ - DBT dbkey, - dbdata; - XDR xdrs; - int ret; - osa_policy_ent_t entry; - char *aligned_data; - - OPENLOCK(db, OSA_ADB_EXCLUSIVE); /* hmmm */ - - if((ret = db->db->seq(db->db, &dbkey, &dbdata, R_FIRST)) == -1) { - ret = errno; - goto error; - } - - while (ret == 0) { - if (!(entry = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)))) { - ret = ENOMEM; - goto error; - } - - if(!(aligned_data = (char *) malloc(dbdata.size))) { - ret = ENOMEM; - goto error; - } - memcpy(aligned_data, dbdata.data, dbdata.size); - - memset(entry, 0, sizeof(osa_policy_ent_rec)); - xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE); - if(!xdr_osa_policy_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - free(aligned_data); - ret = OSA_ADB_FAILURE; - goto error; - } - (*func)(data, entry); - xdr_destroy(&xdrs); - free(aligned_data); - osa_free_policy_ent(entry); - ret = db->db->seq(db->db, &dbkey, &dbdata, R_NEXT); - } - if(ret == -1) - ret = errno; - else ret = OSA_ADB_OK; - -error: - CLOSELOCK(db); - return ret; -} diff --git a/src/lib/kadm5/adb_principal.c b/src/lib/kadm5/adb_principal.c deleted file mode 100644 index 8ee9aab30..000000000 --- a/src/lib/kadm5/adb_principal.c +++ /dev/null @@ -1,408 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - * - * $Log$ - * Revision 1.24 1996/07/22 20:35:23 marc - * this commit includes all the changes on the OV_9510_INTEGRATION and - * OV_MERGE branches. This includes, but is not limited to, the new openvision - * admin system, and major changes to gssapi to add functionality, and bring - * the implementation in line with rfc1964. before committing, the - * code was built and tested for netbsd and solaris. - * - * Revision 1.23.4.1 1996/07/18 03:08:17 marc - * merged in changes from OV_9510_BP to OV_9510_FINAL1 - * - * Revision 1.23.2.1 1996/06/20 02:16:30 marc - * File added to the repository on a branch - * - * Revision 1.23 1996/05/16 21:44:35 bjaspan - * this file is no longer used, #if the whole thing out - * - * Revision 1.22 1996/05/08 20:51:44 bjaspan - * marc's changes - * - * Revision 1.21 1995/08/24 20:23:43 bjaspan - * marc is a bonehead - * - * Revision 1.20 1995/08/23 19:16:02 marc - * check for db == NULL in OPENLOCK() - * - * Revision 1.19 1995/08/08 18:31:30 bjaspan - * [secure/3394] first cut at admin db locking support - * - * Revision 1.18 1995/08/02 15:26:57 bjaspan - * check db==NULL in iter - * - * Revision 1.17 1994/05/09 17:52:36 shanzer - * fixed some include files - * - * Revision 1.16 1994/03/17 01:25:58 shanzer - * include fcntl.h - * - * Revision 1.15 1993/12/17 18:54:06 jik - * [secure-admin/1040] - * - * open_princ should return errno, rather than BAD_DB, if errno is - * something other than BAD_DB. - * - * Revision 1.14 1993/12/13 18:55:58 marc - * remove bogus free()'s - * - * Revision 1.13 1993/12/08 22:29:27 marc - * fixed another xdrmem alignment thing] - * - * Revision 1.12 1993/12/06 22:22:22 bjaspan - * fix alignment and free-memory-read bugs - * - * Revision 1.11 1993/12/05 04:15:16 shanzer - * removed data size hack. - * - * Revision 1.10 1993/11/15 00:29:24 shanzer - * added filenme to open - * - * Revision 1.9 1993/11/10 20:10:06 shanzer - * now uses xdralloc instead of xdrmem - * - * Revision 1.8 1993/11/09 21:43:24 shanzer - * added check to see if we overflowed our xdr buffer. - * - * Revision 1.7 1993/11/09 04:00:19 shanzer - * changed bzero to memset - * - * Revision 1.6 1993/11/05 23:16:21 shanzer - * return ENOMEM instead of ovsec_kadm_mem - * - * Revision 1.5 1993/11/05 22:17:03 shanzer - * added principal db interative function - * - * Revision 1.4 1993/11/04 23:20:24 shanzer - * made HASHINFO static. - * - * Revision 1.3 1993/11/04 01:52:30 shanzer - * Restructred some code .. fixed some bugs/leaks - * - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#if 0 -/* XXX THIS FILE IS NO LONGER USED, and should be deleted when we're done */ - -#include -#include -#include "adb.h" -#include -#include - -#define OPENLOCK(db, mode) \ -{ \ - int ret; \ - if (db == NULL) \ - return EINVAL; \ - else if (db->magic != OSA_ADB_PRINC_DB_MAGIC) \ - return OSA_ADB_DBINIT; \ - else if ((ret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \ - return ret; \ - } - -#define CLOSELOCK(db) \ -{ \ - int ret; \ - if ((ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \ - return ret; \ -} - -osa_adb_ret_t osa_adb_open_princ(osa_adb_princ_t *dbp, char *filename) -{ - return osa_adb_init_db(dbp, filename, OSA_ADB_PRINC_DB_MAGIC); -} - -osa_adb_ret_t osa_adb_close_princ(osa_adb_princ_t db) -{ - return osa_adb_fini_db(db, OSA_ADB_PRINC_DB_MAGIC); -} - -osa_adb_ret_t -osa_adb_create_princ(osa_adb_princ_t db, osa_princ_ent_t entry) -{ - - DBT dbkey; - DBT dbdata; - XDR xdrs; - int ret; - - OPENLOCK(db, OSA_ADB_EXCLUSIVE); - - if(krb5_unparse_name(db->lock->context, - entry->name, (char **) &dbkey.data)) { - ret = OSA_ADB_BAD_PRINC; - goto error; - } - if((dbkey.size = strlen(dbkey.data)) == 0) { - ret = OSA_ADB_BAD_PRINC; - goto error; - } - - switch(db->db->get(db->db, &dbkey, &dbdata, 0)) { - case 0: - ret = OSA_ADB_DUP; - goto error; - case 1: - break; - default: - ret = OSA_ADB_FAILURE; - goto error; - } - xdralloc_create(&xdrs, XDR_ENCODE); - if(!xdr_osa_princ_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - ret = OSA_ADB_XDR_FAILURE; - goto error; - } - dbdata.data = xdralloc_getdata(&xdrs); - dbdata.size = xdr_getpos(&xdrs); - switch(db->db->put(db->db, &dbkey, &dbdata, R_NOOVERWRITE)) { - case 0: - if((db->db->sync(db->db, 0)) == -1) - ret = OSA_ADB_FAILURE; - else - ret = OSA_ADB_OK; - break; - case 1: - ret = OSA_ADB_DUP; - break; - default: - ret = OSA_ADB_FAILURE; - break; - } - xdralloc_release(&xdrs); - free(dbkey.data); - -error: - CLOSELOCK(db); - - return ret; -} - -osa_adb_ret_t -osa_adb_destroy_princ(osa_adb_princ_t db, ovsec_kadm_princ_t name) -{ - DBT dbkey; - int status; - int ret; - - OPENLOCK(db, OSA_ADB_EXCLUSIVE); - - if(krb5_unparse_name(db->lock->context, name, (char **) &dbkey.data)) { - ret = OSA_ADB_BAD_PRINC; - goto error; - } - if ((dbkey.size = strlen(dbkey.data)) == 0) { - ret = OSA_ADB_BAD_PRINC; - goto error; - } - status = db->db->del(db->db, &dbkey, 0); - switch(status) { - case 1: - ret = OSA_ADB_NOENT; - break; - case 0: - if ((db->db->sync(db->db, 0)) == -1) - ret = OSA_ADB_FAILURE; - else - ret = OSA_ADB_OK; - break; - default: - ret = OSA_ADB_FAILURE; - break; - } - free(dbkey.data); - -error: - CLOSELOCK(db); - - return ret; -} - -osa_adb_ret_t -osa_adb_get_princ(osa_adb_princ_t db, ovsec_kadm_princ_t name, - osa_princ_ent_t *entry) -{ - DBT dbkey; - DBT dbdata; - XDR xdrs; - int ret = 0; - char *aligned_data; - - OPENLOCK(db, OSA_ADB_SHARED); - - if(krb5_unparse_name(db->lock->context, name, (char **) &dbkey.data)) { - ret = OSA_ADB_BAD_PRINC; - goto error; - } - if((dbkey.size = strlen(dbkey.data)) == 0) { - ret = OSA_ADB_BAD_PRINC; - goto error; - } - dbdata.size = 0; - dbdata.data = NULL; - switch(db->db->get(db->db, &dbkey, &dbdata, 0)) { - case 1: - ret = OSA_ADB_NOENT; - break; - case 0: - break; - default: - ret = OSA_ADB_FAILURE; - break; - } - free(dbkey.data); - if (ret) - goto error; - - if (!(*(entry) = (osa_princ_ent_t)malloc(sizeof(osa_princ_ent_rec)))) { - ret = ENOMEM; - goto error; - } - - aligned_data = (char *) malloc(dbdata.size); - if (aligned_data == NULL) { - ret = ENOMEM; - goto error; - } - memcpy(aligned_data, dbdata.data, dbdata.size); - - memset(*entry, 0, sizeof(osa_princ_ent_rec)); - xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE); - if (!xdr_osa_princ_ent_rec(&xdrs, *entry)) { - xdr_destroy(&xdrs); - free(aligned_data); - ret = OSA_ADB_FAILURE; - goto error; - } - xdr_destroy(&xdrs); - free(aligned_data); - ret = OSA_ADB_OK; - -error: - CLOSELOCK(db); - return ret; -} - -osa_adb_ret_t -osa_adb_put_princ(osa_adb_princ_t db, osa_princ_ent_t entry) -{ - DBT dbkey; - DBT dbdata; - DBT tmpdb; - XDR xdrs; - int ret; - - OPENLOCK(db, OSA_ADB_EXCLUSIVE); - - if(krb5_unparse_name(db->lock->context, - entry->name, (char **) &dbkey.data)) { - ret = OSA_ADB_BAD_PRINC; - goto error; - } - if((dbkey.size = strlen(dbkey.data)) == 0) { - ret = OSA_ADB_BAD_PRINC; - goto error; - } - - switch(db->db->get(db->db, &dbkey, &tmpdb, 0)) { - case 0: - break; - case 1: - ret = OSA_ADB_NOENT; - goto error; - default: - ret = OSA_ADB_FAILURE; - goto error; - } - xdralloc_create(&xdrs, XDR_ENCODE); - if(!xdr_osa_princ_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - ret = OSA_ADB_XDR_FAILURE; - goto error; - } - dbdata.data = xdralloc_getdata(&xdrs); - dbdata.size = xdr_getpos(&xdrs); - switch(db->db->put(db->db, &dbkey, &dbdata, 0)) { - case 0: - if((db->db->sync(db->db, 0)) == -1) - ret = OSA_ADB_FAILURE; - else - ret = OSA_ADB_OK; - break; - default: - ret = OSA_ADB_FAILURE; - break; - } - xdralloc_release(&xdrs); - free(dbkey.data); - -error: - CLOSELOCK(db); - return ret; -} - -osa_adb_ret_t -osa_adb_iter_princ(osa_adb_princ_t db, osa_adb_iter_princ_func func, - void *data) -{ - DBT dbkey, - dbdata; - XDR xdrs; - int ret; - osa_princ_ent_t entry; - char *aligned_data; - - OPENLOCK(db, OSA_ADB_EXCLUSIVE); /* hmmmm */ - - if((ret = db->db->seq(db->db, &dbkey, &dbdata, R_FIRST)) == -1) { - ret = errno; - goto error; - } - while (ret == 0) { - if (!(entry = (osa_princ_ent_t) malloc(sizeof(osa_princ_ent_rec)))) { - ret = ENOMEM; - goto error; - } - - aligned_data = (char *) malloc(dbdata.size); - if (aligned_data == NULL) { - ret = ENOMEM; - goto error; - } - memcpy(aligned_data, dbdata.data, dbdata.size); - - memset(entry, 0, sizeof(osa_princ_ent_rec)); - xdrmem_create(&xdrs, aligned_data, dbdata.size, XDR_DECODE); - if(!xdr_osa_princ_ent_rec(&xdrs, entry)) { - xdr_destroy(&xdrs); - free(aligned_data); - ret = OSA_ADB_FAILURE; - goto error; - } - (*func)(data, entry); - xdr_destroy(&xdrs); - free(aligned_data); - osa_free_princ_ent(entry); - ret = db->db->seq(db->db, &dbkey, &dbdata, R_NEXT); - } - if(ret == -1) - ret = errno; - else - ret = OSA_ADB_OK; - -error: - CLOSELOCK(db); - return ret; -} - -#endif /* 0 */ diff --git a/src/lib/kadm5/adb_xdr.c b/src/lib/kadm5/adb_xdr.c deleted file mode 100644 index 944fb04b3..000000000 --- a/src/lib/kadm5/adb_xdr.c +++ /dev/null @@ -1,132 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include "adb.h" -#include "admin_xdr.h" -#include - -bool_t -xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp) -{ - unsigned int tmp; - - if (!xdr_krb5_int16(xdrs, &objp->key_data_ver)) - return(FALSE); - if (!xdr_krb5_int16(xdrs, &objp->key_data_kvno)) - return(FALSE); - if (!xdr_krb5_int16(xdrs, &objp->key_data_type[0])) - return(FALSE); - if (!xdr_krb5_int16(xdrs, &objp->key_data_type[1])) - return(FALSE); - if (!xdr_krb5_int16(xdrs, &objp->key_data_length[0])) - return(FALSE); - if (!xdr_krb5_int16(xdrs, &objp->key_data_length[1])) - return(FALSE); - - tmp = (unsigned int) objp->key_data_length[0]; - if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0], - &tmp, ~0)) - return FALSE; - - tmp = (unsigned int) objp->key_data_length[1]; - if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1], - &tmp, ~0)) - return FALSE; - - /* don't need to copy tmp out, since key_data_length will be set - by the above encoding. */ - - return(TRUE); -} - -bool_t -xdr_osa_pw_hist_ent(XDR *xdrs, osa_pw_hist_ent *objp) -{ - if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, - (u_int *) &objp->n_key_data, ~0, - sizeof(krb5_key_data), - xdr_krb5_key_data)) - return (FALSE); - return (TRUE); -} - -bool_t -xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp) -{ - switch (xdrs->x_op) { - case XDR_ENCODE: - objp->version = OSA_ADB_PRINC_VERSION_1; - /* fall through */ - case XDR_FREE: - if (!xdr_int(xdrs, &objp->version)) - return FALSE; - break; - case XDR_DECODE: - if (!xdr_int(xdrs, &objp->version)) - return FALSE; - if (objp->version != OSA_ADB_PRINC_VERSION_1) - return FALSE; - break; - } - - if (!xdr_nullstring(xdrs, &objp->policy)) - return (FALSE); - if (!xdr_long(xdrs, &objp->aux_attributes)) - return (FALSE); - if (!xdr_u_int(xdrs, &objp->old_key_next)) - return (FALSE); - if (!xdr_krb5_kvno(xdrs, &objp->admin_history_kvno)) - return (FALSE); - if (!xdr_array(xdrs, (caddr_t *) &objp->old_keys, - (unsigned int *) &objp->old_key_len, ~0, - sizeof(osa_pw_hist_ent), - xdr_osa_pw_hist_ent)) - return (FALSE); - return (TRUE); -} - -bool_t -xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp) -{ - switch (xdrs->x_op) { - case XDR_ENCODE: - objp->version = OSA_ADB_POLICY_VERSION_1; - /* fall through */ - case XDR_FREE: - if (!xdr_int(xdrs, &objp->version)) - return FALSE; - break; - case XDR_DECODE: - if (!xdr_int(xdrs, &objp->version)) - return FALSE; - if (objp->version != OSA_ADB_POLICY_VERSION_1) - return FALSE; - break; - } - - if(!xdr_nullstring(xdrs, &objp->name)) - return (FALSE); - if (!xdr_u_int32(xdrs, &objp->pw_min_life)) - return (FALSE); - if (!xdr_u_int32(xdrs, &objp->pw_max_life)) - return (FALSE); - if (!xdr_u_int32(xdrs, &objp->pw_min_length)) - return (FALSE); - if (!xdr_u_int32(xdrs, &objp->pw_min_classes)) - return (FALSE); - if (!xdr_u_int32(xdrs, &objp->pw_history_num)) - return (FALSE); - if (!xdr_u_int32(xdrs, &objp->policy_refcnt)) - return (FALSE); - return (TRUE); -} diff --git a/src/lib/kadm5/client_handle.c b/src/lib/kadm5/client_handle.c deleted file mode 100644 index 895777a6e..000000000 --- a/src/lib/kadm5/client_handle.c +++ /dev/null @@ -1,9 +0,0 @@ -#include -#include -#include "client_internal.h" - -int _kadm5_check_handle(void *handle) -{ - CHECK_HANDLE(handle); - return 0; -} diff --git a/src/lib/kadm5/client_init.c b/src/lib/kadm5/client_init.c deleted file mode 100644 index bfc1c3a3c..000000000 --- a/src/lib/kadm5/client_init.c +++ /dev/null @@ -1,554 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include /* for KRB5_ADM_DEFAULT_PORT */ -#ifdef __STDC__ -#include -#endif - -#include -#include -#include "client_internal.h" - -#include -#include -#include -#include - -#define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" - -#ifndef _POSIX_SOURCE /* Perhaps this should actually say __STDC__ */ -int setenv(const char *var, const char *val, int flag); -void unsetenv(const char *var); -#endif - -enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS }; - -static kadm5_ret_t _kadm5_init_any(char *client_name, - enum init_type init_type, - char *pass, - krb5_ccache ccache_in, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle); - -kadm5_ret_t kadm5_init_with_creds(char *client_name, - krb5_ccache ccache, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - return _kadm5_init_any(client_name, INIT_CREDS, NULL, ccache, - service_name, params, - struct_version, api_version, - server_handle); -} - - -kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - return _kadm5_init_any(client_name, INIT_PASS, pass, NULL, - service_name, params, struct_version, - api_version, server_handle); -} - -kadm5_ret_t kadm5_init(char *client_name, char *pass, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - return _kadm5_init_any(client_name, INIT_PASS, pass, NULL, - service_name, params, struct_version, - api_version, server_handle); -} - -kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - return _kadm5_init_any(client_name, INIT_SKEY, keytab, NULL, - service_name, params, struct_version, - api_version, server_handle); -} - -/* - * Try no preauthentication first; then try the encrypted timestamp - * (stolen from krb5 kinit.c) - */ -static int preauth_search_list[] = { - 0, - KRB5_PADATA_ENC_UNIX_TIME, - -1 -}; - -static kadm5_ret_t _kadm5_init_any(char *client_name, - enum init_type init_type, - char *pass, - krb5_ccache ccache_in, - char *service_name, - kadm5_config_params *params_in, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - struct sockaddr_in addr; - struct hostent *hp; - struct servent *srv; - int fd; - int i; - - char full_service_name[BUFSIZ], host[MAXHOSTNAMELEN], *ccname_orig; - char *realm; - krb5_creds creds; - krb5_ccache ccache = NULL; - krb5_timestamp now; - - OM_uint32 gssstat, minor_stat; - gss_buffer_desc input_name; - gss_name_t gss_target, gss_client; - gss_cred_id_t gss_client_creds = GSS_C_NO_CREDENTIAL; - - kadm5_server_handle_t handle; - kadm5_config_params params_local; - - int code = 0; - generic_ret *r; - - initialize_ovk_error_table(); - initialize_adb_error_table(); - initialize_ovku_error_table(); - - if (! server_handle) { - return EINVAL; - } - - if (! (handle = malloc(sizeof(*handle)))) { - return ENOMEM; - } - if (! (handle->lhandle = malloc(sizeof(*handle)))) { - free(handle); - return ENOMEM; - } - - handle->magic_number = KADM5_SERVER_HANDLE_MAGIC; - handle->struct_version = struct_version; - handle->api_version = api_version; - handle->clnt = 0; - handle->cache_name = 