*
* $Header$
*/
-
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header$";
-#endif
-
-#include <sys/types.h>
+#include "k5-int.h"
#include <sys/time.h>
-#include <errno.h>
#include <kadm5/admin.h>
#include <kdb.h>
-#include <stdio.h>
-#include <string.h>
#include "server_internal.h"
-#include <stdarg.h>
-#include <stdlib.h>
#ifdef USE_PASSWORD_SERVER
#include <sys/wait.h>
#include <signal.h>
-
#endif
+#include <krb5/kadm5_hook_plugin.h>
+
#ifdef USE_VALGRIND
#include <valgrind/memcheck.h>
#else
extern krb5_principal master_princ;
extern krb5_principal hist_princ;
extern krb5_keyblock master_keyblock;
-extern krb5_keylist_node *master_keylist;
extern krb5_actkvno_node *active_mkey_list;
-extern krb5_keyblock hist_key;
extern krb5_db_entry master_db;
-extern krb5_db_entry hist_db;
-extern krb5_kvno hist_kvno;
-static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey,
+static int decrypt_key_data(krb5_context context,
int n_key_data, krb5_key_data *key_data,
krb5_keyblock **keyblocks, int *n_keys);
int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
char *password)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
kadm5_policy_ent_rec polent;
+ krb5_boolean have_polent = FALSE;
krb5_int32 now;
krb5_tl_data *tl_data_orig, *tl_data_tail;
unsigned int ret;
*/
if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
(mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
- (mask & KADM5_MKVNO) || (mask & KADM5_POLICY_CLR) ||
- (mask & KADM5_AUX_ATTRIBUTES) || (mask & KADM5_KEY_DATA) ||
- (mask & KADM5_LAST_SUCCESS) || (mask & KADM5_LAST_FAILED) ||
- (mask & KADM5_FAIL_AUTH_COUNT))
+ (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
+ (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) ||
+ (mask & KADM5_LAST_FAILED) || (mask & KADM5_FAIL_AUTH_COUNT))
+ return KADM5_BAD_MASK;
+ if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
return KADM5_BAD_MASK;
if (entry == NULL)
return EINVAL;
+ /* Use default keysalts if caller did not provide any. */
+ if (n_ks_tuple == 0) {
+ ks_tuple = handle->params.keysalts;
+ n_ks_tuple = handle->params.num_keysalts;
+ }
+
/*
* Check to see if the principal exists
*/
case KADM5_UNK_PRINC:
break;
case 0:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return KADM5_DUP;
default:
return ret;
}
- memset(&kdb, 0, sizeof(krb5_db_entry));
+ kdb = krb5_db_alloc(handle->context, NULL, sizeof(*kdb));
+ if (kdb == NULL)
+ return ENOMEM;
+ memset(kdb, 0, sizeof(*kdb));
memset(&adb, 0, sizeof(osa_princ_ent_rec));
/*
if ((mask & KADM5_POLICY)) {
if ((ret = kadm5_get_policy(handle->lhandle, entry->policy,
&polent)) != KADM5_OK) {
- if(ret == EINVAL)
- return KADM5_BAD_POLICY;
- else
- return ret;
+ if (ret == EINVAL)
+ ret = KADM5_BAD_POLICY;
+ if (ret)
+ goto cleanup;
}
+ have_polent = TRUE;
}
if (password) {
- ret = passwd_check(handle, password, (mask & KADM5_POLICY),
- &polent, entry->principal);
- if (ret) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ ret = passwd_check(handle, password, have_polent ? &polent : NULL,
+ entry->principal);
+ if (ret)
+ goto cleanup;
}
/*
* Start populating the various DB fields, using the
* "defaults" for fields that were not specified by the
* mask.
*/
- if ((ret = krb5_timeofday(handle->context, &now))) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ if ((ret = krb5_timeofday(handle->context, &now)))
+ goto cleanup;
- kdb.magic = KRB5_KDB_MAGIC_NUMBER;
- kdb.len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */
+ kdb->magic = KRB5_KDB_MAGIC_NUMBER;
+ kdb->len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */
if ((mask & KADM5_ATTRIBUTES))
- kdb.attributes = entry->attributes;
+ kdb->attributes = entry->attributes;
else
- kdb.attributes = handle->params.flags;
+ kdb->attributes = handle->params.flags;
if ((mask & KADM5_MAX_LIFE))
- kdb.max_life = entry->max_life;
+ kdb->max_life = entry->max_life;
else
- kdb.max_life = handle->params.max_life;
+ kdb->max_life = handle->params.max_life;
if (mask & KADM5_MAX_RLIFE)
- kdb.max_renewable_life = entry->max_renewable_life;
+ kdb->max_renewable_life = entry->max_renewable_life;
else
- kdb.max_renewable_life = handle->params.max_rlife;
+ kdb->max_renewable_life = handle->params.max_rlife;
if ((mask & KADM5_PRINC_EXPIRE_TIME))
- kdb.expiration = entry->princ_expire_time;
+ kdb->expiration = entry->princ_expire_time;
else
- kdb.expiration = handle->params.expiration;
+ kdb->expiration = handle->params.expiration;
- kdb.pw_expiration = 0;
- if ((mask & KADM5_POLICY)) {
+ kdb->pw_expiration = 0;
+ if (have_polent) {
if(polent.pw_max_life)
- kdb.pw_expiration = now + polent.pw_max_life;
+ kdb->pw_expiration = now + polent.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
if ((mask & KADM5_PW_EXPIRATION))
- kdb.pw_expiration = entry->pw_expiration;
+ kdb->pw_expiration = entry->pw_expiration;
- kdb.last_success = 0;
- kdb.last_failed = 0;
- kdb.fail_auth_count = 0;
+ kdb->last_success = 0;
+ kdb->last_failed = 0;
+ kdb->fail_auth_count = 0;
/* this is kind of gross, but in order to free the tl data, I need
to free the entire kdb entry, and that will try to free the
principal. */
if ((ret = kadm5_copy_principal(handle->context,
- entry->principal, &(kdb.princ)))) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
+ entry->principal, &(kdb->princ))))
