From 8e78a7eeb7266329891971090d2666f5c6a13ad0 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 6 Jul 2010 21:53:23 +0000 Subject: [PATCH] Remove count parameters from get_principal, put_principal, free_principal, delete_principal, and get_policy. Make get_principal allocate the DB entry container. Fold krb5_db_get_principal_ext into krb5_db_get_principal. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/kdb.h | 73 +- src/include/kdb_log.h | 8 +- src/kadmin/dbutil/dump.c | 133 +- src/kadmin/dbutil/kdb5_create.c | 50 +- src/kadmin/dbutil/kdb5_mkey.c | 155 +-- src/kadmin/dbutil/kdb5_util.c | 60 +- src/kadmin/dbutil/ovload.c | 13 +- src/kdc/do_as_req.c | 120 +- src/kdc/do_tgs_req.c | 212 ++- src/kdc/kdc_preauth.c | 17 +- src/kdc/kdc_util.c | 110 +- src/kdc/kdc_util.h | 19 +- src/lib/kadm5/server_internal.h | 4 +- src/lib/kadm5/srv/libkadm5srv_mit.exports | 1 - src/lib/kadm5/srv/server_kdb.c | 53 +- src/lib/kadm5/srv/svr_policy.c | 25 +- src/lib/kadm5/srv/svr_principal.c | 457 +++---- src/lib/kadm5/unit-test/lock-test.c | 4 +- src/lib/kdb/kdb5.c | 180 +-- src/lib/kdb/kdb5int.h | 5 +- src/lib/kdb/kdb_convert.c | 904 ++++++------- src/lib/kdb/kdb_cpw.c | 22 +- src/lib/kdb/kdb_default.c | 37 +- src/lib/kdb/kdb_log.c | 14 +- src/lib/kdb/keytab.c | 27 +- src/lib/kdb/libkdb5.exports | 1 - src/plugins/kdb/db2/adb_policy.c | 7 +- src/plugins/kdb/db2/db2_exp.c | 26 +- src/plugins/kdb/db2/kdb_db2.c | 148 +-- src/plugins/kdb/db2/kdb_db2.h | 17 +- src/plugins/kdb/db2/kdb_xdr.c | 88 +- src/plugins/kdb/db2/kdb_xdr.h | 16 +- src/plugins/kdb/db2/lockout.c | 12 +- src/plugins/kdb/db2/policy_db.h | 6 +- .../kdb/ldap/ldap_util/kdb5_ldap_realm.c | 3 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 3 +- .../kdb/ldap/libkdb_ldap/ldap_principal.c | 29 +- .../kdb/ldap/libkdb_ldap/ldap_principal.h | 8 +- .../kdb/ldap/libkdb_ldap/ldap_principal2.c | 1183 ++++++++--------- .../kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 10 +- .../kdb/ldap/libkdb_ldap/ldap_pwd_policy.h | 2 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 5 +- src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 9 +- src/tests/create/kdb5_mkdums.c | 79 +- src/tests/verify/kdb5_verify.c | 57 +- 45 files changed, 1908 insertions(+), 2504 deletions(-) diff --git a/src/include/kdb.h b/src/include/kdb.h index a576eb9e3..a03361e7a 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -425,23 +425,13 @@ krb5_error_code krb5_db_lock ( krb5_context kcontext, int lock_mode ); krb5_error_code krb5_db_unlock ( krb5_context kcontext ); krb5_error_code krb5_db_get_principal ( krb5_context kcontext, krb5_const_principal search_for, - krb5_db_entry *entries, - int *nentries, - krb5_boolean *more ); -krb5_error_code krb5_db_get_principal_ext ( krb5_context kcontext, - krb5_const_principal search_for, - unsigned int flags, - krb5_db_entry *entries, - int *nentries, - krb5_boolean *more ); -void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry, - int count ); + unsigned int flags, + krb5_db_entry **entry ); +void krb5_db_free_principal ( krb5_context kcontext, krb5_db_entry *entry ); krb5_error_code krb5_db_put_principal ( krb5_context kcontext, - krb5_db_entry *entries, - int *nentries); + krb5_db_entry *entry ); krb5_error_code krb5_db_delete_principal ( krb5_context kcontext, - krb5_principal search_for, - int *nentries ); + krb5_principal search_for ); krb5_error_code krb5_db_iterate ( krb5_context kcontext, char *match_entry, int (*func) (krb5_pointer, krb5_db_entry *), @@ -740,8 +730,7 @@ krb5_db_create_policy( krb5_context kcontext, krb5_error_code krb5_db_get_policy ( krb5_context kcontext, char *name, - osa_policy_ent_t *policy, - int *nentries); + osa_policy_ent_t *policy ); krb5_error_code krb5_db_put_policy( krb5_context kcontext, @@ -916,16 +905,8 @@ typedef struct _kdb_vftabl { krb5_error_code (*unlock)(krb5_context kcontext); /* - * Mandatory: Fill in *entries with the entry for the principal search_for. - * The module must allocate each entry field separately, as callers may - * free individual fields using db_free. If the principal is not found, - * set *nentries to 0 and return success. - * - * The nentries and more arguments appear to be intended to account for - * multiple entries for a principal, but this functionality is neither - * implemented nor used. *nentries is set to 1 by all callers and should - * be set to 0 or 1 on return; *more sould be set to FALSE on return. - * Callers will typically error out if modules behave otherwise. + * Mandatory: Set *entry to an allocated entry for the principal + * search_for. If the principal is not found, return KRB5_KDB_NOENTRY. * * The meaning of flags are as follows (some of these may be processed by * db_invoke methods such as KRB5_KDB_METHOD_SIGN_AUTH_DATA rather than by @@ -980,23 +961,19 @@ typedef struct _kdb_vftabl { krb5_error_code (*get_principal)(krb5_context kcontext, krb5_const_principal search_for, unsigned int flags, - krb5_db_entry *entries, int *nentries, - krb5_boolean *more); + krb5_db_entry **entry); /* - * Mandatory: Free the memory associated with principal entries. Do not - * free entry itself. All callers ignore the return value. Entries may - * have been constructed by the caller (using the db_alloc function to - * allocate associated memory); thus, a plugin must allocate each field - * of a principal entry separately. + * Mandatory: Free a database entry. The entry may have been constructed + * by the caller (using the db_alloc function to allocate associated + * memory); thus, a plugin must allocate each field of a principal entry + * separately. */ - void (*free_principal)(krb5_context kcontext, krb5_db_entry *entry, - int count); + void (*free_principal)(krb5_context kcontext, krb5_db_entry *entry); /* - * Optional: Create or modify one or more principal entries. All callers - * operate on a single entry. db_args communicates command-line arguments - * for module-specific flags. + * Optional: Create or modify a principal entry. db_args communicates + * command-line arguments for module-specific flags. * * The mask field of an entry indicates the changed fields. Mask values * are defined in kadmin's admin.h header. If KADM5_PRINCIPAL is set in @@ -1006,17 +983,14 @@ typedef struct _kdb_vftabl { * ignore the mask and update the entire entry. */ krb5_error_code (*put_principal)(krb5_context kcontext, - krb5_db_entry *entries, int *nentries, - char **db_args); + krb5_db_entry *entry, char **db_args); /* * Optional: Delete the entry for the principal search_for. If the - * principal does not exist, set *nentries to 0 and return success; if it - * did exist, set *nentries to 1. + * principal did not exist, return KRB5_KDB_NOENTRY. */ krb5_error_code (*delete_principal)(krb5_context kcontext, - krb5_const_principal search_for, - int *nentries); + krb5_const_principal search_for); /* * Optional: For each principal entry in the database, invoke func with the @@ -1037,14 +1011,11 @@ typedef struct _kdb_vftabl { osa_policy_ent_t policy); /* - * Optional: If a password policy entry exists with the name name, allocate - * a policy entry in *policy, fill it in with the policy information, and - * set *cnt to 1. If the entry does not exist, set *cnt to 0 and return - * success, or return an error (existing module implementations are not - * consistent). + * Optional: Set *policy to the policy entry of the specified name. If the + * entry does not exist, return KRB5_KDB_NOENTRY. */ krb5_error_code (*get_policy)(krb5_context kcontext, char *name, - osa_policy_ent_t *policy, int *cnt); + osa_policy_ent_t *policy); /* * Optional: Modify an existing password policy entry to match the values diff --git a/src/include/kdb_log.h b/src/include/kdb_log.h index 620d90c90..51648c7e8 100644 --- a/src/include/kdb_log.h +++ b/src/include/kdb_log.h @@ -84,12 +84,12 @@ extern krb5_error_code ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args); extern krb5_error_code -ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries, - kdb_incr_update_t *updates, int nentries); +ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry, + kdb_incr_update_t *update); extern krb5_error_code -ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries, - kdb_incr_update_t *updates, int nentries); +ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry, + kdb_incr_update_t *update); extern void ulog_free_entries(kdb_incr_update_t *updates, int no_of_updates); extern krb5_error_code ulog_set_role(krb5_context ctx, iprop_role role); diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index baebf4c6e..caff137a4 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -205,7 +205,7 @@ extern krb5_boolean dbactive; extern int exit_status; extern krb5_context util_context; extern kadm5_config_params global_params; -extern krb5_db_entry master_entry; +extern krb5_db_entry *master_entry; /* Strings */ @@ -1235,7 +1235,7 @@ dump_db(argc, argv) * get new master key vno that will be used to protect princs, used * later on. */ - new_mkvno = get_next_kvno(util_context, &master_entry); + new_mkvno = get_next_kvno(util_context, master_entry); } kret = 0; @@ -1517,7 +1517,7 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) { int nmatched; int retval; - krb5_db_entry dbent; + krb5_db_entry *dbent; int name_len, mod_name_len, key_len; int alt_key_len, salt_len, alt_salt_len; char *name; @@ -1534,16 +1534,19 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) try2read = (char *) NULL; (*linenop)++; retval = 1; - memset(&dbent, 0, sizeof(dbent)); + dbent = krb5_db_alloc(kcontext, NULL, sizeof(*dbent)); + if (dbent == NULL) + return(1); + memset(dbent, 0, sizeof(*dbent)); /* Make sure we've got key_data entries */ - if (krb5_dbe_create_key_data(kcontext, &dbent) || - krb5_dbe_create_key_data(kcontext, &dbent)) { - krb5_db_free_principal(kcontext, &dbent, 1); + if (krb5_dbe_create_key_data(kcontext, dbent) || + krb5_dbe_create_key_data(kcontext, dbent)) { + krb5_db_free_principal(kcontext, dbent); return(1); } - pkey = &dbent.key_data[0]; - akey = &dbent.key_data[1]; + pkey = &dbent->key_data[0]; + akey = &dbent->key_data[1]; /* * Match the sizes. 6 tokens to match. @@ -1618,17 +1621,17 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) /* Read principal attributes */ if (!error && (fscanf(filep, "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t", - &tmpint1, &dbent.max_life, - &dbent.max_renewable_life, - &tmpint2, &dbent.expiration, - &dbent.pw_expiration, &last_pwd_change, - &dbent.last_success, &dbent.last_failed, + &tmpint1, &dbent->max_life, + &dbent->max_renewable_life, + &tmpint2, &dbent->expiration, + &dbent->pw_expiration, &last_pwd_change, + &dbent->last_success, &dbent->last_failed, &tmpint3) != 10)) { try2read = read_pr_data1; error++; } pkey->key_data_kvno = tmpint1; - dbent.fail_auth_count = tmpint3; + dbent->fail_auth_count = tmpint3; /* Read modifier name */ if (!error && read_string(filep, mod_name, @@ -1639,7 +1642,7 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) } /* Read second set of attributes */ if (!error && (fscanf(filep, "\t%u\t%u\t%u\t", - &mod_date, &dbent.attributes, + &mod_date, &dbent->attributes, &tmpint1) != 3)) { try2read = read_pr_data2; error++; @@ -1718,22 +1721,20 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) if (!error) { if (!(kret = krb5_parse_name(kcontext, name, - &dbent.princ))) { + &dbent->princ))) { if (!(kret = krb5_parse_name(kcontext, mod_name, &mod_princ))) { if (!(kret = krb5_dbe_update_mod_princ_data(kcontext, - &dbent, + dbent, mod_date, mod_princ)) && !(kret = krb5_dbe_update_last_pwd_change(kcontext, - &dbent, + dbent, last_pwd_change))) { - int one = 1; - - dbent.len = KRB5_KDB_V1_BASE_LENGTH; + dbent->len = KRB5_KDB_V1_BASE_LENGTH; pkey->key_data_ver = (pkey->key_data_type[1] || pkey->key_data_length[1]) ? 2 : 1; akey->key_data_ver = (akey->key_data_type[1] || akey->key_data_length[1]) ? @@ -1742,22 +1743,20 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) akey->key_data_type[0]) && (pkey->key_data_type[1] == akey->key_data_type[1])) - dbent.n_key_data--; + dbent->n_key_data--; else if ((akey->key_data_type[0] == 0) && (akey->key_data_length[0] == 0) && (akey->key_data_type[1] == 0) && (akey->key_data_length[1] == 0)) - dbent.n_key_data--; + dbent->n_key_data--; - dbent.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | + dbent->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_KEY_DATA | KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT; if ((kret = krb5_db_put_principal(kcontext, - &dbent, - &one)) || - (one != 1)) { + dbent))) { fprintf(stderr, store_err_fmt, fname, *linenop, name, error_message(kret)); @@ -1768,7 +1767,7 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) fprintf(stderr, add_princ_fmt, name); retval = 0; } - dbent.n_key_data = 2; + dbent->n_key_data = 2; } krb5_free_principal(kcontext, mod_princ); } @@ -1793,7 +1792,7 @@ process_k5beta_record(fname, kcontext, filep, flags, linenop) fprintf(stderr, no_mem_fmt, fname, *linenop); } - krb5_db_free_principal(kcontext, &dbent, 1); + krb5_db_free_principal(kcontext, dbent); if (mod_name) free(mod_name); if (name) @@ -1822,11 +1821,11 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) int *linenop; { int retval; - krb5_db_entry dbentry; + krb5_db_entry *dbentry; krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9; int nread; int error; - int i, j, one; + int i, j; char *name; krb5_key_data *kp, *kdatap; krb5_tl_data **tlp, *tl; @@ -1835,7 +1834,10 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) const char *try2read; try2read = (char *) NULL; - memset(&dbentry, 0, sizeof(dbentry)); + dbentry = krb5_db_alloc(kcontext, NULL, sizeof(*dbentry)); + if (dbentry == NULL) + return(1); + memset(dbentry, 0, sizeof(*dbentry)); (*linenop)++; retval = 1; name = (char *) NULL; @@ -1850,12 +1852,12 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) error++; /* Get memory for and form tagged data linked list */ - tlp = &dbentry.tl_data; + tlp = &dbentry->tl_data; for (i=0; itl_data_next); - dbentry.n_tl_data++; + dbentry->n_tl_data++; } else { error++; @@ -1873,37 +1875,37 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) error++; if (!error) { - dbentry.len = t1; - dbentry.n_key_data = t4; - dbentry.e_length = t5; + dbentry->len = t1; + dbentry->n_key_data = t4; + dbentry->e_length = t5; if (kp) { memset(kp, 0, (size_t) (t4*sizeof(krb5_key_data))); - dbentry.key_data = kp; + dbentry->key_data = kp; kp = (krb5_key_data *) NULL; } if (op) { memset(op, 0, (size_t) t5); - dbentry.e_data = op; + dbentry->e_data = op; op = (krb5_octet *) NULL; } /* Read in and parse the principal name */ if (!read_string(filep, name, t2, linenop) && - !(kret = krb5_parse_name(kcontext, name, &dbentry.princ))) { + !(kret = krb5_parse_name(kcontext, name, &dbentry->princ))) { /* Get the fixed principal attributes */ nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t", &t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9); if (nread == 8) { - dbentry.attributes = (krb5_flags) t2; - dbentry.max_life = (krb5_deltat) t3; - dbentry.max_renewable_life = (krb5_deltat) t4; - dbentry.expiration = (krb5_timestamp) t5; - dbentry.pw_expiration = (krb5_timestamp) t6; - dbentry.last_success = (krb5_timestamp) t7; - dbentry.last_failed = (krb5_timestamp) t8; - dbentry.fail_auth_count = (krb5_kvno) t9; - dbentry.mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | + dbentry->attributes = (krb5_flags) t2; + dbentry->max_life = (krb5_deltat) t3; + dbentry->max_renewable_life = (krb5_deltat) t4; + dbentry->expiration = (krb5_timestamp) t5; + dbentry->pw_expiration = (krb5_timestamp) t6; + dbentry->last_success = (krb5_timestamp) t7; + dbentry->last_failed = (krb5_timestamp) t8; + dbentry->fail_auth_count = (krb5_kvno) t9; + dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT; @@ -1922,8 +1924,8 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) * it at dump time has almost as good an effect, so * that's what I did. [krb5-admin/89] */ - if (!error && dbentry.n_tl_data) { - for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) { + if (!error && dbentry->n_tl_data) { + for (tl = dbentry->tl_data; tl; tl = tl->tl_data_next) { nread = fscanf(filep, "%d\t%d\t", &t1, &t2); if (nread == 2) { tl->tl_data_type = (krb5_int16) t1; @@ -1947,7 +1949,7 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) * Assuming aux_attributes will always be * there */ - dbentry.mask |= KADM5_AUX_ATTRIBUTES; + dbentry->mask |= KADM5_AUX_ATTRIBUTES; /* test for an actual policy reference */ memset(&osa_princ_ent, 0, sizeof(osa_princ_ent)); @@ -1957,7 +1959,7 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) (osa_princ_ent.aux_attributes & KADM5_POLICY) && osa_princ_ent.policy != NULL) { - dbentry.mask |= KADM5_POLICY; + dbentry->mask |= KADM5_POLICY; kdb_free_entry(NULL, NULL, &osa_princ_ent); } xdr_destroy(&xdrs); @@ -1980,13 +1982,13 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) } } if (!error) - dbentry.mask |= KADM5_TL_DATA; + dbentry->mask |= KADM5_TL_DATA; } /* Get the key data */ - if (!error && dbentry.n_key_data) { - for (i=0; !error && (in_key_data) { + for (i=0; !error && (in_key_data); i++) { + kdatap = &dbentry->key_data[i]; nread = fscanf(filep, "%d\t%d\t", &t1, &t2); if (nread == 2) { kdatap->key_data_ver = (krb5_int16) t1; @@ -2028,14 +2030,14 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) } } if (!error) - dbentry.mask |= KADM5_KEY_DATA; + dbentry->mask |= KADM5_KEY_DATA; } /* Get the extra data */ - if (!error && dbentry.e_length) { + if (!error && dbentry->e_length) { if (read_octet_string(filep, - dbentry.e_data, - (int) dbentry.e_length)) { + dbentry->e_data, + (int) dbentry->e_length)) { try2read = read_econtents; error++; } @@ -2056,10 +2058,7 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) * We have either read in all the data or choked. */ if (!error) { - one = 1; - if ((kret = krb5_db_put_principal(kcontext, - &dbentry, - &one))) { + if ((kret = krb5_db_put_principal(kcontext, dbentry))) { fprintf(stderr, store_err_fmt, fname, *linenop, name, error_message(kret)); @@ -2092,7 +2091,7 @@ process_k5beta6_record(fname, kcontext, filep, flags, linenop) free(kp); if (name) free(name); - krb5_db_free_principal(kcontext, &dbentry, 1); + krb5_db_free_principal(kcontext, dbentry); } else { if (nread == EOF) diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c index cf2f2a7f2..087c3dc71 100644 --- a/src/kadmin/dbutil/kdb5_create.c +++ b/src/kadmin/dbutil/kdb5_create.c @@ -421,47 +421,49 @@ add_principal(context, princ, op, pblock) struct realm_info *pblock; { krb5_error_code retval; - krb5_db_entry entry; + krb5_db_entry *entry; krb5_kvno mkey_kvno; krb5_timestamp now; struct iterate_args iargs; - int nentries = 1; krb5_actkvno_node actkvno; - memset(&entry, 0, sizeof(entry)); + entry = krb5_db_alloc(context, NULL, sizeof(*entry)); + if (entry == NULL) + return ENOMEM; + memset(entry, 0, sizeof(*entry)); - entry.len = KRB5_KDB_V1_BASE_LENGTH; - entry.attributes = pblock->flags; - entry.max_life = pblock->max_life; - entry.max_renewable_life = pblock->max_rlife; - entry.expiration = pblock->expiration; + entry->len = KRB5_KDB_V1_BASE_LENGTH; + entry->attributes = pblock->flags; + entry->max_life = pblock->max_life; + entry->max_renewable_life = pblock->max_rlife; + entry->expiration = pblock->expiration; - if ((retval = krb5_copy_principal(context, princ, &entry.princ))) + if ((retval = krb5_copy_principal(context, princ, &entry->princ))) goto error_out; if ((retval = krb5_timeofday(context, &now))) goto error_out; - if ((retval = krb5_dbe_update_mod_princ_data(context, &entry, + if ((retval = krb5_dbe_update_mod_princ_data(context, entry, now, &db_create_princ))) goto error_out; switch (op) { case MASTER_KEY: - if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data))) + if ((entry->key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data))) == NULL) goto error_out; - memset(entry.key_data, 0, sizeof(krb5_key_data)); - entry.n_key_data = 1; + memset(entry->key_data, 0, sizeof(krb5_key_data)); + entry->n_key_data = 1; if (global_params.mask & KADM5_CONFIG_KVNO) mkey_kvno = global_params.kvno; /* user specified */ else mkey_kvno = 1; /* Default */ - entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; + entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; if ((retval = krb5_dbe_encrypt_key_data(context, pblock->key, &master_keyblock, NULL, - mkey_kvno, entry.key_data))) + mkey_kvno, entry->key_data))) return retval; /* * There should always be at least one "active" mkey so creating the @@ -471,18 +473,18 @@ add_principal(context, princ, op, pblock) actkvno.act_kvno = mkey_kvno; /* earliest possible time in case system clock is set back */ actkvno.act_time = 0; - if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno))) + if ((retval = krb5_dbe_update_actkvno(context, entry, &actkvno))) return retval; /* so getprinc shows the right kvno */ - if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno))) + if ((retval = krb5_dbe_update_mkvno(context, entry, mkey_kvno))) return retval; break; case TGT_KEY: iargs.ctx = context; iargs.rblock = pblock; - iargs.dbentp = &entry; + iargs.dbentp = entry; /* * Iterate through the key/salt list, ignoring salt types. */ @@ -499,13 +501,13 @@ add_principal(context, princ, op, pblock) break; } - entry.mask = (KADM5_KEY_DATA | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | - KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA | - KADM5_PRINC_EXPIRE_TIME); + entry->mask = (KADM5_KEY_DATA | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | + KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA | + KADM5_PRINC_EXPIRE_TIME); - retval = krb5_db_put_principal(context, &entry, &nentries); + retval = krb5_db_put_principal(context, entry); -error_out:; - krb5_db_free_principal(context, &entry, 1); +error_out: + krb5_db_free_principal(context, entry); return retval; } diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index 9c397b6ab..4bd72e50e 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c @@ -196,14 +196,13 @@ kdb5_add_mkey(int argc, char *argv[]) char *mkey_fullname; char *pw_str = 0; unsigned int pw_size = 0; - int do_stash = 0, nentries = 0; - krb5_boolean more = 0; + int do_stash = 0; krb5_data pwd; krb5_kvno new_mkey_kvno; krb5_keyblock new_mkeyblock; krb5_enctype new_master_enctype = ENCTYPE_UNKNOWN; char *new_mkey_password; - krb5_db_entry master_entry; + krb5_db_entry *master_entry; krb5_timestamp now; /* @@ -247,26 +246,14 @@ kdb5_add_mkey(int argc, char *argv[]) return; } - retval = krb5_db_get_principal(util_context, master_princ, &master_entry, - &nentries, &more); + retval = krb5_db_get_principal(util_context, master_princ, 0, + &master_entry); if (retval != 0) { com_err(progname, retval, "while getting master key principal %s", mkey_fullname); exit_status++; goto cleanup_return; - } else if (nentries == 0) { - com_err(progname, KRB5_KDB_NOENTRY, - "principal %s not found in Kerberos database", - mkey_fullname); - exit_status++; - goto cleanup_return; - } else if (nentries > 1) { - com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, - "principal %s has multiple entries in Kerberos database", - mkey_fullname); - exit_status++; - goto cleanup_return; } printf("Creating new master key for master key principal '%s'\n", @@ -310,7 +297,7 @@ kdb5_add_mkey(int argc, char *argv[]) goto cleanup_return; } - retval = add_new_mkey(util_context, &master_entry, &new_mkeyblock, 0); + retval = add_new_mkey(util_context, master_entry, &new_mkeyblock, 0); if (retval) { com_err(progname, retval, "adding new master key to master principal"); exit_status++; @@ -323,14 +310,14 @@ kdb5_add_mkey(int argc, char *argv[]) goto cleanup_return; } - if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry, + if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry, now, master_princ))) { com_err(progname, retval, "while updating the master key principal modification time"); exit_status++; goto cleanup_return; } - if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) { + if ((retval = krb5_db_put_principal(util_context, master_entry))) { (void) krb5_db_fini(util_context); com_err(progname, retval, "while adding master key entry to the database"); exit_status++; @@ -375,9 +362,7 @@ kdb5_use_mkey(int argc, char *argv[]) krb5_timestamp now, start_time; krb5_actkvno_node *actkvno_list = NULL, *new_actkvno = NULL, *prev_actkvno, *cur_actkvno; - krb5_db_entry master_entry; - int nentries = 0; - krb5_boolean more = FALSE; + krb5_db_entry *master_entry; krb5_keylist_node *keylist_node; krb5_boolean inserted = FALSE; @@ -446,29 +431,17 @@ kdb5_use_mkey(int argc, char *argv[]) goto cleanup_return; } - retval = krb5_db_get_principal(util_context, master_princ, &master_entry, - &nentries, &more); + retval = krb5_db_get_principal(util_context, master_princ, 0, + &master_entry); if (retval != 0) { com_err(progname, retval, "while getting master key principal %s", mkey_fullname); exit_status++; goto cleanup_return; - } else if (nentries == 0) { - com_err(progname, KRB5_KDB_NOENTRY, - "principal %s not found in Kerberos database", - mkey_fullname); - exit_status++; - goto cleanup_return; - } else if (nentries > 1) { - com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, - "principal %s has multiple entries in Kerberos database", - mkey_fullname); - exit_status++; - goto cleanup_return; } - retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list); + retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list); if (retval != 0) { com_err(progname, retval, "while looking up active version of master key"); @@ -552,21 +525,21 @@ kdb5_use_mkey(int argc, char *argv[]) goto cleanup_return; } - if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry, + if ((retval = krb5_dbe_update_actkvno(util_context, master_entry, actkvno_list))) { com_err(progname, retval, "while updating actkvno data for master principal entry"); exit_status++; goto cleanup_return; } - if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry, + if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry, now, master_princ))) { com_err(progname, retval, "while updating the master key principal modification time"); exit_status++; goto cleanup_return; } - if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) { + if ((retval = krb5_db_put_principal(util_context, master_entry))) { (void) krb5_db_fini(util_context); com_err(progname, retval, "while adding master key entry to the database"); exit_status++; @@ -590,9 +563,7 @@ kdb5_list_mkeys(int argc, char *argv[]) krb5_kvno act_kvno; krb5_timestamp act_time; krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno; - krb5_db_entry master_entry; - int nentries = 0; - krb5_boolean more = FALSE; + krb5_db_entry *master_entry; krb5_keylist_node *cur_kb_node; krb5_keyblock *act_mkey; @@ -612,29 +583,17 @@ kdb5_list_mkeys(int argc, char *argv[]) return; } - retval = krb5_db_get_principal(util_context, master_princ, &master_entry, - &nentries, &more); + retval = krb5_db_get_principal(util_context, master_princ, 0, + &master_entry); if (retval != 0) { com_err(progname, retval, "while getting master key principal %s", mkey_fullname); exit_status++; goto cleanup_return; - } else if (nentries == 0) { - com_err(progname, KRB5_KDB_NOENTRY, - "principal %s not found in Kerberos database", - mkey_fullname); - exit_status++; - goto cleanup_return; - } else if (nentries > 1) { - com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, - "principal %s has multiple entries in Kerberos database", - mkey_fullname); - exit_status++; - goto cleanup_return; } - retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list); + retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list); if (retval != 0) { com_err(progname, retval, "while looking up active kvno list"); exit_status++; @@ -642,7 +601,7 @@ kdb5_list_mkeys(int argc, char *argv[]) } if (actkvno_list == NULL) { - act_kvno = master_entry.key_data[0].key_data_kvno; + act_kvno = master_entry->key_data[0].key_data_kvno; } else { retval = krb5_dbe_find_act_mkey(util_context, master_keylist, actkvno_list, &act_kvno, &act_mkey); @@ -834,7 +793,6 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent) krb5_error_code retval; int match; krb5_timestamp now; - int nentries = 1; int result; krb5_kvno old_mkvno; @@ -905,7 +863,7 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent) ent->mask |= KADM5_KEY_DATA; - if ((retval = krb5_db_put_principal(util_context, ent, &nentries))) { + if ((retval = krb5_db_put_principal(util_context, ent))) { com_err(progname, retval, "while updating principal '%s' key data in the database", pname); @@ -957,9 +915,7 @@ kdb5_update_princ_encryption(int argc, char *argv[]) int optchar; krb5_error_code retval; krb5_actkvno_node *actkvno_list = 0; - krb5_db_entry master_entry; - int nentries = 1; - krb5_boolean more = FALSE; + krb5_db_entry *master_entry; char *mkey_fullname = 0; #ifdef BSD_REGEXPS char *msg; @@ -1032,23 +988,16 @@ kdb5_update_princ_encryption(int argc, char *argv[]) goto cleanup; } - retval = krb5_db_get_principal(util_context, master_princ, &master_entry, - &nentries, &more); + retval = krb5_db_get_principal(util_context, master_princ, 0, + &master_entry); if (retval != 0) { com_err(progname, retval, "while getting master key principal %s", mkey_fullname); exit_status++; goto cleanup; } - if (nentries != 1) { - com_err(progname, 0, - "cannot find master key principal %s in database!", - mkey_fullname); - exit_status++; - goto cleanup; - } - retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list); + retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list); if (retval != 0) { com_err(progname, retval, "while looking up active kvno list"); exit_status++; @@ -1058,11 +1007,11 @@ kdb5_update_princ_encryption(int argc, char *argv[]) /* Master key is always stored encrypted in the latest version of itself. */ new_mkvno = krb5_db_get_key_data_kvno(util_context, - master_entry.n_key_data, - master_entry.key_data); + master_entry->n_key_data, + master_entry->key_data); retval = krb5_dbe_find_mkey(util_context, master_keylist, - &master_entry, &tmp_keyblock); + master_entry, &tmp_keyblock); if (retval) { com_err(progname, retval, "retrieving the most recent master key"); exit_status++; @@ -1154,9 +1103,7 @@ kdb5_purge_mkeys(int argc, char *argv[]) krb5_error_code retval; char *mkey_fullname = NULL; krb5_timestamp now; - krb5_db_entry master_entry; - int nentries = 0; - krb5_boolean more = FALSE; + krb5_db_entry *master_entry; krb5_boolean force = FALSE, dry_run = FALSE, verbose = FALSE; struct purge_args args; char buf[5]; @@ -1205,26 +1152,14 @@ kdb5_purge_mkeys(int argc, char *argv[]) return; } - retval = krb5_db_get_principal(util_context, master_princ, &master_entry, - &nentries, &more); + retval = krb5_db_get_principal(util_context, master_princ, 0, + &master_entry); if (retval != 0) { com_err(progname, retval, "while getting master key principal %s", mkey_fullname); exit_status++; goto cleanup_return; - } else if (nentries == 0) { - com_err(progname, KRB5_KDB_NOENTRY, - "principal %s not found in Kerberos database", - mkey_fullname); - exit_status++; - goto cleanup_return; - } else if (nentries > 1) { - com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, - "principal %s has multiple entries in Kerberos database", - mkey_fullname); - exit_status++; - goto cleanup_return; } if (!force) { @@ -1243,13 +1178,13 @@ kdb5_purge_mkeys(int argc, char *argv[]) } /* save the old keydata */ - old_key_data_count = master_entry.n_key_data; + old_key_data_count = master_entry->n_key_data; if (old_key_data_count == 1) { if (verbose) printf("There is only one master key which can not be purged.