0; - handle->destroy_cache = 0; - *handle->lhandle = *handle; - handle->lhandle->api_version = KADM5_API_VERSION_2; - handle->lhandle->struct_version = KADM5_STRUCT_VERSION; - handle->lhandle->lhandle = handle->lhandle; - - krb5_init_context(&handle->context); - krb5_init_ets(handle->context); - - if(service_name == NULL || client_name == NULL) { - free(handle); - return EINVAL; - } - memset((char *) &creds, 0, sizeof(creds)); - - /* - * Verify the version numbers before proceeding; we can't use - * CHECK_HANDLE because not all fields are set yet. - */ - GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, - KADM5_NEW_LIB_API_VERSION); - - /* - * Acquire relevant profile entries. In version 2, merge values - * in params_in with values from profile, based on - * params_in->mask. - * - * In version 1, we've given a realm (which may be NULL) instead - * of params_in. So use that realm, make params_in contain an - * empty mask, and behave like version 2. - */ - memset((char *) ¶ms_local, 0, sizeof(params_local)); - if (api_version == KADM5_API_VERSION_1) { - realm = params_local.realm = (char *) params_in; - if (params_in) - params_local.mask = KADM5_CONFIG_REALM; - params_in = ¶ms_local; - } else { - if (params_in && (params_in->mask & KADM5_CONFIG_REALM)) - realm = params_in->realm; - else - realm = NULL; - } - -#define ILLEGAL_PARAMS (KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \ - KADM5_CONFIG_ADB_LOCKFILE | \ - KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_DICT_FILE \ - | KADM5_CONFIG_ADMIN_KEYTAB | \ - KADM5_CONFIG_STASH_FILE | \ - KADM5_CONFIG_MKEY_NAME | KADM5_CONFIG_ENCTYPE \ - | KADM5_CONFIG_MAX_LIFE | \ - KADM5_CONFIG_MAX_RLIFE | \ - KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_FLAGS | \ - KADM5_CONFIG_ENCTYPES | KADM5_CONFIG_MKEY_FROM_KBD) - - if (params_in && params_in->mask & ILLEGAL_PARAMS) { - free(handle); - return KADM5_BAD_CLIENT_PARAMS; - } - - if (code = kadm5_get_config_params(handle->context, - "/etc/krb5.conf", - "KRB5_CONFIG", - params_in, - &handle->params)) { - krb5_free_context(handle->context); - free(handle); - return(code); - } - -#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | \ - KADM5_CONFIG_ADMIN_SERVER | \ - KADM5_CONFIG_KADMIND_PORT) - - if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { - krb5_free_context(handle->context); - free(handle); - return KRB5_CONFIG_BADFORMAT; - } - - /* - * Acquire a service ticket for service_name@realm in the name of - * client_name, using password pass (which could be NULL), and - * create a ccache to store them in. If INIT_CREDS, use the - * ccache we were provided instead. - */ - - if ((code = krb5_parse_name(handle->context, client_name, &creds.client))) - goto error; - - if (realm) { - sprintf(full_service_name, "%s@%s", service_name, realm); - } else { - /* krb5_princ_realm(creds.client) is not null terminated */ - strcpy(full_service_name, service_name); - strcat(full_service_name, "@"); - strncat(full_service_name, krb5_princ_realm(handle->context, - creds.client)->data, - krb5_princ_realm(handle->context, creds.client)->length); - } - - if ((code = krb5_parse_name(handle->context, full_service_name, - &creds.server))) - goto error; - - /* XXX temporarily fix a bug in krb5_cc_get_type */ -#undef krb5_cc_get_type -#define krb5_cc_get_type(context, cache) ((cache)->ops->prefix) - - - if (init_type == INIT_CREDS) { - ccache = ccache_in; - handle->cache_name = (char *) - malloc(strlen(krb5_cc_get_type(handle->context, ccache)) + - strlen(krb5_cc_get_name(handle->context, ccache)) + 2); - if (handle->cache_name == NULL) { - code = ENOMEM; - goto error; - } - sprintf(handle->cache_name, "%s:%s", - krb5_cc_get_type(handle->context, ccache), - krb5_cc_get_name(handle->context, ccache)); - } else { - handle->cache_name = - (char *) malloc(strlen(ADM_CCACHE)+strlen("FILE:")+1); - if (handle->cache_name == NULL) { - code = ENOMEM; - goto error; - } - sprintf(handle->cache_name, "FILE:%s", ADM_CCACHE); - mktemp(handle->cache_name + strlen("FILE:")); - - if ((code = krb5_cc_resolve(handle->context, handle->cache_name, - &ccache))) - goto error; - - if ((code = krb5_cc_initialize (handle->context, ccache, - creds.client))) - goto error; - - handle->destroy_cache = 1; - } - handle->lhandle->cache_name = handle->cache_name; - - if ((code = krb5_timeofday(handle->context, &now))) - goto error; - - /* - * Get a ticket, use the method specified in init_type. - */ - - creds.times.starttime = 0; /* start timer at KDC */ - creds.times.endtime = 0; /* endtime will be limited by service */ - - if (init_type == INIT_PASS) { - for (i=0; preauth_search_list[i] >= 0; i++) { - code = krb5_get_in_tkt_with_password(handle->context, - 0, /* no options */ - 0, /* default addresses */ - NULL, - NULL, /* XXX preauth */ - pass, - ccache, - &creds, - NULL); - if (code != KRB5KDC_ERR_PREAUTH_FAILED && - code != KRB5KDC_ERR_PREAUTH_REQUIRED && - code != KRB5KRB_ERR_GENERIC) - break; - } - } else if (init_type == INIT_SKEY) { - krb5_keytab kt = NULL; - - if (pass && (code = krb5_kt_resolve(handle->context, pass, &kt))) - ; - else { - for (i=0; preauth_search_list[i] >= 0; i++) { - code = krb5_get_in_tkt_with_keytab(handle->context, - 0, /* no options */ - 0, /* default addrs */ - NULL, - NULL, /* XXX preauth */ - kt, - ccache, - &creds, - NULL); - if (code != KRB5KDC_ERR_PREAUTH_FAILED && - code != KRB5KDC_ERR_PREAUTH_REQUIRED && - code != KRB5KRB_ERR_GENERIC) - break; - } - - if (pass) krb5_kt_close(handle->context, kt); - } - } - - /* Improved error messages */ - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; - if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) - code = KADM5_SECURE_PRINC_MISSING; - - if (code != 0) goto error; - -#ifdef ZEROPASSWD - if (pass != NULL) - memset(pass, 0, strlen(pass)); -#endif - - /* - * We have ticket; open the RPC connection. - */ - - hp = gethostbyname(handle->params.admin_server); - if (hp == (struct hostent *) NULL) { - code = KRB5_CONFIG_BADFORMAT; - goto cleanup; - } - - memset(&addr, 0, sizeof(addr)); - addr.sin_family = hp->h_addrtype; - (void) memcpy((char *) &addr.sin_addr, (char *) hp->h_addr, - sizeof(addr.sin_addr)); - addr.sin_port = htons((u_short) handle->params.kadmind_port); - - fd = RPC_ANYSOCK; - - handle->clnt = clnttcp_create(&addr, KADM, KADMVERS, &fd, 0, 0); - if (handle->clnt == NULL) { - code = KADM5_RPC_ERROR; - goto error; - } - handle->lhandle->clnt = handle->clnt; - - /* now that handle->clnt is set, we can check the handle */ - if (code = _kadm5_check_handle((void *) handle)) - goto error; - - /* - * The RPC connection is open; establish the GSS-API - * authentication context. - */ - - /* use the kadm5 cache */ - ccname_orig = getenv("KRB5CCNAME"); - if (ccname_orig) - ccname_orig = strdup(ccname_orig); - - (void) setenv("KRB5CCNAME", handle->cache_name, 1); - -#ifndef INIT_TEST - input_name.value = full_service_name; - input_name.length = strlen((char *)input_name.value) + 1; - gssstat = gss_import_name(&minor_stat, &input_name, - gss_nt_krb5_name, &gss_target); - if (gssstat != GSS_S_COMPLETE) { - code = KADM5_GSS_ERROR; - goto error; - } -#endif /* ! INIT_TEST */ - - input_name.value = client_name; - input_name.length = strlen((char *)input_name.value) + 1; - gssstat = gss_import_name(&minor_stat, &input_name, - gss_nt_krb5_name, &gss_client); - if (gssstat != GSS_S_COMPLETE) { - code = KADM5_GSS_ERROR; - goto error; - } - - gssstat = gss_acquire_cred(&minor_stat, gss_client, 0, - GSS_C_NULL_OID_SET, GSS_C_INITIATE, - &gss_client_creds, NULL, NULL); - (void) gss_release_name(&minor_stat, &gss_client); - if (gssstat != GSS_S_COMPLETE) { - code = KADM5_GSS_ERROR; - goto error; - } - -#ifndef INIT_TEST - handle->clnt->cl_auth = auth_gssapi_create(handle->clnt, - &gssstat, - &minor_stat, - gss_client_creds, - gss_target, - GSS_C_NULL_OID, - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, - 0, - NULL, - NULL, - NULL); - (void) gss_release_name(&minor_stat, &gss_target); -#endif /* ! INIT_TEST */ - - if (ccname_orig) { - (void) setenv("KRB5CCNAME", ccname_orig, 1); - free(ccname_orig); - } else - (void) unsetenv("KRB5CCNAME"); - - - if (handle->clnt->cl_auth == NULL) { - code = KADM5_GSS_ERROR; - goto error; - } - - r = init_1(&handle->api_version, handle->clnt); - if (r == NULL) { - code = KADM5_RPC_ERROR; - goto error; - } - if (r->code) { - code = r->code; - goto error; - } - - *server_handle = (void *) handle; - - if (init_type != INIT_CREDS) - krb5_cc_close(handle->context, ccache); - - goto cleanup; - -error: - /* - * Note that it is illegal for this code to execute if "handle" - * has not been allocated and initialized. I.e., don't use "goto - * error" before the block of code at the top of the function - * that allocates and initializes "handle". - */ - if (handle->cache_name) - free(handle->cache_name); - if (handle->destroy_cache && ccache) - krb5_cc_destroy(handle->context, ccache); - if(handle->clnt && handle->clnt->cl_auth) - AUTH_DESTROY(handle->clnt->cl_auth); - if(handle->clnt) - clnt_destroy(handle->clnt); - -cleanup: - krb5_free_cred_contents(handle->context, &creds); - if (gss_client_creds != GSS_C_NO_CREDENTIAL) - (void) gss_release_cred(&minor_stat, &gss_client_creds); - - if (code) - free(handle); - - return code; -} - -kadm5_ret_t -kadm5_destroy(void *server_handle) -{ - krb5_ccache ccache = NULL; - int code = KADM5_OK; - kadm5_server_handle_t handle = - (kadm5_server_handle_t) server_handle; - - CHECK_HANDLE(server_handle); - - if (handle->destroy_cache && handle->cache_name) { - if ((code = krb5_cc_resolve(handle->context, - handle->cache_name, &ccache)) == 0) - code = krb5_cc_destroy (handle->context, ccache); - } - if (handle->cache_name) - free(handle->cache_name); - if (handle->clnt && handle->clnt->cl_auth) - AUTH_DESTROY(handle->clnt->cl_auth); - if (handle->clnt) - clnt_destroy(handle->clnt); - - handle->magic_number = 0; - free(handle); - - return code; -} - -kadm5_ret_t kadm5_flush(void *server_handle) -{ - return KADM5_OK; -} - -int _kadm5_check_handle(void *handle) -{ - CHECK_HANDLE(handle); - return 0; -} diff --git a/src/lib/kadm5/client_internal.h b/src/lib/kadm5/client_internal.h deleted file mode 100644 index 5a246158e..000000000 --- a/src/lib/kadm5/client_internal.h +++ /dev/null @@ -1,93 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - * - * $Log$ - * Revision 1.11 1996/07/22 20:35:46 marc - * this commit includes all the changes on the OV_9510_INTEGRATION and - * OV_MERGE branches. This includes, but is not limited to, the new openvision - * admin system, and major changes to gssapi to add functionality, and bring - * the implementation in line with rfc1964. before committing, the - * code was built and tested for netbsd and solaris. - * - * Revision 1.10.4.1 1996/07/18 03:08:37 marc - * merged in changes from OV_9510_BP to OV_9510_FINAL1 - * - * Revision 1.10.2.1 1996/06/20 02:16:46 marc - * File added to the repository on a branch - * - * Revision 1.10 1996/06/06 20:09:16 bjaspan - * add destroy_cache, for kadm5_init_with_creds - * - * Revision 1.9 1996/05/30 21:04:42 bjaspan - * add lhandle to handle - * - * Revision 1.8 1996/05/28 20:33:49 bjaspan - * rework kadm5_config - * - * Revision 1.7 1996/05/17 21:36:59 bjaspan - * rename to kadm5, begin implementing version 2 - * - * Revision 1.6 1996/05/16 21:45:07 bjaspan - * add context - * - * Revision 1.5 1996/05/08 21:10:23 bjaspan - * marc's changes - * - * Revision 1.4 1996/01/16 20:54:30 grier - * secure/3570 use krb5_ui_4 not unsigned int - * - * Revision 1.3 1995/11/14 17:48:57 grier - * long to int - * - * Revision 1.2 1994/08/16 18:53:47 jik - * Versioning stuff. - * - * Revision 1.1 1994/08/09 21:14:38 jik - * Initial revision - * - */ - -/* - * This header file is used internally by the Admin API client - * libraries. IF YOU THINK YOU NEED TO USE THIS FILE FOR ANYTHING, - * YOU'RE ALMOST CERTAINLY WRONG. - */ - -#ifndef __KADM5_CLIENT_INTERNAL_H__ -#define __KADM5_CLIENT_INTERNAL_H__ - -#include "admin_internal.h" - -typedef struct _kadm5_server_handle_t { - krb5_ui_4 magic_number; - krb5_ui_4 struct_version; - krb5_ui_4 api_version; - char * cache_name; - int destroy_cache; - CLIENT * clnt; - krb5_context context; - kadm5_config_params params; - struct _kadm5_server_handle_t *lhandle; -} kadm5_server_handle_rec, *kadm5_server_handle_t; - -#define CLIENT_CHECK_HANDLE(handle) \ -{ \ - kadm5_server_handle_t srvr = \ - (kadm5_server_handle_t) handle; \ - \ - if (! srvr->clnt) \ - return KADM5_BAD_SERVER_HANDLE; \ - if (! srvr->cache_name) \ - return KADM5_BAD_SERVER_HANDLE; \ - if (! srvr->lhandle) \ - return KADM5_BAD_SERVER_HANDLE; \ -} - -#define CHECK_HANDLE(handle) \ - GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, \ - KADM5_NEW_LIB_API_VERSION) \ - CLIENT_CHECK_HANDLE(handle) - -#endif /* __KADM5_CLIENT_INTERNAL_H__ */ diff --git a/src/lib/kadm5/client_principal.c b/src/lib/kadm5/client_principal.c deleted file mode 100644 index c41922722..000000000 --- a/src/lib/kadm5/client_principal.c +++ /dev/null @@ -1,307 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include -#include "client_internal.h" - -kadm5_ret_t -kadm5_create_principal(void *server_handle, - kadm5_principal_ent_t princ, long mask, - char *pw) -{ - generic_ret *r; - cprinc_arg arg; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - arg.mask = mask; - arg.passwd = pw; - arg.api_version = handle->api_version; - - if(princ == NULL) - return EINVAL; - memcpy(&arg.rec, princ, sizeof(kadm5_principal_ent_rec)); - if (handle->api_version == KADM5_API_VERSION_1) { - /* - * hack hack cough cough. - * krb5_unparse name dumps core if we pass it in garbage - * or null. So, since the client is not allowed to set mod_name - * anyway, we just fill it in with a dummy principal. The server of - * course ignores this. - */ - krb5_parse_name(handle->context, "bogus/bogus", &arg.rec.mod_name); - } else - arg.rec.mod_name = NULL; - - if(!(mask & KADM5_POLICY)) - arg.rec.policy = NULL; - if (! (mask & KADM5_KEY_DATA)) { - arg.rec.n_key_data = 0; - arg.rec.key_data = NULL; - } - if (! (mask & KADM5_TL_DATA)) { - arg.rec.n_tl_data = 0; - arg.rec.tl_data = NULL; - } - - r = create_principal_1(&arg, handle->clnt); - - if (handle->api_version == KADM5_API_VERSION_1) - krb5_free_principal(handle->context, arg.rec.mod_name); - - if(r == NULL) - return KADM5_RPC_ERROR; - return r->code; -} - -kadm5_ret_t -kadm5_delete_principal(void *server_handle, krb5_principal principal) -{ - dprinc_arg arg; - generic_ret *r; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - if(principal == NULL) - return EINVAL; - arg.princ = principal; - arg.api_version = handle->api_version; - r = delete_principal_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - return r->code; -} - -kadm5_ret_t -kadm5_modify_principal(void *server_handle, - kadm5_principal_ent_t princ, long mask) -{ - mprinc_arg arg; - generic_ret *r; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - arg.mask = mask; - arg.api_version = handle->api_version; - /* - * cough cough gag gag - * see comment in create_principal. - */ - if(princ == NULL) - return EINVAL; - memcpy(&arg.rec, princ, sizeof(kadm5_principal_ent_rec)); - if(!(mask & KADM5_POLICY)) - arg.rec.policy = NULL; - if (! (mask & KADM5_KEY_DATA)) { - arg.rec.n_key_data = 0; - arg.rec.key_data = NULL; - } - if (! (mask & KADM5_TL_DATA)) { - arg.rec.n_tl_data = 0; - arg.rec.tl_data = NULL; - } - - if (handle->api_version == KADM5_API_VERSION_1) { - /* - * See comment in create_principal - */ - krb5_parse_name(handle->context, "bogus/bogus", &arg.rec.mod_name); - } else - arg.rec.mod_name = NULL; - - r = modify_principal_1(&arg, handle->clnt); - - if (handle->api_version == KADM5_API_VERSION_1) - krb5_free_principal(handle->context, arg.rec.mod_name); - - if(r == NULL) - return KADM5_RPC_ERROR; - return r->code; -} - -kadm5_ret_t -kadm5_get_principal(void *server_handle, - krb5_principal princ, kadm5_principal_ent_t ent, - long mask) -{ - gprinc_arg arg; - gprinc_ret *r; - kadm5_server_handle_t handle = server_handle; - krb5_error_code retval; - - CHECK_HANDLE(server_handle); - - if(princ == NULL) - return EINVAL; - arg.princ = princ; - if (handle->api_version == KADM5_API_VERSION_1) - arg.mask = KADM5_PRINCIPAL_NORMAL_MASK; - else - arg.mask = mask; - arg.api_version = handle->api_version; - r = get_principal_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - if (handle->api_version == KADM5_API_VERSION_1) { - kadm5_principal_ent_t_v1 *entp; - - entp = (kadm5_principal_ent_t_v1 *) ent; - if (r->code == 0) { - if (!