+ goto cleanup;
- if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
+ if ((ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now)))
+ goto cleanup;
if (mask & KADM5_TL_DATA) {
- /* splice entry->tl_data onto the front of kdb.tl_data */
- tl_data_orig = kdb.tl_data;
+ /* splice entry->tl_data onto the front of kdb->tl_data */
+ tl_data_orig = kdb->tl_data;
for (tl_data_tail = entry->tl_data; tl_data_tail;
tl_data_tail = tl_data_tail->tl_data_next)
{
- ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl_data_tail);
+ ret = krb5_dbe_update_tl_data(handle->context, kdb, tl_data_tail);
if( ret )
- {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ goto cleanup;
}
}
/* initialize the keys */
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_kvno, &act_mkey);
- if (ret) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return (ret);
- }
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
+ &act_mkey);
+ if (ret)
+ goto cleanup;
if (password) {
- ret = krb5_dbe_cpw(handle->context, act_mkey,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+ ret = krb5_dbe_cpw(handle->context, act_mkey, ks_tuple, n_ks_tuple,
password, (mask & KADM5_KVNO)?entry->kvno:1,
- FALSE, &kdb);
+ FALSE, kdb);
} else {
/* Null password means create with random key (new in 1.8). */
ret = krb5_dbe_crk(handle->context, &master_keyblock,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- FALSE, &kdb);
- }
- if (ret) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
+ ks_tuple, n_ks_tuple, FALSE, kdb);
}
+ if (ret)
+ goto cleanup;
/* Record the master key VNO used to encrypt this entry's keys */
- ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
+ ret = krb5_dbe_update_mkvno(handle->context, kdb, act_kvno);
if (ret)
- {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ goto cleanup;
+
+ ret = k5_kadm5_hook_create(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_PRECOMMIT, entry, mask,
+ n_ks_tuple, ks_tuple, password);
+ if (ret)
+ goto cleanup;
/* populate the admin-server-specific fields. In the OV server,
this used to be in a separate database. Since there's already
I'm going to keep it, and make all the admin stuff occupy a
single tl_data record, */
- adb.admin_history_kvno = hist_kvno;
- if ((mask & KADM5_POLICY)) {
+ adb.admin_history_kvno = INITIAL_HIST_KVNO;
+ if (have_polent) {
adb.aux_attributes = KADM5_POLICY;
/* this does *not* need to be strdup'ed, because adb is xdr */
/* increment the policy ref count, if any */
- if ((mask & KADM5_POLICY)) {
+ if (have_polent) {
polent.policy_refcnt++;
if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
KADM5_REF_COUNT))
- != KADM5_OK) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
+ != KADM5_OK)
+ goto cleanup;
}
/* In all cases key and the principal data is set, let the database provider know */
- kdb.mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
+ kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
/* store the new db entry */
- ret = kdb_put_entry(handle, &kdb, &adb);
+ ret = kdb_put_entry(handle, kdb, &adb);
- krb5_db_free_principal(handle->context, &kdb, 1);
if (ret) {
- if ((mask & KADM5_POLICY)) {
+ if (have_polent) {
/* decrement the policy ref count */
polent.policy_refcnt--;
(void) kadm5_modify_policy_internal(handle->lhandle, &polent,
KADM5_REF_COUNT);
}
-
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
}
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ (void) k5_kadm5_hook_create(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_POSTCOMMIT, entry, mask,
+ n_ks_tuple, ks_tuple, password);
- return KADM5_OK;
+cleanup:
+ krb5_db_free_principal(handle->context, kdb);
+ if (have_polent)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return ret;
}
{
unsigned int ret;
kadm5_policy_ent_rec polent;
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
kadm5_server_handle_t handle = server_handle;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
+ ret = k5_kadm5_hook_remove(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_PRECOMMIT, principal);
+ if (ret) {
+ kdb_free_entry(handle, kdb, &adb);
+ return ret;
+ }
if ((adb.aux_attributes & KADM5_POLICY)) {
if ((ret = kadm5_get_policy(handle->lhandle,
KADM5_REF_COUNT))
!= KADM5_OK) {
(void) kadm5_free_policy_ent(handle->lhandle, &polent);
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return(ret);
}
}
if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) {
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
}
ret = kdb_delete_entry(handle, principal);
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
+
+ if (ret == 0)
+ (void) k5_kadm5_hook_remove(handle->context,
+ handle->hook_handles,
+ KADM5_HOOK_STAGE_POSTCOMMIT, principal);
return ret;
}
int ret, ret2, i;
kadm5_policy_ent_rec npol, opol;
int have_npol = 0, have_opol = 0;
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
krb5_tl_data *tl_data_orig;
osa_princ_ent_rec adb;
kadm5_server_handle_t handle = server_handle;
/* set pw_max_life based on new policy */
if (npol.pw_max_life) {
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
- &(kdb.pw_expiration));
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
+ &(kdb->pw_expiration));
if (ret)
goto done;
- kdb.pw_expiration += npol.pw_max_life;
+ kdb->pw_expiration += npol.pw_max_life;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