\n"); goto cleanup_return; } - old_key_data = master_entry.key_data; + old_key_data = master_entry->key_data; args.kvnos = (struct kvnos_in_use *) malloc(sizeof(struct kvnos_in_use) * old_key_data_count); if (args.kvnos == NULL) { @@ -1264,7 +1199,7 @@ kdb5_purge_mkeys(int argc, char *argv[]) /* populate the kvnos array with all the current mkvnos */ for (i = 0; i < old_key_data_count; i++) - args.kvnos[i].kvno = master_entry.key_data[i].key_data_kvno; + args.kvnos[i].kvno = master_entry->key_data[i].key_data_kvno; if ((retval = krb5_db_iterate(util_context, NULL, @@ -1310,29 +1245,29 @@ kdb5_purge_mkeys(int argc, char *argv[]) goto cleanup_return; } - retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list); + retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list); if (retval != 0) { com_err(progname, retval, "while looking up active kvno list"); exit_status++; goto cleanup_return; } - retval = krb5_dbe_lookup_mkey_aux(util_context, &master_entry, &mkey_aux_list); + retval = krb5_dbe_lookup_mkey_aux(util_context, master_entry, &mkey_aux_list); if (retval != 0) { com_err(progname, retval, "while looking up mkey aux data list"); exit_status++; goto cleanup_return; } - master_entry.key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * num_kvnos_inuse); - if (master_entry.key_data == NULL) { + master_entry->key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * num_kvnos_inuse); + if (master_entry->key_data == NULL) { retval = ENOMEM; com_err(progname, ENOMEM, "while allocating key_data"); exit_status++; goto cleanup_return; } - memset(master_entry.key_data, 0, sizeof(krb5_key_data) * num_kvnos_inuse); - master_entry.n_key_data = num_kvnos_inuse; /* there's only 1 mkey per kvno */ + memset(master_entry->key_data, 0, sizeof(krb5_key_data) * num_kvnos_inuse); + master_entry->n_key_data = num_kvnos_inuse; /* there's only 1 mkey per kvno */ /* * Assuming that the latest mkey will not be purged because it will always @@ -1342,7 +1277,7 @@ kdb5_purge_mkeys(int argc, char *argv[]) for (j = 0; j < args.num_kvnos; j++) { if (args.kvnos[j].kvno == (krb5_kvno) old_key_data[i].key_data_kvno) { if (args.kvnos[j].use_count != 0) { - master_entry.key_data[k++] = old_key_data[i]; + master_entry->key_data[k++] = old_key_data[i]; break; } else { /* remove unused mkey */ @@ -1397,7 +1332,7 @@ kdb5_purge_mkeys(int argc, char *argv[]) } assert(k == num_kvnos_inuse); - if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry, + if ((retval = krb5_dbe_update_actkvno(util_context, master_entry, actkvno_list))) { com_err(progname, retval, "while updating actkvno data for master principal entry"); @@ -1405,7 +1340,7 @@ kdb5_purge_mkeys(int argc, char *argv[]) goto cleanup_return; } - if ((retval = krb5_dbe_update_mkey_aux(util_context, &master_entry, + if ((retval = krb5_dbe_update_mkey_aux(util_context, master_entry, mkey_aux_list))) { com_err(progname, retval, "while updating mkey_aux data for master principal entry"); @@ -1419,7 +1354,7 @@ kdb5_purge_mkeys(int argc, char *argv[]) goto cleanup_return; } - if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry, + if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry, now, master_princ))) { com_err(progname, retval, "while updating the master key principal modification time"); @@ -1427,9 +1362,9 @@ kdb5_purge_mkeys(int argc, char *argv[]) goto cleanup_return; } - master_entry.mask |= KADM5_KEY_DATA; + master_entry->mask |= KADM5_KEY_DATA; - if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) { + if ((retval = krb5_db_put_principal(util_context, master_entry))) { (void) krb5_db_fini(util_context); com_err(progname, retval, "while adding master key entry to the database"); exit_status++; diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c index 09b0d0704..6c8e364c6 100644 --- a/src/kadmin/dbutil/kdb5_util.c +++ b/src/kadmin/dbutil/kdb5_util.c @@ -110,7 +110,7 @@ krb5_keyblock master_keyblock; krb5_kvno master_kvno; /* fetched */ extern krb5_keylist_node *master_keylist; extern krb5_principal master_princ; -krb5_db_entry master_entry; +krb5_db_entry *master_entry = NULL; int valid_master_key = 0; char *progname; @@ -397,8 +397,6 @@ void set_dbname(argc, argv) static int open_db_and_mkey() { krb5_error_code retval; - int nentries; - krb5_boolean more; krb5_data scratch, pwd, seed; dbactive = FALSE; @@ -421,24 +419,12 @@ static int open_db_and_mkey() exit_status++; return(1); } - nentries = 1; - if ((retval = krb5_db_get_principal(util_context, master_princ, - &master_entry, &nentries, &more))) { + if ((retval = krb5_db_get_principal(util_context, master_princ, 0, + &master_entry))) { com_err(progname, retval, "while retrieving master entry"); exit_status++; (void) krb5_db_fini(util_context); return(1); - } else if (more) { - com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, - "while retrieving master entry"); - exit_status++; - (void) krb5_db_fini(util_context); - return(1); - } else if (!nentries) { - com_err(progname, KRB5_KDB_NOENTRY, "while retrieving master entry"); - exit_status++; - (void) krb5_db_fini(util_context); - return(1); } if (global_params.mask & KADM5_CONFIG_KVNO) @@ -549,9 +535,7 @@ add_random_key(argc, argv) { krb5_error_code ret; krb5_principal princ; - krb5_db_entry dbent; - int n; - krb5_boolean more; + krb5_db_entry *dbent; krb5_timestamp now; krb5_key_salt_tuple *keysalts = NULL; @@ -582,25 +566,12 @@ add_random_key(argc, argv) exit_status++; return; } - n = 1; - ret = krb5_db_get_principal(util_context, princ, &dbent, - &n, &more); + ret = krb5_db_get_principal(util_context, princ, 0, &dbent); if (ret) { com_err(me, ret, "while fetching principal %s", pr_str); exit_status++; return; } - if (n != 1) { - fprintf(stderr, "principal %s not found\n", pr_str); - exit_status++; - return; - } - if (more) { - fprintf(stderr, "principal %s not unique\n", pr_str); - krb5_db_free_principal(util_context, &dbent, 1); - exit_status++; - return; - } ret = krb5_string_to_keysalts(ks_str, ", \t", ":.-", 0, &keysalts, @@ -618,41 +589,40 @@ add_random_key(argc, argv) free_keysalts = 1; /* Find the mkey used to protect the existing keys */ - ret = krb5_dbe_find_mkey(util_context, master_keylist, &dbent, &tmp_mkey); + ret = krb5_dbe_find_mkey(util_context, master_keylist, dbent, &tmp_mkey); if (ret) { com_err(me, ret, "while finding mkey"); + krb5_db_free_principal(util_context, dbent); exit_status++; return; } - ret = krb5_dbe_ark(util_context, tmp_mkey, - keysalts, num_keysalts, - &dbent); + ret = krb5_dbe_ark(util_context, tmp_mkey, keysalts, num_keysalts, dbent); if (free_keysalts) free(keysalts); if (ret) { com_err(me, ret, "while randomizing principal %s", pr_str); - krb5_db_free_principal(util_context, &dbent, 1); + krb5_db_free_principal(util_context, dbent); exit_status++; return; } - dbent.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; + dbent->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; ret = krb5_timeofday(util_context, &now); if (ret) { com_err(me, ret, "while getting time"); - krb5_db_free_principal(util_context, &dbent, 1); + krb5_db_free_principal(util_context, dbent); exit_status++; return; } - ret = krb5_dbe_update_last_pwd_change(util_context, &dbent, now); + ret = krb5_dbe_update_last_pwd_change(util_context, dbent, now); if (ret) { com_err(me, ret, "while setting changetime"); - krb5_db_free_principal(util_context, &dbent, 1); + krb5_db_free_principal(util_context, dbent); exit_status++; return; } - ret = krb5_db_put_principal(util_context, &dbent, &n); - krb5_db_free_principal(util_context, &dbent, 1); + ret = krb5_db_put_principal(util_context, dbent); + krb5_db_free_principal(util_context, dbent); if (ret) { com_err(me, ret, "while saving principal %s", pr_str); exit_status++; diff --git a/src/kadmin/dbutil/ovload.c b/src/kadmin/dbutil/ovload.c index e2afd5844..de677a25b 100644 --- a/src/kadmin/dbutil/ovload.c +++ b/src/kadmin/dbutil/ovload.c @@ -108,11 +108,10 @@ int process_ov_principal(fname, kcontext, filep, verbose, linenop) krb5_error_code ret; krb5_tl_data tl_data; krb5_principal princ; - krb5_db_entry kdb; + krb5_db_entry *kdb = NULL; char *current = 0; char *cp; - int x, one; - krb5_boolean more; + int x; char line[LINESIZE]; if (fgets(line, LINESIZE, filep) == (char *) NULL) { @@ -187,16 +186,15 @@ int process_ov_principal(fname, kcontext, filep, verbose, linenop) tl_data.tl_data_length = xdr_getpos(&xdrs); tl_data.tl_data_contents = (krb5_octet *) xdralloc_getdata(&xdrs); - one = 1; - ret = krb5_db_get_principal(kcontext, princ, &kdb, &one, &more); + ret = krb5_db_get_principal(kcontext, princ, 0, &kdb); if (ret) goto done; - ret = krb5_dbe_update_tl_data(kcontext, &kdb, &tl_data); + ret = krb5_dbe_update_tl_data(kcontext, kdb, &tl_data); if (ret) goto done; - ret = krb5_db_put_principal(kcontext, &kdb, &one); + ret = krb5_db_put_principal(kcontext, kdb); if (ret) goto done; @@ -208,5 +206,6 @@ done: free(current); krb5_free_principal(kcontext, princ); osa_free_princ_ent(rec); + krb5_db_free_principal(kcontext, kdb); return ret; } diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 18ce37f27..57070f517 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -93,14 +93,12 @@ krb5_error_code process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, const krb5_fulladdr *from, krb5_data **response) { - krb5_db_entry client, server; + krb5_db_entry *client = NULL, *server = NULL; krb5_kdc_rep reply; krb5_enc_kdc_rep_part reply_encpart; krb5_ticket ticket_reply; krb5_enc_tkt_part enc_tkt_reply; krb5_error_code errcode; - int c_nprincs = 0, s_nprincs = 0; - krb5_boolean more; krb5_timestamp kdc_time, authtime = 0; krb5_keyblock session_key; const char *status; @@ -201,33 +199,25 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (include_pac_p(kdc_context, request)) { setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC); } - c_nprincs = 1; - if ((errcode = krb5_db_get_principal_ext(kdc_context, request->client, - c_flags, &client, &c_nprincs, - &more))) { - status = "LOOKING_UP_CLIENT"; - c_nprincs = 0; - goto errout; - } - - if (more) { - status = "NON-UNIQUE_CLIENT"; - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto errout; - } else if (c_nprincs != 1) { + errcode = krb5_db_get_principal(kdc_context, request->client, + c_flags, &client); + if (errcode == KRB5_KDB_NOENTRY) { status = "CLIENT_NOT_FOUND"; if (vague_errors) errcode = KRB5KRB_ERR_GENERIC; else errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto errout; + } else if (errcode) { + status = "LOOKING_UP_CLIENT"; + goto errout; } /* * If the backend returned a principal that is not in the local * realm, then we need to refer the client to that realm. */ - if (!is_local_principal(client.princ)) { + if (!is_local_principal(client->princ)) { /* Entry is a referral to another realm */ status = "REFERRAL"; errcode = KRB5KDC_ERR_WRONG_REALM; @@ -239,7 +229,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, * Turn off canonicalization if client is marked DES only * (unless enterprise principal name was requested) */ - if (isflagset(client.attributes, KRB5_KDB_NON_MS_PRINCIPAL) && + if (isflagset(client->attributes, KRB5_KDB_NON_MS_PRINCIPAL) && krb5_princ_type(kdc_context, request->client) != KRB5_NT_ENTERPRISE_PRINCIPAL) { clear(c_flags, KRB5_KDB_FLAG_CANONICALIZE); @@ -250,21 +240,15 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) { setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); } - s_nprincs = 1; - if ((errcode = krb5_db_get_principal_ext(kdc_context, request->server, - s_flags, &server, - &s_nprincs, &more))) { - status = "LOOKING_UP_SERVER"; - goto errout; - } - if (more) { - status = "NON-UNIQUE_SERVER"; - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto errout; - } else if (s_nprincs != 1) { + errcode = krb5_db_get_principal(kdc_context, request->server, + s_flags, &server); + if (errcode == KRB5_KDB_NOENTRY) { status = "SERVER_NOT_FOUND"; errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto errout; + } else if (errcode) { + status = "LOOKING_UP_SERVER"; + goto errout; } if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) { @@ -273,7 +257,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } authtime = kdc_time; /* for audit_as_request() */ - if ((errcode = validate_as_request(request, client, server, + if ((errcode = validate_as_request(request, *client, *server, kdc_time, &status, &e_data))) { if (!status) status = "UNKNOWN_REASON"; @@ -284,7 +268,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* * Select the keytype for the ticket session key. */ - if ((useenctype = select_session_keytype(kdc_context, &server, + if ((useenctype = select_session_keytype(kdc_context, server, request->nktypes, request->ktype)) == 0) { /* unsupported ktype */ @@ -306,8 +290,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, */ if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) && krb5_is_tgs_principal(request->server) && - krb5_is_tgs_principal(server.princ)) { - ticket_reply.server = server.princ; + krb5_is_tgs_principal(server->princ)) { + ticket_reply.server = server->princ; } else { ticket_reply.server = request->server; } @@ -335,11 +319,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, enc_tkt_reply.session = &session_key; if (isflagset(c_flags, KRB5_KDB_FLAG_CANONICALIZE)) { - client_princ = *(client.princ); + client_princ = *(client->princ); } else { client_princ = *(request->client); /* The realm is always canonicalized */ - client_princ.realm = *(krb5_princ_realm(context, client.princ)); + client_princ.realm = *(krb5_princ_realm(context, client->princ)); } enc_tkt_reply.client = &client_princ; enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; @@ -356,12 +340,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, enc_tkt_reply.times.starttime, kdc_infinity, request->till, - &client, - &server, + client, + server, &enc_tkt_reply.times.endtime); if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && - !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) && + !isflagset(client->attributes, KRB5_KDB_DISALLOW_RENEWABLE) && (enc_tkt_reply.times.endtime < request->till)) { /* we set the RENEWABLE option for later processing */ @@ -379,8 +363,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE); enc_tkt_reply.times.renew_till = min(rtime, enc_tkt_reply.times.starttime + - min(client.max_renewable_life, - min(server.max_renewable_life, + min(client->max_renewable_life, + min(server->max_renewable_life, max_renewable_life_for_realm))); } else enc_tkt_reply.times.renew_till = 0; /* XXX */ @@ -413,17 +397,17 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } enc_tkt_reply.client = request->client; - setflag(client.attributes, KRB5_KDB_REQUIRES_PRE_AUTH); + setflag(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH); } /* * Check the preauthentication if it is there. */ if (request->padata) { - errcode = check_padata(kdc_context, &client, req_pkt, request, + errcode = check_padata(kdc_context, client, req_pkt, request, &enc_tkt_reply, &pa_context, &e_data); if (errcode) { if (errcode == KRB5KDC_ERR_PREAUTH_FAILED) - get_preauth_hint_list(request, &client, &server, &e_data); + get_preauth_hint_list(request, client, server, &e_data); status = "PREAUTH_FAILED"; if (vague_errors) @@ -437,14 +421,14 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, * preauthentication, verify that the proper kind of * preauthentication was carried out. */ - status = missing_required_preauth(&client, &server, &enc_tkt_reply); + status = missing_required_preauth(client, server, &enc_tkt_reply); if (status) { errcode = KRB5KDC_ERR_PREAUTH_REQUIRED; - get_preauth_hint_list(request, &client, &server, &e_data); + get_preauth_hint_list(request, client, server, &e_data); goto errout; } - if ((errcode = validate_forwardable(request, client, server, + if ((errcode = validate_forwardable(request, *client, *server, kdc_time, &status))) { errcode += ERROR_TABLE_BASE_krb5; goto errout; @@ -455,7 +439,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* * Find the server key */ - if ((errcode = krb5_dbe_find_enctype(kdc_context, &server, + if ((errcode = krb5_dbe_find_enctype(kdc_context, server, -1, /* ignore keytype */ -1, /* Ignore salttype */ 0, /* Get highest kvno */ @@ -464,7 +448,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server, &mkey_ptr))) { /* try refreshing master key list */ /* XXX it would nice if we had the mkvno here for optimization */ @@ -473,7 +457,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, - &server, &mkey_ptr))) { + server, &mkey_ptr))) { status = "FINDING_MASTER_KEY"; goto errout; } @@ -484,7 +468,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } /* - * Convert server.key into a real key + * Convert server->key into a real key * (it may be encrypted in the database) * * server_keyblock is later used to generate auth data signatures @@ -506,7 +490,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (!krb5_c_valid_enctype(useenctype)) continue; - if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1, + if (!krb5_dbe_find_enctype(kdc_context, client, useenctype, -1, 0, &client_key)) break; } @@ -517,7 +501,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client, + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, client, &mkey_ptr))) { /* try refreshing master key list */ /* XXX it would nice if we had the mkvno here for optimization */ @@ -526,7 +510,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, - &client, &mkey_ptr))) { + client, &mkey_ptr))) { status = "FINDING_MASTER_KEY"; goto errout; } @@ -550,12 +534,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, reply.client = enc_tkt_reply.client; /* post canonicalization */ reply.ticket = &ticket_reply; reply_encpart.session = &session_key; - if ((errcode = fetch_last_req_info(&client, &reply_encpart.last_req))) { + if ((errcode = fetch_last_req_info(client, &reply_encpart.last_req))) { status = "FETCH_LAST_REQ"; goto errout; } reply_encpart.nonce = request->nonce; - reply_encpart.key_exp = client.expiration; + reply_encpart.key_exp = client->expiration; reply_encpart.flags = enc_tkt_reply.flags; reply_encpart.server = ticket_reply.server; @@ -571,7 +555,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* Fetch the padata info to be returned (do this before * authdata to handle possible replacement of reply key */ - errcode = return_padata(kdc_context, &client, req_pkt, request, + errcode = return_padata(kdc_context, client, req_pkt, request, &reply, client_key, &client_keyblock, &pa_context); if (errcode) { status = "KDC_RETURN_PADATA"; @@ -587,9 +571,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = handle_authdata(kdc_context, c_flags, - &client, - &server, - &server, + client, + server, + server, &client_keyblock, &server_keyblock, &server_keyblock, @@ -629,7 +613,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } errcode = return_enc_padata(kdc_context, req_pkt, request, - as_encrypting_key, &server, &reply_encpart, + as_encrypting_key, server, &reply_encpart, FALSE); if (errcode) { status = "KDC_RETURN_ENC_PADATA"; @@ -649,7 +633,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); free(reply.enc_part.ciphertext.data); - log_as_req(from, request, &reply, &client, cname, &server, sname, + log_as_req(from, request, &reply, client, cname, server, sname, authtime, 0, 0, 0); did_log = 1; @@ -668,7 +652,7 @@ egress: emsg = krb5_get_error_message(kdc_context, errcode); if (status) { - log_as_req(from, request, &reply, &client, cname, &server, sname, + log_as_req(from, request, &reply, client, cname, server, sname, authtime, status, errcode, emsg); did_log = 1; } @@ -681,7 +665,7 @@ egress: errcode = KRB_ERR_GENERIC; errcode = prepare_error_as(state, request, errcode, &e_data, - c_nprincs ? client.princ : NULL, + (client != NULL) ? client->princ : NULL, response, status); status = 0; } @@ -703,10 +687,8 @@ egress: free(cname); if (sname != NULL) free(sname); - if (c_nprincs) - krb5_db_free_principal(kdc_context, &client, c_nprincs); - if (s_nprincs) - krb5_db_free_principal(kdc_context, &server, s_nprincs); + krb5_db_free_principal(kdc_context, client); + krb5_db_free_principal(kdc_context, server); if (session_key.contents != NULL) krb5_free_keyblock_contents(kdc_context, &session_key); if (ticket_reply.enc_part.ciphertext.data != NULL) { diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 827f65cb3..eeafa071c 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -72,9 +72,8 @@ #include "adm_proto.h" #include -static void -find_alternate_tgs(krb5_kdc_req *,krb5_db_entry *, - krb5_boolean *,int *); +static krb5_error_code +find_alternate_tgs(krb5_kdc_req *,krb5_db_entry **); static krb5_error_code prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int, @@ -91,7 +90,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, krb5_keyblock * subkey = 0; krb5_keyblock * tgskey = 0; krb5_kdc_req *request = 0; - krb5_db_entry server; + krb5_db_entry *server = NULL; krb5_kdc_rep reply; krb5_enc_kdc_rep_part reply_encpart; krb5_ticket ticket_reply, *header_ticket = 0; @@ -101,8 +100,6 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, int newtransited = 0; krb5_error_code retval = 0; krb5_keyblock encrypting_key; - int nprincs = 0; - krb5_boolean more; krb5_timestamp kdc_time, authtime = 0; krb5_keyblock session_key; krb5_timestamp rtime; @@ -118,8 +115,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, const char *status = 0; krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */ krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */ - krb5_db_entry client, krbtgt; - int c_nprincs = 0, k_nprincs = 0; + krb5_db_entry *client = NULL, *krbtgt = NULL; krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */ krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */ unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */ @@ -157,8 +153,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, return retval; } errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket, - &krbtgt, &k_nprincs, &tgskey, - &subkey, &pa_tgs_req); + &krbtgt, &tgskey, &subkey, &pa_tgs_req); if (header_ticket && header_ticket->enc_part2 && (errcode2 = krb5_unparse_name(kdc_context, header_ticket->enc_part2->client, @@ -217,30 +212,20 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, db_ref_done = FALSE; ref_tgt_again: - nprincs = 1; if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) { status = "UNPARSING SERVER"; goto cleanup; } limit_string(sname); - errcode = krb5_db_get_principal_ext(kdc_context, - request->server, - s_flags, - &server, - &nprincs, - &more); - if (errcode) { + errcode = krb5_db_get_principal(kdc_context, request->server, + s_flags, &server); + if (errcode && errcode != KRB5_KDB_NOENTRY) { status = "LOOKING_UP_SERVER"; - nprincs = 0; goto cleanup; } tgt_again: - if (more) { - status = "NON_UNIQUE_PRINCIPAL"; - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto cleanup; - } else if (nprincs != 1) { + if (errcode == KRB5_KDB_NOENTRY) { /* * might be a request for a TGT for some other realm; we * should do our best to find such a TGS in this db @@ -256,13 +241,11 @@ tgt_again: tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1); if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { - krb5_db_free_principal(kdc_context, &server, nprincs); - find_alternate_tgs(request, &server, &more, &nprincs); + errcode = find_alternate_tgs(request, &server); firstpass = 0; goto tgt_again; } } - krb5_db_free_principal(kdc_context, &server, nprincs); status = "UNKNOWN_SERVER"; errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto cleanup; @@ -283,7 +266,6 @@ tgt_again: } } - krb5_db_free_principal(kdc_context, &server, nprincs); status = "UNKNOWN_SERVER"; errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto cleanup; @@ -294,7 +276,7 @@ tgt_again: goto cleanup; } - if ((retval = validate_tgs_request(request, server, header_ticket, + if ((retval = validate_tgs_request(request, *server, header_ticket, kdc_time, &status, &e_data))) { if (!status) status = "UNKNOWN_REASON"; @@ -305,20 +287,19 @@ tgt_again: if (!is_local_principal(header_enc_tkt->client)) setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); - is_referral = krb5_is_tgs_principal(server.princ) && - !krb5_principal_compare(kdc_context, tgs_server, server.princ); + is_referral = krb5_is_tgs_principal(server->princ) && + !krb5_principal_compare(kdc_context, tgs_server, server->princ); /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client, - &server, + server, subkey, header_enc_tkt->session, kdc_time, &s4u_x509_user, &client, - &c_nprincs, &status); if (errcode) goto cleanup; @@ -342,8 +323,7 @@ tgt_again: krb5_keyblock * st_sealing_key; krb5_kvno st_srv_kvno; krb5_enctype etype; - krb5_db_entry st_client; - int st_nprincs = 0; + krb5_db_entry *st_client; /* * Get the key for the second ticket, and decrypt it. @@ -352,7 +332,6 @@ tgt_again: c_flags, TRUE, /* match_enctype */ &st_client, - &st_nprincs, &st_sealing_key, &st_srv_kvno))) { status = "2ND_TKT_SERVER"; @@ -363,7 +342,7 @@ tgt_again: krb5_free_keyblock(kdc_context, st_sealing_key); if (errcode) { status = "2ND_TKT_DECRYPT"; - krb5_db_free_principal(kdc_context, &st_client, st_nprincs); + krb5_db_free_principal(kdc_context, st_client); goto cleanup; } @@ -371,7 +350,7 @@ tgt_again: if (!krb5_c_valid_enctype(etype)) { status = "BAD_ETYPE_IN_2ND_TKT"; errcode = KRB5KDC_ERR_ETYPE_NOSUPP; - krb5_db_free_principal(kdc_context, &st_client, st_nprincs); + krb5_db_free_principal(kdc_context, st_client); goto cleanup; } @@ -387,7 +366,7 @@ tgt_again: errcode = kdc_process_s4u2proxy_req(kdc_context, request, request->second_ticket[st_idx]->enc_part2, - &st_client, + st_client, header_ticket->enc_part2->client, request->server, &status); @@ -398,13 +377,11 @@ tgt_again: assert(krb5_is_tgs_principal(header_ticket->server)); - assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */ - + assert(client == NULL); /* assured by kdc_process_s4u2self_req() */ client = st_client; - c_nprincs = st_nprincs; } else { /* "client" is not used for user2user */ - krb5_db_free_principal(kdc_context, &st_client, st_nprincs); + krb5_db_free_principal(kdc_context, st_client); } } @@ -412,7 +389,7 @@ tgt_again: * Select the keytype for the ticket session key. */ if ((useenctype == 0) && - (useenctype = select_session_keytype(kdc_context, &server, + (useenctype = select_session_keytype(kdc_context, server, request->nktypes, request->ktype)) == 0) { /* unsupported ktype */ @@ -443,14 +420,14 @@ tgt_again: authtime = subject_tkt->times.authtime; if (is_referral) - ticket_reply.server = server.princ; + ticket_reply.server = server->princ; else ticket_reply.server = request->server; /* XXX careful for realm... */ enc_tkt_reply.flags = 0; enc_tkt_reply.times.starttime = 0; - if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) + if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE)) setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); /* @@ -487,8 +464,8 @@ tgt_again: * Consider this block the S4U2Self equivalent to * validate_forwardable(). */ - if (c_nprincs && - isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) + if (client != NULL && + isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); /* * Forwardable flag is propagated along referral path. @@ -500,7 +477,7 @@ tgt_again: * S4U2Self in order for forwardable tickets to be returned. */ else if (!is_referral && - !isflagset(server.attributes, + !isflagset(server->attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); } @@ -569,13 +546,9 @@ tgt_again: /* not a renew request */ enc_tkt_reply.times.starttime = kdc_time; - kdc_get_ticket_endtime(kdc_context, - enc_tkt_reply.times.starttime, - header_enc_tkt->times.endtime, - request->till, - &client, - &server, - &enc_tkt_reply.times.endtime); + kdc_get_ticket_endtime(kdc_context, enc_tkt_reply.times.starttime, + header_enc_tkt->times.endtime, request->till, + client, server, &enc_tkt_reply.times.endtime); if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && (enc_tkt_reply.times.endtime < request->till) && @@ -595,7 +568,7 @@ tgt_again: min(rtime, min(header_enc_tkt->times.renew_till, enc_tkt_reply.times.starttime + - min(server.max_renewable_life, + min(server->max_renewable_life, max_renewable_life_for_realm))); } else { enc_tkt_reply.times.renew_till = 0; @@ -642,7 +615,7 @@ tgt_again: /* * Find the server key */ - if ((errcode = krb5_dbe_find_enctype(kdc_context, &server, + if ((errcode = krb5_dbe_find_enctype(kdc_context, server, -1, /* ignore keytype */ -1, /* Ignore salttype */ 0, /* Get highest kvno */ @@ -651,7 +624,7 @@ tgt_again: goto cleanup; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server, &mkey_ptr))) { krb5_keylist_node *tmp_mkey_list; /* try refreshing master key list */ @@ -661,7 +634,7 @@ tgt_again: krb5_dbe_free_key_list(kdc_context, master_keylist); master_keylist = tmp_mkey_list; if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, - &server, &mkey_ptr))) { + server, &mkey_ptr))) { status = "FINDING_MASTER_KEY"; goto cleanup; } @@ -689,9 +662,9 @@ tgt_again: * delegation is requested. We don't want to deny the server * the ability to validate that delegation was used. */ - clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED); + clear(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED); } - if (isflagset(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) { + if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) { /* * If we are not doing protocol transition/constrained delegation * try to lookup the client principal so plugins can add additional @@ -706,27 +679,10 @@ tgt_again: /* Map principals from foreign (possibly non-AD) realms */ setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS); - assert(c_nprincs == 0); /* should not have been looked up already */ + assert(client == NULL); /* should not have been set already */ - c_nprincs = 1; - errcode = krb5_db_get_principal_ext(kdc_context, - subject_tkt->client, - c_flags, - &client, - &c_nprincs, - &more); - /* - * We can ignore errors because the principal may be a - * valid cross-realm principal for which we have no local - * mapping. But we do want to check that at most one entry - * was returned. - */ - if (errcode == 0 && (more || c_nprincs > 1)) { - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto cleanup; - } else if (errcode) { - c_nprincs = 0; - } + errcode = krb5_db_get_principal(kdc_context, subject_tkt->client, + c_flags, &client); } } @@ -740,11 +696,7 @@ tgt_again: enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */ - errcode = handle_authdata(kdc_context, - c_flags, - (c_nprincs != 0) ? &client : NULL, - &server, - (k_nprincs != 0) ? &krbtgt : NULL, + errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt, subkey != NULL ? subkey : header_ticket->enc_part2->session, &encrypting_key, /* U2U or server key */ @@ -802,8 +754,7 @@ tgt_again: } if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) { errcode = validate_transit_path(kdc_context, header_enc_tkt->client, - &server, - (k_nprincs != 0) ? &krbtgt : NULL); + server, krbtgt); if (errcode) { status = "NON_TRANSITIVE"; goto cleanup; @@ -953,7 +904,7 @@ tgt_again: goto cleanup; } errcode = return_enc_padata(kdc_context, pkt, request, - reply_key, &server, &reply_encpart, + reply_key, server, &reply_encpart, is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)); @@ -1005,7 +956,7 @@ cleanup: errcode = KRB_ERR_GENERIC; retval = prepare_error_tgs(state, request, header_ticket, errcode, - nprincs ? server.princ : NULL, + (server != NULL) ? server->princ : NULL, response, status, &e_data); if (got_err) { krb5_free_error_message (kdc_context, status); @@ -1023,16 +974,13 @@ cleanup: free(cname); if (sname != NULL) free(sname); - if (nprincs != 0) - krb5_db_free_principal(kdc_context, &server, 1); + krb5_db_free_principal(kdc_context, server); + krb5_db_free_principal(kdc_context, krbtgt); + krb5_db_free_principal(kdc_context, client); if (session_key.contents != NULL) krb5_free_keyblock_contents(kdc_context, &session_key); if (newtransited) free(enc_tkt_reply.transited.tr_contents.data); - if (k_nprincs) - krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs); - if (c_nprincs) - krb5_db_free_principal(kdc_context, &client, c_nprincs); if (s4u_x509_user != NULL) krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user); if (kdc_issued_auth_data != NULL) @@ -1108,16 +1056,15 @@ prepare_error_tgs (struct kdc_request_state *state, * but we don't have a ticket for the final TGS. Try to give the requestor * some intermediate realm. */ -static void -find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, - krb5_boolean *more, int *nprincs) +static krb5_error_code +find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry **server_ptr) { krb5_error_code retval; - krb5_principal *plist, *pl2; + krb5_principal *plist = NULL, *pl2, tmpprinc; krb5_data tmp; + krb5_db_entry *server = NULL; - *nprincs = 0; - *more = FALSE; + *server_ptr = NULL; /* * Call to krb5_princ_component is normally not safe but is so @@ -1129,7 +1076,7 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, krb5_princ_realm(kdc_context, request->server), krb5_princ_component(kdc_context, request->server, 1), &plist, KRB5_REALM_BRANCH_CHAR))) - return; + return retval; /* move to the end */ for (pl2 = plist; *pl2; pl2++); @@ -1137,49 +1084,38 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, /* the first entry in this array is for krbtgt/local@local, so we ignore it */ while (--pl2 > plist) { - *nprincs = 1; tmp = *krb5_princ_realm(kdc_context, *pl2); krb5_princ_set_realm(kdc_context, *pl2, krb5_princ_realm(kdc_context, tgs_server)); - retval = get_principal(kdc_context, *pl2, server, nprincs, more); + retval = krb5_db_get_principal(kdc_context, *pl2, 0, &server); krb5_princ_set_realm(kdc_context, *pl2, &tmp); - if (retval) { - *nprincs = 0; - *more = FALSE; - krb5_free_realm_tree(kdc_context, plist); - return; - } - if (*more) { - krb5_db_free_principal(kdc_context, server, *nprincs); + if (retval == KRB5_KDB_NOENTRY) continue; - } else if (*nprincs == 1) { - /* Found it! */ - krb5_principal tmpprinc; - - tmp = *krb5_princ_realm(kdc_context, *pl2); - krb5_princ_set_realm(kdc_context, *pl2, - krb5_princ_realm(kdc_context, tgs_server)); - if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) { - krb5_db_free_principal(kdc_context, server, *nprincs); - krb5_princ_set_realm(kdc_context, *pl2, &tmp); - continue; - } - krb5_princ_set_realm(kdc_context, *pl2, &tmp); + else if (retval) + goto cleanup; - krb5_free_principal(kdc_context, request->server); - request->server = tmpprinc; - log_tgs_alt_tgt(request->server); - krb5_free_realm_tree(kdc_context, plist); - return; - } - krb5_db_free_principal(kdc_context, server, *nprincs); - continue; + /* Found it. */ + tmp = *krb5_princ_realm(kdc_context, *pl2); + krb5_princ_set_realm(kdc_context, *pl2, + krb5_princ_realm(kdc_context, tgs_server)); + retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc); + if (retval) + goto cleanup; + krb5_princ_set_realm(kdc_context, *pl2, &tmp); + + krb5_free_principal(kdc_context, request->server); + request->server = tmpprinc; + log_tgs_alt_tgt(request->server); + *server_ptr = server; + server = NULL; + goto cleanup; } + retval = KRB5_KDB_NOENTRY; - *nprincs = 0; - *more = FALSE; +cleanup: krb5_free_realm_tree(kdc_context, plist); - return; + krb5_db_free_principal(kdc_context, server); + return retval; } static krb5_int32 diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index d754edcf4..4c413d07e 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -2081,9 +2081,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, */ { - int npr = 1; - krb5_boolean more; - krb5_db_entry assoc; + krb5_db_entry *assoc; krb5_key_data *assoc_key; krb5_principal newp; int probeslot; @@ -2105,9 +2103,8 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, krb5_princ_component(kdc_context,newp,probeslot)->data = sam_ptr->name; krb5_princ_component(kdc_context,newp,probeslot)->length = strlen(sam_ptr->name); - npr = 1; - retval = get_principal(kdc_context, newp, &assoc, &npr, &more); - if(!retval && npr) { + retval = krb5_db_get_principal(kdc_context, newp, 0, &assoc); + if(retval == 0) { sc.sam_type = sam_ptr->sam_type; break; } @@ -2123,8 +2120,8 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, if (sc.sam_type) { /* so use assoc to get the key out! */ { - if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc, - &mkey_ptr))) { + if ((retval = krb5_dbe_find_mkey(context, master_keylist, + assoc, &mkey_ptr))) { krb5_keylist_node *tmp_mkey_list; /* try refreshing the mkey list in case it's been updated */ if (krb5_db_fetch_mkey_list(context, master_princ, @@ -2133,7 +2130,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, krb5_dbe_free_key_list(context, master_keylist); master_keylist = tmp_mkey_list; if ((retval = krb5_dbe_find_mkey(context, master_keylist, - &assoc, &mkey_ptr))) { + assoc, &mkey_ptr))) { return (retval); } } else { @@ -2142,7 +2139,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, } /* here's what do_tgs_req does */ - retval = krb5_dbe_find_enctype(kdc_context, &assoc, + retval = krb5_dbe_find_enctype(kdc_context, assoc, ENCTYPE_DES_CBC_RAW, KRB5_KDB_SALTTYPE_NORMAL, 0, /* Get highest kvno */ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 61fd9b345..3d03ca3ed 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -243,7 +243,7 @@ find_pa_data(krb5_pa_data **padata, krb5_preauthtype pa_type) krb5_error_code kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, krb5_data *pkt, krb5_ticket **ticket, - krb5_db_entry *krbtgt, int *nprincs, + krb5_db_entry **krbtgt_ptr, krb5_keyblock **tgskey, krb5_keyblock **subkey, krb5_pa_data **pa_tgs_req) @@ -259,8 +259,9 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, krb5_authenticator * authenticator = NULL; krb5_checksum * his_cksum = NULL; krb5_kvno kvno = 0; + krb5_db_entry * krbtgt = NULL; - *nprincs = 0; + *krbtgt_ptr = NULL; *tgskey = NULL; tmppa = find_pa_data(request->padata, KRB5_PADATA_AP_REQ); @@ -304,7 +305,7 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, #endif if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server, - krbtgt, nprincs, tgskey, &kvno))) + &krbtgt, tgskey, &kvno))) goto cleanup_auth_context; /* * We do not use the KDB keytab because other parts of the TGS need the TGT key. @@ -409,11 +410,15 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, if (!(retval = encode_krb5_kdc_req_body(request, &scratch))) retval = comp_cksum(kdc_context, scratch, *ticket, his_cksum); krb5_free_data(kdc_context, scratch); + if (retval) + goto cleanup_authenticator; } } - if (retval == 0) - *pa_tgs_req = tmppa; + *pa_tgs_req = tmppa; + *krbtgt_ptr = krbtgt; + krbtgt = NULL; + cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); @@ -430,6 +435,7 @@ cleanup: *tgskey = NULL; } krb5_free_ap_req(kdc_context, apreq); + krb5_db_free_principal(kdc_context, krbtgt); return retval; } @@ -442,38 +448,30 @@ cleanup: */ krb5_error_code kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, - krb5_boolean match_enctype, krb5_db_entry *server, - int *nprincs, krb5_keyblock **key, krb5_kvno *kvno) + krb5_boolean match_enctype, krb5_db_entry **server_ptr, + krb5_keyblock **key, krb5_kvno *kvno) { krb5_error_code retval; - krb5_boolean more, similar; + krb5_boolean similar; krb5_key_data * server_key; krb5_keyblock * mkey_ptr; + krb5_db_entry * server = NULL; - *nprincs = 1; + *server_ptr = NULL; - retval = krb5_db_get_principal_ext(kdc_context, - ticket->server, - flags, - server, - nprincs, - &more); - if (retval) { - return(retval); - } - if (more) { - return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); - } else if (*nprincs != 1) { + retval = krb5_db_get_principal(kdc_context, ticket->server, flags, + &server); + if (retval == KRB5_KDB_NOENTRY) { char *sname; - if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { limit_string(sname); krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", sname); free(sname); } - return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); - } + return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + } else if (retval) + return retval; if (server->attributes & KRB5_KDB_DISALLOW_SVR || server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) { retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; @@ -526,12 +524,10 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, } (*key)->enctype = ticket->enc_part.enctype; *kvno = server_key->key_data_kvno; + *server_ptr = server; + server = NULL; errout: - if (retval != 0) { - krb5_db_free_principal(kdc_context, server, *nprincs); - *nprincs = 0; - } - + krb5_db_free_principal(kdc_context, server); return retval; } @@ -1724,28 +1720,6 @@ rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep) return; } -krb5_error_code -get_principal_locked (krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry *entries, int *nentries, - krb5_boolean *more) -{ - return krb5_db_get_principal (kcontext, search_for, entries, nentries, - more); -} - -krb5_error_code -get_principal (krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry *entries, int *nentries, krb5_boolean *more) -{ - /* Eventually this will be used to manage locking while looking up - principals in the database. */ - return get_principal_locked (kcontext, search_for, entries, nentries, - more); -} - - krb5_error_code sign_db_authdata (krb5_context context, unsigned int flags, @@ -2122,17 +2096,15 @@ kdc_process_s4u2self_req(krb5_context context, krb5_keyblock *tgs_session, krb5_timestamp kdc_time, krb5_pa_s4u_x509_user **s4u_x509_user, - krb5_db_entry *princ, - int *nprincs, + krb5_db_entry **princ_ptr, const char **status) { krb5_error_code code; krb5_pa_data *pa_data; - krb5_boolean more; int flags; + krb5_db_entry *princ; - *nprincs = 0; - memset(princ, 0, sizeof(*princ)); + *princ_ptr = NULL; pa_data = find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER); if (pa_data != NULL) { @@ -2227,23 +2199,14 @@ kdc_process_s4u2self_req(krb5_context context, krb5_data e_data; e_data.data = NULL; - *nprincs = 1; - code = krb5_db_get_principal_ext(context, - (*s4u_x509_user)->user_id.user, - KRB5_KDB_FLAG_INCLUDE_PAC, - princ, nprincs, &more); - if (code) { - *status = "LOOKING_UP_S4U2SELF_PRINCIPAL"; - *nprincs = 0; - return code; /* caller can free for_user */ - } - - if (more) { - *status = "NON_UNIQUE_S4U2SELF_PRINCIPAL"; - return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - } else if (*nprincs != 1) { + code = krb5_db_get_principal(context, (*s4u_x509_user)->user_id.user, + KRB5_KDB_FLAG_INCLUDE_PAC, &princ); + if (code == KRB5_KDB_NOENTRY) { *status = "UNKNOWN_S4U2SELF_PRINCIPAL"; return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + } else if (code) { + *status = "LOOKING_UP_S4U2SELF_PRINCIPAL"; + return code; /* caller can free for_user */ } memset(&no_server, 0, sizeof(no_server)); @@ -2251,9 +2214,12 @@ kdc_process_s4u2self_req(krb5_context context, code = validate_as_request(request, *princ, no_server, kdc_time, status, &e_data); if (code) { + krb5_db_free_principal(context, princ); krb5_free_data_contents(context, &e_data); return code; } + + *princ_ptr = princ; } return 0; @@ -2654,7 +2620,7 @@ kdc_get_ticket_endtime(krb5_context context, life = until - starttime; - if (client->max_life != 0) + if (client != NULL && client->max_life != 0) life = min(life, client->max_life); if (server->max_life != 0) life = min(life, server->max_life); diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index d6a2d720c..a1bde886c 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -63,16 +63,14 @@ kdc_process_tgs_req (krb5_kdc_req *, const krb5_fulladdr *, krb5_data *, krb5_ticket **, - krb5_db_entry *krbtgt, - int *nprincs, + krb5_db_entry **krbtgt_ptr, krb5_keyblock **, krb5_keyblock **, krb5_pa_data **pa_tgs_req); krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int, krb5_boolean match_enctype, - krb5_db_entry *, int *, - krb5_keyblock **, krb5_kvno *); + krb5_db_entry **, krb5_keyblock **, krb5_kvno *); int validate_as_request (krb5_kdc_req *, krb5_db_entry, @@ -236,16 +234,6 @@ void kdc_free_lookaside(krb5_context); /* kdc_util.c */ void reset_for_hangup(void); -krb5_error_code -get_principal_locked (krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry *entries, int *nentries, - krb5_boolean *more); -krb5_error_code -get_principal (krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry *entries, int *nentries, krb5_boolean *more); - krb5_boolean include_pac_p(krb5_context context, krb5_kdc_req *request); @@ -281,8 +269,7 @@ kdc_process_s4u2self_req (krb5_context context, krb5_keyblock *tgs_session, krb5_timestamp kdc_time, krb5_pa_s4u_x509_user **s4u2self_req, - krb5_db_entry *princ, - int *nprincs, + krb5_db_entry **princ_ptr, const char **status); krb5_error_code diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h index 3276b2727..cc589fad2 100644 --- a/src/lib/kadm5/server_internal.h +++ b/src/lib/kadm5/server_internal.h @@ -77,8 +77,8 @@ krb5_error_code kdb_get_hist_key(kadm5_server_handle_t handle, krb5_keyblock *hist_keyblock, krb5_kvno *hist_kvno); krb5_error_code kdb_get_entry(kadm5_server_handle_t handle, - krb5_principal principal, krb5_db_entry *kdb, - osa_princ_ent_rec *adb); + krb5_principal principal, + krb5_db_entry **kdb, osa_princ_ent_rec *adb); krb5_error_code kdb_free_entry(kadm5_server_handle_t handle, krb5_db_entry *kdb, osa_princ_ent_rec *adb); krb5_error_code kdb_put_entry(kadm5_server_handle_t handle, diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports index fa8d69c51..6da95bd7c 100644 --- a/src/lib/kadm5/srv/libkadm5srv_mit.exports +++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports @@ -55,7 +55,6 @@ kadm5_setv4key_principal kadm5_unlock kdb_delete_entry kdb_free_entry -kdb_get_entry kdb_init_hist kdb_init_master kdb_iter_entry diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index d986b626e..cb60971c0 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -175,7 +175,7 @@ kdb_get_hist_key(kadm5_server_handle_t handle, krb5_keyblock *hist_keyblock, krb5_kvno *hist_kvno) { krb5_error_code ret; - krb5_db_entry kdb; + krb5_db_entry *kdb; krb5_keyblock *mkey; /* Fetch the history principal, creating it if necessary. */ @@ -189,27 +189,26 @@ kdb_get_hist_key(kadm5_server_handle_t handle, krb5_keyblock *hist_keyblock, if (ret) return ret; - if (kdb.n_key_data <= 0) { + if (kdb->n_key_data <= 0) { ret = KRB5_KDB_NO_MATCHING_KEY; krb5_set_error_message(handle->context, ret, "History entry contains no key data"); goto done; } - ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb, - &mkey); + ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb, &mkey); if (ret) goto done; - ret = krb5_dbe_decrypt_key_data(handle->context, mkey, &kdb.key_data[0], + ret = krb5_dbe_decrypt_key_data(handle->context, mkey, &kdb->key_data[0], hist_keyblock, NULL); if (ret) goto done; - *hist_kvno = kdb.key_data[0].key_data_kvno; + *hist_kvno = kdb->key_data[0].key_data_kvno; done: - kdb_free_entry(handle, &kdb, NULL); + kdb_free_entry(handle, kdb, NULL); return ret; } @@ -223,7 +222,7 @@ done: * * handle (r) the server_handle * principal (r) the principal to get - * kdb (w) krb5_db_entry to fill in + * kdb (w) krb5_db_entry to create * adb (w) osa_princ_ent_rec to fill in * * when the caller is done with kdb and adb, kdb_free_entry must be @@ -233,27 +232,21 @@ done: */ krb5_error_code kdb_get_entry(kadm5_server_handle_t handle, - krb5_principal principal, krb5_db_entry *kdb, + krb5_principal principal, krb5_db_entry **kdb_ptr, osa_princ_ent_rec *adb) { krb5_error_code ret; - int nprincs; - krb5_boolean more; krb5_tl_data tl_data; XDR xdrs; + krb5_db_entry *kdb; - ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs, - &more); - if (ret) - return(ret); + *kdb_ptr = NULL; - if (more) { - krb5_db_free_principal(handle->context, kdb, nprincs); - return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); - } else if (nprincs != 1) { - krb5_db_free_principal(handle->context, kdb, nprincs); + ret = krb5_db_get_principal(handle->context, principal, 0, &kdb); + if (ret == KRB5_KDB_NOENTRY) return(KADM5_UNK_PRINC); - } + if (ret) + return(ret); if (adb) { memset(adb, 0, sizeof(*adb)); @@ -274,7 +267,7 @@ kdb_get_entry(kadm5_server_handle_t handle, data will get stored correctly. */ adb->admin_history_kvno = INITIAL_HIST_KVNO; - + *kdb_ptr = kdb; return(ret); } @@ -282,12 +275,13 @@ kdb_get_entry(kadm5_server_handle_t handle, tl_data.tl_data_length, XDR_DECODE); if (! xdr_osa_princ_ent_rec(&xdrs, adb)) { xdr_destroy(&xdrs); - krb5_db_free_principal(handle->context, kdb, 1); + krb5_db_free_principal(handle->context, kdb); return(KADM5_XDR_FAILURE); } xdr_destroy(&xdrs); } + *kdb_ptr = kdb; return(0); } @@ -314,7 +308,7 @@ kdb_free_entry(kadm5_server_handle_t handle, if (kdb) - krb5_db_free_principal(handle->context, kdb, 1); + krb5_db_free_principal(handle->context, kdb); if (adb) { xdrmem_create(&xdrs, NULL, 0, XDR_FREE); @@ -351,7 +345,6 @@ kdb_put_entry(kadm5_server_handle_t handle, krb5_int32 now; XDR xdrs; krb5_tl_data tl_data; - int one; ret = krb5_timeofday(handle->context, &now); if (ret) @@ -378,12 +371,10 @@ kdb_put_entry(kadm5_server_handle_t handle, if (ret) return(ret); - one = 1; - /* we are always updating TL data */ kdb->mask |= KADM5_TL_DATA; - ret = krb5_db_put_principal(handle->context, kdb, &one); + ret = krb5_db_put_principal(handle->context, kdb); if (ret) return(ret); @@ -393,11 +384,11 @@ kdb_put_entry(kadm5_server_handle_t handle, krb5_error_code kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name) { - int one = 1; krb5_error_code ret; - ret = krb5_db_delete_principal(handle->context, name, &one); - + ret = krb5_db_delete_principal(handle->context, name); + if (ret == KRB5_KDB_NOENTRY) + ret = 0; return ret; } diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c index 1d3ccbc66..65f5db164 100644 --- a/src/lib/kadm5/srv/svr_policy.c +++ b/src/lib/kadm5/srv/svr_policy.c @@ -173,7 +173,6 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name) kadm5_server_handle_t handle = server_handle; osa_policy_ent_t entry; int ret; - int cnt=1; CHECK_HANDLE(server_handle); @@ -183,10 +182,11 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name) return EINVAL; if(strlen(name) == 0) return KADM5_BAD_POLICY; - if((ret = krb5_db_get_policy(handle->context, name, &entry,&cnt))) - return ret; - if( cnt != 1 ) + ret = krb5_db_get_policy(handle->context, name, &entry); + if (ret == KRB5_KDB_NOENTRY) return KADM5_UNK_POLICY; + else if (ret) + return ret; if(entry->policy_refcnt != 0) { krb5_db_free_policy(handle->context, entry); @@ -220,7 +220,6 @@ kadm5_modify_policy_internal(void *server_handle, kadm5_server_handle_t handle = server_handle; osa_policy_ent_t p; int ret; - int cnt=1; CHECK_HANDLE(server_handle); @@ -231,10 +230,11 @@ kadm5_modify_policy_internal(void *server_handle, if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; - if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) - return ret; - if (cnt != 1) + ret = krb5_db_get_policy(handle->context, entry->policy, &p); + if (ret == KRB5_KDB_NOENTRY) return KADM5_UNK_POLICY; + else if (ret) + return ret; if ((mask & KADM5_PW_MAX_LIFE)) p->pw_max_life = entry->pw_max_life; @@ -289,7 +289,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, osa_policy_ent_t t; int ret; kadm5_server_handle_t handle = server_handle; - int cnt=1; CHECK_HANDLE(server_handle); @@ -299,11 +298,11 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, return EINVAL; if(strlen(name) == 0) return KADM5_BAD_POLICY; - if((ret = krb5_db_get_policy(handle->context, name, &t, &cnt))) - return ret; - - if( cnt != 1 ) + ret = krb5_db_get_policy(handle->context, name, &t); + if (ret == KRB5_KDB_NOENTRY) return KADM5_UNK_POLICY; + else if (ret) + return ret; if ((entry->policy = strdup(t->name)) == NULL) { krb5_db_free_policy(handle->context, t); diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 451e4ff02..6b14d3ba6 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -224,9 +224,10 @@ kadm5_create_principal_3(void *server_handle, int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, char *password) { - krb5_db_entry kdb; + krb5_db_entry *kdb; osa_princ_ent_rec adb; kadm5_policy_ent_rec polent; + krb5_boolean have_polent = FALSE; krb5_int32 now; krb5_tl_data *tl_data_orig, *tl_data_tail; unsigned int ret; @@ -264,13 +265,16 @@ kadm5_create_principal_3(void *server_handle, case KADM5_UNK_PRINC: break; case 0: - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return KADM5_DUP; default: return ret; } - memset(&kdb, 0, sizeof(krb5_db_entry)); + kdb = krb5_db_alloc(handle->context, NULL, sizeof(*kdb)); + if (kdb == NULL) + return ENOMEM; + memset(kdb, 0, sizeof(*kdb)); memset(&adb, 0, sizeof(osa_princ_ent_rec)); /* @@ -280,101 +284,84 @@ kadm5_create_principal_3(void *server_handle, if ((mask & KADM5_POLICY)) { if ((ret = kadm5_get_policy(handle->lhandle, entry->policy, &polent)) != KADM5_OK) { - if(ret == EINVAL) - return KADM5_BAD_POLICY; - else - return ret; + if (ret == EINVAL) + ret = KADM5_BAD_POLICY; + if (ret) + goto cleanup; } + have_polent = TRUE; } if (password) { - ret = passwd_check(handle, password, (mask & KADM5_POLICY), - &polent, entry->principal); - if (ret) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; - } + ret = passwd_check(handle, password, have_polent, &polent, + entry->principal); + if (ret) + goto cleanup; } /* * Start populating the various DB fields, using the * "defaults" for fields that were not specified by the * mask. */ - if ((ret = krb5_timeofday(handle->context, &now))) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; - } + if ((ret = krb5_timeofday(handle->context, &now))) + goto cleanup; - kdb.magic = KRB5_KDB_MAGIC_NUMBER; - kdb.len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */ + kdb->magic = KRB5_KDB_MAGIC_NUMBER; + kdb->len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */ if ((mask & KADM5_ATTRIBUTES)) - kdb.attributes = entry->attributes; + kdb->attributes = entry->attributes; else - kdb.attributes = handle->params.flags; + kdb->attributes = handle->params.flags; if ((mask & KADM5_MAX_LIFE)) - kdb.max_life = entry->max_life; + kdb->max_life = entry->max_life; else - kdb.max_life = handle->params.max_life; + kdb->max_life = handle->params.max_life; if (mask & KADM5_MAX_RLIFE) - kdb.max_renewable_life = entry->max_renewable_life; + kdb->max_renewable_life = entry->max_renewable_life; else - kdb.max_renewable_life = handle->params.max_rlife; + kdb->max_renewable_life = handle->params.max_rlife; if ((mask & KADM5_PRINC_EXPIRE_TIME)) - kdb.expiration = entry->princ_expire_time; + kdb->expiration = entry->princ_expire_time; else - kdb.expiration = handle->params.expiration; + kdb->expiration = handle->params.expiration; - kdb.pw_expiration = 0; - if ((mask & KADM5_POLICY)) { + kdb->pw_expiration = 0; + if (have_polent) { if(polent.pw_max_life) - kdb.pw_expiration = now + polent.pw_max_life; + kdb->pw_expiration = now + polent.pw_max_life; else - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } if ((mask & KADM5_PW_EXPIRATION)) - kdb.pw_expiration = entry->pw_expiration; + kdb->pw_expiration = entry->pw_expiration; - kdb.last_success = 0; - kdb.last_failed = 0; - kdb.fail_auth_count = 0; + kdb->last_success = 0; + kdb->last_failed = 0; + kdb->fail_auth_count = 0; /* this is kind of gross, but in order to free the tl data, I need to free the entire kdb entry, and that will try to free the principal. */ if ((ret = kadm5_copy_principal(handle->context, - entry->principal, &(kdb.princ)))) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } + entry->principal, &(kdb->princ)))) + goto cleanup; - if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } + if ((ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now))) + goto cleanup; if (mask & KADM5_TL_DATA) { - /* splice entry->tl_data onto the front of kdb.tl_data */ - tl_data_orig = kdb.tl_data; + /* splice entry->tl_data onto the front of kdb->tl_data */ + tl_data_orig = kdb->tl_data; for (tl_data_tail = entry->tl_data; tl_data_tail; tl_data_tail = tl_data_tail->tl_data_next) { - ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl_data_tail); + ret = krb5_dbe_update_tl_data(handle->context, kdb, tl_data_tail); if( ret ) - { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; - } + goto cleanup; } } @@ -382,42 +369,29 @@ kadm5_create_principal_3(void *server_handle, ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, active_mkey_list, &act_kvno, &act_mkey); - if (ret) { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return (ret); - } + if (ret) + goto cleanup; if (password) { ret = krb5_dbe_cpw(handle->context, act_mkey, n_ks_tuple?ks_tuple:handle->params.keysalts, n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, password, (mask & KADM5_KVNO)?entry->kvno:1, - FALSE, &kdb); + FALSE, kdb); } else { /* Null password means create with random key (new in 1.8). */ ret = krb5_dbe_crk(handle->context, &master_keyblock, n_ks_tuple?ks_tuple:handle->params.keysalts, n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - FALSE, &kdb); - } - if (ret) { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); + FALSE, kdb); } + if (ret) + goto cleanup; /* Record the master key VNO used to encrypt this entry's keys */ - ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno); + ret = krb5_dbe_update_mkvno(handle->context, kdb, act_kvno); if (ret) - { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; - } + goto cleanup; /* populate the admin-server-specific fields. In the OV server, this used to be in a separate database. Since there's already @@ -426,7 +400,7 @@ kadm5_create_principal_3(void *server_handle, single tl_data record, */ adb.admin_history_kvno = INITIAL_HIST_KVNO; - if ((mask & KADM5_POLICY)) { + if (have_polent) { adb.aux_attributes = KADM5_POLICY; /* this does *not* need to be strdup'ed, because adb is xdr */ @@ -437,28 +411,23 @@ kadm5_create_principal_3(void *server_handle, /* increment the policy ref count, if any */ - if ((mask & KADM5_POLICY)) { + if (have_polent) { polent.policy_refcnt++; if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, KADM5_REF_COUNT)) - != KADM5_OK) { - krb5_db_free_principal(handle->context, &kdb, 1); - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); - } + != KADM5_OK) + goto cleanup; } /* In all cases key and the principal data is set, let the database provider know */ - kdb.mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ; + kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ; /* store the new db entry */ - ret = kdb_put_entry(handle, &kdb, &adb); + ret = kdb_put_entry(handle, kdb, &adb); - krb5_db_free_principal(handle->context, &kdb, 1); if (ret) { - if ((mask & KADM5_POLICY)) { + if (have_polent) { /* decrement the policy ref count */ polent.policy_refcnt--; @@ -469,16 +438,13 @@ kadm5_create_principal_3(void *server_handle, (void) kadm5_modify_policy_internal(handle->lhandle, &polent, KADM5_REF_COUNT); } - - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); } - if (mask & KADM5_POLICY) +cleanup: + krb5_db_free_principal(handle->context, kdb); + if (have_polent) (void) kadm5_free_policy_ent(handle->lhandle, &polent); - - return KADM5_OK; + return ret; } @@ -487,7 +453,7 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal) { unsigned int ret; kadm5_policy_ent_rec polent; - krb5_db_entry kdb; + krb5_db_entry *kdb; osa_princ_ent_rec adb; kadm5_server_handle_t handle = server_handle; @@ -510,19 +476,19 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal) KADM5_REF_COUNT)) != KADM5_OK) { (void) kadm5_free_policy_ent(handle->lhandle, &polent); - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return(ret); } } if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) { - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return ret; } } ret = kdb_delete_entry(handle, principal); - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return ret; } @@ -534,7 +500,7 @@ kadm5_modify_principal(void *server_handle, int ret, ret2, i; kadm5_policy_ent_rec npol, opol; int have_npol = 0, have_opol = 0; - krb5_db_entry kdb; + krb5_db_entry *kdb; krb5_tl_data *tl_data_orig; osa_princ_ent_rec adb; kadm5_server_handle_t handle = server_handle; @@ -620,13 +586,13 @@ kadm5_modify_principal(void *server_handle, /* set pw_max_life based on new policy */ if (npol.pw_max_life) { - ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, - &(kdb.pw_expiration)); + ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, + &(kdb->pw_expiration)); if (ret) goto done; - kdb.pw_expiration += npol.pw_max_life; + kdb->pw_expiration += npol.pw_max_life; } else { - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } } @@ -646,7 +612,7 @@ kadm5_modify_principal(void *server_handle, free(adb.policy); adb.policy = NULL; adb.aux_attributes &= ~KADM5_POLICY; - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; opol.policy_refcnt--; break; default: @@ -667,19 +633,19 @@ kadm5_modify_principal(void *server_handle, goto done; if ((mask & KADM5_ATTRIBUTES)) - kdb.attributes = entry->attributes; + kdb->attributes = entry->attributes; if ((mask & KADM5_MAX_LIFE)) - kdb.max_life = entry->max_life; + kdb->max_life = entry->max_life; if ((mask & KADM5_PRINC_EXPIRE_TIME)) - kdb.expiration = entry->princ_expire_time; + kdb->expiration = entry->princ_expire_time; if (mask & KADM5_PW_EXPIRATION) - kdb.pw_expiration = entry->pw_expiration; + kdb->pw_expiration = entry->pw_expiration; if (mask & KADM5_MAX_RLIFE) - kdb.max_renewable_life = entry->max_renewable_life; + kdb->max_renewable_life = entry->max_renewable_life; if((mask & KADM5_KVNO)) { - for (i = 0; i < kdb.n_key_data; i++) - kdb.key_data[i].key_data_kvno = entry->kvno; + for (i = 0; i < kdb->n_key_data; i++) + kdb->key_data[i].key_data_kvno = entry->kvno; } if (mask & KADM5_TL_DATA) { @@ -690,7 +656,7 @@ kadm5_modify_principal(void *server_handle, for (tl = entry->tl_data; tl; tl = tl->tl_data_next) { - ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl); + ret = krb5_dbe_update_tl_data(handle->context, kdb, tl); if( ret ) { goto done; @@ -709,13 +675,13 @@ kadm5_modify_principal(void *server_handle, goto done; } - kdb.fail_auth_count = 0; + kdb->fail_auth_count = 0; } /* let the mask propagate to the database provider */ - kdb.mask = mask; + kdb->mask = mask; - ret = kdb_put_entry(handle, &kdb, &adb); + ret = kdb_put_entry(handle, kdb, &adb); if (ret) goto done; ret = KADM5_OK; @@ -728,7 +694,7 @@ done: ret2 = kadm5_free_policy_ent(handle->lhandle, &npol); ret = ret ? ret : ret2; } - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return ret; } @@ -736,7 +702,7 @@ kadm5_ret_t kadm5_rename_principal(void *server_handle, krb5_principal source, krb5_principal target) { - krb5_db_entry kdb; + krb5_db_entry *kdb; osa_princ_ent_rec adb; int ret, i; kadm5_server_handle_t handle = server_handle; @@ -749,7 +715,7 @@ kadm5_rename_principal(void *server_handle, return EINVAL; if ((ret = kdb_get_entry(handle, target, &kdb, &adb)) == 0) { - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return(KADM5_DUP); } @@ -758,28 +724,28 @@ kadm5_rename_principal(void *server_handle, /* this is kinda gross, but unavoidable */ - for (i=0; in_key_data; i++) { + if ((kdb->key_data[i].key_data_ver == 1) || + (kdb->key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) { ret = KADM5_NO_RENAME_SALT; goto done; } } - kadm5_free_principal(handle->context, kdb.princ); - ret = kadm5_copy_principal(handle->context, target, &kdb.princ); + kadm5_free_principal(handle->context, kdb->princ); + ret = kadm5_copy_principal(handle->context, target, &kdb->princ); if (ret) { - kdb.princ = NULL; /* so freeing the dbe doesn't lose */ + kdb->princ = NULL; /* so freeing the dbe doesn't lose */ goto done; } - if ((ret = kdb_put_entry(handle, &kdb, &adb))) + if ((ret = kdb_put_entry(handle, kdb, &adb))) goto done; ret = kdb_delete_entry(handle, source); done: - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return ret; } @@ -788,7 +754,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, kadm5_principal_ent_t entry, long in_mask) { - krb5_db_entry kdb; + krb5_db_entry *kdb; osa_princ_ent_rec adb; krb5_error_code ret = 0; long mask; @@ -826,29 +792,29 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, entry->aux_attributes = adb.aux_attributes; if ((mask & KADM5_PRINCIPAL) && - (ret = krb5_copy_principal(handle->context, kdb.princ, + (ret = krb5_copy_principal(handle->context, kdb->princ, &entry->principal))) { goto done; } if (mask & KADM5_PRINC_EXPIRE_TIME) - entry->princ_expire_time = kdb.expiration; + entry->princ_expire_time = kdb->expiration; if ((mask & KADM5_LAST_PWD_CHANGE) && - (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, + (ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &(entry->last_pwd_change)))) { goto done; } if (mask & KADM5_PW_EXPIRATION) - entry->pw_expiration = kdb.pw_expiration; + entry->pw_expiration = kdb->pw_expiration; if (mask & KADM5_MAX_LIFE) - entry->max_life = kdb.max_life; + entry->max_life = kdb->max_life; /* this is a little non-sensical because the function returns two */ /* values that must be checked separately against the mask */ if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) { - ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb, + ret = krb5_dbe_lookup_mod_princ_data(handle->context, kdb, &(entry->mod_date), &(entry->mod_name)); if (ret) { @@ -864,34 +830,34 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, } if (mask & KADM5_ATTRIBUTES) - entry->attributes = kdb.attributes; + entry->attributes = kdb->attributes; if (mask & KADM5_KVNO) - for (entry->kvno = 0, i=0; i entry->kvno) - entry->kvno = kdb.key_data[i].key_data_kvno; + for (entry->kvno = 0, i=0; in_key_data; i++) + if (kdb->key_data[i].key_data_kvno > entry->kvno) + entry->kvno = kdb->key_data[i].key_data_kvno; if (mask & KADM5_MKVNO) { - ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, + ret = krb5_dbe_get_mkvno(handle->context, kdb, master_keylist, &entry->mkvno); if (ret) goto done; } if (mask & KADM5_MAX_RLIFE) - entry->max_renewable_life = kdb.max_renewable_life; + entry->max_renewable_life = kdb->max_renewable_life; if (mask & KADM5_LAST_SUCCESS) - entry->last_success = kdb.last_success; + entry->last_success = kdb->last_success; if (mask & KADM5_LAST_FAILED) - entry->last_failed = kdb.last_failed; + entry->last_failed = kdb->last_failed; if (mask & KADM5_FAIL_AUTH_COUNT) - entry->fail_auth_count = kdb.fail_auth_count; + entry->fail_auth_count = kdb->fail_auth_count; if (mask & KADM5_TL_DATA) { krb5_tl_data *tl, *tl2; entry->tl_data = NULL; - tl = kdb.tl_data; + tl = kdb->tl_data; while (tl) { if (tl->tl_data_type > 255) { if ((tl2 = dup_tl_data(tl)) == NULL) { @@ -907,7 +873,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, } } if (mask & KADM5_KEY_DATA) { - entry->n_key_data = kdb.n_key_data; + entry->n_key_data = kdb->n_key_data; if(entry->n_key_data) { entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data)); if (entry->key_data == NULL) { @@ -919,7 +885,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, for (i = 0; i < entry->n_key_data; i++) ret = krb5_copy_key_data_contents(handle->context, - &kdb.key_data[i], + &kdb->key_data[i], &entry->key_data[i]); if (ret) goto done; @@ -932,7 +898,7 @@ done: krb5_free_principal(handle->context, entry->principal); entry->principal = NULL; } - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return ret; } @@ -1338,7 +1304,7 @@ kadm5_chpass_principal_3(void *server_handle, krb5_int32 now; kadm5_policy_ent_rec pol; osa_princ_ent_rec adb; - krb5_db_entry kdb, kdb_save; + krb5_db_entry *kdb, *kdb_save; int ret, ret2, last_pwd, hist_added; int have_pol = 0; kadm5_server_handle_t handle = server_handle; @@ -1365,7 +1331,7 @@ kadm5_chpass_principal_3(void *server_handle, /* we are going to need the current keys after the new keys are set */ if ((ret = kdb_get_entry(handle, principal, &kdb_save, NULL))) { - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return(ret); } @@ -1388,15 +1354,15 @@ kadm5_chpass_principal_3(void *server_handle, n_ks_tuple?ks_tuple:handle->params.keysalts, n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, password, 0 /* increment kvno */, - keepold, &kdb); + keepold, kdb); if (ret) goto done; - ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno); + ret = krb5_dbe_update_mkvno(handle->context, kdb, act_kvno); if (ret) goto done; - kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; + kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; ret = krb5_timeofday(handle->context, &now); if (ret) @@ -1405,8 +1371,7 @@ kadm5_chpass_principal_3(void *server_handle, if ((adb.aux_attributes & KADM5_POLICY)) { /* the policy was loaded before */ - ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd); + ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd); if (ret) goto done; @@ -1418,7 +1383,7 @@ kadm5_chpass_principal_3(void *server_handle, * local caller implicitly has all authorization bits. */ if ((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { ret = KADM5_PASS_TOOSOON; goto done; } @@ -1430,13 +1395,13 @@ kadm5_chpass_principal_3(void *server_handle, ret = create_history_entry(handle->context, act_mkey, &hist_keyblock, - kdb_save.n_key_data, - kdb_save.key_data, &hist); + kdb_save->n_key_data, + kdb_save->key_data, &hist); if (ret) goto done; ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock, - kdb.n_key_data, kdb.key_data, + kdb->n_key_data, kdb->key_data, 1, &hist); if (ret) goto done; @@ -1446,7 +1411,7 @@ kadm5_chpass_principal_3(void *server_handle, * can't check the history. */ if (adb.admin_history_kvno == hist_kvno) { ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock, - kdb.n_key_data, kdb.key_data, + kdb->n_key_data, kdb->key_data, adb.old_key_len, adb.old_keys); if (ret) goto done; @@ -1460,11 +1425,11 @@ kadm5_chpass_principal_3(void *server_handle, } if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = now + pol.pw_max_life; else - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } else { - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } #ifdef USE_PASSWORD_SERVER @@ -1496,28 +1461,27 @@ kadm5_chpass_principal_3(void *server_handle, } #endif - ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); + ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now); if (ret) goto done; /* unlock principal on this KDC */ - kdb.fail_auth_count = 0; + kdb->fail_auth_count = 0; /* key data and attributes changed, let the database provider know */ - kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | + kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES | KADM5_FAIL_AUTH_COUNT; /* | KADM5_CPW_FUNCTION */ - if ((ret = kdb_put_entry(handle, &kdb, &adb))) + if ((ret = kdb_put_entry(handle, kdb, &adb))) goto done; ret = KADM5_OK; done: if (!hist_added && hist.key_data) free_history_entry(handle->context, &hist); - kdb_free_entry(handle, &kdb, &adb); - kdb_free_entry(handle, &kdb_save, NULL); - krb5_db_free_principal(handle->context, &kdb, 1); + kdb_free_entry(handle, kdb, &adb); + kdb_free_entry(handle, kdb_save, NULL); krb5_free_keyblock_contents(handle->context, &hist_keyblock); if (have_pol && (ret2 = kadm5_free_policy_ent(handle->lhandle, &pol)) @@ -1546,7 +1510,7 @@ kadm5_randkey_principal_3(void *server_handle, krb5_keyblock **keyblocks, int *n_keys) { - krb5_db_entry kdb; + krb5_db_entry *kdb; osa_princ_ent_rec adb; krb5_int32 now; kadm5_policy_ent_rec pol; @@ -1584,11 +1548,11 @@ kadm5_randkey_principal_3(void *server_handle, n_ks_tuple?ks_tuple:handle->params.keysalts, n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, keepold, - &kdb); + kdb); if (ret) goto done; - kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; + kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; ret = krb5_timeofday(handle->context, &now); if (ret) @@ -1600,8 +1564,7 @@ kadm5_randkey_principal_3(void *server_handle, goto done; have_pol = 1; - ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd); + ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd); if (ret) goto done; @@ -1613,45 +1576,45 @@ kadm5_randkey_principal_3(void *server_handle, * local caller implicitly has all authorization bits. */ if((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { ret = KADM5_PASS_TOOSOON; goto done; } #endif if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = now + pol.pw_max_life; else - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } else { - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } - ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); + ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now); if (ret) goto done; /* unlock principal on this KDC */ - kdb.fail_auth_count = 0; + kdb->fail_auth_count = 0; if (keyblocks) { ret = decrypt_key_data(handle->context, act_mkey, - kdb.n_key_data, kdb.key_data, + kdb->n_key_data, kdb->key_data, keyblocks, n_keys); if (ret) goto done; } /* key data changed, let the database provider know */ - kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; + kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; /* | KADM5_RANDKEY_USED */; - if ((ret = kdb_put_entry(handle, &kdb, &adb))) + if ((ret = kdb_put_entry(handle, kdb, &adb))) goto done; ret = KADM5_OK; done: - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); if (have_pol) kadm5_free_policy_ent(handle->lhandle, &pol); @@ -1670,7 +1633,7 @@ kadm5_setv4key_principal(void *server_handle, krb5_principal principal, krb5_keyblock *keyblock) { - krb5_db_entry kdb; + krb5_db_entry *kdb; osa_princ_ent_rec adb; krb5_int32 now; kadm5_policy_ent_rec pol; @@ -1702,18 +1665,18 @@ kadm5_setv4key_principal(void *server_handle, if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) return(ret); - for (kvno = 0, i=0; i kvno) - kvno = kdb.key_data[i].key_data_kvno; + for (kvno = 0, i=0; in_key_data; i++) + if (kdb->key_data[i].key_data_kvno > kvno) + kvno = kdb->key_data[i].key_data_kvno; - if (kdb.key_data != NULL) - cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); + if (kdb->key_data != NULL) + cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data); - kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data)); - if (kdb.key_data == NULL) + kdb->key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data)); + if (kdb->key_data == NULL) return ENOMEM; - memset(kdb.key_data, 0, sizeof(krb5_key_data)); - kdb.n_key_data = 1; + memset(kdb->key_data, 0, sizeof(krb5_key_data)); + kdb->n_key_data = 1; keysalt.type = KRB5_KDB_SALTTYPE_V4; /* XXX data.magic? */ keysalt.data.length = 0; @@ -1732,18 +1695,18 @@ kadm5_setv4key_principal(void *server_handle, } for (k = 0; k < tmp_key_data.key_data_ver; k++) { - kdb.key_data->key_data_type[k] = tmp_key_data.key_data_type[k]; - kdb.key_data->key_data_length[k] = tmp_key_data.key_data_length[k]; + kdb->key_data->key_data_type[k] = tmp_key_data.key_data_type[k]; + kdb->key_data->key_data_length[k] = tmp_key_data.key_data_length[k]; if (tmp_key_data.key_data_contents[k]) { - kdb.key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]); - if (kdb.key_data->key_data_contents[k] == NULL) { - cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); - kdb.key_data = NULL; - kdb.n_key_data = 0; + kdb->key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]); + if (kdb->key_data->key_data_contents[k] == NULL) { + cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data); + kdb->key_data = NULL; + kdb->n_key_data = 0; ret = ENOMEM; goto done; } - memcpy (kdb.key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); + memcpy (kdb->key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]); memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]); free (tmp_key_data.key_data_contents[k]); @@ -1753,7 +1716,7 @@ kadm5_setv4key_principal(void *server_handle, - kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; + kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; ret = krb5_timeofday(handle->context, &now); if (ret) @@ -1773,31 +1736,31 @@ kadm5_setv4key_principal(void *server_handle, * local caller implicitly has all authorization bits. */ if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd)) + kdb, &last_pwd)) goto done; if((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { ret = KADM5_PASS_TOOSOON; goto done; } #endif if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = now + pol.pw_max_life; else - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } else { - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } - ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); + ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now); if (ret) goto done; /* unlock principal on this KDC */ - kdb.fail_auth_count = 0; + kdb->fail_auth_count = 0; - if ((ret = kdb_put_entry(handle, &kdb, &adb))) + if ((ret = kdb_put_entry(handle, kdb, &adb))) goto done; ret = KADM5_OK; @@ -1809,7 +1772,7 @@ done: } } - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); if (have_pol) kadm5_free_policy_ent(handle->lhandle, &pol); @@ -1836,7 +1799,7 @@ kadm5_setkey_principal_3(void *server_handle, krb5_keyblock *keyblocks, int n_keys) { - krb5_db_entry kdb; + krb5_db_entry *kdb; osa_princ_ent_rec adb; krb5_int32 now; kadm5_policy_ent_rec pol; @@ -1887,29 +1850,29 @@ kadm5_setkey_principal_3(void *server_handle, if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) return(ret); - for (kvno = 0, i=0; i kvno) - kvno = kdb.key_data[i].key_data_kvno; + for (kvno = 0, i=0; in_key_data; i++) + if (kdb->key_data[i].key_data_kvno > kvno) + kvno = kdb->key_data[i].key_data_kvno; if (keepold) { - old_key_data = kdb.key_data; - n_old_keys = kdb.n_key_data; + old_key_data = kdb->key_data; + n_old_keys = kdb->n_key_data; } else { - if (kdb.key_data != NULL) - cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data); + if (kdb->key_data != NULL) + cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data); n_old_keys = 0; old_key_data = NULL; } - kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys) - *sizeof(krb5_key_data)); - if (kdb.key_data == NULL) { + kdb->key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys) + *sizeof(krb5_key_data)); + if (kdb->key_data == NULL) { ret = ENOMEM; goto done; } - memset(kdb.key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data)); - kdb.n_key_data = 0; + memset(kdb->key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data)); + kdb->n_key_data = 0; for (i = 0; i < n_keys; i++) { if (n_ks_tuple) { @@ -1935,7 +1898,7 @@ kadm5_setkey_principal_3(void *server_handle, if (ret) goto done; - tptr = &kdb.key_data[i]; + tptr = &kdb->key_data[i]; tptr->key_data_ver = tmp_key_data.key_data_ver; tptr->key_data_kvno = tmp_key_data.key_data_kvno; for (k = 0; k < tmp_key_data.key_data_ver; k++) { @@ -1962,21 +1925,21 @@ kadm5_setkey_principal_3(void *server_handle, tmp_key_data.key_data_contents[k] = NULL; } } - kdb.n_key_data++; + kdb->n_key_data++; } /* copy old key data if necessary */ for (i = 0; i < n_old_keys; i++) { - kdb.key_data[i+n_keys] = old_key_data[i]; + kdb->key_data[i+n_keys] = old_key_data[i]; memset(&old_key_data[i], 0, sizeof (krb5_key_data)); - kdb.n_key_data++; + kdb->n_key_data++; } if (old_key_data) krb5_db_free(handle->context, old_key_data); - /* assert(kdb.n_key_data == n_keys + n_old_keys) */ - kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; + /* assert(kdb->n_key_data == n_keys + n_old_keys) */ + kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; if ((ret = krb5_timeofday(handle->context, &now))) goto done; @@ -1995,35 +1958,35 @@ kadm5_setkey_principal_3(void *server_handle, * local caller implicitly has all authorization bits. */ if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd)) + kdb, &last_pwd)) goto done; if((now - last_pwd) < pol.pw_min_life && - !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { + !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { ret = KADM5_PASS_TOOSOON; goto done; } #endif if (pol.pw_max_life) - kdb.pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = now + pol.pw_max_life; else - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } else { - kdb.pw_expiration = 0; + kdb->pw_expiration = 0; } - if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) + if ((ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now))) goto done; /* unlock principal on this KDC */ - kdb.fail_auth_count = 0; + kdb->fail_auth_count = 0; - if ((ret = kdb_put_entry(handle, &kdb, &adb))) + if ((ret = kdb_put_entry(handle, kdb, &adb))) goto done; ret = KADM5_OK; done: - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); if (have_pol) kadm5_free_policy_ent(handle->lhandle, &pol); @@ -2040,7 +2003,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */, krb5_keyblock **keyblocks /* OUT */, int *n_keys /* OUT */) { - krb5_db_entry kdb; + krb5_db_entry *kdb; osa_princ_ent_rec adb; kadm5_ret_t ret; kadm5_server_handle_t handle = server_handle; @@ -2058,7 +2021,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */, return(ret); if (keyblocks) { - if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb, + if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb, &mkey_ptr))) { krb5_keylist_node *tmp_mkey_list; /* try refreshing master key list */ @@ -2069,7 +2032,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */, krb5_dbe_free_key_list(handle->context, master_keylist); master_keylist = tmp_mkey_list; if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, - &kdb, &mkey_ptr))) { + kdb, &mkey_ptr))) { goto done; } } else { @@ -2078,7 +2041,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */, } ret = decrypt_key_data(handle->context, mkey_ptr, - kdb.n_key_data, kdb.key_data, + kdb->n_key_data, kdb->key_data, keyblocks, n_keys); if (ret) goto done; @@ -2086,7 +2049,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */, ret = KADM5_OK; done: - kdb_free_entry(handle, &kdb, &adb); + kdb_free_entry(handle, kdb, &adb); return ret; } diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/unit-test/lock-test.c index 5a0501b27..59f9d2609 100644 --- a/src/lib/kadm5/unit-test/lock-test.c +++ b/src/lib/kadm5/unit-test/lock-test.c @@ -76,11 +76,9 @@ int main(int argc, char **argv) else printf("released\n"); } else if (strcmp(*argv, "get") == 0) { - int cnt = 1; argc--; argv++; if (!argc) usage(); - if ((ret = krb5_db_get_policy(context, *argv, - &entry, &cnt)) ) { + if ((ret = krb5_db_get_policy(context, *argv, &entry))) { com_err(whoami, ret, "while getting policy"); } else { printf("retrieved\n"); diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 493647d01..af81d37bf 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -698,43 +698,23 @@ krb5_db_unlock(krb5_context kcontext) } krb5_error_code -krb5_db_get_principal(krb5_context kcontext, - krb5_const_principal search_for, - krb5_db_entry * entries, - int *nentries, krb5_boolean * more) +krb5_db_get_principal(krb5_context kcontext, krb5_const_principal search_for, + unsigned int flags, krb5_db_entry **entry) { krb5_error_code status = 0; kdb_vftabl *v; + *entry = NULL; status = get_vftabl(kcontext, &v); if (status) return status; if (v->get_principal == NULL) return KRB5_PLUGIN_OP_NOTSUPP; - return v->get_principal(kcontext, search_for, 0, entries, nentries, more); -} - -krb5_error_code -krb5_db_get_principal_ext(krb5_context kcontext, - krb5_const_principal search_for, - unsigned int flags, - krb5_db_entry * entries, - int *nentries, krb5_boolean * more) -{ - krb5_error_code status = 0; - kdb_vftabl *v; - - status = get_vftabl(kcontext, &v); - if (status) - return status; - if (v->get_principal == NULL) - return KRB5_PLUGIN_OP_NOTSUPP; - return v->get_principal(kcontext, search_for, flags, entries, nentries, - more); + return v->get_principal(kcontext, search_for, flags, entry); } void -krb5_db_free_principal(krb5_context kcontext, krb5_db_entry * entry, int count) +krb5_db_free_principal(krb5_context kcontext, krb5_db_entry *entry) { krb5_error_code status = 0; kdb_vftabl *v; @@ -742,7 +722,7 @@ krb5_db_free_principal(krb5_context kcontext, krb5_db_entry * entry, int count) status = get_vftabl(kcontext, &v); if (status) return; - v->free_principal(kcontext, entry, count); + v->free_principal(kcontext, entry); } static void @@ -826,8 +806,7 @@ clean_n_exit: } krb5_error_code -krb5int_put_principal_no_log(krb5_context kcontext, - krb5_db_entry *entries, int *nentries) +krb5int_put_principal_no_log(krb5_context kcontext, krb5_db_entry *entry) { kdb_vftabl *v; krb5_error_code status; @@ -838,53 +817,47 @@ krb5int_put_principal_no_log(krb5_context kcontext, return status; if (v->put_principal == NULL) return KRB5_PLUGIN_OP_NOTSUPP; - status = extract_db_args_from_tl_data(kcontext, &entries->tl_data, - &entries->n_tl_data, + status = extract_db_args_from_tl_data(kcontext, &entry->tl_data, + &entry->n_tl_data, &db_args); if (status) return status; - status = v->put_principal(kcontext, entries, nentries, db_args); + status = v->put_principal(kcontext, entry, db_args); free_db_args(kcontext, db_args); return status; } krb5_error_code -krb5_db_put_principal(krb5_context kcontext, - krb5_db_entry * entries, int *nentries) +krb5_db_put_principal(krb5_context kcontext, krb5_db_entry *entry) { krb5_error_code status = 0; kdb_vftabl *v; char **db_args = NULL; - kdb_incr_update_t *upd, *fupd = 0; + kdb_incr_update_t *upd = NULL; char *princ_name = NULL; kdb_log_context *log_ctx; - int i; int ulog_locked = 0; log_ctx = kcontext->kdblog_context; status = get_vftabl(kcontext, &v); if (status) - goto clean_n_exit; + return status; + if (v->put_principal == NULL) + return KRB5_PLUGIN_OP_NOTSUPP; - status = extract_db_args_from_tl_data(kcontext, &entries->tl_data, - &entries->n_tl_data, + status = extract_db_args_from_tl_data(kcontext, &entry->tl_data, + &entry->n_tl_data, &db_args); if (status) goto clean_n_exit; if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) { - if (!