(*entp = (kadm5_principal_ent_t_v1) - malloc(sizeof(kadm5_principal_ent_rec_v1)))) - return ENOMEM; - /* this memcpy works because the v1 structure is an initial - subset of the v2 struct. C guarantees that this will - result in the same layout in memory */ - memcpy(*entp, &r->rec, sizeof(**entp)); - } else { - *entp = NULL; - } - } else { - if (r->code == 0) - memcpy(ent, &r->rec, sizeof(r->rec)); - } - - return r->code; -} - -kadm5_ret_t -kadm5_get_principals(void *server_handle, - char *exp, char ***princs, int *count) -{ - gprincs_arg arg; - gprincs_ret *r; - kadm5_server_handle_t handle = server_handle; - krb5_error_code retval; - - CHECK_HANDLE(server_handle); - - if(princs == NULL || count == NULL) - return EINVAL; - arg.exp = exp; - arg.api_version = handle->api_version; - r = get_princs_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - if(r->code == 0) { - *count = r->count; - *princs = r->princs; - } else { - *count = 0; - *princs = NULL; - } - - return r->code; -} - -kadm5_ret_t -kadm5_rename_principal(void *server_handle, - krb5_principal source, krb5_principal dest) -{ - rprinc_arg arg; - generic_ret *r; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - arg.src = source; - arg.dest = dest; - arg.api_version = handle->api_version; - if (source == NULL || dest == NULL) - return EINVAL; - r = rename_principal_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - return r->code; -} - -kadm5_ret_t -kadm5_chpass_principal(void *server_handle, - krb5_principal princ, char *password) -{ - chpass_arg arg; - generic_ret *r; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - arg.princ = princ; - arg.pass = password; - arg.api_version = handle->api_version; - - if(princ == NULL) - return EINVAL; - r = chpass_principal_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - return r->code; -} - -kadm5_ret_t -kadm5_randkey_principal(void *server_handle, - krb5_principal princ, - krb5_keyblock **key, int *n_keys) -{ - chrand_arg arg; - chrand_ret *r; - krb5_keyblock new; - kadm5_server_handle_t handle = server_handle; - int i, ret; - - CHECK_HANDLE(server_handle); - - arg.princ = princ; - arg.api_version = handle->api_version; - - if(princ == NULL) - return EINVAL; - r = chrand_principal_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - if (handle->api_version == KADM5_API_VERSION_1) { - if (key) - krb5_copy_keyblock(handle->context, &r->key, key); - } else { - if (n_keys) - *n_keys = r->n_keys; - if (key) { - *key = (krb5_keyblock *) malloc(r->n_keys*sizeof(krb5_keyblock)); - if (*key == NULL) - return ENOMEM; - for (i = 0; i < r->n_keys; i++) { - ret = krb5_copy_keyblock_contents(handle->context, - &r->keys[i], - &(*key)[i]); - if (ret) { - free(*key); - return ENOMEM; - } - } - } - } - - return r->code; -} - -/* not supported on client side */ -kadm5_ret_t kadm5_decrypt_key(void *server_handle, - kadm5_principal_ent_t entry, krb5_int32 - ktype, krb5_int32 stype, krb5_int32 - kvno, krb5_keyblock *keyblock, - krb5_keysalt *keysalt, int *kvnop) -{ - return EINVAL; -} diff --git a/src/lib/kadm5/client_rpc.c b/src/lib/kadm5/client_rpc.c deleted file mode 100644 index 547844a2c..000000000 --- a/src/lib/kadm5/client_rpc.c +++ /dev/null @@ -1,221 +0,0 @@ -#include -#include -#include -#include -#include - -/* Default timeout can be changed using clnt_control() */ -static struct timeval TIMEOUT = { 25, 0 }; - -generic_ret * -create_principal_1(argp, clnt) - cprinc_arg *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, CREATE_PRINCIPAL, xdr_cprinc_arg, argp, xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -generic_ret * -delete_principal_1(argp, clnt) - dprinc_arg *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, DELETE_PRINCIPAL, xdr_dprinc_arg, argp, xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -generic_ret * -modify_principal_1(argp, clnt) - mprinc_arg *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, MODIFY_PRINCIPAL, xdr_mprinc_arg, argp, xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -generic_ret * -rename_principal_1(argp, clnt) - rprinc_arg *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, RENAME_PRINCIPAL, xdr_rprinc_arg, argp, xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -gprinc_ret * -get_principal_1(argp, clnt) - gprinc_arg *argp; - CLIENT *clnt; -{ - static gprinc_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, GET_PRINCIPAL, xdr_gprinc_arg, argp, xdr_gprinc_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -gprincs_ret * -get_princs_1(argp, clnt) - gprinc_arg *argp; - CLIENT *clnt; -{ - static gprincs_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, GET_PRINCS, xdr_gprincs_arg, argp, - xdr_gprincs_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -generic_ret * -chpass_principal_1(argp, clnt) - chpass_arg *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, CHPASS_PRINCIPAL, xdr_chpass_arg, argp, xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -chrand_ret * -chrand_principal_1(argp, clnt) - chrand_arg *argp; - CLIENT *clnt; -{ - static chrand_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, CHRAND_PRINCIPAL, xdr_chrand_arg, argp, xdr_chrand_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -generic_ret * -create_policy_1(argp, clnt) - cpol_arg *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, CREATE_POLICY, xdr_cpol_arg, argp, xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -generic_ret * -delete_policy_1(argp, clnt) - dpol_arg *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, DELETE_POLICY, xdr_dpol_arg, argp, xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -generic_ret * -modify_policy_1(argp, clnt) - mpol_arg *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, MODIFY_POLICY, xdr_mpol_arg, argp, xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -gpol_ret * -get_policy_1(argp, clnt) - gpol_arg *argp; - CLIENT *clnt; -{ - static gpol_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, GET_POLICY, xdr_gpol_arg, argp, xdr_gpol_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -gpols_ret * -get_pols_1(argp, clnt) - gprinc_arg *argp; - CLIENT *clnt; -{ - static gpols_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, GET_POLS, xdr_gpols_arg, argp, - xdr_gpols_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -getprivs_ret *get_privs_1(argp, clnt) - void *argp; - CLIENT *clnt; -{ - static getprivs_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, GET_PRIVS, xdr_u_int32, argp, - xdr_getprivs_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} - -generic_ret * -init_1(argp, clnt) - void *argp; - CLIENT *clnt; -{ - static generic_ret res; - - memset((char *)&res, 0, sizeof(res)); - if (clnt_call(clnt, INIT, xdr_u_int32, argp, - xdr_generic_ret, &res, TIMEOUT) != RPC_SUCCESS) { - return (NULL); - } - return (&res); -} diff --git a/src/lib/kadm5/clnt_chpass_util.c b/src/lib/kadm5/clnt_chpass_util.c deleted file mode 100644 index d6c7f0bfb..000000000 --- a/src/lib/kadm5/clnt_chpass_util.c +++ /dev/null @@ -1,15 +0,0 @@ -#include -#include "client_internal.h" - -kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, - krb5_principal princ, - char *new_pw, - char **ret_pw, - char *msg_ret) -{ - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - return _kadm5_chpass_principal_util(handle, handle->lhandle, princ, - new_pw, ret_pw, msg_ret); -} diff --git a/src/lib/kadm5/clnt_policy.c b/src/lib/kadm5/clnt_policy.c deleted file mode 100644 index f81cf7471..000000000 --- a/src/lib/kadm5/clnt_policy.c +++ /dev/null @@ -1,151 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include "client_internal.h" -#include -#include - -kadm5_ret_t -kadm5_create_policy(void *server_handle, - kadm5_policy_ent_t policy, long mask) -{ - cpol_arg arg; - generic_ret *r; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - if(policy == (kadm5_policy_ent_t) NULL) - return EINVAL; - - arg.mask = mask; - arg.api_version = handle->api_version; - memcpy(&arg.rec, policy, sizeof(kadm5_policy_ent_rec)); - r = create_policy_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - return r->code; -} - -kadm5_ret_t -kadm5_delete_policy(void *server_handle, char *name) -{ - dpol_arg arg; - generic_ret *r; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - if(name == NULL) - return EINVAL; - - arg.name = name; - arg.api_version = handle->api_version; - - r = delete_policy_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - return r->code; -} - -kadm5_ret_t -kadm5_modify_policy(void *server_handle, - kadm5_policy_ent_t policy, long mask) - -{ - mpol_arg arg; - generic_ret *r; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - if(policy == (kadm5_policy_ent_t) NULL) - return EINVAL; - - arg.mask = mask; - arg.api_version = handle->api_version; - - memcpy(&arg.rec, policy, sizeof(kadm5_policy_ent_rec)); - r = modify_policy_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - return r->code; -} - -kadm5_ret_t -kadm5_get_policy(void *server_handle, char *name, kadm5_policy_ent_t ent) - -{ - gpol_arg arg; - gpol_ret *r; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - arg.name = name; - arg.api_version = handle->api_version; - - if(name == NULL) - return EINVAL; - - r = get_policy_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - if (handle->api_version == KADM5_API_VERSION_1) { - kadm5_policy_ent_t *entp; - - entp = (kadm5_policy_ent_t *) ent; - if(r->code == 0) { - if (!(*entp = (kadm5_policy_ent_t) - malloc(sizeof(kadm5_policy_ent_rec)))) - return ENOMEM; - memcpy(*entp, &r->rec, sizeof(**entp)); - } else { - *entp = NULL; - } - } else { - if (r->code == 0) - memcpy(ent, &r->rec, sizeof(r->rec)); - } - - return r->code; -} - -kadm5_ret_t -kadm5_get_policies(void *server_handle, - char *exp, char ***pols, int *count) -{ - gpols_arg arg; - gpols_ret *r; - kadm5_server_handle_t handle = server_handle; - krb5_error_code retval; - - CHECK_HANDLE(server_handle); - - if(pols == NULL || count == NULL) - return EINVAL; - arg.exp = exp; - arg.api_version = handle->api_version; - r = get_pols_1(&arg, handle->clnt); - if(r == NULL) - return KADM5_RPC_ERROR; - if(r->code == 0) { - *count = r->count; - *pols = r->pols; - } else { - *count = 0; - *pols = NULL; - } - - return r->code; -} diff --git a/src/lib/kadm5/clnt_privs.c b/src/lib/kadm5/clnt_privs.c deleted file mode 100644 index 93ea199e2..000000000 --- a/src/lib/kadm5/clnt_privs.c +++ /dev/null @@ -1,66 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. - * - * $Id$ - * $Source$ - * - * $Log$ - * Revision 1.6 1996/07/22 20:35:57 marc - * this commit includes all the changes on the OV_9510_INTEGRATION and - * OV_MERGE branches. This includes, but is not limited to, the new openvision - * admin system, and major changes to gssapi to add functionality, and bring - * the implementation in line with rfc1964. before committing, the - * code was built and tested for netbsd and solaris. - * - * Revision 1.5.4.1 1996/07/18 03:08:45 marc - * merged in changes from OV_9510_BP to OV_9510_FINAL1 - * - * Revision 1.5.2.1 1996/06/20 02:16:53 marc - * File added to the repository on a branch - * - * Revision 1.5 1996/05/17 21:36:50 bjaspan - * rename to kadm5, begin implementing version 2 - * - * Revision 1.4 1996/05/16 21:45:51 bjaspan - * u_int32 -> long, add krb5_context - * - * Revision 1.3 1994/09/20 16:25:05 bjaspan - * [secure-admin/2436: API versioning fixes to various admin files] - * [secure-releng/2502: audit secure-admin/2436: random API versioning fixes] - * - * Sandbox: - * - * Unnecessary variable initialization removed. - * - * Revision 1.3 1994/09/12 20:26:39 jik - * Unnecessary variable initialization removed. - * - * Revision 1.2 1994/08/16 18:52:02 jik - * Versioning changes. - * - * Revision 1.1 1993/11/10 23:10:39 bjaspan - * Initial revision - * - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include "client_internal.h" - -kadm5_ret_t kadm5_get_privs(void *server_handle, long *privs) -{ - getprivs_ret *r; - kadm5_server_handle_t handle = server_handle; - - r = get_privs_1(&handle->api_version, handle->clnt); - if (r == NULL) - return KADM5_RPC_ERROR; - else if (r->code == KADM5_OK) - *privs = r->privs; - return r->code; -} diff --git a/src/lib/kadm5/configure.in b/src/lib/kadm5/configure.in index 6466673a8..1f7b16344 100644 --- a/src/lib/kadm5/configure.in +++ b/src/lib/kadm5/configure.in @@ -1,5 +1,7 @@ AC_INIT(configure.in) CONFIG_RULES +AC_CONFIG_SUBDIRS(clnt srv) +DO_SUBDIRS AC_PROG_ARCHIVE AC_PROG_ARCHIVE_ADD AC_PROG_RANLIB @@ -7,40 +9,35 @@ AC_PROG_INSTALL AC_PROG_LEX AC_PROG_AWK AC_CHECK_HEADERS(syslog.h) -AC_REPLACE_FUNCS(setenv) -save_LIBS="$LIBS" -LIBS=-lgen -AC_CHECK_FUNCS(compile step) -[if test "$krb5_cv_func_compile" = true ; then - LIBS="$save_LIBS -lgen" -else - LIBS="$save_LIBS" -fi] -AC_CHECK_FUNCS(re_comp re_exec regcomp regexec openlog syslog closelog strftime vsprintf) +AC_CHECK_FUNCS(openlog syslog closelog strftime vsprintf) V5_SHARED_LIB_OBJS -V5_MAKE_SHARED_LIB(libkadm5srv,1.0,.., ./kadm5,srv) -V5_MAKE_SHARED_LIB(libkadm5clnt,1.0,.., ./kadm5,clnt) -GSSRPC_SH_VERS=$krb5_cv_shlib_version_libgssrpc -AC_SUBST(GSSRPC_SH_VERS) -GSSAPI_KRB5_SH_VERS=$krb5_cv_shlib_version_libgssapi_krb5 -AC_SUBST(GSSAPI_KRB5_SH_VERS) -KDB5_SH_VERS=$krb5_cv_shlib_version_libkdb5 -AC_SUBST(KDB5_SH_VERS) -KRB5_SH_VERS=$krb5_cv_shlib_version_libkrb5 -AC_SUBST(KRB5_SH_VERS) -CRYPTO_SH_VERS=$krb5_cv_shlib_version_libcrypto -AC_SUBST(CRYPTO_SH_VERS) -COMERR_SH_VERS=$krb5_cv_shlib_version_libcom_err -AC_SUBST(COMERR_SH_VERS) -DYN_SH_VERS=$krb5_cv_shlib_version_libdyn -AC_SUBST(DYN_SH_VERS) + +dnl V5_MAKE_SHARED_LIB(libkadm5srv,1.0,.., ./kadm5,srv) +dnl V5_MAKE_SHARED_LIB(libkadm5clnt,1.0,.., ./kadm5,clnt) +dnl GSSRPC_SH_VERS=$krb5_cv_shlib_version_libgssrpc +dnl AC_SUBST(GSSRPC_SH_VERS) +dnl GSSAPI_KRB5_SH_VERS=$krb5_cv_shlib_version_libgssapi_krb5 +dnl AC_SUBST(GSSAPI_KRB5_SH_VERS) +dnl KDB5_SH_VERS=$krb5_cv_shlib_version_libkdb5 +dnl AC_SUBST(KDB5_SH_VERS) +dnl KRB5_SH_VERS=$krb5_cv_shlib_version_libkrb5 +dnl AC_SUBST(KRB5_SH_VERS) +dnl CRYPTO_SH_VERS=$krb5_cv_shlib_version_libcrypto +dnl AC_SUBST(CRYPTO_SH_VERS) +dnl COMERR_SH_VERS=$krb5_cv_shlib_version_libcom_err +dnl AC_SUBST(COMERR_SH_VERS) +dnl DYN_SH_VERS=$krb5_cv_shlib_version_libdyn +dnl AC_SUBST(DYN_SH_VERS) + +SubdirLibraryRule([$(OBJS)]) + CopySrcHeader(adb.h,[$](BUILDTOP)/include/kadm5) CopySrcHeader(admin.h,[$](BUILDTOP)/include/kadm5) CopySrcHeader(admin_internal.h,[$](BUILDTOP)/include/kadm5) CopySrcHeader(admin_xdr.h,[$](BUILDTOP)/include/kadm5) -CopySrcHeader(client_internal.h,[$](BUILDTOP)/include/kadm5) +dnl CopySrcHeader(client_internal.h,[$](BUILDTOP)/include/kadm5) CopySrcHeader(kadm_rpc.h,[$](BUILDTOP)/include/kadm5) -CopySrcHeader(server_acl.h,[$](BUILDTOP)/include/kadm5) +dnl CopySrcHeader(server_acl.h,[$](BUILDTOP)/include/kadm5) CopySrcHeader(server_internal.h,[$](BUILDTOP)/include/kadm5) CopyHeader(adb_err.h,[$](BUILDTOP)/include/kadm5) CopyHeader(chpass_util_strings.h,[$](BUILDTOP)/include/kadm5) diff --git a/src/lib/kadm5/server_acl.c b/src/lib/kadm5/server_acl.c deleted file mode 100644 index 16a7f4e40..000000000 --- a/src/lib/kadm5/server_acl.c +++ /dev/null @@ -1,511 +0,0 @@ -/* - * kadmin/v5server/srv_acl.c - * - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * srv_acl.c - Handle Kerberos ACL related functions. - */ -#include -#include -#include -#include "k5-int.h" -#include "server_acl.h" -#include - -typedef struct _acl_op_table { - char ao_op; - krb5_int32 ao_mask; -} aop_t; - -typedef struct _acl_entry { - struct _acl_entry *ae_next; - char *ae_name; - krb5_boolean ae_name_bad; - krb5_principal ae_principal; - krb5_int32 ae_op_allowed; - char *ae_target; - krb5_boolean ae_target_bad; - krb5_principal ae_target_princ; -} aent_t; - -static const aop_t acl_op_table[] = { - { 'a', ACL_ADD }, - { 'd', ACL_DELETE }, - { 'm', ACL_MODIFY }, - { 'c', ACL_CHANGEPW }, - { 'i', ACL_INQUIRE }, - { 'l', ACL_LIST }, - { 'x', ACL_ALL_MASK }, - { '*', ACL_ALL_MASK }, - { '\0', 0 } -}; - -static aent_t *acl_list_head = (aent_t *) NULL; -static aent_t *acl_list_tail = (aent_t *) NULL; - -static const char *acl_acl_file = (char *) NULL; -static int acl_inited = 0; -static int acl_debug_level = 0; -/* - * This is the catchall entry. If nothing else appropriate is found, or in - * the case where the ACL file is not present, this entry controls what can - * be done. - */ -static const char *acl_catchall_entry = NULL; - -static const char *acl_line2long_msg = "%s: line %d too long, truncated\n"; -static const char *acl_op_bad_msg = "Unrecognized ACL operation '%c' in %s\n"; -static const char *acl_syn_err_msg = "%s: syntax error at line %d <%10s...