}
free(adb.policy);
adb.policy = NULL;
adb.aux_attributes &= ~KADM5_POLICY;
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
opol.policy_refcnt--;
break;
default:
goto done;
if ((mask & KADM5_ATTRIBUTES))
- kdb.attributes = entry->attributes;
+ kdb->attributes = entry->attributes;
if ((mask & KADM5_MAX_LIFE))
- kdb.max_life = entry->max_life;
+ kdb->max_life = entry->max_life;
if ((mask & KADM5_PRINC_EXPIRE_TIME))
- kdb.expiration = entry->princ_expire_time;
+ kdb->expiration = entry->princ_expire_time;
if (mask & KADM5_PW_EXPIRATION)
- kdb.pw_expiration = entry->pw_expiration;
+ kdb->pw_expiration = entry->pw_expiration;
if (mask & KADM5_MAX_RLIFE)
- kdb.max_renewable_life = entry->max_renewable_life;
+ kdb->max_renewable_life = entry->max_renewable_life;
if((mask & KADM5_KVNO)) {
- for (i = 0; i < kdb.n_key_data; i++)
- kdb.key_data[i].key_data_kvno = entry->kvno;
+ for (i = 0; i < kdb->n_key_data; i++)
+ kdb->key_data[i].key_data_kvno = entry->kvno;
}
if (mask & KADM5_TL_DATA) {
for (tl = entry->tl_data; tl;
tl = tl->tl_data_next)
{
- ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl);
+ ret = krb5_dbe_update_tl_data(handle->context, kdb, tl);
if( ret )
{
goto done;
goto done;
}
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
}
/* let the mask propagate to the database provider */
- kdb.mask = mask;
+ kdb->mask = mask;
- ret = kdb_put_entry(handle, &kdb, &adb);
+ ret = k5_kadm5_hook_modify(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_PRECOMMIT, entry, mask);
+ if (ret)
+ goto done;
+
+ ret = kdb_put_entry(handle, kdb, &adb);
if (ret) goto done;
+ (void) k5_kadm5_hook_modify(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_POSTCOMMIT, entry, mask);
ret = KADM5_OK;
done:
ret2 = kadm5_free_policy_ent(handle->lhandle, &npol);
ret = ret ? ret : ret2;
}
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
kadm5_rename_principal(void *server_handle,
krb5_principal source, krb5_principal target)
{
- krb5_db_entry kdb;
- osa_princ_ent_rec adb;
- int ret, i;
+ krb5_db_entry *kdb;
+ osa_princ_ent_rec adb;
+ krb5_error_code ret;
kadm5_server_handle_t handle = server_handle;
+ krb5_int16 stype, i;
+ krb5_data *salt = NULL;
CHECK_HANDLE(server_handle);
return EINVAL;
if ((ret = kdb_get_entry(handle, target, &kdb, &adb)) == 0) {
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return(KADM5_DUP);
}
if ((ret = kdb_get_entry(handle, source, &kdb, &adb)))
return ret;
- /* this is kinda gross, but unavoidable */
-
- for (i=0; i<kdb.n_key_data; i++) {
- if ((kdb.key_data[i].key_data_ver == 1) ||
- (kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
+ /* Transform salts as necessary. */
+ for (i = 0; i < kdb->n_key_data; i++) {
+ ret = krb5_dbe_compute_salt(handle->context, &kdb->key_data[i],
+ kdb->princ, &stype, &salt);
+ if (ret == KRB5_KDB_BAD_SALTTYPE)
ret = KADM5_NO_RENAME_SALT;
+ if (ret)
goto done;
- }
+ kdb->key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL;
+ free(kdb->key_data[i].key_data_contents[1]);
+ kdb->key_data[i].key_data_contents[1] = (krb5_octet *)salt->data;
+ kdb->key_data[i].key_data_length[1] = salt->length;
+ kdb->key_data[i].key_data_ver = 2;
+ free(salt);
+ salt = NULL;
}
- kadm5_free_principal(handle->context, kdb.princ);
- ret = kadm5_copy_principal(handle->context, target, &kdb.princ);
+ kadm5_free_principal(handle->context, kdb->princ);
+ ret = kadm5_copy_principal(handle->context, target, &kdb->princ);
if (ret) {
- kdb.princ = NULL; /* so freeing the dbe doesn't lose */
+ kdb->princ = NULL; /* so freeing the dbe doesn't lose */
goto done;
}
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
ret = kdb_delete_entry(handle, source);
done:
- kdb_free_entry(handle, &kdb, &adb);
+ krb5_free_data(handle->context, salt);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
kadm5_principal_ent_t entry,
long in_mask)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
krb5_error_code ret = 0;
long mask;
entry->aux_attributes = adb.aux_attributes;
if ((mask & KADM5_PRINCIPAL) &&
- (ret = krb5_copy_principal(handle->context, kdb.princ,
+ (ret = krb5_copy_principal(handle->context, kdb->princ,
&entry->principal))) {
goto done;
}
if (mask & KADM5_PRINC_EXPIRE_TIME)
- entry->princ_expire_time = kdb.expiration;
+ entry->princ_expire_time = kdb->expiration;
if ((mask & KADM5_LAST_PWD_CHANGE) &&
- (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
+ (ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
&(entry->last_pwd_change)))) {
goto done;
}
if (mask & KADM5_PW_EXPIRATION)
- entry->pw_expiration = kdb.pw_expiration;
+ entry->pw_expiration = kdb->pw_expiration;
if (mask & KADM5_MAX_LIFE)
- entry->max_life = kdb.max_life;
+ entry->max_life = kdb->max_life;
/* this is a little non-sensical because the function returns two */
/* values that must be checked separately against the mask */
if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) {
- ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb,
+ ret = krb5_dbe_lookup_mod_princ_data(handle->context, kdb,
&(entry->mod_date),
&(entry->mod_name));
if (ret) {
if (! (mask & KADM5_MOD_TIME))
entry->mod_date = 0;
if (! (mask & KADM5_MOD_NAME)) {
- krb5_free_principal(handle->context, entry->principal);
- entry->principal = NULL;
+ krb5_free_principal(handle->context, entry->mod_name);