(upd = (kdb_incr_update_t *) - malloc(sizeof (kdb_incr_update_t)* *nentries))) { - status = errno; - goto err_lock; - } - fupd = upd; - - (void) memset(upd, 0, sizeof(kdb_incr_update_t)* *nentries); - - if ((status = ulog_conv_2logentry(kcontext, entries, upd, *nentries))) - goto err_lock; + upd = k5alloc(sizeof(*upd), &status); + if (upd == NULL) + goto clean_n_exit; + if ((status = ulog_conv_2logentry(kcontext, entry, upd))) + goto clean_n_exit; } status = ulog_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE); @@ -892,51 +865,35 @@ krb5_db_put_principal(krb5_context kcontext, goto err_lock; ulog_locked = 1; - for (i = 0; i < *nentries; i++) { - if (fupd) { - if ((status = krb5_unparse_name(kcontext, entries->princ, - &princ_name))) - goto err_lock; + if (upd != NULL) { + status = krb5_unparse_name(kcontext, entry->princ, &princ_name); + if (status != 0) + goto err_lock; - upd->kdb_princ_name.utf8str_t_val = princ_name; - upd->kdb_princ_name.utf8str_t_len = strlen(princ_name); + upd->kdb_princ_name.utf8str_t_val = princ_name; + upd->kdb_princ_name.utf8str_t_len = strlen(princ_name); - if ((status = ulog_add_update(kcontext, upd)) != 0) - goto err_lock; - upd++; - } + if ((status = ulog_add_update(kcontext, upd)) != 0) + goto err_lock; } - if (v->put_principal == NULL) { - status = KRB5_PLUGIN_OP_NOTSUPP; - goto err_lock; - } + status = v->put_principal(kcontext, entry, db_args); + if (status == 0 && upd != NULL) + (void) ulog_finish_update(kcontext, upd); - status = v->put_principal(kcontext, entries, nentries, db_args); - if (status == 0 && fupd) { - upd = fupd; - for (i = 0; i < *nentries; i++) { - (void) ulog_finish_update(kcontext, upd); - upd++; - } - } err_lock: if (ulog_locked) ulog_lock(kcontext, KRB5_LOCKMODE_UNLOCK); clean_n_exit: free_db_args(kcontext, db_args); - - if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) - ulog_free_entries(fupd, *nentries); - + ulog_free_entries(upd, 1); return status; } krb5_error_code krb5int_delete_principal_no_log(krb5_context kcontext, - krb5_principal search_for, - int *nentries) + krb5_principal search_for) { kdb_vftabl *v; krb5_error_code status; @@ -946,12 +903,12 @@ krb5int_delete_principal_no_log(krb5_context kcontext, return status; if (v->delete_principal == NULL) return KRB5_PLUGIN_OP_NOTSUPP; - return v->delete_principal(kcontext, search_for, nentries); + return v->delete_principal(kcontext, search_for); } krb5_error_code krb5_db_delete_principal(krb5_context kcontext, - krb5_principal search_for, int *nentries) + krb5_principal search_for) { krb5_error_code status = 0; kdb_vftabl *v; @@ -994,7 +951,7 @@ krb5_db_delete_principal(krb5_context kcontext, if (v->delete_principal == NULL) return KRB5_PLUGIN_OP_NOTSUPP; - status = v->delete_principal(kcontext, search_for, nentries); + status = v->delete_principal(kcontext, search_for); /* * We need to commit our update upon success @@ -1168,21 +1125,15 @@ krb5_db_fetch_mkey(krb5_context context, * princ. */ if (kvno != NULL && *kvno == IGNORE_VNO) { - int nentries = 1; - krb5_boolean more; krb5_error_code rc; - krb5_db_entry master_entry; - - rc = krb5_db_get_principal(context, mname, - &master_entry, &nentries, &more); + krb5_db_entry *master_entry; - if (rc == 0 && nentries == 1 && more == FALSE) - *kvno = (krb5_kvno) master_entry.key_data->key_data_kvno; - else + rc = krb5_db_get_principal(context, mname, 0, &master_entry); + if (rc == 0) { + *kvno = (krb5_kvno) master_entry->key_data->key_data_kvno; + krb5_db_free_principal(context, master_entry); + } else *kvno = 1; - - if (rc == 0 && nentries) - krb5_db_free_principal(context, &master_entry, nentries); } if (!salt) @@ -1233,32 +1184,18 @@ krb5_dbe_fetch_act_key_list(krb5_context context, krb5_actkvno_node **act_key_list) { krb5_error_code retval = 0; - krb5_db_entry entry; - int nprinc; - krb5_boolean more; + krb5_db_entry *entry; if (act_key_list == NULL) return (EINVAL); - nprinc = 1; - if ((retval = krb5_db_get_principal(context, princ, &entry, - &nprinc, &more))) { - return (retval); - } - - if (nprinc != 1) { - if (nprinc) { - krb5_db_free_principal(context, &entry, nprinc); - return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); - } else { - return(KRB5_KDB_NOMASTERKEY); - } - } else if (more) { - krb5_db_free_principal(context, &entry, nprinc); - return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); - } + retval = krb5_db_get_principal(context, princ, 0, &entry); + if (retval == KRB5_KDB_NOENTRY) + return KRB5_KDB_NOMASTERKEY; + else if (retval) + return retval; - retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list); + retval = krb5_dbe_lookup_actkvno(context, entry, act_key_list); if (*act_key_list == NULL) { krb5_actkvno_node *tmp_actkvno; @@ -1267,17 +1204,19 @@ krb5_dbe_fetch_act_key_list(krb5_context context, */ tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node)); - if (tmp_actkvno == NULL) - return (ENOMEM); + if (tmp_actkvno == NULL) { + krb5_db_free_principal(context, entry); + return ENOMEM; + } memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node)); tmp_actkvno->act_time = 0; /* earliest time possible */ /* use most current key */ - tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno; + tmp_actkvno->act_kvno = entry->key_data[0].key_data_kvno; *act_key_list = tmp_actkvno; } - krb5_db_free_principal(context, &entry, nprinc); + krb5_db_free_principal(context, entry); return retval; } @@ -2144,8 +2083,7 @@ krb5_db_create_policy(krb5_context kcontext, osa_policy_ent_t policy) } krb5_error_code -krb5_db_get_policy(krb5_context kcontext, char *name, - osa_policy_ent_t * policy, int *cnt) +krb5_db_get_policy(krb5_context kcontext, char *name, osa_policy_ent_t *policy) { krb5_error_code status = 0; kdb_vftabl *v; @@ -2155,7 +2093,7 @@ krb5_db_get_policy(krb5_context kcontext, char *name, return status; if (v->get_policy == NULL) return KRB5_PLUGIN_OP_NOTSUPP; - return v->get_policy(kcontext, name, policy, cnt); + return v->get_policy(kcontext, name, policy); } krb5_error_code diff --git a/src/lib/kdb/kdb5int.h b/src/lib/kdb/kdb5int.h index 994f1f931..9d63ca86c 100644 --- a/src/lib/kdb/kdb5int.h +++ b/src/lib/kdb/kdb5int.h @@ -35,11 +35,10 @@ krb5_error_code krb5int_put_principal_no_log(krb5_context kcontext, - krb5_db_entry *entries, int *nentries); + krb5_db_entry *entries); krb5_error_code krb5int_delete_principal_no_log(krb5_context kcontext, - krb5_principal search_for, - int *nentries); + krb5_principal search_for); #endif /* __KDB5INT_H__ */ diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c index df3019d6d..20bcc31e8 100644 --- a/src/lib/kdb/kdb_convert.c +++ b/src/lib/kdb/kdb_convert.c @@ -291,581 +291,525 @@ error: /* - * This routine converts one or more krb5 db2 records into update - * log (ulog) entry format. Space for the update log entries should - * be allocated prior to invocation of this routine. + * This routine converts a krb5 DB record into update log (ulog) entry format. + * Space for the update log entry should be allocated prior to invocation of + * this routine. */ krb5_error_code -ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries, - kdb_incr_update_t *updates, - int nentries) +ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry, + kdb_incr_update_t *update) { - int i, j, k, cnt, final, nattrs, tmpint, nprincs; - unsigned int more; + int i, j, cnt, final, nattrs, tmpint; krb5_principal tmpprinc; krb5_tl_data *newtl; - krb5_db_entry curr; + krb5_db_entry *curr; krb5_error_code ret; kdbe_attr_type_t *attr_types; - kdb_incr_update_t *upd; - krb5_db_entry *ent; int kadm_data_yes; /* always exclude non-replicated attributes, for now */ krb5_boolean exclude_nra = TRUE; - if ((updates == NULL) || (entries == NULL)) - return (KRB5KRB_ERR_GENERIC); + nattrs = tmpint = 0; + final = -1; + kadm_data_yes = 0; + attr_types = NULL; - upd = updates; - ent = entries; + /* + * XXX we rely on the good behaviour of the database not to + * exceed this limit. + */ + if ((update->kdb_update.kdbe_t_val = (kdbe_val_t *) + malloc(MAXENTRY_SIZE)) == NULL) { + return (ENOMEM); + } - for (k = 0; k < nentries; k++) { - nprincs = nattrs = tmpint = 0; - final = -1; - kadm_data_yes = 0; - attr_types = NULL; + /* + * Find out which attrs have been modified + */ + if ((attr_types = (kdbe_attr_type_t *)malloc( + sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE)) + == NULL) { + return (ENOMEM); + } - /* - * XXX we rely on the good behaviour of the database not to - * exceed this limit. - */ - if ((upd->kdb_update.kdbe_t_val = (kdbe_val_t *) - malloc(MAXENTRY_SIZE)) == NULL) { - return (ENOMEM); - } + ret = krb5_db_get_principal(context, entry->princ, 0, &curr); + if (ret && ret != KRB5_KDB_NOENTRY) { + free(attr_types); + return (ret); + } + if (ret == KRB5_KDB_NOENTRY) { /* - * Find out which attrs have been modified + * This is a new entry to the database, hence will + * include all the attribute-value pairs + * + * We leave out the TL_DATA types which we model as + * attrs in kdbe_attr_type_t, since listing AT_TL_DATA + * encompasses these other types-turned-attributes + * + * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME, + * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY, + * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST, + * totalling 8 attrs. */ - if ((attr_types = (kdbe_attr_type_t *)malloc( - sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE)) - == NULL) { - return (ENOMEM); - } - - if ((ret = krb5_db_get_principal(context, ent->princ, &curr, - &nprincs, &more))) { - free(attr_types); - return (ret); + while (nattrs < MAXATTRS_SIZE - 8) { + attr_types[nattrs] = nattrs; + nattrs++; } + } else { + find_changed_attrs(curr, entry, exclude_nra, attr_types, &nattrs); + krb5_db_free_principal(context, curr); + } - if (nprincs == 0) { - /* - * This is a new entry to the database, hence will - * include all the attribute-value pairs - * - * We leave out the TL_DATA types which we model as - * attrs in kdbe_attr_type_t, since listing AT_TL_DATA - * encompasses these other types-turned-attributes - * - * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME, - * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY, - * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST, - * totalling 8 attrs. - */ - while (nattrs < MAXATTRS_SIZE - 8) { - attr_types[nattrs] = nattrs; - nattrs++; + for (i = 0; i < nattrs; i++) { + switch (attr_types[i]) { + case AT_ATTRFLAGS: + if (entry->attributes >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = + AT_ATTRFLAGS; + ULOG_ENTRY(update, final).av_attrflags = + (uint32_t)entry->attributes; } - } else { - find_changed_attrs(&curr, ent, exclude_nra, attr_types, &nattrs); + break; - krb5_db_free_principal(context, &curr, nprincs); - } + case AT_MAX_LIFE: + if (entry->max_life >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MAX_LIFE; + ULOG_ENTRY(update, final).av_max_life = + (uint32_t)entry->max_life; + } + break; - for (i = 0; i < nattrs; i++) { - switch (attr_types[i]) { - case AT_ATTRFLAGS: - if (ent->attributes >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_ATTRFLAGS; - ULOG_ENTRY(upd, final).av_attrflags = - (uint32_t)ent->attributes; - } - break; + case AT_MAX_RENEW_LIFE: + if (entry->max_renewable_life >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MAX_RENEW_LIFE; + ULOG_ENTRY(update, final).av_max_renew_life = + (uint32_t)entry->max_renewable_life; + } + break; - case AT_MAX_LIFE: - if (ent->max_life >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_MAX_LIFE; - ULOG_ENTRY(upd, final).av_max_life = - (uint32_t)ent->max_life; - } - break; + case AT_EXP: + if (entry->expiration >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_EXP; + ULOG_ENTRY(update, final).av_exp = (uint32_t)entry->expiration; + } + break; - case AT_MAX_RENEW_LIFE: - if (ent->max_renewable_life >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_MAX_RENEW_LIFE; - ULOG_ENTRY(upd, - final).av_max_renew_life = - (uint32_t)ent->max_renewable_life; - } - break; + case AT_PW_EXP: + if (entry->pw_expiration >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PW_EXP; + ULOG_ENTRY(update, final).av_pw_exp = + (uint32_t)entry->pw_expiration; + } + break; - case AT_EXP: - if (ent->expiration >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_EXP; - ULOG_ENTRY(upd, final).av_exp = - (uint32_t)ent->expiration; - } - break; + case AT_LAST_SUCCESS: + if (!exclude_nra && entry->last_success >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_SUCCESS; + ULOG_ENTRY(update, final).av_last_success = + (uint32_t)entry->last_success; + } + break; - case AT_PW_EXP: - if (ent->pw_expiration >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_PW_EXP; - ULOG_ENTRY(upd, final).av_pw_exp = - (uint32_t)ent->pw_expiration; + case AT_LAST_FAILED: + if (!exclude_nra && entry->last_failed >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LAST_FAILED; + ULOG_ENTRY(update, final).av_last_failed = + (uint32_t)entry->last_failed; + } + break; + + case AT_FAIL_AUTH_COUNT: + if (!exclude_nra && entry->fail_auth_count >= (krb5_kvno)0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = + AT_FAIL_AUTH_COUNT; + ULOG_ENTRY(update, final).av_fail_auth_count = + (uint32_t)entry->fail_auth_count; + } + break; + + case AT_PRINC: + if (entry->princ->length > 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PRINC; + if ((ret = conv_princ_2ulog(entry->princ, + update, final, REG_PRINC))) { + free(attr_types); + return (ret); } - break; + } + break; - case AT_LAST_SUCCESS: - if (!exclude_nra && ent->last_success >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_LAST_SUCCESS; - ULOG_ENTRY(upd, - final).av_last_success = - (uint32_t)ent->last_success; + case AT_KEYDATA: +/* BEGIN CSTYLED */ + if (entry->n_key_data >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_KEYDATA; + ULOG_ENTRY(update, final).av_keydata.av_keydata_len = + entry->n_key_data; + ULOG_ENTRY(update, final).av_keydata.av_keydata_val = + malloc(entry->n_key_data * sizeof (kdbe_key_t)); + if (ULOG_ENTRY(update, final).av_keydata.av_keydata_val == + NULL) { + free(attr_types); + return (ENOMEM); } - break; - case AT_LAST_FAILED: - if (!exclude_nra && ent->last_failed >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_LAST_FAILED; - ULOG_ENTRY(upd, - final).av_last_failed = - (uint32_t)ent->last_failed; - } - break; + for (j = 0; j < entry->n_key_data; j++) { + ULOG_ENTRY_KEYVAL(update, final, j).k_ver = + entry->key_data[j].key_data_ver; + ULOG_ENTRY_KEYVAL(update, final, j).k_kvno = + entry->key_data[j].key_data_kvno; + ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_len = entry->key_data[j].key_data_ver; + ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_len = entry->key_data[j].key_data_ver; - case AT_FAIL_AUTH_COUNT: - if (!exclude_nra && ent->fail_auth_count >= (krb5_kvno)0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_FAIL_AUTH_COUNT; - ULOG_ENTRY(upd, - final).av_fail_auth_count = - (uint32_t)ent->fail_auth_count; - } - break; - - case AT_PRINC: - if (ent->princ->length > 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_PRINC; - if ((ret = conv_princ_2ulog(ent->princ, - upd, final, REG_PRINC))) { + ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val = malloc(entry->key_data[j].key_data_ver * sizeof(int32_t)); + if (ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val == NULL) { free(attr_types); - return (ret); + return (ENOMEM); } - } - break; - case AT_KEYDATA: -/* BEGIN CSTYLED */ - if (ent->n_key_data >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_KEYDATA; - ULOG_ENTRY(upd, final).av_keydata.av_keydata_len = ent->n_key_data; - - ULOG_ENTRY(upd, final).av_keydata.av_keydata_val = malloc(ent->n_key_data * sizeof (kdbe_key_t)); - if (ULOG_ENTRY(upd, final).av_keydata.av_keydata_val == NULL) { + ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val = malloc(entry->key_data[j].key_data_ver * sizeof(utf8str_t)); + if (ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val == NULL) { free(attr_types); return (ENOMEM); } - for (j = 0; j < ent->n_key_data; j++) { - ULOG_ENTRY_KEYVAL(upd, final, j).k_ver = ent->key_data[j].key_data_ver; - ULOG_ENTRY_KEYVAL(upd, final, j).k_kvno = ent->key_data[j].key_data_kvno; - ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_len = ent->key_data[j].key_data_ver; - ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_len = ent->key_data[j].key_data_ver; - - ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val = malloc(ent->key_data[j].key_data_ver * sizeof(int32_t)); - if (ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val == NULL) { - free(attr_types); - return (ENOMEM); - } - - ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val = malloc(ent->key_data[j].key_data_ver * sizeof(utf8str_t)); - if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val == NULL) { + for (cnt = 0; cnt < entry->key_data[j].key_data_ver; + cnt++) { + ULOG_ENTRY_KEYVAL(update, final, j).k_enctype.k_enctype_val[cnt] = entry->key_data[j].key_data_type[cnt]; + ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = entry->key_data[j].key_data_length[cnt]; + ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(entry->key_data[j].key_data_length[cnt] * sizeof (char)); + if (ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL) { free(attr_types); return (ENOMEM); } - - for (cnt = 0; cnt < ent->key_data[j].key_data_ver; cnt++) { - ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val[cnt] = ent->key_data[j].key_data_type[cnt]; - ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = ent->key_data[j].key_data_length[cnt]; - ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(ent->key_data[j].key_data_length[cnt] * sizeof (char)); - if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL) { - free(attr_types); - return (ENOMEM); - } - (void) memcpy(ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, ent->key_data[j].key_data_contents[cnt], ent->key_data[j].key_data_length[cnt]); - } + (void) memcpy(ULOG_ENTRY_KEYVAL(update, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, entry->key_data[j].key_data_contents[cnt], entry->key_data[j].key_data_length[cnt]); } } - break; + } + break; - case AT_TL_DATA: - ret = krb5_dbe_lookup_last_pwd_change(context, - ent, &tmpint); - if (ret == 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_PW_LAST_CHANGE; - ULOG_ENTRY(upd, final).av_pw_last_change = tmpint; - } - tmpint = 0; + case AT_TL_DATA: + ret = krb5_dbe_lookup_last_pwd_change(context, entry, &tmpint); + if (ret == 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_PW_LAST_CHANGE; + ULOG_ENTRY(update, final).av_pw_last_change = tmpint; + } + tmpint = 0; - if(!(ret = krb5_dbe_lookup_mod_princ_data( - context, ent, &tmpint, &tmpprinc))) { + if(!(ret = krb5_dbe_lookup_mod_princ_data(context, entry, &tmpint, + &tmpprinc))) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_MOD_PRINC; + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MOD_PRINC; - ret = conv_princ_2ulog(tmpprinc, - upd, final, MOD_PRINC); - krb5_free_principal(context, tmpprinc); - if (ret) { - free(attr_types); - return (ret); - } - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_MOD_TIME; - ULOG_ENTRY(upd, final).av_mod_time = - tmpint; + ret = conv_princ_2ulog(tmpprinc, update, final, MOD_PRINC); + krb5_free_principal(context, tmpprinc); + if (ret) { + free(attr_types); + return (ret); } + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_MOD_TIME; + ULOG_ENTRY(update, final).av_mod_time = + tmpint; + } - newtl = ent->tl_data; - while (newtl) { - switch (newtl->tl_data_type) { - case KRB5_TL_LAST_PWD_CHANGE: - case KRB5_TL_MOD_PRINC: - break; - - case KRB5_TL_KADM_DATA: - default: - if (kadm_data_yes == 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = AT_TL_DATA; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_len = 0; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_val = malloc(ent->n_tl_data * sizeof(kdbe_tl_t)); - - if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val == NULL) { - free(attr_types); - return (ENOMEM); - } - kadm_data_yes = 1; - } + newtl = entry->tl_data; + while (newtl) { + switch (newtl->tl_data_type) { + case KRB5_TL_LAST_PWD_CHANGE: + case KRB5_TL_MOD_PRINC: + break; - tmpint = ULOG_ENTRY(upd, final).av_tldata.av_tldata_len; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_len++; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length; - ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char)); - if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL) { + case KRB5_TL_KADM_DATA: + default: + if (kadm_data_yes == 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_TL_DATA; + ULOG_ENTRY(update, final).av_tldata.av_tldata_len = 0; + ULOG_ENTRY(update, final).av_tldata.av_tldata_val = + malloc(entry->n_tl_data * sizeof(kdbe_tl_t)); + + if (ULOG_ENTRY(update, final).av_tldata.av_tldata_val + == NULL) { free(attr_types); return (ENOMEM); } - (void) memcpy(ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length); - break; + kadm_data_yes = 1; } - newtl = newtl->tl_data_next; - } - break; -/* END CSTYLED */ - case AT_LEN: - if (ent->len >= 0) { - ULOG_ENTRY_TYPE(upd, ++final).av_type = - AT_LEN; - ULOG_ENTRY(upd, final).av_len = - (int16_t)ent->len; + tmpint = ULOG_ENTRY(update, final).av_tldata.av_tldata_len; + ULOG_ENTRY(update, final).av_tldata.av_tldata_len++; + ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type; + ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length; + ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char)); + if (ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL) { + free(attr_types); + return (ENOMEM); + } + (void) memcpy(ULOG_ENTRY(update, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length); + break; } - break; + newtl = newtl->tl_data_next; + } + break; +/* END CSTYLED */ - default: - break; + case AT_LEN: + if (entry->len >= 0) { + ULOG_ENTRY_TYPE(update, ++final).av_type = AT_LEN; + ULOG_ENTRY(update, final).av_len = (int16_t)entry->len; } + break; + default: + break; } - free(attr_types); + } - /* - * Update len field in kdb_update - */ - upd->kdb_update.kdbe_t_len = ++final; + free(attr_types); - /* - * Bump up to next struct - */ - upd++; - ent++; - } + /* + * Update len field in kdb_update + */ + update->kdb_update.kdbe_t_len = ++final; return (0); } -/* - * This routine converts one or more update log (ulog) entries into - * kerberos db2 records. Required memory should be allocated - * for the db2 records (pointed to by krb5_db_entry *ent), prior - * to calling this routine. - */ +/* Convert an update log (ulog) entry into a kerberos record. */ krb5_error_code -ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries, - kdb_incr_update_t *updates, - int nentries) +ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry, + kdb_incr_update_t *update) { - int k; krb5_db_entry *ent; - kdb_incr_update_t *upd; int slave; + krb5_principal mod_princ = NULL; + int i, j, cnt = 0, mod_time = 0, nattrs; + krb5_principal dbprinc; + char *dbprincstr = NULL; + krb5_tl_data *newtl = NULL; + krb5_error_code ret; + unsigned int prev_n_keys = 0; + krb5_boolean is_add; - if ((updates == NULL) || (entries == NULL)) - return (KRB5KRB_ERR_GENERIC); - - ent = entries; - upd = updates; + *entry = NULL; slave = (context->kdblog_context != NULL) && (context->kdblog_context->iproprole == IPROP_SLAVE); - for (k = 0; k < nentries; k++) { - krb5_principal mod_princ = NULL; - int i, j, cnt = 0, mod_time = 0, nattrs, nprincs = 0; - krb5_principal dbprinc; - char *dbprincstr = NULL; - - krb5_tl_data *newtl = NULL; - krb5_error_code ret; - unsigned int more; - unsigned int prev_n_keys = 0; - - /* - * If the ulog entry represents a DELETE update, - * just skip to the next entry. - */ - if (upd->kdb_deleted == TRUE) - goto next; - - /* - * Store the no. of changed attributes in nattrs - */ - nattrs = upd->kdb_update.kdbe_t_len; + /* + * Store the no. of changed attributes in nattrs + */ + nattrs = update->kdb_update.kdbe_t_len; + + dbprincstr = malloc((update->kdb_princ_name.utf8str_t_len + 1) + * sizeof (char)); + if (dbprincstr == NULL) + return (ENOMEM); + strncpy(dbprincstr, (char *)update->kdb_princ_name.utf8str_t_val, + update->kdb_princ_name.utf8str_t_len); + dbprincstr[update->kdb_princ_name.utf8str_t_len] = 0; + + ret = krb5_parse_name(context, dbprincstr, &dbprinc); + free(dbprincstr); + if (ret) + return (ret); + + ret = krb5_db_get_principal(context, dbprinc, 0, &ent); + krb5_free_principal(context, dbprinc); + if (ret && ret != KRB5_KDB_NOENTRY) + return (ret); + is_add = (ret == KRB5_KDB_NOENTRY); - dbprincstr = malloc((upd->kdb_princ_name.utf8str_t_len + 1) - * sizeof (char)); - if (dbprincstr == NULL) + /* + * Set ent->n_tl_data = 0 initially, if this is an ADD update + */ + if (is_add) { + ent = krb5_db_alloc(context, NULL, sizeof(*ent)); + if (ent == NULL) return (ENOMEM); - strncpy(dbprincstr, (char *)upd->kdb_princ_name.utf8str_t_val, - upd->kdb_princ_name.utf8str_t_len); - dbprincstr[upd->kdb_princ_name.utf8str_t_len] = 0; - - ret = krb5_parse_name(context, dbprincstr, &dbprinc); - free(dbprincstr); - if (ret) - return (ret); - - ret = krb5_db_get_principal(context, dbprinc, ent, &nprincs, - &more); - krb5_free_principal(context, dbprinc); - if (ret) - return (ret); - - /* - * Set ent->n_tl_data = 0 initially, if this is an ADD update - */ - if (nprincs == 0) - ent->n_tl_data = 0; - - for (i = 0; i < nattrs; i++) { - krb5_principal tmpprinc = NULL; - -#define u (ULOG_ENTRY(upd, i)) - switch (ULOG_ENTRY_TYPE(upd, i).av_type) { - case AT_ATTRFLAGS: - ent->attributes = (krb5_flags) u.av_attrflags; - break; - - case AT_MAX_LIFE: - ent->max_life = (krb5_deltat) u.av_max_life; - break; - - case AT_MAX_RENEW_LIFE: - ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life; - break; - - case AT_EXP: - ent->expiration = (krb5_timestamp) u.av_exp; - break; - - case AT_PW_EXP: - ent->pw_expiration = (krb5_timestamp) u.av_pw_exp; - break; - - case AT_LAST_SUCCESS: - if (!slave) - ent->last_success = (krb5_timestamp) u.av_last_success; - break; - - case AT_LAST_FAILED: - if (!slave) - ent->last_failed = (krb5_timestamp) u.av_last_failed; - break; - - case AT_FAIL_AUTH_COUNT: - if (!slave) - ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count; - break; - - case AT_PRINC: - tmpprinc = conv_princ_2db(context, &u.av_princ); - if (tmpprinc == NULL) - return ENOMEM; - if (nprincs) - krb5_free_principal(context, ent->princ); - ent->princ = tmpprinc; - break; + memset(ent, 0, sizeof(*ent)); + ent->n_tl_data = 0; + } - case AT_KEYDATA: - if (nprincs != 0) - prev_n_keys = ent->n_key_data; - else - prev_n_keys = 0; - ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len; - if (nprincs == 0) - ent->key_data = NULL; - - ent->key_data = (krb5_key_data *)realloc(ent->key_data, - (ent->n_key_data * - sizeof (krb5_key_data))); - /* XXX Memory leak: Old key data in - records eliminated by resizing to - smaller size. */ - if (ent->key_data == NULL) - /* XXX Memory leak: old storage. */ - return (ENOMEM); + for (i = 0; i < nattrs; i++) { + krb5_principal tmpprinc = NULL; + +#define u (ULOG_ENTRY(update, i)) + switch (ULOG_ENTRY_TYPE(update, i).av_type) { + case AT_ATTRFLAGS: + ent->attributes = (krb5_flags) u.av_attrflags; + break; + + case AT_MAX_LIFE: + ent->max_life = (krb5_deltat) u.av_max_life; + break; + + case AT_MAX_RENEW_LIFE: + ent->max_renewable_life = (krb5_deltat) u.av_max_renew_life; + break; + + case AT_EXP: + ent->expiration = (krb5_timestamp) u.av_exp; + break; + + case AT_PW_EXP: + ent->pw_expiration = (krb5_timestamp) u.av_pw_exp; + break; + + case AT_LAST_SUCCESS: + if (!slave) + ent->last_success = (krb5_timestamp) u.av_last_success; + break; + + case AT_LAST_FAILED: + if (!slave) + ent->last_failed = (krb5_timestamp) u.av_last_failed; + break; + + case AT_FAIL_AUTH_COUNT: + if (!slave) + ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count; + break; + + case AT_PRINC: + tmpprinc = conv_princ_2db(context, &u.av_princ); + if (tmpprinc == NULL) + return ENOMEM; + krb5_free_principal(context, ent->princ); + ent->princ = tmpprinc; + break; + + case AT_KEYDATA: + if (!is_add) + prev_n_keys = ent->n_key_data; + else + prev_n_keys = 0; + ent->n_key_data = (krb5_int16)u.av_keydata.av_keydata_len; + if (is_add) + ent->key_data = NULL; + + ent->key_data = (krb5_key_data *)realloc(ent->key_data, + (ent->n_key_data * + sizeof (krb5_key_data))); + /* XXX Memory leak: Old key data in + records eliminated by resizing to + smaller size. */ + if (ent->key_data == NULL) + /* XXX Memory leak: old storage. */ + return (ENOMEM); /* BEGIN CSTYLED */ - for (j = prev_n_keys; j < ent->n_key_data; j++) { - for (cnt = 0; cnt < 2; cnt++) { - ent->key_data[j].key_data_contents[cnt] = NULL; - } + for (j = prev_n_keys; j < ent->n_key_data; j++) { + for (cnt = 0; cnt < 2; cnt++) { + ent->key_data[j].key_data_contents[cnt] = NULL; } - for (j = 0; j < ent->n_key_data; j++) { - krb5_key_data *kp = &ent->key_data[j]; - kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(upd, i, j); - kp->key_data_ver = (krb5_int16)kv->k_ver; - kp->key_data_kvno = (krb5_int16)kv->k_kvno; - if (kp->key_data_ver > 2) { - return EINVAL; /* XXX ? */ - } - - for (cnt = 0; cnt < kp->key_data_ver; cnt++) { - void *newptr; - kp->key_data_type[cnt] = (krb5_int16)kv->k_enctype.k_enctype_val[cnt]; - kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len; - newptr = realloc(kp->key_data_contents[cnt], - kp->key_data_length[cnt]); - if (newptr == NULL) - return ENOMEM; - kp->key_data_contents[cnt] = newptr; - - (void) memset(kp->key_data_contents[cnt], 0, - kp->key_data_length[cnt]); - (void) memcpy(kp->key_data_contents[cnt], - kv->k_contents.k_contents_val[cnt].utf8str_t_val, - kp->key_data_length[cnt]); - } + } + for (j = 0; j < ent->n_key_data; j++) { + krb5_key_data *kp = &ent->key_data[j]; + kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(update, i, j); + kp->key_data_ver = (krb5_int16)kv->k_ver; + kp->key_data_kvno = (krb5_int16)kv->k_kvno; + if (kp->key_data_ver > 2) { + return EINVAL; /* XXX ? */ } - break; - - case AT_TL_DATA: { - int t; - cnt = u.av_tldata.av_tldata_len; - newtl = calloc(cnt, sizeof (krb5_tl_data)); - if (newtl == NULL) + for (cnt = 0; cnt < kp->key_data_ver; cnt++) { + void *newptr; + kp->key_data_type[cnt] = (krb5_int16)kv->k_enctype.k_enctype_val[cnt]; + kp->key_data_length[cnt] = (krb5_int16)kv->k_contents.k_contents_val[cnt].utf8str_t_len; + newptr = realloc(kp->key_data_contents[cnt], + kp->key_data_length[cnt]); + if (newptr == NULL) + return ENOMEM; + kp->key_data_contents[cnt] = newptr; + + (void) memset(kp->key_data_contents[cnt], 0, + kp->key_data_length[cnt]); + (void) memcpy(kp->key_data_contents[cnt], + kv->k_contents.k_contents_val[cnt].utf8str_t_val, + kp->key_data_length[cnt]); + } + } + break; + + case AT_TL_DATA: { + int t; + + cnt = u.av_tldata.av_tldata_len; + newtl = calloc(cnt, sizeof (krb5_tl_data)); + if (newtl == NULL) + return (ENOMEM); + + for (j = 0, t = 0; j < cnt; j++) { + newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type; + newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len; + newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet)); + if (newtl[t].tl_data_contents == NULL) + /* XXX Memory leak: newtl + and previously + allocated elements. */ return (ENOMEM); - for (j = 0, t = 0; j < cnt; j++) { - newtl[t].tl_data_type = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_type; - newtl[t].tl_data_length = (krb5_int16)u.av_tldata.av_tldata_val[j].tl_data.tl_data_len; - newtl[t].tl_data_contents = malloc(newtl[t].tl_data_length * sizeof (krb5_octet)); - if (newtl[t].tl_data_contents == NULL) - /* XXX Memory leak: newtl - and previously - allocated elements. */ - return (ENOMEM); - - (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length); - newtl[t].tl_data_next = NULL; - if (t > 0) - newtl[t - 1].tl_data_next = &newtl[t]; - t++; - } + (void) memcpy(newtl[t].tl_data_contents, u.av_tldata.av_tldata_val[t].tl_data.tl_data_val, newtl[t].tl_data_length); + newtl[t].tl_data_next = NULL; + if (t > 0) + newtl[t - 1].tl_data_next = &newtl[t]; + t++; + } - if ((ret = krb5_dbe_update_tl_data(context, ent, newtl))) - return (ret); - for (j = 0; j < t; j++) - if (newtl[j].tl_data_contents) { - free(newtl[j].tl_data_contents); - newtl[j].tl_data_contents = NULL; - } - if (newtl) { - free(newtl); - newtl = NULL; + if ((ret = krb5_dbe_update_tl_data(context, ent, newtl))) + return (ret); + for (j = 0; j < t; j++) + if (newtl[j].tl_data_contents) { + free(newtl[j].tl_data_contents); + newtl[j].tl_data_contents = NULL; } - break; -/* END CSTYLED */ + if (newtl) { + free(newtl); + newtl = NULL; } - case AT_PW_LAST_CHANGE: - if ((ret = krb5_dbe_update_last_pwd_change(context, ent, - u.av_pw_last_change))) - return (ret); - break; - - case AT_MOD_PRINC: - tmpprinc = conv_princ_2db(context, &u.av_mod_princ); - if (tmpprinc == NULL) - return ENOMEM; - mod_princ = tmpprinc; - break; + break; +/* END CSTYLED */ + } + case AT_PW_LAST_CHANGE: + if ((ret = krb5_dbe_update_last_pwd_change(context, ent, + u.av_pw_last_change))) + return (ret); + break; - case AT_MOD_TIME: - mod_time = u.av_mod_time; - break; + case AT_MOD_PRINC: + tmpprinc = conv_princ_2db(context, &u.av_mod_princ); + if (tmpprinc == NULL) + return ENOMEM; + mod_princ = tmpprinc; + break; - case AT_LEN: - ent->len = (krb5_int16) u.av_len; - break; + case AT_MOD_TIME: + mod_time = u.av_mod_time; + break; - default: - break; - } -#undef u - } + case AT_LEN: + ent->len = (krb5_int16) u.av_len; + break; - /* - * process mod_princ_data request - */ - if (mod_time && mod_princ) { - ret = krb5_dbe_update_mod_princ_data(context, ent, - mod_time, mod_princ); - krb5_free_principal(context, mod_princ); - mod_princ = NULL; - if (ret) - return (ret); + default: + break; } +#undef u + } - next: - /* - * Bump up to next struct - */ - upd++; - ent++; + /* + * process mod_princ_data request + */ + if (mod_time && mod_princ) { + ret = krb5_dbe_update_mod_princ_data(context, ent, + mod_time, mod_princ); + krb5_free_principal(context, mod_princ); + mod_princ = NULL; + if (ret) + return (ret); } + + *entry = ent; return (0); } diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c index dcf00ab05..a2dff2ef9 100644 --- a/src/lib/kdb/kdb_cpw.c +++ b/src/lib/kdb/kdb_cpw.c @@ -105,9 +105,8 @@ add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno) { krb5_principal krbtgt_princ; krb5_keyblock key; - krb5_db_entry krbtgt_entry; - krb5_boolean more; - int max_kvno, one, i, j, k; + krb5_db_entry *krbtgt_entry; + int max_kvno, i, j, k; krb5_error_code retval; krb5_key_data tmp_key_data; krb5_key_data *tptr; @@ -127,22 +126,15 @@ add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno) return retval; /* Get tgt from database */ - retval = krb5_db_get_principal(context, krbtgt_princ, &krbtgt_entry, - &one, &more); + retval = krb5_db_get_principal(context, krbtgt_princ, 0, &krbtgt_entry); krb5_free_principal(context, krbtgt_princ); /* don't need it anymore */ if (retval) return(retval); - if ((one > 1) || (more)) { - krb5_db_free_principal(context, &krbtgt_entry, one); - return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - } - if (!one) - return KRB5_KDB_NOENTRY; /* Get max kvno */ - for (max_kvno = j = 0; j < krbtgt_entry.n_key_data; j++) { - if (max_kvno < krbtgt_entry.key_data[j].key_data_kvno) { - max_kvno = krbtgt_entry.key_data[j].key_data_kvno; + for (max_kvno = j = 0; j < krbtgt_entry->n_key_data; j++) { + if (max_kvno < krbtgt_entry->key_data[j].key_data_kvno) { + max_kvno = krbtgt_entry->key_data[j].key_data_kvno; } } @@ -224,7 +216,7 @@ add_key_rnd(context, master_key, ks_tuple, ks_tuple_count, db_entry, kvno) } add_key_rnd_err: - krb5_db_free_principal(context, &krbtgt_entry, one); + krb5_db_free_principal(context, krbtgt_entry); for( i = 0; i < tmp_key_data.key_data_ver; i++ ) { diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 5f8d504a0..5ca749e61 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -425,9 +425,8 @@ krb5_def_fetch_mkey_list(krb5_context context, krb5_keylist_node **mkeys_list) { krb5_error_code retval; - krb5_db_entry master_entry; - int nprinc; - krb5_boolean more, found_key = FALSE; + krb5_db_entry *master_entry; + krb5_boolean found_key = FALSE; krb5_keyblock cur_mkey; krb5_keylist_node *mkey_list_head = NULL, **mkey_list_node; krb5_key_data *key_data; @@ -438,36 +437,28 @@ krb5_def_fetch_mkey_list(krb5_context context, return (EINVAL); memset(&cur_mkey, 0, sizeof(cur_mkey)); - memset(&master_entry, 0, sizeof(master_entry)); - nprinc = 1; - if ((retval = krb5_db_get_principal(context, mprinc, - &master_entry, &nprinc, &more))) + retval = krb5_db_get_principal(context, mprinc, 0, &master_entry); + if (retval == KRB5_KDB_NOENTRY) + return (KRB5_KDB_NOMASTERKEY); + if (retval) return (retval); - if (nprinc != 1) { - if (nprinc) - krb5_db_free_principal(context, &master_entry, nprinc); - return(KRB5_KDB_NOMASTERKEY); - } else if (more) { - krb5_db_free_principal(context, &master_entry, nprinc); - return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); - } - /* * Check if the input mkey is the latest key and if it isn't then find the * latest mkey. */ - if (mkey->enctype == master_entry.key_data[0].key_data_type[0]) { - if (krb5_dbe_decrypt_key_data(context, mkey, &master_entry.key_data[0], + if (mkey->enctype == master_entry->key_data[0].key_data_type[0]) { + if (krb5_dbe_decrypt_key_data(context, mkey, + &master_entry->key_data[0], &cur_mkey, NULL) == 0) { found_key = TRUE; } } if (!found_key) { - if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry, + if ((retval = krb5_dbe_lookup_mkey_aux(context, master_entry, &mkey_aux_data_list))) goto clean_n_exit; @@ -504,13 +495,13 @@ krb5_def_fetch_mkey_list(krb5_context context, /* Set mkey_list_head to the current mkey as an optimization. */ /* mkvno may not be latest so ... */ - mkey_list_head->kvno = master_entry.key_data[0].key_data_kvno; + mkey_list_head->kvno = master_entry->key_data[0].key_data_kvno; /* this is the latest clear mkey (avoids a redundant decrypt) */ mkey_list_head->keyblock = cur_mkey; /* loop through any other master keys creating a list of krb5_keylist_nodes */ mkey_list_node = &mkey_list_head->next; - for (i = 1; i < master_entry.n_key_data; i++) { + for (i = 1; i < master_entry->n_key_data; i++) { if (*mkey_list_node == NULL) { /* *mkey_list_node points to next field of previous node */ *mkey_list_node = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node)); @@ -520,7 +511,7 @@ krb5_def_fetch_mkey_list(krb5_context context, } memset(*mkey_list_node, 0, sizeof(krb5_keylist_node)); } - key_data = &master_entry.key_data[i]; + key_data = &master_entry->key_data[i]; retval = krb5_dbe_decrypt_key_data(context, &cur_mkey, key_data, &((*mkey_list_node)->keyblock), NULL); @@ -534,7 +525,7 @@ krb5_def_fetch_mkey_list(krb5_context context, *mkeys_list = mkey_list_head; clean_n_exit: - krb5_db_free_principal(context, &master_entry, nprinc); + krb5_db_free_principal(context, master_entry); krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_list); if (retval != 0) krb5_dbe_free_key_list(context, mkey_list_head); diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c index fe128535c..0842439a3 100644 --- a/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c @@ -353,8 +353,6 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) goto cleanup; for (i = 0; i < no_of_updates; i++) { - int nentry = 1; - if (!upd->kdb_commit) continue; @@ -379,9 +377,7 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) free(dbprincstr); - retval = krb5int_delete_principal_no_log(context, - dbprinc, - &nentry); + retval = krb5int_delete_principal_no_log(context, dbprinc); if (dbprinc) { krb5_free_principal(context, dbprinc); @@ -400,15 +396,13 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) (void) memset(entry, 0, sizeof (krb5_db_entry)); - if ((retval = ulog_conv_2dbentry(context, entry, upd, 1))) + if ((retval = ulog_conv_2dbentry(context, &entry, upd))) goto cleanup; - retval = krb5int_put_principal_no_log(context, entry, - &nentry); + retval = krb5int_put_principal_no_log(context, entry); if (entry) { - krb5_db_free_principal(context, entry, nentry); - free(entry); + krb5_db_free_principal(context, entry); entry = NULL; } if (retval) diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c index ae02e918f..4d56915b9 100644 --- a/src/lib/kdb/keytab.c +++ b/src/lib/kdb/keytab.c @@ -128,9 +128,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) krb5_keyblock * master_key; krb5_error_code kerror = 0; krb5_key_data * key_data; - krb5_db_entry db_entry; - krb5_boolean more = 0; - int n = 0; + krb5_db_entry * db_entry; int xrealm_tgt; krb5_boolean similar; @@ -146,19 +144,14 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) return(kerror); /* get_principal */ - kerror = krb5_db_get_principal(context, principal, & - db_entry, &n, &more); - if (kerror) { - /* krb5_db_close_database(context); */ + kerror = krb5_db_get_principal(context, principal, 0, &db_entry); + if (kerror == KRB5_KDB_NOENTRY) + return(KRB5_KT_NOTFOUND); + if (kerror) return(kerror); - } - if (n != 1) { - /* krb5_db_close_database(context); */ - return KRB5_KT_NOTFOUND; - } - if (db_entry.attributes & KRB5_KDB_DISALLOW_SVR - || db_entry.attributes & KRB5_KDB_DISALLOW_ALL_TIX) { + if (db_entry->attributes & KRB5_KDB_DISALLOW_SVR + || db_entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) { kerror = KRB5_KT_NOTFOUND; goto error; } @@ -168,7 +161,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) if (kerror) goto error; - kerror = krb5_dbe_find_mkey(context, master_keylist, &db_entry, &master_key); + kerror = krb5_dbe_find_mkey(context, master_keylist, db_entry, &master_key); if (kerror) goto error; @@ -176,7 +169,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) * for other principals, we only match the first enctype that is * found. Since the TGS and AS code do the same thing, then we * will only successfully decrypt tickets we have issued.*/ - kerror = krb5_dbe_find_enctype(context, &db_entry, + kerror = krb5_dbe_find_enctype(context, db_entry, xrealm_tgt?enctype:-1, -1, kvno, &key_data); if (kerror == KRB5_KDB_NO_MATCHING_KEY) @@ -213,7 +206,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) /* Close database */ error: - krb5_db_free_principal(context, &db_entry, 1); + krb5_db_free_principal(context, db_entry); /* krb5_db_close_database(context); */ return(kerror); } diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports index 4a2576a30..4719a6431 100644 --- a/src/lib/kdb/libkdb5.exports +++ b/src/lib/kdb/libkdb5.exports @@ -16,7 +16,6 @@ krb5_db_get_key_data_kvno krb5_db_get_mkey_list krb5_db_get_context krb5_db_get_principal -krb5_db_get_principal_ext krb5_db_invoke krb5_db_iterate krb5_db_lock diff --git a/src/plugins/kdb/db2/adb_policy.c b/src/plugins/kdb/db2/adb_policy.c index 2b6c1214f..057f1826f 100644 --- a/src/plugins/kdb/db2/adb_policy.c +++ b/src/plugins/kdb/db2/adb_policy.c @@ -184,7 +184,7 @@ error: */ krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, char *name, - osa_policy_ent_t *entry, int *cnt) + osa_policy_ent_t *entry) { DBT dbkey; DBT dbdata; @@ -194,8 +194,6 @@ osa_adb_get_policy(osa_adb_policy_t db, char *name, OPENLOCK(db, KRB5_DB_LOCKMODE_SHARED); - *cnt = 1; - if(name == NULL) { ret = EINVAL; goto error; @@ -206,8 +204,7 @@ osa_adb_get_policy(osa_adb_policy_t db, char *name, dbdata.size = 0; switch((db->db->get(db->db, &dbkey, &dbdata, 0))) { case 1: - ret = 0; - *cnt = 0; + ret = KRB5_KDB_NOENTRY; goto error; case 0: break; diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index a78bc7510..fe4f6e96d 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c @@ -120,27 +120,22 @@ WRAP_K (krb5_db2_unlock, (krb5_context ctx), (ctx)); WRAP_K (krb5_db2_get_principal, (krb5_context ctx, krb5_const_principal p, - unsigned int flags, - krb5_db_entry *d, - int * i, - krb5_boolean *b), - (ctx, p, d, i, b)); + unsigned int f, + krb5_db_entry **d), + (ctx, p, f, d)); WRAP_VOID (krb5_db2_free_principal, (krb5_context ctx, - krb5_db_entry *d, - int i), - (ctx, d, i)); + krb5_db_entry *d), + (ctx, d)); WRAP_K (krb5_db2_put_principal, (krb5_context ctx, krb5_db_entry *d, - int *i, char **db_args), - (ctx, d, i, db_args)); + (ctx, d, db_args)); WRAP_K (krb5_db2_delete_principal, (krb5_context context, - krb5_const_principal searchfor, - int *nentries), - (context, searchfor, nentries)); + krb5_const_principal searchfor), + (context, searchfor)); WRAP_K (krb5_db2_iterate, (krb5_context ctx, char *s, @@ -155,9 +150,8 @@ WRAP_K (krb5_db2_create_policy, WRAP_K (krb5_db2_get_policy, ( krb5_context kcontext, char *name, - osa_policy_ent_t *policy, - int *cnt), - (kcontext, name, policy, cnt)); + osa_policy_ent_t *policy), + (kcontext, name, policy)); WRAP_K (krb5_db2_put_policy, ( krb5_context kcontext, osa_policy_ent_t policy ), (kcontext, policy)); diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c index c23b81335..707bf842b 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -850,18 +850,9 @@ destroy_db(krb5_context context, char *dbname) return retval1; } -/* - * look up a principal in the data base. - * returns number of entries found, and whether there were - * more than requested. - */ - krb5_error_code -krb5_db2_get_principal(krb5_context context, - krb5_const_principal searchfor, - krb5_db_entry *entries, /* filled in */ - int *nentries, /* how much room/how many found */ - krb5_boolean *more) /* are there more? */ +krb5_db2_get_principal(krb5_context context, krb5_const_principal searchfor, + unsigned int flags, krb5_db_entry **entry) { krb5_db2_context *db_ctx; krb5_error_code retval; @@ -870,9 +861,7 @@ krb5_db2_get_principal(krb5_context context, krb5_data keydata, contdata; int trynum, dbret; - *more = FALSE; - *nentries = 0; - + *entry = NULL; if (!k5db2_inited(context)) return KRB5_KDB_DBNOTINITED; @@ -898,22 +887,20 @@ krb5_db2_get_principal(krb5_context context, key.size = keydata.length; db = db_ctx->db; - dbret = (*db->get) (db, &key, &contents, 0); + dbret = (*db->get)(db, &key, &contents, 0); retval = errno; krb5_free_data_contents(context, &keydata); switch (dbret) { case 1: - retval = 0; + retval = KRB5_KDB_NOENTRY; + /* Fall through. */ case -1: default: - *nentries = 0; goto cleanup; case 0: contdata.data = contents.data; contdata.length = contents.size; - retval = krb5_decode_princ_contents(context, &contdata, entries); - if (!retval) - *nentries = 1; + retval = krb5_decode_princ_entry(context, &contdata, entry); break; } @@ -922,34 +909,18 @@ cleanup: return retval; } -/* - Free stuff returned by krb5_db2_get_principal. -*/ +/* Free an entry returned by krb5_db2_get_principal. */ void -krb5_db2_free_principal(krb5_context context, krb5_db_entry *entries, - int nentries) +krb5_db2_free_principal(krb5_context context, krb5_db_entry *entry) { - register int i; - for (i = 0; i < nentries; i++) - krb5_dbe_free_contents(context, &entries[i]); + krb5_dbe_free(context, entry); } -/* - Stores the *"nentries" entry structures pointed to by "entries" in the - database. - - *"nentries" is updated upon return to reflect the number of records - acutally stored; the first *"nstored" records will have been stored in the - database (even if an error occurs). - -*/ - krb5_error_code -krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries, - int *nentries, /* number of entry structs to update */ +krb5_db2_put_principal(krb5_context context, krb5_db_entry *entry, char **db_args) { - int i, n, dbret; + int dbret; DB *db; DBT key, contents; krb5_data contdata, keydata; @@ -965,8 +936,6 @@ krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries, return EINVAL; } - n = *nentries; - *nentries = 0; if (!k5db2_inited(context)) return KRB5_KDB_DBNOTINITED; @@ -980,47 +949,35 @@ krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries, return retval; } - /* for each one, stuff temps, and do replace/append */ - for (i = 0; i < n; i++) { - retval = krb5_encode_princ_contents(context, &contdata, entries); - if (retval) - break; - contents.data = contdata.data; - contents.size = contdata.length; - retval = krb5_encode_princ_dbkey(context, &keydata, entries->princ); - if (retval) { - krb5_free_data_contents(context, &contdata); - break; - } - - key.data = keydata.data; - key.size = keydata.length; - dbret = (*db->put) (db, &key, &contents, 0); - retval = dbret ? errno : 0; - krb5_free_data_contents(context, &keydata); + retval = krb5_encode_princ_entry(context, &contdata, entry); + if (retval) + goto cleanup; + contents.data = contdata.data; + contents.size = contdata.length; + retval = krb5_encode_princ_dbkey(context, &keydata, entry->princ); + if (retval) { krb5_free_data_contents(context, &contdata); - if (retval) - break; - entries++; /* bump to next struct */ + goto cleanup; } + key.data = keydata.data; + key.size = keydata.length; + dbret = (*db->put)(db, &key, &contents, 0); + retval = dbret ? errno : 0; + krb5_free_data_contents(context, &keydata); + krb5_free_data_contents(context, &contdata); + +cleanup: (void) krb5_db2_end_update(context); (void) krb5_db2_unlock(context); /* unlock database */ - *nentries = i; return (retval); } -/* - * delete a principal from the data base. - * returns number of entries removed - */ - krb5_error_code -krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor, - int *nentries) /* how many found & deleted */ +krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor) { krb5_error_code retval; - krb5_db_entry entry; + krb5_db_entry *entry; krb5_db2_context *db_ctx; DB *db; DBT key, contents; @@ -1050,31 +1007,29 @@ krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor, switch (dbret) { case 1: retval = KRB5_KDB_NOENTRY; + /* Fall through. */ case -1: default: - *nentries = 0; goto cleankey; case 0: ; } - memset(&entry, 0, sizeof(entry)); contdata.data = contents.data; contdata.length = contents.size; - retval = krb5_decode_princ_contents(context, &contdata, &entry); + retval = krb5_decode_princ_entry(context, &contdata, &entry); if (retval) goto cleankey; - *nentries = 1; /* Clear encrypted key contents */ - for (i = 0; i < entry.n_key_data; i++) { - if (entry.key_data[i].key_data_length[0]) { - memset(entry.key_data[i].key_data_contents[0], 0, - (unsigned) entry.key_data[i].key_data_length[0]); + for (i = 0; i < entry->n_key_data; i++) { + if (entry->key_data[i].key_data_length[0]) { + memset(entry->key_data[i].key_data_contents[0], 0, + (unsigned) entry->key_data[i].key_data_length[0]); } } - retval = krb5_encode_princ_contents(context, &contdata, &entry); - krb5_dbe_free_contents(context, &entry); + retval = krb5_encode_princ_entry(context, &contdata, entry); + krb5_dbe_free(context, entry); if (retval) goto cleankey; @@ -1105,7 +1060,7 @@ krb5_db2_iterate_ext(krb5_context context, DB *db; DBT key, contents; krb5_data contdata; - krb5_db_entry entries; + krb5_db_entry *entry; krb5_error_code retval; int dbret; void *cookie; @@ -1142,14 +1097,14 @@ krb5_db2_iterate_ext(krb5_context context, contdata.data = contents.data; contdata.length = contents.size; - retval = krb5_decode_princ_contents(context, &contdata, &entries); + retval = krb5_decode_princ_entry(context, &contdata, &entry); if (retval) break; retval = k5_mutex_unlock(krb5_db2_mutex); if (retval) break; - retval = (*func) (func_arg, &entries); - krb5_dbe_free_contents(context, &entries); + retval = (*func)(func_arg, entry); + krb5_dbe_free(context, entry); retval2 = k5_mutex_lock(krb5_db2_mutex); /* Note: If re-locking fails, the wrapper in db2_exp.c will still try to unlock it again. That would be a bug. Fix @@ -1319,11 +1274,11 @@ krb5_db2_create_policy(krb5_context context, osa_policy_ent_t policy) krb5_error_code krb5_db2_get_policy(krb5_context context, - char *name, osa_policy_ent_t * policy, int *cnt) + char *name, osa_policy_ent_t *policy) { krb5_db2_context *dbc = context->dal_handle->db_context; - return osa_adb_get_policy(dbc->policy_db, name, policy, cnt); + return osa_adb_get_policy(dbc->policy_db, name, policy); } krb5_error_code @@ -1450,9 +1405,8 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) struct nra_context *nra = (struct nra_context *)ptr; kdb5_dal_handle *dal_handle = nra->kcontext->dal_handle; krb5_error_code retval; - int n_entries = 0, changed; - krb5_db_entry s_entry; - krb5_boolean more; + int changed; + krb5_db_entry *s_entry; krb5_db2_context *dst_db; memset(&s_entry, 0, sizeof(s_entry)); @@ -1461,23 +1415,21 @@ krb5_db2_merge_nra_iterator(krb5_pointer ptr, krb5_db_entry *entry) dal_handle->db_context = nra->db_context; /* look up the new principal in the old DB */ - retval = krb5_db2_get_principal(nra->kcontext, entry->princ, &s_entry, - &n_entries, &more); - if (retval != 0 || n_entries == 0) { + retval = krb5_db2_get_principal(nra->kcontext, entry->princ, 0, &s_entry); + if (retval != 0) { /* principal may be newly created, so ignore */ dal_handle->db_context = dst_db; return 0; } /* merge non-replicated attributes from the old entry in */ - krb5_db2_merge_principal(nra->kcontext, &s_entry, entry, &changed); + krb5_db2_merge_principal(nra->kcontext, s_entry, entry, &changed); dal_handle->db_context = dst_db; /* if necessary, commit the modified new entry to the new DB */ if (changed) { - retval = krb5_db2_put_principal(nra->kcontext, entry, &n_entries, - NULL); + retval = krb5_db2_put_principal(nra->kcontext, entry, NULL); } else { retval = 0; } diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index d7ac7a4cb..6096dc4b1 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -60,9 +60,9 @@ krb5_error_code krb5_db2_fini(krb5_context); krb5_error_code krb5_db2_get_age(krb5_context, char *, time_t *); krb5_error_code krb5_db2_rename(krb5_context, char *, char *, int ); krb5_error_code krb5_db2_get_principal(krb5_context, krb5_const_principal, - krb5_db_entry *, int *, krb5_boolean *); -void krb5_db2_free_principal(krb5_context, krb5_db_entry *, int); -krb5_error_code krb5_db2_put_principal(krb5_context, krb5_db_entry *, int *, + unsigned int, krb5_db_entry **); +void krb5_db2_free_principal(krb5_context, krb5_db_entry *); +krb5_error_code krb5_db2_put_principal(krb5_context, krb5_db_entry *, char **db_args); krb5_error_code krb5_db2_iterate_ext(krb5_context, krb5_error_code (*)(krb5_pointer, @@ -85,12 +85,8 @@ krb5_error_code krb5_db2_get_mkey_list(krb5_context context, krb5_keylist_node **keylist); krb5_error_code -krb5_db2_put_principal(krb5_context context, krb5_db_entry *entries, - register int *nentries, char **db_args); - -krb5_error_code -krb5_db2_delete_principal(krb5_context context, krb5_const_principal searchfor, - int *nentries); +krb5_db2_delete_principal(krb5_context context, + krb5_const_principal searchfor); krb5_error_code krb5_db2_lib_init(void); krb5_error_code krb5_db2_lib_cleanup(void); @@ -122,8 +118,7 @@ krb5_error_code krb5_db2_create_policy(krb5_context context, osa_policy_ent_t entry); krb5_error_code krb5_db2_get_policy(krb5_context kcontext, - char *name, osa_policy_ent_t *policy, - int *cnt); + char *name, osa_policy_ent_t *policy); krb5_error_code krb5_db2_put_policy(krb5_context kcontext, osa_policy_ent_t policy); diff --git a/src/plugins/kdb/db2/kdb_xdr.c b/src/plugins/kdb/db2/kdb_xdr.c index 81a3cc426..14b63fa04 100644 --- a/src/plugins/kdb/db2/kdb_xdr.c +++ b/src/plugins/kdb/db2/kdb_xdr.c @@ -47,15 +47,9 @@ krb5_encode_princ_dbkey(krb5_context context, krb5_data *key, return(retval); } -void -krb5_free_princ_dbkey(krb5_context context, krb5_data *key) -{ - (void) krb5_free_data_contents(context, key); -} - krb5_error_code -krb5_encode_princ_contents(krb5_context context, krb5_data *content, - krb5_db_entry *entry) +krb5_encode_princ_entry(krb5_context context, krb5_data *content, + krb5_db_entry *entry) { int i, j; unsigned int unparse_princ_size; @@ -229,29 +223,23 @@ epc_error:; return retval; } -void -krb5_free_princ_contents(krb5_context context, krb5_data *contents) -{ - krb5_free_data_contents(context, contents); - return; -} - krb5_error_code -krb5_decode_princ_contents(krb5_context context, krb5_data *content, - krb5_db_entry *entry) +krb5_decode_princ_entry(krb5_context context, krb5_data *content, + krb5_db_entry **entry_ptr) { int sizeleft, i; unsigned char * nextloc; krb5_tl_data ** tl_data; krb5_int16 i16; - + krb5_db_entry * entry; krb5_error_code retval; - /* Zero out entry and NULL pointers */ - memset(entry, 0, sizeof(krb5_db_entry)); + entry = k5alloc(sizeof(*entry), &retval); + if (entry == NULL) + return retval; /* - * undo the effects of encode_princ_contents. + * Reverse the encoding of encode_princ_entry. * * The first part is decoding the base type. If the base type is * bigger than the original base type then the additional fields @@ -262,8 +250,10 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content, /* First do the easy stuff */ nextloc = (unsigned char *)content->data; sizeleft = content->length; - if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0) - return KRB5_KDB_TRUNCATED_RECORD; + if ((sizeleft -= KRB5_KDB_V1_BASE_LENGTH) < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } /* Base Length */ krb5_kdb_decode_int16(nextloc, entry->len); @@ -305,25 +295,28 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content, krb5_kdb_decode_int16(nextloc, entry->n_tl_data); nextloc += 2; - if (entry->n_tl_data < 0) - return KRB5_KDB_TRUNCATED_RECORD; + if (entry->n_tl_data < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } /* # key_data strutures */ krb5_kdb_decode_int16(nextloc, entry->n_key_data); nextloc += 2; - if (entry->n_key_data < 0) - return KRB5_KDB_TRUNCATED_RECORD; + if (entry->n_key_data < 0) { + retval = KRB5_KDB_TRUNCATED_RECORD; + goto error_out; + } /* Check for extra data */ if (entry->len > KRB5_KDB_V1_BASE_LENGTH) { entry->e_length = entry->len - KRB5_KDB_V1_BASE_LENGTH; - if ((entry->e_data = (krb5_octet *)malloc(entry->e_length))) { - memcpy(entry->e_data, nextloc, entry->e_length); - nextloc += entry->e_length; - } else { - return ENOMEM; - } + entry->e_data = k5alloc(entry->e_length, &retval); + if (entry->e_data == NULL) + goto error_out; + memcpy(entry->e_data, nextloc, entry->e_length); + nextloc += entry->e_length; } /* @@ -435,40 +428,36 @@ krb5_decode_princ_contents(krb5_context context, krb5_data *content, abort(); } } + *entry_ptr = entry; return 0; -error_out:; - krb5_dbe_free_contents(context, entry); +error_out: + krb5_dbe_free(context, entry); return retval; } void -krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry) +krb5_dbe_free(krb5_context context, krb5_db_entry *entry) { krb5_tl_data * tl_data_next; krb5_tl_data * tl_data; int i, j; - if (entry->e_data) - free(entry->e_data); - if (entry->princ) - krb5_free_principal(context, entry->princ); + if (entry == NULL) + return; + free(entry->e_data); + krb5_free_principal(context, entry->princ); for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) { tl_data_next = tl_data->tl_data_next; - if (tl_data->tl_data_contents) - free(tl_data->tl_data_contents); + free(tl_data->tl_data_contents); free(tl_data); } if (entry->key_data) { for (i = 0; i < entry->n_key_data; i++) { for (j = 0; j < entry->key_data[i].key_data_ver; j++) { if (entry->key_data[i].key_data_length[j]) { - if (entry->key_data[i].key_data_contents[j]) { - memset(entry->key_data[i].key_data_contents[j], - 0, - (unsigned) entry->key_data[i].key_data_length[j]); - free (entry->key_data[i].key_data_contents[j]); - } + zapfree(entry->key_data[i].key_data_contents[j], + entry->key_data[i].key_data_length[j]); } entry->key_data[i].key_data_contents[j] = NULL; entry->key_data[i].key_data_length[j] = 0; @@ -477,6 +466,5 @@ krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry) } free(entry->key_data); } - memset(entry, 0, sizeof(*entry)); - return; + free(entry); } diff --git a/src/plugins/kdb/db2/kdb_xdr.h b/src/plugins/kdb/db2/kdb_xdr.h index e4a202b37..122605f76 100644 --- a/src/plugins/kdb/db2/kdb_xdr.h +++ b/src/plugins/kdb/db2/kdb_xdr.h @@ -9,20 +9,14 @@ krb5_encode_princ_dbkey(krb5_context context, krb5_data *key, krb5_const_principal principal); krb5_error_code -krb5_decode_princ_contents(krb5_context context, krb5_data *content, - krb5_db_entry *entry); +krb5_decode_princ_entry(krb5_context context, krb5_data *content, + krb5_db_entry **entry); void -krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry); +krb5_dbe_free(krb5_context context, krb5_db_entry *entry); krb5_error_code -krb5_encode_princ_contents(krb5_context context, krb5_data *content, - krb5_db_entry *entry); - -void -krb5_free_princ_dbkey(krb5_context context, krb5_data *key); - -void -krb5_free_princ_contents(krb5_context context, krb5_data *contents); +krb5_encode_princ_entry(krb5_context context, krb5_data *content, + krb5_db_entry *entry); #endif diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c index 1e9cc11d9..3ba53d214 100644 --- a/src/plugins/kdb/db2/lockout.c +++ b/src/plugins/kdb/db2/lockout.c @@ -73,17 +73,14 @@ lookup_lockout_policy(krb5_context context, if (adb.policy != NULL) { osa_policy_ent_t policy = NULL; - int count = 0; - code = krb5_db2_get_policy(context, adb.policy, - &policy, &count); - if (code == 0 && count == 1) { + code = krb5_db2_get_policy(context, adb.policy, &policy); + if (code == 0) { *pw_max_fail = policy->pw_max_fail; *pw_failcnt_interval = policy->pw_failcnt_interval; *pw_lockout_duration = policy->pw_lockout_duration; - } - if (policy != NULL) krb5_db2_free_policy(context, policy); + } } xdr_destroy(&xdrs); @@ -148,7 +145,6 @@ krb5_db2_lockout_audit(krb5_context context, krb5_kvno max_fail = 0; krb5_deltat failcnt_interval = 0; krb5_deltat lockout_duration = 0; - int nentries = 1; krb5_db2_context *db_ctx = context->dal_handle->db_context; krb5_boolean need_update = FALSE; @@ -198,7 +194,7 @@ krb5_db2_lockout_audit(krb5_context context, } if (need_update) { - code = krb5_db2_put_principal(context, entry, &nentries, NULL); + code = krb5_db2_put_principal(context, entry, NULL); if (code != 0) return code; } diff --git a/src/plugins/kdb/db2/policy_db.h b/src/plugins/kdb/db2/policy_db.h index f2842e956..6c920bc44 100644 --- a/src/plugins/kdb/db2/policy_db.h +++ b/src/plugins/kdb/db2/policy_db.h @@ -87,10 +87,8 @@ krb5_error_code osa_adb_create_policy(osa_adb_policy_t db, osa_policy_ent_t entry); krb5_error_code