>\n"; -static const char *acl_cantopen_msg = "\007cannot open ACL file"; - -/* - * acl_get_line() - Get a line from the ACL file. - */ -static char * -acl_get_line(fp, lnp) - FILE *fp; - int *lnp; -{ - int i, domore; - static char acl_buf[BUFSIZ]; - - for (domore = 1; domore && !feof(fp); ) { - /* Copy in the line */ - for (i=0; - ((i - * [ ] - */ - acle = (aent_t *) NULL; - acle_object[0] = '\0'; - nmatch = sscanf(lp, "%s %s %s", acle_principal, acle_ops, acle_object); - if (nmatch >= 2) { - acle = (aent_t *) malloc(sizeof(aent_t)); - if (acle) { - acle->ae_next = (aent_t *) NULL; - acle->ae_op_allowed = (krb5_int32) 0; - acle->ae_target = - (nmatch >= 3) ? strdup(acle_object) : (char *) NULL; - acle->ae_target_bad = 0; - acle->ae_target_princ = (krb5_principal) NULL; - opok = 1; - for (op=acle_ops; *op; op++) { - char rop; - - rop = (isupper(*op)) ? tolower(*op) : *op; - found = 0; - for (t=0; acl_op_table[t].ao_op; t++) { - if (rop == acl_op_table[t].ao_op) { - found = 1; - if (rop == *op) - acle->ae_op_allowed |= acl_op_table[t].ao_mask; - else - acle->ae_op_allowed &= ~acl_op_table[t].ao_mask; - } - } - if (!found) { - fprintf(stderr, acl_op_bad_msg, *op, lp); - opok = 0; - } - } - if (opok) { - acle->ae_name = (char *) malloc(strlen(acle_principal)+1); - if (acle->ae_name) { - strcpy(acle->ae_name, acle_principal); - acle->ae_principal = (krb5_principal) NULL; - acle->ae_name_bad = 0; - DPRINT(DEBUG_ACL, acl_debug_level, - ("A ACL entry %s -> opmask %x\n", - acle->ae_name, acle->ae_op_allowed)); - } - else { - if (acle->ae_target) - free(acle->ae_target); - free(acle); - acle = (aent_t *) NULL; - } - } - else { - if (acle->ae_target) - free(acle->ae_target); - free(acle); - acle = (aent_t *) NULL; - } - } - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X acl_parse_line() = %x\n", (long) acle)); - return(acle); -} - -/* - * acl_free_entries() - Free all ACL entries. - */ -static void -acl_free_entries() -{ - aent_t *ap; - aent_t *np; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_free_entries()\n")); - for (ap=acl_list_head; ap; ap = np) { - if (ap->ae_name) - free(ap->ae_name); - if (ap->ae_principal) - krb5_free_principal((krb5_context) NULL, ap->ae_principal); - if (ap->ae_target) - free(ap->ae_target); - if (ap->ae_target_princ) - krb5_free_principal((krb5_context) NULL, ap->ae_target_princ); - np = ap->ae_next; - free(ap); - } - acl_list_head = acl_list_tail = (aent_t *) NULL; - acl_inited = 0; - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_free_entries()\n")); -} - -/* - * acl_load_acl_file() - Open and parse the ACL file. - */ -static int -acl_load_acl_file() -{ -char tmpbuf[10]; - FILE *afp; - char *alinep; - aent_t **aentpp; - int alineno; - int retval = 1; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_load_acl_file()\n")); - /* Open the ACL file for read */ - if (afp = fopen(acl_acl_file, "r")) { - alineno = 1; - aentpp = &acl_list_head; - - /* Get a non-comment line */ - while (alinep = acl_get_line(afp, &alineno)) { - /* Parse it */ - *aentpp = acl_parse_line(alinep); - /* If syntax error, then fall out */ - if (!*aentpp) { - fprintf(stderr, acl_syn_err_msg, - acl_acl_file, alineno, alinep); - retval = 0; - break; - } - acl_list_tail = *aentpp; - aentpp = &(*aentpp)->ae_next; - } - - if (acl_catchall_entry) { - strcpy(tmpbuf, acl_catchall_entry); - if (*aentpp = acl_parse_line(tmpbuf)) { - acl_list_tail = *aentpp; - } - else { - retval = 0; - DPRINT(DEBUG_OPERATION, acl_debug_level, - ("> catchall acl entry (%s) load failed\n", - acl_catchall_entry)); - } - fclose(afp); - } - } - else { - com_err(acl_acl_file, errno, acl_cantopen_msg); - if (acl_list_head = acl_parse_line(acl_catchall_entry)) { - acl_list_tail = acl_list_head; - } - else { - retval = 0; - DPRINT(DEBUG_OPERATION, acl_debug_level, - ("> catchall acl entry (%s) load failed\n", - acl_catchall_entry)); - } - } - - if (!retval) { - acl_free_entries(); - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X acl_load_acl_file() = %d\n", retval)); - return(retval); -} - -/* - * acl_match_data() - See if two data entries match. - * - * Wildcarding is only supported for a whole component. - */ -static krb5_boolean -acl_match_data(e1, e2) - krb5_data *e1, *e2; -{ - krb5_boolean retval; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_match_entry(%s, %s)\n", e1->data, e2->data)); - retval = 0; - if (!strncmp(e1->data, "*", e1->length) || - !strncmp(e2->data, "*", e2->length)) { - retval = 1; - } - else { - if ((e1->length == e2->length) && - (!strncmp(e1->data, e2->data, e1->length))) - retval = 1; - } - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_match_entry()=%d\n",retval)); - return(retval); -} - -/* - * acl_find_entry() - Find a matching entry. - */ -static aent_t * -acl_find_entry(kcontext, principal, dest_princ) - krb5_context kcontext; - krb5_principal principal; - krb5_principal dest_princ; -{ - aent_t *entry; - krb5_error_code kret; - int i; - int matchgood; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_find_entry()\n")); - for (entry=acl_list_head; entry; entry = entry->ae_next) { - if (!strcmp(entry->ae_name, "*")) { - DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n")); - break; - } - if (!entry->ae_principal && !entry->ae_name_bad) { - kret = krb5_parse_name(kcontext, - entry->ae_name, - &entry->ae_principal); - if (kret) - entry->ae_name_bad = 1; - } - if (entry->ae_name_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("A Bad ACL entry %s\n", entry->ae_name)); - continue; - } - if (entry->ae_target && - !entry->ae_target_princ && - !entry->ae_target_bad) { - kret = krb5_parse_name(kcontext, - entry->ae_target, - &entry->ae_target_princ); - if (kret) - entry->ae_target_bad = 1; - } - if (entry->ae_target_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("A Bad target in an ACL entry for %s\n", entry->ae_name)); - entry->ae_name_bad = 1; - continue; - } - matchgood = 0; - if (acl_match_data(&entry->ae_principal->realm, - &principal->realm) && - (entry->ae_principal->length == principal->length)) { - matchgood = 1; - for (i=0; ilength; i++) { - if (!acl_match_data(&entry->ae_principal->data[i], - &principal->data[i])) { - matchgood = 0; - break; - } - } - } - if (!matchgood) - continue; - - /* We've matched the principal. If we have a target, then try it */ - if (entry->ae_target && entry->ae_target_princ && dest_princ) { - if (acl_match_data(&entry->ae_target_princ->realm, - &dest_princ->realm) && - (entry->ae_target_princ->length == dest_princ->length)) { - for (i=0; ilength; i++) { - if (!acl_match_data(&entry->ae_target_princ->data[i], - &dest_princ->data[i])) { - matchgood = 0; - break; - } - } - } - else - matchgood = 0; - } - - if (matchgood) - break; - } - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_find_entry()=%x\n",entry)); - return(entry); -} - -/* - * acl_init() - Initialize ACL context. - */ -krb5_error_code -acl_init(kcontext, debug_level, acl_file) - krb5_context kcontext; - int debug_level; - char *acl_file; -{ - krb5_error_code kret; - - kret = 0; - acl_debug_level = debug_level; - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_init(afile=%s)\n", - ((acl_file) ? acl_file : "(null)"))); - acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL; - acl_inited = acl_load_acl_file(); - - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_init() = %d\n", kret)); - return(kret); -} - -/* - * acl_finish - Terminate ACL context. - */ -void -acl_finish(kcontext, debug_level) - krb5_context kcontext; - int debug_level; -{ - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_finish()\n")); - acl_free_entries(); - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_finish()\n")); -} - -/* - * acl_op_permitted() - Is this operation permitted for this principal? - * this code used not to be based on gssapi. In order - * to minimize porting hassles, I've put all the - * gssapi hair in this function. This might not be - * the best medium-term solution. (The best long-term - * solution is, of course, a real authorization service.) - */ -krb5_boolean -acl_check(kcontext, caller, opmask, principal) - krb5_context kcontext; - gss_name_t caller; - krb5_int32 opmask; - krb5_principal principal; -{ - krb5_boolean retval; - aent_t *aentry; - gss_buffer_desc caller_buf; - gss_OID caller_oid; - OM_uint32 emaj, emin; - krb5_error_code code; - krb5_principal caller_princ; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n")); - - if (GSS_ERROR(emaj = gss_display_name(&emin, caller, &caller_buf, - &caller_oid))) - return(0); - - code = krb5_parse_name(kcontext, (char *) caller_buf.value, - &caller_princ); - - gss_release_buffer(&emin, &caller_buf); - - if (code) - return(code); - - retval = 0; - if (aentry = acl_find_entry(kcontext, caller_princ, principal)) { - if ((aentry->ae_op_allowed & opmask) == opmask) - retval = 1; - } - - krb5_free_principal(kcontext, caller_princ); - - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n", - retval)); - return(retval); -} - -kadm5_ret_t kadm5_get_privs(void *server_handle, long *privs) -{ - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - /* this is impossible to do with the current interface. For now, - return all privs, which will confuse some clients, but not - deny any access to users of "smart" clients which try to cache */ - - *privs = ~0; - - return KADM5_OK; -} diff --git a/src/lib/kadm5/server_acl.h b/src/lib/kadm5/server_acl.h deleted file mode 100644 index 9dfc8daba..000000000 --- a/src/lib/kadm5/server_acl.h +++ /dev/null @@ -1,81 +0,0 @@ -/* - * kadmin/v5server/kadm5_defs.h - * - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#ifndef SERVER_ACL_H__ -#define SERVER_ACL_H__ - -/* - * Debug definitions. - */ -#define DEBUG_SPROC 1 -#define DEBUG_OPERATION 2 -#define DEBUG_HOST 4 -#define DEBUG_REALM 8 -#define DEBUG_REQUESTS 16 -#define DEBUG_ACL 32 -#define DEBUG_PROTO 64 -#define DEBUG_CALLS 128 -#define DEBUG_NOSLAVES 256 -#ifdef DEBUG -#define DPRINT(l1, cl, al) if ((cl & l1) != 0) xprintf al -#else /* DEBUG */ -#define DPRINT(l1, cl, al) -#endif /* DEBUG */ -#define DLOG(l1, cl, msg) if ((cl & l1) != 0) \ - com_err(programname, 0, msg) - -/* - * Access control bits. - */ -#define ACL_ADD 1 -#define ACL_DELETE 2 -#define ACL_MODIFY 4 -#define ACL_CHANGEPW 8 -/* #define ACL_CHANGE_OWN_PW 16 */ -#define ACL_INQUIRE 32 -/* #define ACL_EXTRACT 64 */ -#define ACL_LIST 128 -#define ACL_RENAME (ACL_ADD+ACL_DELETE) - -#define ACL_ALL_MASK (ACL_ADD | \ - ACL_DELETE | \ - ACL_MODIFY | \ - ACL_CHANGEPW | \ - ACL_INQUIRE | \ - ACL_LIST) - -krb5_error_code acl_init - KRB5_PROTOTYPE((krb5_context, - int, - char *)); -void acl_finish - KRB5_PROTOTYPE((krb5_context, - int)); -krb5_boolean acl_check - KRB5_PROTOTYPE((krb5_context, - gss_name_t, - krb5_int32, - krb5_principal)); - -#endif /* SERVER_ACL_H__ */ diff --git a/src/lib/kadm5/server_dict.c b/src/lib/kadm5/server_dict.c deleted file mode 100644 index 6c0bcef03..000000000 --- a/src/lib/kadm5/server_dict.c +++ /dev/null @@ -1,199 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "server_internal.h" - -static char **word_list = NULL; /* list of word pointers */ -static char *word_block = NULL; /* actual word data */ -static int word_count = 0; /* number of words */ -extern int errno; - -/* - * Function: word_compare - * - * Purpose: compare two words in the dictionary. - * - * Arguments: - * w1 (input) pointer to first word - * w2 (input) pointer to second word - * result of strcmp - * - * Requires: - * w1 and w2 to point to valid memory - * - */ - -static int -word_compare(const void *s1, const void *s2) -{ - return (strcasecmp(*(char **)s1, *(char **)s2)); -} - -/* - * Function: init-dict - * - * Purpose: Initialize in memory word dictionary - * - * Arguments: - * none - * KADM5_OK on sucsess errno on failure; - * (but success on ENOENT) - * - * Requires: - * If WORDFILE exists, it must contain a list of words, - * one word per-line. - * - * Effects: - * If WORDFILE exists, it is read into memory sorted for future - * use. If it does not exist, it syslogs an error message and returns - * success. - * - * Modifies: - * word_list to point to a chunck of allocated memory containing - * pointers to words - * word_block to contain the dictionary. - * - */ - -int init_dict(kadm5_config_params *params) -{ - int fd, - len, - i; - char *p, - *t; - struct stat sb; - - if(word_list != NULL && word_block != NULL) - return KADM5_OK; - if (! (params->mask & KADM5_CONFIG_DICT_FILE)) { - syslog(LOG_INFO, "No dictionary file specified, continuing " - "without one."); - return KADM5_OK; - } - if ((fd = open(params->dict_file, O_RDONLY)) == -1) { - if (errno == ENOENT) { - syslog(LOG_ERR, "WARNING! Cannot find dictionary file %s, " - "continuing without one.", params->dict_file); - return KADM5_OK; - } else - return errno; - } - if (fstat(fd, &sb) == -1) - return errno; - if ((word_block = (char *) malloc(sb.st_size + 1)) == NULL) - return errno; - if (read(fd, word_block, sb.st_size) != sb.st_size) - return errno; - (void) close(fd); - word_block[sb.st_size] = '\0'; - - p = word_block; - len = sb.st_size; - while(len > 0 && (t = memchr(p, '\n', len)) != NULL) { - *t = '\0'; - len -= t - p + 1; - p = t + 1; - word_count++; - } - if ((word_list = (char **) malloc(word_count * sizeof(char *))) == NULL) - return errno; - p = word_block; - for (i = 0; i < word_count; i++) { - word_list[i] = p; - p += strlen(p) + 1; - } - qsort(word_list, word_count, sizeof(char *), word_compare); - return KADM5_OK; -} - -/* - * Function: find_word - * - * Purpose: See if the specified word exists in the in-core dictionary - * - * Arguments: - * word (input) word to search for. - * WORD_NOT_FOUND if not in dictionary, - * KADM5_OK if if found word - * errno if init needs to be called and returns an - * error - * - * Requires: - * word to be a null terminated string. - * That word_list and word_block besetup - * - * Effects: - * finds word in dictionary. - * Modifies: - * nothing. - * - */ - -int -find_word(const char *word) -{ - char **value; - - if(word_list == NULL || word_block == NULL) - return WORD_NOT_FOUND; - if ((value = (char **) bsearch(&word, word_list, word_count, sizeof(char *), - word_compare)) == NULL) - return WORD_NOT_FOUND; - else - return KADM5_OK; -} - -/* - * Function: destroy_dict - * - * Purpose: destroy in-core copy of dictionary. - * - * Arguments: - * none - * none - * Requires: - * nothing - * Effects: - * frees up memory occupied by word_list and word_block - * sets count back to 0, and resets the pointers to NULL - * - * Modifies: - * word_list, word_block, and word_count. - * - */ - -void -destroy_dict(void) -{ - if(word_list) { - free(word_list); - word_list = NULL; - } - if(word_block) { - free(word_block); - word_block = NULL; - } - if(word_count) - word_count = 0; - return; -} diff --git a/src/lib/kadm5/server_handle.c b/src/lib/kadm5/server_handle.c deleted file mode 100644 index 53abe94dd..000000000 --- a/src/lib/kadm5/server_handle.c +++ /dev/null @@ -1,9 +0,0 @@ -#include -#include -#include "server_internal.h" - -int _kadm5_check_handle(void *handle) -{ - CHECK_HANDLE(handle); - return 0; -} diff --git a/src/lib/kadm5/server_init.c b/src/lib/kadm5/server_init.c deleted file mode 100644 index 653f6d896..000000000 --- a/src/lib/kadm5/server_init.c +++ /dev/null @@ -1,330 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. - * - * $Id$ - * $Source$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include -#include -#include "server_internal.h" - -/* - * Function check_handle - * - * Purpose: Check a server handle and return a com_err code if it is - * invalid or 0 if it is valid. - * - * Arguments: - * - * handle The server handle. - */ - -static int check_handle(void *handle) -{ - CHECK_HANDLE(handle); - return 0; -} - -kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - return kadm5_init(client_name, pass, service_name, params, - struct_version, api_version, - server_handle); -} - -kadm5_ret_t kadm5_init_with_creds(char *client_name, - krb5_ccache ccache, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - /* - * A program calling init_with_creds *never* expects to prompt the - * user. Therefore, always pass a dummy password in case this is - * KADM5_API_VERSION_1. If this is KADM5_API_VERSION_2 and - * MKEY_FROM_KBD is non-zero, return an error. - */ - if (api_version == KADM5_API_VERSION_2 && params && - (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && - params->mkey_from_kbd) - return KADM5_BAD_SERVER_PARAMS; - return kadm5_init(client_name, NULL, service_name, params, - struct_version, api_version, - server_handle); -} - - -kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - /* - * A program calling init_with_skey *never* expects to prompt the - * user. Therefore, always pass a dummy password in case this is - * KADM5_API_VERSION_1. If this is KADM5_API_VERSION_2 and - * MKEY_FROM_KBD is non-zero, return an error. - */ - if (api_version == KADM5_API_VERSION_2 && params && - (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && - params->mkey_from_kbd) - return