+ entry->mod_name = NULL;
}
}
if (mask & KADM5_ATTRIBUTES)
- entry->attributes = kdb.attributes;
+ entry->attributes = kdb->attributes;
if (mask & KADM5_KVNO)
- for (entry->kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > entry->kvno)
- entry->kvno = kdb.key_data[i].key_data_kvno;
+ for (entry->kvno = 0, i=0; i<kdb->n_key_data; i++)
+ if ((krb5_kvno) kdb->key_data[i].key_data_kvno > entry->kvno)
+ entry->kvno = kdb->key_data[i].key_data_kvno;
- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
- &entry->mkvno);
- if (ret)
- goto done;
+ if (mask & KADM5_MKVNO) {
+ ret = krb5_dbe_get_mkvno(handle->context, kdb, &entry->mkvno);
+ if (ret)
+ goto done;
+ }
if (mask & KADM5_MAX_RLIFE)
- entry->max_renewable_life = kdb.max_renewable_life;
+ entry->max_renewable_life = kdb->max_renewable_life;
if (mask & KADM5_LAST_SUCCESS)
- entry->last_success = kdb.last_success;
+ entry->last_success = kdb->last_success;
if (mask & KADM5_LAST_FAILED)
- entry->last_failed = kdb.last_failed;
+ entry->last_failed = kdb->last_failed;
if (mask & KADM5_FAIL_AUTH_COUNT)
- entry->fail_auth_count = kdb.fail_auth_count;
+ entry->fail_auth_count = kdb->fail_auth_count;
if (mask & KADM5_TL_DATA) {
krb5_tl_data *tl, *tl2;
entry->tl_data = NULL;
- tl = kdb.tl_data;
+ tl = kdb->tl_data;
while (tl) {
if (tl->tl_data_type > 255) {
if ((tl2 = dup_tl_data(tl)) == NULL) {
}
}
if (mask & KADM5_KEY_DATA) {
- entry->n_key_data = kdb.n_key_data;
+ entry->n_key_data = kdb->n_key_data;
if(entry->n_key_data) {
entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data));
if (entry->key_data == NULL) {
for (i = 0; i < entry->n_key_data; i++)
ret = krb5_copy_key_data_contents(handle->context,
- &kdb.key_data[i],
+ &kdb->key_data[i],
&entry->key_data[i]);
if (ret)
goto done;
krb5_free_principal(handle->context, entry->principal);
entry->principal = NULL;
}
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
*/
static kadm5_ret_t
check_pw_reuse(krb5_context context,
- krb5_keyblock *mkey,
- krb5_keyblock *hist_keyblock,
+ krb5_keyblock *hist_keyblocks,
int n_new_key_data, krb5_key_data *new_key_data,
unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data)
{
- int x, y, z;
- krb5_keyblock newkey, histkey;
+ unsigned int x, y, z;
+ krb5_keyblock newkey, histkey, *kb;
+ krb5_key_data *key_data;
krb5_error_code ret;
- for (x = 0; x < n_new_key_data; x++) {
- ret = krb5_dbekd_decrypt_key_data(context,
- mkey,
- &(new_key_data[x]),
- &newkey, NULL);
+ assert (n_new_key_data >= 0);
+ for (x = 0; x < (unsigned) n_new_key_data; x++) {
+ /* Check only entries with the most recent kvno. */
+ if (new_key_data[x].key_data_kvno != new_key_data[0].key_data_kvno)
+ break;
+ ret = krb5_dbe_decrypt_key_data(context, NULL, &(new_key_data[x]),
+ &newkey, NULL);
if (ret)
return(ret);
for (y = 0; y < n_pw_hist_data; y++) {
- for (z = 0; z < pw_hist_data[y].n_key_data; z++) {
- ret = krb5_dbekd_decrypt_key_data(context,
- hist_keyblock,
- &pw_hist_data[y].key_data[z],
- &histkey, NULL);
- if (ret)
- return(ret);
-
- if ((newkey.length == histkey.length) &&
- (newkey.enctype == histkey.enctype) &&
- (memcmp(newkey.contents, histkey.contents,
- histkey.length) == 0)) {
+ for (z = 0; z < (unsigned int) pw_hist_data[y].n_key_data; z++) {
+ for (kb = hist_keyblocks; kb->enctype != 0; kb++) {
+ key_data = &pw_hist_data[y].key_data[z];
+ ret = krb5_dbe_decrypt_key_data(context, kb, key_data,
+ &histkey, NULL);
+ if (ret)
+ continue;
+ if (newkey.length == histkey.length &&
+ newkey.enctype == histkey.enctype &&
+ memcmp(newkey.contents, histkey.contents,
+ histkey.length) == 0) {
+ krb5_free_keyblock_contents(context, &histkey);
+ krb5_free_keyblock_contents(context, &newkey);
+ return KADM5_PASS_REUSE;
+ }
krb5_free_keyblock_contents(context, &histkey);
- krb5_free_keyblock_contents(context, &newkey);
-
- return(KADM5_PASS_REUSE);
}
- krb5_free_keyblock_contents(context, &histkey);
}
}
krb5_free_keyblock_contents(context, &newkey);
* Arguments:
*
* context (r) krb5_context to use
+ * mkey (r) master keyblock to decrypt key data with
+ * hist_key (r) history keyblock to encrypt key data with
* n_key_data (r) number of elements in key_data
* key_data (r) keys to add to the history entry
* hist (w) history entry to fill in
* set to n_key_data.
*/
static
-int create_history_entry(krb5_context context, krb5_keyblock *mkey, int n_key_data,
+int create_history_entry(krb5_context context,
+ krb5_keyblock *hist_key, int n_key_data,
krb5_key_data *key_data, osa_pw_hist_ent *hist)
{
int i, ret;
memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data));
for (i = 0; i < n_key_data; i++) {
- ret = krb5_dbekd_decrypt_key_data(context,
- mkey,
- &key_data[i],
- &key, &salt);
+ ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &key,
+ &salt);
if (ret)
return ret;
- ret = krb5_dbekd_encrypt_key_data(context, &hist_key,
- &key, &salt,
- key_data[i].key_data_kvno,
- &hist->key_data[i]);
+ ret = krb5_dbe_encrypt_key_data(context, hist_key, &key, &salt,
+ key_data[i].key_data_kvno,
+ &hist->key_data[i]);
if (ret)
return ret;
* Arguments:
*
* context (r) krb5_context to use
+ * hist_kvno (r) kvno of current history key
* adb (r/w) admin principal entry to add keys to
* pol (r) adb's policy
* pw (r) keys for the password to add to adb's key history
* adb->old_key_len).