osa_adb_destroy_policy(osa_adb_policy_t db, char * name); -krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, - char * name, - osa_policy_ent_t *entry, - int *cnt); +krb5_error_code osa_adb_get_policy(osa_adb_policy_t db, char *name, + osa_policy_ent_t *entry); krb5_error_code osa_adb_put_policy(osa_adb_policy_t db, osa_policy_ent_t entry); krb5_error_code osa_adb_iter_policy(osa_adb_policy_t db, diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index 0ee57d118..97710aef8 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -2345,7 +2345,6 @@ kdb_ldap_create_principal(krb5_context context, krb5_principal princ, unsigned char *curr=NULL; krb5_tl_data *tl_data=NULL; krb5_db_entry entry; - int nentry=1; long mask = 0; krb5_keyblock key; int kvno = 0; @@ -2497,7 +2496,7 @@ kdb_ldap_create_principal(krb5_context context, krb5_principal princ, break; } /* end of switch */ - retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL); + retval = krb5_ldap_put_principal(context, &entry, NULL); if (retval) { com_err(NULL, retval, "while adding entries to database"); goto cleanup; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 85c70761f..1f3e60e92 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -2113,13 +2113,12 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context, /* We already know that the policy is inside the realm container. */ if (polname) { osa_policy_ent_t pwdpol; - int cnt=0; krb5_timestamp last_pw_changed; krb5_ui_4 pw_max_life; memset(&pwdpol, 0, sizeof(pwdpol)); - if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0) + if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol)) != 0) goto cleanup; pw_max_life = pwdpol->pw_max_life; free (pwdpol); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c index 9128fd5d7..68b08c512 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c @@ -123,13 +123,12 @@ krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry) void -krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entries, - int nentries) +krb5_ldap_free_principal(krb5_context kcontext, krb5_db_entry *entry) { - register int i; - for (i = 0; i < nentries; i++) - krb5_dbe_free_contents(kcontext, &entries[i]); - return 0; + if (entry == NULL) + return; + krb5_dbe_free_contents(kcontext, entry); + free(entry); } krb5_error_code @@ -230,7 +229,7 @@ cleanup: */ krb5_error_code krb5_ldap_delete_principal(krb5_context context, - krb5_const_principal searchfor, int *nentries) + krb5_const_principal searchfor) { char *user=NULL, *DN=NULL, *strval[10] = {NULL}; LDAPMod **mods=NULL; @@ -242,21 +241,20 @@ krb5_ldap_delete_principal(krb5_context context, kdb5_dal_handle *dal_handle=NULL; krb5_ldap_context *ldap_context=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; - krb5_db_entry entries; - krb5_boolean more=0; + krb5_db_entry *entry = NULL; /* Clear the global error string */ krb5_clear_error_message(context); SETUP_CONTEXT(); /* get the principal info */ - if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entries, nentries, &more)) != 0 || *nentries == 0) + if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entry))) goto cleanup; - if (((st=krb5_get_princ_type(context, &entries, &(ptype))) != 0) || - ((st=krb5_get_attributes_mask(context, &entries, &(attrsetmask))) != 0) || - ((st=krb5_get_princ_count(context, &entries, &(pcount))) != 0) || - ((st=krb5_get_userdn(context, &entries, &(DN))) != 0)) + if (((st=krb5_get_princ_type(context, entry, &(ptype))) != 0) || + ((st=krb5_get_attributes_mask(context, entry, &(attrsetmask))) != 0) || + ((st=krb5_get_princ_count(context, entry, &(pcount))) != 0) || + ((st=krb5_get_userdn(context, entry, &(DN))) != 0)) goto cleanup; if (DN == NULL) { @@ -356,8 +354,7 @@ cleanup: free (secretkey); } - if (st == 0) - krb5_ldap_free_principal(context, &entries, *nentries); + krb5_ldap_free_principal(context, entry); ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h index 805462d36..3942e3f42 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h @@ -95,17 +95,17 @@ extern struct timeval timeout; extern char *policyclass[]; krb5_error_code -krb5_ldap_put_principal(krb5_context, krb5_db_entry *, int *, char **); +krb5_ldap_put_principal(krb5_context, krb5_db_entry *, char **); krb5_error_code krb5_ldap_get_principal(krb5_context , krb5_const_principal , - unsigned int, krb5_db_entry *, int *, krb5_boolean *); + unsigned int, krb5_db_entry **); krb5_error_code -krb5_ldap_delete_principal(krb5_context, krb5_const_principal, int *); +krb5_ldap_delete_principal(krb5_context, krb5_const_principal); void -krb5_ldap_free_principal(krb5_context, krb5_db_entry *, int ); +krb5_ldap_free_principal(krb5_context, krb5_db_entry *); krb5_error_code krb5_ldap_iterate(krb5_context, char *, diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 7ad31da83..9b50eda72 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -100,8 +100,7 @@ aliases_ok(unsigned int flags) krb5_error_code krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, - unsigned int flags, krb5_db_entry *entries, - int *nentries, krb5_boolean *more) + unsigned int flags, krb5_db_entry **entry_ptr) { char *user=NULL, *filter=NULL, **subtree=NULL; unsigned int tree=0, ntrees=1, princlen=0; @@ -113,15 +112,14 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, kdb5_dal_handle *dal_handle=NULL; krb5_ldap_server_handle *ldap_server_handle=NULL; krb5_principal cprinc=NULL; + krb5_boolean found=FALSE; + krb5_db_entry *entry = NULL; + + *entry_ptr = NULL; /* Clear the global error string */ krb5_clear_error_message(context); - /* set initial values */ - *nentries = 0; - *more = 0; - memset(entries, 0, sizeof(*entries)); - if (searchfor == NULL) return EINVAL; @@ -131,7 +129,6 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, CHECK_LDAP_HANDLE(ldap_context); if (is_principal_in_realm(ldap_context, searchfor) != 0) { - *more = 0; krb5_set_error_message (context, st, "Principal does not belong to realm"); goto cleanup; } @@ -153,10 +150,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, goto cleanup; GET_HANDLE(); - for (tree=0; tree < ntrees && *nentries == 0; ++tree) { + for (tree=0; tree < ntrees && !found; ++tree) { LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes); - for (ent=ldap_first_entry(ld, result); ent != NULL && *nentries == 0; ent=ldap_next_entry(ld, ent)) { + for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) { /* get the associated directory user information */ if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { @@ -168,13 +165,13 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, */ for (i=0; values[i] != NULL; ++i) { if (strcmp(values[i], user) == 0) { - *nentries = 1; + found = TRUE; break; } } ldap_value_free(values); - if (*nentries == 0) /* no matching principal found */ + if (!found) /* no matching principal found */ continue; } @@ -189,31 +186,34 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor, if (st != 0) goto cleanup; } else /* No canonicalization, so don't return aliases. */ - *nentries = 0; + found = FALSE; } ldap_value_free(values); - if (*nentries == 0) + if (!found) continue; } + entry = k5alloc(sizeof(*entry), &st); + if (entry == NULL) + goto cleanup; if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, cprinc ? cprinc : searchfor, - entries)) != 0) + entry)) != 0) goto cleanup; } ldap_msgfree(result); result = NULL; } /* for (tree=0 ... */ - /* once done, put back the ldap handle */ - krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); - ldap_server_handle = NULL; + if (found) { + *entry_ptr = entry; + entry = NULL; + } else + st = KRB5_KDB_NOENTRY; cleanup: ldap_msgfree(result); - - if (*nentries == 0 || st != 0) - krb5_dbe_free_contents(context, entries); + krb5_ldap_free_principal(context, entry); if (filter) free (filter); @@ -494,10 +494,10 @@ tl_data2berval (krb5_tl_data *in, struct berval **out) } krb5_error_code -krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries, - int *nentries, char **db_args) +krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, + char **db_args) { - int i=0, l=0, kerberos_principal_object_type=0; + int l=0, kerberos_principal_object_type=0; krb5_error_code st=0, tempst=0; LDAP *ld=NULL; LDAPMessage *result=NULL, *ent=NULL; @@ -529,554 +529,574 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries, /* get ldap handle */ GET_HANDLE(); - for (i=0; i < *nentries; ++i, ++entries) { - if (is_principal_in_realm(ldap_context, entries->princ) != 0) { - st = EINVAL; - krb5_set_error_message(context, st, "Principal does not belong to the default realm"); + if (is_principal_in_realm(ldap_context, entry->princ) != 0) { + st = EINVAL; + krb5_set_error_message(context, st, "Principal does not belong to the default realm"); + goto cleanup; + } + + /* get the principal information to act on */ + if (entry->princ) { + if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) || + ((st=krb5_ldap_unparse_principal_name(user)) != 0)) goto cleanup; - } + } - /* get the principal information to act on */ - if (entries->princ) { - if (((st=krb5_unparse_name(context, entries->princ, &user)) != 0) || - ((st=krb5_ldap_unparse_principal_name(user)) != 0)) - goto cleanup; - } + /* Identity the type of operation, it can be + * add principal or modify principal. + * hack if the entry->mask has KRB_PRINCIPAL flag set + * then it is a add operation + */ + if (entry->mask & KADM5_PRINCIPAL) + optype = ADD_PRINCIPAL; + else + optype = MODIFY_PRINCIPAL; - /* Identity the type of operation, it can be - * add principal or modify principal. - * hack if the entries->mask has KRB_PRINCIPAL flag set - * then it is a add operation - */ - if (entries->mask & KADM5_PRINCIPAL) - optype = ADD_PRINCIPAL; - else - optype = MODIFY_PRINCIPAL; + if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) || + ((st=krb5_get_userdn(context, entry, &principal_dn)) != 0)) + goto cleanup; - if (((st=krb5_get_princ_type(context, entries, &kerberos_principal_object_type)) != 0) || - ((st=krb5_get_userdn(context, entries, &principal_dn)) != 0)) - goto cleanup; + if ((st=process_db_args(context, db_args, &xargs, optype)) != 0) + goto cleanup; + + if (entry->mask & KADM5_LOAD) { + int tree = 0, ntrees = 0, princlen = 0, numlentries = 0; + char **subtreelist = NULL, *filter = NULL; - if ((st=process_db_args(context, db_args, &xargs, optype)) != 0) + /* A load operation is special, will do a mix-in (add krbprinc + * attrs to a non-krb object entry) if an object exists with a + * matching krbprincipalname attribute so try to find existing + * object and set principal_dn. This assumes that the + * krbprincipalname attribute is unique (only one object entry has + * a particular krbprincipalname attribute). + */ + if (user == NULL) { + /* must have principal name for search */ + st = EINVAL; + krb5_set_error_message(context, st, "operation can not continue, principal name not found"); goto cleanup; + } + princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ + if ((filter = malloc(princlen)) == NULL) { + st = ENOMEM; + goto cleanup; + } + snprintf(filter, princlen, FILTER"%s))", user); - if (entries->mask & KADM5_LOAD) { - int tree = 0, ntrees = 0, princlen = 0, numlentries = 0; - char **subtreelist = NULL, *filter = NULL; + /* get the current subtree list */ + if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) + goto cleanup; - /* A load operation is special, will do a mix-in (add krbprinc - * attrs to a non-krb object entry) if an object exists with a - * matching krbprincipalname attribute so try to find existing - * object and set principal_dn. This assumes that the - * krbprincipalname attribute is unique (only one object entry has - * a particular krbprincipalname attribute). - */ - if (user == NULL) { - /* must have principal name for search */ - st = EINVAL; - krb5_set_error_message(context, st, "operation can not continue, principal name not found"); - goto cleanup; - } - princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */ - if ((filter = malloc(princlen)) == NULL) { - st = ENOMEM; - goto cleanup; + found_entry = FALSE; + /* search for entry with matching krbprincipalname attribute */ + for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) { + result = NULL; + if (principal_dn == NULL) { + LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS); + } else { + /* just look for entry with principal_dn */ + LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS); } - snprintf(filter, princlen, FILTER"%s))", user); - - /* get the current subtree list */ - if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) - goto cleanup; - - found_entry = FALSE; - /* search for entry with matching krbprincipalname attribute */ - for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) { - result = NULL; - if (principal_dn == NULL) { - LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS); - } else { - /* just look for entry with principal_dn */ - LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS); - } - if (st == LDAP_SUCCESS) { - numlentries = ldap_count_entries(ld, result); - if (numlentries > 1) { - ldap_msgfree(result); - free(filter); - st = EINVAL; - krb5_set_error_message(context, st, - "operation can not continue, more than one entry with principal name \"%s\" found", - user); - goto cleanup; - } else if (numlentries == 1) { - found_entry = TRUE; - if (principal_dn == NULL) { - ent = ldap_first_entry(ld, result); - if (ent != NULL) { - /* setting principal_dn will cause that entry to be modified further down */ - if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) { - ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); - st = set_ldap_error (context, st, 0); - ldap_msgfree(result); - free(filter); - goto cleanup; - } + if (st == LDAP_SUCCESS) { + numlentries = ldap_count_entries(ld, result); + if (numlentries > 1) { + ldap_msgfree(result); + free(filter); + st = EINVAL; + krb5_set_error_message(context, st, + "operation can not continue, more than one entry with principal name \"%s\" found", + user); + goto cleanup; + } else if (numlentries == 1) { + found_entry = TRUE; + if (principal_dn == NULL) { + ent = ldap_first_entry(ld, result); + if (ent != NULL) { + /* setting principal_dn will cause that entry to be modified further down */ + if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) { + ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st); + st = set_ldap_error (context, st, 0); + ldap_msgfree(result); + free(filter); + goto cleanup; } } } - if (result) - ldap_msgfree(result); - } else if (st != LDAP_NO_SUCH_OBJECT) { - /* could not perform search, return with failure */ - st = set_ldap_error (context, st, 0); - free(filter); - goto cleanup; } - /* - * If it isn't found then assume a standalone princ entry is to - * be created. - */ - } /* end for (tree = 0; principal_dn == ... */ + if (result) + ldap_msgfree(result); + } else if (st != LDAP_NO_SUCH_OBJECT) { + /* could not perform search, return with failure */ + st = set_ldap_error (context, st, 0); + free(filter); + goto cleanup; + } + /* + * If it isn't found then assume a standalone princ entry is to + * be created. + */ + } /* end for (tree = 0; principal_dn == ... */ - free(filter); + free(filter); - if (found_entry == FALSE && principal_dn != NULL) { - /* - * if principal_dn is null then there is code further down to - * deal with setting standalone_principal_dn. Also note that - * this will set create_standalone_prinicipal true for - * non-mix-in entries which is okay if loading from a dump. - */ - create_standalone_prinicipal = TRUE; - standalone_principal_dn = strdup(principal_dn); - CHECK_NULL(standalone_principal_dn); - } - } /* end if (entries->mask & KADM5_LOAD */ + if (found_entry == FALSE && principal_dn != NULL) { + /* + * if principal_dn is null then there is code further down to + * deal with setting standalone_principal_dn. Also note that + * this will set create_standalone_prinicipal true for + * non-mix-in entries which is okay if loading from a dump. + */ + create_standalone_prinicipal = TRUE; + standalone_principal_dn = strdup(principal_dn); + CHECK_NULL(standalone_principal_dn); + } + } /* end if (entry->mask & KADM5_LOAD */ - /* time to generate the DN information with the help of - * containerdn, principalcontainerreference or - * realmcontainerdn information - */ - if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */ - /* get the subtree information */ - if (entries->princ->length == 2 && entries->princ->data[0].length == strlen("krbtgt") && - strncmp(entries->princ->data[0].data, "krbtgt", entries->princ->data[0].length) == 0) { - /* if the principal is a inter-realm principal, always created in the realm container */ - subtree = strdup(ldap_context->lrparams->realmdn); - } else if (xargs.containerdn) { - if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { - if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { - int ost = st; - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "'%s' not found: ", - xargs.containerdn); - prepend_err_str(context, errbuf, st, ost); - } - goto cleanup; + /* time to generate the DN information with the help of + * containerdn, principalcontainerreference or + * realmcontainerdn information + */ + if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */ + /* get the subtree information */ + if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") && + strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) { + /* if the principal is a inter-realm principal, always created in the realm container */ + subtree = strdup(ldap_context->lrparams->realmdn); + } else if (xargs.containerdn) { + if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) { + if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) { + int ost = st; + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "'%s' not found: ", + xargs.containerdn); + prepend_err_str(context, errbuf, st, ost); } - subtree = strdup(xargs.containerdn); - } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) { - /* - * Here the subtree should be changed with - * principalcontainerreference attribute value - */ - subtree = strdup(ldap_context->lrparams->containerref); - } else { - subtree = strdup(ldap_context->lrparams->realmdn); + goto cleanup; } - CHECK_NULL(subtree); - - if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s", - user, subtree) < 0) - standalone_principal_dn = NULL; - CHECK_NULL(standalone_principal_dn); + subtree = strdup(xargs.containerdn); + } else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) { /* - * free subtree when you are done using the subtree - * set the boolean create_standalone_prinicipal to TRUE + * Here the subtree should be changed with + * principalcontainerreference attribute value */ - create_standalone_prinicipal = TRUE; - free(subtree); - subtree = NULL; + subtree = strdup(ldap_context->lrparams->containerref); + } else { + subtree = strdup(ldap_context->lrparams->realmdn); } + CHECK_NULL(subtree); + if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s", + user, subtree) < 0) + standalone_principal_dn = NULL; + CHECK_NULL(standalone_principal_dn); /* - * If the DN information is presented by the user, time to - * validate the input to ensure that the DN falls under - * any of the subtrees + * free subtree when you are done using the subtree + * set the boolean create_standalone_prinicipal to TRUE */ - if (xargs.dn_from_kbd == TRUE) { - /* make sure the DN falls in the subtree */ - int tre=0, dnlen=0, subtreelen=0, ntrees=0; - char **subtreelist=NULL; - char *dn=NULL; - krb5_boolean outofsubtree=TRUE; - - if (xargs.dn != NULL) { - dn = xargs.dn; - } else if (xargs.linkdn != NULL) { - dn = xargs.linkdn; - } else if (standalone_principal_dn != NULL) { - /* - * Even though the standalone_principal_dn is constructed - * within this function, there is the containerdn input - * from the user that can become part of the it. - */ - dn = standalone_principal_dn; - } + create_standalone_prinicipal = TRUE; + free(subtree); + subtree = NULL; + } - /* get the current subtree list */ - if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0) - goto cleanup; + /* + * If the DN information is presented by the user, time to + * validate the input to ensure that the DN falls under + * any of the subtrees + */ + if (xargs.dn_from_kbd == TRUE) { + /* make sure the DN falls in the subtree */ + int tre=0, dnlen=0, subtreelen=0, ntrees=0; + char **subtreelist=NULL; + char *dn=NULL; + krb5_boolean outofsubtree=TRUE; + + if (xargs.dn != NULL) { + dn = xargs.dn; + } else if (xargs.linkdn != NULL) { + dn = xargs.linkdn; + } else if (standalone_principal_dn != NULL) { + /* + * Even though the standalone_principal_dn is constructed + * within this function, there is the containerdn input + * from the user that can become part of the it. + */ + dn = standalone_principal_dn; + } - for (tre=0; tre= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { outofsubtree = FALSE; break; - } else { - dnlen = strlen (dn); - subtreelen = strlen(subtreelist[tre]); - if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { - outofsubtree = FALSE; - break; - } } } + } - for (tre=0; tre < ntrees; ++tre) { - free(subtreelist[tre]); - } + for (tre=0; tre < ntrees; ++tre) { + free(subtreelist[tre]); + } - if (outofsubtree == TRUE) { - st = EINVAL; - krb5_set_error_message(context, st, "DN is out of the realm subtree"); - goto cleanup; - } + if (outofsubtree == TRUE) { + st = EINVAL; + krb5_set_error_message(context, st, "DN is out of the realm subtree"); + goto cleanup; + } + + /* + * dn value will be set either by dn, linkdn or the standalone_principal_dn + * In the first 2 cases, the dn should be existing and in the last case we + * are supposed to create the ldap object. so the below should not be + * executed for the last case. + */ + if (standalone_principal_dn == NULL) { /* - * dn value will be set either by dn, linkdn or the standalone_principal_dn - * In the first 2 cases, the dn should be existing and in the last case we - * are supposed to create the ldap object. so the below should not be - * executed for the last case. + * If the ldap object is missing, this results in an error. */ - if (standalone_principal_dn == NULL) { - /* - * If the ldap object is missing, this results in an error. - */ - - /* - * Search for krbprincipalname attribute here. - * This is to find if a kerberos identity is already present - * on the ldap object, in which case adding a kerberos identity - * on the ldap object should result in an error. - */ - char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; - - LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); - if (st == LDAP_SUCCESS) { - ent = ldap_first_entry(ld, result); - if (ent != NULL) { - if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { - ldap_value_free(values); - } + /* + * Search for krbprincipalname attribute here. + * This is to find if a kerberos identity is already present + * on the ldap object, in which case adding a kerberos identity + * on the ldap object should result in an error. + */ + char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; + + LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); + if (st == LDAP_SUCCESS) { + ent = ldap_first_entry(ld, result); + if (ent != NULL) { + if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { + ldap_value_free(values); + } - if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { - krb_identity_exists = TRUE; - ldap_value_free(values); - } + if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { + krb_identity_exists = TRUE; + ldap_value_free(values); } - ldap_msgfree(result); - } else { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; } + ldap_msgfree(result); + } else { + st = set_ldap_error(context, st, OP_SEARCH); + goto cleanup; } } + } + /* + * If xargs.dn is set then the request is to add a + * kerberos principal on a ldap object, but if + * there is one already on the ldap object this + * should result in an error. + */ + + if (xargs.dn != NULL && krb_identity_exists == TRUE) { + st = EINVAL; + snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized"); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + + if (xargs.linkdn != NULL) { /* - * If xargs.dn is set then the request is to add a - * kerberos principal on a ldap object, but if - * there is one already on the ldap object this - * should result in an error. + * link information can be changed using modprinc. + * However, link information can be changed only on the + * standalone kerberos principal objects. A standalone + * kerberos principal object is of type krbprincipal + * structural objectclass. + * + * NOTE: kerberos principals on an ldap object can't be + * linked to other ldap objects. */ - - if (xargs.dn != NULL && krb_identity_exists == TRUE) { + if (optype == MODIFY_PRINCIPAL && + kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) { st = EINVAL; - snprintf(errbuf, sizeof(errbuf), "ldap object is already kerberized"); + snprintf(errbuf, sizeof(errbuf), + "link information can not be set/updated as the kerberos principal belongs to an ldap object"); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; } + /* + * Check the link information. If there is already a link + * existing then this operation is not allowed. + */ + { + char **linkdns=NULL; + int j=0; - if (xargs.linkdn != NULL) { - /* - * link information can be changed using modprinc. - * However, link information can be changed only on the - * standalone kerberos principal objects. A standalone - * kerberos principal object is of type krbprincipal - * structural objectclass. - * - * NOTE: kerberos principals on an ldap object can't be - * linked to other ldap objects. - */ - if (optype == MODIFY_PRINCIPAL && - kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) { + if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) { + snprintf(errbuf, sizeof(errbuf), + "Failed getting object references"); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + if (linkdns != NULL) { st = EINVAL; snprintf(errbuf, sizeof(errbuf), - "link information can not be set/updated as the kerberos principal belongs to an ldap object"); + "kerberos principal is already linked " + "to a ldap object"); krb5_set_error_message(context, st, "%s", errbuf); + for (j=0; linkdns[j] != NULL; ++j) + free (linkdns[j]); + free (linkdns); goto cleanup; } - /* - * Check the link information. If there is already a link - * existing then this operation is not allowed. - */ - { - char **linkdns=NULL; - int j=0; + } - if ((st=krb5_get_linkdn(context, entries, &linkdns)) != 0) { - snprintf(errbuf, sizeof(errbuf), - "Failed getting object references"); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } - if (linkdns != NULL) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - "kerberos principal is already linked " - "to a ldap object"); - krb5_set_error_message(context, st, "%s", errbuf); - for (j=0; linkdns[j] != NULL; ++j) - free (linkdns[j]); - free (linkdns); - goto cleanup; - } - } + establish_links = TRUE; + } - establish_links = TRUE; + if (entry->mask & KADM5_LAST_SUCCESS) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->last_success)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) { + free (strval[0]); + goto cleanup; } + free (strval[0]); + } - if (entries->mask & KADM5_LAST_SUCCESS) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->last_success)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if (entry->mask & KADM5_LAST_FAILED) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->last_failed)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); + goto cleanup; } + free(strval[0]); + } - if (entries->mask & KADM5_LAST_FAILED) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->last_failed)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } - free(strval[0]); - } + if (entry->mask & KADM5_FAIL_AUTH_COUNT) { + krb5_kvno fail_auth_count; - if (entries->mask & KADM5_FAIL_AUTH_COUNT) { - krb5_kvno fail_auth_count; + fail_auth_count = entry->fail_auth_count; + if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) + fail_auth_count++; - fail_auth_count = entries->fail_auth_count; - if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) - fail_auth_count++; + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_REPLACE, + fail_auth_count); + if (st != 0) + goto cleanup; + } else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) { + int attr_mask = 0; + krb5_boolean has_fail_count; + + /* Check if the krbLoginFailedCount attribute exists. (Through + * krb5 1.8.1, it wasn't set in new entries.) */ + st = krb5_get_attributes_mask(context, entry, &attr_mask); + if (st != 0) + goto cleanup; + has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0); + /* + * If the client library and server supports RFC 4525, + * then use it to increment by one the value of the + * krbLoginFailedCount attribute. Otherwise, assert the + * (provided) old value by deleting it before adding. + */ +#ifdef LDAP_MOD_INCREMENT + if (ldap_server_handle->server_info->modify_increment && + has_fail_count) { st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_REPLACE, - fail_auth_count); + LDAP_MOD_INCREMENT, 1); if (st != 0) goto cleanup; - } else if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) { - int attr_mask = 0; - krb5_boolean has_fail_count; - - /* Check if the krbLoginFailedCount attribute exists. (Through - * krb5 1.8.1, it wasn't set in new entries.) */ - st = krb5_get_attributes_mask(context, entries, &attr_mask); - if (st != 0) - goto cleanup; - has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0); - - /* - * If the client library and server supports RFC 4525, - * then use it to increment by one the value of the - * krbLoginFailedCount attribute. Otherwise, assert the - * (provided) old value by deleting it before adding. - */ -#ifdef LDAP_MOD_INCREMENT - if (ldap_server_handle->server_info->modify_increment && - has_fail_count) { - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_INCREMENT, 1); - if (st != 0) - goto