KADM5_BAD_SERVER_PARAMS; - return kadm5_init(client_name, NULL, service_name, params, - struct_version, api_version, - server_handle); -} - -kadm5_ret_t kadm5_init(char *client_name, char *pass, - char *service_name, - kadm5_config_params *params_in, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) -{ - int ret; - kadm5_server_handle_t handle; - kadm5_config_params params_local; /* for v1 compat */ - - if (! server_handle) - return EINVAL; - - if (! client_name) - return EINVAL; - - if (! (handle = (kadm5_server_handle_t) malloc(sizeof *handle))) - return ENOMEM; - memset(handle, 0, sizeof(*handle)); - - if (ret = (int) krb5_init_context(&(handle->context))) { - free(handle); - return(ret); - } - - initialize_ovk_error_table(); - initialize_adb_error_table(); - initialize_ovku_error_table(); - krb5_init_ets(handle->context); - - handle->magic_number = KADM5_SERVER_HANDLE_MAGIC; - handle->struct_version = struct_version; - handle->api_version = api_version; - - /* - * Verify the version numbers before proceeding; we can't use - * CHECK_HANDLE because not all fields are set yet. - */ - GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION, - KADM5_NEW_SERVER_API_VERSION); - - /* - * Acquire relevant profile entries. In version 2, merge values - * in params_in with values from profile, based on - * params_in->mask. - * - * In version 1, we've given a realm (which may be NULL) instead - * of params_in. So use that realm, make params_in contain an - * empty mask, and behave like version 2. - */ - memset((char *) ¶ms_local, 0, sizeof(params_local)); - if (api_version == KADM5_API_VERSION_1) { - params_local.realm = (char *) params_in; - if (params_in) - params_local.mask = KADM5_CONFIG_REALM; - params_in = ¶ms_local; - } - -#define ILLEGAL_PARAMS (KADM5_CONFIG_ADMIN_SERVER) - if (params_in && (params_in->mask & ILLEGAL_PARAMS)) { - krb5_free_context(handle->context); - free(handle); - return KADM5_BAD_SERVER_PARAMS; - } - - if (ret = kadm5_get_config_params(handle->context, - (char *) NULL, - (char *) NULL, - params_in, - &handle->params)) { - krb5_free_context(handle->context); - free(handle); - return(ret); - } - -#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_DBNAME | \ - KADM5_CONFIG_ADBNAME | \ - KADM5_CONFIG_ADB_LOCKFILE | \ - KADM5_CONFIG_ENCTYPE | \ - KADM5_CONFIG_FLAGS | \ - KADM5_CONFIG_MAX_LIFE | KADM5_CONFIG_MAX_RLIFE | \ - KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_ENCTYPES) - - if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { - krb5_free_context(handle->context); - free(handle); - return KRB5_CONFIG_BADFORMAT; - } - - /* - * Set the db_name based on configuration before calling - * krb5_db_init, so it will get used. - */ - if (ret = krb5_dbm_db_set_name(handle->context, - handle->params.dbname)) { - free(handle); - return(ret); - } - - if (ret = krb5_db_init(handle->context)) { - krb5_free_context(handle->context); - free(handle); - return(ret); - } - - if ((ret = krb5_parse_name(handle->context, client_name, - &handle->current_caller))) { - krb5_db_fini(handle->context); - krb5_free_context(handle->context); - free(handle); - return ret; - } - - if (! (handle->lhandle = malloc(sizeof(*handle)))) { - krb5_db_fini(handle->context); - krb5_free_context(handle->context); - free(handle); - return ENOMEM; - } - *handle->lhandle = *handle; - handle->lhandle->api_version = KADM5_API_VERSION_2; - handle->lhandle->struct_version = KADM5_STRUCT_VERSION; - handle->lhandle->lhandle = handle->lhandle; - - /* can't check the handle until current_caller is set */ - if (ret = check_handle((void *) handle)) { - free(handle); - return ret; - } - - /* - * The KADM5_API_VERSION_1 spec said "If pass (or keytab) is NULL - * or an empty string, reads the master password from [the stash - * file]. Otherwise, the non-NULL password is ignored and the - * user is prompted for it via the tty." However, the code was - * implemented the other way: when a non-NULL password was - * provided, the stash file was used. This is somewhat more - * sensible, as then a local or remote client that provides a - * password does not prompt the user. This code maintains the - * previous actual behavior, and not the old spec behavior, - * because that is how the unit tests are written. - * - * In KADM5_API_VERSION_2, this decision is controlled by - * params. - * - * kdb_init_master's third argument is "from_keyboard". - */ - if (ret = kdb_init_master(handle, handle->params.realm, - (handle->api_version == KADM5_API_VERSION_1 ? - ((pass == NULL) || !(strlen(pass))) : - ((handle->params.mask & - KADM5_CONFIG_MKEY_FROM_KBD) && - handle->params.mkey_from_kbd)) - )) { - krb5_db_fini(handle->context); - krb5_free_context(handle->context); - free(handle); - return ret; - } - - if ((ret = kdb_init_hist(handle, handle->params.realm))) { - krb5_db_fini(handle->context); - krb5_free_context(handle->context); - free(handle); - return ret; - } - - if (ret = init_dict(&handle->params)) { - krb5_db_fini(handle->context); - krb5_free_principal(handle->context, handle->current_caller); - krb5_free_context(handle->context); - free(handle); - return ret; - } - - if (ret = adb_policy_init(handle)) { - krb5_db_fini(handle->context); - krb5_free_principal(handle->context, handle->current_caller); - krb5_free_context(handle->context); - free(handle); - return ret; - } - handle->lhandle->policy_db = handle->policy_db; - - *server_handle = (void *) handle; - - return KADM5_OK; -} - -kadm5_ret_t kadm5_destroy(void *server_handle) -{ - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - destroy_dict(); - - adb_policy_close(handle); - krb5_db_fini(handle->context); - krb5_free_principal(handle->context, handle->current_caller); - krb5_free_context(handle->context); - handle->magic_number = 0; - free(handle->lhandle); - free(handle); - - return KADM5_OK; -} - -kadm5_ret_t kadm5_flush(void *server_handle) -{ - kadm5_server_handle_t handle = server_handle; - kadm5_ret_t ret; - - CHECK_HANDLE(server_handle); - - if ((ret = krb5_db_fini(handle->context)) || - /* - * Set the db_name based on configuration before calling - * krb5_db_init, so it will get used. - */ - (ret = krb5_dbm_db_set_name(handle->context, - handle->params.dbname)) || - (ret = krb5_db_init(handle->context)) || - (ret = adb_policy_close(handle)) || - (ret = adb_policy_init(handle))) { - (void) kadm5_destroy(server_handle); - return ret; - } - return KADM5_OK; -} - -int _kadm5_check_handle(void *handle) -{ - CHECK_HANDLE(handle); - return 0; -} diff --git a/src/lib/kadm5/server_kdb.c b/src/lib/kadm5/server_kdb.c deleted file mode 100644 index 1a900a380..000000000 --- a/src/lib/kadm5/server_kdb.c +++ /dev/null @@ -1,424 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include "k5-int.h" -#include -#include "server_internal.h" - -krb5_principal master_princ; -krb5_encrypt_block master_encblock; -krb5_keyblock master_keyblock; -krb5_db_entry master_db; - -krb5_principal hist_princ; -krb5_encrypt_block hist_encblock; -krb5_keyblock hist_key; -krb5_db_entry hist_db; -krb5_kvno hist_kvno; - -/* much of this code is stolen from the kdc. there should be some - library code to deal with this. */ - -krb5_error_code kdb_init_master(kadm5_server_handle_t handle, - char *r, int from_keyboard) -{ - int ret = 0; - char *realm; - krb5_keyblock tmk; - - if (r == NULL) { - if ((ret = krb5_get_default_realm(handle->context, &realm))) - return ret; - } else { - realm = r; - } - - if ((ret = krb5_db_setup_mkey_name(handle->context, - handle->params.mkey_name, - realm, NULL, &master_princ))) - goto done; - - master_keyblock.enctype = handle->params.enctype; - - krb5_use_enctype(handle->context, &master_encblock, - master_keyblock.enctype); - - if (ret = krb5_db_fetch_mkey(handle->context, master_princ, - &master_encblock, from_keyboard, - FALSE /* only prompt once */, - handle->params.stash_file, - NULL /* I'm not sure about this, - but it's what the kdc does --marc */, - &master_keyblock)) - goto done; - - if ((ret = krb5_db_init(handle->context)) != KSUCCESS) - goto done; - - if ((ret = krb5_db_verify_master_key(handle->context, master_princ, - &master_keyblock, - &master_encblock))) { - krb5_db_fini(handle->context); - return ret; - } - - /* the kdc gets the db mkvno here. The admin server never uses this - bit of information, so there's no reason to retrieve it. */ - - if ((ret = krb5_process_key(handle->context, &master_encblock, - &master_keyblock))) { - krb5_db_fini(handle->context); - goto done; - } - -done: - if (r == NULL) - free(realm); - - return(ret); -} - -/* - * Function: kdb_init_hist - * - * Purpose: Initializes the global history variables. - * - * Arguments: - * - * handle (r) kadm5 api server handle - * r (r) realm of history principal to use, or NULL - * - * Effects: This function sets the value of the following global - * variables: - * - * hist_princ krb5_principal holding the history principal - * hist_db krb5_db_entry of the history principal - * hist_key krb5_keyblock holding the history principal's key - * hist_encblock krb5_encrypt_block holding the procssed hist_key - * hist_kvno the version number of the history key - * - * If the history principal does not already exist, this function - * attempts to create it with kadm5_create_principal. WARNING! - * If the history principal is deleted and this function is executed - * (by kadmind, or kadmin.local, or anything else with permission), - * the principal will be assigned a new random key and all existing - * password history information will become useless. - */ -krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) -{ - int ret = 0; - char *realm, *hist_name; - krb5_key_data *key_data; - - if (r == NULL) { - if ((ret = krb5_get_default_realm(handle->context, &realm))) - return ret; - } else { - realm = r; - } - - if ((hist_name = (char *) malloc(strlen(KADM5_HIST_PRINCIPAL) + - strlen(realm) + 2)) == NULL) - goto done; - - (void) sprintf(hist_name, "%s@%s", KADM5_HIST_PRINCIPAL, realm); - - if ((ret = krb5_parse_name(handle->context, hist_name, &hist_princ))) - goto done; - - if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL))) { - kadm5_principal_ent_rec ent; - - if (ret != KADM5_UNK_PRINC) - goto done; - - /* try to create the principal */ - - memset(&ent, 0, sizeof(ent)); - - ent.principal = hist_princ; - ent.max_life = KRB5_KDB_DISALLOW_ALL_TIX; - ent.attributes = 0; - - /* this uses hist_kvno. So we set it to 2, which will be the - correct value once the principal is created and randomized. - Of course, it doesn't make sense to keep a history for the - history principal, anyway. */ - - hist_kvno = 2; - - if (ret = kadm5_create_principal(handle, &ent, - (KADM5_PRINCIPAL | - KADM5_MAX_LIFE | - KADM5_ATTRIBUTES), - "to-be-random")) - goto done; - - /* this won't let us randomize the hist_princ. So we cheat. */ - - hist_princ = NULL; - - ret = kadm5_randkey_principal(handle, ent.principal, NULL, NULL); - - hist_princ = ent.principal; - - if (ret) - goto done; - - /* now read the newly-created kdb record out of the - database. */ - - if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL))) - goto done; - - } - - if (ret = krb5_dbe_find_enctype(handle->context, - &hist_db, - handle->params.enctype, - -1, - -1, - &key_data)) - goto done; - - if (ret = krb5_dbekd_decrypt_key_data(handle->context, &master_encblock, - key_data, &hist_key, NULL)) - goto done; - - krb5_use_enctype(handle->context, &hist_encblock, hist_key.enctype); - - if ((ret = krb5_process_key(handle->context, &hist_encblock, - &hist_key)) != KSUCCESS) - goto done; - - hist_kvno = key_data->key_data_kvno; - -done: - free(hist_name); - if (r == NULL) - free(realm); - return ret; -} - -/* - * Function: kdb_get_entry - * - * Purpose: Gets an entry from the kerberos database and breaks - * it out into a krb5_db_entry and an osa_princ_ent_t. - * - * Arguments: - * - * handle (r) the server_handle - * principal (r) the principal to get - * kdb (w) krb5_db_entry to fill in - * adb (w) osa_princ_ent_rec to fill in - * - * when the caller is done with kdb and adb, kdb_free_entry must be - * called to release them. The adb record is filled in with the - * contents of the KRB5_TL_KADM_DATA record; if that record doesn't - * exist, an empty but valid adb record is returned. - */ -krb5_error_code -kdb_get_entry(kadm5_server_handle_t handle, - krb5_principal principal, krb5_db_entry *kdb, - osa_princ_ent_rec *adb) -{ - krb5_error_code ret; - int nprincs; - krb5_boolean more; - krb5_tl_data tl_data; - XDR xdrs; - - if (ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs, - &more)) - return(ret); - - if (more) { - krb5_db_free_principal(handle->context, kdb, nprincs); - return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); - } else if (nprincs != 1) { - krb5_db_free_principal(handle->context, kdb, nprincs); - return(KADM5_UNK_PRINC); - } - - if (adb) { - memset(adb, 0, sizeof(*adb)); - - tl_data.tl_data_type = KRB5_TL_KADM_DATA; - /* - * XXX Currently, lookup_tl_data always returns zero; it sets - * tl_data->tl_data_length to zero if the type isn't found. - * This should be fixed... - */ - if ((ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data)) - || (tl_data.tl_data_length == 0)) { - /* there's no admin data. this can happen, if the admin - server is put into production after some principals - are created. In this case, return valid admin - data (which is all zeros with the hist_kvno filled - in), and when the entry is written, the admin - data will get stored correctly. */ - - adb->admin_history_kvno = hist_kvno; - - return(ret); - } - - xdrmem_create(&xdrs, tl_data.tl_data_contents, - tl_data.tl_data_length, XDR_DECODE); - if (! xdr_osa_princ_ent_rec(&xdrs, adb)) { - xdr_destroy(&xdrs); - krb5_db_free_principal(handle->context, kdb, 1); - return(OSA_ADB_XDR_FAILURE); - } - xdr_destroy(&xdrs); - } - - return(0); -} - -/* - * Function: kdb_free_entry - * - * Purpose: frees the resources allocated by kdb_get_entry - * - * Arguments: - * - * handle (r) the server_handle - * kdb (w) krb5_db_entry to fill in - * adb (w) osa_princ_ent_rec to fill in - * - * when the caller is done with kdb and adb, kdb_free_entry must be - * called to release them. - */ - -krb5_error_code -kdb_free_entry(kadm5_server_handle_t handle, - krb5_db_entry *kdb, osa_princ_ent_rec *adb) -{ - XDR xdrs; - - - if (kdb) - krb5_db_free_principal(handle->context, kdb, 1); - - if (adb) { - xdrmem_create(&xdrs, NULL, 0, XDR_FREE); - xdr_osa_princ_ent_rec(&xdrs, adb); - xdr_destroy(&xdrs); - } - - return(0); -} - -/* - * Function: kdb_put_entry - * - * Purpose: Stores the osa_princ_ent_t and krb5_db_entry into to - * database. - * - * Arguments: - * - * handle (r) the server_handle - * kdb (r/w) the krb5_db_entry to store - * adb (r) the osa_princ_db_ent to store - * - * Effects: - * - * The last modifier field of the kdb is set to the caller at now. - * adb is encoded with xdr_osa_princ_ent_ret and stored in kbd as - * KRB5_TL_KADM_DATA. kdb is then written to the database. - */ -krb5_error_code -kdb_put_entry(kadm5_server_handle_t handle, - krb5_db_entry *kdb, osa_princ_ent_rec *adb) -{ - krb5_error_code ret; - krb5_int32 now; - XDR xdrs; - krb5_tl_data tl_data; - int one; - - if (ret = krb5_timeofday(handle->context, &now)) - return(ret); - - if (ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now, - handle->current_caller)) - return(ret); - - xdralloc_create(&xdrs, XDR_ENCODE); - if(! xdr_osa_princ_ent_rec(&xdrs, adb)) { - xdr_destroy(&xdrs); - return(OSA_ADB_XDR_FAILURE); - } - tl_data.tl_data_type = KRB5_TL_KADM_DATA; - tl_data.tl_data_length = xdr_getpos(&xdrs); - tl_data.tl_data_contents = xdralloc_getdata(&xdrs); - - ret = krb5_dbe_update_tl_data(handle->context, kdb, &tl_data); - - xdr_destroy(&xdrs); - - if (ret) - return(ret); - - one = 1; - - if (ret = krb5_db_put_principal(handle->context, kdb, &one)) - return(ret); - - return(0); -} - -krb5_error_code -kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name) -{ - int one = 1; - krb5_error_code ret; - - ret = krb5_db_delete_principal(handle->context, name, &one); - - return ret; -} - -typedef struct _iter_data { - void (*func)(void *, krb5_principal); - void *data; -} iter_data; - -static krb5_error_code -kdb_iter_func(krb5_pointer data, krb5_db_entry *kdb) -{ - iter_data *id = (iter_data *) data; - - (*(id->func))(id->data, kdb->princ); - - return(0); -} - -krb5_error_code -kdb_iter_entry(kadm5_server_handle_t handle, - void (*iter_fct)(void *, krb5_principal), void *data) -{ - iter_data id; - krb5_error_code ret; - - id.func = iter_fct; - id.data = data; - - if (ret = krb5_db_iterate(handle->context, kdb_iter_func, &id)) - return(ret); - - return(0); -} - - diff --git a/src/lib/kadm5/server_misc.c b/src/lib/kadm5/server_misc.c