*/
static kadm5_ret_t add_to_history(krb5_context context,
+ krb5_kvno hist_kvno,
osa_princ_ent_t adb,
kadm5_policy_ent_t pol,
osa_pw_hist_ent *pw)
if (nhist <= 1)
return 0;
+ if (adb->admin_history_kvno != hist_kvno) {
+ /* The history key has changed since the last password change, so we
+ * have to reset the password history. */
+ free(adb->old_keys);
+ adb->old_keys = NULL;
+ adb->old_key_len = 0;
+ adb->old_key_next = 0;
+ adb->admin_history_kvno = hist_kvno;
+ }
+
nkeys = adb->old_key_len;
knext = adb->old_key_next;
/* resize the adb->old_keys array if necessary */
knext = adb->old_key_next = 0;
/* free the old pw history entry if it contains data */
histp = &adb->old_keys[knext];
- for (i = 0; i < histp->n_key_data; i++)
+ for (i = 0; i < (unsigned int) histp->n_key_data; i++)
krb5_free_key_data_contents(context, &histp->key_data[i]);
free(histp->key_data);
krb5_int32 now;
kadm5_policy_ent_rec pol;
osa_princ_ent_rec adb;
- krb5_db_entry kdb, kdb_save;
+ krb5_db_entry *kdb;
int ret, ret2, last_pwd, hist_added;
int have_pol = 0;
kadm5_server_handle_t handle = server_handle;
osa_pw_hist_ent hist;
- krb5_keyblock *act_mkey;
- krb5_kvno act_kvno;
+ krb5_keyblock *act_mkey, *hist_keyblocks = NULL;
+ krb5_kvno act_kvno, hist_kvno;
CHECK_HANDLE(server_handle);
principal, hist_princ)) == TRUE)
return KADM5_PROTECT_PRINCIPAL;
+ /* Use default keysalts if caller did not provide any. */
+ if (n_ks_tuple == 0) {
+ ks_tuple = handle->params.keysalts;
+ n_ks_tuple = handle->params.num_keysalts;
+ }
+
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
- /* we are going to need the current keys after the new keys are set */
- if ((ret = kdb_get_entry(handle, principal, &kdb_save, NULL))) {
- kdb_free_entry(handle, &kdb, &adb);
- return(ret);
- }
-
if ((adb.aux_attributes & KADM5_POLICY)) {
if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol)))
goto done;
have_pol = 1;
+
+ /* Create a password history entry before we change kdb's key_data. */
+ ret = kdb_get_hist_key(handle, &hist_keyblocks, &hist_kvno);
+ if (ret)
+ goto done;
+ ret = create_history_entry(handle->context, &hist_keyblocks[0],
+ kdb->n_key_data, kdb->key_data, &hist);
+ if (ret)
+ goto done;
}
- if ((ret = passwd_check(handle, password, adb.aux_attributes &
- KADM5_POLICY, &pol, principal)))
+ if ((ret = passwd_check(handle, password, have_pol ? &pol : NULL,
+ principal)))
goto done;
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_kvno, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
+ &act_mkey);
if (ret)
goto done;
- ret = krb5_dbe_cpw(handle->context, act_mkey,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+ ret = krb5_dbe_cpw(handle->context, act_mkey, ks_tuple, n_ks_tuple,
password, 0 /* increment kvno */,
- keepold, &kdb);
+ keepold, kdb);
if (ret)
goto done;
- ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
+ ret = krb5_dbe_update_mkvno(handle->context, kdb, act_kvno);
if (ret)
goto done;
- kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(handle->context, &now);
if (ret)
if ((adb.aux_attributes & KADM5_POLICY)) {
/* the policy was loaded before */
- ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd);
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
if (ret)
goto done;
* local caller implicitly has all authorization bits.
*/
if ((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif
- ret = create_history_entry(handle->context,
- act_mkey,
- kdb_save.n_key_data,
- kdb_save.key_data, &hist);
- if (ret)
- goto done;
-
- ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
- kdb.n_key_data, kdb.key_data,
+ ret = check_pw_reuse(handle->context, hist_keyblocks,
+ kdb->n_key_data, kdb->key_data,
1, &hist);
if (ret)
goto done;
if (pol.pw_history_num > 1) {
- if (adb.admin_history_kvno != hist_kvno) {
- ret = KADM5_BAD_HIST_KEY;
- goto done;
+ /* If hist_kvno has changed since the last password change, we
+ * can't check the history. */
+ if (adb.admin_history_kvno == hist_kvno) {
+ ret = check_pw_reuse(handle->context, hist_keyblocks,
+ kdb->n_key_data, kdb->key_data,
+ adb.old_key_len, adb.old_keys);
+ if (ret)
+ goto done;
}
- ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
- kdb.n_key_data, kdb.key_data,
- adb.old_key_len, adb.old_keys);
- if (ret)
- goto done;
-
- ret = add_to_history(handle->context, &adb, &pol, &hist);
+ ret = add_to_history(handle->context, hist_kvno, &adb, &pol,
+ &hist);
if (ret)
goto done;
hist_added = 1;
}
if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = now + pol.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
#ifdef USE_PASSWORD_SERVER
}
#endif
- ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+ ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
goto done;
/* unlock principal on this KDC */
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
/* key data and attributes changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
+ kdb->mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
KADM5_FAIL_AUTH_COUNT;
/* | KADM5_CPW_FUNCTION */
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ ret = k5_kadm5_hook_chpass(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_PRECOMMIT, principal, keepold,
+ n_ks_tuple, ks_tuple, password);
+ if (ret)
+ goto done;
+
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
+ (void) k5_kadm5_hook_chpass(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_POSTCOMMIT, principal,
+ keepold, n_ks_tuple, ks_tuple, password);
ret = KADM5_OK;
done:
if (!hist_added && hist.key_data)
free_history_entry(handle->context, &hist);
- kdb_free_entry(handle, &kdb, &adb);
- kdb_free_entry(handle, &kdb_save, NULL);
- krb5_db_free_principal(handle->context, &kdb, 1);
+ kdb_free_entry(handle, kdb, &adb);