cleanup; - } else { + } else { #endif /* LDAP_MOD_INCREMENT */ - if (has_fail_count) { - st = krb5_add_int_mem_ldap_mod(&mods, - "krbLoginFailedCount", - LDAP_MOD_DELETE, - entries->fail_auth_count); - if (st != 0) - goto cleanup; - } - st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_ADD, - entries->fail_auth_count + 1); + if (has_fail_count) { + st = krb5_add_int_mem_ldap_mod(&mods, + "krbLoginFailedCount", + LDAP_MOD_DELETE, + entry->fail_auth_count); if (st != 0) goto cleanup; -#ifdef LDAP_MOD_INCREMENT } -#endif - } else if (optype == ADD_PRINCIPAL) { - /* Initialize krbLoginFailedCount in new entries to help avoid a - * race during the first failed login. */ st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", - LDAP_MOD_ADD, 0); - } - - if (entries->mask & KADM5_MAX_LIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entries->max_life)) != 0) + LDAP_MOD_ADD, + entry->fail_auth_count + 1); + if (st != 0) goto cleanup; +#ifdef LDAP_MOD_INCREMENT } +#endif + } else if (optype == ADD_PRINCIPAL) { + /* Initialize krbLoginFailedCount in new entries to help avoid a + * race during the first failed login. */ + st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount", + LDAP_MOD_ADD, 0); + } - if (entries->mask & KADM5_MAX_RLIFE) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, - entries->max_renewable_life)) != 0) - goto cleanup; - } + if (entry->mask & KADM5_MAX_LIFE) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0) + goto cleanup; + } - if (entries->mask & KADM5_ATTRIBUTES) { - if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, - entries->attributes)) != 0) - goto cleanup; - } + if (entry->mask & KADM5_MAX_RLIFE) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE, + entry->max_renewable_life)) != 0) + goto cleanup; + } - if (entries->mask & KADM5_PRINCIPAL) { - memset(strval, 0, sizeof(strval)); - strval[0] = user; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - } + if (entry->mask & KADM5_ATTRIBUTES) { + if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE, + entry->attributes)) != 0) + goto cleanup; + } - if (entries->mask & KADM5_PRINC_EXPIRE_TIME) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if (entry->mask & KADM5_PRINCIPAL) { + memset(strval, 0, sizeof(strval)); + strval[0] = user; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; + } + + if (entry->mask & KADM5_PRINC_EXPIRE_TIME) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); + goto cleanup; } + free (strval[0]); + } - if (entries->mask & KADM5_PW_EXPIRATION) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", - LDAP_MOD_REPLACE, - strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if (entry->mask & KADM5_PW_EXPIRATION) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration", + LDAP_MOD_REPLACE, + strval)) != 0) { free (strval[0]); + goto cleanup; } + free (strval[0]); + } - if (entries->mask & KADM5_POLICY) { - memset(&princ_ent, 0, sizeof(princ_ent)); - for (tl_data=entries->tl_data; tl_data; tl_data=tl_data->tl_data_next) { - if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { - /* FIX ME: I guess the princ_ent should be freed after this call */ - if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { - goto cleanup; - } + if (entry->mask & KADM5_POLICY) { + memset(&princ_ent, 0, sizeof(princ_ent)); + for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) { + if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) { + /* FIX ME: I guess the princ_ent should be freed after this call */ + if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) { + goto cleanup; } } + } - if (princ_ent.aux_attributes & KADM5_POLICY) { - memset(strval, 0, sizeof(strval)); - if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) - goto cleanup; - strval[0] = polname; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; - } else { - st = EINVAL; - krb5_set_error_message(context, st, "Password policy value null"); + if (princ_ent.aux_attributes & KADM5_POLICY) { + memset(strval, 0, sizeof(strval)); + if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0) goto cleanup; - } - } else if (entries->mask & KADM5_LOAD && found_entry == TRUE) { - /* - * a load is special in that existing entries must have attrs that - * removed. - */ - - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0) + strval[0] = polname; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; + } else { + st = EINVAL; + krb5_set_error_message(context, st, "Password policy value null"); + goto cleanup; } + } else if (entry->mask & KADM5_LOAD && found_entry == TRUE) { + /* + * a load is special in that existing entries must have attrs that + * removed. + */ - if (entries->mask & KADM5_POLICY_CLR) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) - goto cleanup; - } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0) + goto cleanup; + } - if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) { - krb5_kvno mkvno; + if (entry->mask & KADM5_POLICY_CLR) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) + goto cleanup; + } - if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0) - goto cleanup; - bersecretkey = krb5_encode_krbsecretkey (entries->key_data, - entries->n_key_data, mkvno); + if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) { + krb5_kvno mkvno; - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", - LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) - goto cleanup; + if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0) + goto cleanup; + bersecretkey = krb5_encode_krbsecretkey (entry->key_data, + entry->n_key_data, mkvno); - if (!(entries->mask & KADM5_PRINCIPAL)) { - memset(strval, 0, sizeof(strval)); - if ((strval[0]=getstringtime(entries->pw_expiration)) == NULL) - goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, - "krbpasswordexpiration", - LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", + LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) + goto cleanup; + + if (!(entry->mask & KADM5_PRINCIPAL)) { + memset(strval, 0, sizeof(strval)); + if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL) + goto cleanup; + if ((st=krb5_add_str_mem_ldap_mod(&mods, + "krbpasswordexpiration", + LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); + goto cleanup; } + free (strval[0]); + } - /* Update last password change whenever a new key is set */ - { - krb5_timestamp last_pw_changed; - if ((st=krb5_dbe_lookup_last_pwd_change(context, entries, - &last_pw_changed)) != 0) - goto cleanup; + /* Update last password change whenever a new key is set */ + { + krb5_timestamp last_pw_changed; + if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, + &last_pw_changed)) != 0) + goto cleanup; - memset(strval, 0, sizeof(strval)); - if ((strval[0] = getstringtime(last_pw_changed)) == NULL) - goto cleanup; + memset(strval, 0, sizeof(strval)); + if ((strval[0] = getstringtime(last_pw_changed)) == NULL) + goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange", - LDAP_MOD_REPLACE, strval)) != 0) { - free (strval[0]); - goto cleanup; - } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange", + LDAP_MOD_REPLACE, strval)) != 0) { free (strval[0]); + goto cleanup; } + free (strval[0]); + } - } /* Modify Key data ends here */ + } /* Modify Key data ends here */ - /* Set tl_data */ - if (entries->tl_data != NULL) { - int count = 0; - struct berval **ber_tl_data = NULL; - krb5_tl_data *ptr; - for (ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { + /* Set tl_data */ + if (entry->tl_data != NULL) { + int count = 0; + struct berval **ber_tl_data = NULL; + krb5_tl_data *ptr; + for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { + if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE +#ifdef SECURID + || ptr->tl_data_type == KRB5_TL_DB_ARGS +#endif + || ptr->tl_data_type == KRB5_TL_KADM_DATA + || ptr->tl_data_type == KDB_TL_USER_INFO + || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) + continue; + count++; + } + if (count != 0) { + int j; + ber_tl_data = (struct berval **) calloc (count + 1, + sizeof (struct berval*)); + if (ber_tl_data == NULL) { + st = ENOMEM; + goto cleanup; + } + for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { + /* Ignore tl_data that are stored in separate directory + * attributes */ if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE #ifdef SECURID || ptr->tl_data_type == KRB5_TL_DB_ARGS @@ -1085,156 +1105,134 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entries, || ptr->tl_data_type == KDB_TL_USER_INFO || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) continue; - count++; + if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) + break; + j++; } - if (count != 0) { - int j; - ber_tl_data = (struct berval **) calloc (count + 1, - sizeof (struct berval*)); - if (ber_tl_data == NULL) { - st = ENOMEM; - goto cleanup; - } - for (j = 0, ptr = entries->tl_data; ptr != NULL; ptr = ptr->tl_data_next) { - /* Ignore tl_data that are stored in separate directory - * attributes */ - if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE -#ifdef SECURID - || ptr->tl_data_type == KRB5_TL_DB_ARGS -#endif - || ptr->tl_data_type == KRB5_TL_KADM_DATA - || ptr->tl_data_type == KDB_TL_USER_INFO - || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) - continue; - if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0) - break; - j++; - } - if (st != 0) { - for (j = 0; ber_tl_data[j] != NULL; j++) { - free (ber_tl_data[j]->bv_val); - free (ber_tl_data[j]); - } - free (ber_tl_data); - goto cleanup; + if (st != 0) { + for (j = 0; ber_tl_data[j] != NULL; j++) { + free (ber_tl_data[j]->bv_val); + free (ber_tl_data[j]); } - ber_tl_data[count] = NULL; - if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", - LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, - ber_tl_data)) != 0) - goto cleanup; + free (ber_tl_data); + goto cleanup; } + ber_tl_data[count] = NULL; + if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData", + LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, + ber_tl_data)) != 0) + goto cleanup; } + } - /* Directory specific attribute */ - if (xargs.tktpolicydn != NULL) { - int tmask=0; - - if (strlen(xargs.tktpolicydn) != 0) { - st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); - CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: "); - - strval[0] = xargs.tktpolicydn; - strval[1] = NULL; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) - goto cleanup; + /* Directory specific attribute */ + if (xargs.tktpolicydn != NULL) { + int tmask=0; - } else { - /* if xargs.tktpolicydn is a empty string, then delete - * already existing krbticketpolicyreference attr */ - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) - goto cleanup; - } + if (strlen(xargs.tktpolicydn) != 0) { + st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask); + CHECK_CLASS_VALIDITY(st, tmask, "ticket policy object value: "); - } + strval[0] = xargs.tktpolicydn; + strval[1] = NULL; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0) + goto cleanup; - if (establish_links == TRUE) { - memset(strval, 0, sizeof(strval)); - strval[0] = xargs.linkdn; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0) + } else { + /* if xargs.tktpolicydn is a empty string, then delete + * already existing krbticketpolicyreference attr */ + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0) goto cleanup; } - /* - * in case mods is NULL then return - * not sure but can happen in a modprinc - * so no need to return an error - * addprinc will at least have the principal name - * and the keys passed in - */ - if (mods == NULL) + } + + if (establish_links == TRUE) { + memset(strval, 0, sizeof(strval)); + strval[0] = xargs.linkdn; + if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0) goto cleanup; + } - if (create_standalone_prinicipal == TRUE) { - memset(strval, 0, sizeof(strval)); - strval[0] = "krbprincipal"; - strval[1] = "krbprincipalaux"; - strval[2] = "krbTicketPolicyAux"; + /* + * in case mods is NULL then return + * not sure but can happen in a modprinc + * so no need to return an error + * addprinc will at least have the principal name + * and the keys passed in + */ + if (mods == NULL) + goto cleanup; - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; + if (create_standalone_prinicipal == TRUE) { + memset(strval, 0, sizeof(strval)); + strval[0] = "krbprincipal"; + strval[1] = "krbprincipalaux"; + strval[2] = "krbTicketPolicyAux"; - st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); - if (st == LDAP_ALREADY_EXISTS && entries->mask & KADM5_LOAD) { - /* a load operation must replace an existing entry */ - st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL); - if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s", - ldap_err2string(st)); - st = translate_ldap_error (st, OP_ADD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; - } else { - st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); - } - } + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) + goto cleanup; + + st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); + if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) { + /* a load operation must replace an existing entry */ + st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL); if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st)); + snprintf(errbuf, sizeof(errbuf), "Principal delete failed (trying to replace entry): %s", + ldap_err2string(st)); st = translate_ldap_error (st, OP_ADD); krb5_set_error_message(context, st, "%s", errbuf); goto cleanup; + } else { + st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL); } - } else { - /* - * Here existing ldap object is modified and can be related - * to any attribute, so always ensure that the ldap - * object is extended with all the kerberos related - * objectclasses so that there are no constraint - * violations. - */ - { - char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL}; - int p, q, r=0, amask=0; + } + if (st != LDAP_SUCCESS) { + snprintf(errbuf, sizeof(errbuf), "Principal add failed: %s", ldap_err2string(st)); + st = translate_ldap_error (st, OP_ADD); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; + } + } else { + /* + * Here existing ldap object is modified and can be related + * to any attribute, so always ensure that the ldap + * object is extended with all the kerberos related + * objectclasses so that there are no constraint + * violations. + */ + { + char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL}; + int p, q, r=0, amask=0; - if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn, - "objectclass", attrvalues, &amask)) != 0) - goto cleanup; + if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn, + "objectclass", attrvalues, &amask)) != 0) + goto cleanup; - memset(strval, 0, sizeof(strval)); - for (p=1, q=0; p<=2; p<<=1, ++q) { - if ((p & amask) == 0) - strval[r++] = attrvalues[q]; - } - if (r != 0) { - if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) - goto cleanup; - } + memset(strval, 0, sizeof(strval)); + for (p=1, q=0; p<=2; p<<=1, ++q) { + if ((p & amask) == 0) + strval[r++] = attrvalues[q]; } - if (xargs.dn != NULL) - st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL); - else - st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL); - - if (st != LDAP_SUCCESS) { - snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st)); - st = translate_ldap_error (st, OP_MOD); - krb5_set_error_message(context, st, "%s", errbuf); - goto cleanup; + if (r != 0) { + if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0) + goto cleanup; } + } + if (xargs.dn != NULL) + st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL); + else + st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL); - if (entries->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) - entries->fail_auth_count++; + if (st != LDAP_SUCCESS) { + snprintf(errbuf, sizeof(errbuf), "User modification failed: %s", ldap_err2string(st)); + st = translate_ldap_error (st, OP_MOD); + krb5_set_error_message(context, st, "%s", errbuf); + goto cleanup; } + + if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) + entry->fail_auth_count++; } cleanup: @@ -1269,7 +1267,6 @@ cleanup: ldap_mods_free(mods, 1); krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle); - *nentries = i; return(st); } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c index 6d25ca1d8..d58fbe965 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c @@ -226,8 +226,7 @@ cleanup: static krb5_error_code krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name, - char *pol_dn, osa_policy_ent_t *policy, - int *cnt) + char *pol_dn, osa_policy_ent_t *policy) { krb5_error_code st=0, tempst=0; LDAP *ld=NULL; @@ -247,7 +246,6 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name, SETUP_CONTEXT(); GET_HANDLE(); - *cnt = 0; *(policy) = (osa_policy_ent_t) malloc(sizeof(osa_policy_ent_rec)); if (*policy == NULL) { st = ENOMEM; @@ -256,7 +254,6 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name, memset(*policy, 0, sizeof(osa_policy_ent_rec)); LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes); - *cnt = 1; #if 0 /************** Begin IFDEF'ed OUT *******************************/ (*policy)->name = strdup(name); CHECK_NULL((*policy)->name); @@ -302,7 +299,7 @@ cleanup: */ krb5_error_code krb5_ldap_get_password_policy(krb5_context context, char *name, - osa_policy_ent_t *policy, int *cnt) + osa_policy_ent_t *policy) { krb5_error_code st = 0; char *policy_dn = NULL; @@ -320,7 +317,8 @@ krb5_ldap_get_password_policy(krb5_context context, char *name, if (st != 0) goto cleanup; - st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn, policy, cnt); + st = krb5_ldap_get_password_policy_from_dn(context, name, policy_dn, + policy); cleanup: if (policy_dn != NULL) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h index 12396ac12..101119553 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.h @@ -33,7 +33,7 @@ #define _LDAP_KRBPWDPOLICY_H_ krb5_error_code -krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *, int *); +krb5_ldap_get_password_policy(krb5_context, char *, osa_policy_ent_t *); krb5_error_code krb5_ldap_create_password_policy(krb5_context, osa_policy_ent_t); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c index 81df6292c..11ca9cdce 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c @@ -322,9 +322,8 @@ krb5_ldap_delete_realm (krb5_context context, char *lrealm) for (i = 0; values[i] != NULL; ++i) { krb5_parse_name(context, values[i], &principal); if (principal_in_realm_2(principal, lrealm) == 0) { - int nent = 0; - if ((st=krb5_ldap_delete_principal(context, principal, - &nent)) != LDAP_SUCCESS) + st=krb5_ldap_delete_principal(context, principal); + if (st && st != KRB5_KDB_NOENTRY) goto cleanup; } krb5_free_principal(context, principal); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c index 323963e8d..c1a4d7ebe 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c @@ -71,11 +71,9 @@ lookup_lockout_policy(krb5_context context, if (adb.policy != NULL) { osa_policy_ent_t policy = NULL; - int count = 0; - code = krb5_ldap_get_password_policy(context, adb.policy, - &policy, &count); - if (code == 0 && count == 1) { + code = krb5_ldap_get_password_policy(context, adb.policy, &policy); + if (code == 0) { *pw_max_fail = policy->pw_max_fail; *pw_failcnt_interval = policy->pw_failcnt_interval; *pw_lockout_duration = policy->pw_lockout_duration; @@ -147,7 +145,6 @@ krb5_ldap_lockout_audit(krb5_context context, krb5_kvno max_fail = 0; krb5_deltat failcnt_interval = 0; krb5_deltat lockout_duration = 0; - int nentries = 1; SETUP_CONTEXT(); @@ -198,7 +195,7 @@ krb5_ldap_lockout_audit(krb5_context context, } if (entry->mask) { - code = krb5_ldap_put_principal(context, entry, &nentries, NULL); + code = krb5_ldap_put_principal(context, entry, NULL); if (code != 0) return code; } diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c index 0d860b909..f451307d7 100644 --- a/src/tests/create/kdb5_mkdums.c +++ b/src/tests/create/kdb5_mkdums.c @@ -70,7 +70,6 @@ usage(who, status) int master_princ_set = 0; krb5_keyblock master_keyblock; krb5_principal master_princ; -krb5_db_entry master_entry; krb5_pointer master_random; krb5_context test_context; @@ -202,9 +201,8 @@ main(argc, argv) com_err(progname, retval, "while closing database"); exit(1); } - if (master_princ_set) { + if (master_princ_set) krb5_free_principal(test_context, master_princ); - } krb5_free_context(test_context); exit(0); } @@ -216,10 +214,15 @@ add_princ(context, str_newprinc) { krb5_error_code retval; krb5_principal newprinc; - krb5_db_entry newentry; + krb5_db_entry *newentry; char princ_name[4096]; - memset(&newentry, 0, sizeof(newentry)); + newentry = krb5_db_alloc(context, NULL, sizeof(*newentry)); + if (newentry == NULL) { + com_err(progname, ENOMEM, "while allocating DB entry"); + return; + } + memset(newentry, 0, sizeof(*newentry)); snprintf(princ_name, sizeof(princ_name), "%s@%s", str_newprinc, cur_realm); if ((retval = krb5_parse_name(context, princ_name, &newprinc))) { com_err(progname, retval, "while parsing '%s'", princ_name); @@ -227,15 +230,15 @@ add_princ(context, str_newprinc) } /* Add basic data */ - newentry.len = KRB5_KDB_V1_BASE_LENGTH; - newentry.attributes = mblock.flags; - newentry.max_life = mblock.max_life; - newentry.max_renewable_life = mblock.max_rlife; - newentry.expiration = mblock.expiration; - newentry.pw_expiration = mblock.expiration; + newentry->len = KRB5_KDB_V1_BASE_LENGTH; + newentry->attributes = mblock.flags; + newentry->max_life = mblock.max_life; + newentry->max_renewable_life = mblock.max_rlife; + newentry->expiration = mblock.expiration; + newentry->pw_expiration = mblock.expiration; /* Add princ to db entry */ - if ((retval = krb5_copy_principal(context, newprinc, &newentry.princ))) { + if ((retval = krb5_copy_principal(context, newprinc, &newentry->princ))) { com_err(progname, retval, "while encoding princ to db entry for '%s'", princ_name); krb5_free_principal(context, newprinc); @@ -252,7 +255,7 @@ add_princ(context, str_newprinc) krb5_free_principal(context, newprinc); goto error; } - retval = krb5_dbe_update_mod_princ_data(context, &newentry, now, + retval = krb5_dbe_update_mod_princ_data(context, newentry, now, master_princ); if (retval) { com_err(progname, retval, "while encoding mod_princ data"); @@ -285,7 +288,7 @@ add_princ(context, str_newprinc) } krb5_free_data_contents(context, &salt); - if ((retval = krb5_dbe_create_key_data(context, &newentry))) { + if ((retval = krb5_dbe_create_key_data(context, newentry))) { com_err(progname, retval, "while creating key_data for '%s'", princ_name); free(key.contents); @@ -294,7 +297,7 @@ add_princ(context, str_newprinc) if ((retval = krb5_dbe_encrypt_key_data(context, &master_keyblock, &key, NULL, 1, - newentry.key_data))) { + newentry->key_data))) { com_err(progname, retval, "while encrypting key for '%s'", princ_name); free(key.contents); @@ -303,26 +306,15 @@ add_princ(context, str_newprinc) free(key.contents); } - { - int one = 1; - - if ((retval = krb5_db_put_principal(context, &newentry, &one))) { - com_err(progname, retval, "while storing principal date"); - goto error; - } - if (one != 1) { - com_err(progname,0,"entry not stored in database (unknown failure)"); - goto error; - } + if ((retval = krb5_db_put_principal(context, newentry))) { + com_err(progname, retval, "while storing principal date"); + goto error; } fprintf(stdout, "Added %s to database\n", princ_name); error: /* Do cleanup of newentry regardless of error */ -#if 0 - krb5_dbe_free_contents(context, &newentry); -#endif - krb5_db_free_principal(context, &newentry, 1); + krb5_db_free_principal(context, newentry); return; } @@ -332,11 +324,10 @@ set_dbname_help(pname, dbname) char *dbname; { krb5_error_code retval; - int nentries; - krb5_boolean more; krb5_data pwd, scratch; char *args[2]; krb5_keylist_node *mkeys; + krb5_db_entry *master_entry; /* assemble & parse the master key name */ @@ -401,30 +392,20 @@ set_dbname_help(pname, dbname) return(1); } krb5_db_free_mkey_list(test_context, mkeys); - nentries = 1; - if ((retval = krb5_db_get_principal(test_context, master_princ, - &master_entry, &nentries, &more))) { + if ((retval = krb5_db_get_principal(test_context, master_princ, 0, + &master_entry))) { com_err(pname, retval, "while retrieving master entry"); (void) krb5_db_fini(test_context); return(1); - } else if (more) { - com_err(pname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, - "while retrieving master entry"); - (void) krb5_db_fini(test_context); - return(1); - } else if (!nentries) { - com_err(pname, KRB5_KDB_NOENTRY, "while retrieving master entry"); - (void) krb5_db_fini(test_context); - return(1); } - mblock.max_life = master_entry.max_life; - mblock.max_rlife = master_entry.max_renewable_life; - mblock.expiration = master_entry.expiration; + mblock.max_life = master_entry->max_life; + mblock.max_rlife = master_entry->max_renewable_life; + mblock.expiration = master_entry->expiration; /* don't set flags, master has some extra restrictions */ - mblock.mkvno = master_entry.key_data[0].key_data_kvno; + mblock.mkvno = master_entry->key_data[0].key_data_kvno; - krb5_db_free_principal(test_context, &master_entry, nentries); + krb5_db_free_principal(test_context, master_entry); return 0; } diff --git a/src/tests/verify/kdb5_verify.c b/src/tests/verify/kdb5_verify.c index 5fdab77c0..dade5cc90 100644 --- a/src/tests/verify/kdb5_verify.c +++ b/src/tests/verify/kdb5_verify.c @@ -68,7 +68,6 @@ usage(who, status) krb5_keyblock master_keyblock; krb5_principal master_princ; -krb5_db_entry master_entry; krb5_encrypt_block master_encblock; krb5_pointer master_random; char *str_master_princ; @@ -230,12 +229,10 @@ check_princ(context, str_princ) char * str_princ; { krb5_error_code retval; - krb5_db_entry kdbe; + krb5_db_entry *kdbe = NULL; krb5_keyblock pwd_key, db_key; krb5_data pwd, salt; krb5_principal princ; - krb5_boolean more; - int nprincs = 1; /* char *str_mod_name; */ char princ_name[4096]; @@ -267,22 +264,15 @@ check_princ(context, str_princ) } krb5_free_data_contents(context, &salt); - if ((retval = krb5_db_get_principal(context, princ, &kdbe, - &nprincs, &more))) { + if ((retval = krb5_db_get_principal(context, princ, 0, &kdbe))) { com_err(progname, retval, "while attempting to verify principal's existence"); krb5_free_principal(context, princ); goto out; } krb5_free_principal(context, princ); - if (nprincs != 1) { - com_err(progname, 0, "Found %d entries db entry for %s.\n", nprincs, - princ_name); - goto errout; - } - if ((retval = krb5_dbe_decrypt_key_data(context, &master_keyblock, - kdbe.key_data, &db_key, NULL))) { + kdbe->key_data, &db_key, NULL))) { com_err(progname, retval, "while decrypting key for '%s'", princ_name); goto errout; } @@ -292,7 +282,7 @@ check_princ(context, str_princ) fprintf (stderr, "\tKey types do not agree (%d expected, %d from db)\n", pwd_key.enctype, db_key.enctype); errout: - krb5_db_free_principal(context, &kdbe, nprincs); + krb5_db_free_principal(context, kdbe); return(-1); } else { @@ -307,25 +297,25 @@ check_princ(context, str_princ) free(pwd_key.contents); free(db_key.contents); - if (kdbe.key_data[0].key_data_kvno != 1) { + if (kdbe->key_data[0].key_data_kvno != 1) { fprintf(stderr,"\tkvno did not match stored value for %s.\n", princ_name); goto errout; } - if (kdbe.max_life != mblock.max_life) { + if (kdbe->max_life != mblock.max_life) { fprintf(stderr, "\tmax life did not match stored value for %s.\n", princ_name); goto errout; } - if (kdbe.max_renewable_life != mblock.max_rlife) { + if (kdbe->max_renewable_life != mblock.max_rlife) { fprintf(stderr, "\tmax renewable life did not match stored value for %s.\n", princ_name); goto errout; } - if (kdbe.expiration != mblock.expiration) { + if (kdbe->expiration != mblock.expiration) { fprintf(stderr, "\texpiration time did not match stored value for %s.\n", princ_name); goto errout; @@ -345,14 +335,14 @@ check_princ(context, str_princ) } */ - if (kdbe.attributes != mblock.flags) { + if (kdbe->attributes != mblock.flags) { fprintf(stderr, "\tAttributes did not match stored value for %s.\n", princ_name); goto errout; } out: - krb5_db_free_principal(context, &kdbe, nprincs); + krb5_db_free_principal(context, kdbe); return(0); } @@ -364,11 +354,10 @@ set_dbname_help(context, pname, dbname) char *dbname; { krb5_error_code retval; - int nentries; - krb5_boolean more; krb5_data pwd, scratch; char *args[2]; krb5_keylist_node *mkeys; + krb5_db_entry *master_entry; /* assemble & parse the master key name */ @@ -428,21 +417,11 @@ set_dbname_help(context, pname, dbname) return(1); } krb5_db_free_mkey_list(context, mkeys); - nentries = 1; - if ((retval = krb5_db_get_principal(context, master_princ, &master_entry, - &nentries, &more))) { + if ((retval = krb5_db_get_principal(context, master_princ, 0, + &master_entry))) { com_err(pname, retval, "while retrieving master entry"); (void) krb5_db_fini(context); return(1); - } else if (more) { - com_err(pname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, - "while retrieving master entry"); - (void) krb5_db_fini(context); - return(1); - } else if (!nentries) { - com_err(pname, KRB5_KDB_NOENTRY, "while retrieving master entry"); - (void) krb5_db_fini(context); - return(1); } if ((retval = krb5_unparse_name(context, master_princ, @@ -466,12 +445,12 @@ set_dbname_help(context, pname, dbname) (void) krb5_db_fini(context); return(1); } - mblock.max_life = master_entry.max_life; - mblock.max_rlife = master_entry.max_renewable_life; - mblock.expiration = master_entry.expiration; + mblock.max_life = master_entry->max_life; + mblock.max_rlife = master_entry->max_renewable_life; + mblock.expiration = master_entry->expiration; /* don't set flags, master has some extra restrictions */ - mblock.mkvno = master_entry.key_data[0].key_data_kvno; + mblock.mkvno = master_entry->key_data[0].key_data_kvno; - krb5_db_free_principal(context, &master_entry, nentries); + krb5_db_free_principal(context, master_entry); return 0; } -- 2.26.2