deleted file mode 100644 index 24f101ce5..000000000 --- a/src/lib/kadm5/server_misc.c +++ /dev/null @@ -1,101 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include "k5-int.h" -#include -#include -#include "adb.h" - -/* for strcasecmp */ -#include - -#include "server_internal.h" - -kadm5_ret_t -adb_policy_init(kadm5_server_handle_t handle) -{ - osa_adb_ret_t ret; - if(handle->policy_db == (osa_adb_policy_t) NULL) - if((ret = osa_adb_open_policy(&handle->policy_db, - &handle->params)) != OSA_ADB_OK) - return ret; - return KADM5_OK; -} - -kadm5_ret_t -adb_policy_close(kadm5_server_handle_t handle) -{ - osa_adb_ret_t ret; - if(handle->policy_db != (osa_adb_policy_t) NULL) - if((ret = osa_adb_close_policy(handle->policy_db)) != OSA_ADB_OK) - return ret; - handle->policy_db = NULL; - return KADM5_OK; -} - -/* some of this is stolen from gatekeeper ... */ -kadm5_ret_t -passwd_check(kadm5_server_handle_t handle, - char *password, int use_policy, kadm5_policy_ent_t pol, - krb5_principal principal) -{ - int nupper = 0, - nlower = 0, - ndigit = 0, - npunct = 0, - nspec = 0; - char c, *s; - - if(use_policy) { - if(strlen(password) < pol->pw_min_length) - return KADM5_PASS_Q_TOOSHORT; - s = password; - while ((c = *s++)) { - if (islower(c)) { - nlower = 1; - continue; - } - else if (isupper(c)) { - nupper = 1; - continue; - } else if (isdigit(c)) { - ndigit = 1; - continue; - } else if (ispunct(c)) { - npunct = 1; - continue; - } else { - nspec = 1; - continue; - } - } - if ((nupper + nlower + ndigit + npunct + nspec) < pol->pw_min_classes) - return KADM5_PASS_Q_CLASS; - if((find_word(password) == KADM5_OK)) - return KADM5_PASS_Q_DICT; - else { - char *cp; - int c, n = krb5_princ_size(handle->context, principal); - cp = krb5_princ_realm(handle->context, principal)->data; - if (strcasecmp(cp, password) == 0) - return KADM5_PASS_Q_DICT; - for (c = 0; c < n ; c++) { - cp = krb5_princ_component(handle->context, principal, c)->data; - if (strcasecmp(cp, password) == 0) - return KADM5_PASS_Q_DICT; - } - return KADM5_OK; - } - } else { - if (strlen(password) < 1) - return KADM5_PASS_Q_TOOSHORT; - } - return KADM5_OK; -} diff --git a/src/lib/kadm5/svr_chpass_util.c b/src/lib/kadm5/svr_chpass_util.c deleted file mode 100644 index df2bf4c47..000000000 --- a/src/lib/kadm5/svr_chpass_util.c +++ /dev/null @@ -1,15 +0,0 @@ -#include -#include "server_internal.h" - -kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, - krb5_principal princ, - char *new_pw, - char **ret_pw, - char *msg_ret) -{ - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - return _kadm5_chpass_principal_util(handle, handle->lhandle, princ, - new_pw, ret_pw, msg_ret); -} diff --git a/src/lib/kadm5/svr_iters.c b/src/lib/kadm5/svr_iters.c deleted file mode 100644 index 19c900021..000000000 --- a/src/lib/kadm5/svr_iters.c +++ /dev/null @@ -1,248 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#if defined(HAVE_COMPILE) && defined(HAVE_STEP) -#define SOLARIS_REGEXPS -#elif defined(HAVE_REGCOMP) && defined(HAVE_REGEXEC) -#define POSIX_REGEXPS -#elif defined(HAVE_RE_COMP) && defined(HAVE_RE_EXEC) -#define BSD_REGEXPS -#else -#error I cannot find any regexp functions -#endif - -#include -#include -#include -#include "adb.h" -#include -#ifdef SOLARIS_REGEXPS -#include -#endif -#ifdef POSIX_REGEXPS -#include -#endif -#include - -#include "server_internal.h" - -struct iter_data { - krb5_context context; - DynObject matches; - char *exp; -#ifdef SOLARIS_REGEXPS - char *expbuf; -#endif -#ifdef POSIX_REGEXPS - regex_t preg; -#endif -}; - -/* - * Function: glob_to_regexp - * - * Arguments: - * - * glob (r) the shell-style glob (?*[]) to convert - * realm (r) the default realm to append, or NULL - * regexp (w) the ed-style regexp created from glob - * - * Effects: - * - * regexp is filled in with allocated memory contained a regular - * expression to be used with re_comp/compile that matches what the - * shell-style glob would match. If glob does not contain an "@" - * character and realm is not NULL, "@" is appended to the regexp. - * - * Conversion algorithm: - * - * quoted characters are copied quoted - * ? is converted to . - * * is converted to .* - * active characters are quoted: ^, $, . - * [ and ] are active but supported and have the same meaning, so - * they are copied - * other characters are copied - * regexp is anchored with ^ and $ - */ -kadm5_ret_t glob_to_regexp(char *glob, char *realm, char **regexp) -{ - int append_realm; - char *p; - - /* validate the glob */ - if (glob[strlen(glob)-1] == '\\') - return EINVAL; - - /* A character of glob can turn into two in regexp, plus ^ and $ */ - /* and trailing null. If glob has no @, also allocate space for */ - /* the realm. */ - append_realm = (realm != NULL) && (strchr(glob, '@') == NULL); - p = (char *) malloc(strlen(glob)*2+ 3 + - (append_realm ? (strlen(realm)+1) : 0)); - if (p == NULL) - return ENOMEM; - *regexp = p; - - *p++ = '^'; - while (*glob) { - switch (*glob) { - case '?': - *p++ = '.'; - break; - case '*': - *p++ = '.'; - *p++ = '*'; - break; - case '.': - case '^': - case '$': - *p++ = '\\'; - *p++ = *glob; - break; - case '\\': - *p++ = '\\'; - *p++ = ++*glob; - break; - default: - *p++ = *glob; - break; - } - glob++; - } - - if (append_realm) { - *p++ = '@'; - strcpy(p, realm); - p += strlen(realm); - } - - *p++ = '$'; - *p++ = '\0'; - return KADM5_OK; -} - -void get_either_iter(struct iter_data *data, char *name) -{ - if ( -#ifdef SOLARIS_REGEXPS - (step(name, data->expbuf) != 0) -#endif -#ifdef POSIX_REGEXPS - (regexec(&data->preg, name, 0, NULL, 0) == 0) -#endif -#ifdef BSD_REGEXPS - (re_exec(name) != 0) -#endif - ) - { - (void) DynAdd(data->matches, &name); - } else - free(name); -} - -void get_pols_iter(void *data, osa_policy_ent_t entry) -{ - char *name; - - if ((name = strdup(entry->name)) == NULL) - return; - get_either_iter(data, name); -} - -void get_princs_iter(void *data, krb5_principal princ) -{ - struct iter_data *id = (struct iter_data *) data; - char *name; - - if (krb5_unparse_name(id->context, princ, &name) != 0) - return; - get_either_iter(data, name); -} - -kadm5_ret_t kadm5_get_either(int princ, - void *server_handle, - char *exp, - char ***princs, - int *count) -{ - struct iter_data data; - char *msg, *regexp; - int ret; - kadm5_server_handle_t handle = server_handle; - - *count = 0; - if (exp == NULL) - exp = "*"; - - CHECK_HANDLE(server_handle); - - if ((ret = glob_to_regexp(exp, princ ? handle->params.realm : NULL, - ®exp)) != KADM5_OK) - return ret; - - if ( -#ifdef SOLARIS_REGEXPS - ((data.expbuf = compile(regexp, NULL, NULL)) == NULL) -#endif -#ifdef POSIX_REGEXPS - ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0) -#endif -#ifdef BSD_REGEXPS - ((msg = (char *) re_comp(regexp)) != NULL) -#endif - ) - { - /* XXX syslog msg or regerr(regerrno) */ - free(regexp); - return EINVAL; - } - - if ((data.matches = DynCreate(sizeof(char *), -4)) == NULL) { - free(regexp); - return ENOMEM; - } - - if (princ) { - data.context = handle->context; - ret = kdb_iter_entry(handle, get_princs_iter, (void *) &data); - } else { - ret = osa_adb_iter_policy(handle->policy_db, get_pols_iter, (void *)&data); - } - - if (ret != OSA_ADB_OK) { - free(regexp); - DynDestroy(data.matches); - return ret; - } - - (*princs) = (char **) DynArray(data.matches); - *count = DynSize(data.matches); - DynRelease(data.matches); - free(regexp); - return KADM5_OK; -} - -kadm5_ret_t kadm5_get_principals(void *server_handle, - char *exp, - char ***princs, - int *count) -{ - return kadm5_get_either(1, server_handle, exp, princs, count); -} - -kadm5_ret_t kadm5_get_policies(void *server_handle, - char *exp, - char ***pols, - int *count) -{ - return kadm5_get_either(0, server_handle, exp, pols, count); -} - diff --git a/src/lib/kadm5/svr_misc_free.c b/src/lib/kadm5/svr_misc_free.c deleted file mode 100644 index 5c76a1ebc..000000000 --- a/src/lib/kadm5/svr_misc_free.c +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - * - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif -#include -#include -#include "server_internal.h" - -kadm5_ret_t -kadm5_free_principal_ent(void *server_handle, - kadm5_principal_ent_t val) -{ - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - if(val) { - if(val->principal) - krb5_free_principal(handle->context, val->principal); - if(val->mod_name) - krb5_free_principal(handle->context, val->mod_name); - if(val->policy) - free(val->policy); - - /* XXX free key_data and tl_data */ - - if (handle->api_version == KADM5_API_VERSION_1) - free(val); - } - return KADM5_OK; -} diff --git a/src/lib/kadm5/svr_policy.c b/src/lib/kadm5/svr_policy.c deleted file mode 100644 index 74e252115..000000000 --- a/src/lib/kadm5/svr_policy.c +++ /dev/null @@ -1,315 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include "adb.h" -#include "server_internal.h" -#include - -#define MAX_PW_HISTORY 10 -#define MIN_PW_HISTORY 1 -#define MIN_PW_CLASSES 1 -#define MAX_PW_CLASSES 5 -#define MIN_PW_LENGTH 1 - -/* - * Function: kadm5_create_policy - * - * Purpose: Create Policies in the policy DB. - * - * Arguments: - * entry (input) The policy entry to be written out to the DB. - * mask (input) Specifies which fields in entry are to ge written out - * and which get default values. - * 0 if sucsessfull otherwise an error code is returned. - * - * Requires: - * Entry must be a valid principal entry, and mask have a valid value. - * - * Effects: - * Verifies that mask does not specify that the refcount should - * be set as part of the creation, and calls - * kadm5_create_policy_internal. If the refcount *is* - * specified, returns KADM5_BAD_MASK. - */ - -kadm5_ret_t -kadm5_create_policy(void *server_handle, - kadm5_policy_ent_t entry, long mask) -{ - CHECK_HANDLE(server_handle); - - if (mask & KADM5_REF_COUNT) - return KADM5_BAD_MASK; - else - return kadm5_create_policy_internal(server_handle, entry, mask); -} - -/* - * Function: kadm5_create_policy_internal - * - * Purpose: Create Policies in the policy DB. - * - * Arguments: - * entry (input) The policy entry to be written out to the DB. - * mask (input) Specifies which fields in entry are to ge written out - * and which get default values. - * 0 if sucsessfull otherwise an error code is returned. - * - * Requires: - * Entry must be a valid principal entry, and mask have a valid value. - * - * Effects: - * Writes the data to the database, and does a database sync if - * sucsessfull. - * - */ - -kadm5_ret_t -kadm5_create_policy_internal(void *server_handle, - kadm5_policy_ent_t entry, long mask) -{ - kadm5_server_handle_t handle = server_handle; - osa_policy_ent_rec pent; - int ret; - char *p; - - CHECK_HANDLE(server_handle); - - if ((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL)) - return EINVAL; - if(strlen(entry->policy) == 0) - return KADM5_BAD_POLICY; - if (!(mask & KADM5_POLICY)) - return KADM5_BAD_MASK; - - pent.name = entry->policy; - p = entry->policy; - while(*p != '\0') { - if(*p < ' ' || *p > '~') - return KADM5_BAD_POLICY; - else - p++; - } - if (!(mask & KADM5_PW_MAX_LIFE)) - pent.pw_max_life = 0; - else - pent.pw_max_life = entry->pw_max_life; - if (!(mask & KADM5_PW_MIN_LIFE)) - pent.pw_min_life = 0; - else { - if((mask & KADM5_PW_MAX_LIFE)) { - if(entry->pw_min_life > entry->pw_max_life && entry->pw_max_life != 0) - return KADM5_BAD_MIN_PASS_LIFE; - } - pent.pw_min_life = entry->pw_min_life; - } - if (!(mask & KADM5_PW_MIN_LENGTH)) - pent.pw_min_length = MIN_PW_LENGTH; - else { - if(entry->pw_min_length < MIN_PW_LENGTH) - return KADM5_BAD_LENGTH; - pent.pw_min_length = entry->pw_min_length; - } - if (!(mask & KADM5_PW_MIN_CLASSES)) - pent.pw_min_classes = MIN_PW_CLASSES; - else { - if(entry->pw_min_classes > MAX_PW_CLASSES || entry->pw_min_classes < MIN_PW_CLASSES) - return KADM5_BAD_CLASS; - pent.pw_min_classes = entry->pw_min_classes; - } - if (!(mask & KADM5_PW_HISTORY_NUM)) - pent.pw_history_num = MIN_PW_HISTORY; - else { - if(entry->pw_history_num < MIN_PW_HISTORY || - entry->pw_history_num > MAX_PW_HISTORY) - return KADM5_BAD_HISTORY; - else - pent.pw_history_num = entry->pw_history_num; - } - if (!(mask & KADM5_REF_COUNT)) - pent.policy_refcnt = 0; - else - pent.policy_refcnt = entry->policy_refcnt; - if ((ret = osa_adb_create_policy(handle->policy_db, &pent)) == OSA_ADB_OK) - return KADM5_OK; - else - return ret; -} - -kadm5_ret_t -kadm5_delete_policy(void *server_handle, kadm5_policy_t name) -{ - kadm5_server_handle_t handle = server_handle; - osa_policy_ent_t entry; - int ret; - - CHECK_HANDLE(server_handle); - - if(name == (kadm5_policy_t) NULL) - return EINVAL; - if(strlen(name) == 0) - return KADM5_BAD_POLICY; - if ((ret = osa_adb_get_policy(handle->policy_db, name, &entry)) != OSA_ADB_OK) - return ret; - if(entry->policy_refcnt != 0) { - osa_free_policy_ent(entry); - return KADM5_POLICY_REF; - } - osa_free_policy_ent(entry); - if ((ret = osa_adb_destroy_policy(handle->policy_db, name)) == OSA_ADB_OK) - return KADM5_OK; - else - return ret; -} - -kadm5_ret_t -kadm5_modify_policy(void *server_handle, - kadm5_policy_ent_t entry, long mask) -{ - CHECK_HANDLE(server_handle); - - if (mask & KADM5_REF_COUNT) - return KADM5_BAD_MASK; - else - return kadm5_modify_policy_internal(server_handle, entry, mask); -} - -kadm5_ret_t -kadm5_modify_policy_internal(void *server_handle, - kadm5_policy_ent_t entry, long mask) -{ - kadm5_server_handle_t handle = server_handle; - osa_policy_ent_t p; - int ret; - - CHECK_HANDLE(server_handle); - - if((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL)) - return EINVAL; - if(strlen(entry->policy) == 0) - return KADM5_BAD_POLICY; - if((mask & KADM5_POLICY)) - return KADM5_BAD_MASK; - - switch ((ret = osa_adb_get_policy(handle->policy_db, entry->policy, &p))) { - case OSA_ADB_OK: - break; - case OSA_ADB_NOENT: - return KADM5_UNK_POLICY; - default: - break; - } - if ((mask & KADM5_PW_MAX_LIFE)) - p->pw_max_life = entry->pw_max_life; - if ((mask & KADM5_PW_MIN_LIFE)) { - if(entry->pw_min_life > p->pw_max_life && p->pw_max_life != 0) { - osa_free_policy_ent(p); - return KADM5_BAD_MIN_PASS_LIFE; - } - p->pw_min_life = entry->pw_min_life; - } - if ((mask & KADM5_PW_MIN_LENGTH)) { - if(entry->pw_min_length < MIN_PW_LENGTH) { - osa_free_policy_ent(p); - return KADM5_BAD_LENGTH; - } - p->pw_min_length = entry->pw_min_length; - } - if ((mask & KADM5_PW_MIN_CLASSES)) { - if(entry->pw_min_classes > MAX_PW_CLASSES || - entry->pw_min_classes < MIN_PW_CLASSES) { - osa_free_policy_ent(p); - return KADM5_BAD_CLASS; - } - p->pw_min_classes = entry->pw_min_classes; - } - if ((mask & KADM5_PW_HISTORY_NUM)) { - if(entry->pw_history_num < MIN_PW_HISTORY || - entry->pw_history_num > MAX_PW_HISTORY) { - osa_free_policy_ent(p); - return KADM5_BAD_HISTORY; - } - p->pw_history_num = entry->pw_history_num; - } - if ((mask & KADM5_REF_COUNT)) - p->policy_refcnt = entry->policy_refcnt; - switch ((ret = osa_adb_put_policy(handle->policy_db, p))) { - case OSA_ADB_OK: - ret = KADM5_OK; - break; - case OSA_ADB_NOENT: /* this should not happen here ... */ - ret = KADM5_UNK_POLICY; - break; - } - osa_free_policy_ent(p); - return ret; -} - -kadm5_ret_t -kadm5_get_policy(void *server_handle, kadm5_policy_t name, - kadm5_policy_ent_t entry) -{ - osa_policy_ent_t t; - kadm5_policy_ent_rec entry_local, **entry_orig, *new; - int ret; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - /* - * In version 1, entry is a pointer to a kadm5_policy_ent_t that - * should be filled with allocated memory. - */ - if (handle->api_version == KADM5_API_VERSION_1) { - entry_orig = (kadm5_policy_ent_rec **) entry; - *entry_orig = NULL; - entry = &entry_local; - } - - if (name == (kadm5_policy_t) NULL) - return EINVAL; - if(strlen(name) == 0) - return KADM5_BAD_POLICY; - switch((ret = osa_adb_get_policy(handle->policy_db, name, &t))) { - case OSA_ADB_OK: - break; - case OSA_ADB_NOENT: - return KADM5_UNK_POLICY; - default: - return ret; - } - if ((entry->policy = (char *) malloc(strlen(t->name) + 1)) == NULL) { - osa_free_policy_ent(t); - return ENOMEM; - } - strcpy(entry->policy, t->name); - entry->pw_min_life = t->pw_min_life; - entry->pw_max_life = t->pw_max_life; - entry->pw_min_length = t->pw_min_length; - entry->pw_min_classes = t->pw_min_classes; - entry->pw_history_num = t->pw_history_num; - entry->policy_refcnt = t->policy_refcnt; - osa_free_policy_ent(t); - - if (handle->api_version == KADM5_API_VERSION_1) { - new = (kadm5_policy_ent_t) malloc(sizeof(kadm5_policy_ent_rec)); - if (new == NULL) { - free(entry->policy); - osa_free_policy_ent(t); - return ENOMEM; - } - *new = *entry; - *entry_orig = new; - } - - return KADM5_OK; -} diff --git a/src/lib/kadm5/svr_principal.c b/src/lib/kadm5/svr_principal.c deleted file mode 100644 index 6f9671fcf..000000000 --- a/src/lib/kadm5/svr_principal.c +++ /dev/null @@ -1,1350 +0,0 @@ -/* - * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved - * - * $Header$ - */ - -#if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header$"; -#endif - -#include -#include -#include -#include "adb.h" -#include "k5-int.h" -#include -#include -#include -#include "server_internal.h" -#include -#include - -extern krb5_principal master_princ; -extern krb5_principal hist_princ; -extern krb5_encrypt_block master_encblock; -extern krb5_encrypt_block hist_encblock; -extern krb5_keyblock master_keyblock; -extern krb5_keyblock hist_key; -extern krb5_db_entry master_db; -extern krb5_db_entry hist_db; -extern krb5_kvno hist_kvno; - -static int decrypt_key_data(krb5_context context, - int n_key_data, krb5_key_data *key_data, - krb5_keyblock **keyblocks, int *n_keys); - -/* - * XXX Functions that ought to be in libkrb5.a, but aren't. - */ -int krb5_free_keyblock_contents(context, key) - krb5_context context; - krb5_keyblock *key; -{ - memset(key->contents, 0, key->length); - krb5_xfree(key->contents); - return 0; -} - -kadm5_ret_t krb5_copy_key_data_contents(context, from, to) - krb5_context context; - krb5_key_data *from, *to; -{ - int i, idx; - - *to = *from; - - idx = (from->key_data_ver == 1 ? 