+ kdb_free_keyblocks(handle, hist_keyblocks);
if (have_pol && (ret2 = kadm5_free_policy_ent(handle->lhandle, &pol))
&& !ret)
krb5_keyblock **keyblocks,
int *n_keys)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
CHECK_HANDLE(server_handle);
+ /* Use default keysalts if caller did not provide any. */
+ if (n_ks_tuple == 0) {
+ ks_tuple = handle->params.keysalts;
+ n_ks_tuple = handle->params.num_keysalts;
+ }
+
krb5_clear_error_message(handle->context);
if (principal == NULL)
return EINVAL;
- if (hist_princ && /* this will be NULL when initializing the databse */
- ((krb5_principal_compare(handle->context,
- principal, hist_princ)) == TRUE))
- return KADM5_PROTECT_PRINCIPAL;
+ if (krb5_principal_compare(handle->context, principal, hist_princ)) {
+ /* If changing the history entry, the new entry must have exactly one
+ * key. */
+ if (keepold)
+ return KADM5_PROTECT_PRINCIPAL;
+ n_ks_tuple = 1;
+ }
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
+ &act_mkey);
if (ret)
goto done;
- ret = krb5_dbe_crk(handle->context, act_mkey,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- keepold,
- &kdb);
+ ret = krb5_dbe_crk(handle->context, act_mkey, ks_tuple, n_ks_tuple,
+ keepold, kdb);
if (ret)
goto done;
- kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(handle->context, &now);
if (ret)
goto done;
have_pol = 1;
- ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd);
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
if (ret)
goto done;
* local caller implicitly has all authorization bits.
*/
if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif
- if(pol.pw_history_num > 1) {
- if(adb.admin_history_kvno != hist_kvno) {
- ret = KADM5_BAD_HIST_KEY;
- goto done;
- }
-
- ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
- kdb.n_key_data, kdb.key_data,
- adb.old_key_len, adb.old_keys);
- if (ret)
- goto done;
- }
if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = now + pol.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
- ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+ ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
goto done;
/* unlock principal on this KDC */
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
if (keyblocks) {
- ret = decrypt_key_data(handle->context, act_mkey,
- kdb.n_key_data, kdb.key_data,
+ ret = decrypt_key_data(handle->context,
+ kdb->n_key_data, kdb->key_data,
keyblocks, n_keys);
if (ret)
goto done;
}
/* key data changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+ kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
/* | KADM5_RANDKEY_USED */;
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ ret = k5_kadm5_hook_chpass(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_PRECOMMIT, principal, keepold,
+ n_ks_tuple, ks_tuple, NULL);
+ if (ret)
+ goto done;
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
+ (void) k5_kadm5_hook_chpass(handle->context, handle->hook_handles,
+ KADM5_HOOK_STAGE_POSTCOMMIT, principal,
+ keepold, n_ks_tuple, ks_tuple, NULL);
ret = KADM5_OK;
done:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
if (have_pol)
kadm5_free_policy_ent(handle->lhandle, &pol);
krb5_principal principal,
krb5_keyblock *keyblock)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
- for (kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > kvno)
- kvno = kdb.key_data[i].key_data_kvno;
+ for (kvno = 0, i=0; i<kdb->n_key_data; i++)
+ if (kdb->key_data[i].key_data_kvno > kvno)
+ kvno = kdb->key_data[i].key_data_kvno;
- if (kdb.key_data != NULL)
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+ if (kdb->key_data != NULL)
+ cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
- kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data));
- if (kdb.key_data == NULL)
+ kdb->key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data));
+ if (kdb->key_data == NULL)
return ENOMEM;
- memset(kdb.key_data, 0, sizeof(krb5_key_data));
- kdb.n_key_data = 1;
+ memset(kdb->key_data, 0, sizeof(krb5_key_data));
+ kdb->n_key_data = 1;
keysalt.type = KRB5_KDB_SALTTYPE_V4;
/* XXX data.magic? */
keysalt.data.length = 0;
keysalt.data.data = NULL;
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
+ &act_mkey);
if (ret)
goto done;
/* use tmp_key_data as temporary location and reallocate later */
- ret = krb5_dbekd_encrypt_key_data(handle->context, act_mkey,
- keyblock, &keysalt, kvno + 1,
- &tmp_key_data);
+ ret = krb5_dbe_encrypt_key_data(handle->context, act_mkey, keyblock,
+ &keysalt, kvno + 1, &tmp_key_data);
if (ret) {
goto done;
}
for (k = 0; k < tmp_key_data.key_data_ver; k++) {
- kdb.key_data->key_data_type[k] = tmp_key_data.key_data_type[k];
- kdb.key_data->key_data_length[k] = tmp_key_data.key_data_length[k];
+ kdb->key_data->key_data_type[k] = tmp_key_data.key_data_type[k];
+ kdb->key_data->key_data_length[k] = tmp_key_data.key_data_length[k];
if (tmp_key_data.key_data_contents[k]) {
- kdb.key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
- if (kdb.key_data->key_data_contents[k] == NULL) {
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
- kdb.key_data = NULL;
- kdb.n_key_data = 0;
+ kdb->key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
+ if (kdb->key_data->key_data_contents[k] == NULL) {
+ cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
+ kdb->key_data = NULL;
+ kdb->n_key_data = 0;
ret = ENOMEM;
goto done;
}
- memcpy (kdb.key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
+ memcpy (kdb->key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
free (tmp_key_data.key_data_contents[k]);
- kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(handle->context, &now);
if (ret)
* local caller implicitly has all authorization bits.
*/
if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd))
+ kdb, &last_pwd))
goto done;
if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif
-#if 0
- /*
- * Should we be checking/updating pw history here?
- */
- if(pol.pw_history_num > 1) {
- if(adb.admin_history_kvno != hist_kvno) {
- ret = KADM5_BAD_HIST_KEY;
- goto done;
- }
-
- if (ret = check_pw_reuse(handle->context,
- &hist_key,
- kdb.n_key_data, kdb.key_data,
- adb.old_key_len, adb.old_keys))
- goto done;
- }
-#endif
if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = now + pol.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
- ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+ ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
goto done;
/* unlock principal on this KDC */
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
ret = KADM5_OK;
}
}
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
if (have_pol)
kadm5_free_policy_ent(handle->lhandle, &pol);
krb5_keyblock *keyblocks,
int n_keys)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
krb5_int32 now;
kadm5_policy_ent_rec pol;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
- for (kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > kvno)
- kvno = kdb.key_data[i].key_data_kvno;
+ for (kvno = 0, i=0; i<kdb->n_key_data; i++)
+ if (kdb->key_data[i].key_data_kvno > kvno)
+ kvno = kdb->key_data[i].key_data_kvno;
if (keepold) {
- old_key_data = kdb.key_data;
- n_old_keys = kdb.n_key_data;
+ old_key_data = kdb->key_data;
+ n_old_keys = kdb->n_key_data;
} else {
- if (kdb.key_data != NULL)
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+ if (kdb->key_data != NULL)
+ cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
n_old_keys = 0;
old_key_data = NULL;
}
- kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys)
- *sizeof(krb5_key_data));
- if (kdb.key_data == NULL) {
+ kdb->key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys)
+ *sizeof(krb5_key_data));
+ if (kdb->key_data == NULL) {
ret = ENOMEM;
goto done;
}
- memset(kdb.key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data));
- kdb.n_key_data = 0;
+ memset(kdb->key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data));
+ kdb->n_key_data = 0;
for (i = 0; i < n_keys; i++) {
if (n_ks_tuple) {
}
memset (&tmp_key_data, 0, sizeof(tmp_key_data));
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
+ &act_mkey);
if (ret)
goto done;
- ret = krb5_dbekd_encrypt_key_data(handle->context,
- act_mkey,
- &keyblocks[i],
- n_ks_tuple ? &keysalt : NULL,
- kvno + 1,
- &tmp_key_data);
+ ret = krb5_dbe_encrypt_key_data(handle->context, act_mkey,
+ &keyblocks[i],
+ n_ks_tuple ? &keysalt : NULL, kvno + 1,
+ &tmp_key_data);
if (ret)
goto done;
- tptr = &kdb.key_data[i];
+ tptr = &kdb->key_data[i];
tptr->key_data_ver = tmp_key_data.key_data_ver;
tptr->key_data_kvno = tmp_key_data.key_data_kvno;
for (k = 0; k < tmp_key_data.key_data_ver; k++) {
tmp_key_data.key_data_contents[k] = NULL;
}
}
- kdb.n_key_data++;
+ kdb->n_key_data++;
}
/* copy old key data if necessary */
for (i = 0; i < n_old_keys; i++) {
- kdb.key_data[i+n_keys] = old_key_data[i];
+ kdb->key_data[i+n_keys] = old_key_data[i];
memset(&old_key_data[i], 0, sizeof (krb5_key_data));
- kdb.n_key_data++;
+ kdb->n_key_data++;
}
if (old_key_data)
krb5_db_free(handle->context, old_key_data);
- /* assert(kdb.n_key_data == n_keys + n_old_keys) */
- kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ /* assert(kdb->n_key_data == n_keys + n_old_keys) */
+ kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
if ((ret = krb5_timeofday(handle->context, &now)))
goto done;
* local caller implicitly has all authorization bits.
*/
if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd))
+ kdb, &last_pwd))
goto done;
if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
ret = KADM5_PASS_TOOSOON;
goto done;
}
#endif
-#if 0
- /*
- * Should we be checking/updating pw history here?
- */
- if (pol.pw_history_num > 1) {
- if(adb.admin_history_kvno != hist_kvno) {
- ret = KADM5_BAD_HIST_KEY;
- goto done;
- }
-
- if (ret = check_pw_reuse(handle->context,
- &hist_key,
- kdb.n_key_data, kdb.key_data,
- adb.old_key_len, adb.old_keys))
- goto done;
- }
-#endif
if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = now + pol.pw_max_life;
else
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb->pw_expiration = 0;
}
- if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)))
+ if ((ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now)))
goto done;
/* unlock principal on this KDC */
- kdb.fail_auth_count = 0;
+ kdb->fail_auth_count = 0;
- if ((ret = kdb_put_entry(handle, &kdb, &adb)))
+ if ((ret = kdb_put_entry(handle, kdb, &adb)))
goto done;
ret = KADM5_OK;
done:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
if (have_pol)
kadm5_free_policy_ent(handle->lhandle, &pol);
krb5_keyblock **keyblocks /* OUT */,
int *n_keys /* OUT */)
{
- krb5_db_entry kdb;
+ krb5_db_entry *kdb;
osa_princ_ent_rec adb;
kadm5_ret_t ret;
kadm5_server_handle_t handle = server_handle;
- krb5_keyblock *mkey_ptr;
if (keyblocks)
*keyblocks = NULL;
return(ret);
if (keyblocks) {
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(handle->context, master_princ,
- &master_keyblock, 0,
- &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(handle->context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist,
- &kdb, &mkey_ptr))) {
- goto done;
- }
- } else {
- goto done;
- }
- }
-
- ret = decrypt_key_data(handle->context, mkey_ptr,
- kdb.n_key_data, kdb.key_data,
+ ret = decrypt_key_data(handle->context,
+ kdb->n_key_data, kdb->key_data,
keyblocks, n_keys);
if (ret)
goto done;
ret = KADM5_OK;
done:
- kdb_free_entry(handle, &kdb, &adb);
+ kdb_free_entry(handle, kdb, &adb);
return ret;
}
/*
* Allocate an array of n_key_data krb5_keyblocks, fill in each
- * element with the results of decrypting the nth key in key_data with
- * mkey, and if n_keys is not NULL fill it in with the
+ * element with the results of decrypting the nth key in key_data,
+ * and if n_keys is not NULL fill it in with the
* number of keys decrypted.