1 : 2); - - for (i = 0; i < idx; i++) { - to->key_data_contents[i] = malloc(from->key_data_length[i]); - if (to->key_data_contents[i] == NULL) { - for (i = 0; i < idx; i++) { - if (to->key_data_contents[i]) { - memset(to->key_data_contents[i], 0, - to->key_data_length[i]); - free(to->key_data_contents[i]); - } - } - return ENOMEM; - } - memcpy(to->key_data_contents[i], from->key_data_contents[i], - from->key_data_length[i]); - } - return 0; -} - -static krb5_tl_data *dup_tl_data(krb5_tl_data *tl) -{ - krb5_tl_data *n; - - n = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)); - if (n == NULL) - return NULL; - n->tl_data_contents = malloc(tl->tl_data_length); - if (n->tl_data_contents == NULL) { - free(n); - return NULL; - } - memcpy(n->tl_data_contents, tl->tl_data_contents, tl->tl_data_length); - n->tl_data_type = tl->tl_data_type; - n->tl_data_length = tl->tl_data_length; - n->tl_data_next = NULL; - return n; -} - -kadm5_ret_t -kadm5_create_principal(void *server_handle, - kadm5_principal_ent_t entry, long mask, - char *password) -{ - krb5_db_entry kdb; - osa_princ_ent_rec adb; - kadm5_policy_ent_rec polent; - krb5_int32 now; - krb5_tl_data *tl_data_orig, *tl_data_tail; - unsigned int ret; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - /* - * Argument sanity checking, and opening up the DB - */ - if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) || - (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) || - (mask & KADM5_MKVNO) || (mask & KADM5_POLICY_CLR) || - (mask & KADM5_AUX_ATTRIBUTES) || (mask & KADM5_KEY_DATA) || - (mask & KADM5_LAST_SUCCESS) || (mask & KADM5_LAST_FAILED) || - (mask & KADM5_FAIL_AUTH_COUNT)) - return KADM5_BAD_MASK; - if((mask & ~ALL_PRINC_MASK)) - return KADM5_BAD_MASK; - if (entry == (kadm5_principal_ent_t) NULL || password == NULL) - return EINVAL; - - /* - * Check to see if the principal exists - */ - ret = kdb_get_entry(handle, entry->principal, &kdb, &adb); - - switch(ret) { - case KADM5_UNK_PRINC: - break; - case 0: - kdb_free_entry(handle, &kdb, &adb); - return KADM5_DUP; - default: - return ret; - } - - memset(&kdb, 0, sizeof(krb5_db_entry)); - memset(&adb, 0, sizeof(osa_princ_ent_rec)); - - /* - * If a policy was specified, load it. - * If we can not find the one specified return an error - */ - if ((mask & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, entry->policy, - &polent)) != KADM5_OK) { - if(ret == EINVAL) - return KADM5_BAD_POLICY; - else - return ret; - } - } - if (ret = passwd_check(handle, password, (mask & KADM5_POLICY), - &polent, entry->principal)) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; - } - /* - * Start populating the various DB fields, using the - * "defaults" for fields that were not specified by the - * mask. - */ - if (ret = krb5_timeofday(handle->context, &now)) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; - } - - kdb.magic = KRB5_KDB_MAGIC_NUMBER; - kdb.len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */ - - if ((mask & KADM5_ATTRIBUTES)) - kdb.attributes = entry->attributes; - else - kdb.attributes = handle->params.flags; - - if ((mask & KADM5_MAX_LIFE)) - kdb.max_life = entry->max_life; - else - kdb.max_life = handle->params.max_life; - - if (mask & KADM5_MAX_RLIFE) - kdb.max_renewable_life = entry->max_renewable_life; - else - kdb.max_renewable_life = handle->params.max_rlife; - - if ((mask & KADM5_PRINC_EXPIRE_TIME)) - kdb.expiration = entry->princ_expire_time; - else - kdb.expiration = handle->params.expiration; - - kdb.pw_expiration = 0; - if ((mask & KADM5_POLICY)) { - if(polent.pw_max_life) - kdb.pw_expiration = now + polent.pw_max_life; - else - kdb.pw_expiration = 0; - } - if ((mask & KADM5_PW_EXPIRATION)) { - if(!kdb.pw_expiration) - kdb.pw_expiration = entry->pw_expiration; - else { - if(entry->pw_expiration != 0) - kdb.pw_expiration = (entry->pw_expiration < kdb.pw_expiration) ? - entry->pw_expiration : kdb.pw_expiration; - } - } - - kdb.last_success = 0; - kdb.last_failed = 0; - kdb.fail_auth_count = 0; - - /* this is kind of gross, but in order to free the tl data, I need - to free the entire kdb entry, and that will try to free the - principal. */ - - if (ret = krb5_copy_principal(handle->context, - entry->principal, &(kdb.princ))) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } - - if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) { - krb5_dbe_free_contents(handle->context, &kdb); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } - - /* initialize the keys */ - - if (ret = krb5_dbe_cpw(handle->context, &master_encblock, - handle->params.keysalts, - handle->params.num_keysalts, - password, - (mask & KADM5_KVNO)?entry->kvno:1, &kdb)) { - krb5_dbe_free_contents(handle->context, &kdb); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } - - /* populate the admin-server-specific fields. In the OV server, - this used to be in a separate database. Since there's already - marshalling code for the admin fields, to keep things simple, - I'm going to keep it, and make all the admin stuff occupy a - single tl_data record, */ - - adb.admin_history_kvno = hist_kvno; - if ((mask & KADM5_POLICY)) { - adb.aux_attributes = KADM5_POLICY; - - /* this does *not* need to be strdup'ed, because adb is xdr */ - /* encoded in osa_adb_create_princ, and not ever freed */ - - adb.policy = entry->policy; - } - - /* increment the policy ref count, if any */ - - if ((mask & KADM5_POLICY)) { - polent.policy_refcnt++; - if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT)) - != KADM5_OK) { - krb5_dbe_free_contents(handle->context, &kdb); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } - } - - if (mask & KADM5_TL_DATA) { - /* splice entry->tl_data onto the front of kdb.tl_data */ - tl_data_orig = kdb.tl_data; - for (tl_data_tail = entry->tl_data; tl_data_tail->tl_data_next; - tl_data_tail = tl_data_tail->tl_data_next) - ; - tl_data_tail->tl_data_next = kdb.tl_data; - kdb.tl_data = entry->tl_data; - } - - /* store the new db entry */ - ret = kdb_put_entry(handle, &kdb, &adb); - - if (mask & KADM5_TL_DATA) { - /* remove entry->tl_data from the front of kdb.tl_data */ - tl_data_tail->tl_data_next = NULL; - kdb.tl_data = tl_data_orig; - } - - krb5_dbe_free_contents(handle->context, &kdb); - - if (ret) { - if ((mask & KADM5_POLICY)) { - /* decrement the policy ref count */ - - polent.policy_refcnt--; - /* - * if this fails, there's nothing we can do anyway. the - * policy refcount wil be too high. - */ - (void) kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT); - } - - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } - - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - - return KADM5_OK; -} - - -kadm5_ret_t -kadm5_delete_principal(void *server_handle, krb5_principal principal) -{ - unsigned int ret; - kadm5_policy_ent_rec polent; - krb5_db_entry kdb; - osa_princ_ent_rec adb; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - if (principal == NULL) - return EINVAL; - - if (ret = kdb_get_entry(handle, principal, &kdb, &adb)) - return(ret); - - if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, - adb.policy, &polent)) - == KADM5_OK) { - polent.policy_refcnt--; - if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT)) - != KADM5_OK) { - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - kdb_free_entry(handle, &kdb, &adb); - return(ret); - } - } - if (ret = kadm5_free_policy_ent(handle->lhandle, &polent)) { - kdb_free_entry(handle, &kdb, &adb); - return ret; - } - } - - ret = kdb_delete_entry(handle, principal); - - kdb_free_entry(handle, &kdb, &adb); - - return ret; -} - -kadm5_ret_t -kadm5_modify_principal(void *server_handle, - kadm5_principal_ent_t entry, long mask) -{ - int ret, ret2, i; - kadm5_policy_ent_rec npol, opol; - int have_npol = 0, have_opol = 0; - krb5_db_entry kdb; - krb5_tl_data *tl_data_orig, *tl_data_tail; - osa_princ_ent_rec adb; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) || - (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) || - (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || - (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) || - (mask & KADM5_LAST_FAILED)) - return KADM5_BAD_MASK; - if((mask & ~ALL_PRINC_MASK)) - return KADM5_BAD_MASK; - if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) - return KADM5_BAD_MASK; - if(entry == (kadm5_principal_ent_t) NULL) - return EINVAL; - - if (ret = kdb_get_entry(handle, entry->principal, &kdb, &adb)) - return(ret); - - /* - * This is pretty much the same as create ... - */ - - if ((mask & KADM5_POLICY)) { - ret = kadm5_get_policy(handle->lhandle, entry->policy, &npol); - switch(ret) { - case EINVAL: - ret = KADM5_BAD_POLICY; - break; - case KADM5_UNK_POLICY: - case KADM5_BAD_POLICY: - ret = KADM5_UNK_POLICY; - goto done; - break; - case KADM5_OK: - have_npol = 1; - if(adb.aux_attributes & KADM5_POLICY) { - if(strcmp(adb.policy, entry->policy)) { - ret = kadm5_get_policy(handle->lhandle, - adb.policy, &opol); - switch(ret) { - case EINVAL: - case KADM5_BAD_POLICY: - case KADM5_UNK_POLICY: - break; - case KADM5_OK: - have_opol = 1; - opol.policy_refcnt--; - break; - default: - goto done; - break; - } - npol.policy_refcnt++; - } - } else npol.policy_refcnt++; - adb.aux_attributes |= KADM5_POLICY; - if (adb.policy) - free(adb.policy); - adb.policy = strdup(entry->policy); - if (npol.pw_max_life) { - if (ret = - krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, - &(kdb.pw_expiration))) - goto done; - kdb.pw_expiration += npol.pw_max_life; - } else { - kdb.pw_expiration = 0; - } - break; - default: - goto done; - } - if ((mask & KADM5_PW_EXPIRATION)) { - if(kdb.pw_expiration == 0) - kdb.pw_expiration = entry->pw_expiration; - else if(entry->pw_expiration != 0) - kdb.pw_expiration = (entry->pw_expiration < kdb.pw_expiration) ? - entry->pw_expiration : kdb.pw_expiration; - } - } - if ((mask & KADM5_PW_EXPIRATION) && !(mask & KADM5_POLICY)) { - if(kdb.pw_expiration == 0) - kdb.pw_expiration = entry->pw_expiration; - else if(entry->pw_expiration != 0) - kdb.pw_expiration = (entry->pw_expiration < kdb.pw_expiration) ? - entry->pw_expiration : kdb.pw_expiration; - } - - if ((mask & KADM5_POLICY_CLR)) { - if (adb.aux_attributes & KADM5_POLICY) { - adb.aux_attributes &= ~KADM5_POLICY; - kdb.pw_expiration = 0; - ret = kadm5_get_policy(handle->lhandle, adb.policy, &opol); - switch(ret) { - case EINVAL: - case KADM5_BAD_POLICY: - case KADM5_UNK_POLICY: - ret = KADM5_BAD_DB; - goto done; - break; - case KADM5_OK: - have_opol = 1; - if (adb.policy) - free(adb.policy); - adb.policy = NULL; - opol.policy_refcnt--; - break; - default: - goto done; - break; - } - } - } - if (((mask & KADM5_POLICY) || - (mask & KADM5_POLICY_CLR)) && - (((have_opol) && - (ret = - kadm5_modify_policy_internal(handle->lhandle, &opol, - KADM5_REF_COUNT))) || - ((have_npol) && - (ret = - kadm5_modify_policy_internal(handle->lhandle, &npol, - KADM5_REF_COUNT))))) - goto done; - - if ((mask & KADM5_ATTRIBUTES)) - kdb.attributes = entry->attributes; - if ((mask & KADM5_MAX_LIFE)) - kdb.max_life = entry->max_life; - if ((mask & KADM5_PRINC_EXPIRE_TIME)) - kdb.expiration = entry->princ_expire_time; - /* the pw_expiration logic would go here if it wasn't spread - all over the policy code */ - if (mask & KADM5_MAX_RLIFE) - kdb.max_renewable_life = entry->max_renewable_life; - if (mask & KADM5_FAIL_AUTH_COUNT) - kdb.fail_auth_count = entry->fail_auth_count; - - if((mask & KADM5_KVNO)) { - for (i = 0; i < kdb.n_key_data; i++) - kdb.key_data[i].key_data_kvno = entry->kvno; - } - - if (mask & KADM5_TL_DATA) { - /* splice entry->tl_data onto the front of kdb.tl_data */ - tl_data_orig = kdb.tl_data; - for (tl_data_tail = entry->tl_data; tl_data_tail->tl_data_next; - tl_data_tail = tl_data_tail->tl_data_next) - ; - tl_data_tail->tl_data_next = kdb.tl_data; - kdb.tl_data = entry->tl_data; - } - - if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; - - if (mask & KADM5_TL_DATA) { - /* remove entry->tl_data from the front of kdb.tl_data */ - tl_data_tail->tl_data_next = NULL; - kdb.tl_data = tl_data_orig; - } - - ret = KADM5_OK; -done: - if (have_opol) { - ret2 = kadm5_free_policy_ent(handle->lhandle, &opol); - ret = ret ? ret : ret2; - } - if (have_npol) { - ret2 = kadm5_free_policy_ent(handle->lhandle, &npol); - ret = ret ? ret : ret2; - } - kdb_free_entry(handle, &kdb, &adb); - return ret; -} - -kadm5_ret_t -kadm5_rename_principal(void *server_handle, - krb5_principal source, krb5_principal target) -{ - krb5_db_entry kdb; - osa_princ_ent_rec adb; - int ret, i; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - if (source == NULL || target == NULL) - return EINVAL; - - if ((ret = kdb_get_entry(handle, target, &kdb, &adb)) == 0) { - kdb_free_entry(handle, &kdb, &adb); - return(KADM5_DUP); - } - - if ((ret = kdb_get_entry(handle, source, &kdb, &adb))) - return ret; - - /* this is kinda gross, but unavoidable */ - - for (i=0; icontext, kdb.princ); - if (ret = krb5_copy_principal(handle->context, target, &kdb.princ)) { - kdb.princ = NULL; /* so freeing the dbe doesn't lose */ - goto done; - } - - if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; - - ret = kdb_delete_entry(handle, source); - -done: - kdb_free_entry(handle, &kdb, &adb); - return ret; -} - -kadm5_ret_t -kadm5_get_principal(void *server_handle, krb5_principal principal, - kadm5_principal_ent_t entry, - long in_mask) -{ - krb5_db_entry kdb; - osa_princ_ent_rec adb; - osa_adb_ret_t ret = 0; - long mask; - int i; - kadm5_server_handle_t handle = server_handle; - kadm5_principal_ent_rec entry_local, *entry_orig; - - CHECK_HANDLE(server_handle); - - /* - * In version 1, all the defined fields are always returned. - * entry is a pointer to a kadm5_principal_ent_t_v1 that should be - * filled with allocated memory. - */ - if (handle->api_version == KADM5_API_VERSION_1) { - mask = KADM5_PRINCIPAL_NORMAL_MASK; - entry_orig = entry; - entry = &entry_local; - } else { - mask = in_mask; - } - - memset((char *) entry, 0, sizeof(*entry)); - - if (principal == NULL) - return EINVAL; - - if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return ret; - - if ((mask & KADM5_POLICY) && - adb.policy && (adb.aux_attributes & KADM5_POLICY)) { - if ((entry->policy = (char *) malloc(strlen(adb.policy) + 1)) == NULL) { - ret = ENOMEM; - goto done; - } - strcpy(entry->policy, adb.policy); - } - - if (mask & KADM5_AUX_ATTRIBUTES) - entry->aux_attributes = adb.aux_attributes; - - if ((mask & KADM5_PRINCIPAL) && - (ret = krb5_copy_principal(handle->context, principal, - &entry->principal))) { - goto done; - } - - if (mask & KADM5_PRINC_EXPIRE_TIME) - entry->princ_expire_time = kdb.expiration; - - if ((mask & KADM5_LAST_PWD_CHANGE) && - (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, - &(entry->last_pwd_change)))) { - goto done; - } - - if (mask & KADM5_PW_EXPIRATION) - entry->pw_expiration = kdb.pw_expiration; - if (mask & KADM5_MAX_LIFE) - entry->max_life = kdb.max_life; - - /* this is a little non-sensical because the function returns two */ - /* values that must be checked separately against the mask */ - if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) { - if (ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb, - &(entry->mod_date), - &(entry->mod_name))) { - goto done; - } - if (! (mask & KADM5_MOD_TIME)) - entry->mod_date = 0; - if (! (mask & KADM5_MOD_NAME)) { - krb5_free_principal(handle->context, entry->principal); - entry->principal = NULL; - } - } - - if (mask & KADM5_ATTRIBUTES) - entry->attributes = kdb.attributes; - - if (mask & KADM5_KVNO) - for (entry->kvno = 0, i=0; i entry->kvno) - entry->kvno = kdb.key_data[i].key_data_kvno; - - if (handle->api_version == KADM5_API_VERSION_2) - entry->mkvno = 0; - else { - /* XXX I'll be damned if I know how to deal with this one --marc */ - entry->mkvno = 1; - } - - /* - * The new fields that only exist in version 2 start here - */ - if (handle->api_version == KADM5_API_VERSION_2) { - if (mask & KADM5_MAX_RLIFE) - entry->max_renewable_life = kdb.max_renewable_life; - if (mask & KADM5_LAST_SUCCESS) - entry->last_success = kdb.last_success; - if (mask & KADM5_LAST_FAILED) - entry->last_failed = kdb.last_failed; - if (mask & KADM5_FAIL_AUTH_COUNT) - entry->fail_auth_count = kdb.fail_auth_count; - if (mask & KADM5_TL_DATA) { - krb5_tl_data td, *tl, *tl2; - - entry->n_tl_data = kdb.n_tl_data; - entry->tl_data = NULL; - - tl = kdb.tl_data; - while (tl) { - if ((tl2 = dup_tl_data(tl)) == NULL) { - ret = ENOMEM; - goto done; - } - tl2->tl_data_next = entry->tl_data; - entry->tl_data = tl2; - - tl = tl->tl_data_next; - } - - if (kdb.e_length) { - td.tl_data_type = KRB5_TL_KADM5_E_DATA; - td.tl_data_length = kdb.e_length; - td.tl_data_contents = kdb.e_data; - - if ((tl = dup_tl_data(&td)) == NULL) { - ret = ENOMEM; - goto done; - } - tl->tl_data_next = entry->tl_data; - entry->tl_data = tl; - } - } - if (mask & KADM5_KEY_DATA) { - entry->n_key_data = kdb.n_key_data; - entry->key_data = (krb5_key_data *) - malloc(entry->n_key_data*sizeof(krb5_key_data)); - if (entry->key_data == NULL) { - ret = ENOMEM; - goto done; - } - for (i = 0; i < entry->n_key_data; i++) - if (ret = krb5_copy_key_data_contents(handle->context, - &kdb.key_data[i], - &entry->key_data[i])) - goto done; - } - } - - /* - * If KADM5_API_VERSION_1, we return an allocated structure, and - * we need to convert the new structure back into the format the - * caller is expecting. - */ - if (handle->api_version == KADM5_API_VERSION_1) { - kadm5_principal_ent_t_v1 newv1; - - newv1 = ((kadm5_principal_ent_t_v1) calloc(1, sizeof(*newv1))); - if (newv1 == NULL) { - ret = ENOMEM; - goto done; - } - - newv1->principal = entry->principal; - newv1->princ_expire_time = entry->princ_expire_time; - newv1->last_pwd_change = entry->last_pwd_change; - newv1->pw_expiration = entry->pw_expiration; - newv1->max_life = entry->max_life; - newv1->mod_name = entry->mod_name; - newv1->mod_date = entry->mod_date; - newv1->attributes = entry->attributes; - newv1->kvno = entry->kvno; - newv1->mkvno = entry->mkvno; - newv1->policy = entry->policy; - newv1->aux_attributes = entry->aux_attributes; - - *((kadm5_principal_ent_t_v1 *) entry_orig) = newv1; - } - - ret = KADM5_OK; - -done: - if (ret && entry->principal) - krb5_free_principal(handle->context, entry->principal); - kdb_free_entry(handle, &kdb, &adb); - - return ret; -} - -/* - * Function: check_pw_reuse - * - * Purpose: Check if a key appears in a list of keys, in order to - * enforce password history. - * - * Arguments: - * - * context (r) the krb5 context - * histkey_encblock (r) the encblock that hist_key_data is - * encrypted in - * n_new_key_data (r) length of new_key_data - * new_key_data (r) keys to check against - * pw_hist_data, encrypted in histkey_encblock - * n_pw_hist_data (r) length of pw_hist_data - * pw_hist_data (r) passwords to check new_key_data against - * - * Effects: - * For each new_key in new_key_data: - * decrypt new_key with the master_encblock - * for each password in pw_hist_data: - * for each hist_key in password: - * decrypt hist_key with histkey_encblock - * compare the new_key and hist_key - * - * Returns krb5 errors, KADM5_PASS_RESUSE if a key in - * new_key_data is the same as a key in pw_hist_data, or 0. - */ -static kadm5_ret_t -check_pw_reuse(krb5_context context, - krb5_encrypt_block *histkey_encblock, - int n_new_key_data, krb5_key_data *new_key_data, - int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data) -{ - int x, y, z; - krb5_keyblock newkey, histkey; - krb5_error_code ret; - - for (x = 0; x < n_new_key_data; x++) { - if (ret = krb5_dbekd_decrypt_key_data(context, - &master_encblock, - &(new_key_data[x]), - &newkey, NULL)) - return(ret); - for (y = 0; y < n_pw_hist_data; y++) { - for (z = 0; z < pw_hist_data[y].n_key_data; z++) { - if (ret = - krb5_dbekd_decrypt_key_data(context, - histkey_encblock, - &pw_hist_data[y].key_data[z], - &histkey, NULL)) - return(ret); - - if ((newkey.length == histkey.length) && - (newkey.enctype == histkey.enctype) && - (memcmp(newkey.contents, histkey.contents, - histkey.length) == 0)) { - krb5_free_keyblock_contents(context, &histkey); - krb5_free_keyblock_contents(context, &newkey); - - return(KADM5_PASS_REUSE); - } - krb5_free_keyblock_contents(context, &histkey); - } - } - krb5_free_keyblock_contents(context, &newkey); - } - - return(0); -} - -/* - * Function: create_history_entry - * - * Purpose: Creates a password history entry from an array of - * key_data. - * - * Arguments: - * - * context (r) krb5_context to use - * n_key_data (r) number of elements in key_data - * key_data (r) keys to add to the history entry - * hist (w) history entry to fill in - * - * Effects: - * - * hist->key_data is allocated to store n_key_data key_datas. Each - * element of key_data is decrypted with master_encblock, re-encrypted - * in hist_encblock, and added to hist->key_data. hist->n_key_data is - * set to n_key_data. - */ -int create_history_entry(krb5_context context, int n_key_data, - krb5_key_data *key_data, osa_pw_hist_ent *hist) -{ - int i, ret; - krb5_keyblock key; - krb5_keysalt salt; - - hist->key_data = (krb5_key_data*)malloc(n_key_data*sizeof(krb5_key_data)); - if (hist->key_data == NULL) - return ENOMEM; - memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data)); - - for (i = 0; i < n_key_data; i++) { - if (ret = krb5_dbekd_decrypt_key_data(context, - &master_encblock, - &key_data[i], - &key, &salt)) - return ret; - if (ret = krb5_dbekd_encrypt_key_data(context, - &hist_encblock, - &key, &salt, - key_data[i].key_data_kvno, - &hist->key_data[i])) - return ret; - krb5_free_keyblock_contents(context, &key); - /* krb5_free_keysalt(context, &salt); */ - } - - hist->n_key_data = n_key_data; - return 0; -} - -int free_history_entry(krb5_context context, osa_pw_hist_ent *hist) -{ - int i; - - for (i = 0; i < hist->n_key_data; i++) - krb5_free_key_data_contents(context, &hist->key_data[i]); - free(hist->key_data); -} - -/* - * Function: add_to_history - * - * Purpose: Adds a password to a principal's password history. - * - * Arguments: - * - * context (r) krb5_context to use - * adb (r/w) admin principal entry to add keys to - * pol (r) adb's policy - * pw (r) keys for the password to add to adb's key history - * - * Effects: - * - * add_to_history adds a single password to adb's password history. - * pw contains n_key_data keys in its key_data, in storage should be - * allocated but not freed by the caller (XXX blech!). - * - * This function maintains adb->old_keys as a circular queue. It - * starts empty, and grows each time this function is called until it - * is pol->pw_history_num items long. adb->old_key_len holds the - * number of allocated entries in the array, and must therefore be [0, - * pol->pw_history_num). adb->old_key_next is the index into the - * array where the next element should be written, and must be [0, - * adb->old_key_len). - */ -static kadm5_ret_t add_to_history(krb5_context context, - osa_princ_ent_t adb, - kadm5_policy_ent_t pol, - osa_pw_hist_ent *pw) -{ - osa_pw_hist_ent hist, *histp; - int ret, i; - - /* A history of 1 means just check the current password */ - if (pol->pw_history_num == 1) - return 0; - - /* resize the adb->old_keys array if necessary */ - if (adb->old_key_len < pol->pw_history_num-1) { - adb->old_keys = (osa_pw_hist_ent *) - realloc(adb->old_keys, - (adb->old_key_len+1)*sizeof(osa_pw_hist_ent)); - if (adb->old_keys == NULL) - return(ENOMEM); - - memset(&adb->old_keys[adb->old_key_len],0,sizeof(osa_pw_hist_ent)); - adb->old_key_len++; - } - - /* free the old pw history entry if it contains data */ - histp = &adb->old_keys[adb->old_key_next]; - for (i = 0; i < histp->n_key_data; i++) - krb5_free_key_data_contents(context, &histp->key_data[i]); - - /* store the new entry */ - adb->old_keys[adb->old_key_next] = *pw; - - /* update the next pointer */ - if (++adb->old_key_next == pol->pw_history_num-1) - adb->old_key_next = 0; - - return(0); -} - -kadm5_ret_t -kadm5_chpass_principal(void *server_handle, - krb5_principal principal, char *password) -{ - krb5_int32 now; - kadm5_policy_ent_rec pol; - osa_princ_ent_rec adb; - krb5_db_entry kdb, kdb_save; - int ret, ret2, last_pwd, i, hist_added; - int have_pol = 0; - kadm5_server_handle_t handle = server_handle; - osa_pw_hist_ent hist; - - CHECK_HANDLE(server_handle); - - hist_added = 0; - memset(&hist, 0, sizeof(hist)); - - if (principal == NULL || password == NULL) - return EINVAL; - if ((krb5_principal_compare(handle->context, - principal, hist_princ)) == TRUE) - return KADM5_PROTECT_PRINCIPAL; - - if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); - - /* we are going to need the current keys after the new keys are set */ - if ((ret = kdb_get_entry(handle, principal, &kdb_save, NULL))) { - kdb_free_entry(handle, &kdb, &adb); - return(ret); - } - - if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol))) - goto done; - have_pol = 1; - } - - if ((ret = passwd_check(handle, password, adb.aux_attributes & - KADM5_POLICY, &pol, principal))) - goto done; - - if (ret = krb5_dbe_cpw(handle->context, &master_encblock, - handle->params.keysalts, - handle->params.num_keysalts, - password, 0 /* increment kvno */, &kdb)) - goto done; - - kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; - - if (ret = krb5_timeofday(handle->context, &now)) - goto done; - - if ((adb.aux_attributes & KADM5_POLICY)) { - /* the policy was loaded before */ - - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd)) - goto done; - -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if ((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - - if (ret = create_history_entry(handle->context, - kdb_save.n_key_data, - kdb_save.key_data, &hist)) - goto done; - - if (ret = check_pw_reuse(handle->context, - &hist_encblock, - kdb.n_key_data, kdb.key_data, - 1, &hist)) - goto done; - - if (pol.pw_history_num > 1) { - if (adb.admin_history_kvno != hist_kvno) { - ret = KADM5_BAD_HIST_KEY; - goto done; - } - - if (ret = check_pw_reuse(handle->context, - &hist_encblock, - kdb.n_key_data, kdb.key_data, - adb.old_key_len, adb.old_keys)) - goto done; - - if (ret = add_to_history(handle->context, &adb, &pol, &hist)) - goto done; - hist_added = 1; - } - - if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; - else - kdb.pw_expiration = 0; - } else { - kdb.pw_expiration = 0; - } - - if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) - goto done; - - if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; - - ret = KADM5_OK; -done: - if (!hist_added && hist.key_data) - free_history_entry(handle->context, &hist); - kdb_free_entry(handle, &kdb, &adb); - kdb_free_entry(handle, &kdb_save, NULL); - krb5_dbe_free_contents(handle->context, &kdb); - - if (have_pol && (ret2 = kadm5_free_policy_ent(handle->lhandle, &pol)) - && !ret) - ret = ret2; - - return ret; -} - -kadm5_ret_t -kadm5_randkey_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock **keyblocks, - int *n_keys) -{ - krb5_db_entry kdb; - osa_princ_ent_rec adb; - krb5_int32 now; - kadm5_policy_ent_rec pol; - krb5_key_data *key_data; - krb5_keyblock *keyblock; - int ret, last_pwd, have_pol = 0; - kadm5_server_handle_t handle = server_handle; - - if (keyblocks) - *keyblocks = NULL; - - CHECK_HANDLE(server_handle); - - if (principal == NULL) - return EINVAL; - if (hist_princ && /* this will be NULL when initializing the databse */ - ((krb5_principal_compare(handle->context, - principal, hist_princ)) == TRUE)) - return KADM5_PROTECT_PRINCIPAL; - - if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); - - if (ret = krb5_dbe_crk(handle->context, &master_encblock, - handle->params.keysalts, - handle->params.num_keysalts, - &kdb)) - goto done; - - kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; - - if (ret = krb5_timeofday(handle->context, &now)) - goto done; - - if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, - &pol)) != KADM5_OK) - goto done; - have_pol = 1; - - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd)) - goto done; - -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - - if(pol.pw_history_num > 1) { - if(adb.admin_history_kvno != hist_kvno) { - ret = KADM5_BAD_HIST_KEY; - goto done; - } - - if (ret = check_pw_reuse(handle->context, - &hist_encblock, - kdb.n_key_data, kdb.key_data, - adb.old_key_len, adb.old_keys)) - goto done; - } - if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; - else - kdb.pw_expiration = 0; - } else { - kdb.pw_expiration = 0; - } - - if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) - goto done; - - if (keyblocks) { - if (handle->api_version == KADM5_API_VERSION_1) { - /* Version 1 clients will expect to see a DES_CRC enctype. */ - if (ret = krb5_dbe_find_enctype(handle->context, &kdb, - ENCTYPE_DES_CBC_CRC, - -1, -1, &key_data)) - goto done; - - if (ret = decrypt_key_data(handle->context, 1, key_data, - keyblocks, NULL)) - goto done; - } else { - ret = decrypt_key_data(handle->context, - kdb.n_key_data, kdb.key_data, - keyblocks, n_keys); - if (ret) - goto done; - } - } - - if ((ret = kdb_put_entry(handle, &kdb, &adb))) - goto done; - - ret = KADM5_OK; -done: - kdb_free_entry(handle, &kdb, &adb); - if (have_pol) - kadm5_free_policy_ent(handle->lhandle, &pol); - - return ret; -} - -/* - * Allocate an array of n_key_data krb5_keyblocks, fill in each - * element with the results of decrypting the nth key in key_data with - * master_encblock, and if n_keys is not NULL fill it in with the - * number of keys decrypted. - */ -static int decrypt_key_data(krb5_context context, - int n_key_data, krb5_key_data *key_data, - krb5_keyblock **keyblocks, int *n_keys) -{ - krb5_keyblock *keys; - int ret, i; - - keys = (krb5_keyblock *) malloc(n_key_data*sizeof(krb5_keyblock)); - if (keys == NULL) - return ENOMEM; - memset((char *) keys, 0, n_key_data*sizeof(krb5_keyblock)); - - for (i = 0; i < n_key_data; i++) { - if (ret = krb5_dbekd_decrypt_key_data(context, - &master_encblock, - &key_data[i], - &keys[i], NULL)) { - - memset((char *) keys, 0, n_key_data*sizeof(krb5_keyblock)); - free(keys); - return ret; - } - } - - *keyblocks = keys; - if (n_keys) - *n_keys = n_key_data; - - return 0; -} - -/* - * Function: kadm5_decrypt_key - * - * Purpose: Retrieves and decrypts a principal key. - * - * Arguments: - * - * server_handle (r) kadm5 handle - * entry (r) principal retrieved with kadm5_get_principal - * ktype (r) enctype to search for, or -1 to ignore - * stype (r) salt type to search for, or -1 to ignore - * kvno (r) kvno to search for, -1 for max, 0 for max - * only if it also matches ktype and stype - * keyblock (w) keyblock to fill in - * keysalt (w) keysalt to fill in, or NULL - * kvnop (w) kvno to fill in, or NULL - * - * Effects: Searches the key_data array of entry, which must have been - * retrived with kadm5_get_principal with the KADM5_KEY_DATA mask, to - * find a key with a specified enctype, salt type, and kvno in a - * principal entry. If not found, return ENOENT. Otherwise, decrypt - * it with the master key, and return the key in keyblock, the salt - * in salttype, and the key version number in kvno. - * - * If ktype or stype is -1, it is ignored for the search. If kvno is - * -1, ktype and stype are ignored and the key with the max kvno is - * returned. If kvno is 0, only the key with the max kvno is returned - * and only if it matches the ktype and stype; otherwise, ENOENT is - * returned. - */ -kadm5_ret_t kadm5_decrypt_key(void *server_handle, - kadm5_principal_ent_t entry, krb5_int32 - ktype, krb5_int32 stype, krb5_int32 - kvno, krb5_keyblock *keyblock, - krb5_keysalt *keysalt, int *kvnop) -{ - kadm5_server_handle_t handle = server_handle; - krb5_db_entry dbent; - krb5_key_data *key_data; - int ret; - - CHECK_HANDLE(server_handle); - - if (entry->n_key_data == 0 || entry->key_data == NULL) - return EINVAL; - - /* find_enctype only uses these two fields */ - dbent.n_key_data = entry->n_key_data; - dbent.key_data = entry->key_data; - if (ret = krb5_dbe_find_enctype(handle->context, &dbent, ktype, - stype, kvno, &key_data)) - return ret; - - if (ret = krb5_dbekd_decrypt_key_data(handle->context, - &master_encblock, key_data, - keyblock, keysalt)) - return ret; - - if (kvnop) - *kvnop = key_data->key_data_kvno; - - return KADM5_OK; -} -- 2.26.2