*/
-static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey,
+static int decrypt_key_data(krb5_context context,
int n_key_data, krb5_key_data *key_data,
krb5_keyblock **keyblocks, int *n_keys)
{
memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
for (i = 0; i < n_key_data; i++) {
- ret = krb5_dbekd_decrypt_key_data(context, mkey,
- &key_data[i],
- &keys[i], NULL);
+ ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
+ NULL);
if (ret) {
for (; i >= 0; i--) {
if (keys[i].contents) {
/* find_mkey only uses this field */
dbent.tl_data = entry->tl_data;
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &dbent,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
+ if ((ret = krb5_dbe_find_mkey(handle->context, &dbent, &mkey_ptr))) {
/* try refreshing master key list */
/* XXX it would nice if we had the mkvno here for optimization */
if (krb5_db_fetch_mkey_list(handle->context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(handle->context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist,
- &dbent, &mkey_ptr))) {
+ &master_keyblock) == 0) {
+ if ((ret = krb5_dbe_find_mkey(handle->context, &dbent,
+ &mkey_ptr))) {
return ret;
}
} else {
}
}
- if ((ret = krb5_dbekd_decrypt_key_data(handle->context,
- mkey_ptr, key_data,
- keyblock, keysalt)))
+ if ((ret = krb5_dbe_decrypt_key_data(handle->context, NULL, key_data,
+ keyblock, keysalt)))
return ret;
/*
return KADM5_OK;
}
+
+kadm5_ret_t
+kadm5_purgekeys(void *server_handle,
+ krb5_principal principal,
+ int keepkvno)
+{
+ kadm5_server_handle_t handle = server_handle;
+ kadm5_ret_t ret;
+ krb5_db_entry *kdb;
+ osa_princ_ent_rec adb;
+ krb5_key_data *old_keydata;
+ int n_old_keydata;
+ int i, j, k;
+
+ CHECK_HANDLE(server_handle);
+
+ if (principal == NULL)
+ return EINVAL;
+
+ ret = kdb_get_entry(handle, principal, &kdb, &adb);
+ if (ret)
+ return(ret);
+
+ if (keepkvno <= 0) {
+ keepkvno = krb5_db_get_key_data_kvno(handle->context, kdb->n_key_data,
+ kdb->key_data);
+ }
+
+ old_keydata = kdb->key_data;
+ n_old_keydata = kdb->n_key_data;
+ kdb->n_key_data = 0;
+ kdb->key_data = krb5_db_alloc(handle->context, NULL,
+ n_old_keydata * sizeof(krb5_key_data));
+ if (kdb->key_data == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ memset(kdb->key_data, 0, n_old_keydata * sizeof(krb5_key_data));
+ for (i = 0, j = 0; i < n_old_keydata; i++) {
+ if (old_keydata[i].key_data_kvno < keepkvno)
+ continue;
+
+ /* Alias the key_data_contents pointers; we null them out in the
+ * source array immediately after. */
+ kdb->key_data[j] = old_keydata[i];
+ for (k = 0; k < old_keydata[i].key_data_ver; k++) {
+ old_keydata[i].key_data_contents[k] = NULL;
+ }
+ j++;
+ }
+ kdb->n_key_data = j;
+ cleanup_key_data(handle->context, n_old_keydata, old_keydata);
+
+ kdb->mask = KADM5_KEY_DATA;
+ ret = kdb_put_entry(handle, kdb, &adb);
+ if (ret)
+ goto done;
+
+done:
+ kdb_free_entry(handle, kdb, &adb);
+ return ret;
+}
+
+kadm5_ret_t
+kadm5_get_strings(void *server_handle, krb5_principal principal,
+ krb5_string_attr **strings_out, int *count_out)
+{
+ kadm5_server_handle_t handle = server_handle;
+ kadm5_ret_t ret;
+ krb5_db_entry *kdb = NULL;
+
+ *strings_out = NULL;
+ *count_out = 0;
+ CHECK_HANDLE(server_handle);
+ if (principal == NULL)
+ return EINVAL;
+
+ ret = kdb_get_entry(handle, principal, &kdb, NULL);
+ if (ret)
+ return ret;
+
+ ret = krb5_dbe_get_strings(handle->context, kdb, strings_out, count_out);
+ kdb_free_entry(handle, kdb, NULL);
+ return ret;
+}
+
+kadm5_ret_t
+kadm5_set_string(void *server_handle, krb5_principal principal,
+ const char *key, const char *value)
+{
+ kadm5_server_handle_t handle = server_handle;
+ kadm5_ret_t ret;
+ krb5_db_entry *kdb;
+ osa_princ_ent_rec adb;
+
+ CHECK_HANDLE(server_handle);
+ if (principal == NULL || key == NULL)
+ return EINVAL;
+
+ ret = kdb_get_entry(handle, principal, &kdb, &adb);
+ if (ret)
+ return ret;
+
+ ret = krb5_dbe_set_string(handle->context, kdb, key, value);
+ if (ret)
+ goto done;
+
+ kdb->mask = KADM5_TL_DATA;
+ ret = kdb_put_entry(handle, kdb, &adb);
+
+done:
+ kdb_free_entry(handle, kdb, &adb);
+ return ret;
+}