Diffstat (limited to 'usr/src/cmd/krb5')
-rw-r--r--usr/src/cmd/krb5/kadmin/cli/Makefile20
-rw-r--r--usr/src/cmd/krb5/kadmin/cli/getdate.y993
-rwxr-xr-xusr/src/cmd/krb5/kadmin/cli/k5srvutil.sh147
-rw-r--r--usr/src/cmd/krb5/kadmin/cli/kadmin.c703
-rw-r--r--usr/src/cmd/krb5/kadmin/cli/kadmin.h75
-rw-r--r--usr/src/cmd/krb5/kadmin/cli/kadmin_ct.c299
-rw-r--r--usr/src/cmd/krb5/kadmin/cli/kadmin_rmt.c51
-rw-r--r--usr/src/cmd/krb5/kadmin/cli/keytab.c174
-rw-r--r--usr/src/cmd/krb5/kadmin/cli/ss_wrapper.c53
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/Makefile4
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/dump.c1134
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/import_err.h79
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c123
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c128
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/kdb5_destroy.c55
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c100
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c186
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h74
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/nstrtok.h7
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/ovload.c358
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/string_table.c22
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/string_table.h11
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/strtok.c107
-rw-r--r--usr/src/cmd/krb5/kadmin/dbutil/util.c178
-rw-r--r--usr/src/cmd/krb5/kadmin/kpasswd/Makefile4
-rw-r--r--usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.c259
-rw-r--r--usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.h49
-rw-r--r--usr/src/cmd/krb5/kadmin/kpasswd/kpasswd_strings.h58
-rw-r--r--usr/src/cmd/krb5/kadmin/kpasswd/tty_kpasswd.c82
-rw-r--r--usr/src/cmd/krb5/kadmin/ktutil/ktutil.c323
-rw-r--r--usr/src/cmd/krb5/kadmin/ktutil/ktutil.h83
-rw-r--r--usr/src/cmd/krb5/kadmin/ktutil/ktutil_ct.c152
-rw-r--r--usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c37
-rw-r--r--usr/src/cmd/krb5/kadmin/server/ipropd_svc.c6
-rw-r--r--usr/src/cmd/krb5/kadmin/server/kadm_rpc_svc.c79
-rw-r--r--usr/src/cmd/krb5/kadmin/server/misc.c198
-rw-r--r--usr/src/cmd/krb5/kadmin/server/misc.h82
-rw-r--r--usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c119
-rw-r--r--usr/src/cmd/krb5/kadmin/server/server_glue_v1.c19
-rw-r--r--usr/src/cmd/krb5/kadmin/server/server_stubs.c1631
-rw-r--r--usr/src/cmd/krb5/kdestroy/kdestroy.c10
-rw-r--r--usr/src/cmd/krb5/kinit/kinit.c172
-rw-r--r--usr/src/cmd/krb5/klist/klist.c105
-rw-r--r--usr/src/cmd/krb5/krb5kdc/dispatch.c43
-rw-r--r--usr/src/cmd/krb5/krb5kdc/do_as_req.c98
-rw-r--r--usr/src/cmd/krb5/krb5kdc/do_tgs_req.c182
-rw-r--r--usr/src/cmd/krb5/krb5kdc/extern.h15
-rw-r--r--usr/src/cmd/krb5/krb5kdc/kdc_preauth.c360
-rw-r--r--usr/src/cmd/krb5/krb5kdc/kdc_util.c297
-rw-r--r--usr/src/cmd/krb5/krb5kdc/kdc_util.h24
-rw-r--r--usr/src/cmd/krb5/krb5kdc/main.c298
-rw-r--r--usr/src/cmd/krb5/krb5kdc/network.c73
-rw-r--r--usr/src/cmd/krb5/krb5kdc/policy.c16
-rw-r--r--usr/src/cmd/krb5/krb5kdc/replay.c31
-rw-r--r--usr/src/cmd/krb5/slave/kprop.c211
-rw-r--r--usr/src/cmd/krb5/slave/kprop.h17
-rw-r--r--usr/src/cmd/krb5/slave/kpropd.c269
57 files changed, 5483 insertions, 5000 deletions
diff --git a/usr/src/cmd/krb5/kadmin/cli/Makefile b/usr/src/cmd/krb5/kadmin/cli/Makefile
index 27ce1e9842..ecc77bed36 100644
--- a/usr/src/cmd/krb5/kadmin/cli/Makefile
+++ b/usr/src/cmd/krb5/kadmin/cli/Makefile
@@ -1,11 +1,15 @@
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
#
PROG= kadmin kadmin.local
+SHFILES= k5srvutil
+CLOBBERFILES= $(SHFILES)
+
+KRB5SBINSHFILES= $(SHFILES:%=$(KRB5SBIN)/%)
COMMON_OBJS = kadmin.o kadmin_ct.o ss_wrapper.o getdate.o keytab.o
RMT_OBJS= $(COMMON_OBJS) kadmin_rmt.o
@@ -16,8 +20,8 @@ SRCS = $(OBJS:.o=.c)
include ../../../Makefile.cmd
include $(SRC)/lib/gss_mechs/mech_krb5/Makefile.mech_krb5
-POFILE = kadmin.po
-POFILES = generic.po
+POFILE = generic.po
+POFILES = kadmin.po k5srvutil.po
DEFS = -DHAVE_LIBSOCKET=1 -DHAVE_LIBNSL=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TIMEB_H=1 \
-DHAVE_ALLOCA_H=1 -DHAVE_FTIME=1 -DHAVE_TIMEZONE
@@ -43,7 +47,7 @@ kadmin.local:= DEFS += -D_KADMIN_LOCAL_
.KEEP_STATE:
-all: $(PROG)
+all: $(PROG) $(SHFILES)
kadmin: $(RMT_OBJS)
$(LINK.c) $(RMT_OBJS) -o $@ $(CLLIBS)
@@ -53,7 +57,11 @@ kadmin.local: $(LOC_OBJS)
$(LINK.c) $(LOC_OBJS) -o $@ $(SRVLIBS)
$(POST_PROCESS)
-install: $(KRB5SBINPROG)
+$(SHFILES): $(SHFILES).sh
+ $(RM) $(SHFILES)
+ $(CP) $(SHFILES).sh $(SHFILES)
+
+install: $(KRB5SBINPROG) $(KRB5SBINSHFILES)
clean:
$(RM) $(OBJS)
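Review bot: The new `$(SHFILES): $(SHFILES).sh` rule only works while SHFILES holds exactly one name; as soon as a second script is added the target expands to two targets and the prerequisite to a single mangled name, so the rule breaks silently, while the install line beside it already treats SHFILES as a list through `$(SHFILES:%=$(KRB5SBIN)/%)`. A pattern rule keeps both in step: `%: %.sh` / `$(RM) $@` / `$(CP) $< $@`. Note too that the copy relies on `$(CP)` carrying the source's execute bit across (the diffstat lists k5srvutil.sh as -rwxr-xr-x); if that bit is ever lost in the repo the installed tool stops being runnable without any build error.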
@@ -66,7 +74,7 @@ $(POFILE): $(DERIVED_FILES) .WAIT $(POFILES)
$(RM) $@
$(CAT) $(POFILES) > $@
-generic.po: FRC
+kadmin.po: FRC
$(RM) messages.po
$(XGETTEXT) $(XGETFLAGS) `$(GREP) -l gettext *.[ch]`
$(SED) "/^domain/d" messages.po > $@
diff --git a/usr/src/cmd/krb5/kadmin/cli/getdate.y b/usr/src/cmd/krb5/kadmin/cli/getdate.y
index 1bf9a15a72..cb16a86cc2 100644
--- a/usr/src/cmd/krb5/kadmin/cli/getdate.y
+++ b/usr/src/cmd/krb5/kadmin/cli/getdate.y
@@ -18,30 +18,28 @@
%{
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
- * Originally written by Steven M. Bellovin <smb@research.att.com> while
- * at the University of North Carolina at Chapel Hill. Later tweaked by
- * a couple of people on Usenet. Completely overhauled by Rich $alz
- * <rsalz@bbn.com> and Jim Berets <jberets@bbn.com> in August, 1990;
- * send any email to Rich.
- *
- * This grammar has nine shift/reduce conflicts.
- *
- * This code is in the public domain and has no copyright.
- */
-
-/* SUPPRESS 287 on yaccpar_sccsid */ /* Unusd static variable */
-
-/* SUPPRESS 288 on yyerrlab */ /* Label unused */
+** Originally written by Steven M. Bellovin <smb@research.att.com> while
+** at the University of North Carolina at Chapel Hill. Later tweaked by
+** a couple of people on Usenet. Completely overhauled by Rich $alz
+** <rsalz@bbn.com> and Jim Berets <jberets@bbn.com> in August, 1990;
+** send any email to Rich.
+**
+** This grammar has nine shift/reduce conflicts.
+**
+** This code is in the public domain and has no copyright.
+*/
+/* SUPPRESS 287 on yaccpar_sccsid *//* Unusd static variable */
+/* SUPPRESS 288 on yyerrlab *//* Label unused */
#ifdef HAVE_CONFIG_H
-#if defined(emacs) || defined(CONFIG_BROKETS)
+#if defined (emacs) || defined (CONFIG_BROKETS)
#include <config.h>
#else
#include "config.h"
@@ -49,37 +47,32 @@
#endif
#include <string.h>
-/*
- * Since the code of getdate.y is not included in the Emacs executable
- * itself, there is no need to #define static in this file. Even if
- * the code were included in the Emacs executable, it probably
- * wouldn't do any harm to #undef it here; this will only cause
- * problems if we try to write to a static variable, which I don't
- * think this code needs to do.
- */
-
+/* Since the code of getdate.y is not included in the Emacs executable
+ itself, there is no need to #define static in this file. Even if
+ the code were included in the Emacs executable, it probably
+ wouldn't do any harm to #undef it here; this will only cause
+ problems if we try to write to a static variable, which I don't
+ think this code needs to do. */
#ifdef emacs
#undef static
#endif
-/*
- * The following block of alloca-related preprocessor directives is here
- * solely to allow compilation by non GNU-C compilers of the C parser
- * produced from this file by old versions of bison. Newer versions of
- * bison include a block similar to this one in bison.simple.
- */
+/* The following block of alloca-related preprocessor directives is here
+ solely to allow compilation by non GNU-C compilers of the C parser
+ produced from this file by old versions of bison. Newer versions of
+ bison include a block similar to this one in bison.simple. */
#ifdef __GNUC__
#undef alloca
-#define alloca __builtin_alloca
+#define alloca __builtin_alloca
#else
#ifdef HAVE_ALLOCA_H
#include <alloca.h>
#else
#ifdef _AIX /* for Bison */
-#pragma alloca
+ #pragma alloca
#else
-void *alloca();
+void *alloca ();
#endif
#endif
#endif
@@ -87,12 +80,14 @@ void *alloca();
#include <stdio.h>
#include <ctype.h>
-/*
- * The code at the top of get_date which figures out the offset of the
- * current time zone checks various CPP symbols to see if special
- * tricks are need, but defaults to using the gettimeofday system call.
- * Include <sys/time.h> if that will be used.
- */
+#if defined(HAVE_STDLIB_H)
+#include <stdlib.h>
+#endif
+
+/* The code at the top of get_date which figures out the offset of the
+ current time zone checks various CPP symbols to see if special
+ tricks are need, but defaults to using the gettimeofday system call.
+ Include <sys/time.h> if that will be used. */
#if defined(vms)
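Review bot: The new `#include <stdlib.h>` is guarded by `HAVE_STDLIB_H`, but the DEFS line in this commit's Makefile hunk (`-DHAVE_LIBSOCKET=1 ... -DHAVE_TIMEZONE`) does not define it, so unless it is set somewhere the hunks do not show, the header is never pulled in and `abort ()` in the default branch of ToSeconds (the `@@ -610,34 +593,38 @@` hunk) remains implicitly declared. Either add `-DHAVE_STDLIB_H=1` to DEFS or drop the guard and include it unconditionally, e.g. `#include <stdlib.h>`, which is consistent with the file already assuming `<alloca.h>` is available via DEFS.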
@@ -119,10 +114,10 @@ void *alloca();
#endif
/*
- * We use the obsolete `struct my_timeb' as part of our interface!
- * Since the system doesn't have it, we define it here;
- * our callers must do likewise.
- */
+** We use the obsolete `struct my_timeb' as part of our interface!
+** Since the system doesn't have it, we define it here;
+** our callers must do likewise.
+*/
struct my_timeb {
time_t time; /* Seconds since the epoch */
unsigned short millitm; /* Field not used */
@@ -131,18 +126,15 @@ struct my_timeb {
};
#endif /* defined(vms) */
-#if defined(STDC_HEADERS) || defined(USG)
+#if defined (STDC_HEADERS) || defined (USG)
#include <string.h>
#endif
-/*
- * Some old versions of bison generate parsers that use bcopy.
- * That loses on systems that don't provide the function, so we have
- * to redefine it here.
- */
-
-#if !defined(HAVE_BCOPY) && defined(HAVE_MEMCPY) && !defined(bcopy)
-#define bcopy(from, to, len) memcpy((to), (from), (len))
+/* Some old versions of bison generate parsers that use bcopy.
+ That loses on systems that don't provide the function, so we have
+ to redefine it here. */
+#ifndef bcopy
+#define bcopy(from, to, len) memcpy ((to), (from), (len))
#endif
/*
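Review bot: The new `#ifndef bcopy` guard defines `bcopy` as a `memcpy` wrapper on every build that lacks a bcopy macro, whereas the removed guard only did so when the platform had no bcopy at all (`!defined(HAVE_BCOPY)`). bcopy is specified to handle overlapping source and destination while memcpy is not, so any generated parser code that relies on that (the comment above says the macro exists for old bison parsers) would now be an undefined-behaviour overlap on a system that does provide bcopy. If the macro has to stay, map it to the overlap-safe call instead: `#define bcopy(from, to, len) memmove ((to), (from), (len))`.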
@@ -179,28 +171,23 @@ GETTEXT(const char *msgid)
extern struct tm *gmtime();
extern struct tm *localtime();
-#define yyparse getdate_yyparse
-#define yylex getdate_yylex
-#define yyerror getdate_yyerror
+#define yyparse getdate_yyparse
+#define yylex getdate_yylex
+#define yyerror getdate_yyerror
-static int yylex();
-static int yyerror();
+static int getdate_yylex (void);
+static int getdate_yyerror (char *);
-#if !defined(lint) && !defined(SABER)
-static char RCS[] =
- "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/kadmin/cli/getdate.y,v 1.9 1996/10/18 17:48:04 bjaspan Exp $";
-#endif /* !defined(lint) && !defined(SABER) */
-
-#define EPOCH 1970
+#define EPOCH 1970
#define EPOCH_END 2099 /* Solaris 64 bit can support this at this point */
-#define HOUR(x) ((time_t)(x) * 60)
-#define SECSPERDAY (24L * 60L * 60L)
+#define HOUR(x) ((time_t)(x) * 60)
+#define SECSPERDAY (24L * 60L * 60L)
/*
- * An entry in the lexical lookup table.
- */
+** An entry in the lexical lookup table.
+*/
typedef struct _TABLE {
char *name;
int type;
@@ -209,26 +196,26 @@ typedef struct _TABLE {
/*
- * Daylight-savings mode: on, off, or not yet known.
- */
+** Daylight-savings mode: on, off, or not yet known.
+*/
typedef enum _DSTMODE {
DSTon, DSToff, DSTmaybe
} DSTMODE;
/*
- * Meridian: am, pm, or 24-hour style.
- */
+** Meridian: am, pm, or 24-hour style.
+*/
typedef enum _MERIDIAN {
MERam, MERpm, MER24
} MERIDIAN;
/*
- * Global variables. We could get rid of most of these by using a good
- * union as the yacc stack. (This routine was originally written before
- * yacc had the %union construct.) Maybe someday; right now we only use
- * the %union very rarely.
- */
+** Global variables. We could get rid of most of these by using a good
+** union as the yacc stack. (This routine was originally written before
+** yacc had the %union construct.) Maybe someday; right now we only use
+** the %union very rarely.
+*/
static char *yyInput;
static DSTMODE yyDSTmode;
static time_t yyDayOrdinal;
@@ -267,7 +254,7 @@ static time_t yyRelSeconds;
spec : /* NULL */
| spec item
- | tNEVER {
+ | tNEVER {
yyYear = 1970;
yyMonth = 1;
yyDay = 1;
@@ -275,7 +262,7 @@ spec : /* NULL */
yyDSTmode = DSToff;
yyTimezone = 0; /* gmt */
yyHaveDate++;
- }
+ }
;
item : time {
@@ -339,7 +326,7 @@ zone : tZONE {
yyDSTmode = DSTon;
}
|
- tZONE tDST {
+ tZONE tDST {
yyTimezone = $1;
yyDSTmode = DSTon;
}
@@ -519,20 +506,18 @@ static TABLE const OtherTable[] = {
/* The timezone table. */
/* Some of these are commented out because a time_t can't store a float. */
static TABLE const TimezoneTable[] = {
- { gettext("gmt"), tZONE, HOUR(0) }, /* Greenwich Mean */
- { gettext("ut"), tZONE, HOUR(0) }, /* Universal (Coordinated) */
- { gettext("utc"), tZONE, HOUR(0) },
- { gettext("wet"), tZONE, HOUR(0) }, /* Western European */
- { gettext("bst"), tDAYZONE, HOUR(0) }, /* British Summer */
- { gettext("wat"), tZONE, HOUR(1) }, /* West Africa */
- { gettext("at"), tZONE, HOUR(2) }, /* Azores */
+ { gettext("gmt"), tZONE, HOUR( 0) }, /* Greenwich Mean */
+ { gettext("ut"), tZONE, HOUR( 0) }, /* Universal (Coordinated) */
+ { gettext("utc"), tZONE, HOUR( 0) },
+ { gettext("wet"), tZONE, HOUR( 0) }, /* Western European */
+ { gettext("bst"), tDAYZONE, HOUR( 0) }, /* British Summer */
+ { gettext("wat"), tZONE, HOUR( 1) }, /* West Africa */
+ { gettext("at"), tZONE, HOUR( 2) }, /* Azores */
#if 0
- /*
- * For completeness. BST is also British Summer, and GST is
- * also Guam Standard.
- */
- { gettext("bst"), tZONE, HOUR( 3) }, /* Brazil Standard */
- { gettext("gst"), tZONE, HOUR( 3) }, /* Greenland Standard */
+ /* For completeness. BST is also British Summer, and GST is
+ * also Guam Standard. */
+ { gettext("bst"), tZONE, HOUR( 3) }, /* Brazil Standard */
+ { gettext("gst"), tZONE, HOUR( 3) }, /* Greenland Standard */
#endif
#if 0
{ gettext("nft"), tZONE, HOUR(3.5) }, /* Newfoundland */
@@ -577,12 +562,10 @@ static TABLE const TimezoneTable[] = {
#endif
{ gettext("zp6"), tZONE, -HOUR(6) }, /* USSR Zone 5 */
#if 0
- /*
- * For completeness. NST is also Newfoundland Stanard, and SST is
- * also Swedish Summer.
- */
- { gettext("nst"), tZONE, -HOUR(6.5) },/* North Sumatra */
- { gettext("sst"), tZONE, -HOUR(7) }, /* South Sumatra, USSR Zone 6 */
+ /* For completeness. NST is also Newfoundland Stanard, and SST is
+ * also Swedish Summer. */
+ { gettext("nst"), tZONE, -HOUR(6.5) },/* North Sumatra */
+ { gettext("sst"), tZONE, -HOUR(7) }, /* South Sumatra, USSR Zone 6 */
#endif /* 0 */
{ gettext("wast"), tZONE, -HOUR(7) }, /* West Australian Standard */
{ gettext("wadt"), tDAYZONE, -HOUR(7) }, /* West Australian Daylight */
@@ -610,34 +593,38 @@ static TABLE const TimezoneTable[] = {
/* ARGSUSED */
static int
yyerror(s)
-char *s;
+ char *s;
{
- return (0);
+ return 0;
}
static time_t
-ToSeconds(time_t Hours, time_t Minutes, time_t Seconds, MERIDIAN Meridian)
+ToSeconds(Hours, Minutes, Seconds, Meridian)
+ time_t Hours;
+ time_t Minutes;
+ time_t Seconds;
+ MERIDIAN Meridian;
{
- if (Minutes < 0 || Minutes > 59 || Seconds < 0 || Seconds > 59)
- return (-1);
- switch (Meridian) {
- case MER24:
- if (Hours < 0 || Hours > 23)
- return (-1);
- return (Hours * 60L + Minutes) * 60L + Seconds;
- case MERam:
- if (Hours < 1 || Hours > 12)
- return (-1);
- return (Hours * 60L + Minutes) * 60L + Seconds;
- case MERpm:
- if (Hours < 1 || Hours > 12)
- return (-1);
- return ((Hours + 12) * 60L + Minutes) * 60L + Seconds;
- default:
- abort ();
- }
- /* NO TREACHED */
+ if (Minutes < 0 || Minutes > 59 || Seconds < 0 || Seconds > 59)
+ return -1;
+ switch (Meridian) {
+ case MER24:
+ if (Hours < 0 || Hours > 23)
+ return -1;
+ return (Hours * 60L + Minutes) * 60L + Seconds;
+ case MERam:
+ if (Hours < 1 || Hours > 12)
+ return -1;
+ return (Hours * 60L + Minutes) * 60L + Seconds;
+ case MERpm:
+ if (Hours < 1 || Hours > 12)
+ return -1;
+ return ((Hours + 12) * 60L + Minutes) * 60L + Seconds;
+ default:
+ abort ();
+ }
+ /* NOTREACHED */
}
/*
@@ -645,452 +632,460 @@ ToSeconds(time_t Hours, time_t Minutes, time_t Seconds, MERIDIAN Meridian)
* of seconds since 00:00:00 1/1/70 GMT.
*/
static time_t
-Convert(time_t Month, time_t Day, time_t Year, time_t Hours,
- time_t Minutes, time_t Seconds, MERIDIAN Meridian, DSTMODE DSTmode)
+Convert(Month, Day, Year, Hours, Minutes, Seconds, Meridian, DSTmode)
+ time_t Month;
+ time_t Day;
+ time_t Year;
+ time_t Hours;
+ time_t Minutes;
+ time_t Seconds;
+ MERIDIAN Meridian;
+ DSTMODE DSTmode;
{
- static int DaysInMonth[12] = {
- 31, 0, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
- };
- time_t tod;
- time_t Julian;
- int i;
-
- if (Year < 0)
- Year = -Year;
- if (Year < 1900)
- Year += 1900;
- DaysInMonth[1] = Year % 4 == 0 && (Year % 100 != 0 || Year % 400 == 0)
- ? 29 : 28;
- if (Year < EPOCH || Year > EPOCH_END || Month < 1 || Month > 12
- /* Lint fluff: " conversion from long may lose accuracy" */
- || Day < 1 || Day > DaysInMonth[(int)--Month])
- return (-1);
-
- for (Julian = Day - 1, i = 0; i < Month; i++)
- Julian += DaysInMonth[i];
- for (i = EPOCH; i < Year; i++)
- Julian += 365 + ((i % 4 == 0) && ((Year % 100 != 0) ||
- (Year % 400 == 0)));
- Julian *= SECSPERDAY;
- Julian += yyTimezone * 60L;
- if ((tod = ToSeconds(Hours, Minutes, Seconds, Meridian)) < 0)
- return (-1);
- Julian += tod;
-
- if (DSTmode == DSTon
- || (DSTmode == DSTmaybe && localtime(&Julian)->tm_isdst))
- Julian -= 60 * 60;
-
- return (Julian);
+ static int DaysInMonth[12] = {
+ 31, 0, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
+ };
+ time_t tod;
+ time_t Julian;
+ int i;
+
+ if (Year < 0)
+ Year = -Year;
+ if (Year < 1900)
+ Year += 1900;
+ DaysInMonth[1] = Year % 4 == 0 && (Year % 100 != 0 || Year % 400 == 0)
+ ? 29 : 28;
+ if (Year < EPOCH
+ || Year > EPOCH_END
+ || Month < 1 || Month > 12
+ /* Lint fluff: "conversion from long may lose accuracy" */
+ || Day < 1 || Day > DaysInMonth[(int)--Month])
+ return -1;
+
+ for (Julian = Day - 1, i = 0; i < Month; i++)
+ Julian += DaysInMonth[i];
+ for (i = EPOCH; i < Year; i++)
+ Julian += 365 + ((i % 4 == 0) && ((Year % 100 != 0) ||
+ (Year % 400 == 0)));
+ Julian *= SECSPERDAY;
+ Julian += yyTimezone * 60L;
+ if ((tod = ToSeconds(Hours, Minutes, Seconds, Meridian)) < 0)
+ return -1;
+ Julian += tod;
+ if (DSTmode == DSTon
+ || (DSTmode == DSTmaybe && localtime(&Julian)->tm_isdst))
+ Julian -= 60 * 60;
+ return Julian;
}
static time_t
DSTcorrect(Start, Future)
-time_t Start;
-time_t Future;
+ time_t Start;
+ time_t Future;
{
- time_t StartDay;
- time_t FutureDay;
+ time_t StartDay;
+ time_t FutureDay;
- StartDay = (localtime(&Start)->tm_hour + 1) % 24;
- FutureDay = (localtime(&Future)->tm_hour + 1) % 24;
- return (Future - Start) + (StartDay - FutureDay) * 60L * 60L;
+ StartDay = (localtime(&Start)->tm_hour + 1) % 24;
+ FutureDay = (localtime(&Future)->tm_hour + 1) % 24;
+ return (Future - Start) + (StartDay - FutureDay) * 60L * 60L;
}
static time_t
RelativeDate(Start, DayOrdinal, DayNumber)
-time_t Start;
-time_t DayOrdinal;
-time_t DayNumber;
+ time_t Start;
+ time_t DayOrdinal;
+ time_t DayNumber;
{
- struct tm *tm;
- time_t now;
-
- now = Start;
- tm = localtime(&now);
- now += SECSPERDAY * ((DayNumber - tm->tm_wday + 7) % 7);
- now += 7 * SECSPERDAY * (DayOrdinal <= 0 ? DayOrdinal : DayOrdinal - 1);
-
- return (DSTcorrect(Start, now));
+ struct tm *tm;
+ time_t now;
+
+ now = Start;
+ tm = localtime(&now);
+ now += SECSPERDAY * ((DayNumber - tm->tm_wday + 7) % 7);
+ now += 7 * SECSPERDAY * (DayOrdinal <= 0 ? DayOrdinal : DayOrdinal - 1);
+ return DSTcorrect(Start, now);
}
static time_t
-RelativeMonth(time_t Start, time_t RelMonth)
+RelativeMonth(Start, RelMonth)
+ time_t Start;
+ time_t RelMonth;
{
- struct tm *tm;
- time_t Month;
- time_t Year;
- time_t ret;
-
- if (RelMonth == 0)
- return (0);
- tm = localtime(&Start);
- Month = 12 * tm->tm_year + tm->tm_mon + RelMonth;
- Year = Month / 12;
- Month = Month % 12 + 1;
+ struct tm *tm;
+ time_t Month;
+ time_t Year;
+ time_t ret;
+
+ if (RelMonth == 0)
+ return 0;
+ tm = localtime(&Start);
+ Month = 12 * tm->tm_year + tm->tm_mon + RelMonth;
+ Year = Month / 12;
+ Month = Month % 12 + 1;
ret = Convert(Month, (time_t)tm->tm_mday, Year,
- (time_t)tm->tm_hour, (time_t)tm->tm_min, (time_t)tm->tm_sec,
- MER24, DSTmaybe);
+ (time_t)tm->tm_hour, (time_t)tm->tm_min, (time_t)tm->tm_sec,
+ MER24, DSTmaybe);
if (ret == -1)
- return ret;
+ return ret;
return DSTcorrect(Start, ret);
}
static int
-LookupWord(char *buff)
+LookupWord(buff)
+ char *buff;
{
- register char *p;
- register char *q;
- register const TABLE *tp;
- int i;
- int abbrev;
-
- /* Make it lowercase. */
- for (p = buff; *p; p++)
- if (isupper(*p))
- *p = tolower(*p);
-
- if (strcmp(buff, gettext("am")) == 0 ||
- strcmp(buff, gettext("a.m.")) == 0) {
- yylval.Meridian = MERam;
- return (tMERIDIAN);
- }
- if (strcmp(buff, gettext("pm")) == 0 ||
+ register char *p;
+ register char *q;
+ register const TABLE *tp;
+ int i;
+ int abbrev;
+
+ /* Make it lowercase. */
+ for (p = buff; *p; p++)
+ if (isupper((int) *p))
+ *p = tolower((int) *p);
+
+ if (strcmp(buff, gettext("am")) == 0 || strcmp(buff, gettext("a.m.")) == 0) {
+ yylval.Meridian = MERam;
+ return tMERIDIAN;
+ }
+ if (strcmp(buff, gettext("pm")) == 0 ||
strcmp(buff, gettext("p.m.")) == 0) {
- yylval.Meridian = MERpm;
- return (tMERIDIAN);
+ yylval.Meridian = MERpm;
+ return tMERIDIAN;
+ }
+
+ /* See if we have an abbreviation for a month. */
+ if (strlen(buff) == 3)
+ abbrev = 1;
+ else if (strlen(buff) == 4 && buff[3] == '.') {
+ abbrev = 1;
+ buff[3] = '\0';
+ }
+ else
+ abbrev = 0;
+
+ for (tp = MonthDayTable; tp->name; tp++) {
+ if (abbrev) {
+ if (strncmp(buff, GETTEXT(tp->name), 3) == 0) {
+ yylval.Number = tp->value;
+ return tp->type;
+ }
}
-
- /* See if we have an abbreviation for a month. */
- if (strlen(buff) == 3)
- abbrev = 1;
- else if (strlen(buff) == 4 && buff[3] == '.') {
- abbrev = 1;
- buff[3] = '\0';
- }
- else
- abbrev = 0;
-
- for (tp = MonthDayTable; tp->name; tp++) {
- if (abbrev) {
- if (strncmp(buff, GETTEXT(tp->name), 3) == 0) {
- yylval.Number = tp->value;
- return (tp->type);
- }
- }
- else if (strcmp(buff, GETTEXT(tp->name)) == 0) {
- yylval.Number = tp->value;
- return (tp->type);
- }
+ else if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+ yylval.Number = tp->value;
+ return tp->type;
}
+ }
- for (tp = TimezoneTable; tp->name; tp++)
- if (strcmp(buff, GETTEXT(tp->name)) == 0) {
- yylval.Number = tp->value;
- return (tp->type);
- }
+ for (tp = TimezoneTable; tp->name; tp++)
+ if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+ yylval.Number = tp->value;
+ return tp->type;
+ }
- if (strcmp(buff, gettext("dst")) == 0)
- return (tDST);
+ if (strcmp(buff, gettext("dst")) == 0)
+ return tDST;
- for (tp = UnitsTable; tp->name; tp++)
- if (strcmp(buff, GETTEXT(tp->name)) == 0) {
- yylval.Number = tp->value;
- return (tp->type);
- }
+ for (tp = UnitsTable; tp->name; tp++)
+ if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+ yylval.Number = tp->value;
+ return tp->type;
+ }
/* Strip off any plural and try the units table again. */
- i = strlen(buff) - 1;
- if (buff[i] == 's') {
- buff[i] = '\0';
- for (tp = UnitsTable; tp->name; tp++)
- if (strcmp(buff, GETTEXT(tp->name)) == 0) {
- yylval.Number = tp->value;
- return (tp->type);
- }
- buff[i] = 's'; /* Put back for "this" in OtherTable. */
+ i = strlen(buff) - 1;
+ if (buff[i] == 's') {
+ buff[i] = '\0';
+ for (tp = UnitsTable; tp->name; tp++)
+ if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+ yylval.Number = tp->value;
+ return tp->type;
+ }
+ buff[i] = 's'; /* Put back for "this" in OtherTable. */
+ }
+
+ for (tp = OtherTable; tp->name; tp++)
+ if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+ yylval.Number = tp->value;
+ return tp->type;
}
- for (tp = OtherTable; tp->name; tp++)
- if (strcmp(buff, GETTEXT(tp->name)) == 0) {
- yylval.Number = tp->value;
- return (tp->type);
- }
-
- /* Drop out any periods and try the timezone table again. */
- for (i = 0, p = q = buff; *q; q++)
- if (*q != '.')
- *p++ = *q;
- else
- i++;
- *p = '\0';
- if (i)
- for (tp = TimezoneTable; tp->name; tp++)
- if (strcmp(buff, GETTEXT(tp->name)) == 0) {
- yylval.Number = tp->value;
- return (tp->type);
- }
-
- return (tID);
+ /* Drop out any periods and try the timezone table again. */
+ for (i = 0, p = q = buff; *q; q++)
+ if (*q != '.')
+ *p++ = *q;
+ else
+ i++;
+ *p = '\0';
+ if (i)
+ for (tp = TimezoneTable; tp->name; tp++)
+ if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+ yylval.Number = tp->value;
+ return tp->type;
+ }
+
+ return tID;
}
static int
yylex()
{
- register char c;
- register char *p;
- char buff[20];
- int Count;
- int sign;
-
- for ( ; ; ) {
- while (isspace(*yyInput))
- yyInput++;
-
- if (isdigit(c = *yyInput) || c == '-' || c == '+') {
- if (c == '-' || c == '+') {
- sign = c == '-' ? -1 : 1;
- if (!isdigit(*++yyInput))
- /* skip the '-' sign */
- continue;
- }
- else
- sign = 0;
- for (yylval.Number = 0; isdigit(c = *yyInput++); )
- yylval.Number = 10 * yylval.Number + c - '0';
- yyInput--;
- if (sign < 0)
- yylval.Number = -yylval.Number;
- return (sign ? tSNUMBER : tUNUMBER);
- }
- if (isalpha(c)) {
- for (p = buff; isalpha(c = *yyInput++) || c == '.'; )
- if (p < &buff[sizeof buff - 1])
- *p++ = c;
- *p = '\0';
- yyInput--;
- return (LookupWord(buff));
- }
- if (c != '(')
- return (*yyInput++);
- Count = 0;
- do {
- c = *yyInput++;
- if (c == '\0')
- return (c);
- if (c == '(')
- Count++;
- else if (c == ')')
- Count--;
- } while (Count > 0);
+ register char c;
+ register char *p;
+ char buff[20];
+ int Count;
+ int sign;
+
+ for ( ; ; ) {
+ while (isspace((int) *yyInput))
+ yyInput++;
+
+ c = *yyInput;
+ if (isdigit((int) c) || c == '-' || c == '+') {
+ if (c == '-' || c == '+') {
+ sign = c == '-' ? -1 : 1;
+ if (!isdigit((int) (*++yyInput)))
+ /* skip the '-' sign */
+ continue;
+ }
+ else
+ sign = 0;
+ for (yylval.Number = 0; isdigit((int) (c = *yyInput++)); )
+ yylval.Number = 10 * yylval.Number + c - '0';
+ yyInput--;
+ if (sign < 0)
+ yylval.Number = -yylval.Number;
+ return sign ? tSNUMBER : tUNUMBER;
}
+ if (isalpha((int) c)) {
+ for (p = buff; isalpha((int) (c = *yyInput++)) || c == '.'; )
+ if (p < &buff[sizeof buff - 1])
+ *p++ = c;
+ *p = '\0';
+ yyInput--;
+ return LookupWord(buff);
+ }
+ if (c != '(')
+ return *yyInput++;
+ Count = 0;
+ do {
+ c = *yyInput++;
+ if (c == '\0')
+ return c;
+ if (c == '(')
+ Count++;
+ else if (c == ')')
+ Count--;
+ } while (Count > 0);
+ }
}
-#define TM_YEAR_ORIGIN 1900
+#define TM_YEAR_ORIGIN 1900
/* Yield A - B, measured in seconds. */
static time_t
-difftm(struct tm *a, struct tm *b)
+difftm(a, b)
+ struct tm *a, *b;
{
- int ay = a->tm_year + (TM_YEAR_ORIGIN - 1);
- int by = b->tm_year + (TM_YEAR_ORIGIN - 1);
- return ((((
- /* difference in day of year */
- a->tm_yday - b->tm_yday
- /* + intervening leap days */
- + ((ay >> 2) - (by >> 2))
- - (ay/100 - by/100)
- + ((ay/100 >> 2) - (by/100 >> 2))
- /* + difference in years * 365 */
- + (time_t)(ay-by) * 365
- )*24 + (a->tm_hour - b->tm_hour)
- )*60 + (a->tm_min - b->tm_min)
- )*60 + (a->tm_sec - b->tm_sec));
+ int ay = a->tm_year + (TM_YEAR_ORIGIN - 1);
+ int by = b->tm_year + (TM_YEAR_ORIGIN - 1);
+ return
+ (
+ (
+ (
+ /* difference in day of year */
+ a->tm_yday - b->tm_yday
+ /* + intervening leap days */
+ + ((ay >> 2) - (by >> 2))
+ - (ay/100 - by/100)
+ + ((ay/100 >> 2) - (by/100 >> 2))
+ /* + difference in years * 365 */
+ + (time_t)(ay-by) * 365
+ )*24 + (a->tm_hour - b->tm_hour)
+ )*60 + (a->tm_min - b->tm_min)
+ )*60 + (a->tm_sec - b->tm_sec);
}
+/* For get_date extern declaration compatibility check... yuck. */
+#include <krb5.h>
+#include "kadmin.h"
+
time_t
-get_date(char *p, struct my_timeb *now)
+get_date(p)
+ char *p;
{
- struct tm *tm, gmt;
- struct my_timeb ftz;
- time_t Start;
- time_t tod;
+ struct my_timeb *now = NULL;
+ struct tm *tm, gmt;
+ struct my_timeb ftz;
+ time_t Start;
+ time_t tod;
time_t delta;
- yyInput = p;
- if (now == NULL) {
- now = &ftz;
-
- ftz.time = time((time_t *) 0);
-
- if (! (tm = gmtime (&ftz.time)))
- return (-1);
- gmt = *tm; /* Make a copy, in case localtime modifies *tm. */
- ftz.timezone = difftm (&gmt, localtime (&ftz.time)) / 60;
- }
-
- tm = localtime(&now->time);
- yyYear = tm->tm_year;
- yyMonth = tm->tm_mon + 1;
- yyDay = tm->tm_mday;
- yyTimezone = now->timezone;
-
- /*
- * Since the logic later depends on the yyTimezone being the difference
- * between gmt and local time, non daylight savings time, we need to
- * correct the difference if local time is daylight savings time.
- */
-
- if ((tm->tm_isdst > 0) && (yyTimezone > 0))
- yyTimezone += 60;
- else if ((tm->tm_isdst > 0) && (yyTimezone < 0))
- yyTimezone -= 60;
- yyDSTmode = DSTmaybe;
- yyHour = 0;
- yyMinutes = 0;
- yySeconds = 0;
- yyMeridian = MER24;
- yyRelSeconds = 0;
- yyRelMonth = 0;
- yyHaveDate = 0;
- yyHaveDay = 0;
- yyHaveRel = 0;
- yyHaveTime = 0;
- yyHaveZone = 0;
-
- /*
- * When yyparse returns, zero or more of yyHave{Time,Zone,Date,Day,Rel}
- * will have been incremented. The value is number of items of
- * that type that were found; for all but Rel, more than one is
- * illegal.
- *
- * For each yyHave indicator, the following values are set:
- *
- * yyHaveTime:
- * yyHour, yyMinutes, yySeconds: hh:mm:ss specified, initialized
- * to zeros above
- * yyMeridian: MERam, MERpm, or MER24
- * yyTimeZone: time zone specified in minutes
- * yyDSTmode: DSToff if yyTimeZone is set, otherwise unchanged
- * (initialized above to DSTmaybe)
- *
- * yyHaveZone:
- * yyTimezone: as above
- * yyDSTmode: DSToff if a non-DST zone is specified, otherwise DSTon
- * XXX don't understand interaction with yyHaveTime zone info
- *
- * yyHaveDay:
- * yyDayNumber: 0-6 for Sunday-Saturday
- * yyDayOrdinal: val specified with day ("second monday",
- * Ordinal=2), otherwise 1
- *
- * yyHaveDate:
- * yyMonth, yyDay, yyYear: mm/dd/yy specified, initialized to
- * today above
- *
- * yyHaveRel:
- * yyRelSeconds: seconds specified with MINUTE_UNITs ("3 hours") or
- * SEC_UNITs ("30 seconds")
- * yyRelMonth: months specified with MONTH_UNITs ("3 months", "1
- * year")
- *
- * The code following yyparse turns these values into a single
- * date stamp.
- */
- if (yyparse() || yyHaveTime > 1 || yyHaveZone > 1 ||
- yyHaveDate > 1 || yyHaveDay > 1)
- return (-1);
-
- /*
- * If an absolute time specified, set Start to the equivalent Unix
- * timestamp. Otherwise, set Start to now, and if we do not have
- * a relatime time (ie: only yyHaveZone), decrement Start to the
- * beginning of today.
- *
- * By having yyHaveDay in the "absolute" list, "next Monday" means
- * midnight next Monday. Otherwise, "next Monday" would mean the
- * time right now, next Monday. It's not clear to me why the
- * current behavior is preferred.
- */
- if (yyHaveDate || yyHaveTime || yyHaveDay) {
- Start = Convert(yyMonth, yyDay, yyYear,
- yyHour, yyMinutes, yySeconds,
- yyMeridian, yyDSTmode);
- if (Start < 0)
- return (-1);
- }
- else {
- Start = now->time;
- if (!yyHaveRel)
- Start -= ((tm->tm_hour * 60L + tm->tm_min) * 60L)
- + tm->tm_sec;
- }
-
- /*
- * Add in the relative time specified. RelativeMonth adds in the
- * months, accounting for the fact that the actual length of "3
- * months" depends on where you start counting.
- *
- * XXX By having this separate from the previous block, we are
- * allowing dates like "10:00am 3 months", which means 3 months
- * from 10:00am today, or even "1/1/99 two days" which means two
- * days after 1/1/99.
- *
- * XXX Shouldn't this only be done if yyHaveRel, just for
- * thoroughness?
- */
- Start += yyRelSeconds;
+ yyInput = p;
+ if (now == NULL) {
+ now = &ftz;
+
+ ftz.time = time((time_t *) 0);
+
+ if (! (tm = gmtime (&ftz.time)))
+ return -1;
+ gmt = *tm; /* Make a copy, in case localtime modifies *tm. */
+ ftz.timezone = difftm (&gmt, localtime (&ftz.time)) / 60;
+ }
+
+ tm = localtime(&now->time);
+ yyYear = tm->tm_year;
+ yyMonth = tm->tm_mon + 1;
+ yyDay = tm->tm_mday;
+ yyTimezone = now->timezone;
+ yyDSTmode = DSTmaybe;
+ yyHour = 0;
+ yyMinutes = 0;
+ yySeconds = 0;
+ yyMeridian = MER24;
+ yyRelSeconds = 0;
+ yyRelMonth = 0;
+ yyHaveDate = 0;
+ yyHaveDay = 0;
+ yyHaveRel = 0;
+ yyHaveTime = 0;
+ yyHaveZone = 0;
+
+ /*
+ * When yyparse returns, zero or more of yyHave{Time,Zone,Date,Day,Rel}
+ * will have been incremented. The value is number of items of
+ * that type that were found; for all but Rel, more than one is
+ * illegal.
+ *
+ * For each yyHave indicator, the following values are set:
+ *
+ * yyHaveTime:
+ * yyHour, yyMinutes, yySeconds: hh:mm:ss specified, initialized
+ * to zeros above
+ * yyMeridian: MERam, MERpm, or MER24
+ * yyTimeZone: time zone specified in minutes
+ * yyDSTmode: DSToff if yyTimeZone is set, otherwise unchanged
+ * (initialized above to DSTmaybe)
+ *
+ * yyHaveZone:
+ * yyTimezone: as above
+ * yyDSTmode: DSToff if a non-DST zone is specified, otherwise DSTon
+ * XXX don't understand interaction with yyHaveTime zone info
+ *
+ * yyHaveDay:
+ * yyDayNumber: 0-6 for Sunday-Saturday
+ * yyDayOrdinal: val specified with day ("second monday",
+ * Ordinal=2), otherwise 1
+ *
+ * yyHaveDate:
+ * yyMonth, yyDay, yyYear: mm/dd/yy specified, initialized to
+ * today above
+ *
+ * yyHaveRel:
+ * yyRelSeconds: seconds specified with MINUTE_UNITs ("3 hours") or
+ * SEC_UNITs ("30 seconds")
+ * yyRelMonth: months specified with MONTH_UNITs ("3 months", "1
+ * year")
+ *
+ * The code following yyparse turns these values into a single
+ * date stamp.
+ */
+ if (yyparse()
+ || yyHaveTime > 1 || yyHaveZone > 1 || yyHaveDate > 1 || yyHaveDay > 1)
+ return -1;
+
+ /*
+ * If an absolute time specified, set Start to the equivalent Unix
+ * timestamp. Otherwise, set Start to now, and if we do not have
+ * a relatime time (ie: only yyHaveZone), decrement Start to the
+ * beginning of today.
+ *
+ * By having yyHaveDay in the "absolute" list, "next Monday" means
+ * midnight next Monday. Otherwise, "next Monday" would mean the
+ * time right now, next Monday. It's not clear to me why the
+ * current behavior is preferred.
+ */
+ if (yyHaveDate || yyHaveTime || yyHaveDay) {
+ Start = Convert(yyMonth, yyDay, yyYear, yyHour, yyMinutes, yySeconds,
+ yyMeridian, yyDSTmode);
+ if (Start < 0)
+ return -1;
+ }
+ else {
+ Start = now->time;
+ if (!yyHaveRel)
+ Start -= ((tm->tm_hour * 60L + tm->tm_min) * 60L) + tm->tm_sec;
+ }
+
+ /*
+ * Add in the relative time specified. RelativeMonth adds in the
+ * months, accounting for the fact that the actual length of "3
+ * months" depends on where you start counting.
+ *
+ * XXX By having this separate from the previous block, we are
+ * allowing dates like "10:00am 3 months", which means 3 months
+ * from 10:00am today, or even "1/1/99 two days" which means two
+ * days after 1/1/99.
+ *
+ * XXX Shouldn't this only be done if yyHaveRel, just for
+ * thoroughness?
+ */
+ Start += yyRelSeconds;
delta = RelativeMonth(Start, yyRelMonth);
if (delta == (time_t) -1)
- return -1;
+ return -1;
Start += delta;
- /*
- * Now, if you specified a day of week and counter, add it in. By
- * disallowing Date but allowing Time, you can say "5pm next
- * monday".
- *
- * XXX The yyHaveDay && !yyHaveDate restriction should be enforced
- * above and be able to cause failure.
- */
- if (yyHaveDay && !yyHaveDate) {
- tod = RelativeDate(Start, yyDayOrdinal, yyDayNumber);
- Start += tod;
- }
-
- /* Have to do *something* with a legitimate -1 so it's distinguishable
- * from the error return value. (Alternately could set errno on error.) */
- return (Start == -1 ? 0 : Start);
+ /*
+ * Now, if you specified a day of week and counter, add it in. By
+ * disallowing Date but allowing Time, you can say "5pm next
+ * monday".
+ *
+ * XXX The yyHaveDay && !yyHaveDate restriction should be enforced
+ * above and be able to cause failure.
+ */
+ if (yyHaveDay && !yyHaveDate) {
+ tod = RelativeDate(Start, yyDayOrdinal, yyDayNumber);
+ Start += tod;
+ }
+
+ /* Have to do *something* with a legitimate -1 so it's distinguishable
+ * from the error return value. (Alternately could set errno on error.) */
+ return Start == -1 ? 0 : Start;
}
#if defined(TEST)
/* ARGSUSED */
-main(int ac, char *av[])
+main(ac, av)
+ int ac;
+ char *av[];
{
- char buff[128];
- time_t d;
-
- (void)printf(gettext("Enter date, or blank line to exit.\n\t> "));
- (void)fflush(stdout);
- while (gets(buff) && buff[0]) {
- d = get_date(buff, (struct my_timeb *)NULL);
- if (d == -1)
- (void)printf(
+ char buff[128];
+ time_t d;
+
+ (void)printf(gettext("Enter date, or blank line to exit.\n\t> "));
+ (void)fflush(stdout);
+ while (gets(buff) && buff[0]) {
+ d = get_date(buff, (struct my_timeb *)NULL);
+ if (d == -1)
+ (void)printf(
gettext("Bad format - couldn't convert.\n"));
- else
- (void)printf("%s", ctime(&d));
- (void)printf("\t> ");
- (void)fflush(stdout);
- }
- exit(0);
- /* NOTREA CHED */
+ else
+ (void)printf("%s", ctime(&d));
+ (void)printf("\t> ");
+ (void)fflush(stdout);
+ }
+ exit(0);
+ /* NOTREACHED */
}
#endif /* defined(TEST) */
diff --git a/usr/src/cmd/krb5/kadmin/cli/k5srvutil.sh b/usr/src/cmd/krb5/kadmin/cli/k5srvutil.sh
new file mode 100755
index 0000000000..64d0886c81
--- /dev/null
+++ b/usr/src/cmd/krb5/kadmin/cli/k5srvutil.sh
@@ -0,0 +1,147 @@
+#!/bin/sh
+#
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#
+#
+#
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+TEXTDOMAIN=SUNW_OST_OSCMD
+export TEXTDOMAIN
+
+# list_princs keytab
+# returns a list of principals in the keytab
+# sorted and uniquified
+list_princs() {
+ klist -k $keytab | tail +4 | awk '{print $2}' | sort | uniq
+}
+
+set_command() {
+ if [ x$command != x ] ; then
+ cmd_error `gettext "Only one command can be specified"`
+ usage
+ exit 1
+ fi
+ command=$1
+}
+
+#interactive_prompt prompt princ
+# If in interactive mode return true if the principal should be acted on
+# otherwise return true all the time
+#
+# SUNW14resync: If in interactive mode the default is now to return false
+# i.e. if in interactive mode unless the user types "Yes" or
+# "yes" false will be returned.
+#
+interactive_prompt() {
+ if [ $interactive = 0 ] ; then
+ return 0
+ fi
+ PROMPT=`gettext "%s for %s? [yes no] "`
+ Y1=`gettext "yes"`
+ Y2=`gettext "Yes"`
+ printf "$PROMPT" "$1" "$2"
+ read ans
+ case $ans in
+ ${Y1}|${Y2})
+ return 0
+ ;;
+ esac
+ return 1
+ }
+
+cmd_error() {
+ echo $@ 2>&1
+ }
+
+usage() {
+ USAGE=`gettext "Usage: $0 [-i] [-f file] list|change|delete|delold"`
+ echo $USAGE
+}
+
+
+
+change_key() {
+ princs=`list_princs `
+ for princ in $princs; do
+ ACTION=`gettext "Change key"`
+ if interactive_prompt "$ACTION" $princ; then
+ kadmin -k -t $keytab -p $princ -q "ktadd -k $keytab $princ"
+ fi
+ done
+ }
+
+delete_old_keys() {
+ princs=`list_princs `
+ for princ in $princs; do
+ ACTION=`gettext "Delete old keys"`
+ if interactive_prompt "$ACTION" $princ; then
+ kadmin -k -t $keytab -p $princ -q "ktrem -k $keytab $princ old"
+ fi
+ done
+ }
+
+delete_keys() {
+ interactive=1
+ princs=`list_princs `
+ for princ in $princs; do
+ ACTION=`gettext "Delete all keys"`
+ if interactive_prompt "$ACTION" $princ; then
+ kadmin -p $princ -k -t $keytab -q "ktrem -k $keytab $princ all"
+ fi
+ done
+ }
+
+
+keytab=/etc/krb5/krb5.keytab
+interactive=0
+
+CHANGE=`gettext "change"`
+DELOLD=`gettext "delold"`
+DELETE=`gettext "delete"`
+LIST=`gettext "list"`
+
+while [ $# -gt 0 ] ; do
+ opt=$1
+ shift
+ case $opt in
+ "-f")
+ keytab=$1
+ shift
+ ;;
+ "-i")
+ interactive=1
+ ;;
+ ${CHANGE}|${DELOLD}|${DELETE}|${LIST})
+ set_command $opt
+ ;;
+ *)
+ ILLEGAL=`gettext "Illegal option: "`
+ cmd_error $ILLEGAL $opt
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+
+case $command in
+ $CHANGE)
+ change_key
+ ;;
+ $DELOLD)
+ delete_old_keys
+ ;;
+ $DELETE)
+ delete_keys
+ ;;
+ $LIST)
+ klist -k $keytab
+ ;;
+ *)
+ usage
+ ;;
+ esac
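Review bot: `cmd_error` writes its message to stdout and the redirection `2>&1` points the wrong way, so the errors raised by `set_command` and the option parser never reach stderr; `echo "$@" 1>&2` is the intended form. The keytab path and principal names are also expanded unquoted throughout (`klist -k $keytab`, `-q "ktadd -k $keytab $princ"`), so a `-f` path containing whitespace is split into several arguments; quoting them as `"$keytab"` and `"$princ"` avoids that. The `[ x$command != x ]` test in `set_command` has the same quoting weakness and can be written `[ -n "$command" ]`.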
diff --git a/usr/src/cmd/krb5/kadmin/cli/kadmin.c b/usr/src/cmd/krb5/kadmin/cli/kadmin.c
index b7f9f71e57..f5a92481cf 100644
--- a/usr/src/cmd/krb5/kadmin/cli/kadmin.c
+++ b/usr/src/cmd/krb5/kadmin/cli/kadmin.c
@@ -33,8 +33,8 @@
*/
#include <krb5.h>
-#include <k5-int.h>
#include <kadm5/admin.h>
+#include <krb5/adm_proto.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
@@ -56,17 +56,9 @@
/* functions defined in remote/local specific files */
extern void usage(const char *);
-extern void debugEnable(int);
-/* local principal helpers */
-static char *find_component(const char *, char);
-static char *trim_principal(char *);
-static char *build_admin_princ(const char *, const char *);
-
-/*
- * special struct to convert flag names for principals
- * to actual krb5_flags for a principal
- */
+/* special struct to convert flag names for principals
+ to actual krb5_flags for a principal */
struct pflag {
char *flagname; /* name of flag as typed to CLI */
int flaglen; /* length of string (not counting -,+) */
@@ -113,19 +105,23 @@ char *getenv();
int exit_status = 0;
char *def_realm = NULL;
char *whoami = NULL;
-time_t get_date();
void *handle = NULL;
krb5_context context;
char *ccache_name = NULL;
-char *
-strdur(duration)
+int locked = 0;
+static char *strdur(duration)
time_t duration;
{
- static char out[100];
- int days, hours, minutes, seconds;
-
+ static char out[50];
+ int neg, days, hours, minutes, seconds;
+
+ if (duration < 0) {
+ duration *= -1;
+ neg = 1;
+ } else
+ neg = 0;
days = duration / (24 * 3600);
duration %= 24 * 3600;
hours = duration / 3600;
@@ -133,35 +129,27 @@ strdur(duration)
minutes = duration / 60;
duration %= 60;
seconds = duration;
- if (days == 1) {
- snprintf(out, sizeof (out), gettext("%d day %02d:%02d:%02d"),
- days, hours, minutes, seconds);
- } else {
- snprintf(out, sizeof (out), gettext("%d days %02d:%02d:%02d"),
- days, hours, minutes, seconds);
-}
- return (out);
+ snprintf(out, sizeof (out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
+ days, days == 1 ? gettext("day") : gettext("days"),
+ hours, minutes, seconds);
+ return out;
}
-char *
-strdate(when)
+static char *strdate(when)
krb5_timestamp when;
{
struct tm *tm;
- static char out[30];
+ static char out[40];
time_t lcltim = when;
-
tm = localtime(&lcltim);
- strftime(out, 30, gettext("%a %b %d %H:%M:%S %Z %Y"), tm);
- return (out);
+ strftime(out, sizeof(out), gettext("%a %b %d %H:%M:%S %Z %Y"), tm);
+ return out;
}
-/*
- * this is a wrapper to go around krb5_parse_principal so we can set
- * the default realm up properly
- */
-krb5_error_code
+/* this is a wrapper to go around krb5_parse_principal so we can set
+ the default realm up properly */
+static krb5_error_code
kadmin_parse_name(name, principal)
char *name;
krb5_principal *principal;
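Review bot: In `strdate`, the result of `localtime(&lcltim)` is handed to `strftime` without a NULL check, and the `strftime` return value is ignored, so a timestamp `localtime` cannot represent dereferences NULL and a zero return leaves `out` with stale contents from a previous call. A guard such as `if (tm == NULL || strftime(out, sizeof(out), gettext("%a %b %d %H:%M:%S %Z %Y"), tm) == 0) out[0] = '\0';` keeps the returned string well-formed. The static `out` buffer also means the returned pointer is only valid until the next call, which is worth stating in a comment above the function.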
@@ -175,14 +163,14 @@ kadmin_parse_name(name, principal)
/* assumes def_realm is initialized! */
fullname = (char *)malloc(strlen(name) + 1 + strlen(def_realm) + 1);
if (fullname == NULL)
- return (ENOMEM);
+ return ENOMEM;
strcpy(fullname, name);
cp = strchr(fullname, '@');
while (cp) {
if (cp - fullname && *(cp - 1) != '\\')
break;
else
- cp = strchr((cp + 1), '@');
+ cp = strchr(cp + 1, '@');
}
if (cp == NULL) {
strcat(fullname, "@");
@@ -190,120 +178,114 @@ kadmin_parse_name(name, principal)
}
retval = krb5_parse_name(context, fullname, principal);
free(fullname);
- return (retval);
+ return retval;
}
-char *
-kadmin_startup(argc, argv)
+char *kadmin_startup(argc, argv)
int argc;
char *argv[];
{
- extern krb5_kt_ops krb5_ktf_writable_ops;
extern char *optarg;
char *princstr = NULL, *keytab_name = NULL, *query = NULL;
char *password = NULL;
- char *kadmin_princ = NULL;
char *luser, *canon, *cp;
- int optchar, use_keytab = 0, debug = 0;
+ int optchar, freeprinc = 0, use_keytab = 0;
struct passwd *pw;
kadm5_ret_t retval;
krb5_ccache cc;
krb5_principal princ;
kadm5_config_params params;
+ char *svcname = NULL;
memset((char *) &params, 0, sizeof(params));
- if (retval = krb5_init_context(&context)) {
- com_err(whoami, retval,
+ retval = krb5_init_context(&context);
+ if (retval) {
+ com_err(whoami, retval,
gettext("while initializing krb5 library"));
exit(1);
}
- while ((optchar = getopt(argc, argv, "Dr:p:kq:w:d:s:mc:t:e:O")) != EOF) {
+
+ while ((optchar = getopt(argc, argv, "r:p:kq:w:d:s:mc:t:e:O")) != EOF) {
switch (optchar) {
- case 'O': /* Undocumented option for testing only */
- kadmin_princ = KADM5_ADMIN_SERVICE_P;
- break;
- case 'D':
- debug++;
- break;
case 'r':
def_realm = optarg;
break;
case 'p':
- princstr = strdup(optarg);
- if (princstr == NULL) {
- fprintf(stderr, gettext("Out of memory in %s\n"),
- whoami);
- exit(1);
- }
- break;
- case 'c':
+ princstr = optarg;
+ break;
+ case 'c':
ccache_name = optarg;
break;
- case 'k':
+ case 'k':
use_keytab++;
break;
case 't':
keytab_name = optarg;
break;
- case 'w':
+ case 'w':
password = optarg;
break;
case 'q':
query = optarg;
break;
- case 'd':
+ case 'd':
params.dbname = optarg;
params.mask |= KADM5_CONFIG_DBNAME;
break;
- case 's':
+ case 's':
params.admin_server = optarg;
params.mask |= KADM5_CONFIG_ADMIN_SERVER;
break;
- case 'm':
+ case 'm':
params.mkey_from_kbd = 1;
params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
break;
- case 'e':
+ case 'e':
retval = krb5_string_to_keysalts(optarg,
- ", \t", ":.-", 0,
- &params.keysalts,
- &params.num_keysalts);
+ ", \t",
+ ":.-",
+ 0,
+ &params.keysalts,
+ &params.num_keysalts);
if (retval) {
- com_err(whoami, retval,
+ com_err(whoami, retval,
gettext("while parsing keysalts %s"), optarg);
- exit(1);
+ exit(1);
}
params.mask |= KADM5_CONFIG_ENCTYPES;
break;
+ case 'O': /* Undocumented option for testing only */
+ svcname = KADM5_ADMIN_SERVICE_P;
+ break;
default:
usage(whoami);
}
}
-
- debugEnable(debug);
-
if ((ccache_name && use_keytab) ||
(keytab_name && !use_keytab))
- usage(whoami);
+ usage(whoami);
if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) {
- free(princstr);
+ if (freeprinc)
+ free(princstr);
fprintf(stderr,
gettext("%s: unable to get default realm\n"), whoami);
exit(1);
}
+
params.mask |= KADM5_CONFIG_REALM;
params.realm = def_realm;
- if (kadmin_princ == NULL) {
+ if (svcname == NULL) {
if (kadm5_get_adm_host_srv_name(context,
- def_realm, &kadmin_princ)) {
+ def_realm, &svcname)) {
fprintf(stderr,
gettext("%s: unable to get host based "
"service name for realm %s\n"),
whoami, def_realm);
- free(princstr);
+ if (freeprinc)
+ free(princstr);
exit(1);
}
}
@@ -313,14 +295,14 @@ kadmin_startup(argc, argv)
* argument or the default.
*/
if (ccache_name == NULL) {
- if (retval = krb5_cc_default(context, &cc)) {
+ if ((retval = krb5_cc_default(context, &cc))) {
com_err(whoami, retval,
gettext("while opening default "
"credentials cache"));
exit(1);
}
} else {
- if (retval = krb5_cc_resolve(context, ccache_name, &cc)) {
+ if ((retval = krb5_cc_resolve(context, ccache_name, &cc))) {
com_err(whoami, retval,
gettext("while opening credentials cache %s"),
ccache_name);
@@ -329,47 +311,47 @@ kadmin_startup(argc, argv)
}
/*
- * If no principal name is specified: If a ccache was specified and
- * its primary principal name can be read, it is used, else if a
- * keytab was specified, the principal name is host/hostname,
+ * If no principal name is specified: If a ccache was specified
+ * and its primary principal name can be read, it is used, else if
+ * a keytab was specified, the principal name is host/hostname,
* otherwise append "/admin" to the primary name of the default
* ccache, $USER, or pw_name.
*
* Gee, 100+ lines to figure out the client principal name. This
* should be compressed...
*/
-
+
if (princstr == NULL) {
if (ccache_name != NULL &&
!krb5_cc_get_principal(context, cc, &princ)) {
- if (retval = krb5_unparse_name(context, princ,
- &princstr)) {
+ if ((retval = krb5_unparse_name(context, princ, &princstr))) {
com_err(whoami, retval,
gettext("while canonicalizing principal name"));
- krb5_free_principal(context, princ);
+ krb5_free_principal(context, princ);
exit(1);
- }
- krb5_free_principal(context, princ);
- } else if (use_keytab != 0) {
- if (retval = krb5_sname_to_principal(context, NULL,
- "host", KRB5_NT_SRV_HST,
- &princ)) {
- com_err(whoami, retval,
- gettext("creating host service principal"));
- exit(1);
- }
- if (retval = krb5_unparse_name(context, princ,
- &princstr)) {
+ }
+ krb5_free_principal(context, princ);
+ freeprinc++;
+ } else if (use_keytab != 0) {
+ if ((retval = krb5_sname_to_principal(context, NULL,
+ "host",
+ KRB5_NT_SRV_HST,
+ &princ))) {
com_err(whoami, retval,
+ gettext("creating host service principal"));
+ exit(1);
+ }
+ if ((retval = krb5_unparse_name(context, princ, &princstr))) {
+ com_err(whoami, retval,
gettext("while canonicalizing "
"principal name"));
krb5_free_principal(context, princ);
exit(1);
}
krb5_free_principal(context, princ);
+ freeprinc++;
} else if (!krb5_cc_get_principal(context, cc, &princ)) {
char *realm = NULL;
-
if (krb5_unparse_name(context, princ, &canon)) {
fprintf(stderr,
gettext("%s: unable to canonicalize "
@@ -377,53 +359,98 @@ kadmin_startup(argc, argv)
krb5_free_principal(context, princ);
exit(1);
}
- krb5_free_principal(context, princ);
- (void) trim_principal(canon);
- princstr = build_admin_princ(canon, def_realm);
+ /* strip out realm of principal if it's there */
+ realm = strchr(canon, '@');
+ while (realm) {
+ if (realm - canon && *(realm - 1) != '\\')
+ break;
+ else
+ realm = strchr(realm, '@');
+ }
+ if (realm)
+ *realm++ = '\0';
+ cp = strchr(canon, '/');
+ while (cp) {
+ if (cp - canon && *(cp - 1) != '\\')
+ break;
+ else
+ cp = strchr(cp, '/');
+ }
+ if (cp != NULL)
+ *cp = '\0';
+ princstr = (char*)malloc(strlen(canon) + 6 /* "/admin" */ +
+ (realm ? 1 + strlen(realm) : 0) + 1);
+ if (princstr == NULL) {
+ fprintf(stderr,
+ gettext("%s: out of memory\n"),
+ whoami);
+ exit(1);
+ }
+ strcpy(princstr, canon);
+ strcat(princstr, "/admin");
+ if (realm) {
+ strcat(princstr, "@");
+ strcat(princstr, realm);
+ }
free(canon);
- } else if (luser = getenv("USER")) {
- princstr = build_admin_princ(luser, def_realm);
- } else if (pw = getpwuid(getuid())) {
- princstr = build_admin_princ(pw->pw_name, def_realm);
- } else {
+ krb5_free_principal(context, princ);
+ freeprinc++;
+ } else if ((luser = getenv("USER"))) {
+ princstr = (char *) malloc(strlen(luser) + 7 /* "/admin@" */
+ + strlen(def_realm) + 1);
+ if (princstr == NULL) {
+ fprintf(stderr,
+ gettext("%s: out of memory\n"),
+ whoami);
+ exit(1);
+ }
+ strcpy(princstr, luser);
+ strcat(princstr, "/admin");
+ strcat(princstr, "@");
+ strcat(princstr, def_realm);
+ freeprinc++;
+ } else if ((pw = getpwuid(getuid()))) {
+ princstr = (char *) malloc(strlen(pw->pw_name) + 7 /* "/admin@" */
+ + strlen(def_realm) + 1);
+ if (princstr == NULL) {
fprintf(stderr,
+ gettext("%s: out of memory\n"),
+ whoami);
+ exit(1);
+ }
+ strcpy(princstr, pw->pw_name);
+ strcat(princstr, "/admin@");
+ strcat(princstr, def_realm);
+ freeprinc++;
+ } else {
+ fprintf(stderr,
gettext("%s: unable to figure out "
"a principal name\n"),
- whoami);
- exit(1);
- }
- } else { /* (princstr != NULL) */
- /* See if we need to add the default realm */
- if (find_component(princstr, '@') == NULL) {
- size_t len;
-
- /* principal @ realm NULL */
- len = strlen(princstr) + 1 + strlen(def_realm) + 1;
- princstr = realloc(princstr, len);
- if (princstr == NULL) {
- fprintf(stderr,
- gettext("%s: out of memory\n"), whoami);
- exit(1);
- }
- strcat(princstr, "@");
- strcat(princstr, def_realm);
+ whoami);
+ exit(1);
}
}
+ retval = krb5_klog_init(context, "admin_server", whoami, 0);
+ if (retval) {
+ com_err(whoami, retval, "while setting up logging");
+ exit(1);
+ }
+
/*
- * Initialize the kadm5 connection. If we were given a ccache, use
- * it. Otherwise, use/prompt for the password.
+ * Initialize the kadm5 connection. If we were given a ccache,
+ * use it. Otherwise, use/prompt for the password.
*/
if (ccache_name) {
printf(gettext(
"Authenticating as principal %s with existing credentials.\n"),
princstr);
retval = kadm5_init_with_creds(princstr, cc,
- kadmin_princ,
- &params,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- &handle);
+ svcname,
+ &params,
+ KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2,
+ &handle);
} else if (use_keytab) {
if (keytab_name)
printf(gettext("Authenticating as principal %s with keytab %s.\n"),
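Review bot: The realm- and instance-stripping loops in the `krb5_cc_get_principal` branch never advance past an escaped separator: when `realm` points at an '@' that is preceded by a backslash, or sits at the very start of `canon`, the `else` branch calls `strchr(realm, '@')`, which returns `realm` itself, so the `while (realm)` loop spins forever; the `cp` loop with `strchr(cp, '/')` has the same flaw. The fix is `realm = strchr(realm + 1, '@');` and `cp = strchr(cp + 1, '/');`, which is what `kadmin_parse_name` already does on the new side of this change. Separately, the removed `else` branch that appended `@def_realm` to a `-p` name lacking a realm has no replacement here; if `kadm5_init_*` does not default the realm itself, a bare `-p user/admin` now behaves differently, which is worth confirming. `kadmin_startup` continues beyond this hunk.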
@@ -433,19 +460,20 @@ kadmin_startup(argc, argv)
"Authenticating as principal %s with default keytab.\n"),
princstr);
retval = kadm5_init_with_skey(princstr, keytab_name,
- kadmin_princ,
- &params,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- &handle);
+ svcname,
+ &params,
+ KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2,
+ &handle);
} else {
printf(gettext("Authenticating as principal %s with password.\n"),
princstr);
retval = kadm5_init_with_password(princstr, password,
- kadmin_princ, &params,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- &handle);
+ svcname,
+ &params,
+ KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2,
+ &handle);
}
if (retval) {
if (retval == KADM5_RPC_ERROR_CANTENCODEARGS ||
@@ -464,89 +492,47 @@ kadmin_startup(argc, argv)
}
exit(1);
}
- free(princstr);
+ if (freeprinc)
+ free(princstr);
- if (retval = krb5_cc_close(context, cc)) {
- com_err(whoami, retval, gettext("while closing ccache %s"),
- ccache_name);
- exit(1);
- }
- /* register the WRFILE keytab type and set it as the default */
- if (retval = krb5_kt_register(context, &krb5_ktf_writable_ops)) {
- com_err(whoami, retval,
- gettext("while registering writable key table functions"));
+ if ((retval = krb5_cc_close(context, cc))) {
+ com_err(whoami, retval, gettext("while closing ccache %s"),
+ ccache_name);
exit(1);
}
+
+ /* register the WRFILE keytab type and set it as the default */
{
- /*
- * XXX krb5_defkeyname is an internal library global and
- * should go away
- */
+ /* XXX krb5_defkeyname is an internal library global and
+ should go away */
extern char *krb5_defkeyname;
-
krb5_defkeyname = DEFAULT_KEYTAB;
}
-
+
if ((retval = kadm5_init_iprop(handle)) != 0) {
com_err(whoami, retval, gettext("while mapping update log"));
exit(1);
}
/* Solaris kerberos: fix memory leak */
- if (kadmin_princ)
- free(kadmin_princ);
-
- return (query);
-}
-
-static char *
-find_component(const char *principal, char sep)
-{
- char *p = strchr(principal, sep);
-
- for(p = strchr(principal, sep); p; p = strchr(p, sep))
- if (p != principal && *(p - 1) != '\\')
- break;
- return (p);
-}
+ if (svcname)
+ free(svcname);
-static char *
-trim_principal(char *principal)
-{
- char *p = find_component(principal, '/');
-
- if (p == NULL)
- p = find_component(principal, '@');
-
- if (p)
- *p = '\0';
-
- return (principal);
+ return query;
}
-static char *
-build_admin_princ(const char *user, const char *realm)
+int quit()
{
- char *princstr;
+ kadm5_ret_t retval;
- /* Add 7 to the length for "/admin@" */
- princstr = (char *) malloc(strlen(user) + 7 + strlen(realm) + 1);
- if (princstr == NULL) {
- fprintf(stderr,
- gettext("%s: out of memory\n"),
- whoami);
- exit(1);
+ if (locked) {
+ retval = kadm5_unlock(handle);
+ if (retval) {
+ com_err("quit", retval, gettext("while unlocking locked database"));
+ return 1;
}
- sprintf(princstr, "%s/admin@%s", user, realm);
-
- return (princstr);
-}
-
-int
-quit()
-{
- krb5_ccache cc;
- int retval;
+ locked = 0;
+ }
kadm5_destroy(handle);
if (ccache_name != NULL) {
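Review bot: `if (svcname) free(svcname);` near the end of `kadmin_startup` frees whatever `svcname` points to, but with `-O` it was assigned `KADM5_ADMIN_SERVICE_P` in the option loop of an earlier hunk rather than a value returned by `kadm5_get_adm_host_srv_name`; if that macro expands to a string literal, as its name suggests, this is a free of non-heap memory. Tracking whether the name was allocated, e.g. a `freesvc` flag set only in the `kadm5_get_adm_host_srv_name` branch and tested here, mirrors what this hunk already does for `princstr` with `freeprinc`. The same pattern existed before the change, so it is carried over rather than introduced. The `quit` body continues past the end of this hunk.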
@@ -554,31 +540,64 @@ quit()
gettext("\n\a\a\aAdministration credentials "
"NOT DESTROYED.\n"));
}
+
/* insert more random cleanup here */
+ krb5_klog_close(context);
krb5_free_context(context);
context = NULL;
- return (0);
+ return 0;
+}
+
+void kadmin_lock(argc, argv)
+ int argc;
+ char *argv[];
+{
+ kadm5_ret_t retval;
+
+ if (locked)
+ return;
+ retval = kadm5_lock(handle);
+ if (retval) {
+ com_err("lock", retval, "");
+ return;
+ }
+ locked = 1;
+}
+
+void kadmin_unlock(argc, argv)
+ int argc;
+ char *argv[];
+{
+ kadm5_ret_t retval;
+
+ if (!locked)
+ return;
+ retval = kadm5_unlock(handle);
+ if (retval) {
+ com_err("unlock", retval, "");
+ return;
+ }
+ locked = 0;
}
-void
-kadmin_delprinc(argc, argv)
+void kadmin_delprinc(argc, argv)
int argc;
char *argv[];
{
kadm5_ret_t retval;
krb5_principal princ;
char *canon;
- char reply[32];
+ char reply[32];
if (! (argc == 2 ||
- (argc == 3 && strcmp("-force", argv[1]) == 0))) {
- fprintf(stderr, "%s: delete_principal [-force] %s\n",
+ (argc == 3 && !strcmp("-force", argv[1])))) {
+ fprintf(stderr, "%s: delete_principal [-force] %s\n",
gettext("usage"), gettext("principal"));
return;
}
retval = kadmin_parse_name(argv[argc - 1], &princ);
if (retval) {
- com_err("delete_principal", retval,
+ com_err("delete_principal", retval,
gettext("while parsing principal name"));
return;
}
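Review bot: `kadmin_lock` and `kadmin_unlock` report failures with `com_err("lock", retval, "")` and `com_err("unlock", retval, "")`, an empty message that gives the operator no context, while the neighbouring `quit` uses `gettext("while unlocking locked database")` and the rest of this file localizes every message. Using `com_err("lock", retval, gettext("while locking database"));` and `com_err("unlock", retval, gettext("while unlocking database"));` keeps the two new commands consistent with the file. A one-line comment on `locked` stating that it mirrors whether `kadm5_lock` succeeded would also help readers of `quit`, which unlocks on exit based on it. `kadmin_delprinc` continues beyond this hunk.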
@@ -590,7 +609,7 @@ kadmin_delprinc(argc, argv)
return;
}
if (argc == 2) {
- printf(gettext("Are you sure you want to delete "
+ printf(gettext("Are you sure you want to delete "
"the principal \"%s\"? (yes/no): "), canon);
fgets(reply, sizeof (reply), stdin);
if (strncmp(gettext("yes\n"), reply, sizeof (reply)) &&
@@ -612,14 +631,14 @@ kadmin_delprinc(argc, argv)
free(canon);
return;
}
- printf(gettext("Principal \"%s\" deleted.\n"), canon);
+ printf(gettext("Principal \"%s\" deleted.\n"), canon);
printf(gettext("Make sure that you have removed this principal "
"from all ACLs before reusing.\n"));
free(canon);
+ return;
}
-void
-kadmin_cpw(argc, argv)
+void kadmin_cpw(argc, argv)
int argc;
char *argv[];
{
@@ -628,7 +647,8 @@ kadmin_cpw(argc, argv)
static char prompt1[1024], prompt2[1024];
char *canon;
char *pwarg = NULL;
- int n_ks_tuple = 0, keepold = 0, randkey = 0;
+ int n_ks_tuple = 0, randkey = 0;
+ krb5_boolean keepold = FALSE;
krb5_key_salt_tuple *ks_tuple = NULL;
krb5_principal princ;
int local_kadmin = 0;
@@ -654,7 +674,7 @@ kadmin_cpw(argc, argv)
continue;
}
if (!strcmp("-keepold", *argv)) {
- keepold++;
+ keepold = TRUE;
continue;
}
if (!strcmp("-e", *argv)) {
@@ -779,6 +799,8 @@ kadmin_cpw(argc, argv)
free(canon);
krb5_free_principal(context, princ);
usage:
+ if (ks_tuple != NULL)
+ free(ks_tuple);
fprintf(stderr, "%s: change_password [-randkey] [-keepold] "
"[-e keysaltlist] [-pw password] %s\n",
gettext("usage"), gettext("principal"));
@@ -786,8 +808,9 @@ kadmin_cpw(argc, argv)
}
}
-int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
- ks_tuple, n_ks_tuple, caller)
+static int
+kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
+ ks_tuple, n_ks_tuple, caller)
int argc;
char *argv[];
kadm5_principal_ent_t oprinc;
@@ -814,16 +837,16 @@ int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
if (strlen(argv[i]) == 7 &&
strcmp("-expire", argv[i]) == 0) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
- date = get_date(argv[i], NULL);
+ date = get_date(argv[i]);
if (date == (time_t)-1) {
- fprintf(stderr,
+ fprintf(stderr,
gettext("Invalid date "
"specification "
"\"%s\".\n"),
argv[i]);
- return (-1);
+ return -1;
}
oprinc->princ_expire_time = date;
*mask |= KADM5_PRINC_EXPIRE_TIME;
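Review bot: `get_date(argv[i])` is now called with a single argument, while the TEST driver in getdate.y in this same commit calls `get_date(buff, (struct my_timeb *)NULL)` with two, and the local `time_t get_date();` declaration was dropped from kadmin.c in an earlier hunk, so the call now depends on whatever prototype `<krb5/adm_proto.h>` supplies. If the definition in getdate.y still takes a `now` parameter, the one-argument call leaves `now` unset and its `if (now == NULL)` branch tests an indeterminate value; the definition's signature is outside this view, so please confirm the declaration and definition agree. The same one-argument call appears in the following hunks for `-pwexpire`, `-maxlife` and `-maxrenewlife`. `kadmin_parse_princ_args` continues beyond this hunk.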
@@ -831,18 +854,18 @@ int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
}
}
if (strlen(argv[i]) == 9 &&
- strcmp("-pwexpire", argv[i]) == 0) {
+ !strcmp("-pwexpire", argv[i])) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
- date = get_date(argv[i], NULL);
+ date = get_date(argv[i]);
if (date == (time_t)-1) {
- fprintf(stderr,
+ fprintf(stderr,
gettext("Invalid date "
"specification "
"\"%s\".\n"),
argv[i]);
- return (-1);
+ return -1;
}
oprinc->pw_expiration = date;
*mask |= KADM5_PW_EXPIRATION;
@@ -850,18 +873,18 @@ int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
}
}
if (strlen(argv[i]) == 8 &&
- strcmp("-maxlife", argv[i]) == 0) {
+ !strcmp("-maxlife", argv[i])) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
- date = get_date(argv[i], NULL);
+ date = get_date(argv[i]);
if (date == (time_t)-1) {
fprintf(stderr,
gettext("Invalid date "
"specification "
"\"%s\".\n"),
argv[i]);
- return (-1);
+ return -1;
}
if (date <= now) {
fprintf(stderr,
@@ -877,18 +900,18 @@ int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
}
}
if (strlen(argv[i]) == 13 &&
- strcmp("-maxrenewlife", argv[i]) == 0) {
+ !strcmp("-maxrenewlife", argv[i])) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
- date = get_date(argv[i], NULL);
+ date = get_date(argv[i]);
if (date == (time_t)-1) {
fprintf(stderr,
gettext("Invalid date "
"specification "
"\"%s\".\n"),
argv[i]);
- return (-1);
+ return -1;
}
if (date <= now) {
fprintf(stderr,
@@ -904,9 +927,9 @@ int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
}
}
if (strlen(argv[i]) == 5 &&
- strcmp("-kvno", argv[i]) == 0) {
+ !strcmp("-kvno", argv[i])) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
oprinc->kvno = atoi(argv[i]);
*mask |= KADM5_KVNO;
@@ -914,9 +937,9 @@ int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
}
}
if (strlen(argv[i]) == 7 &&
- strcmp("-policy", argv[i]) == 0) {
+ !strcmp("-policy", argv[i])) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
oprinc->policy = argv[i];
*mask |= KADM5_POLICY;
@@ -924,22 +947,22 @@ int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
}
}
if (strlen(argv[i]) == 12 &&
- strcmp("-clearpolicy", argv[i]) == 0) {
+ !strcmp("-clearpolicy", argv[i])) {
oprinc->policy = NULL;
*mask |= KADM5_POLICY_CLR;
continue;
}
if (strlen(argv[i]) == 3 &&
- strcmp("-pw", argv[i]) == 0) {
+ !strcmp("-pw", argv[i])) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
*pass = argv[i];
continue;
}
}
if (strlen(argv[i]) == 8 &&
- strcmp("-randkey", argv[i]) == 0) {
+ !strcmp("-randkey", argv[i])) {
++*randkey;
continue;
}
@@ -959,41 +982,40 @@ int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
}
for (j = 0; j < sizeof (flags) / sizeof (struct pflag); j++) {
if (strlen(argv[i]) == flags[j].flaglen + 1 &&
- strcmp(flags[j].flagname,
- /* strip off leading + or - */
- &argv[i][1]) == 0) {
- if (flags[j].set && argv[i][0] == '-' ||
- !flags[j].set && argv[i][0] == '+') {
+ !strcmp(flags[j].flagname,
+ &argv[i][1] /* strip off leading + or - */)) {
+ if ((flags[j].set && argv[i][0] == '-') ||
+ (!flags[j].set && argv[i][0] == '+')) {
oprinc->attributes |= flags[j].theflag;
*mask |= KADM5_ATTRIBUTES;
attrib_set++;
break;
- } else if (flags[j].set && argv[i][0] == '+' ||
- !flags[j].set && argv[i][0] == '-') {
+ } else if ((flags[j].set && argv[i][0] == '+') ||
+ (!flags[j].set && argv[i][0] == '-')) {
oprinc->attributes &= ~flags[j].theflag;
*mask |= KADM5_ATTRIBUTES;
attrib_set++;
break;
} else {
- return (-1);
+ return -1;
}
}
}
if (!attrib_set)
- return (-1); /* nothing was parsed */
+ return -1; /* nothing was parsed */
}
if (i != argc - 1) {
- return (-1);
+ return -1;
}
retval = kadmin_parse_name(argv[i], &oprinc->principal);
if (retval) {
- com_err(caller, retval, gettext("while parsing principal"));
- return (-1);
+ com_err(caller, retval, gettext("while parsing principal"));
+ return -1;
}
- return (0);
+ return 0;
}
-void
+static void
kadmin_addprinc_usage(func)
char *func;
{
@@ -1014,7 +1036,7 @@ kadmin_addprinc_usage(func)
"password_changing_service\n");
}
-void
+static void
kadmin_modprinc_usage(func)
char *func;
{
@@ -1035,8 +1057,7 @@ kadmin_modprinc_usage(func)
"password_changing_service\n");
}
-void
-kadmin_addprinc(argc, argv)
+void kadmin_addprinc(argc, argv)
int argc;
char *argv[];
{
@@ -1100,7 +1121,8 @@ kadmin_addprinc(argc, argv)
(void) kadm5_free_policy_ent(handle, &defpol);
} else
fprintf(stderr, gettext("WARNING: no policy specified "
- "for %s; defaulting to no policy\n"), canon);
+ "for %s; defaulting to no policy\n"),
+ canon);
}
mask &= ~KADM5_POLICY_CLR;
@@ -1115,11 +1137,11 @@ kadmin_addprinc(argc, argv)
if (randkey || (mask & KADM5_ATTRIBUTES))
princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- if (randkey) {
- pass = dummybuf;
+ if (randkey) {
mask |= KADM5_ATTRIBUTES;
+ pass = dummybuf;
} else if (pass == NULL) {
- unsigned int i = sizeof (newpw) - 1;
+ unsigned int sz = sizeof (newpw) - 1;
snprintf(prompt1, sizeof (prompt1),
gettext("Enter password for principal \"%.900s\""),
canon);
@@ -1127,7 +1149,7 @@ kadmin_addprinc(argc, argv)
gettext("Re-enter password for principal \"%.900s\""),
canon);
retval = krb5_read_password(context, prompt1, prompt2,
- newpw, &i);
+ newpw, &sz);
if (retval) {
com_err("add_principal", retval,
gettext("while reading password for \"%s\"."), canon);
@@ -1158,8 +1180,7 @@ kadmin_addprinc(argc, argv)
free(ks_tuple);
return;
}
-
- if (randkey) { /* more special stuff for -randkey */
+ if (randkey) { /* more special stuff for -randkey */
if (ks_tuple != NULL || local_kadmin) {
retval = kadm5_randkey_principal_3(handle, princ.principal,
FALSE,
@@ -1219,7 +1240,6 @@ kadmin_addprinc(argc, argv)
return;
}
}
-
krb5_free_principal(context, princ.principal);
printf(gettext("Principal \"%s\" created.\n"), canon);
if (ks_tuple != NULL)
@@ -1227,8 +1247,7 @@ kadmin_addprinc(argc, argv)
free(canon);
}
-void
-kadmin_modprinc(argc, argv)
+void kadmin_modprinc(argc, argv)
int argc;
char *argv[];
{
@@ -1251,7 +1270,7 @@ kadmin_modprinc(argc, argv)
retval = kadmin_parse_name(argv[argc - 1], &kprinc);
if (retval) {
- com_err("modify_principal", retval,
+ com_err("modify_principal", retval,
gettext("while parsing principal"));
return;
}
@@ -1266,7 +1285,7 @@ kadmin_modprinc(argc, argv)
KADM5_PRINCIPAL_NORMAL_MASK);
krb5_free_principal(context, kprinc);
if (retval) {
- com_err("modify_principal", retval,
+ com_err("modify_principal", retval,
gettext("while getting \"%s\"."), canon);
free(canon);
return;
@@ -1316,8 +1335,7 @@ kadmin_modprinc(argc, argv)
free(canon);
}
-void
-kadmin_getprinc(argc, argv)
+void kadmin_getprinc(argc, argv)
int argc;
char *argv[];
{
@@ -1328,23 +1346,25 @@ kadmin_getprinc(argc, argv)
int i;
if (! (argc == 2 ||
- (argc == 3 && strcmp("-terse", argv[1]) == 0))) {
+ (argc == 3 && !strcmp("-terse", argv[1])))) {
fprintf(stderr, "%s: get_principal [-terse] %s\n",
gettext("usage"), gettext("principal"));
return;
}
+
+
memset(&dprinc, 0, sizeof(dprinc));
memset(&princ, 0, sizeof(princ));
retval = kadmin_parse_name(argv[argc - 1], &princ);
if (retval) {
- com_err("get_principal", retval,
+ com_err("get_principal", retval,
gettext("while parsing principal"));
return;
}
retval = krb5_unparse_name(context, princ, &canon);
if (retval) {
- com_err("get_principal", retval,
+ com_err("get_principal", retval,
gettext("while canonicalizing principal"));
krb5_free_principal(context, princ);
return;
@@ -1353,14 +1373,14 @@ kadmin_getprinc(argc, argv)
KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA);
krb5_free_principal(context, princ);
if (retval) {
- com_err("get_principal", retval,
+ com_err("get_principal", retval,
gettext("while retrieving \"%s\"."), canon);
free(canon);
return;
}
retval = krb5_unparse_name(context, dprinc.mod_name, &modcanon);
if (retval) {
- com_err("get_principal", retval,
+ com_err("get_principal", retval,
gettext("while unparsing modname"));
kadm5_free_principal_ent(handle, &dprinc);
free(canon);
@@ -1431,7 +1451,7 @@ kadmin_getprinc(argc, argv)
canon, dprinc.princ_expire_time, dprinc.last_pwd_change,
dprinc.pw_expiration, dprinc.max_life, modcanon,
dprinc.mod_date, dprinc.attributes, dprinc.kvno,
- dprinc.mkvno, dprinc.policy ?
+ dprinc.mkvno, dprinc.policy ?
dprinc.policy : gettext("[none]"),
dprinc.max_renewable_life, dprinc.last_success,
dprinc.last_failed, dprinc.fail_auth_count,
@@ -1449,13 +1469,12 @@ kadmin_getprinc(argc, argv)
free(canon);
}
-void
-kadmin_getprincs(argc, argv)
+void kadmin_getprincs(argc, argv)
int argc;
char *argv[];
{
krb5_error_code retval;
- char *exp, **names;
+ char *expr, **names;
int i, count;
FILE *output;
@@ -1464,15 +1483,15 @@ kadmin_getprincs(argc, argv)
sigset_t nmask, omask;
int waitb;
- exp = NULL;
- if (! (argc == 1 || (argc == 2 && (exp = argv[1])))) {
+ expr = NULL;
+ if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
fprintf(stderr, "%s: get_principals %s\n",
gettext("usage"), gettext("[expression]"));
return;
}
- retval = kadm5_get_principals(handle, exp, &names, &count);
+ retval = kadm5_get_principals(handle, expr, &names, &count);
if (retval) {
- com_err("get_principals", retval,
+ com_err("get_principals", retval,
gettext("while retrieving list."));
return;
}
@@ -1496,7 +1515,7 @@ kadmin_getprincs(argc, argv)
sigprocmask(SIG_SETMASK, &omask, (sigset_t *)0);
for (i = 0; i < count; i++)
- fprintf(output, "%s\n", names[i]);
+ fprintf(output, "%s\n", names[i]);
fclose(output);
@@ -1505,7 +1524,7 @@ kadmin_getprincs(argc, argv)
kadm5_free_name_list(handle, names, count);
}
-int
+static int
kadmin_parse_policy_args(argc, argv, policy, mask, caller)
int argc;
char *argv[];
@@ -1516,24 +1535,23 @@ kadmin_parse_policy_args(argc, argv, policy, mask, caller)
int i;
time_t now;
time_t date;
- krb5_error_code retval;
time(&now);
*mask = 0;
for (i = 1; i < argc - 1; i++) {
if (strlen(argv[i]) == 8 &&
- strcmp(argv[i], "-maxlife") == 0) {
+ !strcmp(argv[i], "-maxlife")) {
if (++i > argc -2)
- return (-1);
+ return -1;
else {
- date = get_date(argv[i], NULL);
+ date = get_date(argv[i]);
if (date == (time_t)-1) {
fprintf(stderr,
gettext("Invalid date "
"specification "
"\"%s\".\n"),
argv[i]);
- return (-1);
+ return -1;
}
if (date <= now) {
fprintf(stderr,
@@ -1548,18 +1566,18 @@ kadmin_parse_policy_args(argc, argv, policy, mask, caller)
continue;
}
} else if (strlen(argv[i]) == 8 &&
- strcmp(argv[i], "-minlife") == 0) {
+ !strcmp(argv[i], "-minlife")) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
- date = get_date(argv[i], NULL);
+ date = get_date(argv[i]);
if (date == (time_t)-1) {
fprintf(stderr,
gettext("Invalid date "
"specification "
"\"%s\".\n"),
argv[i]);
- return (-1);
+ return -1;
}
if (date <= now) {
fprintf(stderr,
@@ -1574,43 +1592,43 @@ kadmin_parse_policy_args(argc, argv, policy, mask, caller)
continue;
}
} else if (strlen(argv[i]) == 10 &&
- strcmp(argv[i], "-minlength") == 0) {
+ !strcmp(argv[i], "-minlength")) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
policy->pw_min_length = atoi(argv[i]);
*mask |= KADM5_PW_MIN_LENGTH;
continue;
}
} else if (strlen(argv[i]) == 11 &&
- strcmp(argv[i], "-minclasses") == 0) {
+ !strcmp(argv[i], "-minclasses")) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
policy->pw_min_classes = atoi(argv[i]);
*mask |= KADM5_PW_MIN_CLASSES;
continue;
}
} else if (strlen(argv[i]) == 8 &&
- strcmp(argv[i], "-history") == 0) {
+ !strcmp(argv[i], "-history")) {
if (++i > argc - 2)
- return (-1);
+ return -1;
else {
policy->pw_history_num = atoi(argv[i]);
*mask |= KADM5_PW_HISTORY_NUM;
continue;
}
} else
- return (-1);
+ return -1;
}
if (i != argc -1) {
- fprintf(stderr, gettext("%s: parser lost count!\n"), caller);
- return (-1);
+ fprintf(stderr, gettext("%s: parser lost count!\n"), caller);
+ return -1;
} else
- return (0);
+ return 0;
}
-void
+static void
kadmin_addmodpol_usage(func)
char *func;
{
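Review bot: The three `atoi(argv[i])` assignments in this hunk (for -minlength, -minclasses and -history) accept any string and silently turn non-numeric or negative input into 0 or a negative policy value, while the commit reworks the neighbouring returns without tightening that. The -maxlife and -minlife branches above already reject bad input; the numeric ones could do the same with a checked parse, e.g. `errno = 0; long v = strtol(argv[i], &end, 10);` / `if (end == argv[i] || *end != '\0' || errno == ERANGE || v < 0) return -1;` / `policy->pw_min_length = v;`, repeated for pw_min_classes and pw_history_num. `end` would be a new `char *` local, and whether `<errno.h>` is already in scope cannot be seen from the hunk. kadmin_parse_policy_args begins in an earlier hunk.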
@@ -1622,8 +1640,7 @@ kadmin_addmodpol_usage(func)
"[-history number]\n");
}
-void
-kadmin_addpol(argc, argv)
+void kadmin_addpol(argc, argv)
int argc;
char *argv[];
{
@@ -1632,8 +1649,7 @@ kadmin_addpol(argc, argv)
kadm5_policy_ent_rec policy;
memset(&policy, 0, sizeof(policy));
- if (kadmin_parse_policy_args(argc, argv,
- &policy, &mask, "add_policy")) {
+ if (kadmin_parse_policy_args(argc, argv, &policy, &mask, "add_policy")) {
kadmin_addmodpol_usage("add_policy");
return;
} else {
@@ -1647,10 +1663,10 @@ kadmin_addpol(argc, argv)
return;
}
}
+ return;
}
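Review bot: The `return;` added as the last statement of kadmin_addpol is redundant in a void function, and the same trailing `return;` is added in kadmin_modpol, kadmin_delpol and kadmin_getpol in later hunks and in kadmin_getprivs in kadmin_rmt.c. Dropping these lines keeps the diff to its substantive changes. kadmin_addpol's body begins in an earlier hunk.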
-void
-kadmin_modpol(argc, argv)
+void kadmin_modpol(argc, argv)
int argc;
char *argv[];
{
@@ -1673,19 +1689,19 @@ kadmin_modpol(argc, argv)
return;
}
}
+ return;
}
-void
-kadmin_delpol(argc, argv)
+void kadmin_delpol(argc, argv)
int argc;
char *argv[];
{
krb5_error_code retval;
- char reply[32];
+ char reply[32];
if (! (argc == 2 ||
- (argc == 3 && strcmp("-force", argv[1]) == 0))) {
- fprintf(stderr, "%s: delete_policy [-force] %s\n",
+ (argc == 3 && !strcmp("-force", argv[1])))) {
+ fprintf(stderr, "%s: delete_policy [-force] %s\n",
gettext("usage"), gettext("policy"));
return;
}
@@ -1710,10 +1726,10 @@ kadmin_delpol(argc, argv)
argv[argc - 1]);
return;
}
+ return;
}
-void
-kadmin_getpol(argc, argv)
+void kadmin_getpol(argc, argv)
int argc;
char *argv[];
{
@@ -1721,7 +1737,7 @@ kadmin_getpol(argc, argv)
kadm5_policy_ent_rec policy;
if (! (argc == 2 ||
- (argc == 3 && strcmp("-terse", argv[1]) == 0))) {
+ (argc == 3 && !strcmp("-terse", argv[1])))) {
fprintf(stderr, "%s: get_policy [-terse] %s\n",
gettext("usage"), gettext("policy"));
return;
@@ -1735,45 +1751,45 @@ kadmin_getpol(argc, argv)
}
if (argc == 2) {
printf(gettext("Policy: %s\n"), policy.policy);
- printf(gettext("Maximum password life: %d\n"),
+ printf(gettext("Maximum password life: %ld\n"),
policy.pw_max_life);
- printf(gettext("Minimum password life: %d\n"),
+ printf(gettext("Minimum password life: %ld\n"),
policy.pw_min_life);
- printf(gettext("Minimum password length: %d\n"),
+ printf(gettext("Minimum password length: %ld\n"),
policy.pw_min_length);
printf(gettext("Minimum number of password "
- "character classes: %d\n"),
+ "character classes: %ld\n"),
policy.pw_min_classes);
- printf(gettext("Number of old keys kept: %d\n"),
+ printf(gettext("Number of old keys kept: %ld\n"),
policy.pw_history_num);
- printf(gettext("Reference count: %d\n"), policy.policy_refcnt);
+ printf(gettext("Reference count: %ld\n"), policy.policy_refcnt);
} else {
- printf("\"%s\"\t%d\t%d\t%d\t%d\t%d\t%d\n",
+ printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
policy.policy, policy.pw_max_life, policy.pw_min_life,
policy.pw_min_length, policy.pw_min_classes,
policy.pw_history_num, policy.policy_refcnt);
}
kadm5_free_policy_ent(handle, &policy);
+ return;
}
-void
-kadmin_getpols(argc, argv)
+void kadmin_getpols(argc, argv)
int argc;
char *argv[];
{
krb5_error_code retval;
- char *exp, **names;
+ char *expr, **names;
int i, count;
- exp = NULL;
- if (! (argc == 1 || (argc == 2 && (exp = argv[1])))) {
- fprintf(stderr, "%s: get_policies %s\n",
+ expr = NULL;
+ if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
+ fprintf(stderr, "%s: get_policies %s\n",
gettext("usage"), gettext("[expression]\n"));
return;
}
- retval = kadm5_get_policies(handle, exp, &names, &count);
+ retval = kadm5_get_policies(handle, expr, &names, &count);
if (retval) {
- com_err("get_policies", retval,
+ com_err("get_policies", retval,
gettext("while retrieving list."));
return;
}
@@ -1781,3 +1797,4 @@ kadmin_getpols(argc, argv)
printf("%s\n", names[i]);
kadm5_free_name_list(handle, names, count);
}
+
diff --git a/usr/src/cmd/krb5/kadmin/cli/kadmin.h b/usr/src/cmd/krb5/kadmin/cli/kadmin.h
new file mode 100644
index 0000000000..abf6fcf526
--- /dev/null
+++ b/usr/src/cmd/krb5/kadmin/cli/kadmin.h
@@ -0,0 +1,75 @@
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * kadmin/cli/kadmin.h
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Prototypes for kadmin functions called from SS library.
+ */
+
+#ifndef __KADMIN_H__
+#define __KADMIN_H__
+
+/* It would be nice if ss produced a header file we could reference */
+extern char *kadmin_startup(int argc, char *argv[]);
+extern int quit (void);
+extern void kadmin_lock(int argc, char *argv[]);
+extern void kadmin_unlock(int argc, char *argv[]);
+extern void kadmin_delprinc(int argc, char *argv[]);
+extern void kadmin_cpw(int argc, char *argv[]);
+extern void kadmin_addprinc(int argc, char *argv[]);
+extern void kadmin_modprinc(int argc, char *argv[]);
+extern void kadmin_getprinc(int argc, char *argv[]);
+extern void kadmin_getprincs(int argc, char *argv[]);
+extern void kadmin_addpol(int argc, char *argv[]);
+extern void kadmin_modpol(int argc, char *argv[]);
+extern void kadmin_delpol(int argc, char *argv[]);
+extern void kadmin_getpol(int argc, char *argv[]);
+extern void kadmin_getpols(int argc, char *argv[]);
+extern void kadmin_getprivs(int argc, char *argv[]);
+extern void kadmin_keytab_add(int argc, char *argv[]);
+extern void kadmin_keytab_remove(int argc, char *argv[]);
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#else
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif
+
+extern time_t get_date(char *);
+
+/* Yucky global variables */
+extern krb5_context context;
+extern char *krb5_defkeyname;
+extern char *whoami;
+extern void *handle;
+
+#endif /* __KADMIN_H__ */
+
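Review bot: The include guard `__KADMIN_H__` is a double-underscore identifier, which C reserves for the implementation; a guard such as `KADMIN_H` avoids that. The header also declares `extern krb5_context context;` without including `<krb5.h>`, so it compiles only when the translation unit has included krb5.h first (keytab.c does, per its include order in this diff); an `#include <krb5.h>` near the top, or a comment stating that ordering requirement, would make the header self-contained. The `get_date` prototype is correctly placed after the conditional `<time.h>` includes, but the `krb5_context` extern has no equivalent protection.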
diff --git a/usr/src/cmd/krb5/kadmin/cli/kadmin_ct.c b/usr/src/cmd/krb5/kadmin/cli/kadmin_ct.c
index 7da36fe992..b29c36a7be 100644
--- a/usr/src/cmd/krb5/kadmin/cli/kadmin_ct.c
+++ b/usr/src/cmd/krb5/kadmin/cli/kadmin_ct.c
@@ -32,180 +32,201 @@
#include <ss/ss.h>
#ifndef __STDC__
-#define const
+#define const
#endif
-static char const *const ssu00001[] = {
- "add_principal",
- "addprinc",
- "ank",
- (char const *) 0
+static char const * const ssu00001[] = {
+"add_principal",
+ "addprinc",
+ "ank",
+ (char const *)0
};
extern void kadmin_addprinc __SS_PROTO;
-static char const *const ssu00002[] = {
- "delete_principal",
- "delprinc",
- (char const *) 0
+static char const * const ssu00002[] = {
+"delete_principal",
+ "delprinc",
+ (char const *)0
};
extern void kadmin_delprinc __SS_PROTO;
-static char const *const ssu00003[] = {
- "modify_principal",
- "modprinc",
- (char const *) 0
+static char const * const ssu00003[] = {
+"modify_principal",
+ "modprinc",
+ (char const *)0
};
extern void kadmin_modprinc __SS_PROTO;
-static char const *const ssu00004[] = {
- "change_password",
- "cpw",
- (char const *) 0
+static char const * const ssu00004[] = {
+"change_password",
+ "cpw",
+ (char const *)0
};
extern void kadmin_cpw __SS_PROTO;
-static char const *const ssu00005[] = {
- "get_principal",
- "getprinc",
- (char const *) 0
+static char const * const ssu00005[] = {
+"get_principal",
+ "getprinc",
+ (char const *)0
};
extern void kadmin_getprinc __SS_PROTO;
-static char const *const ssu00006[] = {
- "list_principals",
- "listprincs",
- "get_principals",
- "getprincs",
- (char const *) 0
+static char const * const ssu00006[] = {
+"list_principals",
+ "listprincs",
+ "get_principals",
+ "getprincs",
+ (char const *)0
};
extern void kadmin_getprincs __SS_PROTO;
-static char const *const ssu00007[] = {
- "add_policy",
- "addpol",
- (char const *) 0
+static char const * const ssu00007[] = {
+"add_policy",
+ "addpol",
+ (char const *)0
};
extern void kadmin_addpol __SS_PROTO;
-static char const *const ssu00008[] = {
- "modify_policy",
- "modpol",
- (char const *) 0
+static char const * const ssu00008[] = {
+"modify_policy",
+ "modpol",
+ (char const *)0
};
extern void kadmin_modpol __SS_PROTO;
-static char const *const ssu00009[] = {
- "delete_policy",
- "delpol",
- (char const *) 0
+static char const * const ssu00009[] = {
+"delete_policy",
+ "delpol",
+ (char const *)0
};
extern void kadmin_delpol __SS_PROTO;
-static char const *const ssu00010[] = {
- "get_policy",
- "getpol",
- (char const *) 0
+static char const * const ssu00010[] = {
+"get_policy",
+ "getpol",
+ (char const *)0
};
extern void kadmin_getpol __SS_PROTO;
-static char const *const ssu00011[] = {
- "list_policies",
- "listpols",
- "get_policies",
- "getpols",
- (char const *) 0
+static char const * const ssu00011[] = {
+"list_policies",
+ "listpols",
+ "get_policies",
+ "getpols",
+ (char const *)0
};
extern void kadmin_getpols __SS_PROTO;
-static char const *const ssu00012[] = {
- "get_privs",
- "getprivs",
- (char const *) 0
+static char const * const ssu00012[] = {
+"get_privs",
+ "getprivs",
+ (char const *)0
};
extern void kadmin_getprivs __SS_PROTO;
-static char const *const ssu00013[] = {
- "ktadd",
- "xst",
- (char const *) 0
+static char const * const ssu00013[] = {
+"ktadd",
+ "xst",
+ (char const *)0
};
extern void kadmin_keytab_add __SS_PROTO;
-static char const *const ssu00014[] = {
- "ktremove",
- "ktrem",
- (char const *) 0
+static char const * const ssu00014[] = {
+"ktremove",
+ "ktrem",
+ (char const *)0
};
extern void kadmin_keytab_remove __SS_PROTO;
-static char const *const ssu00015[] = {
- "list_requests",
- "lr",
- "?",
- (char const *) 0
+
+static char const * const ssu00015[] = {
+"lock",
+ (char const *)0
+};
+extern void kadmin_lock __SS_PROTO;
+static char const * const ssu00016[] = {
+"unlock",
+ (char const *)0
};
+extern void kadmin_unlock __SS_PROTO;
+
+static char const * const ssu00017[] = {
+"list_requests",
+ "lr",
+ "?",
+ (char const *)0
+};
+
extern void ss_list_requests __SS_PROTO;
-static char const *const ssu00016[] = {
- "quit",
- "exit",
- "q",
- (char const *) 0
+static char const * const ssu00018[] = {
+"quit",
+ "exit",
+ "q",
+ (char const *)0
};
extern void ss_quit __SS_PROTO;
-static ss_request_entry ssu00017[] = {
- {ssu00001,
- kadmin_addprinc,
- gettext("Add principal"),
- 0},
- {ssu00002,
- kadmin_delprinc,
- gettext("Delete principal"),
- 0},
- {ssu00003,
- kadmin_modprinc,
- gettext("Modify principal"),
- 0},
- {ssu00004,
- kadmin_cpw,
- gettext("Change password"),
- 0},
- {ssu00005,
- kadmin_getprinc,
- gettext("Get principal"),
- 0},
- {ssu00006,
- kadmin_getprincs,
- gettext("List principals"),
- 0},
- {ssu00007,
- kadmin_addpol,
- gettext("Add policy"),
- 0},
- {ssu00008,
- kadmin_modpol,
- gettext("Modify policy"),
- 0},
- {ssu00009,
- kadmin_delpol,
- gettext("Delete policy"),
- 0},
- {ssu00010,
- kadmin_getpol,
- gettext("Get policy"),
- 0},
- {ssu00011,
- kadmin_getpols,
- gettext("List policies"),
- 0},
- {ssu00012,
- kadmin_getprivs,
- gettext("Get privileges"),
- 0},
- {ssu00013,
- kadmin_keytab_add,
- gettext("Add entry(s) to a keytab"),
- 0},
- {ssu00014,
- kadmin_keytab_remove,
- gettext("Remove entry(s) from a keytab"),
- 0},
- {ssu00015,
- ss_list_requests,
- gettext("List available requests."),
- 0},
- {ssu00016,
- ss_quit,
- gettext("Exit program."),
- 0},
- {0, 0, 0, 0}
+static ss_request_entry ssu00019[] = {
+ { ssu00001,
+ kadmin_addprinc,
+ gettext("Add principal"),
+ 0 },
+ { ssu00002,
+ kadmin_delprinc,
+ gettext("Delete principal"),
+ 0 },
+ { ssu00003,
+ kadmin_modprinc,
+ gettext("Modify principal"),
+ 0 },
+ { ssu00004,
+ kadmin_cpw,
+ gettext("Change password"),
+ 0 },
+ { ssu00005,
+ kadmin_getprinc,
+ gettext("Get principal"),
+ 0 },
+ { ssu00006,
+ kadmin_getprincs,
+ gettext("List principals"),
+ 0 },
+ { ssu00007,
+ kadmin_addpol,
+ gettext("Add policy"),
+ 0 },
+ { ssu00008,
+ kadmin_modpol,
+ gettext("Modify policy"),
+ 0 },
+ { ssu00009,
+ kadmin_delpol,
+ gettext("Delete policy"),
+ 0 },
+ { ssu00010,
+ kadmin_getpol,
+ gettext("Get policy"),
+ 0 },
+ { ssu00011,
+ kadmin_getpols,
+ gettext("List policies"),
+ 0 },
+ { ssu00012,
+ kadmin_getprivs,
+ gettext("Get privileges"),
+ 0 },
+ { ssu00013,
+ kadmin_keytab_add,
+ gettext("Add entry(s) to a keytab"),
+ 0 },
+ { ssu00014,
+ kadmin_keytab_remove,
+ gettext("Remove entry(s) from a keytab"),
+ 0 },
+ { ssu00015,
+ kadmin_lock,
+ gettext("Lock database exclusively (use with extreme caution!)"),
+ 0 },
+ { ssu00016,
+ kadmin_unlock,
+ gettext("Release exclusive database lock"),
+ 0 },
+ { ssu00017,
+ ss_list_requests,
+ gettext("List available requests."),
+ 0 },
+ { ssu00018,
+ ss_quit,
+ gettext("Exit program."),
+ 0 },
+ { 0, 0, 0, 0 }
};
-ss_request_table kadmin_cmds = {2, ssu00017};
+ss_request_table kadmin_cmds = { 2, ssu00019 };
#undef gettext
diff --git a/usr/src/cmd/krb5/kadmin/cli/kadmin_rmt.c b/usr/src/cmd/krb5/kadmin/cli/kadmin_rmt.c
index 0d63238512..261db1536a 100644
--- a/usr/src/cmd/krb5/kadmin/cli/kadmin_rmt.c
+++ b/usr/src/cmd/krb5/kadmin/cli/kadmin_rmt.c
@@ -1,6 +1,6 @@
/*
- * Copyright (c) 1998-1999 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
@@ -41,31 +41,30 @@ debugEnable(int displayMsgs)
#endif
}
-void
-kadmin_getprivs(argc, argv)
-int argc;
-char *argv[];
+void kadmin_getprivs(argc, argv)
+ int argc;
+ char *argv[];
{
- static char *privs[] = {"GET", "ADD", "MODIFY", "DELETE", "LIST",
- "CHANGE"};
- krb5_error_code retval;
- int i;
- long plist;
+ static char *privs[] = {"GET", "ADD", "MODIFY", "DELETE", "LIST", "CHANGE"};
+ krb5_error_code retval;
+ int i;
+ long plist;
- if (argc != 1) {
- fprintf(stderr, "%s: get_privs\n", gettext("usage"));
- return;
- }
- retval = kadm5_get_privs(handle, &plist);
- if (retval) {
- com_err("get_privs", retval,
+ if (argc != 1) {
+ fprintf(stderr, "%s: get_privs\n", gettext("usage"));
+ return;
+ }
+ retval = kadm5_get_privs(handle, &plist);
+ if (retval) {
+ com_err("get_privs", retval,
gettext("while retrieving privileges"));
- return;
- }
- printf(gettext("current privileges:"));
- for (i = 0; i < sizeof (privs) / sizeof (char *); i++) {
- if (plist & 1 << i)
- printf(" %s", gettext(privs[i]));
- }
- printf("\n");
+ return;
+ }
+ printf(gettext("current privileges:"));
+ for (i = 0; i < sizeof (privs) / sizeof (char *); i++) {
+ if (plist & 1 << i)
+ printf(" %s", gettext(privs[i]));
+ }
+ printf("\n");
+ return;
}
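Review bot: The re-indented loop `for (i = 0; i < sizeof (privs) / sizeof (char *); i++)` compares the `int` i against a `size_t`, which compilers flag under -Wsign-compare; declaring `size_t i;` resolves it. The test `plist & 1 << i` relies on `<<` binding tighter than `&`, which is correct but easy to misread, so `if (plist & (1 << i))` states the intent. Since the whole body of kadmin_getprivs is rewritten here, this is the natural place to make both adjustments.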
diff --git a/usr/src/cmd/krb5/kadmin/cli/keytab.c b/usr/src/cmd/krb5/kadmin/cli/keytab.c
index cabbcae093..5d88815b7a 100644
--- a/usr/src/cmd/krb5/kadmin/cli/keytab.c
+++ b/usr/src/cmd/krb5/kadmin/cli/keytab.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -8,7 +8,7 @@
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
*
- * $Id: keytab.c,v 1.26 2000/02/19 01:57:07 tlyu Exp $
+ * $Id: keytab.c,v 1.28 2004/05/31 12:39:16 epeisach Exp $
* $Source: /cvs/krbdev/krb5/src/kadmin/cli/keytab.c,v $
*/
@@ -39,7 +39,7 @@
*/
#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/cli/keytab.c,v 1.26 2000/02/19 01:57:07 tlyu Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/cli/keytab.c,v 1.28 2004/05/31 12:39:16 epeisach Exp $";
#endif
#include <stdio.h>
@@ -48,33 +48,28 @@ static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/cli/keytab.c,v 1.26 2
#include <libintl.h>
#include <krb5.h>
-#include <k5-int.h>
#include <kadm5/admin.h>
+#include <krb5/adm_proto.h>
+#include "kadmin.h"
-static int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
- int keepold,
+static int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
+ krb5_boolean keepold,
int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
char *princ_str);
static int remove_principal(char *keytab_str, krb5_keytab keytab, char
*princ_str, char *kvno_str);
static char *etype_string(krb5_enctype enctype);
-extern char *krb5_defkeyname;
-extern char *whoami;
-extern krb5_context context;
-extern void *handle;
static int quiet;
-void
-add_usage()
+static void add_usage()
{
fprintf(stderr, "%s: %s\n", gettext("Usage"),
"ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] "
"[principal | -glob princ-exp] [...]\n");
}
-void
-rem_usage()
+static void rem_usage()
{
fprintf(stderr, "%s: %s\n",
gettext("Usage"),
@@ -82,25 +77,24 @@ rem_usage()
"[kvno|\"all\"|\"old\"]\n");
}
-int
-process_keytab(krb5_context context, char **keytab_str,
+static int process_keytab(krb5_context my_context, char **keytab_str,
krb5_keytab *keytab)
{
int code;
char buf[BUFSIZ];
if (*keytab_str == NULL) {
- if (code = krb5_kt_default(context, keytab)) {
+ if (code = krb5_kt_default(my_context, keytab)) {
com_err(whoami, code, gettext("while opening default keytab"));
- return (1);
+ return 1;
}
- if (code = krb5_kt_get_name(context, *keytab, buf, BUFSIZ)) {
+ if (code = krb5_kt_get_name(my_context, *keytab, buf, BUFSIZ)) {
com_err(whoami, code, gettext("while retrieving keytab name"));
- return (1);
+ return 1;
}
if (!(*keytab_str = strdup(buf))) {
com_err(whoami, ENOMEM, gettext("while creating keytab name"));
- return(1);
+ return 1;
}
} else {
if (strchr(*keytab_str, ':') != NULL) {
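Review bot: The conditions `if (code = krb5_kt_default(my_context, keytab))` and `if (code = krb5_kt_get_name(my_context, *keytab, buf, BUFSIZ))` keep an unparenthesized assignment in the condition, while the same commit rewrites the identical pattern in remove_principal and etype_string to the `if ((code = ...))` form. Applying that form here keeps the file consistent and silences the -Wparentheses warning. process_keytab continues in the next hunk.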
@@ -108,7 +102,7 @@ process_keytab(krb5_context context, char **keytab_str,
if (*keytab_str == NULL) {
com_err(whoami, ENOMEM,
gettext("while creating keytab name"));
- return (1);
+ return 1;
}
} else {
char *tmp = *keytab_str;
@@ -118,41 +112,39 @@ process_keytab(krb5_context context, char **keytab_str,
if (*keytab_str == NULL) {
com_err(whoami, ENOMEM,
gettext("while creating keytab name"));
- return (1);
+ return 1;
}
sprintf(*keytab_str, "WRFILE:%s", tmp);
}
- code = krb5_kt_resolve(context, *keytab_str, keytab);
+ code = krb5_kt_resolve(my_context, *keytab_str, keytab);
if (code != 0) {
com_err(whoami, code,
gettext("while resolving keytab %s"), *keytab_str);
free(keytab_str);
- return (1);
+ return 1;
}
}
- return (0);
+ return 0;
}
-void
-kadmin_keytab_add(int argc, char **argv)
+void kadmin_keytab_add(int argc, char **argv)
{
krb5_keytab keytab = 0;
- char *princ_str, *keytab_str = NULL, **princs;
+ char *keytab_str = NULL, **princs;
int code, num, i;
krb5_error_code retval;
- int keepold = 0, n_ks_tuple = 0;
+ int n_ks_tuple = 0;
+ krb5_boolean keepold = FALSE;
krb5_key_salt_tuple *ks_tuple = NULL;
- argc--;
- argv++;
+ argc--; argv++;
quiet = 0;
while (argc) {
if (strncmp(*argv, "-k", 2) == 0) {
- argc--;
- argv++;
+ argc--; argv++;
if (!argc || keytab_str) {
add_usage();
return;
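Review bot: In the error path after `krb5_kt_resolve` fails, `free(keytab_str);` frees the `char **` parameter itself, i.e. the address of the caller's variable, rather than the heap string this branch has just stored in `*keytab_str` via strdup or malloc; the commit changes the adjacent `return 1;` but leaves this line. It should read `free(*keytab_str); *keytab_str = NULL;` so that the string is released and any later cleanup by the caller sees a null pointer instead of a dangling one. The `sprintf(*keytab_str, "WRFILE:%s", tmp);` just above depends on an allocation size computed outside this hunk; `snprintf` with that size would make the bound explicit. process_keytab begins in the previous hunk, and kadmin_keytab_add continues past this one.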
@@ -177,8 +169,7 @@ kadmin_keytab_add(int argc, char **argv)
}
} else
break;
- argc--;
- argv++;
+ argc--; argv++;
}
if (argc == 0) {
@@ -195,8 +186,9 @@ kadmin_keytab_add(int argc, char **argv)
add_usage();
break;
}
- if (code = kadm5_get_principals(handle, *argv,
- &princs, &num)) {
+
+ code = kadm5_get_principals(handle, *argv, &princs, &num);
+ if (code) {
com_err(whoami, code,
gettext("while expanding expression "
"\"%s\"."),
@@ -224,20 +216,17 @@ kadmin_keytab_add(int argc, char **argv)
free(keytab_str);
}
-void
-kadmin_keytab_remove(int argc, char **argv)
+void kadmin_keytab_remove(int argc, char **argv)
{
krb5_keytab keytab = 0;
- char *princ_str, *keytab_str = NULL;
+ char *keytab_str = NULL;
int code;
- argc--;
- argv++;
+ argc--; argv++;
quiet = 0;
while (argc) {
if (strncmp(*argv, "-k", 2) == 0) {
- argc--;
- argv++;
+ argc--; argv++;
if (!argc || keytab_str) {
rem_usage();
return;
@@ -247,8 +236,7 @@ kadmin_keytab_remove(int argc, char **argv)
quiet++;
} else
break;
- argc--;
- argv++;
+ argc--; argv++;
}
if (argc != 1 && argc != 2) {
@@ -267,8 +255,9 @@ kadmin_keytab_remove(int argc, char **argv)
free(keytab_str);
}
-int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
- int keepold, int n_ks_tuple,
+static
+int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
+ krb5_boolean keepold, int n_ks_tuple,
krb5_key_salt_tuple *ks_tuple,
char *princ_str)
{
@@ -276,7 +265,7 @@ int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
krb5_principal princ;
krb5_keytab_entry new_entry;
krb5_keyblock *keys;
- int code, code2, mask, nkeys, i;
+ int code, nkeys, i;
int nktypes = 0;
krb5_key_salt_tuple *permitted_etypes = NULL;
@@ -336,9 +325,9 @@ int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
nktypes = n_ks_tuple;
}
- code = kadm5_randkey_principal_3(handle, princ,
- keepold, nktypes, permitted_etypes,
- &keys, &nkeys);
+ code = kadm5_randkey_principal_3(lhandle, princ,
+ keepold, nktypes, permitted_etypes,
+ &keys, &nkeys);
#ifndef _KADMIN_LOCAL_
/* this block is not needed in the kadmin.local client */
@@ -351,20 +340,19 @@ int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
code = kadm5_randkey_principal_old(handle, princ, &keys, &nkeys);
}
#endif /* !KADMIN_LOCAL */
- if (code != 0) {
- if (code == KADM5_UNK_PRINC) {
+ if (code != 0) {
+ if (code == KADM5_UNK_PRINC) {
fprintf(stderr,
gettext("%s: Principal %s does not exist.\n"),
whoami, princ_str);
- } else {
+ } else
com_err(whoami, code,
gettext("while changing %s's key"),
princ_str);
- }
- goto cleanup;
- }
+ goto cleanup;
+ }
- code = kadm5_get_principal(handle, princ, &princ_rec,
+ code = kadm5_get_principal(lhandle, princ, &princ_rec,
KADM5_PRINCIPAL_NORMAL_MASK);
if (code != 0) {
com_err(whoami, code, gettext("while retrieving principal"));
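Review bot: `code = kadm5_randkey_principal_old(handle, princ, &keys, &nkeys);` in the `#ifndef _KADMIN_LOCAL_` fallback still uses the global `handle`, while every other kadm5 call in add_principal is switched to the renamed `lhandle` parameter in this commit; if callers only ever pass the global, behaviour is unchanged, but the mix defeats the purpose of the rename, and `lhandle` should be used here as well. The rewritten `} else` later in the hunk drops the braces around a three-line `com_err(...)` call, which is legal but fragile against a later added statement; keeping the braces is the safer form. add_principal starts and ends outside this hunk.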
@@ -381,7 +369,7 @@ int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
if (code != 0) {
com_err(whoami, code,
gettext("while adding key to keytab"));
- (void) kadm5_free_principal_ent(handle, &princ_rec);
+ (void) kadm5_free_principal_ent(lhandle, &princ_rec);
goto cleanup;
}
@@ -392,7 +380,7 @@ int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
etype_string(keys[i].enctype), keytab_str);
}
- code = kadm5_free_principal_ent(handle, &princ_rec);
+ code = kadm5_free_principal_ent(lhandle, &princ_rec);
if (code != 0) {
com_err(whoami, code, gettext("while freeing principal entry"));
goto cleanup;
@@ -410,28 +398,27 @@ cleanup:
if (permitted_etypes != NULL && ks_tuple == NULL)
free(permitted_etypes);
- return (code);
+ return code;
}
-int
-remove_principal(char *keytab_str, krb5_keytab keytab, char
+int remove_principal(char *keytab_str, krb5_keytab keytab, char
*princ_str, char *kvno_str)
{
krb5_principal princ;
krb5_keytab_entry entry;
krb5_kt_cursor cursor;
- enum {
- UNDEF, SPEC, HIGH, ALL, OLD
- } mode;
- int code, kvno, did_something;
+ enum { UNDEF, SPEC, HIGH, ALL, OLD } mode;
+ int code, did_something;
+ krb5_kvno kvno;
code = krb5_parse_name(context, princ_str, &princ);
if (code != 0) {
com_err(whoami, code,
gettext("while parsing principal name %s"),
princ_str);
- return (code);
+ return code;
}
+
mode = UNDEF;
if (kvno_str == NULL) {
mode = HIGH;
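Review bot: The definition `int remove_principal(char *keytab_str, krb5_keytab keytab, char *princ_str, char *kvno_str)` omits `static`, while the forward declaration at the top of the file is `static int remove_principal(...)` and this commit adds `static` to the matching definition of add_principal. The earlier static declaration already gives the function internal linkage, but the two definitions should be written the same way, `static int remove_principal(...)`. Changing `kvno` to `krb5_kvno` is consistent with the `entry.vno` it is compared against. remove_principal continues in the following hunks.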
@@ -471,8 +458,9 @@ remove_principal(char *keytab_str, krb5_keytab keytab, char
gettext("while retrieving highest "
"kvno from keytab"));
}
- return (code);
+ return code;
}
+
/* set kvno to spec'ed value for SPEC, highest kvno otherwise */
kvno = entry.vno;
krb5_kt_free_entry(context, &entry);
@@ -480,11 +468,11 @@ remove_principal(char *keytab_str, krb5_keytab keytab, char
code = krb5_kt_start_seq_get(context, keytab, &cursor);
if (code != 0) {
com_err(whoami, code, gettext("while starting keytab scan"));
- return (code);
+ return code;
}
+
did_something = 0;
- while ((code = krb5_kt_next_entry(context,
- keytab, &entry, &cursor)) == 0) {
+ while ((code = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
if (krb5_principal_compare(context, princ, entry.principal) &&
((mode == ALL) ||
(mode == SPEC && entry.vno == kvno) ||
@@ -492,30 +480,31 @@ remove_principal(char *keytab_str, krb5_keytab keytab, char
(mode == HIGH && entry.vno == kvno))) {
/*
- * Ack! What a kludge... the scanning functions
- * lock the keytab so entries cannot be removed
- * while they are operating.
+ * Ack! What a kludge... the scanning functions lock
+ * the keytab so entries cannot be removed while they
+ * are operating.
*/
code = krb5_kt_end_seq_get(context, keytab, &cursor);
if (code != 0) {
com_err(whoami, code,
gettext("while temporarily "
"ending keytab scan"));
- return (code);
+ return code;
}
code = krb5_kt_remove_entry(context, keytab, &entry);
if (code != 0) {
com_err(whoami, code,
gettext("while deleting entry "
"from keytab"));
- return (code);
+ return code;
}
code = krb5_kt_start_seq_get(context, keytab, &cursor);
if (code != 0) {
com_err(whoami, code,
gettext("while restarting keytab scan"));
- return (code);
+ return code;
}
+
did_something++;
if (!quiet)
printf(gettext("Entry for principal "
@@ -527,25 +516,27 @@ remove_principal(char *keytab_str, krb5_keytab keytab, char
}
if (code && code != KRB5_KT_END) {
com_err(whoami, code, gettext("while scanning keytab"));
- return (code);
+ return code;
}
- if (code = krb5_kt_end_seq_get(context, keytab, &cursor)) {
+ if ((code = krb5_kt_end_seq_get(context, keytab, &cursor))) {
com_err(whoami, code, gettext("while ending keytab scan"));
- return (code);
+ return code;
}
+
/*
- * If !did_someting then mode must be OLD or we would have already
- * returned with an error. But check it anyway just to prevent
- * unexpected error messages...
+ * If !did_someting then mode must be OLD or we would have
+ * already returned with an error. But check it anyway just to
+ * prevent unexpected error messages...
*/
if (!did_something && mode == OLD) {
fprintf(stderr,
gettext("%s: There is only one entry for principal "
"%s in keytab %s\n"),
whoami, princ_str, keytab_str);
- return (1);
+ return 1;
}
- return (0);
+
+ return 0;
}
/*
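Review bot: The re-wrapped comment still carries the typo `did_someting`; since these lines are being rewritten anyway, make the first line `* If !did_something then mode must be OLD or we would have`. The OLD-mode failure also returns the literal `1` while every other failure returns a krb5_error_code; if callers only test the result for zero/non-zero, a short comment saying so would stop a reader from treating the value as an error code.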
@@ -553,15 +544,14 @@ remove_principal(char *keytab_str, krb5_keytab keytab, char
* encryption type. XXX copied from klist.c; this should be a
* library function, or perhaps just #defines
*/
-static char *
-etype_string(enctype)
+static char *etype_string(enctype)
krb5_enctype enctype;
{
static char buf[100];
krb5_error_code ret;
- if (ret = krb5_enctype_to_string(enctype, buf, sizeof(buf)))
+ if ((ret = krb5_enctype_to_string(enctype, buf, sizeof(buf))))
sprintf(buf, "etype %d", enctype);
- return (buf);
+ return buf;
}
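Review bot: The fallback formats into the fixed-size static `buf` with `sprintf`; `"etype %d"` cannot exceed 100 bytes, but the bounded form `snprintf(buf, sizeof(buf), "etype %d", enctype);` keeps that intent explicit and mirrors the size already handed to krb5_enctype_to_string. The function returns a pointer to static storage, so a header comment such as `/* Returns a pointer to a static buffer; not reentrant, do not hold across calls. */` would help callers.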
diff --git a/usr/src/cmd/krb5/kadmin/cli/ss_wrapper.c b/usr/src/cmd/krb5/kadmin/cli/ss_wrapper.c
index f0c5fe64f4..d2bd318e82 100644
--- a/usr/src/cmd/krb5/kadmin/cli/ss_wrapper.c
+++ b/usr/src/cmd/krb5/kadmin/cli/ss_wrapper.c
@@ -26,7 +26,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -40,7 +40,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* ss wrapper for kadmin
*/
@@ -51,22 +51,21 @@
#include <string.h>
#include <libintl.h>
#include <locale.h>
+#include "kadmin.h"
extern ss_request_table kadmin_cmds;
extern int exit_status;
-extern char *kadmin_startup();
extern char *whoami;
-int
-main(argc, argv)
-int argc;
-char *argv[];
+int main(argc, argv)
+ int argc;
+ char *argv[];
{
- char *request;
- krb5_error_code retval;
- int sci_idx, code = 0;
+ char *request;
+ krb5_error_code retval;
+ int sci_idx, code = 0;
- whoami = ((whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0]);
+ whoami = ((whoami = strrchr(argv[0], '/')) ? whoami+1 : argv[0]);
(void) setlocale(LC_ALL, "");
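Review bot: `whoami = ((whoami = strrchr(argv[0], '/')) ? whoami+1 : argv[0]);` dereferences `argv[0]` unconditionally; a process started with an empty argument vector has `argv[0] == NULL`, and `strrchr(NULL, ...)` is undefined behavior. A guard before that line, `if (argc < 1 || argv[0] == NULL) exit(1);` (or falling back to a literal program name), closes the gap. main continues past the end of the hunk.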
@@ -76,24 +75,24 @@ char *argv[];
(void) textdomain(TEXT_DOMAIN);
- request = kadmin_startup(argc, argv);
- sci_idx = ss_create_invocation(whoami, "5.0", (char *) NULL,
- &kadmin_cmds, &retval);
- if (retval) {
- ss_perror(sci_idx, retval, gettext("creating invocation"));
- exit(1);
- }
+ request = kadmin_startup(argc, argv);
+ sci_idx = ss_create_invocation(whoami, "5.0", (char *) NULL,
+ &kadmin_cmds, &retval);
+ if (retval) {
+ ss_perror(sci_idx, retval, gettext("creating invocation"));
+ exit(1);
+ }
(void) setlocale(LC_ALL, "");
(void) textdomain(TEXT_DOMAIN);
- if (request) {
- code = ss_execute_line(sci_idx, request);
- if (code != 0) {
- ss_perror(sci_idx, code, request);
- exit_status++;
- }
- } else
- ss_listen(sci_idx, &retval);
- return (quit() ? 1 : exit_status);
+ if (request) {
+ code = ss_execute_line(sci_idx, request);
+ if (code != 0) {
+ ss_perror(sci_idx, code, request);
+ exit_status++;
+ }
+ } else
+ retval = ss_listen(sci_idx);
+ return quit() ? 1 : exit_status;
}
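Review bot: `retval = ss_listen(sci_idx);` stores the listener's result but nothing reads it afterwards — the next statement is `return quit() ? 1 : exit_status;` — so a failure from ss_listen is silently dropped, just as the old out-parameter form dropped it. Either report it the way the `ss_execute_line` branch does, e.g. `if (retval) { ss_perror(sci_idx, retval, gettext("listening for commands")); exit_status++; }`, or remove the assignment so the dead store does not suggest handling that is not there. The `setlocale`/`textdomain` pair also runs twice in this function (before and after kadmin_startup); if the repetition is deliberate a one-line comment would spare the next reader the question.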
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/Makefile b/usr/src/cmd/krb5/kadmin/dbutil/Makefile
index 872fb5b1fc..419d88df4d 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/Makefile
+++ b/usr/src/cmd/krb5/kadmin/dbutil/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -9,7 +9,7 @@ PROG= kdb5_util
OBJS = kdb5_util.o \
kdb5_create.o kadm5_create.o string_table.o kdb5_stash.o \
- kdb5_destroy.o ovload.o dump.o
+ kdb5_destroy.o ovload.o strtok.o dump.o
SRCS = $(OBJS:.o=.c)
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/dump.c b/usr/src/cmd/krb5/kadmin/dbutil/dump.c
index 034c98f087..28c472d56f 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/dump.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/dump.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -73,7 +73,7 @@
#define krb5_dbm_db_set_lockmode krb5_db_set_lockmode
#define krb5_dbm_db_close_database krb5_db_close_database
#define krb5_dbm_db_open_database krb5_db_open_database
-#define krb5_dbm_db_iterate krb5_db_iterate
+#define krb5_dbm_db_iterate krb5_db_iterate_ext
#include <stdio.h>
#include <com_err.h>
@@ -82,8 +82,7 @@
#include <libintl.h>
#include "kdb5_util.h"
-
-#if HAVE_REGEX_H
+#if defined(HAVE_REGEX_H) && defined(HAVE_REGCOMP)
#include <regex.h>
#endif /* HAVE_REGEX_H */
@@ -92,11 +91,12 @@
*/
extern krb5_keyblock master_key;
extern krb5_principal master_princ;
-extern int valid_master_key;
-extern void usage();
static int mkey_convert;
static krb5_keyblock new_master_key;
+static int backwards;
+static int recursive;
+
/*
* Use compile(3) if no regcomp present.
*/
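Review bot: `extern void usage();` is dropped here while `usage()` is still called from dump_db (the new `ofile[0] == '-'` check later in this file). If the declaration has not moved into kdb5_util.h — which this change also touches, so it may well have — the call becomes an implicit declaration; please confirm the header provides a prototype, preferably `void usage(void);`.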
@@ -120,45 +120,41 @@ struct dump_args {
int verbose;
};
-static krb5_error_code dump_k5beta_iterator
-(krb5_pointer,
- krb5_db_entry *);
-static krb5_error_code dump_k5beta6_iterator
-(krb5_pointer,
- krb5_db_entry *);
-static krb5_error_code dump_iprop_iterator
-(krb5_pointer,
- krb5_db_entry *);
-static krb5_error_code dump_k5beta7_princ
-(krb5_pointer,
- krb5_db_entry *);
-static krb5_error_code dump_iprop_princ
-(krb5_pointer,
- krb5_db_entry *);
-static krb5_error_code dump_ov_princ
-(krb5_pointer,
- krb5_db_entry *);
+static krb5_error_code dump_k5beta_iterator (krb5_pointer,
+ krb5_db_entry *);
+static krb5_error_code dump_k5beta6_iterator (krb5_pointer,
+ krb5_db_entry *);
+static krb5_error_code dump_k5beta6_iterator_ext (krb5_pointer,
+ krb5_db_entry *,
+ int);
+static krb5_error_code dump_iprop_iterator (krb5_pointer,
+ krb5_db_entry *);
+static krb5_error_code dump_k5beta7_princ (krb5_pointer,
+ krb5_db_entry *);
+static krb5_error_code dump_k5beta7_princ_ext (krb5_pointer,
+ krb5_db_entry *,
+ int);
+static krb5_error_code dump_k5beta7_princ_withpolicy
+ (krb5_pointer, krb5_db_entry *);
+static krb5_error_code dump_iprop_princ (krb5_pointer,
+ krb5_db_entry *);
+static krb5_error_code dump_ov_princ (krb5_pointer,
+ krb5_db_entry *);
static void dump_k5beta7_policy (void *, osa_policy_ent_t);
-typedef
-krb5_error_code(*dump_func) (krb5_pointer,
- krb5_db_entry *);
+typedef krb5_error_code (*dump_func)(krb5_pointer,
+ krb5_db_entry *);
-static int process_k5beta_record
-(char *, krb5_context,
- FILE *, int, int *, void *);
-static int process_k5beta6_record
-(char *, krb5_context,
- FILE *, int, int *, void *);
-static int process_k5beta7_record
-(char *, krb5_context,
- FILE *, int, int *, void *);
-static int process_ov_record
-(char *, krb5_context,
- FILE *, int, int *, void *);
-typedef
-krb5_error_code(*load_func) (char *, krb5_context,
- FILE *, int, int *, void *);
+static int process_k5beta_record (char *, krb5_context,
+ FILE *, int, int *, void *);
+static int process_k5beta6_record (char *, krb5_context,
+ FILE *, int, int *, void *);
+static int process_k5beta7_record (char *, krb5_context,
+ FILE *, int, int *, void *);
+static int process_ov_record (char *, krb5_context,
+ FILE *, int, int *, void *);
+typedef krb5_error_code (*load_func)(char *, krb5_context,
+ FILE *, int, int *, void *);
typedef struct _dump_version {
char *name;
@@ -216,6 +212,16 @@ dump_version ov_version = {
process_ov_record,
};
+dump_version r1_3_version = {
+ "Kerberos version 5 release 1.3",
+ "kdb5_util load_dump version 5\n",
+ 0,
+ 0,
+ dump_k5beta7_princ_withpolicy,
+ dump_k5beta7_policy,
+ process_k5beta7_record,
+};
+
/* External data */
extern char *current_dbname;
extern krb5_boolean dbactive;
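Review bot: `r1_3_version` becomes the default dump format (dump_db selects it when no format option is given) but nothing says how it differs from `beta7_version`; judging by the dump function it names, the only difference is that `dump_k5beta7_princ_withpolicy` passes `kadm = 1` so KRB5_TL_KADM_DATA tl-data is written instead of skipped, while loading still goes through `process_k5beta7_record`. A comment above the initializer, e.g. `/* beta7 format plus KRB5_TL_KADM_DATA tl-data; announced by the "version 5" header. */`, would make that visible at the definition.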
@@ -225,9 +231,7 @@ extern kadm5_config_params global_params;
/* Strings */
-static const char k5beta_dump_header[] = "kdb5_edit load_dump version 2.0\n";
-static const char k5beta6_dump_header[] = "kdb5_edit load_dump version 3.0\n";
-static const char k5beta7_dump_header[] = "kdb5_edit load_dump version 4\n";
+#define k5beta_dump_header "kdb5_edit load_dump version 2.0\n"
static const char null_mprinc_name[] = "kdb5_dump@MISSING";
@@ -369,6 +373,7 @@ static const char dfile_err_fmt[] =
static const char oldoption[] = "-old";
static const char b6option[] = "-b6";
+static const char b7option[] = "-b7";
static const char ipropoption[] = "-i";
static const char verboseoption[] = "-verbose";
static const char updateoption[] = "-update";
@@ -379,14 +384,14 @@ static const char dump_tmptrail[] = "~";
/*
* Re-encrypt the key_data with the new master key...
*/
-krb5_error_code master_key_convert(context, db_entry)
+static krb5_error_code master_key_convert(context, db_entry)
krb5_context context;
krb5_db_entry * db_entry;
{
krb5_error_code retval;
krb5_keyblock v5plainkey, *key_ptr;
krb5_keysalt keysalt;
- int i;
+ int i, j;
krb5_key_data new_key_data, *key_data;
krb5_boolean is_mkey;
@@ -416,7 +421,11 @@ krb5_error_code master_key_convert(context, db_entry)
if (retval)
return retval;
krb5_free_keyblock_contents(context, &v5plainkey);
- free(key_data->key_data_contents);
+ for (j = 0; j < key_data->key_data_ver; j++) {
+ if (key_data->key_data_length[j]) {
+ free(key_data->key_data_contents[j]);
+ }
+ }
*key_data = new_key_data;
}
return 0;
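Review bot: The per-slot loop releases the old `key_data_contents[j]` with plain `free()`, whereas the decrypted copy a few lines above is cleared through krb5_free_keyblock_contents. Those buffers hold the principal's keys encrypted under the master key being retired; if the project treats them as sensitive, clear them before freeing (a `memset(key_data->key_data_contents[j], 0, key_data->key_data_length[j]);` ahead of the `free`, noting that a plain memset before free may need a volatile or explicit-zeroing variant to survive optimization). The `key_data_length[j]` guard also means a non-NULL pointer with zero length is never freed; since `free(NULL)` is a no-op, dropping the guard is both simpler and safer. master_key_convert begins outside the hunk.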
@@ -425,8 +434,7 @@ krb5_error_code master_key_convert(context, db_entry)
/*
* Update the "ok" file.
*/
-void
-update_ok_file(file_name)
+void update_ok_file (file_name)
char *file_name;
{
/* handle slave locking/failure stuff */
@@ -460,8 +468,10 @@ update_ok_file(file_name)
free(file_ok);
return;
}
+
free(file_ok);
close(fd);
+ return;
}
/*
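Review bot: The added `return;` at the end of a void function is redundant and reads as if a statement were missing; drop it. The result of `close(fd)` is also ignored — harmless if the "ok" file was opened read-only, but if it was opened for writing a failed close hides a write error; update_ok_file starts outside the hunk so I cannot tell which applies.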
@@ -479,20 +489,16 @@ name_matches(name, arglist)
int match_error;
char match_errmsg[BUFSIZ];
size_t errmsg_size;
-
#elif HAVE_REGEXP_H
char regexp_buffer[RE_BUF_SIZE];
-
#elif HAVE_RE_COMP
extern char *re_comp();
char *re_result;
-
#endif /* HAVE_RE_COMP */
int i, match;
/*
- * Plow, brute force, through the list of names/regular
- * expressions.
+ * Plow, brute force, through the list of names/regular expressions.
*/
match = (arglist->nnames) ? 0 : 1;
for (i=0; i<arglist->nnames; i++) {
@@ -500,9 +506,8 @@ name_matches(name, arglist)
/*
* Compile the regular expression.
*/
- if (match_error = regcomp(&match_exp,
- arglist->names[i],
- REG_EXTENDED)) {
+ match_error = regcomp(&match_exp, arglist->names[i], REG_EXTENDED);
+ if (match_error) {
errmsg_size = regerror(match_error,
&match_exp,
match_errmsg,
@@ -514,8 +519,8 @@ name_matches(name, arglist)
/*
* See if we have a match.
*/
- if (match_error = regexec(&match_exp,
- name, 1, &match_match, 0)) {
+ match_error = regexec(&match_exp, name, 1, &match_match, 0);
+ if (match_error) {
if (match_error != REG_NOMATCH) {
errmsg_size = regerror(match_error,
&match_exp,
@@ -525,7 +530,8 @@ name_matches(name, arglist)
arglist->programname, match_errmsg);
break;
}
- } else {
+ }
+ else {
/*
* We have a match. See if it matches the whole
* name.
@@ -553,18 +559,16 @@ name_matches(name, arglist)
* Compile the regular expression.
*/
if (re_result = re_comp(arglist->names[i])) {
- fprintf(stderr, gettext(regex_err),
- arglist->programname, re_result);
+ fprintf(stderr, gettext(regex_err), arglist->programname, re_result);
break;
}
if (re_exec(name))
match = 1;
#else /* HAVE_RE_COMP */
/*
- * If no regular expression support, then just compare the
- * strings.
+ * If no regular expression support, then just compare the strings.
*/
- if (strcmp(arglist->names[i], name) == 0)
+ if (!strcmp(arglist->names[i], name))
match = 1;
#endif /* HAVE_REGCOMP */
if (match)
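Review bot: `if (re_result = re_comp(arglist->names[i])) {` keeps an assignment-in-condition while the same change wraps the identical pattern in double parentheses elsewhere (e.g. `if ((code = krb5_kt_end_seq_get(context, keytab, &cursor)))` earlier in this diff); for consistency and to keep -Wparentheses quiet make it `if ((re_result = re_comp(arglist->names[i]))) {`. Separately, switching `strcmp(...) == 0` to `!strcmp(...)` trades an explicit comparison for a negated function result; the former says what is being tested.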
@@ -601,6 +605,7 @@ find_enctype(dbentp, enctype, salttype, kentp)
return(ENOENT);
}
+#if 0
/*
* dump_k5beta_header() - Make a dump header that is recognizable by Kerberos
* Version 5 Beta 5 and previous releases.
@@ -613,6 +618,7 @@ dump_k5beta_header(arglist)
fprintf(arglist->ofile, k5beta_dump_header);
return(0);
}
+#endif
/*
* dump_k5beta_iterator() - Dump an entry in a format that is usable
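Review bot: Wrapping `dump_k5beta_header` in `#if 0` keeps dead code in the file; prefer deleting it (version control preserves it) or, if it is being retained on purpose, add a one-line comment above the `#if 0` saying why. If it is deleted, check whether `k5beta_dump_header`, turned into a macro earlier in this change, still has any user.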
@@ -693,12 +699,11 @@ dump_k5beta_iterator(ptr, entry)
mod_name = strdup(null_mprinc_name);
/*
- * Find the last password change record and set it
- * straight.
+ * Find the last password change record and set it straight.
*/
if ((retval =
krb5_dbe_lookup_last_pwd_change(arg->kcontext, entry,
- &last_pwd_change))) {
+ &last_pwd_change))) {
fprintf(stderr, gettext(nokeys_err),
arg->programname, name);
krb5_xfree(mod_name);
@@ -723,25 +728,22 @@ dump_k5beta_iterator(ptr, entry)
krb5_xfree(name);
return(retval);
}
- /*
- * If we only have one type, then ship it out as the
- * primary.
- */
+
+ /* If we only have one type, then ship it out as the primary. */
if (!pkey && akey) {
pkey = akey;
akey = &nullkey;
- } else {
+ }
+ else {
if (!akey)
akey = &nullkey;
}
/*
- * First put out strings representing the length of the
- * variable length data in this record, then the name and
- * the primary key type.
+ * First put out strings representing the length of the variable
+ * length data in this record, then the name and the primary key type.
*/
- fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%d\t%s\t%d\t",
- strlen(name),
+ fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%d\t%s\t%d\t", strlen(name),
strlen(mod_name),
(krb5_int32) pkey->key_data_length[0],
(krb5_int32) akey->key_data_length[0],
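Review bot: The rewritten fprintf at the end of the hunk passes `strlen(name)` and `strlen(mod_name)` to `%d`; a `size_t` argument for `%d` is a type mismatch (undefined behavior, and a wrong field on LP64 where the two differ in width). Since the dump format is fixed and read back with integer conversions, cast explicitly: `(int) strlen(name), (int) strlen(mod_name),`. dump_k5beta_iterator continues beyond the hunk.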
@@ -750,40 +752,34 @@ dump_k5beta_iterator(ptr, entry)
name,
(krb5_int32) pkey->key_data_type[0]);
for (i=0; i<pkey->key_data_length[0]; i++) {
- fprintf(arg->ofile, "%02x",
- pkey->key_data_contents[0][i]);
+ fprintf(arg->ofile, "%02x", pkey->key_data_contents[0][i]);
}
/*
- * Second, print out strings representing the standard
- * integer data in this record.
+ * Second, print out strings representing the standard integer
+ * data in this record.
*/
fprintf(arg->ofile,
- "\t%u\t%u\t%u\t%u\t%u\t%u\t%u"
- "\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t",
+ "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t",
(krb5_int32) pkey->key_data_kvno,
entry->max_life, entry->max_renewable_life,
- 1 /* Fake mkvno */, entry->expiration,
- entry->pw_expiration, last_pwd_change,
- entry->last_success, entry->last_failed,
+ 1 /* Fake mkvno */, entry->expiration, entry->pw_expiration,
+ last_pwd_change, entry->last_success, entry->last_failed,
entry->fail_auth_count, mod_name, mod_date,
entry->attributes, pkey->key_data_type[1]);
/* Pound out the salt data, if present. */
for (i=0; i<pkey->key_data_length[1]; i++) {
- fprintf(arg->ofile, "%02x",
- pkey->key_data_contents[1][i]);
+ fprintf(arg->ofile, "%02x", pkey->key_data_contents[1][i]);
}
/* Pound out the alternate key type and contents */
fprintf(arg->ofile, "\t%u\t", akey->key_data_type[0]);
for (i=0; i<akey->key_data_length[0]; i++) {
- fprintf(arg->ofile, "%02x",
- akey->key_data_contents[0][i]);
+ fprintf(arg->ofile, "%02x", akey->key_data_contents[0][i]);
}
/* Pound out the alternate salt type and contents */
fprintf(arg->ofile, "\t%u\t", akey->key_data_type[1]);
for (i=0; i<akey->key_data_length[1]; i++) {
- fprintf(arg->ofile, "%02x",
- akey->key_data_contents[1][i]);
+ fprintf(arg->ofile, "%02x", akey->key_data_contents[1][i]);
}
/* Pound out the expansion data. (is null) */
for (i=0; i < 8; i++) {
@@ -807,6 +803,15 @@ dump_k5beta6_iterator(ptr, entry)
krb5_pointer ptr;
krb5_db_entry *entry;
{
+ return dump_k5beta6_iterator_ext(ptr, entry, 0);
+}
+
+static krb5_error_code
+dump_k5beta6_iterator_ext(ptr, entry, kadm)
+ krb5_pointer ptr;
+ krb5_db_entry *entry;
+ int kadm;
+{
krb5_error_code retval;
struct dump_args *arg;
char *name;
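Review bot: The new `kadm` parameter of `dump_k5beta6_iterator_ext` is undocumented; from its use further down, nonzero means KRB5_TL_KADM_DATA tl-data is counted and written rather than skipped. Add a header comment above the definition such as `/* kadm: nonzero to include KRB5_TL_KADM_DATA tl-data (r1.3 format); 0 reproduces the beta6/beta7 output. */`, and the same one-liner at `dump_k5beta7_princ_ext`, which forwards the flag. The function body continues outside the hunk.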
@@ -846,39 +851,45 @@ dump_k5beta6_iterator(ptr, entry)
*/
if (!arg->nnames || name_matches(name, arg)) {
/*
- * We'd like to just blast out the contents as they would
- * appear in the database so that we can just suck it back
- * in, but it doesn't lend itself to easy editing.
+ * We'd like to just blast out the contents as they would appear in
+ * the database so that we can just suck it back in, but it doesn't
+ * lend itself to easy editing.
*/
/*
- * The dump format is as follows: len strlen(name)
- * n_tl_data n_key_data e_length name attributes max_life
- * max_renewable_life expiration pw_expiration last_success
- * last_failed fail_auth_count n_tl_data*[type length
- * <contents>] n_key_data*[ver kvno ver*(type length
- * <contents>)] <e_data> Fields which are not encapsulated
- * by angle-brackets are to appear verbatim. Bracketed
- * fields absence is indicated by a -1 in its place
+ * The dump format is as follows:
+ * len strlen(name) n_tl_data n_key_data e_length
+ * name
+ * attributes max_life max_renewable_life expiration
+ * pw_expiration last_success last_failed fail_auth_count
+ * n_tl_data*[type length <contents>]
+ * n_key_data*[ver kvno ver*(type length <contents>)]
+ * <e_data>
+ * Fields which are not encapsulated by angle-brackets are to appear
+ * verbatim. A bracketed field's absence is indicated by a -1 in its
+ * place
*/
- /*
+ /*
* Make sure that the tagged list is reasonably correct.
*/
counter = skip = 0;
for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) {
- /*
- * don't dump tl data types we know aren't
- * understood by earlier revisions [krb5-admin/89]
- */
- switch (tlp->tl_data_type) {
- case KRB5_TL_KADM_DATA:
- skip++;
- break;
- default:
- counter++;
- break;
- }
+ /*
+ * don't dump tl data types we know aren't understood by
+ * earlier revisions [krb5-admin/89]
+ */
+ switch (tlp->tl_data_type) {
+ case KRB5_TL_KADM_DATA:
+ if (kadm)
+ counter++;
+ else
+ skip++;
+ break;
+ default:
+ counter++;
+ break;
+ }
}
if (counter + skip == entry->n_tl_data) {
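Review bot: The re-wrapped comment `don't dump tl data types we know aren't understood by earlier revisions [krb5-admin/89]` no longer matches the switch beneath it, which now counts KRB5_TL_KADM_DATA as dumpable whenever `kadm` is set; extend it, e.g. `* earlier revisions [krb5-admin/89], unless the caller asked for them (kadm != 0).` The `/* see above, [krb5-admin/89] */` remark in the write loop of the next hunk points back here, so keeping this comment accurate covers both.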
@@ -900,30 +911,23 @@ dump_k5beta6_iterator(ptr, entry)
entry->last_failed,
entry->fail_auth_count);
/* Pound out tagged data. */
- for (tlp = entry->tl_data; tlp;
- tlp = tlp->tl_data_next) {
- if (tlp->tl_data_type == KRB5_TL_KADM_DATA)
- /* see above, [krb5-admin/89] */
- continue;
+ for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) {
+ if (tlp->tl_data_type == KRB5_TL_KADM_DATA && !kadm)
+ continue; /* see above, [krb5-admin/89] */
fprintf(arg->ofile, "%d\t%d\t",
(int) tlp->tl_data_type,
(int) tlp->tl_data_length);
if (tlp->tl_data_length)
- for (i = 0;
- i < tlp->tl_data_length;
- i++)
- fprintf(arg->ofile, "%02x",
- tlp->
- tl_data_contents[i]);
+ for (i=0; i<tlp->tl_data_length; i++)
+ fprintf(arg->ofile, "%02x", tlp->tl_data_contents[i]);
else
fprintf(arg->ofile, "%d", -1);
fprintf(arg->ofile, "\t");
}
/* Pound out key data */
- for (counter = 0;
- counter < entry->n_key_data; counter++) {
+ for (counter=0; counter<entry->n_key_data; counter++) {
kdata = &entry->key_data[counter];
fprintf(arg->ofile, "%d\t%d\t",
(int) kdata->key_data_ver,
@@ -933,15 +937,9 @@ dump_k5beta6_iterator(ptr, entry)
kdata->key_data_type[i],
kdata->key_data_length[i]);
if (kdata->key_data_length[i])
- for (j = 0;
- j < kdata->
- key_data_length[i];
- j++)
- fprintf(arg->ofile,
- "%02x",
- kdata->
- key_data_contents
- [i][j]);
+ for (j=0; j<kdata->key_data_length[i]; j++)
+ fprintf(arg->ofile, "%02x",
+ kdata->key_data_contents[i][j]);
else
fprintf(arg->ofile, "%d", -1);
fprintf(arg->ofile, "\t");
@@ -951,8 +949,7 @@ dump_k5beta6_iterator(ptr, entry)
/* Pound out extra data */
if (entry->e_length)
for (i=0; i<entry->e_length; i++)
- fprintf(arg->ofile, "%02x",
- entry->e_data[i]);
+ fprintf(arg->ofile, "%02x", entry->e_data[i]);
else
fprintf(arg->ofile, "%d", -1);
@@ -961,9 +958,10 @@ dump_k5beta6_iterator(ptr, entry)
if (arg->verbose)
fprintf(stderr, "%s\n", name);
- } else {
+ }
+ else {
fprintf(stderr, gettext(sdump_tl_inc_err),
- arg->programname, name, counter + skip,
+ arg->programname, name, counter+skip,
(int) entry->n_tl_data);
retval = EINVAL;
}
@@ -971,6 +969,7 @@ dump_k5beta6_iterator(ptr, entry)
krb5_xfree(name);
return(retval);
}
+
/*
* dump_iprop_iterator() - Output a dump record in iprop format.
*/
@@ -1136,6 +1135,15 @@ dump_k5beta7_princ(ptr, entry)
krb5_pointer ptr;
krb5_db_entry *entry;
{
+ return dump_k5beta7_princ_ext(ptr, entry, 0);
+}
+
+static krb5_error_code
+dump_k5beta7_princ_ext(ptr, entry, kadm)
+ krb5_pointer ptr;
+ krb5_db_entry *entry;
+ int kadm;
+{
krb5_error_code retval;
struct dump_args *arg;
char *name;
@@ -1165,11 +1173,12 @@ dump_k5beta7_princ(ptr, entry)
/* save the callee from matching the name again */
tmp_nnames = arg->nnames;
arg->nnames = 0;
- retval = dump_k5beta6_iterator(ptr, entry);
+ retval = dump_k5beta6_iterator_ext(ptr, entry, kadm);
arg->nnames = tmp_nnames;
}
+
free(name);
- return (retval);
+ return retval;
}
/*
@@ -1216,8 +1225,16 @@ dump_iprop_princ(ptr, entry)
free(name);
return (retval);
}
-void
-dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
+
+static krb5_error_code
+dump_k5beta7_princ_withpolicy(ptr, entry)
+ krb5_pointer ptr;
+ krb5_db_entry *entry;
+{
+ return dump_k5beta7_princ_ext(ptr, entry, 1);
+}
+
+void dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
{
struct dump_args *arg;
@@ -1228,8 +1245,7 @@ dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
entry->policy_refcnt);
}
-void
-print_key_data(FILE * f, krb5_key_data * key_data)
+static void print_key_data(FILE *f, krb5_key_data *key_data)
{
int c;
@@ -1263,11 +1279,10 @@ print_key_data(FILE * f, krb5_key_data * key_data)
* nuttin
*
*/
-static krb5_error_code
-dump_ov_princ(krb5_pointer ptr, krb5_db_entry * kdb)
+static krb5_error_code dump_ov_princ(krb5_pointer ptr, krb5_db_entry *kdb)
{
char *princstr;
- int x, y, foundcrc, ret;
+ int x, y, foundcrc;
struct dump_args *arg;
krb5_tl_data tl_data;
osa_princ_ent_rec adb;
@@ -1276,21 +1291,21 @@ dump_ov_princ(krb5_pointer ptr, krb5_db_entry * kdb)
arg = (struct dump_args *) ptr;
/*
* XXX Currently, lookup_tl_data always returns zero; it sets
- * tl_data->tl_data_length to zero if the type isn't found. This
- * should be fixed...
+ * tl_data->tl_data_length to zero if the type isn't found.
+ * This should be fixed...
*/
/*
* XXX Should this function do nothing for a principal with no
- * admin data, or print a record of "default" values? See comment
- * in server_kdb.c to help decide.
+ * admin data, or print a record of "default" values? See
+ * comment in server_kdb.c to help decide.
*/
tl_data.tl_data_type = KRB5_TL_KADM_DATA;
- if ((ret = krb5_dbe_lookup_tl_data(arg->kcontext, kdb, &tl_data)) ||
- (tl_data.tl_data_length == 0))
- return (0);
+ if (krb5_dbe_lookup_tl_data(arg->kcontext, kdb, &tl_data)
+ || (tl_data.tl_data_length == 0))
+ return 0;
memset(&adb, 0, sizeof(adb));
- xdrmem_create(&xdrs, (const caddr_t) tl_data.tl_data_contents,
+ xdrmem_create(&xdrs, (const caddr_t) tl_data.tl_data_contents,
tl_data.tl_data_length, XDR_DECODE);
if (! xdr_osa_princ_ent_rec(&xdrs, &adb)) {
xdr_destroy(&xdrs);
@@ -1304,7 +1319,7 @@ dump_ov_princ(krb5_pointer ptr, krb5_db_entry * kdb)
fputc('\t', arg->ofile);
else
fprintf(arg->ofile, "%s\t", adb.policy);
- fprintf(arg->ofile, "%x\t%d\t%d\t%d", adb.aux_attributes,
+ fprintf(arg->ofile, "%lx\t%d\t%d\t%d", adb.aux_attributes,
adb.old_key_len,adb.old_key_next, adb.admin_history_kvno);
for (x = 0; x < adb.old_key_len; x++) {
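Review bot: `%lx` expects an `unsigned long`, but `adb.aux_attributes` is a krb5_flags field of the OpenVision admin record, which I believe is a 32-bit integer; if so, the old `%x` was nearer the mark and the new specifier is a mismatch on LP64 builds. Make the width explicit at the call site, `fprintf(arg->ofile, "%lx\t%d\t%d\t%d", (unsigned long) adb.aux_attributes,`, and check that `process_ov_record` reads the field back with the matching conversion.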
@@ -1337,12 +1352,14 @@ dump_ov_princ(krb5_pointer ptr, krb5_db_entry * kdb)
fputc('\n', arg->ofile);
free(princstr);
- return (0);
+ return 0;
}
/*
* usage is:
- * dump_db [-i] [-old] [-b6] [-ov] [-verbose] [filename [principals...]]
+ * dump_db [-i] [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert]
+ * [-new_mkey_file mkey_file] [-rev] [-recurse]
+ * [filename [principals...]]
*/
void
dump_db(argc, argv)
@@ -1351,7 +1368,6 @@ dump_db(argc, argv)
{
FILE *f;
struct dump_args arglist;
- int error;
char *programname;
char *ofile;
krb5_error_code kret, retval;
@@ -1370,24 +1386,27 @@ dump_db(argc, argv)
if (strrchr(programname, (int) '/'))
programname = strrchr(argv[0], (int) '/') + 1;
ofile = (char *) NULL;
- error = 0;
- dump = &beta7_version;
+ dump = &r1_3_version;
arglist.verbose = 0;
new_mkey_file = 0;
mkey_convert = 0;
+ backwards = 0;
+ recursive = 0;
log_ctx = util_context->kdblog_context;
/*
* Parse the qualifiers.
*/
for (aindex = 1; aindex < argc; aindex++) {
- if (strcmp(argv[aindex], oldoption) == 0)
+ if (!strcmp(argv[aindex], oldoption))
dump = &old_version;
- else if (strcmp(argv[aindex], b6option) == 0)
+ else if (!strcmp(argv[aindex], b6option))
dump = &beta6_version;
- else if (strcmp(argv[aindex], ovoption) == 0)
+ else if (!strcmp(argv[aindex], b7option))
+ dump = &beta7_version;
+ else if (!strcmp(argv[aindex], ovoption))
dump = &ov_version;
- else if (!strcmp(argv[aindex], ipropoption)) {
+ else if (!strcmp(argv[aindex], ipropoption)) {
if (log_ctx && log_ctx->iproprole) {
dump = &iprop_version;
/*
@@ -1403,14 +1422,18 @@ dump_db(argc, argv)
return;
}
}
- else if (strcmp(argv[aindex], verboseoption) == 0)
+ else if (!strcmp(argv[aindex], verboseoption))
arglist.verbose++;
else if (!strcmp(argv[aindex], "-mkey_convert"))
mkey_convert = 1;
else if (!strcmp(argv[aindex], "-new_mkey_file")) {
new_mkey_file = argv[++aindex];
mkey_convert = 1;
- } else
+ } else if (!strcmp(argv[aindex], "-rev"))
+ backwards = 1;
+ else if (!strcmp(argv[aindex], "-recurse"))
+ recursive = 1;
+ else
break;
}
@@ -1463,10 +1486,11 @@ dump_db(argc, argv)
}
if (!new_mkey_file)
printf(gettext("Please enter new master key....\n"));
-
if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
global_params.enctype,
- !new_mkey_file, TRUE,
+ (new_mkey_file == 0) ?
+ (krb5_boolean) 1 : 0,
+ TRUE,
new_mkey_file, 0,
&new_master_key))) {
com_err(argv[0], retval,
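Review bot: `(new_mkey_file == 0) ? (krb5_boolean) 1 : 0` is a long way of writing the `!new_mkey_file` the removed line had; if the cast is wanted to match the krb5_boolean parameter, `(krb5_boolean) (new_mkey_file == NULL)` says the same thing in one expression. dump_db continues on both sides of the hunk.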
@@ -1479,13 +1503,19 @@ dump_db(argc, argv)
locked = 0;
if (ofile && strcmp(ofile, "-")) {
/*
+ * Discourage accidental dumping to filenames beginning with '-'.
+ */
+ if (ofile[0] == '-')
+ usage();
+ /*
* Make sure that we don't open and truncate on the fopen,
* since that may hose an on-going kprop process.
*
- * We could also control this by opening for read and write,
- * doing an flock with LOCK_EX, and then truncating the
- * file once we have gotten the lock, but that would
- * involve more OS dependencies than I want to get into.
+ * We could also control this by opening for read and
+ * write, doing an flock with LOCK_EX, and then
+ * truncating the file once we have gotten the lock,
+ * but that would involve more OS dependencies than I
+ * want to get into.
*/
unlink(ofile);
if (!(f = fopen(ofile, "w"))) {
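Review bot: The added `ofile[0] == '-'` check calls `usage()` from the middle of dump_db, after the database and (when converting) the new master key have been set up; if `usage()` exits, nothing here releases them, which is probably acceptable for a fatal usage error but deserves a one-line comment at the call. Separately, the `unlink(ofile); ... fopen(ofile, "w")` sequence that follows is a remove-then-create race: between the two calls another local process can place a file or symlink at that path and the dump is written through it. Creating the file with `open(ofile, O_WRONLY | O_CREAT | O_EXCL, 0600)` and wrapping it with `fdopen()` removes the race while still satisfying the no-truncate concern the comment describes.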
@@ -1500,7 +1530,8 @@ dump_db(argc, argv)
fprintf(stderr, gettext(oflock_error),
programname, ofile, error_message(kret));
exit_status++;
- } else
+ }
+ else
locked = 1;
} else {
f = stdout;
@@ -1538,9 +1569,10 @@ dump_db(argc, argv)
if (dump->header[strlen(dump->header)-1] != '\n')
fputc('\n', arglist.ofile);
- if ((kret = krb5_dbm_db_iterate(util_context,
- dump->dump_princ,
- (krb5_pointer) &arglist))) {
+ if ((kret = krb5_dbm_db_iterate(util_context,
+ dump->dump_princ,
+ (krb5_pointer) &arglist,
+ backwards, recursive))) {
fprintf(stderr, gettext(dumprec_err),
programname, dump->name, error_message(kret));
exit_status++;
@@ -1563,8 +1595,7 @@ error:
}
}
if (locked)
- (void) krb5_lock_file(util_context,
- fileno(f), KRB5_LOCKMODE_UNLOCK);
+ (void) krb5_lock_file(util_context, fileno(f), KRB5_LOCKMODE_UNLOCK);
}
/*
@@ -1673,6 +1704,7 @@ update_tl_data(kcontext, dbentp, mod_name, mod_date, last_pwd_change)
if (mprinc.mod_princ)
krb5_free_principal(kcontext, mprinc.mod_princ);
}
+
/*
* Handle last password change.
*/
@@ -1689,119 +1721,42 @@ update_tl_data(kcontext, dbentp, mod_name, mod_date, last_pwd_change)
linked = 0;
if (!pwchg) {
/* No, allocate a new one */
- if ((pwchg = (krb5_tl_data *)
- malloc(sizeof (krb5_tl_data)))) {
- memset(pwchg, 0, sizeof(krb5_tl_data));
- if (!(pwchg->tl_data_contents =
- (krb5_octet *) malloc(sizeof (krb5_timestamp)))) {
- free(pwchg);
- pwchg = (krb5_tl_data *) NULL;
- } else {
- pwchg->tl_data_type = KRB5_TL_LAST_PWD_CHANGE;
- pwchg->tl_data_length =
- (krb5_int16) sizeof (krb5_timestamp);
- }
+ if ((pwchg = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) {
+ memset(pwchg, 0, sizeof(krb5_tl_data));
+ if (!(pwchg->tl_data_contents =
+ (krb5_octet *) malloc(sizeof(krb5_timestamp)))) {
+ free(pwchg);
+ pwchg = (krb5_tl_data *) NULL;
+ }
+ else {
+ pwchg->tl_data_type = KRB5_TL_LAST_PWD_CHANGE;
+ pwchg->tl_data_length =
+ (krb5_int16) sizeof(krb5_timestamp);
+ }
}
- } else
- linked = 1;
+ }
+ else
+ linked = 1;
/* Do we have an entry? */
if (pwchg && pwchg->tl_data_contents) {
/* Encode it */
- krb5_kdb_encode_int32(last_pwd_change,
- pwchg->tl_data_contents);
+ krb5_kdb_encode_int32(last_pwd_change, pwchg->tl_data_contents);
/* Link it in if necessary */
if (!linked) {
pwchg->tl_data_next = dbentp->tl_data;
dbentp->tl_data = pwchg;
dbentp->n_tl_data++;
}
- } else
+ }
+ else
kret = ENOMEM;
}
+
return(kret);
}
-
#endif
-static int
-k5beta_parse_and_store(char *fname, krb5_context kcontext, int verbose,
- int *linenop, krb5_db_entry *dbent,
- char *name, char *mod_name,
- krb5_timestamp last_pwd_change,
- krb5_timestamp mod_date
-)
-{
- int error;
- int retval = 1;
- krb5_error_code kret;
- krb5_principal mod_princ;
- krb5_key_data *pkey, *akey;
-
- pkey = &dbent->key_data[0];
- akey = &dbent->key_data[1];
-
- if (!(kret = krb5_parse_name(kcontext, name, &dbent->princ))) {
- if (!(kret =
- krb5_parse_name(kcontext, mod_name, &mod_princ))) {
- if (!(kret = krb5_dbe_update_mod_princ_data(
- kcontext, dbent,
- mod_date, mod_princ)) &&
- !(kret = krb5_dbe_update_last_pwd_change(
- kcontext, dbent, last_pwd_change))) {
- int one = 1;
-
- dbent->len = KRB5_KDB_V1_BASE_LENGTH;
- pkey->key_data_ver =
- (pkey->key_data_type[1] ||
- pkey->key_data_length[1]) ? 2 : 1;
- akey->key_data_ver =
- (akey->key_data_type[1] ||
- akey->key_data_length[1]) ? 2 : 1;
- if ((pkey->key_data_type[0] ==
- akey->key_data_type[0]) &&
- (pkey->key_data_type[1] ==
- akey->key_data_type[1]))
- dbent->n_key_data--;
- else if ((akey->key_data_type[0] == 0) &&
- (akey->key_data_length[0] == 0) &&
- (akey->key_data_type[1] == 0) &&
- (akey->key_data_length[1] == 0))
- dbent->n_key_data--;
- if ((kret = krb5_db_put_principal(
- kcontext, dbent, &one)) ||
- (one != 1)) {
- fprintf(stderr, gettext(store_err_fmt),
- fname, *linenop, name,
- error_message(kret));
- error++;
- } else {
- if (verbose)
- fprintf(stderr,
- gettext(add_princ_fmt),
- name);
- retval = 0;
- }
- dbent->n_key_data = 2;
- }
- krb5_free_principal(kcontext, mod_princ);
- } else {
- fprintf(stderr,
- gettext(parse_err_fmt),
- fname, *linenop, mod_name,
- error_message(kret));
- error++;
- }
- } else {
- fprintf(stderr, gettext(parse_err_fmt),
- fname, *linenop, name,
- error_message(kret));
- error++;
- }
-
- return (retval);
-}
-
/*
* process_k5beta_record() - Handle a dump record in old format.
*
@@ -1871,15 +1826,14 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
(krb5_octet *) malloc((size_t) (key_len + 1)))) &&
(!alt_key_len ||
(akey->key_data_contents[0] =
- (krb5_octet *)
- malloc((size_t) (alt_key_len + 1)))) &&
+ (krb5_octet *) malloc((size_t) (alt_key_len + 1)))) &&
(!salt_len ||
(pkey->key_data_contents[1] =
(krb5_octet *) malloc((size_t) (salt_len + 1)))) &&
(!alt_salt_len ||
(akey->key_data_contents[1] =
- (krb5_octet *)
- malloc((size_t) (alt_salt_len + 1))))) {
+ (krb5_octet *) malloc((size_t) (alt_salt_len + 1))))
+ ) {
error = 0;
/* Read the principal name */
@@ -1888,10 +1842,9 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
error++;
}
/* Read the key type */
- if (!error &&
- (fscanf(filep, "\t%d\t", &tmpint1) != 1)) {
- try2read = read_key_type;
- error++;
+ if (!error && (fscanf(filep, "\t%d\t", &tmpint1) != 1)) {
+ try2read = read_key_type;
+ error++;
}
pkey->key_data_type[0] = tmpint1;
/* Read the old format key */
@@ -1902,24 +1855,15 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
error++;
}
/* convert to a new format key */
- /*
- * the encrypted version is stored as the
- * unencrypted key length (4 bytes, MSB first)
- * followed by the encrypted key.
- */
- if ((pkey->key_data_length[0] > 4) &&
- (pkey->key_data_contents[0][0] == 0) &&
- (pkey->key_data_contents[0][1] == 0)) {
- /*
- * this really does look like an old key,
- * so drop and swap
- */
- /*
- * the *new* length is 2 bytes, LSB first,
- * sigh.
- */
- size_t shortlen = pkey->key_data_length[0] - 4 + 2;
- krb5_octet *origdata = pkey->key_data_contents[0];
+ /* the encrypted version is stored as the unencrypted key length
+ (4 bytes, MSB first) followed by the encrypted key. */
+ if ((pkey->key_data_length[0] > 4)
+ && (pkey->key_data_contents[0][0] == 0)
+ && (pkey->key_data_contents[0][1] == 0)) {
+ /* this really does look like an old key, so drop and swap */
+ /* the *new* length is 2 bytes, LSB first, sigh. */
+ size_t shortlen = pkey->key_data_length[0]-4+2;
+ krb5_octet *origdata = pkey->key_data_contents[0];
shortcopy1 = (krb5_octet *) malloc(shortlen);
if (shortcopy1) {
@@ -1934,18 +1878,18 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
error++;
}
}
+
/* Read principal attributes */
- if (!error &&
- (fscanf(filep, "\t%u\t%u\t%u\t%u\t%u\t%u"
- "\t%u\t%u\t%u\t%u\t",
- &tmpint1, &dbent.max_life,
- &dbent.max_renewable_life,
- &tmpint2, &dbent.expiration,
- &dbent.pw_expiration, &last_pwd_change,
- &dbent.last_success, &dbent.last_failed,
- &tmpint3) != 10)) {
- try2read = read_pr_data1;
- error++;
+ if (!error && (fscanf(filep,
+ "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t",
+ &tmpint1, &dbent.max_life,
+ &dbent.max_renewable_life,
+ &tmpint2, &dbent.expiration,
+ &dbent.pw_expiration, &last_pwd_change,
+ &dbent.last_success, &dbent.last_failed,
+ &tmpint3) != 10)) {
+ try2read = read_pr_data1;
+ error++;
}
pkey->key_data_kvno = tmpint1;
dbent.fail_auth_count = tmpint3;
@@ -1973,37 +1917,28 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
error++;
}
/* Read alternate key type */
- if (!error &&
- (fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
- try2read = read_akey_type;
- error++;
+ if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
+ try2read = read_akey_type;
+ error++;
}
akey->key_data_type[0] = tmpint1;
/* Read alternate key */
if (!error && read_octet_string(filep,
akey->key_data_contents[0],
akey->key_data_length[0])) {
- try2read = read_akey_data;
- error++;
+ try2read = read_akey_data;
+ error++;
}
+
/* convert to a new format key */
- /*
- * the encrypted version is stored as the
- * unencrypted key length (4 bytes, MSB first)
- * followed by the encrypted key.
- */
- if ((akey->key_data_length[0] > 4) &&
- (akey->key_data_contents[0][0] == 0) &&
- (akey->key_data_contents[0][1] == 0)) {
- /*
- * this really does look like an old key,
- * so drop and swap
- */
- /*
- * the *new* length is 2 bytes, LSB first,
- * sigh.
- */
- size_t shortlen = akey->key_data_length[0] - 4 + 2;
+ /* the encrypted version is stored as the unencrypted key length
+ (4 bytes, MSB first) followed by the encrypted key. */
+ if ((akey->key_data_length[0] > 4)
+ && (akey->key_data_contents[0][0] == 0)
+ && (akey->key_data_contents[0][1] == 0)) {
+ /* this really does look like an old key, so drop and swap */
+ /* the *new* length is 2 bytes, LSB first, sigh. */
+ size_t shortlen = akey->key_data_length[0]-4+2;
krb5_octet *origdata = akey->key_data_contents[0];
@@ -2021,11 +1956,11 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
error++;
}
}
+
/* Read alternate salt type */
- if (!error &&
- (fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
- try2read = read_asalt_type;
- error++;
+ if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
+ try2read = read_asalt_type;
+ error++;
}
akey->key_data_type[1] = tmpint1;
/* Read alternate salt data */
@@ -2038,31 +1973,93 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
/* Read expansion data - discard it */
if (!error) {
for (i=0; i<8; i++) {
- if (fscanf(filep,
- "\t%u", &tmpint1) != 1) {
+ if (fscanf(filep, "\t%u", &tmpint1) != 1) {
try2read = read_exp_data;
error++;
break;
- }
+ }
}
if (!error)
find_record_end(filep, fname, *linenop);
}
+
/*
- * If no error, then we're done reading. Now parse
- * the names and store the database dbent.
+ * If no error, then we're done reading. Now parse the names
+ * and store the database dbent.
*/
if (!error) {
- retval = k5beta_parse_and_store(
- fname, kcontext, verbose,
- linenop, &dbent, name, mod_name,
- last_pwd_change, mod_date);
- } else {
- fprintf(stderr, gettext(read_err_fmt),
- fname, *linenop, try2read);
+ if (!(kret = krb5_parse_name(kcontext,
+ name,
+ &dbent.princ))) {
+ if (!(kret = krb5_parse_name(kcontext,
+ mod_name,
+ &mod_princ))) {
+ if (!(kret =
+ krb5_dbe_update_mod_princ_data(kcontext,
+ &dbent,
+ mod_date,
+ mod_princ)) &&
+ !(kret =
+ krb5_dbe_update_last_pwd_change(kcontext,
+ &dbent,
+ last_pwd_change))) {
+ int one = 1;
+
+ dbent.len = KRB5_KDB_V1_BASE_LENGTH;
+ pkey->key_data_ver = (pkey->key_data_type[1] || pkey->key_data_length[1]) ?
+ 2 : 1;
+ akey->key_data_ver = (akey->key_data_type[1] || akey->key_data_length[1]) ?
+ 2 : 1;
+ if ((pkey->key_data_type[0] ==
+ akey->key_data_type[0]) &&
+ (pkey->key_data_type[1] ==
+ akey->key_data_type[1]))
+ dbent.n_key_data--;
+ else if ((akey->key_data_type[0] == 0)
+ && (akey->key_data_length[0] == 0)
+ && (akey->key_data_type[1] == 0)
+ && (akey->key_data_length[1] == 0))
+ dbent.n_key_data--;
+ if ((kret = krb5_db_put_principal(kcontext,
+ &dbent,
+ &one)) ||
+ (one != 1)) {
+ fprintf(stderr, gettext(store_err_fmt),
+ fname, *linenop, name,
+ error_message(kret));
+ error++;
+ }
+ else {
+ if (verbose)
+ fprintf(stderr,
+ gettext(add_princ_fmt),
+ name);
+ retval = 0;
+ }
+ dbent.n_key_data = 2;
+ }
+ krb5_free_principal(kcontext, mod_princ);
+ }
+ else {
+ fprintf(stderr,
+ gettext(parse_err_fmt),
+ fname, *linenop, mod_name,
+ error_message(kret));
+ error++;
+ }
+ }
+ else {
+ fprintf(stderr, gettext(parse_err_fmt),
+ fname, *linenop, name, error_message(kret));
+ error++;
+ }
+ }
+ else {
+ fprintf(stderr, gettext(no_mem_fmt), fname, *linenop, try2read);
}
- } else {
- fprintf(stderr, gettext(no_mem_fmt), fname, *linenop);
+ }
+ else {
+ fprintf(stderr, gettext(read_err_fmt), fname, *linenop);
}
krb5_db_free_principal(kcontext, &dbent, 1);
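Review bot: The two fallback messages at the end of this hunk are attached to the wrong branches: the `else` paired with `if (!error)` runs when a field failed to read, yet it prints `no_mem_fmt` with a surplus `try2read` argument, while the outer `else` paired with the allocation test prints `read_err_fmt` with `try2read` missing, so the `%s` that the removed three-argument call implies is read from a nonexistent vararg — undefined behaviour on a path a malformed dump can reach. The inlined parse-and-store logic itself matches the removed k5beta_parse_and_store. Swap them back: `fprintf(stderr, gettext(read_err_fmt), fname, *linenop, try2read);` on the read-failure branch and `fprintf(stderr, gettext(no_mem_fmt), fname, *linenop);` on the allocation-failure branch. process_k5beta_record starts and ends outside this hunk.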
@@ -2070,12 +2067,13 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
free(mod_name);
if (name)
free(name);
- } else {
+ }
+ else {
if (nmatched != EOF)
fprintf(stderr, gettext(rhead_err_fmt),
fname, *linenop);
else
- retval = -1;
+ retval = -1;
}
if (shortcopy1)
@@ -2083,111 +2081,7 @@ process_k5beta_record(fname, kcontext, filep, verbose, linenop, pol_db)
if (shortcopy2)
free(shortcopy2);
- return (retval);
-}
-
-static int
-get_k5beta6_tag_data(FILE *filep, krb5_db_entry dbentry, const char **try2read)
-{
- int error = 0;
- int i;
-
- krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9;
- int nread;
- krb5_tl_data *tl;
-
- for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
- nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
- if (nread == 2) {
- tl->tl_data_type = (krb5_int16) t1;
- tl->tl_data_length = (krb5_int16) t2;
- if (tl->tl_data_length) {
- if (!(tl->tl_data_contents =
- (krb5_octet *)
- malloc((size_t) t2 + 1)) ||
- read_octet_string(filep,
- tl->tl_data_contents, t2)) {
- *try2read = read_tcontents;
- error++;
- break;
- }
- } else {
- /* Should be a null field */
- nread = fscanf(filep, "%d", &t9);
- if ((nread != 1) || (t9 != -1)) {
- error++;
- *try2read = read_tcontents;
- break;
- }
- }
- } else {
- *try2read = read_ttypelen;
- error++;
- break;
- }
- }
-
- return (error);
-}
-
-static int
-get_k5beta6_key_data(FILE *filep, krb5_db_entry dbentry, const char **try2read)
-{
- int error = 0;
- int i, j;
-
- krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9;
- int nread;
- krb5_key_data *kdatap;
-
- for (i = 0; !error && (i < dbentry.n_key_data); i++) {
- kdatap = &dbentry.key_data[i];
- nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
- if (nread == 2) {
- kdatap->key_data_ver = (krb5_int16) t1;
- kdatap->key_data_kvno = (krb5_int16) t2;
-
- for (j = 0; j < t1; j++) {
- nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
- if (nread == 2) {
- kdatap->key_data_type[j] = t3;
- kdatap->key_data_length[j] = t4;
- if (t4) {
- if (!(kdatap->
- key_data_contents[j] =
- (krb5_octet *)
- malloc((size_t) t4
- + 1)) ||
- read_octet_string(filep,
- kdatap->
- key_data_contents[j],
- t4)) {
- *try2read =
- read_kcontents;
- error++;
- break;
- }
- } else {
- /* Should be a null field */
- nread = fscanf(filep,
- "%d", &t9);
- if ((nread != 1) ||
- (t9 != -1)) {
- error++;
- *try2read =
- read_kcontents;
- break;
- }
- }
- } else {
- *try2read = read_ktypelen;
- error++;
- break;
- }
- }
- }
- }
- return (error);
+ return(retval);
}
/*
@@ -2235,12 +2129,12 @@ process_k5beta6_record(fname, kcontext, filep, verbose, linenop, pol_db)
/* Get memory for and form tagged data linked list */
tlp = &dbentry.tl_data;
for (i=0; i<t3; i++) {
- if ((*tlp = (krb5_tl_data *)
- malloc(sizeof (krb5_tl_data)))) {
+ if ((*tlp = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) {
memset(*tlp, 0, sizeof(krb5_tl_data));
tlp = &((*tlp)->tl_data_next);
dbentry.n_tl_data++;
- } else {
+ }
+ else {
error++;
break;
}
@@ -2260,8 +2154,7 @@ process_k5beta6_record(fname, kcontext, filep, verbose, linenop, pol_db)
dbentry.n_key_data = t4;
dbentry.e_length = t5;
if (kp) {
- memset(kp, 0,
- (size_t) (t4 * sizeof (krb5_key_data)));
+ memset(kp, 0, (size_t) (t4*sizeof(krb5_key_data)));
dbentry.key_data = kp;
kp = (krb5_key_data *) NULL;
}
@@ -2270,31 +2163,23 @@ process_k5beta6_record(fname, kcontext, filep, verbose, linenop, pol_db)
dbentry.e_data = op;
op = (krb5_octet *) NULL;
}
+
/* Read in and parse the principal name */
if (!read_string(filep, name, t2, linenop) &&
- !(kret = krb5_parse_name(kcontext,
- name, &dbentry.princ))) {
+ !(kret = krb5_parse_name(kcontext, name, &dbentry.princ))) {
/* Get the fixed principal attributes */
- nread = fscanf(filep, "%d\t%d\t%d\t%d"
- "\t%d\t%d\t%d\t%d\t",
- &t2, &t3, &t4, &t5,
- &t6, &t7, &t8, &t9);
+ nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
+ &t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9);
if (nread == 8) {
dbentry.attributes = (krb5_flags) t2;
dbentry.max_life = (krb5_deltat) t3;
- dbentry.max_renewable_life =
- (krb5_deltat) t4;
- dbentry.expiration =
- (krb5_timestamp) t5;
- dbentry.pw_expiration =
- (krb5_timestamp) t6;
- dbentry.last_success =
- (krb5_timestamp) t7;
- dbentry.last_failed =
- (krb5_timestamp) t8;
- dbentry.fail_auth_count =
- (krb5_kvno) t9;
+ dbentry.max_renewable_life = (krb5_deltat) t4;
+ dbentry.expiration = (krb5_timestamp) t5;
+ dbentry.pw_expiration = (krb5_timestamp) t6;
+ dbentry.last_success = (krb5_timestamp) t7;
+ dbentry.last_failed = (krb5_timestamp) t8;
+ dbentry.fail_auth_count = (krb5_kvno) t9;
} else {
try2read = read_nint_data;
error++;
@@ -2303,27 +2188,94 @@ process_k5beta6_record(fname, kcontext, filep, verbose, linenop, pol_db)
/*
* Get the tagged data.
*
- * Really, this code ought to discard tl data
- * types that it knows are special to the
- * current version and were not supported
- * in the previous version. But it's a pain
- * to implement that here, and doing it at
- * dump time has almost as good an effect,
- * so that's what I did. [krb5-admin/89/
+ * Really, this code ought to discard tl data types
+ * that it knows are special to the current version
+ * and were not supported in the previous version.
+ * But it's a pain to implement that here, and doing
+ * it at dump time has almost as good an effect, so
+ * that's what I did. [krb5-admin/89]
*/
if (!error && dbentry.n_tl_data) {
- error = get_k5beta6_tag_data(
- filep,
- dbentry,
- &try2read);
+ for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
+ nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
+ if (nread == 2) {
+ tl->tl_data_type = (krb5_int16) t1;
+ tl->tl_data_length = (krb5_int16) t2;
+ if (tl->tl_data_length) {
+ if (!(tl->tl_data_contents =
+ (krb5_octet *) malloc((size_t) t2+1)) ||
+ read_octet_string(filep,
+ tl->tl_data_contents,
+ t2)) {
+ try2read = read_tcontents;
+ error++;
+ break;
}
+ }
+ else {
+ /* Should be a null field */
+ nread = fscanf(filep, "%d", &t9);
+ if ((nread != 1) || (t9 != -1)) {
+ error++;
+ try2read = read_tcontents;
+ break;
+ }
+ }
+ }
+ else {
+ try2read = read_ttypelen;
+ error++;
+ break;
+ }
+ }
+ }
+
/* Get the key data */
if (!error && dbentry.n_key_data) {
- error = get_k5beta6_key_data(
- filep,
- dbentry,
- &try2read);
+ for (i=0; !error && (i<dbentry.n_key_data); i++) {
+ kdatap = &dbentry.key_data[i];
+ nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
+ if (nread == 2) {
+ kdatap->key_data_ver = (krb5_int16) t1;
+ kdatap->key_data_kvno = (krb5_int16) t2;
+
+ for (j=0; j<t1; j++) {
+ nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
+ if (nread == 2) {
+ kdatap->key_data_type[j] = t3;
+ kdatap->key_data_length[j] = t4;
+ if (t4) {
+ if (!(kdatap->key_data_contents[j] =
+ (krb5_octet *)
+ malloc((size_t) t4+1)) ||
+ read_octet_string(filep,
+ kdatap->key_data_contents[j],
+ t4)) {
+ try2read = read_kcontents;
+ error++;
+ break;
}
+ }
+ else {
+ /* Should be a null field */
+ nread = fscanf(filep, "%d", &t9);
+ if ((nread != 1) || (t9 != -1)) {
+ error++;
+ try2read = read_kcontents;
+ break;
+ }
+ }
+ }
+ else {
+ try2read = read_ktypelen;
+ error++;
+ break;
+ }
+ }
+ }
+ }
+ }
+
/* Get the extra data */
if (!error && dbentry.e_length) {
if (read_octet_string(filep,
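Review bot: The inner loop `for (j=0; j<t1; j++)` in the inlined key-data section indexes `key_data_type[j]`, `key_data_length[j]` and `key_data_contents[j]` with a bound taken straight from the dump file (`t1`, the key_data_ver just scanned), and those krb5_key_data members are fixed two-element arrays (KRB5_KDB_V1_KEY_DATA_ARRAY in kdb.h, as I recall), so a record whose version field exceeds 2 writes past the struct before any error is raised. The same pattern feeds `t2`/`t4` unchecked into `malloc((size_t) t2+1)` / `malloc((size_t) t4+1)` and `read_octet_string`, where a negative value wraps the size; whether read_octet_string tolerates a negative length is not visible here. Reject the count right after it is read: `if (t1 < 0 || t1 > 2) { try2read = read_ktypelen; error++; break; }`, and likewise treat negative `t2`/`t4` as `read_kcontents`/`read_tcontents` failures. process_k5beta6_record starts and ends outside this hunk.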
@@ -2332,7 +2284,8 @@ process_k5beta6_record(fname, kcontext, filep, verbose, linenop, pol_db)
try2read = read_econtents;
error++;
}
- } else {
+ }
+ else {
nread = fscanf(filep, "%d", &t9);
if ((nread != 1) || (t9 != -1)) {
error++;
@@ -2345,20 +2298,19 @@ process_k5beta6_record(fname, kcontext, filep, verbose, linenop, pol_db)
find_record_end(filep, fname, *linenop);
/*
- * We have either read in all the data or
- * choked.
+ * We have either read in all the data or choked.
*/
if (!error) {
one = 1;
- if ((kret = krb5_db_put_principal(
- kcontext,
+ if ((kret = krb5_db_put_principal(kcontext,
&dbentry,
&one))) {
fprintf(stderr,
gettext(store_err_fmt),
fname, *linenop,
name, error_message(kret));
- } else {
+ }
+ else {
if (verbose)
fprintf(stderr,
gettext(
@@ -2366,21 +2318,23 @@ process_k5beta6_record(fname, kcontext, filep, verbose, linenop, pol_db)
name);
retval = 0;
}
- } else {
+ }
+ else {
fprintf(stderr, gettext(read_err_fmt),
fname, *linenop, try2read);
}
- } else {
+ }
+ else {
if (kret)
fprintf(stderr, gettext(parse_err_fmt),
- fname, *linenop, name,
- error_message(kret));
+ fname, *linenop, name, error_message(kret));
else
- fprintf(stderr, gettext(no_mem_fmt),
+ fprintf(stderr, gettext(no_mem_fmt),
fname, *linenop);
}
- } else {
- fprintf(stderr,
+ }
+ else {
+ fprintf(stderr,
gettext(rhead_err_fmt), fname, *linenop);
}
@@ -2391,14 +2345,15 @@ process_k5beta6_record(fname, kcontext, filep, verbose, linenop, pol_db)
if (name)
free(name);
krb5_db_free_principal(kcontext, &dbentry, 1);
- } else {
+ }
+ else {
if (nread == EOF)
retval = -1;
}
return(retval);
}
-int
+static int
process_k5beta7_policy(fname, kcontext, filep, verbose, linenop, pol_db)
char *fname;
krb5_context kcontext;
@@ -2419,12 +2374,12 @@ process_k5beta7_policy(fname, kcontext, filep, verbose, linenop, pol_db)
&rec.pw_min_length, &rec.pw_min_classes,
&rec.pw_history_num, &rec.policy_refcnt);
if (nread == EOF)
- return (-1);
+ return -1;
else if (nread != 7) {
fprintf(stderr,
gettext("cannot parse policy on line %d (%d read)\n"),
*linenop, nread);
- return (1);
+ return 1;
}
if ((ret = osa_adb_create_policy(pol_db, &rec))) {
@@ -2432,17 +2387,17 @@ process_k5beta7_policy(fname, kcontext, filep, verbose, linenop, pol_db)
((ret = osa_adb_put_policy(pol_db, &rec)))) {
fprintf(stderr, gettext("cannot create policy on line %d: %s\n"),
*linenop, error_message(ret));
- return (1);
+ return 1;
}
}
if (verbose)
fprintf(stderr, gettext("created policy %s\n"), rec.name);
- return (0);
+ return 0;
}
/*
- * process_k5beta7_record() - Handle a dump record in krb5b6 format.
+ * process_k5beta7_record() - Handle a dump record in krb5b7 format.
*
* Returns -1 for end of file, 0 for success and 1 for failure.
*/
@@ -2460,9 +2415,9 @@ process_k5beta7_record(fname, kcontext, filep, verbose, linenop, pol_db)
nread = fscanf(filep, "%100s\t", rectype);
if (nread == EOF)
- return (-1);
+ return -1;
else if (nread != 1)
- return (1);
+ return 1;
if (strcmp(rectype, "princ") == 0)
process_k5beta6_record(fname, kcontext, filep, verbose,
linenop, pol_db);
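Review bot: The result of `process_k5beta6_record(...)` is discarded here, so a principal record that fails to parse or store is reported on stderr but process_k5beta7_record still returns 0 and restore_dump keeps consuming the file; the `policy` branch just outside this hunk and process_ov_record in the next hunk do the same. If that best-effort behaviour is intended it deserves a comment such as `/* record-level failures are reported by the callee; only an unreadable record type aborts the load */`, otherwise propagate a failure with `if (process_k5beta6_record(...) == 1) return 1;` (the -1 EOF result must not be forwarded, since the caller treats it as end of dump).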
@@ -2473,10 +2428,10 @@ process_k5beta7_record(fname, kcontext, filep, verbose, linenop, pol_db)
fprintf(stderr,
gettext("unknown record type \"%s\" on line %d\n"),
rectype, *linenop);
- return (1);
+ return 1;
}
- return (0);
+ return 0;
}
/*
@@ -2498,9 +2453,9 @@ process_ov_record(fname, kcontext, filep, verbose, linenop, pol_db)
nread = fscanf(filep, "%100s\t", rectype);
if (nread == EOF)
- return (-1);
+ return -1;
else if (nread != 1)
- return (1);
+ return 1;
if (strcmp(rectype, "princ") == 0)
process_ov_principal(fname, kcontext, filep, verbose,
linenop, pol_db);
@@ -2508,15 +2463,15 @@ process_ov_record(fname, kcontext, filep, verbose, linenop, pol_db)
process_k5beta7_policy(fname, kcontext, filep, verbose,
linenop, pol_db);
else if (strcmp(rectype, "End") == 0)
- return (-1);
+ return -1;
else {
fprintf(stderr,
gettext("unknown record type \"%s\" on line %d\n"),
rectype, *linenop);
- return (1);
+ return 1;
}
- return (0);
+ return 0;
}
/*
@@ -2546,7 +2501,8 @@ restore_dump(programname, kcontext, dumpfile, f, verbose, dump, pol_db)
f,
verbose,
&lineno,
- pol_db)));
+ pol_db)))
+ ;
if (error != -1)
fprintf(stderr, gettext(err_line_fmt),
programname, lineno, dumpfile);
@@ -2557,7 +2513,8 @@ restore_dump(programname, kcontext, dumpfile, f, verbose, dump, pol_db)
}
/*
- * Usage: load_db [-i] [-old] [-ov] [-b6] [-verbose] [-update] [-hash] filename
+ * Usage: load_db [-i] [-old] [-ov] [-b6] [-b7] [-verbose] [-update] [-hash]
+ * filename
*/
void
load_db(argc, argv)
@@ -2603,13 +2560,15 @@ load_db(argc, argv)
log_ctx = util_context->kdblog_context;
for (aindex = 1; aindex < argc; aindex++) {
- if (strcmp(argv[aindex], oldoption) == 0)
+ if (!strcmp(argv[aindex], oldoption))
load = &old_version;
- else if (strcmp(argv[aindex], b6option) == 0)
+ else if (!strcmp(argv[aindex], b6option))
load = &beta6_version;
- else if (strcmp(argv[aindex], ovoption) == 0)
+ else if (!strcmp(argv[aindex], b7option))
+ load = &beta7_version;
+ else if (!strcmp(argv[aindex], ovoption))
load = &ov_version;
- else if (!strcmp(argv[aindex], ipropoption)) {
+ else if (!strcmp(argv[aindex], ipropoption)) {
if (log_ctx && log_ctx->iproprole) {
load = &iprop_version;
add_update = FALSE;
@@ -2618,9 +2577,10 @@ load_db(argc, argv)
exit_status++;
return;
}
- } else if (strcmp(argv[aindex], verboseoption) == 0)
+ }
+ else if (!strcmp(argv[aindex], verboseoption))
verbose = 1;
- else if (strcmp(argv[aindex], updateoption) == 0)
+ else if (!strcmp(argv[aindex], updateoption))
update = 1;
else if (!strcmp(argv[aindex], hashoption))
crflags = KRB5_KDB_CREATE_HASH;
@@ -2677,21 +2637,16 @@ load_db(argc, argv)
f = stdin;
/*
- * Auto-detect dump version if we weren't told, verify if we were
- * told.
+ * Auto-detect dump version if we weren't told, verify if we
+ * were told.
*/
fgets(buf, sizeof(buf), f);
if (load) {
- /*
- * only check what we know; some headers only contain a
- * prefix
- */
+ /* only check what we know; some headers only contain a prefix */
if (strncmp(buf, load->header, strlen(load->header)) != 0) {
- fprintf(stderr, gettext(head_bad_fmt),
- programname, dumpfile);
+ fprintf(stderr, gettext(head_bad_fmt), programname, dumpfile);
exit_status++;
- if (dumpfile)
- fclose(f);
+ if (dumpfile) fclose(f);
return;
}
} else {
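Review bot: The return value of `fgets(buf, sizeof(buf), f)` is still ignored, so on an empty or unreadable dump the header comparisons that follow run on whatever `buf` already held; its declaration is outside this hunk, so I cannot see whether it is initialised. A one-line guard keeps the existing head_bad_fmt paths doing the reporting: `if (fgets(buf, sizeof(buf), f) == NULL) buf[0] = '\0';`. Separately, `if (dumpfile) fclose(f);` on a single line, introduced here and in the later load_db hunks, departs from the one-statement-per-line layout the rest of load_db uses.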
@@ -2702,15 +2657,16 @@ load_db(argc, argv)
load = &beta6_version;
else if (strcmp(buf, beta7_version.header) == 0)
load = &beta7_version;
+ else if (strcmp(buf, r1_3_version.header) == 0)
+ load = &r1_3_version;
else if (strncmp(buf, ov_version.header,
strlen(ov_version.header)) == 0)
load = &ov_version;
- else {
+ else {
fprintf(stderr, gettext(head_bad_fmt),
programname, dumpfile);
exit_status++;
- if (dumpfile)
- fclose(f);
+ if (dumpfile) fclose(f);
return;
}
}
@@ -2722,6 +2678,7 @@ load_db(argc, argv)
exit_status++;
return;
}
+
/*
* Cons up params for the new databases. If we are not in update
* mode use a temp name that we'll rename later.
@@ -2740,6 +2697,7 @@ load_db(argc, argv)
return;
}
}
+
/*
* If not an update restoration, create the temp database. Always
* create a temp policy db, even if we are not loading a dump file
@@ -2760,22 +2718,22 @@ load_db(argc, argv)
programname, error_message(kret));
exit_status++;
kadm5_free_config_params(kcontext, &newparams);
- if (dumpfile)
- fclose(f);
+ if (dumpfile) fclose(f);
return;
}
+
/*
* Point ourselves at the new databases.
*/
- if ((kret = krb5_db_set_name(kcontext,
- (update) ? dbname : dbname_tmp))) {
+ if ((kret = krb5_db_set_name(kcontext,
+ (update) ? dbname : dbname_tmp))) {
fprintf(stderr, gettext(dbname_err_fmt),
programname,
(update) ? dbname : dbname_tmp, error_message(kret));
exit_status++;
goto error;
}
- if ((kret = osa_adb_open_policy(&tmppol_db, &newparams))) {
+ if ((kret = osa_adb_open_policy(&tmppol_db, &newparams))) {
fprintf(stderr,
gettext("%s: %s while opening policy database\n"),
programname, error_message(kret));
@@ -2787,7 +2745,7 @@ load_db(argc, argv)
* the update fails.
*/
if (update) {
- if ((kret = osa_adb_get_lock(tmppol_db, OSA_ADB_PERMANENT))) {
+ if ((kret = osa_adb_get_lock(tmppol_db, OSA_ADB_PERMANENT))) {
fprintf(stderr,
gettext("%s: %s while "
"permanently locking database\n"),
@@ -2800,8 +2758,8 @@ load_db(argc, argv)
/*
* Initialize the database.
*/
- if ((kret = krb5_db_init(kcontext))) {
- fprintf(stderr, gettext(dbinit_err_fmt),
+ if ((kret = krb5_db_init(kcontext))) {
+ fprintf(stderr, gettext(dbinit_err_fmt),
programname, error_message(kret));
exit_status++;
goto error;
@@ -2812,13 +2770,13 @@ load_db(argc, argv)
if (!update) {
kret = krb5_db_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE);
if (kret) {
- fprintf(stderr, gettext(dblock_err_fmt),
+ fprintf(stderr, gettext(dblock_err_fmt),
programname, error_message(kret));
exit_status++;
goto error;
}
}
-
+
if (log_ctx && log_ctx->iproprole) {
if (add_update)
caller = FKCOMMAND;
@@ -2866,27 +2824,27 @@ load_db(argc, argv)
}
}
- if (restore_dump(programname, kcontext,
- (dumpfile) ? dumpfile : stdin_name,
+ if (restore_dump(programname, kcontext, (dumpfile) ? dumpfile : stdin_name,
f, verbose, load, tmppol_db)) {
fprintf(stderr, gettext(restfail_fmt),
programname, load->name);
exit_status++;
}
+
if (!update && (kret = krb5_db_unlock(kcontext))) {
/* change this error? */
fprintf(stderr, gettext(dbunlockerr_fmt),
programname, dbname_tmp, error_message(kret));
exit_status++;
}
- if ((kret = krb5_db_fini(kcontext))) {
+ if ((kret = krb5_db_fini(kcontext))) {
fprintf(stderr, gettext(close_err_fmt),
programname, error_message(kret));
exit_status++;
}
if (!update && load->create_kadm5 &&
- ((kret = kadm5_create_magic_princs(&newparams, kcontext)))) {
+ ((kret = kadm5_create_magic_princs(&newparams, kcontext)))) {
/* error message printed by create_magic_princs */
exit_status++;
}
@@ -2895,28 +2853,27 @@ load_db(argc, argv)
error:
/*
- * If not an update: if there was an error, destroy the temp
- * database, otherwise rename it into place.
+ * If not an update: if there was an error, destroy the temp database,
+ * otherwise rename it into place.
*
* If an update: if there was no error, unlock the database.
*/
if (!update) {
if (exit_status) {
- if ((kret =
- krb5_db_destroy(kcontext, dbname_tmp))) {
+ if ((kret = krb5_db_destroy(kcontext, dbname_tmp))) {
fprintf(stderr, gettext(dbdelerr_fmt),
- programname, dbname_tmp,
- error_message(kret));
+ programname, dbname_tmp, error_message(kret));
exit_status++;
}
- if ((kret = osa_adb_destroy_policy_db(&newparams))) {
+ if ((kret = osa_adb_destroy_policy_db(&newparams))) {
fprintf(stderr,
gettext("%s: %s while destroying "
"policy database\n"),
programname, error_message(kret));
exit_status++;
}
- } else {
+ }
+ else {
if ((kret = krb5_db_rename(kcontext,
dbname_tmp,
dbname))) {
@@ -2925,13 +2882,15 @@ error:
error_message(kret));
exit_status++;
}
- if ((kret = osa_adb_close_policy(tmppol_db))) {
- fprintf(stderr, gettext(close_err_fmt),
+
+ if ((kret = osa_adb_close_policy(tmppol_db))) {
+ fprintf(stderr, gettext(close_err_fmt),
programname, error_message(kret));
exit_status++;
}
- if ((kret = osa_adb_rename_policy_db(&newparams,
- &global_params))) {
+
+ if ((kret = osa_adb_rename_policy_db(&newparams,
+ &global_params))) {
fprintf(stderr,
gettext("%s: %s while renaming "
"policy db %s to %s\n"),
@@ -2941,25 +2900,26 @@ error:
exit_status++;
}
}
- } else { /* update */
- if (!exit_status && ((kret = osa_adb_release_lock(tmppol_db)))) {
- fprintf(stderr,
+ } else /* update */ {
+ if (! exit_status && ((kret = osa_adb_release_lock(tmppol_db)))) {
+ fprintf(stderr,
gettext("%s: %s while releasing permanent lock\n"),
programname, error_message(kret));
exit_status++;
}
- if (tmppol_db && ((kret = osa_adb_close_policy(tmppol_db)))) {
- fprintf(stderr, gettext(close_err_fmt),
+
+ if (tmppol_db && ((kret = osa_adb_close_policy(tmppol_db)))) {
+ fprintf(stderr, gettext(close_err_fmt),
programname, error_message(kret));
exit_status++;
}
}
if (dumpfile) {
- (void) krb5_lock_file(kcontext,
- fileno(f), KRB5_LOCKMODE_UNLOCK);
+ (void) krb5_lock_file(kcontext, fileno(f), KRB5_LOCKMODE_UNLOCK);
fclose(f);
}
+
if (dbname_tmp)
free(dbname_tmp);
krb5_free_context(kcontext);
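Review bot: `} else /* update */ {` and `if (! exit_status && ...)` introduced here differ from the layout used everywhere else in this file (`} else {` with any comment inside the block, `!x` without a space), which makes the next style pass diff this block again. Suggest `} else { /* update */` and `if (!exit_status && ((kret = osa_adb_release_lock(tmppol_db)))) {`.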
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/import_err.h b/usr/src/cmd/krb5/kadmin/dbutil/import_err.h
index 95f9693dc4..e35cdfe0ab 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/import_err.h
+++ b/usr/src/cmd/krb5/kadmin/dbutil/import_err.h
@@ -1,11 +1,8 @@
/*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
*/
-#ifndef _IMPORT_ERR_H
-#define _IMPORT_ERR_H
-
#pragma ident "%Z%%M% %I% %E% SMI"
/*
@@ -25,45 +22,49 @@
*
*/
-#ifdef __cplusplus
-extern "C" {
-#endif
-
/*
* import_err.h:
* This file is automatically generated; please do not edit it.
*/
-#define IMPORT_NO_ERR (37349888L)
-#define IMPORT_BAD_FILE (37349889L)
-#define IMPORT_BAD_TOKEN (37349890L)
-#define IMPORT_BAD_VERSION (37349891L)
-#define IMPORT_BAD_RECORD (37349892L)
-#define IMPORT_BAD_FOOTER (37349893L)
-#define IMPORT_FAILED (37349894L)
-#define IMPORT_COUNT_MESSAGE (37349895L)
-#define IMPORT_MISMATCH_COUNT (37349896L)
-#define IMPORT_UNK_OPTION (37349897L)
-#define IMPORT_WARN_DB (37349898L)
-#define IMPORT_RENAME_FAILED (37349899L)
-#define IMPORT_EXTRA_DATA (37349900L)
-#define IMPORT_CONFIRM (37349901L)
-#define IMPORT_OPEN_DUMP (37349902L)
-#define IMPORT_IMPORT (37349903L)
-#define IMPORT_TTY (37349904L)
-#define IMPORT_RENAME_OPEN (37349905L)
-#define IMPORT_RENAME_LOCK (37349906L)
-#define IMPORT_RENAME_UNLOCK (37349907L)
-#define IMPORT_RENAME_CLOSE (37349908L)
-#define IMPORT_SINGLE_RECORD (37349909L)
-#define IMPORT_PLURAL_RECORDS (37349910L)
-#define IMPORT_GET_PARAMS (37349911L)
-#define ERROR_TABLE_BASE_imp (37349888L)
-/* for compatibility with older versions... */
-#define imp_err_base ERROR_TABLE_BASE_imp
+#include <com_err.h>
-#ifdef __cplusplus
-}
+#define IMPORT_NO_ERR (37349888L)
+#define IMPORT_BAD_FILE (37349889L)
+#define IMPORT_BAD_TOKEN (37349890L)
+#define IMPORT_BAD_VERSION (37349891L)
+#define IMPORT_BAD_RECORD (37349892L)
+#define IMPORT_BAD_FOOTER (37349893L)
+#define IMPORT_FAILED (37349894L)
+#define IMPORT_COUNT_MESSAGE (37349895L)
+#define IMPORT_MISMATCH_COUNT (37349896L)
+#define IMPORT_UNK_OPTION (37349897L)
+#define IMPORT_WARN_DB (37349898L)
+#define IMPORT_RENAME_FAILED (37349899L)
+#define IMPORT_EXTRA_DATA (37349900L)
+#define IMPORT_CONFIRM (37349901L)
+#define IMPORT_OPEN_DUMP (37349902L)
+#define IMPORT_IMPORT (37349903L)
+#define IMPORT_TTY (37349904L)
+#define IMPORT_RENAME_OPEN (37349905L)
+#define IMPORT_RENAME_LOCK (37349906L)
+#define IMPORT_RENAME_UNLOCK (37349907L)
+#define IMPORT_RENAME_CLOSE (37349908L)
+#define IMPORT_SINGLE_RECORD (37349909L)
+#define IMPORT_PLURAL_RECORDS (37349910L)
+#define IMPORT_GET_PARAMS (37349911L)
+#define ERROR_TABLE_BASE_imp (37349888L)
+
+extern const struct error_table et_imp_error_table;
+
+#if !defined(_WIN32)
+/* for compatibility with older versions... */
+extern void initialize_imp_error_table (void) /*@modifies internalState@*/;
+#else
+#define initialize_imp_error_table()
#endif
-#endif /* !_IMPORT_ERR_H */
+#if !defined(_WIN32)
+#define init_imp_err_tbl initialize_imp_error_table
+#define imp_err_base ERROR_TABLE_BASE_imp
+#endif
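Review bot: The rewritten header drops both the `_IMPORT_ERR_H` include guard and the `extern "C"` wrapper without replacing them. In C the identical macro redefinitions and repeated `extern` declarations make double inclusion harmless, but any C++ translation unit that includes this header now sees C++ linkage for `initialize_imp_error_table` and `et_imp_error_table`. Since the file states it is generated, the guard belongs in the generator's template; failing that, wrap the body in `#ifndef _IMPORT_ERR_H` / `#define _IMPORT_ERR_H` / `#endif` again.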
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c b/usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c
index 8c6108a7a6..1e89515519 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c
@@ -37,10 +37,6 @@
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/dbutil/kadm5_create.c,v 1.6 1998/10/30 02:52:37 marc Exp $";
-#endif
-
#include "string_table.h"
#include <stdio.h>
@@ -48,6 +44,8 @@ static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/dbutil/kadm5_create.c
#include <string.h>
#include <kadm5/adb.h>
#include <kadm5/admin.h>
+#include <krb5/adm_proto.h>
+
#include <krb5.h>
#include <krb5/kdb.h>
@@ -63,8 +61,10 @@ int
add_admin_princ(void *handle, krb5_context context,
krb5_principal principal, int attrs, int lifetime);
-#define KADM5_ERR 1
-#define KADM5_OK 0
+static int add_admin_princs(void *handle, krb5_context context, char *realm);
+
+#define ERR 1
+#define OK 0
#define ADMIN_LIFETIME 60*60*3 /* 3 hours */
#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
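Review bot: Renaming `KADM5_ERR`/`KADM5_OK` to the bare `ERR` and `OK` invites collisions: `<curses.h>` defines both names, and any header included later that does the same produces redefinition warnings or silently changes the exit status passed to `exit()`. Keep a file-specific prefix, e.g. `#define KADM5_CREATE_ERR 1` / `#define KADM5_CREATE_OK 0`, and update the "Returns:" comment block later in this diff that now documents `OK`/`ERR`.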
@@ -82,18 +82,15 @@ extern char *progname;
* principals in the KDC database and sets their attributes
* appropriately.
*/
-int
-kadm5_create(kadm5_config_params * params)
+int kadm5_create(kadm5_config_params *params)
{
int retval;
- void *handle;
krb5_context context;
- FILE *f;
kadm5_config_params lparams;
- if (retval = krb5_init_context(&context))
- exit(KADM5_ERR);
+ if ((retval = krb5_init_context(&context)))
+ exit(ERR);
(void) memset(&lparams, 0, sizeof (kadm5_config_params));
@@ -101,14 +98,15 @@ kadm5_create(kadm5_config_params * params)
* The lock file has to exist before calling kadm5_init, but
* params->admin_lockfile may not be set yet...
*/
- if (retval = kadm5_get_config_params(context, NULL, NULL,
- params, &lparams)) {
- com_err(progname, retval, gettext(str_INITING_KCONTEXT));
- return (1);
+ if ((retval = kadm5_get_config_params(context, NULL, NULL,
+ params, &lparams))) {
+ com_err(progname, retval, gettext("while looking up the Kerberos configuration"));
+ return 1;
}
- if (retval = osa_adb_create_policy_db(&lparams)) {
+
+ if ((retval = osa_adb_create_policy_db(&lparams))) {
com_err(progname, retval, gettext(str_CREATING_POLICY_DB));
- return (1);
+ return 1;
}
retval = kadm5_create_magic_princs(&lparams, context);
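Review bot: Both early returns in this hunk leak: the `return 1` after `kadm5_get_config_params` fails skips `krb5_free_context(context)`, and the one after `osa_adb_create_policy_db` fails additionally skips `kadm5_free_config_params(context, &lparams)`, both of which the success path outside this hunk performs. Release them before returning, e.g. `kadm5_free_config_params(context, &lparams); krb5_free_context(context); return 1;`, or route both failures through one cleanup label. The inline `gettext("while looking up the Kerberos configuration")` also replaces a string_table.h constant while the next call still uses `str_CREATING_POLICY_DB`; pick one convention for the file. kadm5_create continues outside this hunk.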
@@ -116,28 +114,33 @@ kadm5_create(kadm5_config_params * params)
kadm5_free_config_params(context, &lparams);
krb5_free_context(context);
- return (retval);
+ return retval;
}
-int
-kadm5_create_magic_princs(kadm5_config_params * params,
- krb5_context *context)
+int kadm5_create_magic_princs(kadm5_config_params *params,
+ krb5_context context)
{
int retval;
void *handle;
+ retval = krb5_klog_init(context, "admin_server", progname, 0);
+ if (retval)
+ return retval;
if ((retval = kadm5_init(progname, NULL, NULL, params,
KADM5_STRUCT_VERSION,
KADM5_API_VERSION_2,
&handle))) {
- com_err(progname, retval, gettext(str_INITING_KCONTEXT));
- return (retval);
+ com_err(progname, retval, gettext("while initializing the Kerberos admin interface"));
+ return retval;
}
+
retval = add_admin_princs(handle, context, params->realm);
kadm5_destroy(handle);
- return (retval);
+ krb5_klog_close(context);
+
+ return retval;
}
/*
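Review bot: The kadm5_init failure path returns right after `krb5_klog_init` succeeded, so the logging state opened a few lines above is never closed; only the success path reaches the new `krb5_klog_close(context)`. Add `krb5_klog_close(context);` before the `return retval;` inside that `if` block so the two exits match.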
@@ -157,14 +160,13 @@ kadm5_create_magic_princs(kadm5_config_params * params,
*
* Requires: both strings are null-terminated
*/
-char *
-build_name_with_realm(char *name, char *realm)
+static char *build_name_with_realm(char *name, char *realm)
{
char *n;
n = (char *) malloc(strlen(name) + strlen(realm) + 2);
sprintf(n, "%s@%s", name, realm);
- return (n);
+ return n;
}
/*
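Review bot: build_name_with_realm still writes through the `malloc` result without checking it, so an allocation failure becomes a NULL write inside `sprintf`; the commit only changes linkage and return style around it. At minimum `if (n == NULL) return NULL;` after the malloc, with add_admin_old_princ (later hunk) checking `fullname` before passing it to krb5_parse_name. Writing the name with `snprintf(n, len, "%s@%s", name, realm)` against the same computed `len` keeps the size calculation and the write visibly tied together.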
@@ -187,8 +189,7 @@ build_name_with_realm(char *name, char *realm)
* printed. If any of these existing principal do not have the proper
* attributes, a warning message is printed.
*/
-int
-add_admin_princs(void *handle, krb5_context context, char *realm)
+static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
krb5_error_code ret = 0;
@@ -236,7 +237,7 @@ add_admin_princs(void *handle, krb5_context context, char *realm)
clean_and_exit:
- return (ret);
+ return ret;
}
/*
@@ -255,8 +256,8 @@ clean_and_exit:
*
* Returns:
*
- * KADM5_OK on success
- * KADM5_ERR on serious errors
+ * OK on success
+ * ERR on serious errors
*
* Effects:
*
@@ -267,8 +268,7 @@ clean_and_exit:
* attributes attrs and max life of lifetime (if not zero).
*/
-int
-add_admin_princ(void *handle, krb5_context context,
+int add_admin_princ(void *handle, krb5_context context,
krb5_principal principal, int attrs, int lifetime)
{
char *fullname;
@@ -278,23 +278,23 @@ add_admin_princ(void *handle, krb5_context context,
memset(&ent, 0, sizeof(ent));
if (krb5_unparse_name(context, principal, &fullname))
- return (KADM5_ERR);
+ return ERR;
ent.principal = principal;
ent.max_life = lifetime;
ent.attributes = attrs | KRB5_KDB_DISALLOW_ALL_TIX;
- if (ret = kadm5_create_principal(handle, &ent,
- (KADM5_PRINCIPAL |
- KADM5_MAX_LIFE |
- KADM5_ATTRIBUTES),
- "to-be-random")) {
+ ret = kadm5_create_principal(handle, &ent,
+ (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
+ KADM5_ATTRIBUTES),
+ "to-be-random");
+ if (ret) {
if (ret != KADM5_DUP) {
com_err(progname, ret,
gettext(str_PUT_PRINC), fullname);
krb5_free_principal(context, ent.principal);
free(fullname);
- return (KADM5_ERR);
+ return ERR;
}
} else {
/* only randomize key if we created the principal */
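Review bot: The `return ERR` after a failed krb5_unparse_name is the only exit from add_admin_princ that does not free `principal`; every other path, including the success path further down, calls `krb5_free_principal(context, ent.principal)` on that same pointer, so the ownership contract is that this function frees it. Make the early exit `krb5_free_principal(context, principal); return ERR;`. The function body continues past the end of this hunk.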
@@ -302,25 +302,26 @@ add_admin_princ(void *handle, krb5_context context,
if (ret) {
com_err(progname, ret,
gettext(str_RANDOM_KEY), fullname);
- krb5_free_principal(context, ent.principal);
- free(fullname);
- return (KADM5_ERR);
- }
- ent.attributes = attrs;
- ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES);
- if (ret) {
- com_err(progname, ret,
- gettext(str_PUT_PRINC), fullname);
- krb5_free_principal(context, ent.principal);
- free(fullname);
- return (KADM5_ERR);
- }
- }
+ krb5_free_principal(context, ent.principal);
+ free(fullname);
+ return ERR;
+ }
+
+ ent.attributes = attrs;
+ ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES);
+ if (ret) {
+ com_err(progname, ret,
+ gettext(str_PUT_PRINC), fullname);
+ krb5_free_principal(context, ent.principal);
+ free(fullname);
+ return ERR;
+ }
+ }
- krb5_free_principal(context, ent.principal);
- free(fullname);
+ krb5_free_principal(context, ent.principal);
+ free(fullname);
- return (KADM5_OK);
+ return OK;
}
int
@@ -334,7 +335,7 @@ add_admin_old_princ(void *handle, krb5_context context,
fullname = build_name_with_realm(name, realm);
if (ret = krb5_parse_name(context, fullname, &principal)) {
com_err(progname, ret, gettext(str_PARSE_NAME));
- return (KADM5_ERR);
+ return (ERR);
}
return (add_admin_princ(handle, context, principal, attrs, lifetime));
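Review bot: `fullname`, allocated by build_name_with_realm on the first context line, is never freed on either exit of add_admin_old_princ; krb5_parse_name copies what it needs, so `ret = krb5_parse_name(context, fullname, &principal); free(fullname); if (ret) {` covers both paths. This hunk also keeps the `if (ret = ...)` assignment-in-condition and the parenthesized `return (ERR)` that the rest of the commit rewrote, and the add_admin_sname_princ hunk below has the same `return (ERR)` form.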
@@ -352,7 +353,7 @@ add_admin_sname_princ(void *handle, krb5_context context,
com_err(progname, ret,
gettext("Could not get host based "
"service name for %s principal\n"), sname);
- return (KADM5_ERR);
+ return (ERR);
}
return (add_admin_princ(handle, context, principal, attrs, lifetime));
}
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c
index 350f9b54c7..b0afb7e984 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c
@@ -94,8 +94,7 @@ enum ap_op {
TGT_KEY /* special handling for tgt key */
};
-krb5_key_salt_tuple def_kslist =
- {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
+krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL };
struct realm_info {
krb5_deltat max_life;
@@ -106,7 +105,6 @@ struct realm_info {
krb5_int32 nkslist;
krb5_key_salt_tuple *kslist;
} rblock = { /* XXX */
-
KRB5_KDB_MAX_LIFE,
KRB5_KDB_MAX_RLIFE,
KRB5_KDB_EXPIRATION,
@@ -122,10 +120,11 @@ struct iterate_args {
krb5_db_entry *dbentp;
};
-static krb5_error_code add_principal(krb5_context,
- krb5_principal,
- enum ap_op,
- struct realm_info *,
+static krb5_error_code add_principal
+ (krb5_context,
+ krb5_principal,
+ enum ap_op,
+ struct realm_info *,
krb5_keyblock *);
/*
@@ -151,10 +150,8 @@ krb5_data tgt_princ_entries[] = {
krb5_data db_creator_entries[] = {
{0, sizeof("db_creation")-1, "db_creation"} };
-/*
- * XXX knows about contents of krb5_principal, and that tgt names
- * are of form TGT/REALM@REALM
- */
+/* XXX knows about contents of krb5_principal, and that tgt names
+ are of form TGT/REALM@REALM */
krb5_principal_data tgt_princ = {
0, /* magic number */
{0, 0, 0}, /* krb5_data realm */
@@ -179,8 +176,7 @@ extern osa_adb_policy_t policy_db;
extern kadm5_config_params global_params;
extern krb5_context util_context;
-void
-kdb5_create(argc, argv)
+void kdb5_create(argc, argv)
int argc;
char *argv[];
{
@@ -196,7 +192,7 @@ kdb5_create(argc, argv)
kdb_log_context *log_ctx;
krb5_keyblock mkey;
krb5_data master_salt = { 0, NULL };
-
+
if (strrchr(argv[0], '/'))
argv[0] = strrchr(argv[0], '/')+1;
@@ -224,41 +220,41 @@ kdb5_create(argc, argv)
log_ctx = util_context->kdblog_context;
retval = krb5_db_set_name(util_context, global_params.dbname);
- if (!retval)
- retval = EEXIST;
+ if (!retval) retval = EEXIST;
if (retval == EEXIST || retval == EACCES || retval == EPERM) {
/* it exists ! */
com_err(argv[0], 0,
gettext("The database '%s' appears to already exist"),
global_params.dbname);
- exit_status++;
- return;
+ exit_status++; return;
}
+/* SUNW14resync XXX */
+#if 0
+ printf ("Loading random data\n");
+ retval = krb5_c_random_os_entropy (util_context, 1, NULL);
+ if (retval) {
+ com_err (argv[0], retval, "Loading random data");
+ exit_status++; return;
+ }
+#endif
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
global_params.realm,
&mkey_fullname, &master_princ))) {
- com_err(argv[0], retval,
+ com_err(argv[0], retval,
gettext("while setting up master key name"));
- exit_status++;
- return;
+ exit_status++; return;
}
- krb5_princ_set_realm_data(util_context,
- &db_create_princ, global_params.realm);
- krb5_princ_set_realm_length(util_context,
- &db_create_princ,
- strlen(global_params.realm));
- krb5_princ_set_realm_data(util_context,
- &tgt_princ, global_params.realm);
- krb5_princ_set_realm_length(util_context,
- &tgt_princ, strlen(global_params.realm));
- krb5_princ_component(util_context, &tgt_princ, 1)->data =
- global_params.realm;
- krb5_princ_component(util_context, &tgt_princ, 1)->length =
- strlen(global_params.realm);
+
+ krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm);
+ krb5_princ_set_realm_length(util_context, &db_create_princ, strlen(global_params.realm));
+ krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
+ krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
+ krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
+ krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
printf(gettext("Initializing database '%s' for realm '%s',\n"
"master key name '%s'\n"),
@@ -279,17 +275,15 @@ kdb5_create(argc, argv)
"master key to verify"),
pw_str, &pw_size);
if (retval) {
- com_err(argv[0], retval,
+ com_err(argv[0], retval,
gettext("while reading master key from keyboard"));
- exit_status++;
- return;
+ exit_status++; return;
}
mkey_password = pw_str;
}
pwd.data = mkey_password;
pwd.length = strlen(mkey_password);
-
retval = krb5_principal2salt(util_context, master_princ, &master_salt);
if (retval) {
com_err(argv[0], retval,
@@ -298,8 +292,9 @@ kdb5_create(argc, argv)
goto cleanup;
}
- if (retval = krb5_c_string_to_key(util_context, global_params.enctype,
- &pwd, &master_salt, &mkey)) {
+ retval = krb5_c_string_to_key(util_context, global_params.enctype,
+ &pwd, &master_salt, &mkey);
+ if (retval) {
com_err(argv[0], retval,
gettext("while transforming master key from password"));
exit_status++;
@@ -393,10 +388,11 @@ kdb5_create(argc, argv)
* it; delete the file below if it was not requested. DO NOT EXIT
* BEFORE DELETING THE KEYFILE if do_stash is not set.
*/
- if (retval = krb5_db_store_mkey(util_context,
- global_params.stash_file,
- master_princ,
- &mkey)) {
+ retval = krb5_db_store_mkey(util_context,
+ global_params.stash_file,
+ master_princ,
+ &mkey);
+ if (retval) {
com_err(argv[0], errno, gettext("while storing key"));
printf(gettext("Warning: couldn't stash master key.\n"));
}
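Review bot: When krb5_db_store_mkey fails, the rewritten check reports `errno` rather than the `retval` it just stored, so the message can describe an unrelated or stale error unless the call is documented to fail only with errno set; `com_err(argv[0], errno, gettext("while storing key"));` should become `com_err(argv[0], retval, gettext("while storing key"));`. The krb5_db_store_mkey check in the kdb5_stash.c hunk has the same pattern. kdb5_create's body continues outside this hunk.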
@@ -405,13 +401,11 @@ kdb5_create(argc, argv)
memset(pw_str, 0, pw_size);
if (kadm5_create(&global_params)) {
- if (!do_stash)
- unlink(global_params.stash_file);
- exit_status++;
- goto cleanup;
+ if (!do_stash) unlink(global_params.stash_file);
+ exit_status++;
+ goto cleanup;
}
- if (!do_stash)
- unlink(global_params.stash_file);
+ if (!do_stash) unlink(global_params.stash_file);
cleanup:
if (pw_str) {
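Review bot: The `unlink` of the temporary stash file on both `!do_stash` paths has its return value ignored, so if removal fails the master key stays on disk and the operator gets no message; `if (!do_stash && unlink(global_params.stash_file) != 0) com_err(argv[0], errno, gettext("while removing temporary stash file"));` at both sites. The `memset(pw_str, 0, pw_size)` at the top of the hunk is the only wipe of the typed master password; a plain memset just ahead of releasing the buffer can be dropped by the optimizer, so a volatile-safe wipe (or `explicit_bzero` where available) is worth considering if `cleanup:` frees `pw_str`.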
@@ -426,7 +420,6 @@ cleanup:
(void) krb5_db_fini(util_context);
return;
-
}
static krb5_error_code
@@ -439,7 +432,6 @@ tgt_keysalt_iterate(ksent, ptr)
struct iterate_args *iargs;
krb5_keyblock key;
krb5_int32 ind;
- krb5_pointer rseed;
krb5_data pwd;
iargs = (struct iterate_args *) ptr;
@@ -453,7 +445,8 @@ tgt_keysalt_iterate(ksent, ptr)
*/
pwd.data = mkey_password;
pwd.length = strlen(mkey_password);
- if (kret = krb5_c_random_seed(context, &pwd))
+ kret = krb5_c_random_seed(context, &pwd);
+ if (kret)
return kret;
if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {
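Review bot: `krb5_c_random_seed(context, &pwd)` feeds the master password into the random pool immediately before the TGT key is generated, and the kdb5_create hunk above disables the `krb5_c_random_os_entropy` call under `#if 0`; if the library pool is not seeded elsewhere in this build, the unpredictability of the generated TGT key rests on the master password alone. A comment here naming the entropy source the key generation actually relies on, e.g. `/* NOTE: random pool is seeded from <source>; the master password is only mixed in */`, and a check that the source exists, would settle the question for the next reader. tgt_keysalt_iterate begins outside the hunk.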
@@ -474,11 +467,12 @@ tgt_keysalt_iterate(ksent, ptr)
}
static krb5_error_code
-add_principal(krb5_context context,
- krb5_principal princ,
- enum ap_op op,
- struct realm_info *pblock,
- krb5_keyblock *mkey)
+add_principal(context, princ, op, pblock, mkey)
+ krb5_context context;
+ krb5_principal princ;
+ enum ap_op op;
+ struct realm_info *pblock;
+ krb5_keyblock *mkey;
{
krb5_error_code retval;
krb5_db_entry entry;
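Review bot: The commit converts add_principal from a prototyped definition to a K&R one while the forward declaration at the top of the file (earlier hunk) stays in ANSI form, so the file now mixes both styles for the same function. Keeping the prototyped definition matches the declaration and does not rely on default argument promotions agreeing with it. The function body continues outside the hunk.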
@@ -508,17 +502,17 @@ add_principal(krb5_context context,
switch (op) {
case MASTER_KEY:
- entry.key_data = (krb5_key_data *) malloc(sizeof (krb5_key_data));
- if (entry.key_data == NULL)
+ if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data)))
+ == NULL)
goto error_out;
-
memset((char *) entry.key_data, 0, sizeof(krb5_key_data));
entry.n_key_data = 1;
entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
- mkey, NULL, 1, entry.key_data)))
- goto error_out;
+ mkey, NULL,
+ 1, entry.key_data)))
+ goto error_out;
break;
case TGT_KEY:
iargs.ctx = context;
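Review bot: In the rewritten MASTER_KEY allocation check, `retval` is not set before `goto error_out`, so if the preceding calls (outside the hunk) left it at 0 a failed malloc makes add_principal return success without storing the entry. Add `retval = ENOMEM;` before that goto; errno constants are already in use in this file (EEXIST, EOPNOTSUPP). The earlier two-statement form `entry.key_data = malloc(...); if (entry.key_data == NULL)` also read more clearly than the assignment and cast folded into the condition.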
@@ -532,10 +526,10 @@ add_principal(krb5_context context,
1,
tgt_keysalt_iterate,
(krb5_pointer) &iargs)))
- return (retval);
+ return retval;
break;
case NULL_KEY:
- return (EOPNOTSUPP);
+ return EOPNOTSUPP;
default:
break;
}
@@ -543,6 +537,6 @@ add_principal(krb5_context context,
retval = krb5_db_put_principal(context, &entry, &nentries);
error_out:;
- krb5_dbe_free_contents(context, &entry);
- return (retval);
+ krb5_dbe_free_contents(context, &entry);
+ return retval;
}
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_destroy.c b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_destroy.c
index a02d5fda1c..fde0bf7b49 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_destroy.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_destroy.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -82,7 +82,6 @@
#include <libintl.h>
#include "kdb5_util.h"
-extern int errno;
extern int exit_status;
extern krb5_boolean dbactive;
extern kadm5_config_params global_params;
@@ -98,9 +97,9 @@ kdb5_destroy(argc, argv)
int optchar;
char *dbname;
char buf[5];
- char dbfilename[MAXPATHLEN];
krb5_error_code retval, retval1, retval2;
krb5_context context;
+ int force = 0;
char ufilename[MAX_FILENAME];
krb5_init_context(&context);
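Review bot: `krb5_init_context(&context);` on the last context line of this hunk has its return value ignored, so a failure leaves `context` uninitialized for the krb5_db_set_name and krb5_db_destroy calls that follow; `if ((retval = krb5_init_context(&context))) { com_err(argv[0], retval, gettext("while initializing krb5")); exit_status++; return; }` keeps the function's usual error convention. kdb5_destroy's signature is outside the hunk.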
@@ -110,29 +109,42 @@ kdb5_destroy(argc, argv)
dbname = global_params.dbname;
- printf(gettext("Deleting KDC database stored in '%s', "
- "are you sure?\n"), dbname);
- printf(gettext("(type 'yes' or 'y' to confirm)? "));
-
- if (fgets(buf, sizeof (buf), stdin) == NULL) {
- exit_status++;
- return;
+ optind = 1;
+ while ((optchar = getopt(argc, argv, "f")) != -1) {
+ switch(optchar) {
+ case 'f':
+ force++;
+ break;
+ case '?':
+ default:
+ usage();
+ return;
+ /*NOTREACHED*/
+ }
}
- if ((strncmp(buf, gettext("yes\n"),
+ if (!force) {
+ printf(gettext("Deleting KDC database stored in '%s', "
+ "are you sure?\n"), dbname);
+ printf(gettext("(type 'yes' or 'y' to confirm)? "));
+ if (fgets(buf, sizeof(buf), stdin) == NULL) {
+ exit_status++; return;
+ }
+ if ((strncmp(buf, gettext("yes\n"),
strlen(gettext("yes\n"))) != 0) &&
(strncmp(buf, gettext("y\n"),
strlen(gettext("y\n"))) != 0)) {
printf(gettext("database not deleted !! '%s'...\n"),
dbname);
- exit_status++;
- return;
+ exit_status++; return;
+ }
+ printf(gettext("OK, deleting database '%s'...\n"), dbname);
}
- printf(gettext("OK, deleting database '%s'...\n"), dbname);
- if (retval = krb5_db_set_name(context, dbname)) {
+
+ retval = krb5_db_set_name(context, dbname);
+ if (retval) {
com_err(argv[0], retval, "'%s'",dbname);
- exit_status++;
- return;
+ exit_status++; return;
}
retval1 = krb5_db_destroy(context, dbname);
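Review bot: In the new getopt switch, `usage()` exits the process (its definition in the kdb5_util.c hunk ends in `exit(1)`), so the `return;` after it is unreachable and the `/*NOTREACHED*/` marker sits after the return rather than after the `usage()` call; either drop the `return;` or move the marker. Since `-f` removes the interactive confirmation before destroying the KDC database, a one-line comment at the `case 'f':` such as `/* -f: destroy without the interactive confirmation */` would document the intent next to the flag.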
@@ -160,14 +172,12 @@ kdb5_destroy(argc, argv)
if (retval1) {
com_err(argv[0], retval1,
gettext("deleting database '%s'"), dbname);
- exit_status++;
- return;
+ exit_status++; return;
}
if (retval2) {
com_err(argv[0], retval2,
gettext("destroying policy database"));
- exit_status++;
- return;
+ exit_status++; return;
}
if (global_params.iprop_enabled) {
@@ -184,5 +194,6 @@ kdb5_destroy(argc, argv)
}
dbactive = FALSE;
- printf(gettext("** Database '%s' destroyed.\n"), dbname);
+ printf(gettext("** Database '%s' destroyed.\n"), dbname);
+ return;
}
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c
index a29b2bbfd6..6e61fa1454 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -52,6 +52,33 @@
* Store the master database key in a file.
*/
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+
#define KDB5_DISPATCH
#define KRB5_KDB5_DBM__
#include <k5-int.h>
@@ -78,8 +105,7 @@
#include <kadm5/admin.h>
#include <stdio.h>
#include <libintl.h>
-
-extern int errno;
+#include "kdb5_util.h"
extern krb5_principal master_princ;
extern kadm5_config_params global_params;
@@ -89,8 +115,8 @@ extern int close_policy_db;
void
kdb5_stash(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
extern char *optarg;
extern int optind;
@@ -104,8 +130,6 @@ char *argv[];
krb5_context context;
krb5_keyblock mkey;
- int enctypedone = 0;
-
if (strrchr(argv[0], '/'))
argv[0] = strrchr(argv[0], '/')+1;
@@ -142,67 +166,71 @@ char *argv[];
global_params.enctype);
else
com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp);
- exit_status++;
- return;
+ exit_status++; return;
}
- if (retval = krb5_db_set_name(context, dbname)) {
+ retval = krb5_db_set_name(context, dbname);
+ if (retval) {
com_err(argv[0], retval,
gettext("while setting active database to '%s'"),
dbname);
- exit_status++;
- return;
+ exit_status++; return;
}
/* assemble & parse the master key name */
- if (retval = krb5_db_setup_mkey_name(context, mkey_name, realm,
- &mkey_fullname, &master_princ)) {
+ retval = krb5_db_setup_mkey_name(context, mkey_name, realm,
+ &mkey_fullname, &master_princ);
+ if (retval) {
com_err(argv[0], retval,
gettext("while setting up master key name"));
- exit_status++;
- return;
+ exit_status++; return;
}
- if (retval = krb5_db_init(context)) {
+
+ retval = krb5_db_init(context);
+ if (retval) {
com_err(argv[0], retval,
gettext("while initializing the database '%s'"),
- dbname);
- exit_status++;
- return;
+ dbname);
+ exit_status++; return;
}
/* TRUE here means read the keyboard, but only once */
- if (retval = krb5_db_fetch_mkey(context, master_princ,
- global_params.enctype,
- TRUE, FALSE, (char *) NULL,
- 0, &mkey)) {
+ retval = krb5_db_fetch_mkey(context, master_princ,
+ global_params.enctype,
+ TRUE, FALSE, (char *) NULL,
+ 0, &mkey);
+ if (retval) {
com_err(argv[0], retval, gettext("while reading master key"));
(void) krb5_db_fini(context);
- exit_status++;
- return;
+ exit_status++; return;
}
- if (retval = krb5_db_verify_master_key(context, master_princ, &mkey)) {
+
+ retval = krb5_db_verify_master_key(context, master_princ, &mkey);
+ if (retval) {
com_err(argv[0], retval, gettext("while verifying master key"));
krb5_free_keyblock_contents(context, &mkey);
(void) krb5_db_fini(context);
- exit_status++;
- return;
+ exit_status++; return;
}
- if (retval = krb5_db_store_mkey(context, keyfile, master_princ,
- &mkey)) {
+
+ retval = krb5_db_store_mkey(context, keyfile, master_princ,
+ &mkey);
+ if (retval) {
com_err(argv[0], errno, gettext("while storing key"));
krb5_free_keyblock_contents(context, &mkey);
(void) krb5_db_fini(context);
- exit_status++;
- return;
+ exit_status++; return;
}
krb5_free_keyblock_contents(context, &mkey);
- if (retval = krb5_db_fini(context)) {
+
+ retval = krb5_db_fini(context);
+ if (retval) {
com_err(argv[0], retval,
gettext("closing database '%s'"), dbname);
- exit_status++;
- return;
+ exit_status++; return;
}
krb5_free_context(context);
exit_status = 0;
+ return;
}
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c
index c0d1a141d8..850ec6db3e 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -53,6 +53,32 @@
*/
/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/*
* Yes, I know this is a hack, but we need admin.h without including the
* rpc.h header. Additionally, our rpc.h header brings in
* a des.h header which causes other problems.
@@ -108,23 +134,24 @@ krb5_context util_context;
osa_adb_policy_t policy_db;
kadm5_config_params global_params;
-void
-usage()
+void usage()
{
- fprintf(stderr, "%s: "
- "kdb5_util cmd [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n"
- "\t [-f] [stashfile] [-P password] [-m ] [cmd options]\n"
- "\tcreate [-s]\n"
- "\tdestroy \n"
- "\tstash \n"
- "\tdump [-old] [-ov] [-b6] [-verbose] [filename [princs...]]\n"
- "\tload [-old] [-ov] [-b6] [-verbose] [-update] filename\n"
+ fprintf(stderr, "%s: "
+ "kdb5_util [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n"
+ "\t [-f | -sf stashfilename] [-P password] [-m] cmd [cmd_options]\n"
+ "\tcreate [-s]\n"
+ "\tdestroy [-f]\n"
+ "\tstash [-f keyfile]\n"
+ "\tdump [-old] [-ov] [-b6] [-verbose] [filename [princs...]]\n"
+ "\t [-mkey_convert] [-new_mkey_file mkey_file]\n"
+ "\t [-rev] [-recurse] [filename [princs...]]\n"
+ "\tload [-old] [-ov] [-b6] [-verbose] [-update] filename\n"
#ifdef SUNWOFF
- "\tload_v4 [-t] [-n] [-v] [-K] [-s stashfile] inputfile\n"
+ "\tload_v4 [-t] [-n] [-v] [-K] [-s stashfile] inputfile\n"
#endif
- "\tark [-e etype_list] principal\n",
+ "\tark [-e etype_list] principal\n",
gettext("Usage"));
- exit(1);
+ exit(1);
}
krb5_keyblock master_key;
@@ -137,55 +164,48 @@ char *progname;
krb5_boolean manual_mkey = FALSE;
krb5_boolean dbactive = FALSE;
-int kdb5_create(int, char **);
-int kdb5_destroy(int, char **);
-int kdb5_stash(int, char **);
-int dump_db(int, char **);
-int load_db(int, char **);
-int open_db_and_mkey();
-int add_random_key(int, char **);
+static int open_db_and_mkey(void);
+
+static void add_random_key(int, char **);
-typedef int (*cmd_func)(int, char **);
+typedef void (*cmd_func)(int, char **);
struct _cmd_table {
char *name;
cmd_func func;
int opendb;
} cmd_table[] = {
- "create", kdb5_create, 0,
- "destroy", kdb5_destroy, 1,
- "stash", kdb5_stash, 1,
- "dump", dump_db, 1,
- "load", load_db, 0,
- "ark", add_random_key, 1,
- NULL, NULL, 0,
+ {"create", kdb5_create, 0},
+ {"destroy", kdb5_destroy, 1},
+ {"stash", kdb5_stash, 1},
+ {"dump", dump_db, 1},
+ {"load", load_db, 0},
+ {"ark", add_random_key, 1},
+ {NULL, NULL, 0},
};
-struct _cmd_table *
-cmd_lookup(name)
+static struct _cmd_table *cmd_lookup(name)
char *name;
{
struct _cmd_table *cmd = cmd_table;
-
while (cmd->name) {
if (strcmp(cmd->name, name) == 0)
- return (cmd);
+ return cmd;
else
cmd++;
}
- return (NULL);
+ return NULL;
}
-#define ARG_VAL (--argc > 0 ? (optarg = *(++argv)) : (char *)(usage(), NULL))
+#define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(usage(), NULL))
-int
-main(argc, argv)
+int main(argc, argv)
int argc;
char *argv[];
{
struct _cmd_table *cmd = NULL;
- char *optarg, **cmd_argv;
+ char *koptarg, **cmd_argv;
int cmd_argc;
krb5_error_code retval;
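Review bot: `cmd_lookup` keeps a K&R parameter list (`cmd_lookup(name) char *name;`) while the prototypes introduced in the same hunk (`open_db_and_mkey(void)`, `add_random_key(int, char **)`) are ANSI, and the lookup only reads the name; `static struct _cmd_table *cmd_lookup(const char *name)` matches the new declarations and lets the compiler check the call in main. The `koptarg` rename that stops shadowing the POSIX `optarg` is a good change; the `ARG_VAL` macro it feeds still hides a process exit inside an expression, which a one-line comment above the macro should state.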
@@ -218,17 +238,16 @@ main(argc, argv)
memset(cmd_argv, 0, sizeof(char *)*argc);
cmd_argc = 1;
- argv++;
- argc--;
+ argv++; argc--;
while (*argv) {
if (strcmp(*argv, "-P") == 0 && ARG_VAL) {
- mkey_password = optarg;
+ mkey_password = koptarg;
manual_mkey = TRUE;
} else if (strcmp(*argv, "-d") == 0 && ARG_VAL) {
- global_params.dbname = optarg;
+ global_params.dbname = koptarg;
global_params.mask |= KADM5_CONFIG_DBNAME;
} else if (strcmp(*argv, "-r") == 0 && ARG_VAL) {
- global_params.realm = optarg;
+ global_params.realm = koptarg;
global_params.mask |= KADM5_CONFIG_REALM;
/* not sure this is really necessary */
if ((retval = krb5_set_default_realm(util_context,
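Review bot: The `-P` branch stores the master password taken from the command line, where it remains visible to other local users through the process argument list for the life of the process; the usage text advertises the option without that caveat. A comment on this branch, `/* -P: master password from argv; visible in process listings, -m prompts instead */`, and a matching sentence in usage() or the man page would document the trade-off. main's body continues outside the hunk.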
@@ -239,20 +258,20 @@ main(argc, argv)
exit(1);
}
} else if (strcmp(*argv, "-k") == 0 && ARG_VAL) {
- if (krb5_string_to_enctype(optarg,
+ if (krb5_string_to_enctype(koptarg,
&global_params.enctype))
com_err(argv[0], 0,
gettext("%s is an invalid enctype"),
- optarg);
+ koptarg);
else
global_params.mask |= KADM5_CONFIG_ENCTYPE;
} else if (strcmp(*argv, "-M") == 0 && ARG_VAL) {
- global_params.mkey_name = optarg;
+ global_params.mkey_name = koptarg;
global_params.mask |= KADM5_CONFIG_MKEY_NAME;
} else if (((strcmp(*argv, "-sf") == 0)
/* SUNWresync121 - carry the old -f forward too */
|| (strcmp(*argv, "-f") == 0)) && ARG_VAL) {
- global_params.stash_file = optarg;
+ global_params.stash_file = koptarg;
global_params.mask |= KADM5_CONFIG_STASH_FILE;
} else if (strcmp(*argv, "-m") == 0) {
manual_mkey = TRUE;
@@ -266,19 +285,20 @@ main(argc, argv)
} else {
cmd_argv[cmd_argc++] = *argv;
}
- argv++;
- argc--;
+ argv++; argc--;
}
if (cmd_argv[0] == NULL)
usage();
- if (retval = kadm5_get_config_params(util_context, NULL, NULL,
- &global_params, &global_params)) {
+ retval = kadm5_get_config_params(util_context, NULL, NULL,
+ &global_params, &global_params);
+ if (retval) {
com_err(argv[0], retval,
gettext("while retreiving configuration parameters"));
exit(1);
}
+
/*
* Dump creates files which should not be world-readable. It is
* easiest to do a single umask call here.
@@ -295,7 +315,7 @@ main(argc, argv)
cmd = cmd_lookup(cmd_argv[0]);
if (cmd->opendb && open_db_and_mkey())
- return (exit_status);
+ return exit_status;
if (global_params.iprop_enabled == TRUE)
ulog_set_role(util_context, IPROP_MASTER);
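Review bot: `cmd_lookup` returns NULL for an unknown command name (its definition in the earlier hunk), and the line after `cmd = cmd_lookup(cmd_argv[0]);` dereferences `cmd->opendb` directly; unless a NULL check sits between them that this view does not show, an unrecognized command dereferences NULL instead of reaching usage(). `if (cmd == NULL) usage();` ahead of the `opendb` test closes that. main's body runs past both ends of the hunk.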
@@ -309,7 +329,7 @@ main(argc, argv)
}
kadm5_free_config_params(util_context, &global_params);
krb5_free_context(util_context);
- return (exit_status);
+ return exit_status;
}
#if 0
@@ -317,8 +337,7 @@ main(argc, argv)
* This function is no longer used in kdb5_util (and it would no
* longer work, anyway).
*/
-void
-set_dbname(argc, argv)
+void set_dbname(argc, argv)
int argc;
char *argv[];
{
@@ -348,8 +367,8 @@ set_dbname(argc, argv)
}
(void) set_dbname_help(argv[0], argv[1]);
+ return;
}
-
#endif
/*
@@ -361,8 +380,7 @@ set_dbname(argc, argv)
* cannot be fetched (the master key stash file may not exist when the
* program is run).
*/
-int
-open_db_and_mkey()
+static int open_db_and_mkey()
{
krb5_error_code retval;
int nentries;
@@ -385,12 +403,13 @@ open_db_and_mkey()
exit_status++;
return(1);
}
- if (retval = osa_adb_open_policy(&policy_db, &global_params)) {
+ if ((retval = osa_adb_open_policy(&policy_db, &global_params))) {
com_err(progname, retval,
gettext("opening policy database"));
exit_status++;
- return (1);
+ return (1);
}
+
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
@@ -423,6 +442,7 @@ open_db_and_mkey()
(void) krb5_db_fini(util_context);
return(1);
}
+
krb5_db_free_principal(util_context, &master_entry, nentries);
/* the databases are now open, and the master principal exists */
@@ -431,13 +451,13 @@ open_db_and_mkey()
if (mkey_password) {
pwd.data = mkey_password;
pwd.length = strlen(mkey_password);
- retval = krb5_principal2salt(util_context,
- master_princ, &scratch);
+ retval = krb5_principal2salt(util_context, master_princ, &scratch);
if (retval) {
com_err(progname, retval,
gettext("while calculated master key salt"));
- return(1);
+ return(1);
}
+
/* If no encryption type is set, use the default */
if (global_params.enctype == ENCTYPE_UNKNOWN) {
global_params.enctype = DEFAULT_KDC_ENCTYPE;
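Review bot: The krb5_principal2salt failure path in this hunk does `return(1)` without `exit_status++`, unlike the other failure paths in open_db_and_mkey (the osa_adb_open_policy path two hunks up, for one); main returns `exit_status` when open_db_and_mkey fails, so this particular failure can leave the process exiting with status 0. Add `exit_status++;` before that return. open_db_and_mkey continues outside the hunk.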
@@ -491,7 +511,7 @@ open_db_and_mkey()
valid_master_key = 1;
dbactive = TRUE;
- return (0);
+ return 0;
}
#ifdef HAVE_GETCWD
@@ -505,7 +525,7 @@ quit()
static krb5_boolean finished = 0;
if (finished)
- return (0);
+ return 0;
retval = krb5_db_fini(util_context);
krb5_free_keyblock_contents(util_context, &master_key);
finished = TRUE;
@@ -513,12 +533,12 @@ quit()
if (retval && retval != KRB5_KDB_DBNOTINITED) {
com_err(progname, retval, gettext("while closing database"));
exit_status++;
- return (1);
+ return 1;
}
- return (0);
+ return 0;
}
-int
+static void
add_random_key(argc, argv)
int argc;
char **argv;
@@ -526,7 +546,7 @@ add_random_key(argc, argv)
krb5_error_code ret;
krb5_principal princ;
krb5_db_entry dbent;
- int n, i;
+ int n;
krb5_boolean more;
krb5_timestamp now;
@@ -554,23 +574,27 @@ add_random_key(argc, argv)
ret = krb5_parse_name(util_context, pr_str, &princ);
if (ret) {
com_err(me, ret, gettext("while parsing principal name %s"), pr_str);
- return 1;
+ exit_status++;
+ return;
}
n = 1;
ret = krb5_db_get_principal(util_context, princ, &dbent,
&n, &more);
if (ret) {
com_err(me, ret, gettext("while fetching principal %s"), pr_str);
- return 1;
+ exit_status++;
+ return;
}
if (n != 1) {
fprintf(stderr, gettext("principal %s not found\n"), pr_str);
- return 1;
+ exit_status++;
+ return;
}
if (more) {
fprintf(stderr, gettext("principal %s not unique\n"), pr_str);
krb5_dbe_free_contents(util_context, &dbent);
- return 1;
+ exit_status++;
+ return;
}
ret = krb5_string_to_keysalts(ks_str,
", \t", ":.-", 0,
@@ -578,7 +602,8 @@ add_random_key(argc, argv)
&num_keysalts);
if (ret) {
com_err(me, ret, gettext("while parsing keysalts %s"), ks_str);
- return 1;
+ exit_status++;
+ return;
}
if (!num_keysalts || keysalts == NULL) {
num_keysalts = global_params.num_keysalts;
@@ -594,27 +619,30 @@ add_random_key(argc, argv)
if (ret) {
com_err(me, ret, gettext("while randomizing principal %s"), pr_str);
krb5_dbe_free_contents(util_context, &dbent);
- return 1;
+ exit_status++;
+ return;
}
dbent.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(util_context, &now);
if (ret) {
com_err(me, ret, gettext("while getting time"));
krb5_dbe_free_contents(util_context, &dbent);
- return 1;
+ exit_status++;
+ return;
}
ret = krb5_dbe_update_last_pwd_change(util_context, &dbent, now);
if (ret) {
com_err(me, ret, gettext("while setting changetime"));
krb5_dbe_free_contents(util_context, &dbent);
- return 1;
+ exit_status++;
+ return;
}
ret = krb5_db_put_principal(util_context, &dbent, &n);
krb5_dbe_free_contents(util_context, &dbent);
if (ret) {
com_err(me, ret, gettext("while saving principal %s"), pr_str);
- return 1;
+ exit_status++;
+ return;
}
printf("%s changed\n", pr_str);
- return 0;
}
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h
index 84643664a3..2244295c29 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -39,7 +39,7 @@ extern "C" {
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -47,40 +47,68 @@ extern "C" {
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
-
#include <kdb/kdb_log.h>
-
-#define MAX_HEADER 1024
-#define REALM_SEP '@'
-#define REALM_SEP_STR "@"
+#define MAX_HEADER 1024
+#define REALM_SEP '@'
+#define REALM_SEP_STR "@"
extern char *progname;
extern char *Err_no_database;
+extern krb5_boolean dbactive;
+extern int exit_status;
+extern krb5_context util_context;
+extern kadm5_config_params global_params;
+extern int valid_master_key;
+extern krb5_db_entry master_db;
+
+extern void usage(void);
+
+extern void add_key
+ (char const *, char const *,
+ krb5_const_principal, const krb5_keyblock *,
+ krb5_kvno, krb5_keysalt *);
+extern int set_dbname_help
+ (char *, char *);
+
+extern char *kdb5_util_Init (int, char **);
+
+extern int quit (void);
+
+extern int check_for_match
+ (char *, int, krb5_db_entry *, int, int);
+
+extern void parse_token
+ (char *, int *, int *, char *);
+
+extern int create_db_entry (krb5_principal, krb5_db_entry *);
-void add_key
-(char const *, char const *,
- krb5_const_principal, const krb5_keyblock *,
- krb5_kvno, krb5_keysalt *);
-int set_dbname_help
- (char *, char *);
+extern int kadm5_create_magic_princs (kadm5_config_params *params,
+ krb5_context context);
-char *kdb5_util_Init (int, char **);
+extern int process_ov_principal (char *fname, krb5_context kcontext,
+ FILE *filep, int verbose,
+ int *linenop,
+ void *pol_db);
-int quit();
+extern void load_db (int argc, char **argv);
+extern void dump_db (int argc, char **argv);
+extern void kdb5_create (int argc, char **argv);
+extern void kdb5_destroy (int argc, char **argv);
+extern void kdb5_stash (int argc, char **argv);
-int check_for_match
- (char *, int, krb5_db_entry *, int, int);
+extern void update_ok_file (char *file_name);
-void parse_token
- (char *, int *, int *, char *);
+extern int kadm5_create (kadm5_config_params *params);
-int create_db_entry
- (krb5_principal, krb5_db_entry *);
+void usage (void);
#ifdef __cplusplus
}
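Review bot: `usage` is declared twice in the new declaration list, once as `extern void usage(void);` near the top of the hunk and again as `void usage (void);` just before the `#ifdef __cplusplus` close; the two agree so this compiles, but one should be removed. The rest of the list now gives every dbutil entry point a real prototype (including `extern int quit (void);` replacing the unprototyped `int quit();`), which only pays off if the K&R-style definitions in ovload.c and util.c in this same change are eventually converted to match them.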
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/nstrtok.h b/usr/src/cmd/krb5/kadmin/dbutil/nstrtok.h
new file mode 100644
index 0000000000..fab4740862
--- /dev/null
+++ b/usr/src/cmd/krb5/kadmin/dbutil/nstrtok.h
@@ -0,0 +1,7 @@
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+
+/* Prototype for nstrtok */
+char *nstrtok(char *, const char *delim);
+
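Review bot: The new header has no include guard and does not tell the caller that nstrtok keeps its scan position in a file-scope static (see strtok.c in this same change), so nothing at the prototype warns that interleaving two tokenisations, or calling it from more than one thread, corrupts the state. Wrap the declaration in `#ifndef NSTRTOK_H` / `#define NSTRTOK_H` / `#endif` and put a comment such as `/* Not reentrant: keeps the scan position in static storage, like strtok(3). */` above the prototype.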
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/ovload.c b/usr/src/cmd/krb5/kadmin/dbutil/ovload.c
index 2cdfc39276..4c8990d39d 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/ovload.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/ovload.c
@@ -21,212 +21,210 @@
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
+#ifdef HAVE_MEMORY_H
#include <memory.h>
+#endif
#include <kadm5/adb.h>
#include "import_err.h"
+#include "kdb5_util.h"
+#include "nstrtok.h"
-#define LINESIZE 32768 /* XXX */
-#define PLURAL(count) (((count) == 1) ? \
- error_message(IMPORT_SINGLE_RECORD) : \
- error_message(IMPORT_PLURAL_RECORDS))
+#define LINESIZE 32768 /* XXX */
+#define PLURAL(count) (((count) == 1) ? error_message(IMPORT_SINGLE_RECORD) : error_message(IMPORT_PLURAL_RECORDS))
-int
-parse_pw_hist_ent(current, hist)
-char *current;
-osa_pw_hist_ent *hist;
+static int parse_pw_hist_ent(current, hist)
+ char *current;
+ osa_pw_hist_ent *hist;
{
- int tmp, i, j, ret;
- char *cp;
-
- ret = 0;
- hist->n_key_data = 1;
-
- hist->key_data = (krb5_key_data *) malloc(hist->n_key_data *
- sizeof (krb5_key_data));
- if (hist->key_data == NULL)
- return (ENOMEM);
- memset(hist->key_data, 0, sizeof (krb5_key_data) * hist->n_key_data);
-
- for (i = 0; i < hist->n_key_data; i++) {
- krb5_key_data *key_data = &hist->key_data[i];
-
- key_data->key_data_ver = 1;
-
- if ((cp = strtok((char *) NULL, "\t")) == NULL) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
- goto done;
- }
- key_data->key_data_type[0] = atoi(cp);
-
- if ((cp = strtok((char *) NULL, "\t")) == NULL) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
- goto done;
- }
- key_data->key_data_length[0] = atoi(cp);
-
- if ((cp = strtok((char *) NULL, "\t")) == NULL) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
- goto done;
- }
- if (!(key_data->key_data_contents[0] = (krb5_octet *)
- malloc(key_data->key_data_length[0] + 1))) {
- ret = ENOMEM;
- goto done;
- }
- for (j = 0; j < key_data->key_data_length[0]; j++) {
- if (sscanf(cp, "%02x", &tmp) != 1) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
- goto done;
- }
- key_data->key_data_contents[0][j] = tmp;
- cp = strchr(cp, ' ') + 1;
- }
- }
-
+ int tmp, i, j, ret;
+ char *cp;
+
+ ret = 0;
+ hist->n_key_data = 1;
+
+ hist->key_data = (krb5_key_data *) malloc(hist->n_key_data *
+ sizeof(krb5_key_data));
+ if (hist->key_data == NULL)
+ return ENOMEM;
+ memset(hist->key_data, 0, sizeof(krb5_key_data)*hist->n_key_data);
+
+ for (i = 0; i < hist->n_key_data; i++) {
+ krb5_key_data *key_data = &hist->key_data[i];
+
+ key_data->key_data_ver = 1;
+
+ if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ }
+ key_data->key_data_type[0] = atoi(cp);
+
+ if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ }
+ key_data->key_data_length[0] = atoi(cp);
+
+ if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ }
+ if(!(key_data->key_data_contents[0] =
+ (krb5_octet *) malloc(key_data->key_data_length[0]+1))) {
+ ret = ENOMEM;
+ goto done;
+ }
+ for(j = 0; j < key_data->key_data_length[0]; j++) {
+ if(sscanf(cp, "%02x", &tmp) != 1) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ }
+ key_data->key_data_contents[0][j] = tmp;
+ cp = strchr(cp, ' ') + 1;
+ }
+ }
+
done:
- return (ret);
+ return ret;
}
/*
* Function: parse_principal
- *
+ *
* Purpose: parse principal line in db dump file
*
* Arguments:
- * <return value> 0 on sucsess, error code on failure
+ * <return value> 0 on success, error code on failure
*
* Requires:
* principal database to be opened.
- * strtok(3) to have a valid buffer in memory.
- *
+ * nstrtok(3) to have a valid buffer in memory.
+ *
* Effects:
* [effects]
*
* Modifies:
* [modifies]
- *
+ *
*/
-int
-process_ov_principal(fname, kcontext, filep, verbose, linenop, pol_db)
-char *fname;
-krb5_context kcontext;
-FILE *filep;
-int verbose;
-int *linenop;
-void *pol_db;
+int process_ov_principal(fname, kcontext, filep, verbose, linenop, pol_db)
+ char *fname;
+ krb5_context kcontext;
+ FILE *filep;
+ int verbose;
+ int *linenop;
+ void *pol_db;
{
- XDR xdrs;
- osa_princ_ent_t rec;
- osa_adb_ret_t ret;
- krb5_tl_data tl_data;
- krb5_principal princ;
- krb5_db_entry kdb;
- char *current;
- char *cp;
- int tmp, x, i, one;
- unsigned int more;
- char line[LINESIZE];
-
- if (fgets(line, LINESIZE, filep) == (char *) NULL) {
- return (IMPORT_BAD_FILE);
- }
- if ((cp = strtok(line, "\t")) == NULL)
- return (IMPORT_BAD_FILE);
- if ((rec = (osa_princ_ent_t)
- malloc(sizeof (osa_princ_ent_rec))) == NULL)
- return (ENOMEM);
- memset(rec, 0, sizeof (osa_princ_ent_rec));
- if ((ret = krb5_parse_name(kcontext, cp, &princ)))
- goto done;
- krb5_unparse_name(kcontext, princ, &current);
- if ((cp = strtok((char *) NULL, "\t")) == NULL) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
- goto done;
- } else {
- if (strcmp(cp, "")) {
- if ((rec->policy = (char *)
- malloc(strlen(cp) + 1)) == NULL) {
- ret = ENOMEM;
- goto done;
- }
- strcpy(rec->policy, cp);
- } else
- rec->policy = NULL;
- }
- if ((cp = strtok((char *) NULL, "\t")) == NULL) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
- goto done;
- }
- rec->aux_attributes = strtol(cp, (char **) NULL, 16);
- if ((cp = strtok((char *) NULL, "\t")) == NULL) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
- goto done;
- }
- rec->old_key_len = atoi(cp);
- if ((cp = strtok((char *) NULL, "\t")) == NULL) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
- goto done;
- }
- rec->old_key_next = atoi(cp);
- if ((cp = strtok((char *) NULL, "\t")) == NULL) {
- com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
- ret = IMPORT_FAILED;
+ XDR xdrs;
+ osa_princ_ent_t rec;
+ osa_adb_ret_t ret;
+ krb5_tl_data tl_data;
+ krb5_principal princ;
+ krb5_db_entry kdb;
+ char *current;
+ char *cp;
+ int x, one;
+ krb5_boolean more;
+ char line[LINESIZE];
+
+ if (fgets(line, LINESIZE, filep) == (char *) NULL) {
+ return IMPORT_BAD_FILE;
+ }
+ if((cp = nstrtok(line, "\t")) == NULL)
+ return IMPORT_BAD_FILE;
+ if((rec = (osa_princ_ent_t) malloc(sizeof(osa_princ_ent_rec))) == NULL)
+ return ENOMEM;
+ memset(rec, 0, sizeof(osa_princ_ent_rec));
+ if((ret = krb5_parse_name(kcontext, cp, &princ)))
+ goto done;
+ krb5_unparse_name(kcontext, princ, &current);
+ if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ } else {
+ if(strcmp(cp, "")) {
+ if((rec->policy = (char *) malloc(strlen(cp)+1)) == NULL) {
+ ret = ENOMEM;
goto done;
- }
- rec->admin_history_kvno = atoi(cp);
- if (!rec->old_key_len) {
- rec->old_keys = NULL;
- } else {
- if (!(rec->old_keys = (osa_pw_hist_ent *)
- malloc(sizeof (osa_pw_hist_ent) * rec->old_key_len))) {
- ret = ENOMEM;
- goto done;
- }
- memset(rec->old_keys, 0,
- sizeof (osa_pw_hist_ent) * rec->old_key_len);
- for (x = 0; x < rec->old_key_len; x++)
- parse_pw_hist_ent(current, &rec->old_keys[x]);
- }
-
- xdralloc_create(&xdrs, XDR_ENCODE);
- if (!xdr_osa_princ_ent_rec(&xdrs, rec)) {
- xdr_destroy(&xdrs);
- ret = OSA_ADB_XDR_FAILURE;
- goto done;
- }
- tl_data.tl_data_type = KRB5_TL_KADM_DATA;
- tl_data.tl_data_length = xdr_getpos(&xdrs);
- tl_data.tl_data_contents = (krb5_octet *) xdralloc_getdata(&xdrs);
-
- one = 1;
- ret = krb5_db_get_principal(kcontext, princ, &kdb, &one,
- &more);
- if (ret)
- goto done;
-
- if (ret = krb5_dbe_update_tl_data(kcontext, &kdb,
- &tl_data))
- goto done;
-
- if (ret = krb5_db_put_principal(kcontext, &kdb, &one))
- goto done;
-
- xdr_destroy(&xdrs);
-
- (*linenop)++;
+ }
+ strcpy(rec->policy, cp);
+ } else rec->policy = NULL;
+ }
+ if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ }
+ rec->aux_attributes = strtol(cp, (char **)NULL, 16);
+ if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ }
+ rec->old_key_len = atoi(cp);
+ if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ }
+ rec->old_key_next = atoi(cp);
+ if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+ com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+ ret = IMPORT_FAILED;
+ goto done;
+ }
+ rec->admin_history_kvno = atoi(cp);
+ if (! rec->old_key_len) {
+ rec->old_keys = NULL;
+ } else {
+ if(!(rec->old_keys = (osa_pw_hist_ent *)
+ malloc(sizeof(osa_pw_hist_ent) * rec->old_key_len))) {
+ ret = ENOMEM;
+ goto done;
+ }
+ memset(rec->old_keys,0,
+ sizeof(osa_pw_hist_ent) * rec->old_key_len);
+ for(x = 0; x < rec->old_key_len; x++)
+ parse_pw_hist_ent(current, &rec->old_keys[x]);
+ }
+
+ xdralloc_create(&xdrs, XDR_ENCODE);
+ if (! xdr_osa_princ_ent_rec(&xdrs, rec)) {
+ xdr_destroy(&xdrs);
+ ret = OSA_ADB_XDR_FAILURE;
+ goto done;
+ }
+
+ tl_data.tl_data_type = KRB5_TL_KADM_DATA;
+ tl_data.tl_data_length = xdr_getpos(&xdrs);
+ tl_data.tl_data_contents = (krb5_octet *) xdralloc_getdata(&xdrs);
+
+ one = 1;
+ ret = krb5_db_get_principal(kcontext, princ, &kdb, &one, &more);
+ if (ret)
+ goto done;
+
+ ret = krb5_dbe_update_tl_data(kcontext, &kdb, &tl_data);
+ if (ret)
+ goto done;
+
+ ret = krb5_db_put_principal(kcontext, &kdb, &one);
+ if (ret)
+ goto done;
+
+ xdr_destroy(&xdrs);
+
+ (*linenop)++;
done:
- free(current);
- krb5_free_principal(kcontext, princ);
- osa_free_princ_ent(rec);
- return (ret);
+ free(current);
+ krb5_free_principal(kcontext, princ);
+ osa_free_princ_ent(rec);
+ return ret;
}
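Review bot: In process_ov_principal the `goto done` taken when krb5_parse_name fails (just after the `rec` allocation) reaches `free(current)` and `krb5_free_principal(kcontext, princ)` while both variables are still uninitialized, since `current` is only assigned by the krb5_unparse_name call that follows; declare them as `char *current = NULL;` and `krb5_principal princ = NULL;`, and check the ignored krb5_unparse_name return before using `current`. In parse_pw_hist_ent the byte loop does `cp = strchr(cp, ' ') + 1;` without a NULL check, so a record whose hex field holds fewer bytes than its declared length makes the next sscanf read from address 1; the rewritten loop below advances only when another byte is expected and rejects the record otherwise. The return value of parse_pw_hist_ent is discarded in the history loop, so a malformed or out-of-memory history entry is silently stored; `if ((ret = parse_pw_hist_ent(current, &rec->old_keys[x]))) goto done;` would propagate it. Both functions are fully inside this hunk.
```c
for(j = 0; j < key_data->key_data_length[0]; j++) {
    /* … unchanged: sscanf of one hex byte, IMPORT_BAD_RECORD on failure … */
    key_data->key_data_contents[0][j] = tmp;
    /* Only advance when another byte is expected; a missing separator is a bad record. */
    if (j + 1 < key_data->key_data_length[0]) {
        cp = strchr(cp, ' ');
        if (cp == NULL) {
            com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
            ret = IMPORT_FAILED;
            goto done;
        }
        cp++;
    }
}
```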
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/string_table.c b/usr/src/cmd/krb5/kadmin/dbutil/string_table.c
index 534eaba055..4917341201 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/string_table.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/string_table.c
@@ -20,18 +20,9 @@
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/kadmin/\
- * dbutil/string_table.c,v 1.3 1996/08/05 18:38:26 bjaspan Exp $
+ *
*/
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/"
- ".cvsroot/src/kadmin/dbutil/string_table.c,v 1.3 "
- "1996/08/05 18:38:26 bjaspan Exp $";
-
-#endif
-
/* String table of messages for kadm5_create */
/*
* I18n HACK. We define gettext(s) to be s so that we can extract the
@@ -41,9 +32,6 @@ static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/"
#define gettext(s) s
-char *str_INITING_KCONTEXT =
-gettext("while initializing the kerberos context");
-
char *str_PARSE_NAME = gettext("while parsing admin principal name.");
char *str_HISTORY_PARSE_NAME =
@@ -115,7 +103,7 @@ gettext("%s: Created %s principal.\n"); /* whoami, princ_name */
char *str_INIT_KDB = gettext("while initializing kdb.");
-char *str_NO_KDB =
+char *str_NO_KDB =
gettext("while initializing kdb.\nThe Kerberos KDC database "
"needs to exist in /krb5.\nIf you haven't run "
"kdb5_create you need to do so before running this command.");
@@ -124,14 +112,14 @@ gettext("while initializing kdb.\nThe Kerberos KDC database "
char *str_INIT_RANDOM_KEY =
gettext("while initializing random key generator.");
-char *str_TOO_MANY_ADMIN_PRINC =
+char *str_TOO_MANY_ADMIN_PRINC =
gettext("while fetching admin princ. Can only have one admin principal.");
-char *str_TOO_MANY_CHANGEPW_PRINC =
+char *str_TOO_MANY_CHANGEPW_PRINC =
gettext("while fetching changepw princ. "
"Can only have one changepw principal.");
-char *str_TOO_MANY_HIST_PRINC =
+char *str_TOO_MANY_HIST_PRINC =
gettext("while fetching history princ. "
"Can only have one history principal.");
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/string_table.h b/usr/src/cmd/krb5/kadmin/dbutil/string_table.h
index 4012e54eb5..160d9730ec 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/string_table.h
+++ b/usr/src/cmd/krb5/kadmin/dbutil/string_table.h
@@ -1,6 +1,6 @@
/*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
*/
#ifndef _STRING_TABLE_H
@@ -38,8 +38,7 @@ extern "C" {
*/
#ifndef _OVSEC_ADM_STRINGS_
-
-extern char *str_INITING_KCONTEXT;
+
extern char *str_PARSE_NAME;
extern char *str_HISTORY_PARSE_NAME;
extern char *str_ADMIN_PRINC_EXISTS;
@@ -68,8 +67,8 @@ extern char *str_TOO_MANY_ADMIN_PRINC;
extern char *str_TOO_MANY_CHANGEPW_PRINC;
extern char *str_TOO_MANY_HIST_PRINC;
extern char *str_WHILE_DESTROYING_ADMIN_SESSION;
-
-#endif /* _OVSEC_ADM_STRINGS_ */
+
+#endif /* _OVSEC_ADM_STRINGS_ */
#ifdef __cplusplus
}
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/strtok.c b/usr/src/cmd/krb5/kadmin/dbutil/strtok.c
new file mode 100644
index 0000000000..ce9258e517
--- /dev/null
+++ b/usr/src/cmd/krb5/kadmin/dbutil/strtok.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
+ *
+ */
+
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that: (1) source distributions retain this entire copyright
+ * notice and comment, and (2) distributions including binaries display
+ * the following acknowledgement: ``This product includes software
+ * developed by the University of California, Berkeley and its contributors''
+ * in the documentation or other materials provided with the distribution
+ * and in all advertising materials mentioning features or use of this
+ * software. Neither the name of the University nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <stddef.h>
+#include <string.h>
+#include "nstrtok.h"
+
+/*
+ * Function: nstrtok
+ *
+ * Purpose: the same as strtok ... just different. does not deal with
+ * multiple tokens in row.
+ *
+ * Arguments:
+ * s (input) string to scan
+ * delim (input) list of delimiters
+ * <return value> string or null on error.
+ *
+ * Requires:
+ * nuttin
+ *
+ * Effects:
+ * sets last to string
+ *
+ * Modifies:
+ * last
+ *
+ */
+
+char *
+nstrtok(s, delim)
+ register char *s;
+ register const char *delim;
+{
+ register const char *spanp;
+ register int c, sc;
+ char *tok;
+ static char *last;
+
+
+ if (s == NULL && (s = last) == NULL)
+ return (NULL);
+
+ /*
+ * Skip (span) leading delimiters (s += strspn(s, delim), sort of).
+ */
+#ifdef OLD
+cont:
+ c = *s++;
+ for (spanp = delim; (sc = *spanp++) != 0;) {
+ if (c == sc)
+ goto cont;
+ }
+
+ if (c == 0) { /* no non-delimiter characters */
+ last = NULL;
+ return (NULL);
+ }
+ tok = s - 1;
+#else
+ tok = s;
+#endif
+
+ /*
+ * Scan token (scan for delimiters: s += strcspn(s, delim), sort of).
+ * Note that delim must have one NUL; we stop if we see that, too.
+ */
+ for (;;) {
+ c = *s++;
+ spanp = delim;
+ do {
+ if ((sc = *spanp++) == c) {
+ if (c == 0)
+ s = NULL;
+ else
+ s[-1] = 0;
+ last = s;
+ return (tok);
+ }
+ } while (sc != 0);
+ }
+ /* NOTREACHED */
+}
+
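Review bot: The header comment describes nstrtok as "the same as strtok ... just different" without naming the difference its only caller depends on: because the leading-delimiter skip is compiled out under `#ifdef OLD`, two adjacent delimiters yield an empty token instead of being collapsed, which is what lets ovload.c detect an empty policy field with `strcmp(cp, "")`. Replace the Purpose line with `Purpose: like strtok(3), but adjacent delimiters yield an empty token rather than being skipped; the scan position lives in a static, so the function is not reentrant.` and delete the dead `#ifdef OLD` block instead of keeping it as preprocessor-disabled code. The `register` qualifiers and K&R parameter list are also out of step with the prototype in nstrtok.h and can be modernised at the same time.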
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/util.c b/usr/src/cmd/krb5/kadmin/dbutil/util.c
index 529120bb1f..f2bda0fc38 100644
--- a/usr/src/cmd/krb5/kadmin/dbutil/util.c
+++ b/usr/src/cmd/krb5/kadmin/dbutil/util.c
@@ -28,7 +28,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -36,18 +36,21 @@
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* Utilities for kdb5_edit.
- *
+ *
* Some routines derived from code contributed by the Sandia National
* Laboratories. Sandia National Laboratories also makes no
* representations about the suitability of the modifications, or
* additions to this software for any purpose. It is provided "as is"
* without express or implied warranty.
- *
+ *
*/
#define KDB5_DISPATCH
@@ -71,7 +74,6 @@
#define krb5_dbm_db_close_database krb5_db_close_database
#define krb5_dbm_db_open_database krb5_db_open_database
-#include <kadm5/admin.h>
#include "./kdb5_edit.h"
#ifndef HAVE_STRSTR
@@ -80,117 +82,117 @@ strstr(s1, s2)
char *s1;
char *s2;
{
- int s2len;
- int i;
- char *temp_ptr;
-
- temp_ptr = s1;
- for (i = 0; i < strlen(s1); i++) {
- if (memcmp(temp_ptr, s2, strlen(s2)) == 0)
- return (temp_ptr);
- temp_ptr += 1;
- }
- return ((char *) 0);
+ int s2len;
+ int i;
+ char *temp_ptr;
+
+ temp_ptr = s1;
+ for ( i = 0; i < strlen(s1); i++) {
+ if (memcmp(temp_ptr, s2, strlen(s2)) == 0) return(temp_ptr);
+ temp_ptr += 1;
+ }
+ return ((char *) 0);
}
-
-#endif /* HAVE_STRSTR */
+#endif /* HAVE_STRSTR */
void
parse_token(token_in, must_be_first_char, num_tokens, tokens_out)
char *token_in;
-int *must_be_first_char;
-int *num_tokens;
+int *must_be_first_char;
+int *num_tokens;
char *tokens_out;
{
- int i, j;
- int token_count = 0;
+ int i, j;
+ int token_count = 0;
- i = 0;
- j = 0;
+ i = 0;
+ j = 0;
/* Eliminate Up Front Asterisks */
- *must_be_first_char = 1;
- for (i = 0; token_in[i] == '*'; i++) {
- *must_be_first_char = 0;
- }
+ *must_be_first_char = 1;
+ for (i = 0; token_in[i] == '*'; i++) {
+ *must_be_first_char = 0;
+ }
- if (i == strlen(token_in)) {
- *num_tokens = 0;
- return;
- }
- /* Fill first token_out */
- token_count++;
- while ((token_in[i] != '*') && (token_in[i] != '\0')) {
- tokens_out[j] = token_in[i];
- j++;
- i++;
- }
+ if (i == strlen(token_in)) {
+ *num_tokens = 0;
+ return;
+ }
- if (i == strlen(token_in)) {
- tokens_out[j] = '\0';
- *num_tokens = token_count;
- return;
- }
- /* Then All Subsequent Tokens */
- while (i < strlen(token_in)) {
- if (token_in[i] == '*') {
- token_count++;
- tokens_out[j] = '\t';
- } else {
- tokens_out[j] = token_in[i];
- }
- i++;
- j++;
- }
+ /* Fill first token_out */
+ token_count++;
+ while ((token_in[i] != '*') && (token_in[i] != '\0')) {
+ tokens_out[j] = token_in[i];
+ j++;
+ i++;
+ }
+
+ if (i == strlen(token_in)) {
tokens_out[j] = '\0';
+ *num_tokens = token_count;
+ return;
+ }
- if (tokens_out[j - 1] == '\t') {
- token_count--;
- tokens_out[j - 1] = '\0';
+ /* Then All Subsequent Tokens */
+ while (i < strlen(token_in)) {
+ if (token_in[i] == '*') {
+ token_count++;
+ tokens_out[j] = '\t';
+ } else {
+ tokens_out[j] = token_in[i];
}
- *num_tokens = token_count;
+ i++;
+ j++;
+ }
+ tokens_out[j] = '\0';
+
+ if (tokens_out[j - 1] == '\t') {
+ token_count--;
+ tokens_out[j - 1] = '\0';
+ }
+
+ *num_tokens = token_count;
+ return;
}
int
-check_for_match(search_field, must_be_first_character, chk_entry,
- num_tokens, type)
+check_for_match(search_field, must_be_first_character, chk_entry,
+ num_tokens, type)
int must_be_first_character;
char *search_field;
krb5_db_entry *chk_entry;
int num_tokens;
int type;
{
- char token1[256];
- char *found1;
- char token2[256];
- char *found2;
- char token3[256];
- char *found3;
- char *local_entry;
+ char token1[256];
+ char *found1;
+ char token2[256];
+ char *found2;
+ char token3[256];
+ char *found3;
+ char *local_entry;
- local_entry = chk_entry->princ->data[type].data;
+ local_entry = chk_entry->princ->data[type].data;
- token1[0] = token2[0] = token3[0] = '\0';
+ token1[0] = token2[0] = token3[0] = '\0';
- (void) sscanf(search_field, "%s\t%s\t%s", token1, token2, token3);
+ (void) sscanf(search_field, "%s\t%s\t%s", token1, token2, token3);
- found1 = strstr(local_entry, token1);
+ found1 = strstr(local_entry, token1);
- if (must_be_first_character && (found1 != local_entry))
- return (0);
+ if (must_be_first_character && (found1 != local_entry)) return(0);
- if (found1 && (num_tokens == 1))
- return (1);
+ if (found1 && (num_tokens == 1)) return(1);
- if (found1 && (num_tokens > 1)) {
- found2 = strstr(local_entry, token2);
- if (found2 && (found2 > found1) && (num_tokens == 2))
- return (1);
- }
- if ((found2 > found1) && (num_tokens == 3)) {
- found3 = strstr(local_entry, token3);
- if (found3 && (found3 > found2) && (found2 > found1))
- return (1);
- }
- return (0);
+ if (found1 && (num_tokens > 1)) {
+ found2 = strstr(local_entry, token2);
+ if (found2 && (found2 > found1) && (num_tokens == 2)) return(1);
+ }
+
+ if ((found2 > found1) && (num_tokens == 3)) {
+ found3 = strstr(local_entry, token3);
+ if (found3 && (found3 > found2) && (found2 > found1)) return(1);
+ }
+ return(0);
}
+
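Review bot: In check_for_match, `found2` is read in the `(found2 > found1) && (num_tokens == 3)` test without having been assigned whenever `found1` is NULL or `num_tokens` is not greater than 1, because its only assignment sits inside the preceding `if (found1 && (num_tokens > 1))` block; initialise it with `char *found2 = NULL;` (and `found3` likewise) and guard the comparison with `found1 && found2 &&` so that it never compares an unrelated or null pointer. The `sscanf(search_field, "%s\t%s\t%s", token1, token2, token3)` conversions into the three 256-byte buffers carry no width limit, so a search field longer than 255 characters overruns them; use `"%255s\t%255s\t%255s"`. The strstr fallback at the top of the hunk begins outside it and still computes `strlen(s1)` on every loop iteration, which the commit does not change.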
diff --git a/usr/src/cmd/krb5/kadmin/kpasswd/Makefile b/usr/src/cmd/krb5/kadmin/kpasswd/Makefile
index 1cc3124c7d..70e67264ea 100644
--- a/usr/src/cmd/krb5/kadmin/kpasswd/Makefile
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -29,7 +29,7 @@ CPPFLAGS += -I$(SRC)/lib/gss_mechs/mech_krb5/include \
-I$(SRC)/lib/krb5 \
-DHAVE_LIBSOCKET=1 -DHAVE_LIBNSL=1 -DHAVE_UNISTD_H=1 \
-DHAVE_SYS_TIMEB_H=1 -DHAVE_ALLOCA_H=1 -DHAVE_FTIME=1 \
- -DHAVE_TIMEZONE -DUSE_KADM5_API_VERSION=1
+ -DHAVE_TIMEZONE -DUSE_KADM5_API_VERSION=2
COPTFLAG += $(XESS) #-I$(KINCDIR)
diff --git a/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.c b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.c
index f4a2efbfdf..ef7c0b3bf1 100644
--- a/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.c
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -25,21 +25,21 @@
/*
* Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header: /cvs/krbdev/krb5/src/kadmin/passwd/kpasswd.c,v 1.24 1997/02/20\
- * 06:12:57 probe Exp $
+ *
+ * $Header: /cvs/krbdev/krb5/src/kadmin/passwd/kpasswd.c,v 1.25 2001/02/26 18:22:08 epeisach Exp $
*
*
*/
-static char rcsid[] = "$Id: kpasswd.c,v 1.24 1997/02/20 "
- "06:12:57 probe Exp $";
+static char rcsid[] = "$Id: kpasswd.c,v 1.25 2001/02/26 18:22:08 epeisach Exp $";
#include <kadm5/admin.h>
#include <krb5.h>
#include "kpasswd_strings.h"
-#define string_text error_message
+#define string_text error_message
+
+#include "kpasswd.h"
#include <stdio.h>
#include <pwd.h>
@@ -52,7 +52,7 @@ extern void display_intro_message();
extern long read_old_password();
extern long read_new_password();
-#define MISC_EXIT_STATUS 6
+#define MISC_EXIT_STATUS 6
/*
* Function: kpasswd
@@ -67,7 +67,7 @@ extern long read_new_password();
* read_new_password (f) function to read new and change password
* display_intro_message (f) function to display intro message
* whoami (extern) argv[0]
- *
+ *
* Returns:
* exit status of 0 for success
* 1 principal unknown
@@ -77,10 +77,10 @@ extern long read_new_password();
* 5 password not typed
* 6 misc error
* 7 incorrect usage
- *
+ *
* Requires:
* Passwords cannot be more than 255 characters long.
- *
+ *
* Effects:
*
* If argc is 2, the password for the principal specified in argv[1]
@@ -93,7 +93,7 @@ extern long read_new_password();
* read_new_password is called to read the new password and change the
* principal's password (presumably ovsec_kadm_chpass_principal).
* admin system is de-initialized before the function returns.
- *
+ *
* Modifies:
*
* Changes the principal's password.
@@ -101,129 +101,113 @@ extern long read_new_password();
*/
int
kpasswd(context, argc, argv)
-krb5_context context;
-int argc;
-char *argv[];
+ krb5_context context;
+ int argc;
+ char *argv[];
{
- kadm5_ret_t code;
- krb5_ccache ccache = NULL;
- krb5_principal princ = 0;
- char *princ_str;
- struct passwd *pw = 0;
- int pwsize;
- char password[255]; /* I don't really like 255 */
- /* but that's what kinit uses */
- char msg_ret[1024], admin_realm[1024];
- kadm5_principal_ent_rec principal_entry;
- kadm5_policy_ent_rec policy_entry;
- void *server_handle;
- kadm5_config_params params;
- char *cpw_service;
+ kadm5_ret_t code;
+ krb5_ccache ccache = NULL;
+ krb5_principal princ = 0;
+ char *princ_str;
+ struct passwd *pw = 0;
+ unsigned int pwsize;
+ char password[255]; /* I don't really like 255 but that's what kinit uses */
+ char msg_ret[1024], admin_realm[1024];
+ kadm5_principal_ent_rec principal_entry;
+ kadm5_policy_ent_rec policy_entry;
+ void *server_handle;
+ kadm5_config_params params;
+ char *cpw_service;
memset((char *)&params, 0, sizeof (params));
memset(&principal_entry, 0, sizeof (principal_entry));
memset(&policy_entry, 0, sizeof (policy_entry));
- if (argc > 2) {
- com_err(whoami, KPW_STR_USAGE, 0);
- return (7);
- /* NOTREACHED */
- }
- /*
- * Get principal name to change
- */
+ if (argc > 2) {
+ com_err(whoami, KPW_STR_USAGE, 0);
+ return(7);
+ /*NOTREACHED*/
+ }
- /*
- * Look on the command line first, followed by the default
- * credential cache, followed by defaulting to the Unix user name
- */
+ /************************************
+ * Get principal name to change *
+ ************************************/
- if (argc == 2)
- princ_str = strdup(argv[1]);
- else {
- code = krb5_cc_default(context, &ccache);
- /* If we succeed, find who is in the credential cache */
- if (code == 0) {
- /* Get default principal from cache if one exists */
- code = krb5_cc_get_principal(context, ccache, &princ);
- /*
- * if we got a principal, unparse it, otherwise get
- * out of the if with an error code
- */
- (void) krb5_cc_close(context, ccache);
- if (code == 0) {
- code = krb5_unparse_name(context,
- princ, &princ_str);
- if (code != 0) {
- com_err(whoami, code,
- string_text(
- KPW_STR_UNPARSE_NAME));
- return (MISC_EXIT_STATUS);
- }
- }
- }
- /* this is a crock.. we want to compare against */
- /*
- * "KRB5_CC_DOESNOTEXIST" but there is no such error code,
- * and
- */
- /*
- * both the file and stdio types return FCC_NOFILE. If
- * there is
- */
- /* ever another ccache type (or if the error codes are ever */
- /* fixed), this code will have to be updated. */
- if (code && code != KRB5_FCC_NOFILE) {
- com_err(whoami, code,
- string_text(KPW_STR_WHILE_LOOKING_AT_CC));
- return (MISC_EXIT_STATUS);
- }
- /* if either krb5_cc failed check the passwd file */
- if (code != 0) {
- pw = getpwuid(getuid());
- if (pw == NULL) {
- com_err(whoami, 0,
- string_text(KPW_STR_NOT_IN_PASSWD_FILE));
- return (MISC_EXIT_STATUS);
- }
- princ_str = strdup(pw->pw_name);
- }
+ /* Look on the command line first, followed by the default credential
+ cache, followed by defaulting to the Unix user name */
+
+ if (argc == 2)
+ princ_str = strdup(argv[1]);
+ else {
+ code = krb5_cc_default(context, &ccache);
+ /* If we succeed, find who is in the credential cache */
+ if (code == 0) {
+ /* Get default principal from cache if one exists */
+ code = krb5_cc_get_principal(context, ccache, &princ);
+ /* if we got a principal, unparse it, otherwise get out of the if
+ with an error code */
+ (void) krb5_cc_close(context, ccache);
+ if (code == 0) {
+ code = krb5_unparse_name(context, princ, &princ_str);
+ if (code != 0) {
+ com_err(whoami, code, string_text(KPW_STR_UNPARSE_NAME));
+ return(MISC_EXIT_STATUS);
}
+ }
+ }
- display_intro_message(string_text(KPW_STR_CHANGING_PW_FOR), princ_str);
+ /* this is a crock.. we want to compare against */
+ /* "KRB5_CC_DOESNOTEXIST" but there is no such error code, and */
+ /* both the file and stdio types return FCC_NOFILE. If there is */
+ /* ever another ccache type (or if the error codes are ever */
+ /* fixed), this code will have to be updated. */
+ if (code && code != KRB5_FCC_NOFILE) {
+ com_err(whoami, code, string_text(KPW_STR_WHILE_LOOKING_AT_CC));
+ return(MISC_EXIT_STATUS);
+ }
- /*
- * Need to get a krb5_principal, unless we started from with one
- * from the credential cache
- */
+ /* if either krb5_cc failed check the passwd file */
+ if (code != 0) {
+ pw = getpwuid( getuid());
+ if (pw == NULL) {
+ com_err(whoami, 0, string_text(KPW_STR_NOT_IN_PASSWD_FILE));
+ return(MISC_EXIT_STATUS);
+ }
+ princ_str = strdup(pw->pw_name);
+ }
+ }
+
+ display_intro_message(string_text(KPW_STR_CHANGING_PW_FOR), princ_str);
- if (!princ) {
- code = krb5_parse_name(context, princ_str, &princ);
- if (code != 0) {
- com_err(whoami, code,
- string_text(KPW_STR_PARSE_NAME), princ_str);
- free(princ_str);
- return (MISC_EXIT_STATUS);
- }
- }
- pwsize = sizeof (password);
- code = read_old_password(context, password, &pwsize);
+ /* Need to get a krb5_principal, unless we started from with one from
+ the credential cache */
- if (code != 0) {
- memset(password, 0, sizeof (password));
- com_err(whoami, code,
- string_text(KPW_STR_WHILE_READING_PASSWORD));
- krb5_free_principal(context, princ);
- free(princ_str);
- return (MISC_EXIT_STATUS);
- }
- if (pwsize == 0) {
- memset(password, 0, sizeof (password));
- com_err(whoami, 0, string_text(KPW_STR_NO_PASSWORD_READ));
- krb5_free_principal(context, princ);
- free(princ_str);
- return (5);
- }
+ if (! princ) {
+ code = krb5_parse_name (context, princ_str, &princ);
+ if (code != 0) {
+ com_err(whoami, code, string_text(KPW_STR_PARSE_NAME), princ_str);
+ free(princ_str);
+ return(MISC_EXIT_STATUS);
+ }
+ }
+
+ pwsize = sizeof(password);
+ code = read_old_password(context, password, &pwsize);
+
+ if (code != 0) {
+ memset(password, 0, sizeof(password));
+ com_err(whoami, code, string_text(KPW_STR_WHILE_READING_PASSWORD));
+ krb5_free_principal(context, princ);
+ free(princ_str);
+ return(MISC_EXIT_STATUS);
+ }
+ if (pwsize == 0) {
+ memset(password, 0, sizeof(password));
+ com_err(whoami, 0, string_text(KPW_STR_NO_PASSWORD_READ));
+ krb5_free_principal(context, princ);
+ free(princ_str);
+ return(5);
+ }
snprintf(admin_realm, sizeof (admin_realm),
krb5_princ_realm(context, princ)->data);
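Review bot: The `snprintf(admin_realm, sizeof (admin_realm), krb5_princ_realm(context, princ)->data)` at the end of the hunk passes the realm name itself as the format string, so a principal taken from argv[1] or the credential cache above whose realm contains `%` conversions drives the formatting; write it as `snprintf(admin_realm, sizeof (admin_realm), "%s", krb5_princ_realm(context, princ)->data);`, or use `"%.*s"` with the realm's `length` since a krb5_data is not guaranteed to be NUL-terminated. The two `princ_str = strdup(...)` results are also unchecked, and a NULL from either reaches display_intro_message and krb5_parse_name. The `memset(password, 0, sizeof(password))` before each early return is not read afterwards and may be elided by the optimizer; it is unchanged by this commit, but if the platform offers an explicit_bzero-style routine it belongs here.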
@@ -346,23 +330,22 @@ char *argv[];
}
} /* if protocol == KRB5_CHGPWD_RPCSEC */
- pwsize = sizeof (password);
- code = read_new_password(server_handle, password,
- &pwsize, msg_ret, sizeof (msg_ret), princ);
- memset(password, 0, sizeof (password));
-
- if (code)
- com_err(whoami, 0, msg_ret);
+ pwsize = sizeof(password);
+ code = read_new_password(server_handle, password, &pwsize, msg_ret, sizeof (msg_ret), princ);
+ memset(password, 0, sizeof(password));
- krb5_free_principal(context, princ);
- free(princ_str);
+ if (code)
+ com_err(whoami, 0, msg_ret);
- (void) kadm5_destroy(server_handle);
+ krb5_free_principal(context, princ);
+ free(princ_str);
- if (code == KRB5_LIBOS_CANTREADPWD)
- return (5);
- else if (code)
- return (4);
- else
- return (0);
+ (void) kadm5_destroy(server_handle);
+
+ if (code == KRB5_LIBOS_CANTREADPWD)
+ return(5);
+ else if (code)
+ return(4);
+ else
+ return(0);
}
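Review bot: `com_err(whoami, 0, msg_ret)` passes msg_ret as the format string; msg_ret is filled by read_new_password, whose tty body hands it straight to kadm5_chpass_principal_util, so its contents are not a literal this file controls and any `%` in the returned message would be interpreted as a conversion. Use `com_err(whoami, 0, "%s", msg_ret);`. The context lines just above this hunk, `snprintf(admin_realm, sizeof (admin_realm), krb5_princ_realm(context, princ)->data)`, have the same shape — the realm text is the format — and would take a `"%s"` the same way.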
diff --git a/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.h b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.h
new file mode 100644
index 0000000000..e53d868f0c
--- /dev/null
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.h
@@ -0,0 +1,49 @@
+/*
+ * kadmin/passwd/kpasswd.h
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Prototypes for the kpasswd program callback functions.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+
+#ifndef __KPASSWD_H__
+#define __KPASSWD_H__
+
+int kpasswd(krb5_context context, int argc, char *argv[]);
+
+long read_old_password(krb5_context context, char *password,
+ unsigned int *pwsize);
+
+long read_new_password(void *server_handle, char *password,
+ unsigned int *pwsize, char *msg_ret,
+ int msg_len, krb5_principal princ);
+
+void display_intro_message(const char *fmt_string, const char *arg_string);
+
+#endif /* __KPASSWD_H__ */
+
+
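Review bot: The include guard `__KPASSWD_H__` begins with a double underscore, an identifier form reserved for the implementation; a plain `KPASSWD_H` avoids the collision risk. The header also uses krb5_context and krb5_principal without including `<krb5.h>`, so it compiles only when the including file has already pulled krb5.h in, as tty_kpasswd.c happens to do by include order. A short comment on read_new_password stating that msg_ret is a caller-owned buffer of msg_len bytes that receives the status text (the tty implementation passes both straight through to kadm5_chpass_principal_util) would make the contract visible where callers read it.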
diff --git a/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd_strings.h b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd_strings.h
index 7d29943edc..86de60b65a 100644
--- a/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd_strings.h
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd_strings.h
@@ -17,33 +17,45 @@
*
*/
+#include <com_err.h>
/*
* kpasswd_strings.h:
* This file is automatically generated; please do not edit it.
*/
-#define KPW_STR_USAGE (-1767084800L)
-#define KPW_STR_PRIN_UNKNOWN (-1767084799L)
-#define KPW_STR_WHILE_LOOKING_AT_CC (-1767084798L)
-#define KPW_STR_OLD_PASSWORD_INCORRECT (-1767084797L)
-#define KPW_STR_CANT_OPEN_ADMIN_SERVER (-1767084796L)
-#define KPW_STR_NEW_PASSWORD_MISMATCH (-1767084795L)
-#define KPW_STR_PASSWORD_CHANGED (-1767084794L)
-#define KPW_STR_PASSWORD_NOT_CHANGED (-1767084793L)
-#define KPW_STR_PARSE_NAME (-1767084792L)
-#define KPW_STR_UNPARSE_NAME (-1767084791L)
-#define KPW_STR_NOT_IN_PASSWD_FILE (-1767084790L)
-#define KPW_STR_CHANGING_PW_FOR (-1767084789L)
-#define KPW_STR_OLD_PASSWORD_PROMPT (-1767084788L)
-#define KPW_STR_WHILE_READING_PASSWORD (-1767084787L)
-#define KPW_STR_NO_PASSWORD_READ (-1767084786L)
-#define KPW_STR_WHILE_TRYING_TO_CHANGE (-1767084785L)
-#define KPW_STR_WHILE_DESTROYING_ADMIN_SESSION (-1767084784L)
-#define KPW_STR_WHILE_FREEING_PRINCIPAL (-1767084783L)
-#define KPW_STR_WHILE_FREEING_POLICY (-1767084782L)
-#define KPW_STR_CANT_GET_POLICY_INFO (-1767084781L)
-#define KPW_STR_POLICY_EXPLANATION (-1767084780L)
-#define ERROR_TABLE_BASE_kpws (-1767084800L)
+#define KPW_STR_USAGE (-1767084800L)
+#define KPW_STR_PRIN_UNKNOWN (-1767084799L)
+#define KPW_STR_WHILE_LOOKING_AT_CC (-1767084798L)
+#define KPW_STR_OLD_PASSWORD_INCORRECT (-1767084797L)
+#define KPW_STR_CANT_OPEN_ADMIN_SERVER (-1767084796L)
+#define KPW_STR_NEW_PASSWORD_MISMATCH (-1767084795L)
+#define KPW_STR_PASSWORD_CHANGED (-1767084794L)
+#define KPW_STR_PASSWORD_NOT_CHANGED (-1767084793L)
+#define KPW_STR_PARSE_NAME (-1767084792L)
+#define KPW_STR_UNPARSE_NAME (-1767084791L)
+#define KPW_STR_NOT_IN_PASSWD_FILE (-1767084790L)
+#define KPW_STR_CHANGING_PW_FOR (-1767084789L)
+#define KPW_STR_OLD_PASSWORD_PROMPT (-1767084788L)
+#define KPW_STR_WHILE_READING_PASSWORD (-1767084787L)
+#define KPW_STR_NO_PASSWORD_READ (-1767084786L)
+#define KPW_STR_WHILE_TRYING_TO_CHANGE (-1767084785L)
+#define KPW_STR_WHILE_DESTROYING_ADMIN_SESSION (-1767084784L)
+#define KPW_STR_WHILE_FREEING_PRINCIPAL (-1767084783L)
+#define KPW_STR_WHILE_FREEING_POLICY (-1767084782L)
+#define KPW_STR_CANT_GET_POLICY_INFO (-1767084781L)
+#define KPW_STR_POLICY_EXPLANATION (-1767084780L)
+#define ERROR_TABLE_BASE_kpws (-1767084800L)
+extern const struct error_table et_kpws_error_table;
+
+#if !defined(_WIN32)
/* for compatibility with older versions... */
-#define kpws_err_base ERROR_TABLE_BASE_kpws
+extern void initialize_kpws_error_table (void) /*@modifies internalState@*/;
+#else
+#define initialize_kpws_error_table()
+#endif
+
+#if !defined(_WIN32)
+#define init_kpws_err_tbl initialize_kpws_error_table
+#define kpws_err_base ERROR_TABLE_BASE_kpws
+#endif
diff --git a/usr/src/cmd/krb5/kadmin/kpasswd/tty_kpasswd.c b/usr/src/cmd/krb5/kadmin/kpasswd/tty_kpasswd.c
index ec1618155e..63ee6d3772 100644
--- a/usr/src/cmd/krb5/kadmin/kpasswd/tty_kpasswd.c
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/tty_kpasswd.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -25,22 +25,21 @@
/*
* Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header: /cvs/krbdev/krb5/src/kadmin/passwd/tty_kpasswd.c,v 1.7\
- * 1997/02/20 06:13:01 probe Exp $
+ *
+ * $Header: /cvs/krbdev/krb5/src/kadmin/passwd/tty_kpasswd.c,v 1.9 2001/02/26 18:22:08 epeisach Exp $
*
*
*/
-static char rcsid[] = "$Id: tty_kpasswd.c,v 1.7 "
- "1997/02/20 06:13:01 probe Exp $";
+static char rcsid[] = "$Id: tty_kpasswd.c,v 1.9 2001/02/26 18:22:08 epeisach Exp $";
#include <kadm5/admin.h>
#include <krb5.h>
#include "kpasswd_strings.h"
-#define string_text error_message
+#define string_text error_message
+#include "kpasswd.h"
#include <stdio.h>
#include <pwd.h>
#include <string.h>
@@ -49,39 +48,34 @@ static char rcsid[] = "$Id: tty_kpasswd.c,v 1.7 "
char *whoami;
-void
-display_intro_message(fmt_string, arg_string)
-char *fmt_string;
-char *arg_string;
+void display_intro_message(fmt_string, arg_string)
+ const char *fmt_string;
+ const char *arg_string;
{
- com_err(whoami, 0, fmt_string, arg_string);
+ com_err(whoami, 0, fmt_string, arg_string);
}
-long
-read_old_password(context, password, pwsize)
-krb5_context context;
-char *password;
-unsigned int *pwsize;
+long read_old_password(context, password, pwsize)
+ krb5_context context;
+ char *password;
+ unsigned int *pwsize;
{
- long code = krb5_read_password(context,
+ long code = krb5_read_password(context,
(char *) string_text(KPW_STR_OLD_PASSWORD_PROMPT),
- 0, password, pwsize);
-
- return (code);
+ 0, password, pwsize);
+ return code;
}
-long
-read_new_password(server_handle, password, pwsize,
- msg_ret, msg_len, princ)
-void *server_handle;
-char *password;
-int *pwsize;
-char *msg_ret;
-int msg_len;
-krb5_principal princ;
+long read_new_password(server_handle, password, pwsize, msg_ret, msg_len, princ)
+ void *server_handle;
+ char *password;
+ unsigned int *pwsize;
+ char *msg_ret;
+ int msg_len;
+ krb5_principal princ;
{
return (kadm5_chpass_principal_util(server_handle, princ, NULL,
- NULL /* don't need new pw back */,
+ NULL /* don't need new pw back */,
msg_ret, msg_len));
}
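Review bot: read_new_password accepts `password` and `pwsize` but never uses them — only server_handle, princ, msg_ret and msg_len reach kadm5_chpass_principal_util — so a caller that sizes and then zeroes the password buffer, as kpasswd.c does, is working on a buffer this implementation never fills. A comment on the definition, `/* password and pwsize are unused by this tty implementation */`, would make that explicit. display_intro_message forwards fmt_string directly as the com_err format, which is fine for the string-table entries kpasswd.c passes but deserves a comment so no future caller passes user-derived text in that position.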
@@ -91,13 +85,13 @@ krb5_principal princ;
*/
int
main(argc, argv)
-int argc;
-char *argv[];
+ int argc;
+ char *argv[];
{
- krb5_context context;
- int retval;
+ krb5_context context;
+ int retval;
- whoami = (whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0];
+ whoami = (whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0];
(void) setlocale(LC_ALL, "");
@@ -107,15 +101,17 @@ char *argv[];
(void) textdomain(TEXT_DOMAIN);
- if (retval = krb5_init_context(&context)) {
+ retval = krb5_init_context(&context);
+ if (retval) {
com_err(whoami, retval, gettext("initializing krb5 context"));
- exit(retval);
- }
+ exit(retval);
+ }
/* initialize_kpws_error_table(); SUNWresync121 */
- retval = kpasswd(context, argc, argv);
- if (!retval)
- printf(string_text(KPW_STR_PASSWORD_CHANGED));
+ retval = kpasswd(context, argc, argv);
+
+ if (!retval)
+ printf(string_text(KPW_STR_PASSWORD_CHANGED));
- exit(retval);
+ exit(retval);
}
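Review bot: `printf(string_text(KPW_STR_PASSWORD_CHANGED))` uses a non-literal format string with no arguments; the text comes from the compiled-in error table so the exposure is low, but `-Wformat-security` flags it and `fputs(string_text(KPW_STR_PASSWORD_CHANGED), stdout);` is the drop-in form. Separately, `exit(retval)` after a failed krb5_init_context passes a krb5_error_code as the process status, of which only the low byte survives, so a failure could surface as a status that does not look like one; `exit(1)` after the com_err message is unambiguous.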
diff --git a/usr/src/cmd/krb5/kadmin/ktutil/ktutil.c b/usr/src/cmd/krb5/kadmin/ktutil/ktutil.c
index 47e5b1bf24..848a14da62 100644
--- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil.c
+++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -33,7 +33,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -47,7 +47,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* SS user interface for ktutil.
*/
@@ -66,14 +66,12 @@ extern ss_request_table ktutil_cmds;
krb5_context kcontext;
krb5_kt_list ktlist = NULL;
-int
-main(argc, argv)
-int argc;
-char *argv[];
+int main(argc, argv)
+ int argc;
+ char *argv[];
{
- krb5_error_code retval;
- extern krb5_kt_ops krb5_ktf_writable_ops;
- int sci_idx;
+ krb5_error_code retval;
+ int sci_idx;
(void) setlocale(LC_ALL, "");
@@ -83,84 +81,75 @@ char *argv[];
(void) textdomain(TEXT_DOMAIN);
- retval = krb5_init_context(&kcontext);
- if (retval) {
+ retval = krb5_init_context(&kcontext);
+ if (retval) {
com_err(argv[0], retval, gettext("while initializing krb5"));
- exit(1);
- }
- retval = krb5_kt_register(kcontext, &krb5_ktf_writable_ops);
- if (retval) {
- com_err(argv[0], retval,
- gettext("while registering writable key table functions"));
- exit(1);
- }
+ exit(1);
+ }
retval = ktutil_initialize_cmds_table (&ktutil_cmds);
if (retval) {
com_err(argv[0], retval,
gettext("while localizing command description messages"));
exit(1);
}
- sci_idx = ss_create_invocation("ktutil", "5.0", (char *) NULL,
- &ktutil_cmds, &retval);
- if (retval) {
- ss_perror(sci_idx, retval, gettext("creating invocation"));
- exit(1);
- }
- ss_listen(sci_idx, &retval);
- ktutil_free_kt_list(kcontext, ktlist);
- exit(0);
+ sci_idx = ss_create_invocation("ktutil", "5.0", (char *) NULL,
+ &ktutil_cmds, &retval);
+ if (retval) {
+ ss_perror(sci_idx, retval, gettext("creating invocation"));
+ exit(1);
+ }
+ retval = ss_listen(sci_idx);
+ ktutil_free_kt_list(kcontext, ktlist);
+ exit(0);
}
-void
-ktutil_clear_list(argc, argv)
-int argc;
-char *argv[];
+void ktutil_clear_list(argc, argv)
+ int argc;
+ char *argv[];
{
- krb5_error_code retval;
+ krb5_error_code retval;
- if (argc != 1) {
+ if (argc != 1) {
fprintf(stderr, gettext("%s: invalid arguments\n"), argv[0]);
- return;
- }
- retval = ktutil_free_kt_list(kcontext, ktlist);
- if (retval)
+ return;
+ }
+ retval = ktutil_free_kt_list(kcontext, ktlist);
+ if (retval)
com_err(argv[0], retval, gettext("while freeing ktlist"));
- ktlist = NULL;
+ ktlist = NULL;
}
-void
-ktutil_read_v5(argc, argv)
-int argc;
-char *argv[];
+void ktutil_read_v5(argc, argv)
+ int argc;
+ char *argv[];
{
- krb5_error_code retval;
+ krb5_error_code retval;
- if (argc != 2) {
+ if (argc != 2) {
fprintf(stderr,
gettext("%s: must specify keytab to read\n"), argv[0]);
- return;
- }
- retval = ktutil_read_keytab(kcontext, argv[1], &ktlist);
- if (retval)
+ return;
+ }
+ retval = ktutil_read_keytab(kcontext, argv[1], &ktlist);
+ if (retval)
com_err(argv[0], retval,
gettext("while reading keytab \"%s\""), argv[1]);
}
-void
-ktutil_read_v4(argc, argv)
-int argc;
-char *argv[];
+void ktutil_read_v4(argc, argv)
+ int argc;
+ char *argv[];
{
#ifdef KRB5_KRB4_COMPAT
- krb5_error_code retval;
+ krb5_error_code retval;
- if (argc != 2) {
+ if (argc != 2) {
fprintf(stderr,
gettext("%s: must specify the srvtab to read\n"), argv[0]);
- return;
- }
- retval = ktutil_read_srvtab(kcontext, argv[1], &ktlist);
- if (retval)
+ return;
+ }
+ retval = ktutil_read_srvtab(kcontext, argv[1], &ktlist);
+ if (retval)
com_err(argv[0], retval,
gettext("while reading srvtab \"%s\""), argv[1]);
#else
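Review bot: `retval = ss_listen(sci_idx);` stores the result but nothing reads it — the function frees the keytab list and calls `exit(0)` regardless, so a failure to start the command loop is reported as success. Add `if (retval) ss_perror(sci_idx, retval, gettext("listening for requests"));` before the cleanup and finish with `exit(retval ? 1 : 0);`. The removed `krb5_kt_register(kcontext, &krb5_ktf_writable_ops)` call presumably reflects the library now registering the writable keytab type itself; if that is not the case, `wkt` would fail at runtime, so it is worth confirming. main's signature is in the preceding hunk.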
@@ -168,39 +157,37 @@ char *argv[];
#endif
}
-void
-ktutil_write_v5(argc, argv)
-int argc;
-char *argv[];
+void ktutil_write_v5(argc, argv)
+ int argc;
+ char *argv[];
{
- krb5_error_code retval;
+ krb5_error_code retval;
- if (argc != 2) {
+ if (argc != 2) {
fprintf(stderr,
gettext("%s: must specify keytab to write\n"), argv[0]);
- return;
- }
- retval = ktutil_write_keytab(kcontext, ktlist, argv[1]);
- if (retval)
+ return;
+ }
+ retval = ktutil_write_keytab(kcontext, ktlist, argv[1]);
+ if (retval)
com_err(argv[0], retval,
gettext("while writing keytab \"%s\""), argv[1]);
}
-void
-ktutil_write_v4(argc, argv)
-int argc;
-char *argv[];
+void ktutil_write_v4(argc, argv)
+ int argc;
+ char *argv[];
{
#ifdef KRB5_KRB4_COMPAT
- krb5_error_code retval;
+ krb5_error_code retval;
- if (argc != 2) {
+ if (argc != 2) {
fprintf(stderr,
gettext("%s: must specify srvtab to write\n"), argv[0]);
- return;
- }
- retval = ktutil_write_srvtab(kcontext, ktlist, argv[1]);
- if (retval)
+ return;
+ }
+ retval = ktutil_write_srvtab(kcontext, ktlist, argv[1]);
+ if (retval)
com_err(argv[0], retval,
gettext("while writing srvtab \"%s\""), argv[1]);
#else
@@ -252,108 +239,102 @@ void ktutil_add_entry(argc, argv)
com_err(argv[0], retval, gettext("while adding new entry"));
}
-void
-ktutil_delete_entry(argc, argv)
-int argc;
-char *argv[];
+void ktutil_delete_entry(argc, argv)
+ int argc;
+ char *argv[];
{
- krb5_error_code retval;
+ krb5_error_code retval;
- if (argc != 2) {
- fprintf(stderr,
- gettext("%s: must specify entry to delete\n"), argv[0]);
- return;
- }
- retval = ktutil_delete(kcontext, &ktlist, atoi(argv[1]));
- if (retval)
- com_err(argv[0], retval,
+ if (argc != 2) {
+ fprintf(stderr,
+ gettext("%s: must specify entry to delete\n"), argv[0]);
+ return;
+ }
+ retval = ktutil_delete(kcontext, &ktlist, atoi(argv[1]));
+ if (retval)
+ com_err(argv[0], retval,
gettext("while deleting entry %d"), atoi(argv[1]));
}
-void
-ktutil_list(argc, argv)
-int argc;
-char *argv[];
+void ktutil_list(argc, argv)
+ int argc;
+ char *argv[];
{
- krb5_error_code retval;
- krb5_kt_list lp;
- struct tm *stime;
- int show_time = 0, show_keys = 0, show_enctype = 0;
- int i, j;
- char *pname;
-
- for (i = 1; i < argc; i++) {
- if ((strlen(argv[i]) == 2) && strncmp(argv[i], "-t", 2) == 0) {
- show_time++;
- continue;
- }
- if ((strlen(argv[i]) == 2) && strncmp(argv[i], "-k", 2) == 0) {
- show_keys++;
- continue;
- }
- if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
- show_enctype++;
- continue;
- }
- if ((strlen(argv[i]) == 2) &&
- (strncmp(argv[i], "-e", 2) == 0)) {
- show_enctype = 1;
- continue;
- }
- fprintf(stderr, gettext("%s: illegal arguments\n"), argv[0]);
- return;
+ krb5_error_code retval;
+ krb5_kt_list lp;
+ int show_time = 0, show_keys = 0, show_enctype = 0;
+ int i, j;
+ char *pname;
+
+ for (i = 1; i < argc; i++) {
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-t", 2)) {
+ show_time++;
+ continue;
+ }
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
+ show_keys++;
+ continue;
+ }
+ if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
+ show_enctype++;
+ continue;
}
+
+ fprintf(stderr, "%s: %s [-t] [-k] [-e]\n", gettext("usage"), argv[0]);
+ return;
+ }
+ if (show_time) {
+ printf(gettext("slot KVNO Timestamp Principal\n"));
+ printf("---- ---- ----------------- ---------------------------------------------------\n");
+ } else {
+ printf(gettext("slot KVNO Principal\n"));
+ printf("---- ---- ---------------------------------------------------------------------\n");
+ }
+ for (i = 1, lp = ktlist; lp; i++, lp = lp->next) {
+ retval = krb5_unparse_name(kcontext, lp->entry->principal, &pname);
+ if (retval) {
+ com_err(argv[0], retval,
+ gettext("while unparsing principal name"));
+ return;
+ }
+ printf("%4d %4d ", i, lp->entry->vno);
if (show_time) {
- printf(gettext("slot KVNO Timestamp Principal\n"));
- printf("---- ---- ----------------- ---------------------------------------------------\n");
- } else {
- printf(gettext("slot KVNO Principal\n"));
- printf("---- ---- ---------------------------------------------------------------------\n");
+ char fmtbuf[18];
+ char fill;
+ time_t tstamp;
+
+ (void) localtime(&tstamp);
+ lp->entry->timestamp = tstamp;
+ fill = ' ';
+ if (!krb5_timestamp_to_sfstring((krb5_timestamp)lp->entry->
+ timestamp,
+ fmtbuf,
+ sizeof(fmtbuf),
+ &fill))
+ printf("%s ", fmtbuf);
}
- for (i = 1, lp = ktlist; lp; i++, lp = lp->next) {
- retval = krb5_unparse_name(kcontext,
- lp->entry->principal, &pname);
- if (retval) {
- com_err(argv[0], retval,
- gettext("while unparsing principal name"));
- return;
+ printf("%40s", pname);
+ if (show_enctype) {
+ static char buf[256];
+ if ((retval = krb5_enctype_to_string(
+ lp->entry->key.enctype, buf, 256))) {
+ com_err(argv[0], retval,
+ gettext("While converting "
+ "enctype to string"));
+ return;
}
- printf("%4d %4d ", i, lp->entry->vno);
- if (show_time) {
- char fmtbuf[18];
- char fill;
-
- stime = localtime((time_t *) & lp->entry->timestamp);
- fill = ' ';
- if (!krb5_timestamp_to_sfstring(
- (krb5_timestamp) lp->entry->timestamp,
- fmtbuf,
- sizeof (fmtbuf),
- &fill))
- printf("%s ", fmtbuf);
- }
- printf("%40s", pname);
- if (show_enctype) {
- static char buf[256];
-
- if ((retval = krb5_enctype_to_string(
- lp->entry->key.enctype, buf, 256))) {
- com_err(argv[0], retval,
- gettext("While converting "
- "enctype to string"));
- return;
- }
- printf(" (%s) ", buf);
- }
- if (show_keys) {
- printf(" (0x");
- for (j = 0; j < lp->entry->key.length; j++)
- printf("%02x", lp->entry->key.contents[j]);
- printf(")");
- }
- printf("\n");
- krb5_xfree(pname);
+ printf(" (%s) ", buf);
}
+
+ if (show_keys) {
+ printf(" (0x");
+ for (j = 0; j < lp->entry->key.length; j++)
+ printf("%02x", lp->entry->key.contents[j]);
+ printf(")");
+ }
+ printf("\n");
+ krb5_xfree(pname);
+ }
}
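Review bot: In the `show_time` branch of ktutil_list, `time_t tstamp;` is declared but never assigned, then `(void) localtime(&tstamp);` reads it (undefined behaviour) and `lp->entry->timestamp = tstamp;` overwrites the entry's real timestamp with that indeterminate value. The listing then prints garbage for -t, and because ktlist is the in-memory list that ktutil_write_v5/ktutil_write_v4 later pass to the write routines, a read / `list -t` / write sequence would persist the corrupted timestamps into the keytab. The old code only called localtime for a discarded `stime`, so none of this is needed: delete `time_t tstamp;`, `(void) localtime(&tstamp);` and `lp->entry->timestamp = tstamp;` and let krb5_timestamp_to_sfstring format `lp->entry->timestamp` directly, as the following call already does. While here, `krb5_enctype_to_string(lp->entry->key.enctype, buf, 256)` could use `sizeof buf` rather than repeating the 256.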
diff --git a/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h b/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h
index 3cdd5d1d4d..74afbc0d5b 100644
--- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h
+++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h
@@ -28,7 +28,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -42,49 +42,54 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
typedef struct _krb5_kt_list {
- struct _krb5_kt_list *next;
- krb5_keytab_entry *entry;
+ struct _krb5_kt_list *next;
+ krb5_keytab_entry *entry;
} *krb5_kt_list;
-krb5_error_code ktutil_free_kt_list
-(krb5_context,
- krb5_kt_list);
-
-krb5_error_code ktutil_delete
-(krb5_context,
- krb5_kt_list *,
- int);
-
-krb5_error_code ktutil_add
- (krb5_context,
- krb5_kt_list *,
- char *,
- krb5_kvno,
- char *,
- int);
-
-krb5_error_code ktutil_read_keytab
-(krb5_context,
- char *,
- krb5_kt_list *);
-
-krb5_error_code ktutil_write_keytab
-(krb5_context,
- krb5_kt_list,
- char *);
+krb5_error_code ktutil_free_kt_list (krb5_context, krb5_kt_list);
-#ifdef KRB5_KRB4_COMPAT
-krb5_error_code ktutil_read_srvtab
-(krb5_context,
- char *,
- krb5_kt_list *);
-krb5_error_code ktutil_write_srvtab
-(krb5_context,
- krb5_kt_list,
- char *);
+krb5_error_code ktutil_delete (krb5_context, krb5_kt_list *, int);
+
+krb5_error_code ktutil_add (krb5_context,
+ krb5_kt_list *,
+ char *,
+ krb5_kvno,
+ char *,
+ int);
+krb5_error_code ktutil_read_keytab (krb5_context,
+ char *,
+ krb5_kt_list *);
+
+krb5_error_code ktutil_write_keytab (krb5_context,
+ krb5_kt_list,
+ char *);
+
+#ifdef KRB5_KRB4_COMPAT
+krb5_error_code ktutil_read_srvtab (krb5_context,
+ char *,
+ krb5_kt_list *);
+krb5_error_code ktutil_write_srvtab (krb5_context,
+ krb5_kt_list,
+ char *);
#endif
+
+void ktutil_add_entry (int, char *[]);
+
+void ktutil_clear_list (int, char *[]);
+
+void ktutil_read_v5 (int, char *[]);
+
+void ktutil_read_v4 (int, char *[]);
+
+void ktutil_write_v5 (int, char *[]);
+
+void ktutil_write_v4 (int, char *[]);
+
+void ktutil_delete_entry (int, char *[]);
+
+void ktutil_list (int, char *[]);
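Review bot: The header has no include guard and relies on krb5_context, krb5_keytab_entry and krb5_kvno without including `<krb5.h>`, so it is usable only after the including file has done so; wrapping it in `#ifndef KTUTIL_H` / `#define KTUTIL_H` … `#endif` and adding the include makes it self-contained. The prototypes also drop parameter names — `ktutil_add (krb5_context, krb5_kt_list *, char *, krb5_kvno, char *, int)` has two bare `char *` and an `int` whose roles a caller cannot tell apart — so carrying the definition's names over (`princ_str` and `kvno` are visible in the ktutil_funcs.c hunk header; the rest follow from that definition) documents the contract where it is read.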
diff --git a/usr/src/cmd/krb5/kadmin/ktutil/ktutil_ct.c b/usr/src/cmd/krb5/kadmin/ktutil/ktutil_ct.c
index 854e0b3074..bf6a2ba1f9 100644
--- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil_ct.c
+++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil_ct.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -38,116 +38,116 @@
#define gettext(s) s
#ifndef __STDC__
-#define const
+#define const
#endif
-static char const *const ssu00001[] = {
- "clear_list",
- "clear",
- (char const *) 0
+static char const * const ssu00001[] = {
+"clear_list",
+ "clear",
+ (char const *)0
};
extern void ktutil_clear_list __SS_PROTO;
-static char const *const ssu00002[] = {
- "read_kt",
- "rkt",
- (char const *) 0
+static char const * const ssu00002[] = {
+"read_kt",
+ "rkt",
+ (char const *)0
};
extern void ktutil_read_v5 __SS_PROTO;
-static char const *const ssu00003[] = {
- "read_st",
- "rst",
- (char const *) 0
+static char const * const ssu00003[] = {
+"read_st",
+ "rst",
+ (char const *)0
};
extern void ktutil_read_v4 __SS_PROTO;
-static char const *const ssu00004[] = {
- "write_kt",
- "wkt",
- (char const *) 0
+static char const * const ssu00004[] = {
+"write_kt",
+ "wkt",
+ (char const *)0
};
extern void ktutil_write_v5 __SS_PROTO;
-static char const *const ssu00005[] = {
- "write_st",
- "wst",
- (char const *) 0
+static char const * const ssu00005[] = {
+"write_st",
+ "wst",
+ (char const *)0
};
extern void ktutil_write_v4 __SS_PROTO;
-static char const *const ssu00006[] = {
- "add_entry",
- "addent",
- (char const *) 0
+static char const * const ssu00006[] = {
+"add_entry",
+ "addent",
+ (char const *)0
};
extern void ktutil_add_entry __SS_PROTO;
-static char const *const ssu00007[] = {
- "delete_entry",
- "delent",
- (char const *) 0
+static char const * const ssu00007[] = {
+"delete_entry",
+ "delent",
+ (char const *)0
};
extern void ktutil_delete_entry __SS_PROTO;
-static char const *const ssu00008[] = {
- "list",
- "l",
- (char const *) 0
+static char const * const ssu00008[] = {
+"list",
+ "l",
+ (char const *)0
};
extern void ktutil_list __SS_PROTO;
-static char const *const ssu00009[] = {
- "list_requests",
- "lr",
- "?",
- (char const *) 0
+static char const * const ssu00009[] = {
+"list_requests",
+ "lr",
+ "?",
+ (char const *)0
};
extern void ss_list_requests __SS_PROTO;
-static char const *const ssu00010[] = {
- "quit",
- "exit",
- "q",
- (char const *) 0
+static char const * const ssu00010[] = {
+"quit",
+ "exit",
+ "q",
+ (char const *)0
};
extern void ss_quit __SS_PROTO;
static ss_request_entry ssu00011[] = {
- {ssu00001,
- ktutil_clear_list,
+ { ssu00001,
+ ktutil_clear_list,
gettext("Clear the current keylist."),
- 0},
- {ssu00002,
- ktutil_read_v5,
+ 0 },
+ { ssu00002,
+ ktutil_read_v5,
gettext("Read a krb5 keytab into the current keylist."),
- 0},
- {ssu00003,
- ktutil_read_v4,
+ 0 },
+ { ssu00003,
+ ktutil_read_v4,
gettext("Read a krb4 srvtab into the current keylist."),
- 0},
- {ssu00004,
- ktutil_write_v5,
+ 0 },
+ { ssu00004,
+ ktutil_write_v5,
gettext("Write the current keylist to a krb5 keytab."),
- 0},
- {ssu00005,
- ktutil_write_v4,
+ 0 },
+ { ssu00005,
+ ktutil_write_v4,
gettext("Write the current keylist to a krb4 srvtab."),
- 0},
- {ssu00006,
- ktutil_add_entry,
+ 0 },
+ { ssu00006,
+ ktutil_add_entry,
gettext("Add an entry to the current keylist."),
- 0},
- {ssu00007,
- ktutil_delete_entry,
+ 0 },
+ { ssu00007,
+ ktutil_delete_entry,
gettext("Delete an entry from the current keylist."),
- 0},
- {ssu00008,
- ktutil_list,
+ 0 },
+ { ssu00008,
+ ktutil_list,
gettext("List the current keylist."),
- 0},
- {ssu00009,
- ss_list_requests,
+ 0 },
+ { ssu00009,
+ ss_list_requests,
gettext("List available requests."),
- 0},
- {ssu00010,
- ss_quit,
+ 0 },
+ { ssu00010,
+ ss_quit,
gettext("Exit program."),
- 0},
- {0, 0, 0, 0}
+ 0 },
+ { 0, 0, 0, 0 }
};
-ss_request_table ktutil_cmds = {2, ssu00011};
+ss_request_table ktutil_cmds = { 2, ssu00011 };
#undef gettext
diff --git a/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c b/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c
index 1393292591..89859da78e 100644
--- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c
+++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c
@@ -5,6 +5,7 @@
#pragma ident "%Z%%M% %I% %E% SMI"
+
/*
* kadmin/ktutil/ktutil_funcs.c
*
@@ -69,16 +70,16 @@ krb5_error_code ktutil_free_kt_list(context, list)
* Delete a numbered entry in a kt_list. Takes a pointer to a kt_list
* in case head gets deleted.
*/
-krb5_error_code ktutil_delete(context, list, index)
+krb5_error_code ktutil_delete(context, list, idx)
krb5_context context;
krb5_kt_list *list;
- int index;
+ int idx;
{
krb5_kt_list lp, prev;
int i;
for (lp = *list, i = 1; lp; prev = lp, lp = lp->next, i++) {
- if (i == index) {
+ if (i == idx) {
if (i == 1)
*list = lp->next;
else
@@ -117,7 +118,8 @@ krb5_error_code ktutil_add(context, list, princ_str, kvno,
char promptstr[1024];
char *cp;
- int i, tmp, pwsize = BUFSIZ;
+ int i, tmp;
+ unsigned int pwsize = BUFSIZ;
retval = krb5_parse_name(context, princ_str, &princ);
if (retval)
@@ -211,7 +213,7 @@ krb5_error_code ktutil_add(context, list, princ_str, kvno,
i = 0;
for (cp = buf; *cp; cp += 2) {
- if (!isxdigit(cp[0]) || !isxdigit(cp[1])) {
+ if (!isxdigit((int) cp[0]) || !isxdigit((int) cp[1])) {
fprintf(stderr, "addent: %s",
gettext("Illegal character in key.\n"));
retval = 0;
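Review bot: The added `(int)` casts in `isxdigit((int) cp[0])` do not fix the problem the cast is presumably there for: when `char` is signed and the key string contains a byte above 0x7f, `cp[0]` is negative and converting it to int leaves it negative, which is undefined behaviour for the ctype functions. The correct form is `if (!isxdigit((unsigned char) cp[0]) || !isxdigit((unsigned char) cp[1])) {`. ktutil_add, which this loop belongs to, starts and ends outside the hunk.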
@@ -296,7 +298,7 @@ krb5_error_code ktutil_read_keytab(context, name, list)
}
if (entry)
free((char *)entry);
- if (retval)
+ if (retval) {
if (retval == KRB5_KT_END)
retval = 0;
else {
@@ -305,6 +307,7 @@ krb5_error_code ktutil_read_keytab(context, name, list)
if (back)
back->next = NULL;
}
+ }
if (!*list)
*list = tail;
krb5_kt_end_seq_get(context, kt, &cursor);
@@ -353,12 +356,12 @@ krb5_error_code ktutil_write_keytab(context, list, name)
* including the null terminator.
*/
-int getstr(fp, s, n)
+static int getstr(fp, s, n)
FILE *fp;
register char *s;
int n;
{
- register count = n;
+ register int count = n;
while (fread(s, 1, 1, fp) > 0 && --count)
if (*s++ == '\0')
return (n - count);
@@ -512,10 +515,22 @@ krb5_error_code ktutil_write_srvtab(context, list, name)
lp1 = prev->next;
}
lp1->entry = lp->entry;
- } else if (lp1->entry->vno < lp->entry->vno)
- /* Check if lp->entry is newer kvno; if so, update */
- lp1->entry = lp->entry;
+ } else {
+ /* This heuristic should be roughly the same as in the
+ keytab-reading code in libkrb5. */
+ int offset = 0;
+ if (lp1->entry->vno > 240 || lp->entry->vno > 240) {
+ offset = 128;
+ }
+#define M(X) (((X) + offset) % 256)
+ if (M(lp1->entry->vno) < M(lp->entry->vno))
+ /* Check if lp->entry is newer kvno; if so, update */
+ lp1->entry = lp->entry;
+ }
}
+ umask(0077); /*Changing umask for all of ktutil is OK
+ * We don't ever write out anything that should use
+ * default umask.*/
fp = fopen(name, "w");
if (!fp) {
retval = EIO;
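Review bot: `#define M(X)` is introduced inside the function body and never undefined, so the macro — which captures the local `offset` — stays live for the rest of the translation unit; add `#undef M` right after the `if (M(lp1->entry->vno) < M(lp->entry->vno))` comparison. The `umask(0077)` before the fopen is appropriate for a file that holds keys, and the comment already records that it is process-wide; it needs `<sys/stat.h>`, which is outside this hunk, so check it is included. ktutil_write_srvtab starts before and ends after this hunk.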
diff --git a/usr/src/cmd/krb5/kadmin/server/ipropd_svc.c b/usr/src/cmd/krb5/kadmin/server/ipropd_svc.c
index 7bae9b7de9..dd15cc7ac4 100644
--- a/usr/src/cmd/krb5/kadmin/server/ipropd_svc.c
+++ b/usr/src/cmd/krb5/kadmin/server/ipropd_svc.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -151,7 +151,7 @@ iprop_get_updates_1(kdb_last_t *arg, struct svc_req *rqstp)
whoami);
goto out;
}
- if (!acl_check(handle->context,
+ if (!kadm5int_acl_check(handle->context,
name,
ACL_IPROP,
NULL,
@@ -271,7 +271,7 @@ iprop_full_resync_1(
whoami);
goto out;
}
- if (!acl_check(handle->context,
+ if (!kadm5int_acl_check(handle->context,
name,
ACL_IPROP,
NULL,
diff --git a/usr/src/cmd/krb5/kadmin/server/kadm_rpc_svc.c b/usr/src/cmd/krb5/kadmin/server/kadm_rpc_svc.c
index 3fb857739f..2eab293cd3 100644
--- a/usr/src/cmd/krb5/kadmin/server/kadm_rpc_svc.c
+++ b/usr/src/cmd/krb5/kadmin/server/kadm_rpc_svc.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -36,14 +36,27 @@ static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/server/kadm_rpc_svc.c
#include <stdio.h>
#include <rpc/rpc.h> /* SUNWresync 121 XXX */
+#include <gssapi_krb5.h> /* for gss_nt_krb5_name */
#include <syslog.h>
+#ifdef HAVE_MEMORY_H
#include <memory.h>
+#endif
#include <rpc/rpcsec_gss.h>
#include <kadm5/kadm_rpc.h>
#include <krb5.h>
#include <kadm5/admin.h>
#include <libintl.h>
+#include <krb5/adm_proto.h>
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#include "misc.h"
+#include "kadm5/server_internal.h"
+
+extern void *global_server_handle;
+void log_badauth(OM_uint32 major, OM_uint32 minor,
+ struct sockaddr_in *addr, char *data);
/*
* Function: kadm_1
*
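Review bot: The `extern void *global_server_handle;` declaration and the `log_badauth` prototype are written into this .c file rather than a shared header, so nothing checks that they agree with the definitions elsewhere; "misc.h" is already included here and is the natural home for both. The prototype also fixes the peer address as `struct sockaddr_in *`, which limits the bad-auth log to IPv4 peers — worth a comment on the declaration if that is intended.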
@@ -61,8 +74,7 @@ static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/server/kadm_rpc_svc.c
* Modifies:
*/
-void
-kadm_1(rqstp, transp)
+void kadm_1(rqstp, transp)
struct svc_req *rqstp;
register SVCXPRT *transp;
{
@@ -86,11 +98,10 @@ kadm_1(rqstp, transp)
setkey3_arg setkey_principal3_1_arg;
} argument;
char *result;
-
bool_t (*xdr_argument)(), (*xdr_result)();
char *(*local)();
- if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) {
+ if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) {
krb5_klog_syslog(LOG_ERR,
gettext("Authentication attempt failed: invalid "
"RPC authentication flavor %d"),
@@ -107,154 +118,154 @@ kadm_1(rqstp, transp)
case CREATE_PRINCIPAL:
xdr_argument = xdr_cprinc_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) create_principal_1;
+ local = (char *(*)()) create_principal_1_svc;
break;
case DELETE_PRINCIPAL:
xdr_argument = xdr_dprinc_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) delete_principal_1;
+ local = (char *(*)()) delete_principal_1_svc;
break;
case MODIFY_PRINCIPAL:
xdr_argument = xdr_mprinc_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) modify_principal_1;
+ local = (char *(*)()) modify_principal_1_svc;
break;
case RENAME_PRINCIPAL:
xdr_argument = xdr_rprinc_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) rename_principal_1;
+ local = (char *(*)()) rename_principal_1_svc;
break;
case GET_PRINCIPAL:
xdr_argument = xdr_gprinc_arg;
xdr_result = xdr_gprinc_ret;
- local = (char *(*)()) get_principal_1;
+ local = (char *(*)()) get_principal_1_svc;
break;
case GET_PRINCS:
xdr_argument = xdr_gprincs_arg;
xdr_result = xdr_gprincs_ret;
- local = (char *(*)()) get_princs_1;
+ local = (char *(*)()) get_princs_1_svc;
break;
case CHPASS_PRINCIPAL:
xdr_argument = xdr_chpass_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) chpass_principal_1;
+ local = (char *(*)()) chpass_principal_1_svc;
break;
#ifdef SUNWOFF
case SETV4KEY_PRINCIPAL:
xdr_argument = xdr_setv4key_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) setv4key_principal_1;
+ local = (char *(*)()) setv4key_principal_1_svc;
break;
#endif
case SETKEY_PRINCIPAL:
xdr_argument = xdr_setkey_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) setkey_principal_1;
+ local = (char *(*)()) setkey_principal_1_svc;
break;
case CHRAND_PRINCIPAL:
xdr_argument = xdr_chrand_arg;
xdr_result = xdr_chrand_ret;
- local = (char *(*)()) chrand_principal_1;
+ local = (char *(*)()) chrand_principal_1_svc;
break;
case CREATE_POLICY:
xdr_argument = xdr_cpol_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) create_policy_1;
+ local = (char *(*)()) create_policy_1_svc;
break;
case DELETE_POLICY:
xdr_argument = xdr_dpol_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) delete_policy_1;
+ local = (char *(*)()) delete_policy_1_svc;
break;
case MODIFY_POLICY:
xdr_argument = xdr_mpol_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) modify_policy_1;
+ local = (char *(*)()) modify_policy_1_svc;
break;
case GET_POLICY:
xdr_argument = xdr_gpol_arg;
xdr_result = xdr_gpol_ret;
- local = (char *(*)()) get_policy_1;
+ local = (char *(*)()) get_policy_1_svc;
break;
case GET_POLS:
xdr_argument = xdr_gpols_arg;
xdr_result = xdr_gpols_ret;
- local = (char *(*)()) get_pols_1;
+ local = (char *(*)()) get_pols_1_svc;
break;
case GET_PRIVS:
- xdr_argument = xdr_u_int;
+ xdr_argument = xdr_u_int;
xdr_result = xdr_getprivs_ret;
- local = (char *(*)()) get_privs_1;
+ local = (char *(*)()) get_privs_1_svc;
break;
case INIT:
- xdr_argument = xdr_u_int;
+ xdr_argument = xdr_u_int;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) init_1;
+ local = (char *(*)()) init_1_svc;
break;
case CREATE_PRINCIPAL3:
xdr_argument = xdr_cprinc3_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) create_principal3_1;
+ local = (char *(*)()) create_principal3_1_svc;
break;
case CHPASS_PRINCIPAL3:
xdr_argument = xdr_chpass3_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) chpass_principal3_1;
+ local = (char *(*)()) chpass_principal3_1_svc;
break;
case CHRAND_PRINCIPAL3:
xdr_argument = xdr_chrand3_arg;
xdr_result = xdr_chrand_ret;
- local = (char *(*)()) chrand_principal3_1;
+ local = (char *(*)()) chrand_principal3_1_svc;
break;
case SETKEY_PRINCIPAL3:
xdr_argument = xdr_setkey3_arg;
xdr_result = xdr_generic_ret;
- local = (char *(*)()) setkey_principal3_1;
+ local = (char *(*)()) setkey_principal3_1_svc;
break;
default:
- krb5_klog_syslog(LOG_ERR,
+ krb5_klog_syslog(LOG_ERR,
gettext("Invalid KADM5 procedure number: %d"),
rqstp->rq_proc);
svcerr_noproc(transp);
return;
}
memset((char *)&argument, 0, sizeof(argument));
- if (!svc_getargs(transp, xdr_argument, (char *) &argument)) {
+ if (!svc_getargs(transp, xdr_argument, (char *) &argument)) {
svcerr_decode(transp);
return;
}
result = (*local)(&argument, rqstp);
- if (result != NULL &&
- !svc_sendreply(transp, xdr_result, (char *) result)) {
+ if (result != NULL && !svc_sendreply(transp, xdr_result, (char *) result)) {
krb5_klog_syslog(LOG_ERR,
gettext("WARNING! Unable to send function results, "
"continuing."));
svcerr_systemerr(transp);
}
- if (!svc_freeargs(transp, xdr_argument, (char *) &argument)) {
- krb5_klog_syslog(LOG_ERR,
+ if (!svc_freeargs(transp, xdr_argument, (char *) &argument)) {
+ krb5_klog_syslog(LOG_ERR,
gettext("WARNING! Unable to free arguments, "
"continuing."));
}
+ return;
}
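Review bot: A stub that returns NULL gets no reply at all at the `result != NULL && !svc_sendreply(...)` line, so such a client would hang until its RPC timeout instead of receiving an error; none of the `*_svc` stubs visible in this diff return NULL, but the dispatcher should not depend on that. Add an explicit branch before the svc_freeargs call: `else if (result == NULL) svcerr_systemerr(transp);`. A one-line comment above the switch would also help a reader, `/* Only the RPC auth flavor is verified here; each *_svc stub does its own ACL check. */` — presumably that is the split, confirm against server_stubs.c. kadm_1 begins in an earlier hunk, outside this one.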
diff --git a/usr/src/cmd/krb5/kadmin/server/misc.c b/usr/src/cmd/krb5/kadmin/server/misc.c
index 18a14df98e..03bdf8758d 100644
--- a/usr/src/cmd/krb5/kadmin/server/misc.c
+++ b/usr/src/cmd/krb5/kadmin/server/misc.c
@@ -21,25 +21,16 @@
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/kadmin/\
- * server/misc.c,v 1.10 1996/07/22 20:28:55 marc Exp $
*/
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev"
- "/.cvsroot/src/kadmin/server/misc.c,v 1.10 1996/07/22 20:28:55 "
- "marc Exp $";
-
-#endif
-
#include <kadm5/adb.h>
#include <kadm5/server_internal.h>
#include <krb5/kdb.h>
#include "misc.h"
/*
- * Function: chpass_principal_wrapper
- *
+ * Function: chpass_principal_wrapper_3
+ *
* Purpose: wrapper to kadm5_chpass_principal that checks to see if
* pw_min_life has been reached. if not it returns an error.
* otherwise it calls kadm5_chpass_principal
@@ -47,123 +38,134 @@ static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev"
* Arguments:
* principal (input) krb5_principals whose password we are
* changing
- * passoword (input) passowrd we are going to change to.
- * <return value> 0 on sucsess error code on failure.
+ * keepold (input) whether to preserve old keys
+ * n_ks_tuple (input) the number of key-salt tuples in ks_tuple
+ * ks_tuple (input) array of tuples indicating the caller's
+ * requested enctypes/salttypes
+ * password (input) password we are going to change to.
+ * <return value> 0 on success error code on failure.
*
* Requires:
* kadm5_init to have been run.
- *
+ *
* Effects:
* calls kadm5_chpass_principal which changes the kdb and the
* the admin db.
*
*/
kadm5_ret_t
-chpass_principal_wrapper(void *server_handle,
- krb5_principal principal, char *password)
+chpass_principal_wrapper_3(void *server_handle,
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ char *password)
{
- krb5_int32 now;
- kadm5_ret_t ret;
- kadm5_policy_ent_rec pol;
- kadm5_principal_ent_rec princ;
- kadm5_server_handle_t handle = server_handle;
-
- if (ret = krb5_timeofday(handle->context, &now))
- return (ret);
-
- if ((ret = kadm5_get_principal(handle->lhandle, principal,
- &princ,
- KADM5_PRINCIPAL_NORMAL_MASK)) !=
- KADM5_OK)
- return (ret);
- if (princ.aux_attributes & KADM5_POLICY) {
- if ((ret = kadm5_get_policy(handle->lhandle,
- princ.policy, &pol)) != KADM5_OK) {
- (void) kadm5_free_principal_ent(handle->lhandle,
- &princ);
- return (ret);
- }
- if ((now - princ.last_pwd_change) < pol.pw_min_life &&
- !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- (void) kadm5_free_policy_ent(handle->lhandle, &pol);
- (void) kadm5_free_principal_ent(handle->lhandle,
- &princ);
- return (KADM5_PASS_TOOSOON);
- }
- if (ret = kadm5_free_policy_ent(handle->lhandle, &pol)) {
- (void) kadm5_free_principal_ent(handle->lhandle,
- &princ);
- return (ret);
- }
- }
- if (ret = kadm5_free_principal_ent(handle->lhandle, &princ))
- return (ret);
+ kadm5_ret_t ret;
+
+ ret = check_min_life(server_handle, principal);
+ if (ret)
+ return ret;
- return (kadm5_chpass_principal(server_handle, principal, password));
+ return kadm5_chpass_principal_3(server_handle, principal,
+ keepold, n_ks_tuple, ks_tuple,
+ password);
}
/*
- * Function: randkey_principal_wrapper
- *
+ * Function: randkey_principal_wrapper_3
+ *
* Purpose: wrapper to kadm5_randkey_principal which checks the
- * passwords min. life.
+ * password's min. life.
*
* Arguments:
* principal (input) krb5_principal whose password we are
* changing
+ * keepold (input) whether to preserve old keys
+ * n_ks_tuple (input) the number of key-salt tuples in ks_tuple
+ * ks_tuple (input) array of tuples indicating the caller's
+ * requested enctypes/salttypes
* key (output) new random key
- * < return value > 0, error code on error.
+ * <return value> 0, error code on error.
*
* Requires:
* kadm5_init needs to be run
- *
+ *
* Effects:
* calls kadm5_randkey_principal
*
*/
kadm5_ret_t
-randkey_principal_wrapper(void *server_handle,
- krb5_principal principal,
- krb5_keyblock ** keys, int *n_keys)
+randkey_principal_wrapper_3(void *server_handle,
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ krb5_keyblock **keys, int *n_keys)
{
+ kadm5_ret_t ret;
+
+ ret = check_min_life(server_handle, principal);
+ if (ret)
+ return ret;
+ return kadm5_randkey_principal_3(server_handle, principal,
+ keepold, n_ks_tuple, ks_tuple,
+ keys, n_keys);
+}
- krb5_int32 now;
- kadm5_ret_t ret;
- kadm5_policy_ent_rec pol;
- kadm5_principal_ent_rec princ;
- kadm5_server_handle_t handle = server_handle;
-
- if (ret = krb5_timeofday(handle->context, &now))
- return (ret);
-
- if ((ret = kadm5_get_principal(handle->lhandle,
- principal, &princ,
- KADM5_PRINCIPAL_NORMAL_MASK)) !=
- OSA_ADB_OK)
- return (ret);
- if (princ.aux_attributes & KADM5_POLICY) {
- if ((ret = kadm5_get_policy(handle->lhandle,
- princ.policy, &pol)) != KADM5_OK) {
- (void) kadm5_free_principal_ent(handle->lhandle,
- &princ);
- return (ret);
- }
- if ((now - princ.last_pwd_change) < pol.pw_min_life &&
- !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- (void) kadm5_free_policy_ent(handle->lhandle, &pol);
- (void) kadm5_free_principal_ent(handle->lhandle,
- &princ);
- return (KADM5_PASS_TOOSOON);
- }
- if (ret = kadm5_free_policy_ent(handle->lhandle, &pol)) {
- (void) kadm5_free_principal_ent(handle->lhandle,
- &princ);
- return (ret);
- }
+kadm5_ret_t
+chpass_util_wrapper(void *server_handle, krb5_principal princ,
+ char *new_pw, char **ret_pw,
+ char *msg_ret, unsigned int msg_len)
+{
+ kadm5_ret_t ret;
+
+ ret = check_min_life(server_handle, princ);
+ if (ret)
+ return ret;
+
+ return kadm5_chpass_principal_util(server_handle, princ,
+ new_pw, ret_pw,
+ msg_ret, msg_len);
+}
+
+kadm5_ret_t
+check_min_life(void *server_handle, krb5_principal principal)
+{
+ krb5_int32 now;
+ kadm5_ret_t ret;
+ kadm5_policy_ent_rec pol;
+ kadm5_principal_ent_rec princ;
+ kadm5_server_handle_t handle = server_handle;
+
+ ret = krb5_timeofday(handle->context, &now);
+ if (ret)
+ return ret;
+
+ ret = kadm5_get_principal(handle->lhandle, principal,
+ &princ, KADM5_PRINCIPAL_NORMAL_MASK);
+ if(ret != OSA_ADB_OK)
+ return ret;
+ if(princ.aux_attributes & KADM5_POLICY) {
+ if((ret=kadm5_get_policy(handle->lhandle,
+ princ.policy, &pol)) != KADM5_OK) {
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return ret;
+ }
+ if((now - princ.last_pwd_change) < pol.pw_min_life &&
+ !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ (void) kadm5_free_policy_ent(handle->lhandle, &pol);
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return KADM5_PASS_TOOSOON;
}
- if (ret = kadm5_free_principal_ent(handle->lhandle, &princ))
- return (ret);
- return (kadm5_randkey_principal(server_handle,
- principal, keys, n_keys));
+
+ ret = kadm5_free_policy_ent(handle->lhandle, &pol);
+ if (ret) {
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return ret;
+ }
+ }
+
+ return kadm5_free_principal_ent(handle->lhandle, &princ);
}
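Review bot: check_min_life carries no header comment, although it is now the single policy gate that all three wrappers above route through before any password or key change; the neighbouring wrappers document their contracts and this one should too. Suggested text above the definition: `/* Return KADM5_PASS_TOOSOON if the principal has a policy whose pw_min_life has not elapsed since last_pwd_change (unless KRB5_KDB_REQUIRES_PWCHANGE is set); 0 when the check passes or the principal has no policy; otherwise the lookup error. */`. Minor consistency: the kadm5_get_principal result is tested against OSA_ADB_OK while the kadm5_get_policy result a few lines later is tested against KADM5_OK — use one of them.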
diff --git a/usr/src/cmd/krb5/kadmin/server/misc.h b/usr/src/cmd/krb5/kadmin/server/misc.h
index 7ba418fc7f..bc6a749c74 100644
--- a/usr/src/cmd/krb5/kadmin/server/misc.h
+++ b/usr/src/cmd/krb5/kadmin/server/misc.h
@@ -1,6 +1,6 @@
/*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
*/
#ifndef _MISC_H
@@ -33,69 +33,45 @@ extern "C" {
/*
* Copyright 1994 OpenVision Technologies, Inc., All Rights Reserved
*
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/kadmin/\
- * server/misc.h,v 1.6 1996/07/22 20:28:56 marc Exp $
- *
- * $Log: misc.h,v $
- * Revision 1.6 1996/07/22 20:28:56 marc
- * this commit includes all the changes on the OV_9510_INTEGRATION and
- * OV_MERGE branches. This includes, but is not limited to, the new openvision
- * admin system, and major changes to gssapi to add functionality, and bring
- * the implementation in line with rfc1964. before committing, the
- * code was built and tested for netbsd and solaris.
- *
- * Revision 1.5.4.1 1996/07/18 03:03:40 marc
- * merged in changes from OV_9510_BP to OV_9510_FINAL1
- *
- * Revision 1.5.2.1 1996/06/20 21:57:20 marc
- * File added to the repository on a branch
- *
- * Revision 1.5 1996/05/30 21:13:24 bjaspan
- * kadm5_get_principal_v1 takes a kadm5_principal_ent_t_v1
- * add kadm5_get_policy_v1
- *
- * Revision 1.4 1996/05/20 21:39:05 bjaspan
- * rename to kadm5
- * add kadm5_get_principal_v1
- *
- * Revision 1.3 1994/09/13 18:24:41 jik
- * Back out randkey changes.
- *
- * Revision 1.2 1994/09/12 20:26:12 jik
- * randkey_principal_wrapper now takes a new_kvno option.
- *
- * Revision 1.1 1994/08/11 17:00:44 jik
- * Initial revision
- *
*/
kadm5_ret_t
-chpass_principal_wrapper(void *server_handle,
- krb5_principal principal,
- char *password);
+chpass_principal_wrapper_3(void *server_handle,
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ char *password);
kadm5_ret_t
-randkey_principal_wrapper(void *server_handle,
- krb5_principal principal,
- krb5_keyblock ** key,
- int *n_keys);
+randkey_principal_wrapper_3(void *server_handle,
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ krb5_keyblock **keys, int *n_keys);
kadm5_ret_t
-kadm5_get_principal_v1(void *server_handle,
- krb5_principal principal,
- kadm5_principal_ent_t_v1 * ent);
+chpass_util_wrapper(void *server_handle, krb5_principal princ,
+ char *new_pw, char **ret_pw,
+ char *msg_ret, unsigned int msg_len);
-kadm5_ret_t
-kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
- kadm5_policy_ent_t * ent);
+kadm5_ret_t check_min_life(void *server_handle, krb5_principal principal);
+
+kadm5_ret_t kadm5_get_principal_v1(void *server_handle,
+ krb5_principal principal,
+ kadm5_principal_ent_t_v1 *ent);
-/* BSM */
-extern void audit_kadmind_auth(SVCXPRT *, in_port_t, char *, char *,
- char *, int);
-extern void audit_kadmind_unauth(SVCXPRT *, in_port_t, char *, char *, char *);
+kadm5_ret_t kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
+ kadm5_policy_ent_t *ent);
+
+#ifdef SVC_GETARGS
+void kadm_1(struct svc_req *, SVCXPRT *);
+#endif
#ifdef __cplusplus
}
#endif
#endif /* !_MISC_H */
+
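Review bot: The `/* BSM */` prototypes for audit_kadmind_auth and audit_kadmind_unauth are dropped from misc.h, but nothing in this diff shows their callers or definitions going away; if server_stubs.c or ovsec_kadmd.c still call them they now compile as implicit declarations, which hides any argument-type drift in the audit path. Either keep the two extern lines here or note which header now declares them. The kadm_1 prototype is also wrapped in `#ifdef SVC_GETARGS`, which uses an rpc/rpc.h macro as a sentinel; a comment such as `/* kadm_1 needs SVCXPRT/struct svc_req; SVC_GETARGS marks that <rpc/rpc.h> was included */` would explain the guard.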
diff --git a/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c b/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c
index 9f8ab69426..e19dfd8d88 100644
--- a/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c
+++ b/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c
@@ -22,42 +22,72 @@
*
*/
-
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*/
/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+
+/*
* SUNWresync121 XXX
* Beware future resyncers, this file is much diff from MIT (1.0...)
*/
-#include <stdio.h>
-#include <stdio_ext.h>
-#include <signal.h>
-#include <syslog.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <unistd.h>
-#include <netinet/in.h>
-#include <arpa/inet.h> /* inet_ntoa */
-#include <netdb.h>
-#include <gssapi/gssapi.h>
-#include <rpc/rpc.h>
-#include <kadm5/admin.h>
-#include <kadm5/kadm_rpc.h>
-#include <kadm5/server_internal.h>
-#include <server_acl.h>
-#include <krb5/adm_proto.h>
-#include <string.h>
-#include <gssapi_krb5.h>
-#include <libintl.h>
-#include <locale.h>
-#include <sys/resource.h>
-#include <kdb/kdb_log.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <signal.h>
+#include <syslog.h>
+#include <sys/types.h>
+#ifdef _AIX
+#include <sys/select.h>
+#endif
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h> /* inet_ntoa */
+#include <gssapi/gssapi.h>
+#include <rpc/rpc.h>
+#include <kadm5/admin.h>
+#include <kadm5/kadm_rpc.h>
+#include <server_acl.h>
+#include <krb5/adm_proto.h>
+#include <string.h>
+#include <kadm5/server_internal.h>
+#include <gssapi_krb5.h>
+#include <libintl.h>
+#include <locale.h>
+#include <sys/resource.h>
+#include <kdb/kdb_log.h>
+#include <kdb/kdb_kt.h>
#include <rpc/rpcsec_gss.h>
+#include "misc.h"
#ifndef FD_SETSIZE
#define FD_SETSIZE 256
@@ -67,6 +97,12 @@
#define MAX(a, b) (((a) > (b)) ? (a) : (b))
#endif
+#if defined(NEED_DAEMON_PROTO)
+extern int daemon(int, int);
+#endif
+
+
+
static int signal_request_exit = 0;
static int schpw;
kadm5_config_params chgpw_params;
@@ -80,6 +116,7 @@ krb5_error_code log_kt_error(char*, char*);
static struct sigaction s_action;
#endif /* POSIX_SIGNALS */
+
#define TIMEOUT 15
typedef struct _auth_gssapi_name {
@@ -92,7 +129,7 @@ void *global_server_handle;
/*
* This is a kludge, but the server needs these constants to be
- * compatible with old clients. They are defined in <kadm5/admin.h>,
+ * compatible with old clients. They are defined in <kadm5/admin.h>,
* but only if USE_KADM5_API_VERSION == 1.
*/
#define OVSEC_KADM_ADMIN_SERVICE_P "ovsec_adm@admin"
@@ -113,6 +150,8 @@ extern kadm5_ret_t kiprop_get_adm_host_srv_name(
static krb5_context context; /* XXX yuck. the signal handlers need this */
+static krb5_context hctx;
+
in_port_t l_port = 0; /* global local port num, for BSM audits */
int nofork = 0; /* global; don't fork (debug mode) */
@@ -120,7 +159,7 @@ int nofork = 0; /* global; don't fork (debug mode) */
/*
* Function: usage
- *
+ *
* Purpose: print out the server usage message
*
* Arguments:
@@ -129,8 +168,7 @@ int nofork = 0; /* global; don't fork (debug mode) */
* Modifies:
*/
-void
-usage()
+static void usage()
{
fprintf(stderr, gettext("Usage: kadmind [-r realm] [-m] [-d] "
"[-p port-number]\n"));
@@ -154,9 +192,9 @@ usage()
* displayed on stderr, each preceeded by "GSS-API error <msg>: " and
* followed by a newline.
*/
-static void display_status_1();
+static void display_status_1(char *, OM_uint32, int);
-void display_status(msg, maj_stat, min_stat)
+static void display_status(msg, maj_stat, min_stat)
char *msg;
OM_uint32 maj_stat;
OM_uint32 min_stat;
@@ -366,7 +404,6 @@ set_svc_domnames(char *svcname, char **dnames,
int
main(int argc, char *argv[])
{
- void kadm_1(struct svc_req *, SVCXPRT *);
SVCXPRT *transp;
extern char *optarg;
extern int optind, opterr;
@@ -489,7 +526,16 @@ main(int argc, char *argv[])
}
krb5_klog_init(context, "admin_server", whoami, 1);
-
+ /* SUNW14resync */
+#if 0
+ krb5_klog_syslog(LOG_INFO, "Seeding random number generator");
+ ret = krb5_c_random_os_entropy(context, 1, NULL);
+ if(ret) {
+ krb5_klog_syslog(LOG_ERR, "Error getting random seed: %s, aborting",
+ error_message(ret));
+ exit(1);
+ }
+#endif
/*
* When using the Horowitz/IETF protocol for
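Review bot: The krb5_c_random_os_entropy seeding is disabled with `#if 0` and a bare `/* SUNW14resync */` marker, leaving no record of why the call is omitted or what seeds the PRNG instead on this platform, even though this daemon's randkey paths (randkey_principal_wrapper_3 in misc.c) produce keys. Replace the marker with a statement of the actual entropy source, e.g. `/* SUNW14resync: os-entropy seeding omitted here; libkrb5 on Solaris is presumed to seed from the kernel crypto framework -- confirm before relying on it */`, or re-enable the block if that presumption does not hold. main() continues outside this hunk.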
@@ -574,8 +620,7 @@ main(int argc, char *argv[])
krb5_klog_close(context);
exit(1);
}
-#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_ACL_FILE | \
- KADM5_CONFIG_ADMIN_KEYTAB)
+#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_ACL_FILE)
if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
krb5_klog_syslog(LOG_ERR,
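Review bot: KADM5_CONFIG_ADMIN_KEYTAB is removed from REQUIRED_PARAMS without a comment, so kadmind now starts even when no admin keytab is configured instead of aborting with the missing-values error. Presumably acceptor credentials now come from the KDB-backed keytab (kdb/kdb_kt.h is newly included above), but that should be stated at the macro, `/* ADMIN_KEYTAB no longer required: acceptor creds come from the KDB keytab (kdb_kt.h) */`, and any later use of params.admin_keytab must tolerate its absence. main() continues outside this hunk.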
@@ -584,7 +629,7 @@ main(int argc, char *argv[])
(params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
fprintf(stderr,
gettext("%s: Missing required configuration values "
- "(%x) while initializing, aborting\n"), whoami,
+ "(%lx) while initializing, aborting\n"), whoami,
(params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
krb5_klog_close(context);
exit(1);
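Review bot: Only the fprintf format is changed to `%lx`; the krb5_klog_syslog call immediately above passes the same `(params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS` argument and its format string lies outside this hunk, so if it still says `%x` it has the very mismatch this line fixes and should get the same change. A format/argument width mismatch in a varargs call is undefined behaviour, not merely cosmetic.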
@@ -820,7 +865,7 @@ main(int argc, char *argv[])
(gss_OID) nt_krb5_name_oid,
&gss_oldchangepw_name);
}
- if (ret = acl_init(context, 0, params.acl_file)) {
+ if (ret = kadm5int_acl_init(context, 0, params.acl_file)) {
krb5_klog_syslog(LOG_ERR, gettext("Cannot initialize acl file: %s"),
error_message(ret));
fprintf(stderr, gettext("%s: Cannot initialize acl file: %s\n"),
diff --git a/usr/src/cmd/krb5/kadmin/server/server_glue_v1.c b/usr/src/cmd/krb5/kadmin/server/server_glue_v1.c
index 6769e55bd1..74bfce56b3 100644
--- a/usr/src/cmd/krb5/kadmin/server/server_glue_v1.c
+++ b/usr/src/cmd/krb5/kadmin/server/server_glue_v1.c
@@ -19,6 +19,7 @@
#include <kadm5/admin.h>
+#include "misc.h"
/*
* In server_stubs.c, kadmind has to be able to call kadm5 functions
@@ -36,19 +37,15 @@
* typecasts instead.
*/
-kadm5_ret_t
-kadm5_get_principal_v1(void *server_handle,
- krb5_principal principal,
- kadm5_principal_ent_t_v1 * ent)
+kadm5_ret_t kadm5_get_principal_v1(void *server_handle,
+ krb5_principal principal,
+ kadm5_principal_ent_t_v1 *ent)
{
- return (kadm5_get_principal(server_handle, principal,
- (kadm5_principal_ent_t) ent, 0));
+ return kadm5_get_principal(server_handle, principal,(kadm5_principal_ent_t) ent, 0);
}
-kadm5_ret_t
-kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
- kadm5_policy_ent_t * ent)
+kadm5_ret_t kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
+ kadm5_policy_ent_t *ent)
{
- return (kadm5_get_policy(server_handle, name,
- (kadm5_policy_ent_t) ent));
+ return kadm5_get_policy(server_handle, name,(kadm5_policy_ent_t) ent);
}
diff --git a/usr/src/cmd/krb5/kadmin/server/server_stubs.c b/usr/src/cmd/krb5/kadmin/server/server_stubs.c
index 52e755b71d..b992cc5e57 100644
--- a/usr/src/cmd/krb5/kadmin/server/server_stubs.c
+++ b/usr/src/cmd/krb5/kadmin/server/server_stubs.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -26,17 +26,8 @@
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/
- * kadmin/server/server_stubs.c,v 1.34 1996/07/22 20:29:13 marc Exp $
*/
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev"
- "/.cvsroot/src/kadmin/server/server_stubs.c,v 1.34 "
- "1996/07/22 20:29:13 marc Exp $";
-
-#endif
-
#include <gssapi/gssapi.h>
#include <gssapi_krb5.h> /* for gss_nt_krb5_name */
#include <krb5.h>
@@ -47,27 +38,37 @@ static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev"
#include <security/pam_appl.h>
#include <syslog.h>
+#include <arpa/inet.h> /* inet_ntoa */
+#include <krb5/adm_proto.h> /* krb5_klog_syslog */
#include <libintl.h>
#include "misc.h"
-#define LOG_UNAUTH gettext("Unauthorized request: %s, %s, " \
+#define LOG_UNAUTH gettext("Unauthorized request: %s, %s, " \
"client=%s, service=%s, addr=%s")
-#define LOG_DONE gettext("Request: %s, %s, %s, client=%s, " \
+#define LOG_DONE gettext("Request: %s, %s, %s, client=%s, " \
"service=%s, addr=%s")
-extern gss_name_t gss_changepw_name;
-extern gss_name_t gss_oldchangepw_name;
-extern void *global_server_handle;
+extern gss_name_t gss_changepw_name;
+extern gss_name_t gss_oldchangepw_name;
+extern void * global_server_handle;
extern short l_port;
char buf[33];
-#define CHANGEPW_SERVICE(rqstp) \
+#define CHANGEPW_SERVICE(rqstp) \
(cmp_gss_names_rel_1(acceptor_name(rqstp), gss_changepw_name) |\
- (gss_oldchangepw_name && \
- cmp_gss_names_rel_1(acceptor_name(rqstp), \
+ (gss_oldchangepw_name && \
+ cmp_gss_names_rel_1(acceptor_name(rqstp), \
gss_oldchangepw_name)))
+
+static int gss_to_krb5_name(kadm5_server_handle_t handle,
+ gss_name_t gss_name, krb5_principal *princ);
+
+static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str);
+
+static gss_name_t acceptor_name(struct svc_req * rqstp);
+
kadm5_ret_t
kadm5_get_priv(void *server_handle,
long *privs, gss_name_t clnt);
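Review bot: `extern short l_port;` conflicts with the definition `in_port_t l_port = 0;` in ovsec_kadmd.c earlier in this diff; the two types happen to share a width, but a declaration that disagrees with its definition is undefined behaviour and nothing checks it across translation units. Change the line to `extern in_port_t l_port;` (the type is reachable via the new `<arpa/inet.h>` include), or better, declare it once in misc.h beside the other shared prototypes so both files see the same declaration.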
@@ -120,26 +121,25 @@ client_addr(struct svc_req * req, char *buf)
return (buf);
}
-int
-cmp_gss_names(gss_name_t n1, gss_name_t n2)
+static int cmp_gss_names(gss_name_t n1, gss_name_t n2)
{
- OM_uint32 emaj, emin;
- int equal;
+ OM_uint32 emaj, emin;
+ int equal;
- if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal)))
- return (0);
+ if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal)))
+ return(0);
- return (equal);
+ return(equal);
}
/* Does a comparison of the names and then releases the first entity */
/* For use above in CHANGEPW_SERVICE */
-int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
+static int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
{
OM_uint32 min_stat;
int ret;
-
- ret = cmp_gss_names(n1, n2);
+
+ ret = cmp_gss_names(n1, n2);
if (n1) (void) gss_release_name(&min_stat, &n1);
return ret;
}
@@ -155,29 +155,10 @@ int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
* handle The server handle.
*/
-static int
-check_handle(void *handle)
+static int check_handle(void *handle)
{
- CHECK_HANDLE(handle);
- return (0);
-}
-
-int
-gss_to_krb5_name(kadm5_server_handle_t handle,
- gss_name_t gss_name, krb5_principal * princ)
-{
- OM_uint32 stat, min_stat;
- gss_buffer_desc gss_str;
- gss_OID gss_type;
- int success;
-
- stat = gss_display_name(&min_stat, gss_name, &gss_str, &gss_type);
- if ((stat != GSS_S_COMPLETE) ||
- (!g_OID_equal(gss_type, gss_nt_krb5_name)))
- return (0);
- success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
- gss_release_buffer(&min_stat, &gss_str);
- return (success);
+ CHECK_HANDLE(handle);
+ return 0;
}
/*
@@ -193,46 +174,46 @@ gss_to_krb5_name(kadm5_server_handle_t handle,
* rqstp (input) The RPC request
* handle (output) The returned handle
* <return value> (output) An error code, or 0 if no error occurred
- *
+ *
* Effects:
* Returns a pointer to allocated storage containing the server
* handle. If an error occurs, then no allocated storage is
* returned, and the return value of the function will be a
* non-zero com_err code.
- *
+ *
* The allocated storage for the handle should be freed with
* free_server_handle (see below) when it is no longer needed.
*/
-static kadm5_ret_t
-new_server_handle(krb5_ui_4 api_version,
- struct svc_req * rqstp,
- kadm5_server_handle_t *out_handle)
+static kadm5_ret_t new_server_handle(krb5_ui_4 api_version,
+ struct svc_req *rqstp,
+ kadm5_server_handle_t
+ *out_handle)
{
- kadm5_server_handle_t handle;
+ kadm5_server_handle_t handle;
gss_name_t name;
OM_uint32 min_stat;
- if (!(handle = (kadm5_server_handle_t)
- malloc(sizeof (*handle))))
- return (ENOMEM);
+ if (! (handle = (kadm5_server_handle_t)
+ malloc(sizeof(*handle))))
+ return ENOMEM;
- *handle = *(kadm5_server_handle_t) global_server_handle;
- handle->api_version = api_version;
+ *handle = *(kadm5_server_handle_t)global_server_handle;
+ handle->api_version = api_version;
- if (!(name = get_clnt_name(rqstp))) {
- free(handle);
- return (KADM5_FAILURE);
- }
- if (!gss_to_krb5_name(handle, name, &handle->current_caller)) {
- free(handle);
+ if (!(name = get_clnt_name(rqstp))) {
+ free(handle);
+ return KADM5_FAILURE;
+ }
+ if (! gss_to_krb5_name(handle, name, &handle->current_caller)) {
+ free(handle);
gss_release_name(&min_stat, &name);
- return (KADM5_FAILURE);
+ return KADM5_FAILURE;
}
gss_release_name(&min_stat, &name);
- *out_handle = handle;
- return (0);
+ *out_handle = handle;
+ return 0;
}
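Review bot: new_server_handle copies `*global_server_handle` by value, so the returned handle shares every pointer member of the global handle and owns only current_caller; free_server_handle in the next hunk relies on exactly that, but nothing here says so. Add above the copy: `/* Shallow copy: all members except current_caller stay owned by global_server_handle and must not be released with this handle. */`. api_version arrives from the wire and is stored unchecked here — presumably CHECK_HANDLE in check_handle validates it, worth confirming.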
/*
@@ -243,39 +224,10 @@ new_server_handle(krb5_ui_4 api_version,
* Arguments:
* handle (input/output) The handle to free
*/
-static void
-free_server_handle(kadm5_server_handle_t handle)
+static void free_server_handle(kadm5_server_handle_t handle)
{
- krb5_free_principal(handle->context, handle->current_caller);
- free(handle);
-}
-
-gss_name_t
-acceptor_name(struct svc_req * rqstp)
-{
- OM_uint32 maj_stat, min_stat;
- gss_name_t name;
- rpc_gss_rawcred_t *raw_cred;
- void *cookie;
- gss_buffer_desc name_buff;
-
- rpc_gss_getcred(rqstp, &raw_cred, NULL, &cookie);
- name_buff.value = raw_cred->svc_principal;
- name_buff.length = strlen(raw_cred->svc_principal);
- maj_stat = gss_import_name(&min_stat, &name_buff,
- (gss_OID) gss_nt_krb5_name, &name);
- if (maj_stat != GSS_S_COMPLETE) {
- gss_release_buffer(&min_stat, &name_buff);
- return (NULL);
- }
- maj_stat = gss_display_name(&min_stat, name, &name_buff, NULL);
- if (maj_stat != GSS_S_COMPLETE) {
- gss_release_buffer(&min_stat, &name_buff);
- return (NULL);
- }
- gss_release_buffer(&min_stat, &name_buff);
-
- return (name);
+ krb5_free_principal(handle->context, handle->current_caller);
+ free(handle);
}
/*
@@ -296,11 +248,11 @@ acceptor_name(struct svc_req * rqstp)
* on success and -1 on failure. On failure client_name and server_name
* will point to null.
*/
-int
-setup_gss_names(struct svc_req * rqstp,
+/* SUNW14resync */
+int setup_gss_names(struct svc_req *rqstp,
char **client_name, char **server_name)
{
- OM_uint32 maj_stat, min_stat;
+ OM_uint32 maj_stat, min_stat;
rpc_gss_rawcred_t *raw_cred;
gss_buffer_desc name_buf;
char *tmp, *val;
@@ -358,18 +310,44 @@ setup_gss_names(struct svc_req * rqstp,
return (tmp ? 0 : -1);
}
-int
-cmp_gss_krb5_name(kadm5_server_handle_t handle,
- gss_name_t gss_name, krb5_principal princ)
+static gss_name_t acceptor_name(struct svc_req * rqstp)
{
- krb5_principal princ2;
- int stat;
+ OM_uint32 maj_stat, min_stat;
+ gss_name_t name;
+ rpc_gss_rawcred_t *raw_cred;
+ void *cookie;
+ gss_buffer_desc name_buff;
- if (!gss_to_krb5_name(handle, gss_name, &princ2))
- return (0);
- stat = krb5_principal_compare(handle->context, princ, princ2);
- krb5_free_principal(handle->context, princ2);
- return (stat);
+ rpc_gss_getcred(rqstp, &raw_cred, NULL, &cookie);
+ name_buff.value = raw_cred->svc_principal;
+ name_buff.length = strlen(raw_cred->svc_principal);
+ maj_stat = gss_import_name(&min_stat, &name_buff,
+ (gss_OID) gss_nt_krb5_name, &name);
+ if (maj_stat != GSS_S_COMPLETE) {
+ gss_release_buffer(&min_stat, &name_buff);
+ return (NULL);
+ }
+ maj_stat = gss_display_name(&min_stat, name, &name_buff, NULL);
+ if (maj_stat != GSS_S_COMPLETE) {
+ gss_release_buffer(&min_stat, &name_buff);
+ return (NULL);
+ }
+ gss_release_buffer(&min_stat, &name_buff);
+
+ return name;
+}
+
+static int cmp_gss_krb5_name(kadm5_server_handle_t handle,
+ gss_name_t gss_name, krb5_principal princ)
+{
+ krb5_principal princ2;
+ int status;
+
+ if (! gss_to_krb5_name(handle, gss_name, &princ2))
+ return 0;
+ status = krb5_principal_compare(handle->context, princ, princ2);
+ krb5_free_principal(handle->context, princ2);
+ return status;
}
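Review bot: acceptor_name dereferences raw_cred without checking the return of rpc_gss_getcred, and on a gss_import_name failure it calls gss_release_buffer on name_buff, whose value points at raw_cred->svc_principal rather than GSS-allocated memory — with a mechglue that frees buffer->value this releases RPC-owned storage. The gss_display_name failure path performs the same release and additionally leaks `name`, which was successfully imported just above. The rewrite below checks the getcred result, never releases the borrowed buffer, and releases the imported name when display fails; the success path is unchanged.
```c
static gss_name_t acceptor_name(struct svc_req * rqstp)
{
	/* … unchanged: local declarations … */

	/* raw_cred is only valid when rpc_gss_getcred() reports success */
	if (!rpc_gss_getcred(rqstp, &raw_cred, NULL, &cookie) ||
	    raw_cred == NULL || raw_cred->svc_principal == NULL)
		return NULL;

	/* name_buff borrows RPC-owned storage: never gss_release_buffer() it */
	name_buff.value = raw_cred->svc_principal;
	name_buff.length = strlen(raw_cred->svc_principal);
	maj_stat = gss_import_name(&min_stat, &name_buff,
				   (gss_OID) gss_nt_krb5_name, &name);
	if (maj_stat != GSS_S_COMPLETE)
		return NULL;

	maj_stat = gss_display_name(&min_stat, name, &name_buff, NULL);
	if (maj_stat != GSS_S_COMPLETE) {
		/* name was imported above and would otherwise leak */
		(void) gss_release_name(&min_stat, &name);
		return NULL;
	}
	/* … unchanged: release of the display buffer and return name … */
}
```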
@@ -438,75 +416,102 @@ int verify_pam_pw(char *userdata, char *pwd) {
return (result);
}
+static int gss_to_krb5_name(kadm5_server_handle_t handle,
+ gss_name_t gss_name, krb5_principal *princ)
+{
+ OM_uint32 status, minor_stat;
+ gss_buffer_desc gss_str;
+ gss_OID gss_type;
+ int success;
+
+ status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type);
+ if ((status != GSS_S_COMPLETE) || (!g_OID_equal(gss_type, gss_nt_krb5_name)))
+ return 0;
+ success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
+ gss_release_buffer(&minor_stat, &gss_str);
+ return success;
+}
+
+static int
+gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str)
+{
+ OM_uint32 status, minor_stat;
+ gss_OID gss_type;
+
+ status = gss_display_name(&minor_stat, gss_name, str, &gss_type);
+ if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
+ return 1;
+ return 0;
+}
+
generic_ret *
-create_principal_1(cprinc_arg * arg, struct svc_req * rqstp)
+create_principal_1_svc(cprinc_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- int policy_migrate = 0;
+ static generic_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ int policy_migrate = 0;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- kadm5_ret_t retval;
- restriction_t *rp;
- gss_name_t name = NULL;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ kadm5_ret_t retval;
+ restriction_t *rp;
+ gss_name_t name = NULL;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto error;
- }
- if (krb5_unparse_name(handle->context, arg->rec.principal,
- &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto error;
- }
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ goto error;
+ }
+ if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto error;
+ }
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (acl_check(handle->context, name, ACL_MIGRATE,
+ if (kadm5int_acl_check(handle->context, name, ACL_MIGRATE,
arg->rec.principal, &rp) &&
verify_pam_pw(prime_arg, arg->passwd)) {
policy_migrate = 1;
}
- if (CHANGEPW_SERVICE(rqstp)
- || (!acl_check(handle->context, name, ACL_ADD,
+ if (CHANGEPW_SERVICE(rqstp)
+ || (!kadm5int_acl_check(handle->context, name, ACL_ADD,
arg->rec.principal, &rp) &&
!(policy_migrate))
- || acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_ADD;
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_create_principal",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
- "kadm5_create_principal", prime_arg, client_name,
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+ prime_arg, client_name,
service_name, client_addr(rqstp, buf));
- } else {
- ret.code = kadm5_create_principal((void *) handle,
- &arg->rec, arg->mask,
- arg->passwd);
+ } else {
+ ret.code = kadm5_create_principal((void *)handle,
+ &arg->rec, arg->mask,
+ arg->passwd);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_create_principal",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+ prime_arg,((ret.code == 0) ? "success" :
+ error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
if (policy_migrate && (ret.code == 0)) {
arg->rec.policy = strdup("default");
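Review bot: gss_to_krb5_name leaks gss_str when gss_display_name succeeds but gss_type is not the krb5 name type: the combined condition's early `return 0;` skips the gss_release_buffer that follows, and this helper runs on every request that reaches cmp_gss_krb5_name. Split the test: `if (status != GSS_S_COMPLETE) return 0;` then `if (!g_OID_equal(gss_type, gss_nt_krb5_name)) { gss_release_buffer(&minor_stat, &gss_str); return 0; }`. Relatedly, gss_name_to_string compares the OID by pointer (`gss_type != gss_nt_krb5_name`) while its sibling uses g_OID_equal, so the two helpers would disagree for a mechanism that returns a distinct but equal OID; `!g_OID_equal(gss_type, gss_nt_krb5_name)` is the consistent form. The hunk's last line, `arg->rec.policy = strdup("default");`, is not checked for NULL before the mask is presumably updated; create_principal_1_svc continues outside the hunk.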
@@ -530,27 +535,27 @@ create_principal_1(cprinc_arg * arg, struct svc_req * rqstp)
}
error:
- if (name)
- gss_release_name(&min_stat, &name);
- free_server_handle(handle);
- if (prime_arg)
- free(prime_arg);
- if (client_name)
- free(client_name);
- if (service_name)
- free(service_name);
- return (&ret);
+ if (name)
+ gss_release_name(&minor_stat, &name);
+ free_server_handle(handle);
+ if (prime_arg)
+ free(prime_arg);
+ if (client_name)
+ free(client_name);
+ if (service_name)
+ free(service_name);
+ return (&ret);
}
generic_ret *
-create_principal3_1(cprinc3_arg *arg, struct svc_req *rqstp)
+create_principal3_1_svc(cprinc3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg = NULL;
char *client_name = NULL, *service_name = NULL;
int policy_migrate = 0;
- OM_uint32 min_stat;
+ OM_uint32 minor_stat;
kadm5_server_handle_t handle;
kadm5_ret_t retval;
restriction_t *rp;
@@ -558,19 +563,19 @@ create_principal3_1(cprinc3_arg *arg, struct svc_req *rqstp)
xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
return &ret;
- if (ret.code = check_handle((void *)handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ ret.code = KADM5_FAILURE;
goto error;
}
if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
}
if (!(name = get_clnt_name(rqstp))) {
@@ -578,22 +583,22 @@ create_principal3_1(cprinc3_arg *arg, struct svc_req *rqstp)
goto error;
}
- if (acl_check(handle->context, name, ACL_MIGRATE,
+ if (kadm5int_acl_check(handle->context, name, ACL_MIGRATE,
arg->rec.principal, &rp) &&
verify_pam_pw(prime_arg, arg->passwd)) {
policy_migrate = 1;
}
if (CHANGEPW_SERVICE(rqstp)
- || (!acl_check(handle->context, name, ACL_ADD,
+ || (!kadm5int_acl_check(handle->context, name, ACL_ADD,
arg->rec.principal, &rp) &&
!(policy_migrate))
- || acl_impose_restrictions(handle->context,
+ || kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
- prime_arg, client_name, service_name,
- client_addr(rqstp, buf));
+ prime_arg, client_name, service_name,
+ client_addr(rqstp, buf));
} else {
ret.code = kadm5_create_principal_3((void *)handle,
&arg->rec, arg->mask,
@@ -601,7 +606,7 @@ create_principal3_1(cprinc3_arg *arg, struct svc_req *rqstp)
arg->ks_tuple,
arg->passwd);
krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
- prime_arg,((ret.code == 0) ? "success" :
+ prime_arg,((ret.code == 0) ? "success" :
error_message(ret.code)),
client_name, service_name,
client_addr(rqstp, buf));
@@ -629,390 +634,384 @@ create_principal3_1(cprinc3_arg *arg, struct svc_req *rqstp)
error:
if (name)
- gss_release_name(&min_stat, &name);
+ gss_release_name(&minor_stat, &name);
free_server_handle(handle);
if (client_name)
- free(client_name);
+ free(client_name);
if (service_name)
- free(service_name);
+ free(service_name);
if (prime_arg)
- free(prime_arg);
- return (&ret);
+ free(prime_arg);
+ return &ret;
}
generic_ret *
-delete_principal_1(dprinc_arg * arg, struct svc_req * rqstp)
+delete_principal_1_svc(dprinc_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static generic_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ }
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
- }
+ }
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
-
- if (CHANGEPW_SERVICE(rqstp)
- || !acl_check(handle->context, name, ACL_DELETE,
- arg->princ, NULL)) {
- ret.code = KADM5_AUTH_DELETE;
+
+ if (CHANGEPW_SERVICE(rqstp)
+ || !kadm5int_acl_check(handle->context, name, ACL_DELETE,
+ arg->princ, NULL)) {
+ ret.code = KADM5_AUTH_DELETE;
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_delete_principal",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
- "kadm5_delete_principal", prime_arg, client_name,
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
+ prime_arg, client_name,
service_name, client_addr(rqstp, buf));
- } else {
- ret.code = kadm5_delete_principal((void *) handle, arg->princ);
+ } else {
+ ret.code = kadm5_delete_principal((void *)handle, arg->princ);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_delete_principal",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE,
- "kadm5_delete_principal", prime_arg,
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
- if (name)
- gss_release_name(&min_stat, &name);
- if (prime_arg)
- free(prime_arg);
- free_server_handle(handle);
- if (client_name)
- free(client_name);
- if (service_name)
- free(service_name);
- return (&ret);
+ if (name)
+ gss_release_name(&min_stat, &name);
+ if (prime_arg)
+ free(prime_arg);
+ free_server_handle(handle);
+ if (client_name)
+ free(client_name);
+ if (service_name)
+ free(service_name);
+ return &ret;
}
generic_ret *
-modify_principal_1(mprinc_arg * arg, struct svc_req * rqstp)
+modify_principal_1_svc(mprinc_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- restriction_t *rp;
- gss_name_t name = NULL;
+ static generic_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ gss_name_t name = NULL;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto error;
- }
- if (krb5_unparse_name(handle->context, arg->rec.principal,
- &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
+ }
+ if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto error;
+ }
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (CHANGEPW_SERVICE(rqstp)
- || !acl_check(handle->context, name, ACL_MODIFY,
- arg->rec.principal, &rp)
- || acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_MODIFY;
+ if (CHANGEPW_SERVICE(rqstp)
+ || !kadm5int_acl_check(handle->context, name, ACL_MODIFY,
+ arg->rec.principal, &rp)
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_MODIFY;
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_modify_principal",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
- "kadm5_modify_principal", prime_arg, client_name,
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
+ prime_arg, client_name,
service_name, client_addr(rqstp, buf));
- } else {
- ret.code = kadm5_modify_principal((void *) handle, &arg->rec,
- arg->mask);
+ } else {
+ ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
+ arg->mask);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_modify_principal",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
+ prime_arg, ((ret.code == 0) ? "success" :
+ error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
- if (name)
- gss_release_name(&min_stat, &name);
- free_server_handle(handle);
- if (prime_arg)
- free(prime_arg);
- if (client_name)
- free(client_name);
- if (service_name)
- free(service_name);
- return (&ret);
+ if (name)
+ gss_release_name(&min_stat, &name);
+ free_server_handle(handle);
+ if (prime_arg)
+ free(prime_arg);
+ if (client_name)
+ free(client_name);
+ if (service_name)
+ free(service_name);
+ return &ret;
}
generic_ret *
-rename_principal_1(rprinc_arg * arg, struct svc_req * rqstp)
+rename_principal_1_svc(rprinc_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg1 = NULL, *prime_arg2 = NULL;
- char prime_arg[BUFSIZ];
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- restriction_t *rp;
- gss_name_t name = NULL;
+ static generic_ret ret;
+ char *prime_arg1 = NULL, *prime_arg2 = NULL;
+ char prime_arg[BUFSIZ];
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ gss_name_t name = NULL;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
- goto error;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto error;
- }
- if (krb5_unparse_name(handle->context, arg->src, &prime_arg1)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto error;
- }
- if (krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto error;
- }
- sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
- ret.code = KADM5_OK;
+ if ((ret.code = check_handle((void *)handle)))
+ goto error;
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ goto error;
+ }
+ if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) ||
+ krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto error;
+ }
+ sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
+
+ ret.code = KADM5_OK;
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (!CHANGEPW_SERVICE(rqstp)) {
- if (!acl_check(handle->context, name,
- ACL_DELETE, arg->src, NULL))
- ret.code = KADM5_AUTH_DELETE;
- /* any restrictions at all on the ADD kills the RENAME */
- if (!acl_check(handle->context, name,
- ACL_ADD, arg->dest, &rp)) {
- if (ret.code == KADM5_AUTH_DELETE)
- ret.code = KADM5_AUTH_INSUFFICIENT;
- else
- ret.code = KADM5_AUTH_ADD;
- }
- } else
- ret.code = KADM5_AUTH_INSUFFICIENT;
-
- if (ret.code != KADM5_OK) {
+ if (! CHANGEPW_SERVICE(rqstp)) {
+ if (!kadm5int_acl_check(handle->context, name,
+ ACL_DELETE, arg->src, NULL))
+ ret.code = KADM5_AUTH_DELETE;
+ /* any restrictions at all on the ADD kills the RENAME */
+ if (!kadm5int_acl_check(handle->context, name,
+ ACL_ADD, arg->dest, &rp)) {
+ if (ret.code == KADM5_AUTH_DELETE)
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ else
+ ret.code = KADM5_AUTH_ADD;
+ }
+ } else
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ if (ret.code != KADM5_OK) {
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_rename_principal",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
- "kadm5_rename_principal", prime_arg, client_name,
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
+ prime_arg, client_name,
service_name, client_addr(rqstp, buf));
- } else {
- ret.code = kadm5_rename_principal((void *) handle, arg->src,
- arg->dest);
+ } else {
+ ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ arg->dest);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_rename_principal",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
+ prime_arg, ((ret.code == 0) ? "success" :
+ error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
- if (name)
- gss_release_name(&min_stat, &name);
- free_server_handle(handle);
- if (prime_arg1)
- free(prime_arg1);
- if (prime_arg2)
- free(prime_arg2);
- if (client_name)
- free(client_name);
- if (service_name)
- free(service_name);
- return (&ret);
+ if (name)
+ gss_release_name(&min_stat, &name);
+ free_server_handle(handle);
+ if (prime_arg1)
+ free(prime_arg1);
+ if (prime_arg2)
+ free(prime_arg2);
+ if (client_name)
+ free(client_name);
+ if (service_name)
+ free(service_name);
+ return &ret;
}
gprinc_ret *
-get_principal_1(gprinc_arg * arg, struct svc_req * rqstp)
+get_principal_1_svc(gprinc_arg *arg, struct svc_req *rqstp)
{
- static gprinc_ret ret;
- kadm5_principal_ent_t_v1 e;
- char *prime_arg = NULL, *funcname;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static gprinc_ret ret;
+ kadm5_principal_ent_t_v1 e;
+ char *prime_arg = NULL, *funcname;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_gprinc_ret, (char *) &ret);
+ xdr_free(xdr_gprinc_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
+ ret.api_version = handle->api_version;
- funcname = handle->api_version == KADM5_API_VERSION_1 ?
- "kadm5_get_principal (V1)" : "kadm5_get_principal";
+ funcname = handle->api_version == KADM5_API_VERSION_1 ?
+ "kadm5_get_principal (V1)" : "kadm5_get_principal";
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ }
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
- }
+ }
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (!cmp_gss_krb5_name(handle, name, arg->princ) &&
- (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
- name,
- ACL_INQUIRE,
- arg->princ,
- NULL))) {
- ret.code = KADM5_AUTH_GET;
+ if (! cmp_gss_krb5_name(handle, name, arg->princ) &&
+ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ name,
+ ACL_INQUIRE,
+ arg->princ,
+ NULL))) {
+ ret.code = KADM5_AUTH_GET;
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
funcname,
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
- prime_arg, client_name, service_name,
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+ prime_arg, client_name, service_name,
client_addr(rqstp, buf));
- } else {
- if (handle->api_version == KADM5_API_VERSION_1) {
- ret.code = kadm5_get_principal_v1((void *) handle,
- arg->princ, &e);
- if (ret.code == KADM5_OK) {
- memcpy(&ret.rec, e,
- sizeof (kadm5_principal_ent_rec_v1));
- free(e);
- }
- } else {
- ret.code = kadm5_get_principal((void *) handle,
- arg->princ, &ret.rec,
- arg->mask);
- }
-
+ } else {
+ if (handle->api_version == KADM5_API_VERSION_1) {
+ ret.code = kadm5_get_principal_v1((void *)handle,
+ arg->princ, &e);
+ if(ret.code == KADM5_OK) {
+ memcpy(&ret.rec, e, sizeof(kadm5_principal_ent_rec_v1));
+ free(e);
+ }
+ } else {
+ ret.code = kadm5_get_principal((void *)handle,
+ arg->princ, &ret.rec,
+ arg->mask);
+ }
+
audit_kadmind_auth(rqstp->rq_xprt, l_port,
funcname,
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
- prime_arg,
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+ prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
if (name)
- gss_release_name(&min_stat, &name);
- free_server_handle(handle);
- if (prime_arg)
- free(prime_arg);
- if (client_name)
- free(client_name);
- if (service_name)
- free(service_name);
- return (&ret);
+ gss_release_name(&min_stat, &name);
+ free_server_handle(handle);
+ if (prime_arg)
+ free(prime_arg);
+ if (client_name)
+ free(client_name);
+ if (service_name)
+ free(service_name);
+ return &ret;
}
gprincs_ret *
-get_princs_1(gprincs_arg * arg, struct svc_req * rqstp)
+get_princs_1_svc(gprincs_arg *arg, struct svc_req *rqstp)
{
- static gprincs_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static gprincs_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_gprincs_ret, (char *) &ret);
+ xdr_free(xdr_gprincs_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- prime_arg = arg->exp;
- if (prime_arg == NULL)
- prime_arg = "*";
+ }
+ prime_arg = arg->exp;
+ if (prime_arg == NULL)
+ prime_arg = "*";
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
- name,
- ACL_LIST,
- NULL,
- NULL)) {
- ret.code = KADM5_AUTH_LIST;
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ name,
+ ACL_LIST,
+ NULL,
+ NULL)) {
+ ret.code = KADM5_AUTH_LIST;
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_get_principals",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
- prime_arg, client_name,
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
+ prime_arg, client_name,
service_name, client_addr(rqstp, buf));
- } else {
- ret.code = kadm5_get_principals((void *) handle,
- arg->exp, &ret.princs,
- &ret.count);
+ } else {
+ ret.code = kadm5_get_principals((void *)handle,
+ arg->exp, &ret.princs,
+ &ret.count);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_get_principals",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
- prime_arg,
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
+ prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
}
error:
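Review bot: rename_principal_1_svc formats two client-supplied unparsed principal names into the fixed `char prime_arg[BUFSIZ]` with an unbounded `sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);`; krb5_unparse_name allocates as much as the name needs, so a sufficiently long source or destination principal overruns the stack buffer, and this happens before the ACL checks that follow. Use `snprintf(prime_arg, sizeof (prime_arg), "%s to %s", prime_arg1, prime_arg2);`, which truncates instead; within this function prime_arg is only used for the audit and syslog messages, so truncation is harmless. The other stubs in this hunk pass the krb5_unparse_name result directly and do not share the problem.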
@@ -1027,30 +1026,30 @@ error:
}
generic_ret *
-chpass_principal_1(chpass_arg * arg, struct svc_req * rqstp)
+chpass_principal_1_svc(chpass_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static generic_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ }
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
}
if (!(name = get_clnt_name(rqstp))) {
@@ -1058,34 +1057,33 @@ chpass_principal_1(chpass_arg * arg, struct svc_req * rqstp)
goto error;
}
- if (cmp_gss_krb5_name(handle, name, arg->princ)) {
- ret.code = chpass_principal_wrapper((void *) handle, arg->princ,
- arg->pass);
- } else if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, name,
- ACL_CHANGEPW, arg->princ, NULL)) {
- ret.code = kadm5_chpass_principal((void *) handle, arg->princ,
- arg->pass);
- } else {
+ if (cmp_gss_krb5_name(handle, name, arg->princ)) {
+ ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
+ FALSE, 0, NULL, arg->pass);
+ } else if (!(CHANGEPW_SERVICE(rqstp)) &&
+ kadm5int_acl_check(handle->context, name,
+ ACL_CHANGEPW, arg->princ, NULL)) {
+ ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
+ arg->pass);
+ } else {
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_chpass_principal",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
- "kadm5_chpass_principal", prime_arg, client_name,
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+ prime_arg, client_name,
service_name, client_addr(rqstp, buf));
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
- if (ret.code != KADM5_AUTH_CHANGEPW) {
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_chpass_principal",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
+ prime_arg, ((ret.code == 0) ? "success" :
+ error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
if (name)
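Review bot: The first branch of the reworked authorization chain deserves a comment: when cmp_gss_krb5_name matches the caller to arg->princ, the request goes to chpass_principal_wrapper_3 without the CHANGEPW_SERVICE and ACL_CHANGEPW checks the second branch applies, and the reason is not stated. Suggest `/* Self-service: a principal may change its own password regardless of the ACL; password policy is presumably enforced inside the wrapper. */`, with the policy clause confirmed against chpass_principal_wrapper_3. The literal `FALSE, 0, NULL` arguments are also worth annotating as `/* keepold */`, `/* n_ks_tuple */`, `/* ks_tuple */`, since their meaning is only visible from chpass_principal3_1_svc later in this diff. Minor: `if(ret.code != KADM5_AUTH_CHANGEPW)` drops the space after `if` that the rest of the file uses.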
@@ -1101,7 +1099,7 @@ error:
}
generic_ret *
-chpass_principal3_1(chpass3_arg *arg, struct svc_req *rqstp)
+chpass_principal3_1_svc(chpass3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg = NULL;
@@ -1113,19 +1111,19 @@ chpass_principal3_1(chpass3_arg *arg, struct svc_req *rqstp)
xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
return &ret;
- if (ret.code = check_handle((void *)handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ ret.code = KADM5_FAILURE;
goto error;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
}
if (!(name = get_clnt_name(rqstp))) {
@@ -1134,10 +1132,13 @@ chpass_principal3_1(chpass3_arg *arg, struct svc_req *rqstp)
}
if (cmp_gss_krb5_name(handle, name, arg->princ)) {
- ret.code = chpass_principal_wrapper((void *)handle, arg->princ,
- arg->pass);
+ ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ arg->pass);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, name,
+ kadm5int_acl_check(handle->context, name,
ACL_CHANGEPW, arg->princ, NULL)) {
ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ,
arg->keepold,
@@ -1146,14 +1147,14 @@ chpass_principal3_1(chpass3_arg *arg, struct svc_req *rqstp)
arg->pass);
} else {
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
- prime_arg, client_name, service_name,
- client_addr(rqstp, buf));
+ prime_arg, client_name, service_name,
+ client_addr(rqstp, buf));
ret.code = KADM5_AUTH_CHANGEPW;
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
- prime_arg, ((ret.code == 0) ? "success" :
+ prime_arg, ((ret.code == 0) ? "success" :
error_message(ret.code)),
client_name, service_name,
client_addr(rqstp, buf));
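Review bot: chpass_principal3_1_svc's unauthorized and completed paths only call krb5_klog_syslog, whereas chpass_principal_1_svc earlier in this file pairs them with audit_kadmind_unauth and audit_kadmind_auth; a V3 password change therefore leaves no audit-trail record, which is what an incident responder would look for. Add `audit_kadmind_unauth(rqstp->rq_xprt, l_port, "kadm5_chpass_principal", prime_arg, client_name);` before the LOG_UNAUTH syslog in the else branch, and `audit_kadmind_auth(rqstp->rq_xprt, l_port, "kadm5_chpass_principal", prime_arg, client_name, ret.code);` before the LOG_DONE syslog. setkey_principal_1_svc at the end of this diff appears to share the omission, but its else branch runs past the visible hunk.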
@@ -1164,17 +1165,17 @@ error:
gss_release_name(&min_stat, &name);
free_server_handle(handle);
if (client_name)
- free(client_name);
+ free(client_name);
if (service_name)
- free(service_name);
+ free(service_name);
if (prime_arg)
- free(prime_arg);
+ free(prime_arg);
return (&ret);
}
#ifdef SUNWOFF
generic_ret *
-setv4key_principal_1(setv4key_arg *arg, struct svc_req *rqstp)
+setv4key_principal_1_svc(setv4key_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg = NULL;
@@ -1186,19 +1187,19 @@ setv4key_principal_1(setv4key_arg *arg, struct svc_req *rqstp)
xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
return &ret;
- if (ret.code = check_handle((void *)handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ ret.code = KADM5_FAILURE;
goto error;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
}
if (!(name = get_clnt_name(rqstp))) {
@@ -1207,13 +1208,14 @@ setv4key_principal_1(setv4key_arg *arg, struct svc_req *rqstp)
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
+ kadm5int_acl_check(handle->context, name,
+ ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
arg->keyblock);
} else {
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
- prime_arg, client_name, service_name,
- client_addr(rqstp, buf));
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
+ prime_arg, client_name, service_name,
+ client_addr(rqstp, buf));
ret.code = KADM5_AUTH_SETKEY;
}
@@ -1240,7 +1242,7 @@ error:
#endif
generic_ret *
-setkey_principal_1(setkey_arg *arg, struct svc_req *rqstp)
+setkey_principal_1_svc(setkey_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg;
@@ -1252,28 +1254,28 @@ setkey_principal_1(setkey_arg *arg, struct svc_req *rqstp)
xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
return &ret;
- if (ret.code = check_handle((void *)handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ ret.code = KADM5_FAILURE;
goto error;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
}
if (!(name = get_clnt_name(rqstp))) {
- ret.code = KADM5_FAILURE;
+ ret.code = KADM5_FAILURE;
goto error;
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
+ kadm5int_acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
arg->keyblocks, arg->n_keys);
} else {
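Review bot: Every `goto error` in this hunk (the check_handle, setup_gss_names and get_clnt_name failures) ends at `if (prime_arg) free(prime_arg);` in the error tail further down, but setkey_principal_1_svc declares `char *prime_arg;` without an initializer in the hunk just above, so those early failures test and free an indeterminate pointer. The neighbouring handlers (setv4key_principal_1_svc, setkey_principal3_1_svc) use `char *prime_arg = NULL;`; this one should too: change the declaration to `char *prime_arg = NULL;`. The function's body continues in the following hunks.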
@@ -1296,16 +1298,16 @@ error:
gss_release_name(&min_stat, &name);
free_server_handle(handle);
if (client_name)
- free(client_name);
+ free(client_name);
if (service_name)
- free(service_name);
+ free(service_name);
if (prime_arg)
- free(prime_arg);
+ free(prime_arg);
return (&ret);
}
generic_ret *
-setkey_principal3_1(setkey3_arg *arg, struct svc_req *rqstp)
+setkey_principal3_1_svc(setkey3_arg *arg, struct svc_req *rqstp)
{
static generic_ret ret;
char *prime_arg = NULL;
@@ -1317,28 +1319,29 @@ setkey_principal3_1(setkey3_arg *arg, struct svc_req *rqstp)
xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
return &ret;
- if (ret.code = check_handle((void *)handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ ret.code = KADM5_FAILURE;
goto error;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
}
if (!(name = get_clnt_name(rqstp))) {
- ret.code = KADM5_FAILURE;
+ ret.code = KADM5_FAILURE;
goto error;
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
+ kadm5int_acl_check(handle->context, name,
+ ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
arg->keepold,
arg->n_ks_tuple,
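Review bot: The authorization decision made here is recorded only through krb5_klog_syslog; unlike chrand_principal_1_svc and the policy handlers later in this diff, the LOG_DONE block of setkey_principal3_1_svc in the next hunk calls no audit_kadmind_auth, and nothing in the visible part of this function calls audit_kadmind_unauth, so key-setting operations appear to be missing from the audit trail the other kadmind RPCs feed. If that omission is deliberate it deserves a comment; otherwise add `audit_kadmind_auth(rqstp->rq_xprt, l_port, "kadm5_setkey_principal", prime_arg, client_name, ret.code);` alongside the LOG_DONE call and the matching audit_kadmind_unauth in the denied branch. The denied branch itself starts outside this hunk, and setkey_principal_1_svc earlier in the diff has the same gap as far as its visible lines show.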
@@ -1352,11 +1355,11 @@ setkey_principal3_1(setkey3_arg *arg, struct svc_req *rqstp)
}
if(ret.code != KADM5_AUTH_SETKEY) {
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name, service_name,
- client_addr(rqstp, buf));
+ error_message(ret.code)),
+ client_name, service_name,
+ client_addr(rqstp, buf));
}
error:
@@ -1366,100 +1369,101 @@ error:
if (client_name)
free(client_name);
if (service_name)
- free(service_name);
+ free(service_name);
if (prime_arg)
- free(prime_arg);
- return (&ret);
+ free(prime_arg);
+ return &ret;
}
chrand_ret *
-chrand_principal_1(chrand_arg * arg, struct svc_req * rqstp)
+chrand_principal_1_svc(chrand_arg *arg, struct svc_req *rqstp)
{
- static chrand_ret ret;
- krb5_keyblock *k;
- int nkeys;
- char *prime_arg = NULL, *funcname;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static chrand_ret ret;
+ krb5_keyblock *k;
+ int nkeys;
+ char *prime_arg = NULL, *funcname;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_chrand_ret, (char *) &ret);
+ xdr_free(xdr_chrand_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
- funcname = handle->api_version == KADM5_API_VERSION_1 ?
- "kadm5_randkey_principal (V1)" : "kadm5_randkey_principal";
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ funcname = handle->api_version == KADM5_API_VERSION_1 ?
+ "kadm5_randkey_principal (V1)" : "kadm5_randkey_principal";
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ }
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
- }
+ }
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (cmp_gss_krb5_name(handle, name, arg->princ)) {
- ret.code = randkey_principal_wrapper((void *) handle,
- arg->princ, &k, &nkeys);
- } else if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, name,
- ACL_CHANGEPW, arg->princ, NULL)) {
- ret.code = kadm5_randkey_principal((void *) handle, arg->princ,
- &k, &nkeys);
- } else {
+ if (cmp_gss_krb5_name(handle, name, arg->princ)) {
+ ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
+ FALSE, 0, NULL, &k, &nkeys);
+ } else if (!(CHANGEPW_SERVICE(rqstp)) &&
+ kadm5int_acl_check(handle->context, name,
+ ACL_CHANGEPW, arg->princ, NULL)) {
+ ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
+ &k, &nkeys);
+ } else {
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
funcname, prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
- prime_arg, client_name, service_name,
- client_addr(rqstp, buf));
- ret.code = KADM5_AUTH_CHANGEPW;
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+ prime_arg, client_name, service_name,
+ client_addr(rqstp, buf));
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
- if (ret.code == KADM5_OK) {
- if (handle->api_version == KADM5_API_VERSION_1) {
- krb5_copy_keyblock_contents(handle->context,
- k, &ret.key);
- krb5_free_keyblock(handle->context, k);
- } else {
- ret.keys = k;
- ret.n_keys = nkeys;
- }
- }
- if (ret.code != KADM5_AUTH_CHANGEPW) {
+ if(ret.code == KADM5_OK) {
+ if (handle->api_version == KADM5_API_VERSION_1) {
+ krb5_copy_keyblock_contents(handle->context, k, &ret.key);
+ krb5_free_keyblock(handle->context, k);
+ } else {
+ ret.keys = k;
+ ret.n_keys = nkeys;
+ }
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
audit_kadmind_auth(rqstp->rq_xprt, l_port,
funcname, prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
- prime_arg, ((ret.code == 0) ? "success" :
- error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+ prime_arg, ((ret.code == 0) ? "success" :
+ error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
if (name)
gss_release_name(&min_stat, &name);
free_server_handle(handle);
if (prime_arg)
- free(prime_arg);
- if (client_name)
- free(client_name);
- if (service_name)
- free(service_name);
- return (&ret);
+ free(prime_arg);
+ if (client_name)
+ free(client_name);
+ if (service_name)
+ free(service_name);
+ return &ret;
}
chrand_ret *
-chrand_principal3_1(chrand3_arg *arg, struct svc_req *rqstp)
+chrand_principal3_1_svc(chrand3_arg *arg, struct svc_req *rqstp)
{
static chrand_ret ret;
krb5_keyblock *k;
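Review bot: In the KADM5_API_VERSION_1 branch of chrand_principal_1_svc the return value of `krb5_copy_keyblock_contents(handle->context, k, &ret.key);` is discarded, so if the copy fails ret.code stays KADM5_OK, the LOG_DONE line reports "success" and the client receives a reply whose key was never populated. Assign the result instead, `ret.code = krb5_copy_keyblock_contents(handle->context, k, &ret.key);`, before the krb5_free_keyblock call. That path also copies and frees only the first keyblock while nkeys is ignored; whether the V1 API can ever hand back more than one key is not visible here, so either confirm that or release the whole array.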
@@ -1473,10 +1477,10 @@ chrand_principal3_1(chrand3_arg *arg, struct svc_req *rqstp)
xdr_free(xdr_chrand_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
return &ret;
- if (ret.code = check_handle((void *)handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
ret.api_version = handle->api_version;
@@ -1488,7 +1492,7 @@ chrand_principal3_1(chrand3_arg *arg, struct svc_req *rqstp)
goto error;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
+ ret.code = KADM5_BAD_PRINCIPAL;
goto error;
}
if (!(name = get_clnt_name(rqstp))) {
@@ -1497,10 +1501,13 @@ chrand_principal3_1(chrand3_arg *arg, struct svc_req *rqstp)
}
if (cmp_gss_krb5_name(handle, name, arg->princ)) {
- ret.code = randkey_principal_wrapper((void *)handle,
- arg->princ, &k, &nkeys);
+ ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ &k, &nkeys);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, name,
+ kadm5int_acl_check(handle->context, name,
ACL_CHANGEPW, arg->princ, NULL)) {
ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ,
arg->keepold,
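Review bot: On the self-service path (the cmp_gss_krb5_name branch) the client-supplied `arg->keepold`, `arg->n_ks_tuple` and `arg->ks_tuple` are now passed straight into randkey_principal_wrapper_3 without the ACL check that gates the other branch. Whether the wrapper applies the password-policy checks to a keepold request from an unprivileged principal is not visible in this diff; if it does not, a principal can rotate its own key while keeping the old ones valid, which undoes the rotation. Confirm how the wrapper treats keepold for self-service callers and record it at the call site, e.g. `/* self-service path: policy enforcement, including keepold, is done in randkey_principal_wrapper_3 */` with the actual rule filled in.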
@@ -1509,8 +1516,8 @@ chrand_principal3_1(chrand3_arg *arg, struct svc_req *rqstp)
&k, &nkeys);
} else {
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
- prime_arg, client_name, service_name,
- client_addr(rqstp, buf));
+ prime_arg, client_name, service_name,
+ client_addr(rqstp, buf));
ret.code = KADM5_AUTH_CHANGEPW;
}
@@ -1526,10 +1533,10 @@ chrand_principal3_1(chrand3_arg *arg, struct svc_req *rqstp)
if(ret.code != KADM5_AUTH_CHANGEPW) {
krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
- prime_arg, ((ret.code == 0) ? "success" :
+ prime_arg, ((ret.code == 0) ? "success" :
error_message(ret.code)),
- client_name, service_name,
- client_addr(rqstp, buf));
+ client_name, service_name,
+ client_addr(rqstp, buf));
}
error:
@@ -1545,190 +1552,190 @@ error:
return (&ret);
}
-
generic_ret *
-create_policy_1(cpol_arg * arg, struct svc_req * rqstp)
+create_policy_1_svc(cpol_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static generic_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ ret.api_version = handle->api_version;
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- prime_arg = arg->rec.policy;
+ }
+ prime_arg = arg->rec.policy;
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
- name,
- ACL_ADD, NULL, NULL)) {
- ret.code = KADM5_AUTH_ADD;
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ name,
+ ACL_ADD, NULL, NULL)) {
+ ret.code = KADM5_AUTH_ADD;
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_create_policy",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
- prime_arg, client_name,
- service_name, client_addr(rqstp, buf));
-
- } else {
- ret.code = kadm5_create_policy((void *) handle, &arg->rec,
- arg->mask);
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
+ prime_arg, client_name,
+ service_name, client_addr(rqstp, buf));
+
+ } else {
+ ret.code = kadm5_create_policy((void *)handle, &arg->rec,
+ arg->mask);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_create_policy",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
if (name)
gss_release_name(&min_stat, &name);
- free_server_handle(handle);
- if (client_name)
- free(client_name);
- if (service_name)
- free(service_name);
- return (&ret);
+ free_server_handle(handle);
+ if (client_name)
+ free(client_name);
+ if (service_name)
+ free(service_name);
+ return &ret;
}
generic_ret *
-delete_policy_1(dpol_arg * arg, struct svc_req * rqstp)
+delete_policy_1_svc(dpol_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static generic_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- prime_arg = arg->name;
-
+ }
+ prime_arg = arg->name;
+
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
name,
- ACL_DELETE, NULL, NULL)) {
+ ACL_DELETE, NULL, NULL)) {
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_delete_policy",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
- prime_arg, client_name, service_name,
- client_addr(rqstp, buf));
- ret.code = KADM5_AUTH_DELETE;
- } else {
- ret.code = kadm5_delete_policy((void *) handle, arg->name);
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
+ prime_arg, client_name, service_name,
+ client_addr(rqstp, buf));
+ ret.code = KADM5_AUTH_DELETE;
+ } else {
+ ret.code = kadm5_delete_policy((void *)handle, arg->name);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_delete_policy",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
if (name)
gss_release_name(&min_stat, &name);
- free_server_handle(handle);
- if (client_name)
- free(client_name);
- if (service_name)
- free(service_name);
- return (&ret);
+ free_server_handle(handle);
+ if (client_name)
+ free(client_name);
+ if (service_name)
+ free(service_name);
+ return &ret;
}
generic_ret *
-modify_policy_1(mpol_arg * arg, struct svc_req * rqstp)
+modify_policy_1_svc(mpol_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static generic_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- prime_arg = arg->rec.policy;
+ }
+ prime_arg = arg->rec.policy;
- if (!(name = get_clnt_name(rqstp))) {
- ret.code = KADM5_FAILURE;
+ if (!(name = get_clnt_name(rqstp))) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
+ }
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
name,
- ACL_MODIFY, NULL, NULL)) {
+ ACL_MODIFY, NULL, NULL)) {
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_modify_policy",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
- prime_arg, client_name,
- service_name, client_addr(rqstp, buf));
- ret.code = KADM5_AUTH_MODIFY;
- } else {
- ret.code = kadm5_modify_policy((void *) handle, &arg->rec,
- arg->mask);
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
+ prime_arg, client_name,
+ service_name, client_addr(rqstp, buf));
+ ret.code = KADM5_AUTH_MODIFY;
+ } else {
+ ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
+ arg->mask);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_modify_policy",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
if (name)
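Review bot: The LOG_UNAUTH call in create_policy_1_svc passes `prime_arg` unguarded while the LOG_DONE call a few lines later wraps it as `((prime_arg == NULL) ? "(null)" : prime_arg)`; `prime_arg = arg->rec.policy` comes from the decoded request, so a NULL policy name reaches the log formatter (presumably a `%s` conversion) only on the denied path. Use the same guard in both calls, `((prime_arg == NULL) ? "(null)" : prime_arg), client_name,`, and apply it to the audit_kadmind_unauth argument as well unless that function is known to accept NULL. delete_policy_1_svc and modify_policy_1_svc in this hunk, and get_policy_1_svc in a later hunk, have the identical asymmetry; get_pols_1_svc is fine because it substitutes "*" first.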
@@ -1741,37 +1748,38 @@ error:
return (&ret);
}
-gpol_ret *
-get_policy_1(gpol_arg * arg, struct svc_req * rqstp)
+gpol_ret *
+get_policy_1_svc(gpol_arg *arg, struct svc_req *rqstp)
{
- static gpol_ret ret;
- kadm5_ret_t ret2;
- char *prime_arg = NULL, *funcname;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_policy_ent_t e;
- kadm5_principal_ent_rec caller_ent;
- krb5_principal caller;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static gpol_ret ret;
+ kadm5_ret_t ret2;
+ char *prime_arg = NULL, *funcname;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_policy_ent_t e;
+ kadm5_principal_ent_rec caller_ent;
+ krb5_principal caller;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_gpol_ret, (char *) &ret);
+ xdr_free(xdr_gpol_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *) handle)))
goto error;
- ret.api_version = handle->api_version;
- funcname = handle->api_version == KADM5_API_VERSION_1 ?
- "kadm5_get_policy (V1)" : "kadm5_get_policy";
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
+ funcname = handle->api_version == KADM5_API_VERSION_1 ?
+ "kadm5_get_policy (V1)" : "kadm5_get_policy";
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
goto error;
- }
- prime_arg = arg->name;
+ }
+ prime_arg = arg->name;
ret.code = KADM5_AUTH_GET;
if (!(name = get_clnt_name(rqstp))) {
@@ -1779,7 +1787,7 @@ get_policy_1(gpol_arg * arg, struct svc_req * rqstp)
goto error;
}
- if (!CHANGEPW_SERVICE(rqstp) && acl_check(handle->context,
+ if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context,
name,
ACL_INQUIRE, NULL, NULL))
ret.code = KADM5_OK;
@@ -1791,42 +1799,39 @@ get_policy_1(gpol_arg * arg, struct svc_req * rqstp)
if (ret.code == KADM5_OK) {
if (caller_ent.aux_attributes & KADM5_POLICY &&
strcmp(caller_ent.policy, arg->name) == 0) {
- ret.code = KADM5_OK;
- } else
- ret.code = KADM5_AUTH_GET;
- ret2 = kadm5_free_principal_ent(handle->lhandle,
- &caller_ent);
- ret.code = ret.code ? ret.code : ret2;
- }
- }
-
- if (ret.code == KADM5_OK) {
- if (handle->api_version == KADM5_API_VERSION_1) {
- ret.code = kadm5_get_policy_v1((void *) handle,
- arg->name, &e);
- if (ret.code == KADM5_OK) {
- memcpy(&ret.rec, e,
- sizeof (kadm5_policy_ent_rec));
- free(e);
- }
- } else {
- ret.code = kadm5_get_policy((void *) handle, arg->name,
- &ret.rec);
- }
-
+ ret.code = KADM5_OK;
+ } else ret.code = KADM5_AUTH_GET;
+ ret2 = kadm5_free_principal_ent(handle->lhandle,
+ &caller_ent);
+ ret.code = ret.code ? ret.code : ret2;
+ }
+ }
+
+ if (ret.code == KADM5_OK) {
+ if (handle->api_version == KADM5_API_VERSION_1) {
+ ret.code = kadm5_get_policy_v1((void *)handle, arg->name, &e);
+ if(ret.code == KADM5_OK) {
+ memcpy(&ret.rec, e, sizeof(kadm5_policy_ent_rec));
+ free(e);
+ }
+ } else {
+ ret.code = kadm5_get_policy((void *)handle, arg->name,
+ &ret.rec);
+ }
+
audit_kadmind_auth(rqstp->rq_xprt, l_port,
funcname, prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
} else {
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
funcname, prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
- prime_arg, client_name,
- service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+ prime_arg, client_name,
+ service_name, client_addr(rqstp, buf));
+ }
error:
if (name)
@@ -1841,61 +1846,62 @@ error:
}
gpols_ret *
-get_pols_1(gpols_arg * arg, struct svc_req * rqstp)
+get_pols_1_svc(gpols_arg *arg, struct svc_req *rqstp)
{
- static gpols_ret ret;
- char *prime_arg = NULL;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static gpols_ret ret;
+ char *prime_arg = NULL;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_gpols_ret, (char *) &ret);
+ xdr_free(xdr_gpols_ret, (char *) &ret);
- if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto error;
- }
- prime_arg = arg->exp;
- if (prime_arg == NULL)
- prime_arg = "*";
+ ret.api_version = handle->api_version;
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ goto error;
+ }
+ prime_arg = arg->exp;
+ if (prime_arg == NULL)
+ prime_arg = "*";
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
}
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
- name,
- ACL_LIST, NULL, NULL)) {
- ret.code = KADM5_AUTH_LIST;
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ name,
+ ACL_LIST, NULL, NULL)) {
+ ret.code = KADM5_AUTH_LIST;
audit_kadmind_unauth(rqstp->rq_xprt, l_port,
"kadm5_get_policies",
prime_arg, client_name);
- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
- prime_arg, client_name, service_name,
- client_addr(rqstp, buf));
- } else {
- ret.code = kadm5_get_policies((void *) handle,
+ krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
+ prime_arg, client_name, service_name,
+ client_addr(rqstp, buf));
+ } else {
+ ret.code = kadm5_get_policies((void *)handle,
arg->exp, &ret.pols,
&ret.count);
audit_kadmind_auth(rqstp->rq_xprt, l_port,
"kadm5_get_policies",
prime_arg, client_name, ret.code);
- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
- prime_arg,
- ((ret.code == 0) ? "success" : error_message(ret.code)),
- client_name, service_name, client_addr(rqstp, buf));
- }
+ krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
+ prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+ client_name, service_name, client_addr(rqstp, buf));
+ }
error:
if (name)
@@ -1908,28 +1914,28 @@ error:
return (&ret);
}
-getprivs_ret *
-get_privs_1(krb5_ui_4 * arg, struct svc_req * rqstp)
+getprivs_ret * get_privs_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
- static getprivs_ret ret;
- char *client_name = NULL, *service_name = NULL;
- OM_uint32 min_stat;
- kadm5_server_handle_t handle;
- gss_name_t name = NULL;
+ static getprivs_ret ret;
+ char *client_name = NULL, *service_name = NULL;
+ OM_uint32 min_stat;
+ kadm5_server_handle_t handle;
+ gss_name_t name = NULL;
- xdr_free(xdr_getprivs_ret, (char *) &ret);
+ xdr_free(xdr_getprivs_ret, (char *) &ret);
- if (ret.code = new_server_handle(*arg, rqstp, &handle))
- return (&ret);
+ if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
+ return &ret;
- if (ret.code = check_handle((void *) handle))
+ if ((ret.code = check_handle((void *)handle)))
goto error;
- ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto error;
- }
+ ret.api_version = handle->api_version;
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ goto error;
+ }
if (!(name = get_clnt_name(rqstp))) {
ret.code = KADM5_FAILURE;
goto error;
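Review bot: The rewritten signature `getprivs_ret * get_privs_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp)` folds the return type onto the same line as the name, with a space after the `*`, whereas every other handler in this file keeps the return type on its own line and binds the `*` to the name. Restore the two-line form: `getprivs_ret *` followed by `get_privs_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp)`. init_1_svc in the next hunk has the same one-line form.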
@@ -1956,26 +1962,26 @@ error:
return (&ret);
}
-generic_ret *
-init_1(krb5_ui_4 * arg, struct svc_req * rqstp)
+generic_ret *init_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
+ static generic_ret ret;
char *client_name, *service_name;
kadm5_server_handle_t handle;
- xdr_free(xdr_generic_ret, (char *) &ret);
+ xdr_free(xdr_generic_ret, (char *) &ret);
- if (ret.code = new_server_handle(*arg, rqstp, &handle))
- return (&ret);
- if (!(ret.code = check_handle((void *) handle))) {
- ret.api_version = handle->api_version;
- }
- free_server_handle(handle);
+ if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
+ return &ret;
+ if (! (ret.code = check_handle((void *)handle))) {
+ ret.api_version = handle->api_version;
+ }
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- return (&ret);
- }
+ free_server_handle(handle);
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ return &ret;
+ }
audit_kadmind_auth(rqstp->rq_xprt, l_port,
(ret.api_version == KADM5_API_VERSION_1 ?
@@ -1983,8 +1989,9 @@ init_1(krb5_ui_4 * arg, struct svc_req * rqstp)
NULL, client_name, ret.code);
krb5_klog_syslog(LOG_NOTICE, LOG_DONE,
(ret.api_version == KADM5_API_VERSION_1 ?
- "kadm5_init (V1)" : "kadm5_init"),
- client_name, (ret.code == 0) ? "success" : error_message(ret.code),
+ "kadm5_init (V1)" : "kadm5_init"),
+ client_name,
+ (ret.code == 0) ? "success" : error_message(ret.code),
client_name, service_name, client_addr(rqstp, buf));
free(client_name);
free(service_name);
diff --git a/usr/src/cmd/krb5/kdestroy/kdestroy.c b/usr/src/cmd/krb5/kdestroy/kdestroy.c
index fb3e6ac96b..df578d13e1 100644
--- a/usr/src/cmd/krb5/kdestroy/kdestroy.c
+++ b/usr/src/cmd/krb5/kdestroy/kdestroy.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -38,6 +38,9 @@
#include <com_err.h>
#include <string.h>
#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
#include <locale.h>
#include <rpc/types.h>
#include <rpc/rpcsys.h>
@@ -77,7 +80,7 @@ int default_k4 = 0;
#endif
-void usage()
+static void usage()
{
#define KRB_AVAIL_STRING(x) ((x)?gettext("available"):gettext("not available"))
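Review bot: `static void usage()` is an old-style declaration with no prototype, so a caller passing arguments gets no diagnostic; since the function takes none, make it `static void usage(void)`. The body of usage continues outside the hunk.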
@@ -240,7 +243,8 @@ main(argc, argv)
exit(1);
}
} else {
- if (code = krb5_cc_default(kcontext, &cache)) {
+ code = krb5_cc_default(kcontext, &cache);
+ if (code) {
com_err(progname, code, gettext("while getting default ccache"));
exit(1);
}
diff --git a/usr/src/cmd/krb5/kinit/kinit.c b/usr/src/cmd/krb5/kinit/kinit.c
index aca4caa01e..62f5736d08 100644
--- a/usr/src/cmd/krb5/kinit/kinit.c
+++ b/usr/src/cmd/krb5/kinit/kinit.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -73,15 +73,17 @@ extern int getopt();
#ifdef HAVE_PWD_H
#include <pwd.h>
+static
char * get_name_from_os()
{
struct passwd *pw;
- if (pw = getpwuid((int) getuid()))
+ if ((pw = getpwuid((int) getuid())))
return pw->pw_name;
return 0;
}
#else /* HAVE_PWD_H */
#ifdef _WIN32
+static
char * get_name_from_os()
{
static char name[1024];
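Review bot: `getpwuid((int) getuid())` narrows a uid_t to int before the call; getpwuid takes a uid_t, so the cast is unnecessary and could misrepresent uids above INT_MAX where uid_t is wider than int. Drop it: `if ((pw = getpwuid(getuid())))`.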
@@ -94,6 +96,7 @@ char * get_name_from_os()
}
}
#else /* _WIN32 */
+static
char * get_name_from_os()
{
return 0;
@@ -101,8 +104,6 @@ char * get_name_from_os()
#endif /* _WIN32 */
#endif /* HAVE_PWD_H */
-static char *progname;
-
static char* progname_v5 = 0;
#ifdef KRB5_KRB4_COMPAT
static char* progname_v4 = 0;
@@ -123,7 +124,7 @@ static int default_k4 = 0;
static int authed_k5 = 0;
static int authed_k4 = 0;
-#define KRB4_BACKUP_DEFAULT_LIFE_SECS 10*60*60 /* 10 hours */
+#define KRB4_BACKUP_DEFAULT_LIFE_SECS 24*60*60 /* 1 day */
#define ROOT_UNAME "root"
typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type;
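Review bot: The new value `24*60*60` is substituted unparenthesized, so a use of KRB4_BACKUP_DEFAULT_LIFE_SECS inside a larger expression (for example `x / KRB4_BACKUP_DEFAULT_LIFE_SECS`, which expands to `x / 24*60*60`) evaluates wrongly; define it as `#define KRB4_BACKUP_DEFAULT_LIFE_SECS (24*60*60) /* 1 day */`. The change also lengthens the fallback Kerberos 4 ticket lifetime from 10 hours to a day, which widens the window in which a leaked ticket stays usable, so the reason for the new default belongs in the comment rather than just the value.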
@@ -236,10 +237,11 @@ struct option long_options[] = {
/* Save the program name for the error messages */
static char *progname;
-void
-usage(void)
+static void
+usage(progname)
{
#define USAGE_BREAK "\n\t"
+
#ifdef GETOPT_LONG
#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable"
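Review bot: `usage(progname)` is an old-style definition with no parameter declaration, so under K&R rules progname is an int inside usage, while the caller `usage(progname);` in parse_options passes a `char *` (its parameter is declared `char *progname;`); that argument/parameter mismatch is undefined behaviour and on LP64 will likely truncate the pointer. Add `char *progname;` between the parameter list and the `{`, as parse_options does in a later hunk. Both parameters also shadow the file-scope `static char *progname` declared just above this hunk, which `-Wshadow` would flag; either drop the parameter or rename the global.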
@@ -260,7 +262,7 @@ usage(void)
USAGE_BREAK_LONG
"[-p | -P" USAGE_LONG_PROXIABLE "] "
USAGE_BREAK_LONG
- "[-A" USAGE_LONG_ADDRESSES "] "
+ "[-a | -A" USAGE_LONG_ADDRESSES "] "
USAGE_BREAK
"[-v] [-R] "
"[-k [-t keytab_file]] "
@@ -283,12 +285,13 @@ usage(void)
#ifdef KRB5_KRB4_COMPAT
#define USAGE_OPT_FMT "%s%-50s%s\n"
+#define ULINE(indent, col1, col2) \
+fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
#else
#define USAGE_OPT_FMT "%s%s\n"
-#endif
-
#define ULINE(indent, col1, col2) \
-fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
+fprintf(stderr, USAGE_OPT_FMT, indent, col1)
+#endif
ULINE(" ", "options:", "valid with Kerberos:");
fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5));
@@ -307,6 +310,7 @@ fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
ULINE("\t", gettext("-p proxiable"), OPTTYPE_KRB5);
ULINE("\t", gettext("-P not proxiable"), OPTTYPE_KRB5);
ULINE("\t", gettext("-A do not include addresses"), OPTTYPE_KRB5);
+ ULINE("\t", gettext("-a include addresses"), OPTTYPE_KRB5);
ULINE("\t", gettext("-v validate"), OPTTYPE_KRB5);
ULINE("\t", gettext("-R renew"), OPTTYPE_BOTH);
ULINE("\t", gettext("-k use keytab"), OPTTYPE_BOTH);
@@ -318,11 +322,12 @@ fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
exit(2);
}
-char *
-parse_options(argc, argv, opts)
+static char *
+parse_options(argc, argv, opts, progname)
int argc;
char **argv;
struct k_opts* opts;
+ char *progname;
{
krb5_error_code code;
int errflg = 0;
@@ -330,7 +335,7 @@ parse_options(argc, argv, opts)
int use_k5 = 0;
int i;
- while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:v"))
+ while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:v"))
!= -1) {
switch (i) {
case 'V':
@@ -516,7 +521,7 @@ parse_options(argc, argv, opts)
}
if (errflg) {
- usage();
+ usage(progname);
}
got_k5 = got_k5 && use_k5;
@@ -526,7 +531,7 @@ parse_options(argc, argv, opts)
return opts->principal_name;
}
-int
+static int
k5_begin(opts, k5, k4)
struct k_opts* opts;
struct k5_data* k5;
@@ -534,12 +539,12 @@ struct k4_data* k4;
{
char* progname = progname_v5;
krb5_error_code code = 0;
- char* cp;
if (!got_k5)
return 0;
- if (code = krb5_init_context(&k5->ctx)) {
+ code = krb5_init_context(&k5->ctx);
+ if (code) {
com_err(progname, code, gettext("while initializing Kerberos 5 library"));
return 0;
}
@@ -575,21 +580,25 @@ struct k4_data* k4;
/* No principal name specified */
if (opts->action == INIT_KT) {
/* Use the default host/service name */
- if (code = krb5_sname_to_principal(k5->ctx, NULL, NULL,
- KRB5_NT_SRV_HST, &k5->me)) {
- com_err(progname, code, gettext(
- "when creating default server principal name"));
- return 0;
- }
+ code = krb5_sname_to_principal(k5->ctx, NULL, NULL,
+ KRB5_NT_SRV_HST, &k5->me);
+ if (code) {
+ com_err(progname, code, gettext(
+ "when creating default server principal name"));
+ return 0;
+ }
} else {
- /* Get default principal from cache if one exists */
- if (code = krb5_cc_get_principal(k5->ctx, k5->cc, &k5->me)) {
- char *name = get_name_from_os();
- if (!name)
- {
- fprintf(stderr, gettext("Unable to identify user\n"));
- return 0;
- }
+ /* Get default principal from cache if one exists */
+ code = krb5_cc_get_principal(k5->ctx, k5->cc,
+ &k5->me);
+ if (code)
+ {
+ char *name = get_name_from_os();
+ if (!name)
+ {
+ fprintf(stderr, gettext("Unable to identify user\n"));
+ return 0;
+ }
/* use strcmp to ensure only "root" is matched */
if (strcmp(name, ROOT_UNAME) == 0)
{
@@ -599,21 +608,25 @@ struct k4_data* k4;
"when creating default server principal name"));
return 0;
}
- } else if (code = krb5_parse_name(k5->ctx, name, &k5->me)) {
- com_err(progname, code, gettext("when parsing name %s"),
- name);
- return 0;
+ } else
+ if ((code = krb5_parse_name(k5->ctx, name,
+ &k5->me)))
+ {
+ com_err(progname, code, gettext("when parsing name %s"),
+ name);
+ return 0;
}
- }
- }
+ }
+ }
}
- if (code = krb5_unparse_name(k5->ctx, k5->me, &k5->name)) {
+
+ code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
+ if (code) {
com_err(progname, code, gettext("when unparsing name"));
return 0;
}
opts->principal_name = k5->name;
-
#ifdef KRB5_KRB4_COMPAT
if (got_k4)
{
@@ -630,7 +643,7 @@ struct k4_data* k4;
return 1;
}
-void
+static void
k5_end(k5)
struct k5_data* k5;
{
@@ -645,7 +658,7 @@ k5_end(k5)
memset(k5, 0, sizeof(*k5));
}
-int
+static int
k4_begin(opts, k4)
struct k_opts* opts;
struct k4_data* k4;
@@ -665,8 +678,9 @@ k4_begin(opts, k4)
if (opts->principal_name)
{
/* Use specified name */
- if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
- opts->principal_name))
+ k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
+ opts->principal_name);
+ if (k_errno)
{
fprintf(stderr, "%s: %s\n", progname,
krb_get_err_text(k_errno));
@@ -682,8 +696,9 @@ k4_begin(opts, k4)
return 0;
} else {
/* Get default principal from cache if one exists */
- if (k_errno = krb_get_tf_fullname(tkt_string(), k4->aname,
- k4->inst, k4->realm))
+ k_errno = krb_get_tf_fullname(tkt_string(), k4->aname,
+ k4->inst, k4->realm);
+ if (k_errno)
{
char *name = get_name_from_os();
if (!name)
@@ -691,8 +706,9 @@ k4_begin(opts, k4)
fprintf(stderr, "Unable to identify user\n");
return 0;
}
- if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
- name))
+ k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
+ name);
+ if (k_errno)
{
fprintf(stderr, "%s: %s\n", progname,
krb_get_err_text(k_errno));
@@ -733,7 +749,7 @@ k4_begin(opts, k4)
return 1;
}
-void
+static void
k4_end(k4)
struct k4_data* k4;
{
@@ -745,7 +761,7 @@ static char stash_password[1024];
static int got_password = 0;
#endif /* KRB5_KRB4_COMPAT */
-krb5_error_code
+static krb5_error_code
KRB5_CALLCONV
kinit_prompter(
krb5_context ctx,
@@ -771,11 +787,10 @@ kinit_prompter(
got_password = 1;
#endif
}
-
return rc;
}
-int
+static int
k5_kinit(opts, k5)
struct k_opts* opts;
struct k5_data* k5;
@@ -905,7 +920,6 @@ k5_kinit(opts, k5)
goto cleanup;
}
krb5_get_init_creds_opt_set_address_list(&options, addresses);
- krb5_free_addresses(k5->ctx, addresses);
}
if (opts->no_addresses)
krb5_get_init_creds_opt_set_address_list(&options, NULL);
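Review bot: Dropping `krb5_free_addresses(k5->ctx, addresses)` removes a use-after-free (options keeps the `addresses` pointer and it is read later by the get_init_creds call), but nothing visible now releases `addresses`, so it leaks per invocation unless the cleanup label frees it. k5_kinit's body begins and ends outside this hunk; confirm the cleanup path calls `krb5_free_addresses` once the credentials have been obtained, or add it there.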
@@ -920,8 +934,6 @@ k5_kinit(opts, k5)
}
}
-
-
switch (opts->action) {
case INIT_PW:
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
@@ -982,13 +994,15 @@ k5_kinit(opts, k5)
opts->lifetime = my_creds.times.endtime - my_creds.times.authtime;
}
- if (code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me)) {
+ code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
+ if (code) {
com_err(progname, code, gettext("when initializing cache %s"),
opts->k5_cache_name?opts->k5_cache_name:"");
goto cleanup;
}
- if (code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds)) {
+ code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds);
+ if (code) {
com_err(progname, code, gettext("while storing credentials"));
goto cleanup;
}
@@ -1012,7 +1026,7 @@ k5_kinit(opts, k5)
return notix?0:1;
}
-int
+static int
k4_kinit(opts, k4, ctx)
struct k_opts* opts;
struct k4_data* k4;
@@ -1035,17 +1049,13 @@ k4_kinit(opts, k4, ctx)
if (!k4->lifetime)
k4->lifetime = KRB4_BACKUP_DEFAULT_LIFE_SECS;
- k4->lifetime /= (5 * 60);
- if (k4->lifetime < 1)
- k4->lifetime = 1;
- if (k4->lifetime > 255)
- k4->lifetime = 255;
+ k4->lifetime = krb_time_to_life(0, k4->lifetime);
switch (opts->action)
{
case INIT_PW:
if (!got_password) {
- int pwsize = sizeof(stash_password);
+ unsigned int pwsize = sizeof(stash_password);
krb5_error_code code;
char prompt[1024];
@@ -1074,7 +1084,7 @@ k4_kinit(opts, k4, ctx)
fprintf(stderr, "%s: %s\n", progname,
krb_get_err_text(k_errno));
if (authed_k5)
- fprintf(stderr, gettext("Maybe your KDC does not support v4. "
+ fprintf(stderr, gettext("Maybe your KDC does not support v4. "
"Try the -5 option next time.\n"));
return 0;
}
@@ -1087,17 +1097,25 @@ k4_kinit(opts, k4, ctx)
fprintf(stderr, gettext("%s: renewal of krb4 tickets is not supported\n"),
progname);
return 0;
+#else
+ /* These cases are handled by the 524 code - this prevents the compiler
+ warnings of not using all the enumerated types.
+ */
+ case INIT_KT:
+ case RENEW:
+ case VALIDATE:
+ return 0;
#endif
}
#endif
return 0;
}
-char*
-getvprogname(v)
- char *v;
+static char*
+getvprogname(v, progname)
+ char *v, *progname;
{
- int len = strlen(progname) + 2 + strlen(v) + 2;
+ unsigned int len = strlen(progname) + 2 + strlen(v) + 2;
char *ret = malloc(len);
if (ret)
sprintf(ret, "%s(v%s)", progname, v);
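Review bot: `unsigned int len` narrows the `size_t` results of `strlen`, and the hand-computed `+ 2 + ... + 2` sizing is only correct because the format `"%s(v%s)"` happens to add exactly three characters plus the terminator; an unbounded `sprintf` gives no check on that arithmetic. Use `size_t len = strlen(progname) + strlen(v) + sizeof "(v)";` and `snprintf(ret, len, "%s(v%s)", progname, v);` so the bound is explicit. Note also that the callers in `main` (later hunk) store the result into `progname_v5`/`progname_v4`/`progname_v524` without checking for a NULL return on allocation failure.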
@@ -1108,7 +1126,7 @@ getvprogname(v)
#ifdef HAVE_KRB524
/* Convert krb5 tickets to krb4. */
-int try_convert524(k5)
+static int try_convert524(k5)
struct k5_data* k5;
{
char * progname = progname_v524;
@@ -1128,9 +1146,6 @@ int try_convert524(k5)
initialized.
*/
- /* or do this directly with krb524_convert_creds_kdc */
- krb524_init_ets(k5->ctx);
-
if ((code = krb5_build_principal(k5->ctx,
&kpcserver,
krb5_princ_realm(k5->ctx, k5->me)->length,
@@ -1217,10 +1232,10 @@ main(argc, argv)
(void) textdomain(TEXT_DOMAIN);
progname = GET_PROGNAME(argv[0]);
- progname_v5 = getvprogname("5");
+ progname_v5 = getvprogname("5", progname);
#ifdef KRB5_KRB4_COMPAT
- progname_v4 = getvprogname("4");
- progname_v524 = getvprogname("524");
+ progname_v4 = getvprogname("4", progname);
+ progname_v524 = getvprogname("524", progname);
#endif
/* Ensure we can be driven from a pipe */
@@ -1246,7 +1261,7 @@ main(argc, argv)
memset(&k5, 0, sizeof(k5));
memset(&k4, 0, sizeof(k4));
- parse_options(argc, argv, &opts);
+ parse_options(argc, argv, &opts, progname);
got_k5 = k5_begin(&opts, &k5, &k4);
got_k4 = k4_begin(&opts, &k4);
@@ -1270,7 +1285,8 @@ main(argc, argv)
k5_end(&k5);
k4_end(&k4);
- if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4))
+ if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4) ||
+ (!got_k5 && !got_k4))
exit(1);
return 0;
}
diff --git a/usr/src/cmd/krb5/klist/klist.c b/usr/src/cmd/krb5/klist/klist.c
index 9e1e938c30..f564e6790b 100644
--- a/usr/src/cmd/krb5/klist/klist.c
+++ b/usr/src/cmd/krb5/klist/klist.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
@@ -36,7 +36,6 @@
#include <k5-int.h>
#include "com_err.h"
#include <krb5.h>
-
#ifdef KRB5_KRB4_COMPAT
#include <kerberosIV/krb.h>
#endif /* KRB5_KRB4_COMPAT */
@@ -48,7 +47,9 @@
#include <libintl.h>
#include <locale.h>
#include <netinet/in.h>
+#if defined(HAVE_ARPA_INET_H)
#include <arpa/inet.h>
+#endif
#include <inet/ip.h>
#include <inet/ip6.h>
@@ -58,9 +59,10 @@
#define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
#endif /* _WIN32 */
+#ifndef _WIN32
#include <sys/socket.h>
#include <netdb.h>
-
+#endif
extern int optind;
@@ -74,15 +76,13 @@ size_t timestamp_width;
krb5_context kcontext;
char * etype_string (krb5_enctype );
-void show_credential (char *,
- krb5_context,
- krb5_creds *);
+void show_credential (krb5_creds *);
void do_ccache (char *);
void do_keytab (char *);
void printtime (time_t);
void one_addr (krb5_address *);
-void fillit (FILE *, int, int);
+void fillit (FILE *, unsigned int, int);
void show_addr(krb5_address *a);
#ifdef KRB5_KRB4_COMPAT
@@ -109,7 +109,7 @@ static int default_k4 = 1;
static int default_k4 = 0;
#endif /* KRB5_KRB4_COMPAT */
-void usage()
+static void usage()
{
#define KRB_AVAIL_STRING(x) ((x)?gettext("available"):gettext("not available"))
@@ -140,7 +140,9 @@ void usage()
int
-main(int argc, char *argv[])
+main(argc, argv)
+ int argc;
+ char **argv;
{
int c;
char *name;
@@ -260,7 +262,7 @@ main(int argc, char *argv[])
if (!krb5_timestamp_to_sfstring(now, tmp, 20, (char *) NULL) ||
!krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp),
(char *) NULL))
- timestamp_width = strlen(tmp);
+ timestamp_width = (int) strlen(tmp);
else
timestamp_width = 15;
}
@@ -321,42 +323,40 @@ void do_keytab(name)
}
if ((code = krb5_kt_get_name(kcontext, kt, buf, BUFSIZ))) {
- com_err(progname, code,
+ com_err(progname, code,
gettext("while getting keytab name"));
exit(1);
}
- printf(gettext("Keytab name: %s\n"), buf);
+ printf(gettext("Keytab name: %s\n"), buf);
if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor))) {
- com_err(progname, code,
+ com_err(progname, code,
gettext("while starting keytab scan"));
exit(1);
}
if (show_time) {
- printf(gettext("KVNO Timestamp"));
- fillit(stdout, timestamp_width -
- sizeof (gettext("Timestamp")) + 2, (int)' ');
- printf(gettext("Principal\n"));
- printf("---- ");
+ printf(gettext("KVNO Timestamp"));
+ fillit(stdout, timestamp_width -
+ sizeof (gettext("Timestamp")) + 2, (int)' ');
+ printf(gettext("Principal\n"));
+ printf("---- ");
fillit(stdout, timestamp_width, (int) '-');
printf(" ");
- fillit(stdout, 78 - timestamp_width -
+ fillit(stdout, 78 - timestamp_width -
sizeof (gettext("KVNO")), (int)'-');
printf("\n");
} else {
- printf(gettext("KVNO Principal\n"));
- printf("---- ------------------------------"
+ printf(gettext("KVNO Principal\n"));
+ printf("---- ------------------------------"
"--------------------------------------"
"------\n");
}
- while ((code = krb5_kt_next_entry(kcontext, kt,
- &entry, &cursor)) == 0) {
- if (code = krb5_unparse_name(kcontext,
- entry.principal, &pname)) {
- com_err(progname, code,
+ while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) {
+ if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) {
+ com_err(progname, code,
gettext("while unparsing principal name"));
exit(1);
}
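Review bot: `sizeof (gettext("Timestamp"))` on the new-side `fillit` call is the size of a `char *` (gettext returns a pointer), not the length of the label, so the column padding is derived from the pointer width; the same pattern is used with `"KVNO"` in this hunk and with `"Valid starting"` in the do_ccache context later in the file. Replace it with `strlen(gettext("Timestamp"))` (and likewise for the other labels). Since `fillit`'s `num` parameter becomes `unsigned int` in a later hunk, a subtraction that goes negative here would also turn into a very large fill count rather than zero, so the operands should be checked before the call.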
@@ -443,7 +443,7 @@ void do_ccache(name)
gettext("while setting cache "
"flags(ticket cache %s:%s)"),
krb5_cc_get_type(kcontext, cache),
- krb5_cc_get_name(kcontext, cache));
+ krb5_cc_get_name(kcontext, cache));
}
exit(1);
}
@@ -463,7 +463,7 @@ void do_ccache(name)
printf(gettext("Ticket cache: %s:%s\nDefault principal: "
"%s\n\n"),
krb5_cc_get_type(kcontext, cache),
- krb5_cc_get_name(kcontext, cache), defname);
+ krb5_cc_get_name(kcontext, cache), defname);
fputs(gettext("Valid starting"), stdout);
fillit(stdout, timestamp_width -
sizeof (gettext("Valid starting")) + 3, (int)' ');
@@ -490,7 +490,7 @@ void do_ccache(name)
creds.times.endtime > now)
exit_status = 0;
} else {
- show_credential(progname, kcontext, &creds);
+ show_credential(&creds);
}
krb5_free_cred_contents(kcontext, &creds);
}
@@ -537,7 +537,7 @@ etype_string(enctype)
return buf;
}
-char *
+static char *
flags_string(cred)
register krb5_creds *cred;
{
@@ -566,6 +566,12 @@ flags_string(cred)
buf[i++] = 'H';
if (cred->ticket_flags & TKT_FLG_PRE_AUTH)
buf[i++] = 'A';
+ if (cred->ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED)
+ buf[i++] = 'T';
+ if (cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)
+ buf[i++] = 'O'; /* D/d are taken. Use short strings? */
+ if (cred->ticket_flags & TKT_FLG_ANONYMOUS)
+ buf[i++] = 'a';
buf[i] = '\0';
return(buf);
}
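Review bot: Three more flag characters (`'T'`, `'O'`, `'a'`) can now be appended to `buf` before the terminator is written, and `buf`'s declaration is outside this hunk. Confirm its size covers every flag this function can emit plus the NUL, and consider a comment such as `/* buf must hold one char per TKT_FLG_* tested below plus NUL */` next to the declaration so future additions are checked against it.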
@@ -585,9 +591,7 @@ printtime(tv)
}
void
-show_credential(progname, kcontext, cred)
- char * progname;
- krb5_context kcontext;
+show_credential(cred)
register krb5_creds * cred;
{
krb5_error_code retval;
@@ -657,18 +661,22 @@ show_credential(progname, kcontext, cred)
if (show_etype) {
retval = decode_krb5_ticket(&cred->ticket, &tkt);
- if (retval == 0) {
- if (!extra_field)
- fputs("\t",stdout);
- else
- fputs(", ",stdout);
- printf(gettext("Etype(skey, tkt): %s, "),
- etype_string(cred->keyblock.enctype));
- printf("%s ",
- etype_string(tkt->enc_part.enctype));
+ if (retval)
+ goto err_tkt;
+
+ if (!extra_field)
+ fputs("\t",stdout);
+ else
+ fputs(", ",stdout);
+ printf(gettext("Etype(skey, tkt): %s, "),
+ etype_string(cred->keyblock.enctype));
+ printf("%s ",
+ etype_string(tkt->enc_part.enctype));
+ extra_field++;
+
+ err_tkt:
+ if (tkt != NULL)
krb5_free_ticket(kcontext, tkt);
- extra_field++;
- }
}
/* if any additional info was printed, extra_field is non-zero */
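Review bot: On the new `err_tkt` path `tkt` is read (`if (tkt != NULL)`) after `decode_krb5_ticket` has failed, which the old code never did; unless `tkt` is initialised to NULL at its declaration (outside this hunk) and the decoder guarantees not to leave it indeterminate on error, this reads an uninitialised pointer and may free garbage. Declare it as `krb5_ticket *tkt = NULL;` where it is defined so the cleanup is safe on every path.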
@@ -762,7 +770,7 @@ void one_addr(a)
void
fillit(f, num, c)
FILE *f;
- int num;
+ unsigned int num;
int c;
{
int i;
@@ -812,7 +820,8 @@ do_v4_ccache(name)
*/
/* Open ticket file */
- if (k_errno = tf_init(file, R_TKT_FIL)) {
+ k_errno = tf_init(file, R_TKT_FIL);
+ if (k_errno) {
fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
exit(1);
}
@@ -832,7 +841,7 @@ do_v4_ccache(name)
}
/* Open ticket file */
- if (k_errno = tf_init(file, R_TKT_FIL)) {
+ if ((k_errno = tf_init(file, R_TKT_FIL))) {
fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
exit(1);
}
@@ -861,7 +870,7 @@ do_v4_ccache(name)
}
printtime(c.issue_date);
fputs(" ", stdout);
- printtime(c.issue_date + ((unsigned char) c.lifetime) * 5 * 60);
+ printtime(krb_life_to_time(c.issue_date, c.lifetime));
printf(" %s%s%s%s%s\n",
c.service, (c.instance[0] ? "." : ""), c.instance,
(c.realm[0] ? "@" : ""), c.realm);
diff --git a/usr/src/cmd/krb5/krb5kdc/dispatch.c b/usr/src/cmd/krb5/krb5kdc/dispatch.c
index 8d01e92ceb..c1ccabe1f2 100644
--- a/usr/src/cmd/krb5/krb5kdc/dispatch.c
+++ b/usr/src/cmd/krb5/krb5kdc/dispatch.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -44,15 +44,16 @@
#include <string.h>
extern krb5_error_code setup_server_realm(krb5_principal);
+static krb5_int32 last_usec = 0, last_os_random = 0;
krb5_error_code
-dispatch(krb5_data *pkt, const krb5_fulladdr *from, int portnum,
- krb5_data **response)
+dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response)
{
krb5_error_code retval;
krb5_kdc_req *as_req;
-
+ krb5_int32 now, now_usec;
+
/* decode incoming packet, and dispatch */
#ifndef NOCACHE
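Review bot: The new file-scope `last_usec`/`last_os_random` and the locals `now`/`now_usec` are only referenced inside the `#if 0` block in the next hunk, so they are unused in the compiled code and will draw unused-variable warnings. That disabled block is the feed of request-timing entropy (and the hourly `krb5_c_random_os_entropy` reseed) into the KDC's PRNG; the `SUNW14resync XXX` marker says neither why it is disabled nor which other source covers the KDC's randomness. Either drop the declarations together with the block, or replace the marker with a comment stating the reason and the replacement entropy source, e.g. `/* timing-entropy feed disabled: <reason>; randomness comes from <source> */`.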
@@ -67,15 +68,37 @@ dispatch(krb5_data *pkt, const krb5_fulladdr *from, int portnum,
if (name == 0)
name = "[unknown address type]";
krb5_klog_syslog(LOG_INFO,
- "DISPATCH: repeated (retransmitted?) request from %s port %d, resending previous response",
- name, portnum);
+ "DISPATCH: repeated (retransmitted?) request from %s, resending previous response",
+ name);
return 0;
}
#endif
+/* SUNW14resync XXX */
+#if 0
+ retval = krb5_crypto_us_timeofday(&now, &now_usec);
+ if (retval == 0) {
+ krb5_int32 usec_difference = now_usec-last_usec;
+ krb5_data data;
+ if(last_os_random == 0)
+ last_os_random = now;
+ /* Grab random data from OS every hour*/
+ if(now-last_os_random >= 60*60) {
+ krb5_c_random_os_entropy(kdc_context, 0, NULL);
+ last_os_random = now;
+ }
+
+ data.length = sizeof(krb5_int32);
+ data.data = (void *) &usec_difference;
+
+ krb5_c_random_add_entropy(kdc_context,
+ KRB5_C_RANDSOURCE_TIMING, &data);
+ last_usec = now_usec;
+ }
+#endif
/* try TGS_REQ first; they are more common! */
if (krb5_is_tgs_req(pkt)) {
- retval = process_tgs_req(pkt, from, portnum, response);
+ retval = process_tgs_req(pkt, from, response);
} else if (krb5_is_as_req(pkt)) {
if (!(retval = decode_krb5_as_req(pkt, &as_req))) {
/*
@@ -83,11 +106,15 @@ dispatch(krb5_data *pkt, const krb5_fulladdr *from, int portnum,
* pointer.
*/
if (!(retval = setup_server_realm(as_req->server))) {
- retval = process_as_req(as_req, from, portnum, response);
+ retval = process_as_req(as_req, from, response);
}
krb5_free_kdc_req(kdc_context, as_req);
}
}
+#ifdef KRB5_KRB4_COMPAT
+ else if (pkt->data[0] == 4) /* old version */
+ retval = process_v4(pkt, from, response);
+#endif
else
retval = KRB5KRB_AP_ERR_MSG_TYPE;
#ifndef NOCACHE
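Review bot: The added `pkt->data[0] == 4` test reads the first byte without a length check, whereas the preceding `krb5_is_tgs_req`/`krb5_is_as_req` tests presumably guard on `pkt->length` themselves; if they do not reject an empty datagram before this branch, a zero-length packet reaches the read. Guard it explicitly: `else if (pkt->length > 0 && pkt->data[0] == 4) /* old version */`.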
diff --git a/usr/src/cmd/krb5/krb5kdc/do_as_req.c b/usr/src/cmd/krb5/krb5kdc/do_as_req.c
index 6e715caa69..22f3e97d37 100644
--- a/usr/src/cmd/krb5/krb5kdc/do_as_req.c
+++ b/usr/src/cmd/krb5/krb5kdc/do_as_req.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -34,6 +34,7 @@
* KDC Routines to deal with AS_REQ's
*/
+#define NEED_SOCKETS
#include "k5-int.h"
#include "com_err.h"
@@ -52,20 +53,14 @@
#include "adm_proto.h"
#include "extern.h"
-static krb5_error_code prepare_error_as (krb5_kdc_req *,
- int,
- krb5_data *,
- krb5_data **);
+static krb5_error_code prepare_error_as (krb5_kdc_req *, int, krb5_data *,
+ krb5_data **, const char *);
/*ARGSUSED*/
krb5_error_code
-process_as_req(request, from, portnum, response)
-register krb5_kdc_req *request;
-const krb5_fulladdr *from; /* who sent it ? */
-int portnum;
-krb5_data **response; /* filled in with a response packet */
+process_as_req(krb5_kdc_req *request, const krb5_fulladdr *from,
+ krb5_data **response)
{
-
krb5_db_entry client, server;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
@@ -87,22 +82,28 @@ krb5_data **response; /* filled in with a response packet */
register int i;
krb5_timestamp until, rtime;
long long tmp_client_times, tmp_server_times, tmp_realm_times;
- char *cname = 0, *sname = 0, *fromstring = 0;
+ char *cname = 0, *sname = 0;
+ const char *fromstring = 0;
+ char ktypestr[128];
+ char rep_etypestr[128];
+ char fromstringbuf[70];
struct in_addr from_in4; /* IPv4 address of sender */
ticket_reply.enc_part.ciphertext.data = 0;
e_data.data = 0;
- reply.padata = 0; /* avoid bogus free in error_out */
(void) memset(&encrypting_key, 0, sizeof(krb5_keyblock));
+ reply.padata = 0; /* avoid bogus free in error_out */
(void) memset(&session_key, 0, sizeof(krb5_keyblock));
-#ifdef HAVE_NETINET_IN_H
- if (from->address->addrtype == ADDRTYPE_INET) {
+ ktypes2str(ktypestr, sizeof(ktypestr),
+ request->nktypes, request->ktype);
+
(void) memcpy(&from_in4, from->address->contents, /* SUNW */
sizeof (struct in_addr));
- fromstring = inet_ntoa(from_in4);
- }
-#endif
+
+ fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype),
+ &from_in4,
+ fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
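Review bot: `inet_ntop` is now called with the family derived from `from->address->addrtype` but with `&from_in4` as the source, and `from_in4` is a 4-byte `struct in_addr` filled by an unconditional `memcpy` of `sizeof (struct in_addr)` bytes (the old `ADDRTYPE_INET` guard is gone); for an IPv6 sender `inet_ntop(AF_INET6, ...)` reads 16 bytes from that 4-byte object, and the copied value is truncated anyway. The do_tgs_req.c counterpart in this same commit passes `from->address->contents` directly, which is the correct form; make this call match it: `fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype), from->address->contents, fromstringbuf, sizeof(fromstringbuf));`. The `from_in4` copy can stay for the `audit_krb5kdc_as_req` calls, but it should again be made only when the address type is `ADDRTYPE_INET`, since those calls take a `struct in_addr *`.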
@@ -190,7 +191,7 @@ krb5_data **response; /* filled in with a response packet */
}
if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
- &session_key))) {
+ &session_key))) {
/* random key failed */
status = "RANDOM_KEY_FAILED";
goto errout;
@@ -240,8 +241,8 @@ krb5_data **response; /* filled in with a response packet */
tmp_realm_times = (long long) enc_tkt_reply.times.starttime + max_life_for_realm;
- enc_tkt_reply.times.endtime =
- min(until,
+ enc_tkt_reply.times.endtime =
+ min(until,
min(tmp_client_times,
min(tmp_server_times,
min(tmp_realm_times,KRB5_KDB_EXPIRATION))));
@@ -270,9 +271,9 @@ krb5_data **response; /* filled in with a response packet */
tmp_realm_times = (double) enc_tkt_reply.times.starttime + max_renewable_life_for_realm;
enc_tkt_reply.times.renew_till =
- min(rtime, min(tmp_client_times,
- min(tmp_server_times,
- min(tmp_realm_times,KRB5_KDB_EXPIRATION))));
+ min(rtime, min(tmp_client_times,
+ min(tmp_server_times,
+ min(tmp_realm_times,KRB5_KDB_EXPIRATION))));
} else
enc_tkt_reply.times.renew_till = 0; /* XXX */
@@ -347,9 +348,6 @@ krb5_data **response; /* filled in with a response packet */
status = "DECRYPT_SERVER_KEY";
goto errout;
}
- if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
- (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
- encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
@@ -439,11 +437,20 @@ krb5_data **response; /* filled in with a response packet */
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
- audit_krb5kdc_as_req(&from_in4, (in_port_t)from->port, (in_port_t)portnum,
+ /* SUNW14resync:
+ * The third argument to audit_krb5kdc_as_req() is zero as the local
+ * portnumber is no longer passed to process_as_req().
+ */
+ audit_krb5kdc_as_req(&from_in4, (in_port_t)from->port, 0,
cname, sname, 0);
-
- krb5_klog_syslog(LOG_INFO, "AS_REQ %s(%d): ISSUE: authtime %d, %s for %s",
- fromstring, portnum, authtime, cname, sname);
+ rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
+ krb5_klog_syslog(LOG_INFO,
+ "AS_REQ (%s) %s: ISSUE: authtime %d, "
+ "%s, %s for %s",
+ ktypestr,
+ fromstring, authtime,
+ rep_etypestr,
+ cname, sname);
#ifdef KRBCONF_KDC_MODIFIES_KDB
/*
@@ -457,24 +464,28 @@ krb5_data **response; /* filled in with a response packet */
errout:
if (status) {
audit_krb5kdc_as_req(&from_in4, (in_port_t)from->port,
- (in_port_t)portnum, cname, sname, errcode);
- krb5_klog_syslog(LOG_INFO, "AS_REQ %s(%d): %s: %s for %s%s%s",
- fromstring, portnum, status,
+ 0, cname, sname, errcode);
+ krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s",
+ ktypestr,
+ fromstring, status,
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
errcode ? ", " : "",
errcode ? error_message(errcode) : "");
}
if (errcode) {
+ if (status == 0)
+ status = error_message (errcode);
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
- errcode = prepare_error_as(request, errcode, &e_data, response);
+ errcode = prepare_error_as(request, errcode, &e_data, response,
+ status);
}
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
-
+ if (encrypting_key.contents)
+ krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (reply.padata)
krb5_free_pa_data(kdc_context, reply.padata);
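Review bot: With `status` now passed to `prepare_error_as`, the e-text placed in the KRB-ERROR returned to the unauthenticated requester carries the KDC's internal status label (for example `"DECRYPT_SERVER_KEY"` or `"RANDOM_KEY_FAILED"` from this file) instead of the canonical `error_message` text the old code sent. If that is the intended behaviour (it matches what the log line records), a one-line comment at the `if (status == 0)` fallback, such as `/* status (or the generic message) becomes the e-text of the KRB-ERROR sent to the client */`, would make the exposure deliberate and reviewable.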
@@ -495,7 +506,7 @@ errout:
kdc_active_realm->realm_dbname);
krb5_db_init(kdc_context);
/* Reset master key */
- krb5_db_set_mkey(kdc_context, &kdc_active_realm->realm_encblock);
+ krb5_db_set_mkey(kdc_context, &kdc_active_realm->realm_mkey);
}
#endif /* KRBCONF_KDC_MODIFIES_KDB */
krb5_db_free_principal(kdc_context, &client, c_nprincs);
@@ -516,11 +527,8 @@ errout:
}
static krb5_error_code
-prepare_error_as (request, error, e_data, response)
-register krb5_kdc_req *request;
-int error;
-krb5_data *e_data;
-krb5_data **response;
+prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data,
+ krb5_data **response, const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
@@ -535,10 +543,10 @@ krb5_data **response;
errpkt.error = error;
errpkt.server = request->server;
errpkt.client = request->client;
- errpkt.text.length = strlen(error_message(error+KRB5KDC_ERR_NONE))+1;
+ errpkt.text.length = strlen(status)+1;
if (!(errpkt.text.data = malloc(errpkt.text.length)))
return ENOMEM;
- (void) strcpy(errpkt.text.data, error_message(error+KRB5KDC_ERR_NONE));
+ (void) strcpy(errpkt.text.data, status);
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
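Review bot: `prepare_error_as` now dereferences `status` unconditionally (`strlen(status)`, `strcpy(..., status)`), and the only thing keeping it non-NULL is the `if (status == 0) status = error_message(errcode);` fallback in the caller. Document that precondition on the function (`/* status must be non-NULL; it becomes the e-text */`), and since the length is already computed, copy with it rather than with `strcpy`: `(void) memcpy(errpkt.text.data, status, errpkt.text.length);`.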
diff --git a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c
index d09b29fedf..9f0f5fc79a 100644
--- a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c
+++ b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -8,7 +8,7 @@
/*
* kdc/do_tgs_req.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -34,6 +34,7 @@
* KDC Routines to deal with TGS_REQ's
*/
+#define NEED_SOCKETS
#include "k5-int.h"
#include "com_err.h"
@@ -53,27 +54,18 @@
extern krb5_error_code setup_server_realm(krb5_principal);
-static void find_alternate_tgs (krb5_kdc_req *,
- krb5_db_entry *,
- krb5_boolean *,
- int *,
- const krb5_fulladdr *,
- int,
- char *);
+static void find_alternate_tgs (krb5_kdc_req *, krb5_db_entry *,
+ krb5_boolean *, int *,
+ const krb5_fulladdr *from, char *cname);
-static krb5_error_code prepare_error_tgs (krb5_kdc_req *,
- krb5_ticket *,
- int,
- const char *,
- krb5_data **);
+static krb5_error_code prepare_error_tgs (krb5_kdc_req *, krb5_ticket *,
+ int, const char *, krb5_data **,
+ const char *);
/*ARGSUSED*/
krb5_error_code
-process_tgs_req(pkt, from, portnum, response)
-krb5_data *pkt;
-const krb5_fulladdr *from; /* who sent it ? */
-int portnum;
-krb5_data **response; /* filled in with a response packet */
+process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
+ krb5_data **response)
{
krb5_keyblock * subkey;
krb5_kdc_req *request = 0;
@@ -93,7 +85,8 @@ krb5_data **response; /* filled in with a response packet */
krb5_timestamp until, rtime;
krb5_keyblock encrypting_key;
krb5_key_data *server_key;
- char *cname = 0, *sname = 0, *tmp = 0, *fromstring = 0;
+ char *cname = 0, *sname = 0, *tmp = 0;
+ const char *fromstring = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
/* krb5_address *noaddrarray[1]; */
krb5_enctype useenctype;
@@ -101,6 +94,9 @@ krb5_data **response; /* filled in with a response packet */
register int i;
int firstpass = 1;
const char *status = 0;
+ char ktypestr[128];
+ char rep_etypestr[128];
+ char fromstringbuf[70];
long long tmp_server_times, tmp_realm_times;
(void) memset(&encrypting_key, 0, sizeof(krb5_keyblock));
@@ -110,17 +106,17 @@ krb5_data **response; /* filled in with a response packet */
if (retval)
return retval;
+ ktypes2str(ktypestr, sizeof(ktypestr),
+ request->nktypes, request->ktype);
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
if ((retval = setup_server_realm(request->server)))
return retval;
-#ifdef HAVE_NETINET_IN_H
- if (from->address->addrtype == ADDRTYPE_INET)
- fromstring =
- (char *) inet_ntoa(*(struct in_addr *)from->address->contents);
-#endif
+ fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype),
+ from->address->contents,
+ fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
@@ -172,7 +168,6 @@ krb5_data **response; /* filled in with a response packet */
nprincs = 0;
goto cleanup;
}
-
tgt_again:
if (more) {
status = "NON_UNIQUE_PRINCIPAL";
@@ -190,11 +185,11 @@ tgt_again:
krb5_data *tgs_1 =
krb5_princ_component(kdc_context, tgs_server, 1);
- if (server_1->length != tgs_1->length ||
+ if (!tgs_1 || server_1->length != tgs_1->length ||
memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
krb5_db_free_principal(kdc_context, &server, nprincs);
find_alternate_tgs(request, &server, &more, &nprincs,
- from, portnum, cname); /* SUNW */
+ from, cname);
firstpass = 0;
goto tgt_again;
}
@@ -402,7 +397,7 @@ tgt_again:
request->rtime =
min(request->till,
min(KRB5_KDB_EXPIRATION,
- header_ticket->enc_part2->times.renew_till));
+ header_ticket->enc_part2->times.renew_till));
}
}
rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
@@ -523,6 +518,36 @@ tgt_again:
}
newtransited = 1;
}
+ if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+ errcode = krb5_check_transited_list (kdc_context,
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+ krb5_princ_realm (kdc_context, request->server));
+ if (errcode == 0) {
+ setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+ } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+ krb5_klog_syslog (LOG_INFO,
+ "bad realm transit path from '%s' to '%s' via '%.*s'",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ enc_tkt_reply.transited.tr_contents.length,
+ enc_tkt_reply.transited.tr_contents.data);
+ else
+ krb5_klog_syslog (LOG_ERR,
+ "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ enc_tkt_reply.transited.tr_contents.length,
+ enc_tkt_reply.transited.tr_contents.data,
+ error_message (errcode));
+ } else
+ krb5_klog_syslog (LOG_INFO, "not checking transit path");
+ if (reject_bad_transit
+ && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
+ errcode = KRB5KDC_ERR_POLICY;
+ status = "BAD_TRANSIT";
+ goto cleanup;
+ }
ticket_reply.enc_part2 = &enc_tkt_reply;
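Review bot: When `krb5_check_transited_list` fails and `reject_bad_transit` is not set, `errcode` is left holding the failure value and execution continues into ticket construction; the function then relies on every later path assigning `errcode` afresh before `cleanup` inspects it. That is fragile across future edits of this long function (which continues outside the hunk). Reset it explicitly after the two log calls, `errcode = 0; /* transit failure only logged; policy is not enforced */`, so the permissive mode cannot leak a stale error into the reply path.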
@@ -537,31 +562,30 @@ tgt_again:
* Make sure the client for the second ticket matches
* requested server.
*/
- if (!krb5_principal_compare(kdc_context, request->server,
- request->second_ticket[st_idx]->enc_part2->client)) {
- if ((errcode = krb5_unparse_name(kdc_context,
- request->second_ticket[st_idx]->enc_part2->client,
- &tmp)))
+ krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
+ krb5_principal client2 = t2enc->client;
+ if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+ if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
tmp = 0;
audit_krb5kdc_tgs_req_2ndtktmm(
(struct in_addr *)from->address->contents,
(in_port_t)from->port,
- (in_port_t)portnum, cname, sname);
- krb5_klog_syslog(LOG_INFO, "TGS_REQ %s(%d): 2ND_TKT_MISMATCH: authtime %d, %s for %s, 2nd tkt client %s",
- fromstring, portnum, authtime,
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
- tmp ? tmp : "<unknown>");
+ 0, cname, sname);
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ %s: 2ND_TKT_MISMATCH: "
+ "authtime %d, %s for %s, 2nd tkt client %s",
+ fromstring, authtime,
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ tmp ? tmp : "<unknown>");
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
goto cleanup;
}
ticket_reply.enc_part.kvno = 0;
- ticket_reply.enc_part.enctype =
- request->second_ticket[st_idx]->enc_part2->session->enctype;
- if ((errcode = krb5_encrypt_tkt_part(kdc_context,
- request->second_ticket[st_idx]->enc_part2->session,
- &ticket_reply))) {
+ ticket_reply.enc_part.enctype = t2enc->session->enctype;
+ if ((errcode = krb5_encrypt_tkt_part(kdc_context, t2enc->session,
+ &ticket_reply))) {
status = "2ND_TKT_ENCRYPT";
goto cleanup;
}
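Review bot: `audit_krb5kdc_tgs_req_2ndtktmm` now receives a literal `0` in the position that previously carried `portnum`, so the audit record for a second-ticket mismatch no longer identifies the local KDC port; the same substitution appears in the audit_krb5kdc_tgs_req call in the cleanup hunk below and in both audit_krb5kdc_tgs_req_alt_tgt calls in find_alternate_tgs. If the port is genuinely no longer available after the signature change, a comment at each call site such as `/* local port no longer tracked after signature change; audit field set to 0 */` would stop the next reader treating it as a bug; if it is recoverable from the listening socket, it should be passed instead. The enclosing ENC_TKT_IN_SKEY block starts outside the hunk, so whether `t2enc` (taken from `request->second_ticket[st_idx]->enc_part2`) is guaranteed non-NULL by an earlier decrypt cannot be confirmed here.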
@@ -587,9 +611,6 @@ tgt_again:
status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
- if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
- (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
- encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
@@ -646,42 +667,51 @@ tgt_again:
}
if (ticket_reply.enc_part.ciphertext.data) {
- memset(ticket_reply.enc_part.ciphertext.data, 0,
+ memset(ticket_reply.enc_part.ciphertext.data, 0,
ticket_reply.enc_part.ciphertext.length);
- free(ticket_reply.enc_part.ciphertext.data);
+ free(ticket_reply.enc_part.ciphertext.data);
ticket_reply.enc_part.ciphertext.data = NULL;
}
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
if (reply.enc_part.ciphertext.data) {
- memset(reply.enc_part.ciphertext.data, 0,
+ memset(reply.enc_part.ciphertext.data, 0,
reply.enc_part.ciphertext.length);
- free(reply.enc_part.ciphertext.data);
+ free(reply.enc_part.ciphertext.data);
reply.enc_part.ciphertext.data = NULL;
}
cleanup:
if (status) {
audit_krb5kdc_tgs_req((struct in_addr *)from->address->contents,
- (in_port_t)from->port, (in_port_t)portnum,
+ (in_port_t)from->port, 0,
cname ? cname : "<unknown client>",
sname ? sname : "<unknown client>",
errcode);
- krb5_klog_syslog(LOG_INFO,
- "TGS_REQ %s(%d): %s: authtime %d, %s for %s%s%s",
- fromstring, portnum, status, authtime,
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
- errcode ? ", " : "",
- errcode ? error_message(errcode) : "");
+ if (!errcode)
+ rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ (%s) %s: %s: authtime %d, "
+ "%s%s %s for %s%s%s",
+ ktypestr,
+ fromstring, status, authtime,
+ !errcode ? rep_etypestr : "",
+ !errcode ? "," : "",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ errcode ? ", " : "",
+ errcode ? error_message(errcode) : "");
}
+
if (errcode) {
+ if (status == 0)
+ status = error_message (errcode);
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(request, header_ticket, errcode,
- fromstring, response);
+ fromstring, response, status);
}
if (header_ticket)
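Review bot: The KRB-ERROR e-text sent to the client now carries the internal `status` tag (for example `BAD_TRANSIT` or `2ND_TKT_ENCRYPT`) through the new `status` argument to prepare_error_tgs, where the old code sent error_message(error+KRB5KDC_ERR_NONE); the `if (status == 0) status = error_message(errcode);` fallback runs before `errcode -= ERROR_TABLE_BASE_krb5`, which is the right order. The set of strings that can reach the wire is therefore every `status = "..."` literal in do_tgs_req, so they should be reviewed as client-visible text and the cleanup label should say so: `/* status doubles as the KRB-ERROR e-text; keep it free of internal detail */`. The `rep_etypestr`/`ktypestr` buffers used in the new syslog call are declared outside the hunk, so their sizing against `rep_etypes2str` cannot be checked here.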
@@ -703,12 +733,8 @@ cleanup:
}
static krb5_error_code
-prepare_error_tgs (request, ticket, error, ident, response)
-register krb5_kdc_req *request;
-krb5_ticket *ticket;
-int error;
-const char *ident;
-krb5_data **response;
+prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
+ const char *ident, krb5_data **response, const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
@@ -726,10 +752,10 @@ krb5_data **response;
errpkt.client = ticket->enc_part2->client;
else
errpkt.client = 0;
- errpkt.text.length = strlen(error_message(error+KRB5KDC_ERR_NONE))+1;
+ errpkt.text.length = strlen(status) + 1;
if (!(errpkt.text.data = malloc(errpkt.text.length)))
return ENOMEM;
- (void) strcpy(errpkt.text.data, error_message(error+KRB5KDC_ERR_NONE));
+ (void) strcpy(errpkt.text.data, status);
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
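Review bot: `strlen(status)` and the `strcpy` below it dereference the new `status` parameter with no NULL check, so prepare_error_tgs now relies on every caller having done the `if (status == 0) status = error_message(errcode);` substitution that do_tgs_req performs at its cleanup label. Moving that fallback into the callee keeps the contract local: `if (status == NULL) status = error_message(error + KRB5KDC_ERR_NONE);` before the length computation reproduces the string the removed lines generated. The new parameter in the definition (previous hunk) should also carry a comment that `status` is copied verbatim into the KRB-ERROR e-text and is therefore visible to the client.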
@@ -754,15 +780,9 @@ krb5_data **response;
* some intermediate realm.
*/
static void
-find_alternate_tgs(request, server, more, nprincs, from, portnum, cname)
-krb5_kdc_req *request;
-krb5_db_entry *server;
-krb5_boolean *more;
-int *nprincs;
-const krb5_fulladdr *from; /* who sent it ? */
-int portnum;
-char *cname;
-
+find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
+ krb5_boolean *more, int *nprincs,
+ const krb5_fulladdr *from, char *cname)
{
krb5_error_code retval;
krb5_principal *plist, *pl2;
@@ -822,17 +842,18 @@ char *cname;
krb5_free_principal(kdc_context, request->server);
request->server = tmpprinc;
if (krb5_unparse_name(kdc_context, request->server, &sname)) {
+
audit_krb5kdc_tgs_req_alt_tgt(
(struct in_addr *)from->address->contents,
(in_port_t)from->port,
- (in_port_t)portnum, cname, "<unparseable>", 0);
+ 0, cname, "<unparseable>", 0);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing alternate <un-unparseable> TGT");
} else {
audit_krb5kdc_tgs_req_alt_tgt(
(struct in_addr *)from->address->contents,
(in_port_t)from->port,
- (in_port_t)portnum, cname, sname, 0);
+ 0, cname, sname, 0);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing TGT %s", sname);
free(sname);
@@ -848,4 +869,3 @@ char *cname;
krb5_free_realm_tree(kdc_context, plist);
return;
}
-
diff --git a/usr/src/cmd/krb5/krb5kdc/extern.h b/usr/src/cmd/krb5/krb5kdc/extern.h
index b5f2bfab8d..7ab087ef7f 100644
--- a/usr/src/cmd/krb5/krb5kdc/extern.h
+++ b/usr/src/cmd/krb5/krb5kdc/extern.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -15,7 +15,7 @@ extern "C" {
#endif
/*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -60,13 +60,10 @@ typedef struct __kdc_realm_data {
char * realm_mpname; /* Master principal name for realm */
krb5_principal realm_mprinc; /* Master principal for realm */
krb5_keyblock realm_mkey; /* Master key for this realm */
- krb5_kvno realm_mkvno; /* Master key vno for this realm */
/*
* TGS per-realm data.
*/
krb5_principal realm_tgsprinc; /* TGS principal for this realm */
- krb5_keyblock realm_tgskey; /* TGS' key for this realm */
- krb5_kvno realm_tgskvno; /* TGS' key vno for this realm */
/*
* Other per-realm data.
*/
@@ -77,14 +74,15 @@ typedef struct __kdc_realm_data {
*/
krb5_deltat realm_maxlife; /* Maximum ticket life for realm */
krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */
- void *realm_kstypes; /* Key/Salts supported for realm */
- krb5_int32 realm_nkstypes; /* Number of key/salts */
+ krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
} kdc_realm_t;
extern kdc_realm_t **kdc_realmlist;
extern int kdc_numrealms;
extern kdc_realm_t *kdc_active_realm;
+kdc_realm_t *find_realm_data (char *, krb5_ui_4);
+
/*
* Replace previously used global variables with the active (e.g. request's)
* realm data. This allows us to support multiple realms with minimal logic
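Review bot: The comment on the new `realm_reject_bad_transit` field reads `Accept unverifiable transited_realm ?`, which is the inverse of what the field name and its use in do_tgs_req (set → KRB5KDC_ERR_POLICY with status BAD_TRANSIT) imply. Suggest `krb5_boolean realm_reject_bad_transit; /* Reject tickets whose transited path cannot be verified? */`. The new `find_realm_data` prototype is also declared without parameter names, so a reader cannot tell what the `krb5_ui_4` is; naming the parameters, or a one-line comment above the declaration, would match the documented fields around it.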
@@ -95,12 +93,11 @@ extern kdc_realm_t *kdc_active_realm;
#define max_renewable_life_for_realm kdc_active_realm->realm_maxrlife
#define master_keyblock kdc_active_realm->realm_mkey
#define master_princ kdc_active_realm->realm_mprinc
-#define tgs_key kdc_active_realm->realm_tgskey
-#define tgs_kvno kdc_active_realm->realm_tgskvno
#define tgs_server_struct *(kdc_active_realm->realm_tgsprinc)
#define tgs_server kdc_active_realm->realm_tgsprinc
#define dbm_db_name kdc_active_realm->realm_dbname
#define primary_port kdc_active_realm->realm_pport
+#define reject_bad_transit kdc_active_realm->realm_reject_bad_transit
/* various externs for KDC */
extern krb5_data empty_string; /* an empty string */
diff --git a/usr/src/cmd/krb5/krb5kdc/kdc_preauth.c b/usr/src/cmd/krb5/krb5kdc/kdc_preauth.c
index b0f0504d3c..bb16e1d53a 100644
--- a/usr/src/cmd/krb5/krb5kdc/kdc_preauth.c
+++ b/usr/src/cmd/krb5/krb5kdc/kdc_preauth.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -8,7 +8,7 @@
/*
* kdc/kdc_preauth.c
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2003 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -65,26 +65,38 @@
#include "com_err.h"
#include <assert.h>
#include <stdio.h>
+#include "adm_proto.h"
#include <libintl.h>
#include <syslog.h>
+#include <assert.h>
+
+/* XXX This is ugly and should be in a header file somewhere */
+#ifndef KRB5INT_DES_TYPES_DEFINED
+#define KRB5INT_DES_TYPES_DEFINED
+typedef unsigned char des_cblock[8]; /* crypto-block size */
+#endif
+typedef des_cblock mit_des_cblock;
+extern void mit_des_fixup_key_parity (mit_des_cblock );
+extern int mit_des_is_weak_key (mit_des_cblock );
+
typedef krb5_error_code (*verify_proc)
(krb5_context, krb5_db_entry *client,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
typedef krb5_error_code (*edata_proc)
(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *data);
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *data);
typedef krb5_error_code (*return_proc)
(krb5_context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa);
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa);
typedef struct _krb5_preauth_systems {
char * name;
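Review bot: `#include <assert.h>` is added a second time in this hunk (it is already included at the top of the hunk), and the `des_cblock`/`mit_des_cblock` typedefs plus the two `extern` prototypes are declared locally in a .c file, which the XXX comment itself acknowledges. A local extern bypasses the compiler's check that the declaration matches the library's definition, so if a header exporting these exists it should be included instead and the duplicate include dropped. If the local declarations have to stay, the comment should name the defining source so a later mismatch can be traced: `/* XXX duplicates the DES key helper declarations from <PATH-TO-DES-HEADER>; keep in sync */` with the real path filled in.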
@@ -97,54 +109,50 @@ typedef struct _krb5_preauth_systems {
static krb5_error_code verify_enc_timestamp
(krb5_context, krb5_db_entry *client,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
static krb5_error_code get_etype_info
(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *data);
-
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *data);
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
+ krb5_db_entry *client, krb5_db_entry *server,
krb5_pa_data *pa_data);
-
static krb5_error_code
-return_etype_info2(krb5_context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa);
-
+return_etype_info2(krb5_context, krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa);
static krb5_error_code return_pw_salt
(krb5_context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa);
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa);
/* SAM preauth support */
static krb5_error_code verify_sam_response
- (krb5_context, krb5_db_entry *client,
- krb5_kdc_req *request,
- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
+ (krb5_context, krb5_db_entry *client,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
static krb5_error_code get_sam_edata
(krb5_context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *data);
-
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *data);
static krb5_error_code return_sam_data
(krb5_context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa);
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa);
/*
* Preauth property flags
*/
@@ -172,12 +180,12 @@ static krb5_preauth_systems preauth_systems[] = {
0
},
{
- "etype-info2",
+ "etype-info2",
KRB5_PADATA_ETYPE_INFO2,
0,
- get_etype_info2,
+ get_etype_info2,
0,
- return_etype_info2
+ return_etype_info2
},
{
"pw-salt",
@@ -221,9 +229,9 @@ find_pa_system(int type, krb5_preauth_systems **preauth)
return 0;
}
-const char *missing_required_preauth(client, server, enc_tkt_reply)
- krb5_db_entry *client, *server;
- krb5_enc_tkt_part *enc_tkt_reply;
+const char *missing_required_preauth(krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_enc_tkt_part *enc_tkt_reply)
{
#if 0
/*
@@ -258,11 +266,8 @@ const char *missing_required_preauth(client, server, enc_tkt_reply)
return 0;
}
-void get_preauth_hint_list(
- krb5_kdc_req *request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_data *e_data)
+void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_data *e_data)
{
int hw_only;
krb5_preauth_systems *ap;
@@ -329,11 +334,8 @@ errout:
*/
krb5_error_code
-check_padata (
- krb5_context context,
- krb5_db_entry * client,
- krb5_kdc_req * request,
- krb5_enc_tkt_part * enc_tkt_reply)
+check_padata (krb5_context context, krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code retval = 0;
krb5_pa_data **padata;
@@ -388,16 +390,15 @@ check_padata (
if (!pa_found)
krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s",
error_message (retval));
-
- /* The following switch statement allows us
- * to return some preauth system errors back to the client.
- */
- switch(retval) {
+/* The following switch statement allows us
+ * to return some preauth system errors back to the client.
+ */
+ switch(retval) {
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
- case KRB5KRB_AP_ERR_SKEW:
- return retval;
- default:
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ case KRB5KRB_AP_ERR_SKEW:
+ return retval;
+ default:
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
}
@@ -406,13 +407,9 @@ check_padata (
* structures which should be returned by the KDC to the client
*/
krb5_error_code
-return_padata(
- krb5_context context,
- krb5_db_entry * client,
- krb5_kdc_req * request,
- krb5_kdc_rep * reply,
- krb5_key_data * client_key,
- krb5_keyblock * encrypting_key)
+return_padata(krb5_context context, krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key, krb5_keyblock *encrypting_key)
{
krb5_error_code retval;
krb5_pa_data ** padata;
@@ -466,6 +463,7 @@ cleanup:
krb5_free_pa_data(context, send_pa_list);
return (retval);
}
+
static krb5_boolean
enctype_requires_etype_info_2(krb5_enctype enctype)
{
@@ -480,7 +478,7 @@ enctype_requires_etype_info_2(krb5_enctype enctype)
return 0;
default:
if (krb5_c_valid_enctype(enctype))
- return 1;
+ return 1;
else return 0;
}
}
@@ -496,13 +494,11 @@ request_contains_enctype (krb5_context context, const krb5_kdc_req *request,
return 0;
}
+
static krb5_error_code
-verify_enc_timestamp(
- krb5_context context,
- krb5_db_entry * client,
- krb5_kdc_req * request,
- krb5_enc_tkt_part * enc_tkt_reply,
- krb5_pa_data * pa)
+verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *pa)
{
krb5_pa_enc_ts * pa_enc = 0;
krb5_error_code retval;
@@ -514,7 +510,7 @@ verify_enc_timestamp(
krb5_int32 start;
krb5_timestamp timenow;
krb5_error_code decrypt_err;
-
+
(void) memset(&key, 0, sizeof(krb5_keyblock));
scratch.data = (char *) pa->contents;
scratch.length = pa->length;
@@ -574,7 +570,6 @@ cleanup:
krb5_free_data_contents(context, &enc_ts_data);
if (pa_enc)
free(pa_enc);
-
/*
* If we get NO_MATCHING_KEY and decryption previously failed, and
* we failed to find any other keys of the correct enctype after
@@ -583,15 +578,14 @@ cleanup:
*/
if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
retval = decrypt_err;
-
return retval;
}
static krb5_error_code
_make_etype_info_entry(krb5_context context,
- krb5_kdc_req *request, krb5_key_data *client_key,
- krb5_enctype etype, krb5_etype_info_entry **entry,
- int etype_info2)
+ krb5_kdc_req *request, krb5_key_data *client_key,
+ krb5_enctype etype, krb5_etype_info_entry **entry,
+ int etype_info2)
{
krb5_data salt;
krb5_etype_info_entry * tmp_entry;
@@ -618,16 +612,16 @@ _make_etype_info_entry(krb5_context context,
case ENCTYPE_DES_CBC_CRC:
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_MD5:
- tmp_entry->s2kparams.data = malloc(1);
- if (tmp_entry->s2kparams.data == NULL) {
+ tmp_entry->s2kparams.data = malloc(1);
+ if (tmp_entry->s2kparams.data == NULL) {
retval = ENOMEM;
goto fail;
- }
- tmp_entry->s2kparams.length = 1;
- tmp_entry->s2kparams.data[0] = 1;
- break;
+ }
+ tmp_entry->s2kparams.length = 1;
+ tmp_entry->s2kparams.data[0] = 1;
+ break;
default:
- break;
+ break;
}
}
@@ -642,7 +636,7 @@ _make_etype_info_entry(krb5_context context,
fail:
if (tmp_entry) {
if (tmp_entry->s2kparams.data)
- free(tmp_entry->s2kparams.data);
+ free(tmp_entry->s2kparams.data);
free(tmp_entry);
}
if (salt.data)
@@ -653,81 +647,81 @@ fail:
* This function returns the etype information for a particular
* client, to be passed back in the preauth list in the KRB_ERROR
* message. It supports generating both etype_info and etype_info2
- * as most of the work is the same.
+ * as most of the work is the same.
*/
static krb5_error_code
etype_info_helper(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *pa_data, int etype_info2)
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data, int etype_info2)
{
krb5_etype_info_entry ** entry = 0;
krb5_key_data *client_key;
krb5_error_code retval;
krb5_data * scratch;
krb5_enctype db_etype;
- int i = 0;
- int start = 0;
+ int i = 0;
+ int start = 0;
int seen_des = 0;
- entry = malloc((client->n_key_data * 2 + 1) *
- sizeof(krb5_etype_info_entry *));
+ entry = malloc((client->n_key_data * 2 + 1) * sizeof(krb5_etype_info_entry *));
if (entry == NULL)
return ENOMEM;
entry[0] = NULL;
while (1) {
retval = krb5_dbe_search_enctype(context, client, &start, -1,
- -1, 0, &client_key);
+ -1, 0, &client_key);
if (retval == KRB5_KDB_NO_MATCHING_KEY)
- break;
+ break;
if (retval)
- goto cleanup;
+ goto cleanup;
db_etype = client_key->key_data_type[0];
if (db_etype == ENCTYPE_DES_CBC_MD4)
- db_etype = ENCTYPE_DES_CBC_MD5;
+ db_etype = ENCTYPE_DES_CBC_MD5;
+
if (request_contains_enctype(context, request, db_etype)) {
- assert(etype_info2 ||
- !enctype_requires_etype_info_2(db_etype));
- if ((retval = _make_etype_info_entry(context, request, client_key,
- db_etype, &entry[i], etype_info2)) != 0) {
+ assert(etype_info2 ||
+ !enctype_requires_etype_info_2(db_etype));
+ if ((retval = _make_etype_info_entry(context, request, client_key,
+ db_etype, &entry[i], etype_info2)) != 0) {
goto cleanup;
- }
- entry[i+1] = 0;
- i++;
+ }
+ entry[i+1] = 0;
+ i++;
}
- /*
- * If there is a des key in the kdb, try the "similar" enctypes,
- * avoid duplicate entries.
+ /*
+ * If there is a des key in the kdb, try the "similar" enctypes,
+ * avoid duplicate entries.
*/
if (!seen_des) {
- switch (db_etype) {
- case ENCTYPE_DES_CBC_MD5:
+ switch (db_etype) {
+ case ENCTYPE_DES_CBC_MD5:
db_etype = ENCTYPE_DES_CBC_CRC;
break;
- case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_CRC:
db_etype = ENCTYPE_DES_CBC_MD5;
break;
- default:
+ default:
continue;
- }
- if (request_contains_enctype(context, request, db_etype)) {
+ }
+ if (request_contains_enctype(context, request, db_etype)) {
if ((retval = _make_etype_info_entry(context, request,
- client_key, db_etype, &entry[i], etype_info2)) != 0) {
- goto cleanup;
+ client_key, db_etype, &entry[i], etype_info2)) != 0) {
+ goto cleanup;
}
- entry[i+1] = 0;
+ entry[i+1] = 0;
i++;
- }
- seen_des++;
+ }
+ seen_des++;
}
}
if (etype_info2)
retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry,
- &scratch);
- else
- retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry, &scratch);
+ &scratch);
+ else retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
+ &scratch);
if (retval)
goto cleanup;
pa_data->contents = (unsigned char *)scratch->data;
@@ -748,40 +742,39 @@ cleanup:
static krb5_error_code
get_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *pa_data)
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data)
{
int i;
for (i=0; i < request->nktypes; i++) {
- if (enctype_requires_etype_info_2(request->ktype[i]))
- return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will
- * skip this
- * type*/
+ if (enctype_requires_etype_info_2(request->ktype[i]))
+ return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will
+ * skip this
+ * type*/
}
return etype_info_helper(context, request, client, server, pa_data, 0);
}
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *pa_data)
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data)
{
return etype_info_helper( context, request, client, server, pa_data, 1);
}
static krb5_error_code
-return_etype_info2(krb5_context context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa)
+return_etype_info2(krb5_context context, krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa)
{
krb5_error_code retval;
krb5_pa_data *tmp_padata;
krb5_etype_info_entry **entry = NULL;
krb5_data *scratch = NULL;
-
tmp_padata = malloc( sizeof(krb5_pa_data));
if (tmp_padata == NULL)
return ENOMEM;
@@ -794,61 +787,51 @@ return_etype_info2(krb5_context context, krb5_pa_data * padata,
entry[0] = NULL;
entry[1] = NULL;
/* using encrypting_key->enctype as this is specified in rfc4120 */
- retval = _make_etype_info_entry(context, request,
- client_key, encrypting_key->enctype,
- entry, 1);
+ retval = _make_etype_info_entry(context, request, client_key, encrypting_key->enctype,
+ entry, 1);
if (retval)
goto cleanup;
-
- retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry,
- &scratch);
+ retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
if (retval)
goto cleanup;
tmp_padata->contents = (uchar_t *)scratch->data;
tmp_padata->length = scratch->length;
*send_pa = tmp_padata;
- /* For cleanup - we no longer own the contents of the krb5_data
+ /* For cleanup - we no longer own the contents of the krb5_data
* only to pointer to the krb5_data
*/
- scratch->data = 0;
+ scratch->data = 0;
cleanup:
if (entry)
krb5_free_etype_info(context, entry);
if (retval) {
if (tmp_padata)
- free(tmp_padata);
+ free(tmp_padata);
}
if (scratch)
- krb5_free_data(context, scratch);
+ krb5_free_data(context, scratch);
return retval;
}
static krb5_error_code
-return_pw_salt(context, in_padata, client, request, reply, client_key,
- encrypting_key, send_pa)
- krb5_context context;
- krb5_pa_data * in_padata;
- krb5_db_entry * client;
- krb5_kdc_req * request;
- krb5_kdc_rep * reply;
- krb5_key_data * client_key;
- krb5_keyblock * encrypting_key;
- krb5_pa_data ** send_pa;
+return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
+ krb5_db_entry *client, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa)
{
krb5_error_code retval;
krb5_pa_data * padata;
krb5_data * scratch;
krb5_data salt_data;
int i;
-
+
for (i = 0; i < request->nktypes; i++) {
if (enctype_requires_etype_info_2(request->ktype[i]))
- return 0;
+ return 0;
}
-
if (client_key->key_data_ver == 1 ||
client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)
return 0;
@@ -921,16 +904,10 @@ cleanup:
}
static krb5_error_code
-return_sam_data(context, in_padata, client, request, reply, client_key,
- encrypting_key, send_pa)
- krb5_context context;
- krb5_pa_data * in_padata;
- krb5_db_entry * client;
- krb5_kdc_req * request;
- krb5_kdc_rep * reply;
- krb5_key_data * client_key;
- krb5_keyblock * encrypting_key;
- krb5_pa_data ** send_pa;
+return_sam_data(krb5_context context, krb5_pa_data *in_padata,
+ krb5_db_entry *client, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa)
{
krb5_error_code retval;
krb5_data scratch;
@@ -1070,12 +1047,9 @@ static struct {
};
static krb5_error_code
-get_sam_edata(context, request, client, server, pa_data)
- krb5_context context;
- krb5_kdc_req * request;
- krb5_db_entry * client;
- krb5_db_entry * server;
- krb5_pa_data * pa_data;
+get_sam_edata(krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data)
{
krb5_error_code retval;
krb5_sam_challenge sc;
@@ -1104,7 +1078,8 @@ get_sam_edata(context, request, client, server, pa_data)
*/
{
- int npr = 1, more;
+ int npr = 1;
+ krb5_boolean more;
krb5_db_entry assoc;
krb5_key_data *assoc_key;
krb5_principal newp;
@@ -1131,7 +1106,7 @@ get_sam_edata(context, request, client, server, pa_data)
strlen(sam_ptr->name);
npr = 1;
retval = krb5_db_get_principal(kdc_context, newp, &assoc, &npr, (uint *)&more);
- if(!retval) {
+ if(!retval && npr) {
sc.sam_type = sam_ptr->sam_type;
break;
}
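Review bot: `(uint *)&more` on the `krb5_db_get_principal` line just above the changed condition now casts a `krb5_boolean` (split off from the `int npr` declaration in the previous hunk) to `uint *`; if the function's final parameter is `krb5_boolean *` the cast is unnecessary and should be dropped so the compiler checks the type, and if it is not, a comment should say why the cast is safe. The `&& npr` addition is a real fix, since a zero `npr` means no entry matched, and deserves a short comment on that line: `/* npr == 0: principal not found, not a match */`.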
@@ -1289,6 +1264,7 @@ get_sam_edata(context, request, client, server, pa_data)
int i;
(void) memset(&session_key, 0, sizeof(krb5_keyblock));
+
(void) memset(inputblock, 0, 8);
retval = krb5_c_make_random_key(kdc_context, ENCTYPE_DES_CBC_CRC,
@@ -1457,12 +1433,9 @@ cleanup:
}
static krb5_error_code
-verify_sam_response(context, client, request, enc_tkt_reply, pa)
- krb5_context context;
- krb5_db_entry * client;
- krb5_kdc_req * request;
- krb5_enc_tkt_part * enc_tkt_reply;
- krb5_pa_data * pa;
+verify_sam_response(krb5_context context, krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *pa)
{
krb5_error_code retval;
krb5_data scratch;
@@ -1544,7 +1517,8 @@ verify_sam_response(context, client, request, enc_tkt_reply, pa)
rep.server = "SAM/rc"; /* Should not match any principal name. */
rep.ctime = psr->stime;
rep.cusec = psr->susec;
- if (retval = krb5_rc_store(kdc_context, kdc_rcache, &rep)) {
+ retval = krb5_rc_store(kdc_context, kdc_rcache, &rep);
+ if (retval) {
com_err("krb5kdc", retval, gettext("SAM psr replay attack!"));
goto cleanup;
}
@@ -1592,6 +1566,8 @@ verify_sam_response(context, client, request, enc_tkt_reply, pa)
if (sr) free(sr);
if (psr) free(psr);
if (esre) free(esre);
+ if (princ_psr) free(princ_psr);
+ if (princ_req) free(princ_req);
return retval;
}
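Review bot: The two added `free` calls close a leak, but the `if (x) free(x)` guards are redundant because `free(NULL)` is a no-op; the surrounding lines use the same pattern, so this is consistent rather than wrong. The declarations of `princ_psr` and `princ_req` are outside the hunk: if they are `char *` results of krb5_unparse_name, plain `free` is correct, but if either is a `krb5_principal`, `krb5_free_principal(context, …)` is needed instead, which is worth confirming.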
diff --git a/usr/src/cmd/krb5/krb5kdc/kdc_util.c b/usr/src/cmd/krb5/krb5kdc/kdc_util.c
index 9424a3fb09..6158ca00f1 100644
--- a/usr/src/cmd/krb5/krb5kdc/kdc_util.c
+++ b/usr/src/cmd/krb5/krb5kdc/kdc_util.c
@@ -34,9 +34,11 @@
#include "kdc_util.h"
#include "extern.h"
#include <stdio.h>
+#include <ctype.h>
#include <syslog.h>
#include "adm.h"
#include "adm_proto.h"
+#include <limits.h>
#ifdef USE_RCACHE
static char *kdc_current_rcname = (char *) NULL;
@@ -48,9 +50,7 @@ krb5_deltat rc_lifetime; /* See kdc_initialize_rcache() */
* initialize the replay cache.
*/
krb5_error_code
-kdc_initialize_rcache(kcontext, rcache_name)
- krb5_context kcontext;
- char *rcache_name;
+kdc_initialize_rcache(krb5_context kcontext, char *rcache_name)
{
krb5_error_code retval;
char *rcname;
@@ -91,10 +91,8 @@ kdc_initialize_rcache(kcontext, rcache_name)
* The replacement should be freed with krb5_free_authdata().
*/
krb5_error_code
-concat_authorization_data(first, second, output)
-krb5_authdata **first;
-krb5_authdata **second;
-krb5_authdata ***output;
+concat_authorization_data(krb5_authdata **first, krb5_authdata **second,
+ krb5_authdata ***output)
{
register int i, j;
register krb5_authdata **ptr, **retdata;
@@ -140,9 +138,7 @@ krb5_authdata ***output;
}
krb5_boolean
-realm_compare(princ1, princ2)
- krb5_principal princ1;
- krb5_principal princ2;
+realm_compare(krb5_principal princ1, krb5_principal princ2)
{
krb5_data *realm1 = krb5_princ_realm(kdc_context, princ1);
krb5_data *realm2 = krb5_princ_realm(kdc_context, princ2);
@@ -155,11 +151,9 @@ realm_compare(princ1, princ2)
* Returns TRUE if the kerberos principal is the name of a Kerberos ticket
* service.
*/
-krb5_boolean krb5_is_tgs_principal(principal)
- krb5_principal principal;
+krb5_boolean krb5_is_tgs_principal(krb5_principal principal)
{
-
- if (krb5_princ_size(kdc_context, principal) > 0 &&
+ if ((krb5_princ_size(kdc_context, principal) > 0) &&
(krb5_princ_component(kdc_context, principal, 0)->length ==
KRB5_TGS_NAME_SIZE) &&
(!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
@@ -173,11 +167,8 @@ krb5_boolean krb5_is_tgs_principal(principal)
* for source data.
*/
static krb5_error_code
-comp_cksum(kcontext, source, ticket, his_cksum)
- krb5_context kcontext;
- krb5_data * source;
- krb5_ticket * ticket;
- krb5_checksum * his_cksum;
+comp_cksum(krb5_context kcontext, krb5_data *source, krb5_ticket *ticket,
+ krb5_checksum *his_cksum)
{
krb5_error_code retval;
krb5_boolean valid;
@@ -202,12 +193,9 @@ comp_cksum(kcontext, source, ticket, his_cksum)
}
krb5_error_code
-kdc_process_tgs_req(request, from, pkt, ticket, subkey)
- krb5_kdc_req * request;
- const krb5_fulladdr * from;
- krb5_data * pkt;
- krb5_ticket ** ticket;
- krb5_keyblock ** subkey;
+kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
+ krb5_data *pkt, krb5_ticket **ticket,
+ krb5_keyblock **subkey)
{
krb5_pa_data ** tmppa;
krb5_ap_req * apreq;
@@ -218,8 +206,8 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
krb5_auth_context auth_context = NULL;
krb5_authenticator * authenticator = NULL;
krb5_checksum * his_cksum = NULL;
- krb5_keyblock * key = NULL;
- krb5_kvno kvno = 0;
+/* krb5_keyblock * key = NULL;*/
+/* krb5_kvno kvno = 0;*/
if (!request->padata)
return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
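Review bot: The `key` and `kvno` declarations are kept as commented-out code (`/* krb5_keyblock * key = NULL;*/`) rather than removed; dead declarations inside comments go stale and are never type-checked, so they should be deleted, as the commit already does with the unused `int i` in kdc_get_server_key. If they are expected to return, a `TODO` stating why is more useful than the code itself.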
@@ -328,8 +316,8 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
goto cleanup_auth_context;
}
- if ((retval = krb5_auth_con_getremotesubkey(kdc_context,
- auth_context, subkey)))
+ if ((retval = krb5_auth_con_getrecvsubkey(kdc_context,
+ auth_context, subkey)))
goto cleanup_auth_context;
if ((retval = krb5_auth_con_getauthenticator(kdc_context, auth_context,
@@ -396,17 +384,13 @@ cleanup:
* much else. -- tlyu
*/
krb5_error_code
-kdc_get_server_key(ticket, key, kvno)
- krb5_ticket * ticket;
- krb5_keyblock ** key;
- krb5_kvno * kvno; /* XXX nothing uses this */
+kdc_get_server_key(krb5_ticket *ticket, krb5_keyblock **key, krb5_kvno *kvno)
{
krb5_error_code retval;
krb5_db_entry server;
krb5_boolean more;
int nprincs;
krb5_key_data * server_key;
- int i;
nprincs = 1;
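Review bot: Converting kdc_get_server_key to a prototype-style definition drops the `/* XXX nothing uses this */` annotation that sat on the `kvno` parameter, so the new signature no longer tells a reader that the out-parameter is unused; carry it over, e.g. `kdc_get_server_key(krb5_ticket *ticket, krb5_keyblock **key, krb5_kvno *kvno /* XXX nothing uses this */)`. The function body continues past the hunk, so whether `kvno` is now written cannot be confirmed from here.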
@@ -456,9 +440,7 @@ static krb5_last_req_entry nolrentry = { KV5M_LAST_REQ_ENTRY, KRB5_LRQ_NONE, 0 }
static krb5_last_req_entry *nolrarray[] = { &nolrentry, 0 };
krb5_error_code
-fetch_last_req_info(dbentry, lrentry)
-krb5_db_entry *dbentry;
-krb5_last_req_entry ***lrentry;
+fetch_last_req_info(krb5_db_entry *dbentry, krb5_last_req_entry ***lrentry)
{
*lrentry = nolrarray;
return 0;
@@ -468,8 +450,7 @@ krb5_last_req_entry ***lrentry;
/* XXX! This is a temporary place-holder */
krb5_error_code
-check_hot_list(ticket)
-krb5_ticket *ticket;
+check_hot_list(krb5_ticket *ticket)
{
return 0;
}
@@ -499,11 +480,9 @@ krb5_ticket *ticket;
* If r2 is not a subrealm, SUBREALM returns 0.
*/
static int
-subrealm(r1,r2)
-char *r1;
-char *r2;
+subrealm(char *r1, char *r2)
{
- int l1,l2;
+ size_t l1,l2;
l1 = strlen(r1);
l2 = strlen(r2);
if(l2 <= l1) return(0);
@@ -573,12 +552,9 @@ char *r2;
*/
krb5_error_code
-add_to_transited(tgt_trans, new_trans, tgs, client, server)
- krb5_data * tgt_trans;
- krb5_data * new_trans;
- krb5_principal tgs;
- krb5_principal client;
- krb5_principal server;
+add_to_transited(krb5_data *tgt_trans, krb5_data *new_trans,
+ krb5_principal tgs, krb5_principal client,
+ krb5_principal server)
{
krb5_error_code retval;
char *realm;
@@ -634,20 +610,21 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
/* read field into current */
for (i = 0; *otrans != '\0';) {
- if (*otrans == '\\')
- if (*(++otrans) == '\0')
- break;
- else
- continue;
- if (*otrans == ',') {
- otrans++;
- break;
- }
- current[i++] = *otrans++;
- if (i >= MAX_REALM_LN) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- goto fail;
- }
+ if (*otrans == '\\') {
+ if (*(++otrans) == '\0')
+ break;
+ else
+ continue;
+ }
+ if (*otrans == ',') {
+ otrans++;
+ break;
+ }
+ current[i++] = *otrans++;
+ if (i >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
}
current[i] = '\0';
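Review bot: In the escape branch the backslash is consumed and the loop restarts on the following character without copying it, so an escaped comma is re-dispatched to the `','` test on the next pass and still ends the field; the removed lines had the same flow, so if that is the intended transited encoding a comment saying so would stop the next reader from "fixing" it, and if it is not, the escaped byte should be stored and bounds-checked like an ordinary byte rather than skipped with `continue`. The `else` before `continue` is redundant once the preceding branch `break`s. The identical loop for `next` in the following hunk (`@@ -690`) has the same shape. add_to_transited's body extends outside both hunks, including the declaration of `current`, so the relation between `MAX_REALM_LN` and its size cannot be checked here.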
@@ -690,20 +667,21 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
/* read field into next */
for (i = 0; *otrans != '\0';) {
- if (*otrans == '\\')
- if (*(++otrans) == '\0')
- break;
- else
- continue;
- if (*otrans == ',') {
- otrans++;
- break;
- }
- next[i++] = *otrans++;
- if (i >= MAX_REALM_LN) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- goto fail;
- }
+ if (*otrans == '\\') {
+ if (*(++otrans) == '\0')
+ break;
+ else
+ continue;
+ }
+ if (*otrans == ',') {
+ otrans++;
+ break;
+ }
+ next[i++] = *otrans++;
+ if (i >= MAX_REALM_LN) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ goto fail;
+ }
}
next[i] = '\0';
nlst = i - 1;
@@ -734,10 +712,10 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
}
strncat(current, ",", sizeof(current) - 1 - strlen(current));
if (pl > 0) {
- strncat(current, realm, pl);
+ strncat(current, realm, (unsigned) pl);
}
else {
- strncat(current, realm+strlen(realm)+pl, -pl);
+ strncat(current, realm+strlen(realm)+pl, (unsigned) (-pl));
}
}
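Review bot: The `(unsigned) pl` and `(unsigned) (-pl)` casts silence a sign-conversion warning but leave the `strncat` bound tied to the source length rather than to the space remaining in `current`, unlike the `sizeof(current) - 1 - strlen(current)` bound used for the comma a few lines above; whether an earlier length check guarantees that `|pl|` fits is outside the hunk, so either point at that check in a comment or bound by the smaller of `|pl|` and the remaining capacity. The same pattern is repeated in the next two hunks (`@@ -760` and `@@ -789`). add_to_transited continues outside the hunk.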
@@ -760,10 +738,10 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
goto fail;
}
if (pl1 > 0) {
- strncat(current, realm, pl1);
+ strncat(current, realm, (unsigned) pl1);
}
else {
- strncat(current, realm+strlen(realm)+pl1, -pl1);
+ strncat(current, realm+strlen(realm)+pl1, (unsigned) (-pl1));
}
}
else { /* If not a subrealm */
@@ -789,10 +767,10 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
strncat(current,",", sizeof(current) - 1 - strlen(current));
current[sizeof(current) - 1] = '\0';
if (pl > 0) {
- strncat(current, exp, pl);
+ strncat(current, exp, (unsigned) pl);
}
else {
- strncat(current, exp+strlen(exp)+pl, -pl);
+ strncat(current, exp+strlen(exp)+pl, (unsigned)(-pl));
}
}
}
@@ -854,20 +832,16 @@ fail:
* as a com_err error number!
*/
#define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\
- KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY)
-
+KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY)
int
-validate_as_request(request, client, server, kdc_time, status)
-register krb5_kdc_req *request;
-krb5_db_entry client;
-krb5_db_entry server;
-krb5_timestamp kdc_time;
-const char **status;
+validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
+ krb5_db_entry server, krb5_timestamp kdc_time,
+ const char **status)
{
int errcode;
/*
- * If an illegal option is set, complain.
+ * If an option is set that is only allowed in TGS requests, complain.
*/
if (request->kdc_options & AS_INVALID_OPTIONS) {
*status = "INVALID AS OPTIONS";
@@ -995,8 +969,7 @@ const char **status;
* returns -1 on failure.
*/
static int
-asn1length(astream)
-unsigned char **astream;
+asn1length(unsigned char **astream)
{
int length; /* resulting length */
int sublen; /* sublengths */
@@ -1047,11 +1020,8 @@ unsigned char **astream;
* returns 0 on success, -1 otherwise.
*/
int
-fetch_asn1_field(astream, level, field, data)
-unsigned char *astream;
-unsigned int level;
-unsigned int field;
-krb5_data *data;
+fetch_asn1_field(unsigned char *astream, unsigned int level,
+ unsigned int field, krb5_data *data)
{
unsigned char *estream; /* end of stream */
int classes; /* # classes seen so far this level */
@@ -1138,23 +1108,18 @@ krb5_data *data;
KDC_OPT_VALIDATE)
int
-validate_tgs_request(request, server, ticket, kdc_time, status)
-register krb5_kdc_req *request;
-krb5_db_entry server;
-krb5_ticket *ticket;
-krb5_timestamp kdc_time;
-const char **status;
+validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server,
+ krb5_ticket *ticket, krb5_timestamp kdc_time,
+ const char **status)
{
int errcode;
int st_idx = 0;
- krb5_flags badflags;
/*
* If an illegal option is set, ignore it.
*/
- badflags = request->kdc_options & ~(TGS_OPTIONS_HANDLED);
- request->kdc_options &= ~badflags;
-
+ request->kdc_options &= TGS_OPTIONS_HANDLED;
+
/* Check to see if server has expired */
if (server.expiration && server.expiration < kdc_time) {
*status = "SERVICE EXPIRED";
@@ -1197,7 +1162,8 @@ const char **status;
return KRB_AP_ERR_NOT_US;
}
/* ...and that the second component matches the server realm... */
- if ((krb5_princ_component(kdc_context, ticket->server, 1)->length !=
+ if ((krb5_princ_size(kdc_context, ticket->server) <= 1) ||
+ (krb5_princ_component(kdc_context, ticket->server, 1)->length !=
krb5_princ_realm(kdc_context, request->server)->length) ||
memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data,
krb5_princ_realm(kdc_context, request->server)->data,
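Review bot: The new `krb5_princ_size(kdc_context, ticket->server) <= 1` guard is the right fix for indexing component 1 of a ticket server name that may have only one component, but nothing says why it is there; a one-line comment such as `/* a one-component server name has nothing to compare against the realm; refuse before indexing component 1 */` would keep it from being folded back into the comparison later. validate_tgs_request continues outside the hunk, so whether component 0 is protected by an equivalent check earlier cannot be seen here.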
@@ -1387,10 +1353,8 @@ const char **status;
* keytype, and 0 if not.
*/
int
-dbentry_has_key_for_enctype(context, client, enctype)
- krb5_context context;
- krb5_db_entry * client;
- krb5_enctype enctype;
+dbentry_has_key_for_enctype(krb5_context context, krb5_db_entry *client,
+ krb5_enctype enctype)
{
krb5_error_code retval;
krb5_key_data *datap;
@@ -1413,10 +1377,8 @@ dbentry_has_key_for_enctype(context, client, enctype)
* options bits for now.
*/
int
-dbentry_supports_enctype(context, client, enctype)
- krb5_context context;
- krb5_db_entry * client;
- krb5_enctype enctype;
+dbentry_supports_enctype(krb5_context context, krb5_db_entry *client,
+ krb5_enctype enctype)
{
/*
* If it's DES_CBC_MD5, there's a bit in the attribute mask which
@@ -1454,19 +1416,18 @@ dbentry_supports_enctype(context, client, enctype)
* requested, and what the KDC and the application server can support.
*/
krb5_enctype
-select_session_keytype(context, server, nktypes, ktype)
- krb5_context context;
- krb5_db_entry * server;
- int nktypes;
- krb5_enctype *ktype;
+select_session_keytype(krb5_context context, krb5_db_entry *server,
+ int nktypes, krb5_enctype *ktype)
{
int i;
- krb5_enctype dfl = 0;
for (i = 0; i < nktypes; i++) {
if (!krb5_c_valid_enctype(ktype[i]))
continue;
+ if (!krb5_is_permitted_enctype(context, ktype[i]))
+ continue;
+
if (dbentry_supports_enctype(context, server, ktype[i]))
return ktype[i];
}
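Review bot: The added `krb5_is_permitted_enctype` filter is a policy check, not a validity check, yet it sits directly after one that looks the same; a short comment, e.g. `/* valid enctype, but excluded by the KDC's permitted-enctype list */`, would make the distinction explicit. select_session_keytype's tail, including what is returned when no candidate passes (the removed `dfl` suggests this changed), lies outside the hunk.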
@@ -1477,17 +1438,14 @@ select_session_keytype(context, server, nktypes, ktype)
* This function returns salt information for a particular client_key
*/
krb5_error_code
-get_salt_from_key(context, client, client_key, salt)
- krb5_context context;
- krb5_principal client;
- krb5_key_data * client_key;
- krb5_data * salt;
+get_salt_from_key(krb5_context context, krb5_principal client,
+ krb5_key_data *client_key, krb5_data *salt)
{
krb5_error_code retval;
krb5_data * realm;
salt->data = 0;
- salt->length = -1;
+ salt->length = SALT_TYPE_NO_LENGTH;
if (client_key->key_data_ver == 1)
return 0;
@@ -1548,3 +1506,82 @@ void limit_string(char *name)
name[i] = '\0';
return;
}
+
+/*
+ * L10_2 = log10(2**x), rounded up; log10(2) ~= 0.301.
+ */
+#define L10_2(x) ((int)(((x * 301) + 999) / 1000))
+
+/*
+ * Max length of sprintf("%ld") for an int of type T; includes leading
+ * minus sign and terminating NUL.
+ */
+#define D_LEN(t) (L10_2(sizeof(t) * CHAR_BIT) + 2)
+
+void
+ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype)
+{
+ int i;
+ char stmp[D_LEN(krb5_enctype) + 1];
+ char *p;
+
+ if (nktypes < 0
+ || len < (sizeof(" etypes {...}") + D_LEN(int))) {
+ *s = '\0';
+ return;
+ }
+
+ sprintf(s, "%d etypes {", nktypes);
+ for (i = 0; i < nktypes; i++) {
+ sprintf(stmp, "%s%ld", i ? " " : "", (long)ktype[i]);
+ if (strlen(s) + strlen(stmp) + sizeof("}") > len)
+ break;
+ strcat(s, stmp);
+ }
+ if (i < nktypes) {
+ /*
+ * We broke out of the loop. Try to truncate the list.
+ */
+ p = s + strlen(s);
+ while (p - s + sizeof("...}") > len) {
+ while (p > s && *p != ' ' && *p != '{')
+ *p-- = '\0';
+ if (p > s && *p == ' ') {
+ *p-- = '\0';
+ continue;
+ }
+ }
+ strcat(s, "...");
+ }
+ strcat(s, "}");
+ return;
+}
+
+void
+rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep)
+{
+ char stmp[sizeof("ses=") + D_LEN(krb5_enctype)];
+
+ if (len < (3 * D_LEN(krb5_enctype)
+ + sizeof("etypes {rep= tkt= ses=}"))) {
+ *s = '\0';
+ return;
+ }
+
+ sprintf(s, "etypes {rep=%ld", (long)rep->enc_part.enctype);
+
+ if (rep->ticket != NULL) {
+ sprintf(stmp, " tkt=%ld", (long)rep->ticket->enc_part.enctype);
+ strcat(s, stmp);
+ }
+
+ if (rep->ticket != NULL
+ && rep->ticket->enc_part2 != NULL
+ && rep->ticket->enc_part2->session != NULL) {
+ sprintf(stmp, " ses=%ld",
+ (long)rep->ticket->enc_part2->session->enctype);
+ strcat(s, stmp);
+ }
+ strcat(s, "}");
+ return;
+}
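Review bot: Both new helpers write `*s = '\0'` on their early-exit path before anything confirms `len` is non-zero, so a zero-length buffer still receives one byte; put `if (len == 0) return;` ahead of the existing guards in ktypes2str and rep_etypes2str. `L10_2` does not parenthesize its argument (`#define L10_2(x) ((int)((((x) * 301) + 999) / 1000))` would), and the truncation loop in ktypes2str has no exit when the inner scan stops on `'{'` while the outer condition still holds — the initial `len` guard makes that unreachable today, but a `break` on `*p == '{'` would keep it from becoming a spin if the guard is ever relaxed. The remaining `sprintf`/`strcat` arithmetic appears consistent with the guards, but `snprintf(s, len, ...)` with a tracked offset would carry the bound in the call itself rather than in the surrounding comparisons.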
diff --git a/usr/src/cmd/krb5/krb5kdc/kdc_util.h b/usr/src/cmd/krb5/krb5kdc/kdc_util.h
index 615b4558cb..4c4f8d9127 100644
--- a/usr/src/cmd/krb5/krb5kdc/kdc_util.h
+++ b/usr/src/cmd/krb5/krb5kdc/kdc_util.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -32,7 +32,7 @@
*/
#ifndef __KRB5_KDC_UTIL__
-#define __KRB5_KDC_UTIL__
+#define __KRB5_KDC_UTIL__
#pragma ident "%Z%%M% %I% %E% SMI"
@@ -109,21 +109,24 @@ get_salt_from_key (krb5_context, krb5_principal,
void limit_string (char *name);
+void
+ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);
+
+void
+rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
+
/* do_as_req.c */
krb5_error_code process_as_req (krb5_kdc_req *,
const krb5_fulladdr *,
- int,
krb5_data ** );
/* do_tgs_req.c */
krb5_error_code process_tgs_req (krb5_data *,
const krb5_fulladdr *,
- int,
krb5_data ** );
/* dispatch.c */
krb5_error_code dispatch (krb5_data *,
const krb5_fulladdr *,
- int,
krb5_data **);
/* main.c */
@@ -166,13 +169,7 @@ krb5_boolean kdc_check_lookaside (krb5_data *, const krb5_fulladdr *,
krb5_data **);
void kdc_insert_lookaside (krb5_data *, const krb5_fulladdr *,
krb5_data *);
-
-/* sock2p.c */
-#ifndef HAVE_INET_NTOP
-/* It's provided by sock2p.c in this case. */
-extern const char *inet_ntop (int, const void *, char *, size_t);
-#endif
-extern void sockaddr2p (const struct sockaddr *, char *, size_t, int *);
+void kdc_free_lookaside(krb5_context);
/* which way to convert key? */
#define CONVERT_INTO_DB 0
@@ -185,8 +182,9 @@ extern void sockaddr2p (const struct sockaddr *, char *, size_t, int *);
#ifdef KRB5_KRB4_COMPAT
krb5_error_code process_v4 (const krb5_data *,
const krb5_fulladdr *,
- int is_secondary,
krb5_data **);
+void process_v4_mode (const char *, const char *);
+void enable_v4_crossrealm(char *);
#else
#define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION
#endif
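Review bot: `process_v4` loses its `int is_secondary` parameter on the `#ifdef KRB5_KRB4_COMPAT` side, but the `#else` fallback on the last context line is still a four-parameter macro, `#define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION`, so a non-KRB4 build whose callers pass three arguments will fail at preprocessing; change it to `#define process_v4(foo,bar,quux) KRB5KRB_AP_ERR_BADVERSION`. The callers are not in this hunk, so this assumes they were updated in step with the prototype.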
diff --git a/usr/src/cmd/krb5/krb5kdc/main.c b/usr/src/cmd/krb5/krb5kdc/main.c
index 0cf052f686..ba3393f41b 100644
--- a/usr/src/cmd/krb5/krb5kdc/main.c
+++ b/usr/src/cmd/krb5/krb5kdc/main.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -53,7 +53,13 @@
#include <netinet/in.h>
#endif
-kdc_realm_t *find_realm_data (char *, krb5_ui_4);
+#ifdef KRB5_KRB4_COMPAT
+#include <des.h>
+#endif
+
+#if defined(NEED_DAEMON_PROTO)
+extern int daemon(int, int);
+#endif
void usage (char *);
@@ -84,9 +90,7 @@ static struct sigaction s_action;
* Find the realm entry for a given realm.
*/
kdc_realm_t *
-find_realm_data(rname, rsize)
- char *rname;
- krb5_ui_4 rsize;
+find_realm_data(char *rname, krb5_ui_4 rsize)
{
int i;
for (i=0; i<kdc_numrealms; i++) {
@@ -98,8 +102,7 @@ find_realm_data(rname, rsize)
}
krb5_error_code
-setup_server_realm(sprinc)
- krb5_principal sprinc;
+setup_server_realm(krb5_principal sprinc)
{
krb5_error_code kret;
kdc_realm_t *newrealm;
@@ -118,8 +121,7 @@ setup_server_realm(sprinc)
}
static void
-finish_realm(rdp)
- kdc_realm_t *rdp;
+finish_realm(kdc_realm_t *rdp)
{
if (rdp->realm_dbname)
free(rdp->realm_dbname);
@@ -131,8 +133,6 @@ finish_realm(rdp)
free(rdp->realm_ports);
if (rdp->realm_tcp_ports)
free(rdp->realm_tcp_ports);
- if (rdp->realm_kstypes)
- free(rdp->realm_kstypes);
if (rdp->realm_keytab)
krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
if (rdp->realm_context) {
@@ -142,15 +142,12 @@ finish_realm(rdp)
memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length);
free(rdp->realm_mkey.contents);
}
- if (rdp->realm_tgskey.length && rdp->realm_tgskey.contents) {
- memset(rdp->realm_tgskey.contents, 0, rdp->realm_tgskey.length);
- free(rdp->realm_tgskey.contents);
- }
krb5_db_fini(rdp->realm_context);
if (rdp->realm_tgsprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc);
krb5_free_context(rdp->realm_context);
}
+ memset((char *) rdp, 0, sizeof(*rdp));
free(rdp);
}
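Review bot: The added `memset((char *) rdp, 0, sizeof(*rdp))` runs immediately before `free(rdp)`, so a compiler is entitled to drop it as a dead store; if the intent is to poison stale pointers against reuse after free, say so in a comment, and if the intent is to scrub key material, note that the master-key zeroing a few lines up has the same exposure and a non-elidable zeroing primitive would be needed for that guarantee. The `(char *)` cast on a `void *` argument is also unnecessary. finish_realm begins outside the hunk.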
@@ -162,32 +159,14 @@ finish_realm(rdp)
* realm data and we should be all set to begin operation for that realm.
*/
static krb5_error_code
-init_realm(progname, rdp, realm, def_dbname, def_mpname,
- def_enctype, def_udp_ports, def_tcp_ports, def_manual)
- char *progname;
- kdc_realm_t *rdp;
- char *realm;
- char *def_dbname;
- char *def_mpname;
- krb5_enctype def_enctype;
- char *def_udp_ports;
- char *def_tcp_ports;
- krb5_boolean def_manual;
+init_realm(char *progname, kdc_realm_t *rdp, char *realm, char *def_dbname,
+ char *def_mpname, krb5_enctype def_enctype, char *def_udp_ports,
+ char *def_tcp_ports, krb5_boolean def_manual)
{
krb5_error_code kret;
krb5_boolean manual;
- krb5_db_entry db_entry;
- int num2get;
- krb5_boolean more;
- krb5_boolean db_inited;
krb5_realm_params *rparams;
- krb5_key_data *kdata;
- krb5_key_salt_tuple *kslist;
- krb5_int32 nkslist;
- int i;
- krb5_deltat now, krb5_kdb_max_time;
- db_inited = 0;
memset((char *) rdp, 0, sizeof(kdc_realm_t));
if (!realm) {
kret = EINVAL;
@@ -208,7 +187,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
com_err(progname, kret, gettext("while reading realm parameters"));
goto whoops;
}
-
+
/* Handle profile file name */
if (rparams && rparams->realm_profile)
rdp->realm_profile = strdup(rparams->realm_profile);
@@ -249,50 +228,20 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
rdp->realm_mkey.enctype = (krb5_enctype) rparams->realm_enctype;
else
rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN;
- if ((kret = krb5_timeofday(rdp->realm_context, &now))) {
- com_err(progname, kret, gettext("while getting timeofday"));
- goto whoops;
- }
- /* Handle ticket maximum life */
- if (rparams && rparams->realm_max_life_valid)
- rdp->realm_maxlife = rparams->realm_max_life;
+ /* Handle reject-bad-transit flag */
+ if (rparams && rparams->realm_reject_bad_transit_valid)
+ rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit;
else
- rdp->realm_maxlife = KRB5_KDB_EXPIRATION - now - 3600;
+ rdp->realm_reject_bad_transit = 1;
+
+ /* Handle ticket maximum life */
+ rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ?
+ rparams->realm_max_life : KRB5_KDB_MAX_LIFE;
/* Handle ticket renewable maximum life */
- if (rparams && rparams->realm_max_rlife_valid)
- rdp->realm_maxrlife = rparams->realm_max_rlife;
- else
- rdp->realm_maxrlife = KRB5_KDB_EXPIRATION - now - 3600;
-
- /* Handle key/salt list */
- if (rparams && rparams->realm_num_keysalts) {
- rdp->realm_kstypes = rparams->realm_keysalts;
- rdp->realm_nkstypes = rparams->realm_num_keysalts;
- rparams->realm_keysalts = NULL;
- rparams->realm_num_keysalts = 0;
- kslist = (krb5_key_salt_tuple *) rdp->realm_kstypes;
- nkslist = rdp->realm_nkstypes;
- } else {
- /*
- * XXX Initialize default key/salt list.
- */
- if ((kslist = (krb5_key_salt_tuple *)
- malloc(sizeof(krb5_key_salt_tuple)))) {
- kslist->ks_enctype = ENCTYPE_DES_CBC_CRC;
- kslist->ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
- rdp->realm_kstypes = kslist;
- rdp->realm_nkstypes = 1;
- nkslist = 1;
- }
- else {
- com_err(progname, ENOMEM,
- gettext("while setting up key/salt list for realm %s"),
- realm);
- exit(1);
- }
- }
+ rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ?
+ rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
if (rparams)
krb5_free_realm_params(rdp->realm_context, rparams);
@@ -344,8 +293,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
gettext("while initializing database "),
gettext("for realm %s"), realm);
goto whoops;
- } else
- db_inited = 1;
+ }
/* Verify the master key */
if ((kret = krb5_db_verify_master_key(rdp->realm_context,
@@ -357,52 +305,6 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
goto whoops;
}
- /* Fetch the master key and get its version number */
- num2get = 1;
- kret = krb5_db_get_principal(rdp->realm_context, rdp->realm_mprinc,
- &db_entry, &num2get, &more);
- if (!kret) {
- if (num2get != 1)
- kret = KRB5_KDB_NOMASTERKEY;
- else {
- if (more) {
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- kret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- }
- }
- if (kret) {
- com_err(progname, kret,
- gettext("while fetching master entry for realm %s"),
- realm);
- goto whoops;
- }
-
- /*
- * Get the most recent master key. Search the key list in
- * the order specified by the key/salt list.
- */
- kdata = (krb5_key_data *) NULL;
- for (i=0; i<nkslist; i++) {
- if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,
- &db_entry,
- kslist[i].ks_enctype,
- -1,
- -1,
- &kdata)))
- break;
- }
- if (!kdata) {
- com_err(progname, kret,
- gettext("while finding master key for realm %s"),
- realm);
- goto whoops;
- }
- rdp->realm_mkvno = kdata->key_data_kvno;
- krb5_db_free_principal(rdp->realm_context, &db_entry, num2get);
-
if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) {
com_err(progname, kret,
gettext("while processing master key for realm %s"),
@@ -411,8 +313,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
}
/* Set up the keytab */
- if ((kret = krb5_ktkdb_resolve(rdp->realm_context,
- NULL,
+ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL,
&rdp->realm_keytab))) {
com_err(progname, kret,
gettext("while resolving kdb keytab for realm %s"),
@@ -430,68 +331,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
goto whoops;
}
- /* Get the TGS database entry */
- num2get = 1;
- if (!(kret = krb5_db_get_principal(rdp->realm_context,
- rdp->realm_tgsprinc,
- &db_entry,
- &num2get,
- &more))) {
- if (num2get != 1)
- kret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- else {
- if (more) {
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- kret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- }
- }
- if (kret) {
- com_err(progname, kret,
- gettext("while fetching TGS entry for realm %s"),
- realm);
- goto whoops;
- }
- /*
- * Get the most recent TGS key. Search the key list in
- * the order specified by the key/salt list.
- */
- kdata = (krb5_key_data *) NULL;
- for (i=0; i<nkslist; i++) {
- if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,
- &db_entry,
- kslist[i].ks_enctype,
- -1,
- -1,
- &kdata)))
- break;
- }
- if (!kdata) {
- com_err(progname, kret,
- gettext("while finding TGS key for realm %s"),
- realm);
- goto whoops;
- }
- if (!(kret = krb5_dbekd_decrypt_key_data(rdp->realm_context,
- &rdp->realm_mkey,
- kdata,
- &rdp->realm_tgskey, NULL))){
- rdp->realm_tgskvno = kdata->key_data_kvno;
- }
- krb5_db_free_principal(rdp->realm_context,
- &db_entry,
- num2get);
- if (kret) {
- com_err(progname, kret,
- gettext("while decrypting TGS key for realm %s"),
- realm);
- goto whoops;
- }
-
if (!rkey_init_done) {
- krb5_timestamp now;
krb5_data seed;
#ifdef KRB5_KRB4_COMPAT
krb5_keyblock temp_key;
@@ -501,18 +341,14 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
* generators.
*/
- if ((kret = krb5_timeofday(rdp->realm_context, &now)))
- goto whoops;
- seed.length = sizeof(now);
- seed.data = (char *) &now;
- if ((kret = krb5_c_random_seed(rdp->realm_context, &seed)))
- goto whoops;
-
seed.length = rdp->realm_mkey.length;
seed.data = (char *)rdp->realm_mkey.contents;
-
- if ((kret = krb5_c_random_seed(rdp->realm_context, &seed)))
+/* SUNW14resync - XXX */
+#if 0
+ if ((kret = krb5_c_random_add_entropy(rdp->realm_context,
+ KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed)))
goto whoops;
+#endif
#ifdef KRB5_KRB4_COMPAT
if ((kret = krb5_c_make_random_key(rdp->realm_context,
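Review bot: With the time-based seeding removed and the `krb5_c_random_add_entropy` call placed under `#if 0`, this block no longer feeds anything into the PRNG, yet `seed.length` and `seed.data` are still assigned from the master key just above, leaving a dead store and a bare `/* SUNW14resync - XXX */` marker; either delete the two `seed` assignments together with the disabled block, or replace the `XXX` with a comment stating what the KDC now relies on for PRNG seeding (presumably the library's own initialisation, which cannot be confirmed here) and what blocks enabling the call. The `krb5_c_make_random_key` call that follows is then the first consumer of random data on this path. init_realm continues outside the hunk.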
@@ -532,14 +368,14 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
* If we choked, then clean up any dirt we may have dropped on the floor.
*/
if (kret) {
+
finish_realm(rdp);
}
return(kret);
}
krb5_sigtype
-request_exit(signo)
- int signo;
+request_exit(int signo)
{
signal_requests_exit = 1;
@@ -551,8 +387,7 @@ request_exit(signo)
}
krb5_sigtype
-request_hup(signo)
- int signo;
+request_hup(int signo)
{
signal_requests_hup = 1;
@@ -564,7 +399,7 @@ request_hup(signo)
}
void
-setup_signal_handlers()
+setup_signal_handlers(void)
{
#ifdef POSIX_SIGNALS
(void) sigemptyset(&s_action.sa_mask);
@@ -584,24 +419,20 @@ setup_signal_handlers()
}
krb5_error_code
-setup_sam()
+setup_sam(void)
{
return krb5_c_make_random_key(kdc_context, ENCTYPE_DES_CBC_MD5, &psr_key);
}
void
-usage(name)
-char *name;
+usage(char *name)
{
fprintf(stderr, gettext("usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-n]\n"), name);
return;
}
void
-initialize_realms(kcontext, argc, argv)
- krb5_context kcontext;
- int argc;
- char **argv;
+initialize_realms(krb5_context kcontext, int argc, char **argv)
{
int c;
char *db_name = (char *) NULL;
@@ -620,10 +451,6 @@ initialize_realms(kcontext, argc, argv)
char *v4mode = 0;
#endif
extern char *optarg;
-#ifdef ATHENA_DES3_KLUDGE
- extern struct krb5_keytypes krb5_enctypes_list[];
- extern int krb5_enctypes_length;
-#endif
if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) {
hierarchy[0] = "kdcdefaults";
@@ -715,19 +542,11 @@ initialize_realms(kcontext, argc, argv)
v4mode = strdup(optarg);
#endif
break;
- case '3':
-#ifdef ATHENA_DES3_KLUDGE
- if (krb5_enctypes_list[krb5_enctypes_length-1].etype
- != ENCTYPE_LOCAL_DES3_HMAC_SHA1) {
- fprintf(stderr,
- "internal inconsistency in enctypes_list"
- " while disabling\n"
- "des3-marc-hmac-sha1 enctype\n");
- exit(1);
- }
- krb5_enctypes_length--;
- break;
+ case 'X':
+#ifdef KRB5_KRB4_COMPAT
+ enable_v4_crossrealm(argv[0]);
#endif
+ break;
case '?':
default:
usage(argv[0]);
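Review bot: The new `case 'X'` compiles to a silent `break` when `KRB5_KRB4_COMPAT` is not defined, so `-X` on the command line is accepted and ignored with no diagnostic; add an `#else` branch that reports it, e.g. `fprintf(stderr, gettext("%s: -X requires Kerberos 4 support\n"), argv[0]);` (wording is a suggestion). The usage text in the earlier hunk (`@@ -584`) also does not list `-X`, so if the option is meant to be user-visible it needs adding there as well. Whether the getopt option string was extended to include `X` is outside the hunk.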
@@ -750,6 +569,8 @@ initialize_realms(kcontext, argc, argv)
if ((retval = krb5_get_default_realm(kcontext, &lrealm))) {
com_err(argv[0], retval,
gettext("while attempting to retrieve default realm"));
+ fprintf (stderr, "%s: %s, %s", argv[0], error_message (retval),
+ gettext("attempting to retrieve default realm\n"));
exit(1);
}
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
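Review bot: The failure path now reports the default-realm error twice, once through `com_err` and once through the added `fprintf(stderr, ...)`, with slightly different wording; if the `fprintf` exists because `com_err` output is routed to syslog in this program (not visible here), a one-line comment saying so would justify the duplicate, otherwise one of the two should go. The added `gettext()` string carries its trailing `\n` inside the translatable text while the format string has none, which is fragile across translations.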
@@ -771,7 +592,8 @@ initialize_realms(kcontext, argc, argv)
* Now handle the replay cache.
*/
if ((retval = kdc_initialize_rcache(kcontext, rcname))) {
- com_err(argv[0], retval, gettext("while initializing KDC replay cache"));
+ com_err(argv[0], retval, gettext("while initializing KDC replay cache '%s'"),
+ rcname);
exit(1);
}
#endif
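Review bot: The replay-cache error message now interpolates `rcname` with `%s`, but if no `-R` option was given `rcname` may still hold its initial NULL (its declaration is outside the hunk), and passing NULL for `%s` is undefined behaviour; guard it, e.g. `rcname ? rcname : "<default>"`, or print the name only when it is set. initialize_realms continues outside the hunk.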
@@ -787,8 +609,7 @@ initialize_realms(kcontext, argc, argv)
}
void
-finish_realms(prog)
- char *prog;
+finish_realms(char *prog)
{
int i;
@@ -824,13 +645,10 @@ finish_realms(prog)
exit
*/
-int main(argc, argv)
- int argc;
- char *argv[];
+int main(int argc, char **argv)
{
krb5_error_code retval;
krb5_context kcontext;
- int *port_list;
int errout = 0;
(void) setlocale(LC_ALL, "");
@@ -851,7 +669,6 @@ int main(argc, argv)
}
memset((char *) kdc_realmlist, 0,
(size_t) (sizeof(kdc_realm_t *) * KRB5_KDC_MAX_REALMS));
- port_list = NULL;
/*
* A note about Kerberos contexts: This context, "kcontext", is used
@@ -874,7 +691,8 @@ int main(argc, argv)
setup_signal_handlers();
- if (retval = setup_sam()) {
+ retval = setup_sam();
+ if (retval) {
com_err(argv[0], retval, gettext("while initializing SAM"));
finish_realms(argv[0]);
return 1;
@@ -906,6 +724,18 @@ int main(argc, argv)
krb5_klog_syslog(LOG_INFO, "shutting down");
krb5_klog_close(kdc_context);
finish_realms(argv[0]);
+ if (kdc_realmlist)
+ free(kdc_realmlist);
+#ifdef USE_RCACHE
+ (void) krb5_rc_close(kcontext, kdc_rcache);
+#endif
+#ifndef NOCACHE
+ kdc_free_lookaside(kcontext);
+#endif
krb5_free_context(kcontext);
return errout;
}
+
+
+
+
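Review bot: `if (kdc_realmlist) free(kdc_realmlist);` carries a redundant NULL test since `free(NULL)` is a no-op, and the hunk appends four empty lines after `main`'s closing brace; write `free(kdc_realmlist);` and drop the trailing blank lines. The teardown order (realms finished, replay cache closed, lookaside freed, then the context released) reads correctly given that `kdc_free_lookaside` takes the same `kcontext`.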
diff --git a/usr/src/cmd/krb5/krb5kdc/network.c b/usr/src/cmd/krb5/krb5kdc/network.c
index ffa738b800..0913e8ad87 100644
--- a/usr/src/cmd/krb5/krb5kdc/network.c
+++ b/usr/src/cmd/krb5/krb5kdc/network.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -93,8 +93,7 @@ set_sa_port(struct sockaddr *addr, int port)
}
}
-static int
-ipv6_enabled()
+static int ipv6_enabled()
{
#ifdef KRB5_USE_INET6
static int result = -1;
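Review bot: `static int ipv6_enabled()` keeps the empty-parenthesis, non-prototype form while the rest of the commit converts definitions to prototypes; write `static int ipv6_enabled(void)`. ipv6_enabled's body continues outside the hunk.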
@@ -107,9 +106,9 @@ ipv6_enabled()
} else
result = 0;
}
- return (result);
+ return result;
#else
- return (0);
+ return 0;
#endif
}
@@ -127,7 +126,7 @@ setv6only(int sock, int value)
}
#endif
-
+
static const char *paddr (struct sockaddr *sa)
{
static char buf[100];
@@ -137,7 +136,7 @@ static const char *paddr (struct sockaddr *sa)
NI_NUMERICHOST|NI_NUMERICSERV))
strcpy(buf, "<unprintable>");
else {
- int len = sizeof(buf) - strlen(buf);
+ unsigned int len = sizeof(buf) - strlen(buf);
char *p = buf + strlen(buf);
if (len > 2+strlen(portbuf)) {
*p++ = '.';
@@ -150,10 +149,12 @@ static const char *paddr (struct sockaddr *sa)
/* KDC data. */
+enum kdc_conn_type { CONN_UDP, CONN_TCP_LISTENER, CONN_TCP };
+
/* Per-connection info. */
struct connection {
int fd;
- enum { CONN_UDP, CONN_TCP_LISTENER, CONN_TCP } type;
+ enum kdc_conn_type type;
void (*service)(struct connection *, const char *, int);
/* Solaris Kerberos: for auditing */
in_port_t port; /* local port */
@@ -189,7 +190,7 @@ struct connection {
} u;
};
-
+
#define SET(TYPE) struct { TYPE *data; int n, max; }
/* Start at the top and work down -- this should allow for deletions
@@ -270,10 +271,12 @@ static krb5_error_code add_tcp_port(int port)
return 0;
}
+
#define USE_AF AF_INET
#define USE_TYPE SOCK_DGRAM
#define USE_PROTO 0
#define SOCKET_ERRNO errno
+#include "foreachaddr.h"
struct socksetup {
const char *prog;
@@ -281,7 +284,7 @@ struct socksetup {
};
static struct connection *
-add_fd (struct socksetup *data, int sock, int conntype,
+add_fd (struct socksetup *data, int sock, enum kdc_conn_type conntype,
void (*service)(struct connection *, const char *, int))
{
struct connection *newconn;
@@ -305,7 +308,6 @@ add_fd (struct socksetup *data, int sock, int conntype,
newconn->type = conntype;
newconn->fd = sock;
newconn->service = service;
-
return newconn;
}
@@ -340,11 +342,8 @@ delete_fd (struct connection *xconn)
FOREACH_ELT(connections, i, conn)
if (conn == xconn) {
DEL(connections, i);
- /* Solaris kerberos: fix memory leak */
- free(xconn);
- return;
+ break;
}
-
free(xconn);
}
@@ -354,7 +353,7 @@ setnbio(int sock)
static const int one = 1;
return ioctlsocket(sock, FIONBIO, (const void *)&one);
}
-
+
static int
setnolinger(int s)
{
@@ -478,8 +477,8 @@ setup_tcp_listener_ports(struct socksetup *data)
if (add_tcp_listener_fd(data, s4) == 0)
close(s4);
else
- krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s port %d",
- s4, paddr((struct sockaddr *)&sin4), port);
+ krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
+ s4, paddr((struct sockaddr *)&sin4));
}
#ifdef KRB5_USE_INET6
if (s6 >= 0) {
@@ -490,8 +489,8 @@ setup_tcp_listener_ports(struct socksetup *data)
close(s6);
s6 = -1;
} else
- krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s port %d",
- s6, paddr((struct sockaddr *)&sin6), port);
+ krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
+ s6, paddr((struct sockaddr *)&sin6));
if (s4 < 0)
krb5_klog_syslog(LOG_INFO,
"assuming IPv6 socket accepts IPv4");
@@ -537,6 +536,10 @@ setup_udp_port(void *P_data, struct sockaddr *addr)
case AF_LINK:
return 0;
#endif
+#ifdef AF_DLI /* Direct Link Interface - DEC Ultrix/OSF1 link layer? */
+ case AF_DLI:
+ return 0;
+#endif
default:
krb5_klog_syslog (LOG_INFO,
"skipping unrecognized local address family %d",
@@ -564,8 +567,8 @@ setup_udp_port(void *P_data, struct sockaddr *addr)
FD_SET (sock, &sstate.rfds);
if (sock >= sstate.max)
sstate.max = sock + 1;
- krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s port %d", sock,
- paddr((struct sockaddr *)addr), port);
+ krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s", sock,
+ paddr((struct sockaddr *)addr));
if (add_udp_fd (data, sock) == 0)
return 1;
}
@@ -617,6 +620,8 @@ scan_for_newlines:
}
#endif
+/* XXX */
+extern int krb5int_debug_sendto_kdc;
extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
krb5_error_code
@@ -632,6 +637,7 @@ setup_network(const char *prog)
FD_ZERO(&sstate.xfds);
sstate.max = 0;
+/* krb5int_debug_sendto_kdc = 1; */
krb5int_sendtokdc_debug_handler = klog_handler;
/* Handle each realm's ports */
@@ -732,7 +738,7 @@ static void process_packet(struct connection *conn, const char *prog,
krb5_data *response;
char pktbuf[MAX_DGRAM_SIZE];
int port_fd = conn->fd;
-
+
response = NULL;
saddr_len = sizeof(saddr);
cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0,
@@ -755,7 +761,7 @@ static void process_packet(struct connection *conn, const char *prog,
faddr.address = &addr;
init_addr(&faddr, ss2sa(&saddr));
/* this address is in net order */
- if ((retval = dispatch(&request, &faddr, conn->port, &response))) {
+ if ((retval = dispatch(&request, &faddr, &response))) {
com_err(prog, retval, gettext("while dispatching (udp)"));
return;
}
@@ -826,6 +832,10 @@ static void accept_tcp_connection(struct connection *conn, const char *prog,
strcpy(p, tmpbuf);
}
}
+#if 0
+ krb5_klog_syslog(LOG_INFO, "accepted TCP connection on socket %d from %s",
+ s, newconn->u.tcp.addrbuf);
+#endif
newconn->u.tcp.addr_s = addr_s;
newconn->u.tcp.addrlen = addrlen;
@@ -865,6 +875,7 @@ static void accept_tcp_connection(struct connection *conn, const char *prog,
newconn->u.tcp.addrbuf);
delete_fd(newconn);
close(s);
+ tcp_data_counter--;
return;
}
newconn->u.tcp.offset = 0;
@@ -896,24 +907,20 @@ kill_tcp_connection(struct connection *conn)
sstate.max--;
close(conn->fd);
conn->fd = -1;
- tcp_data_counter--;
- /* Solaris kerberos: fix memory leak */
delete_fd(conn);
+ tcp_data_counter--;
}
static void
process_tcp_connection(struct connection *conn, const char *prog, int selflags)
{
-
if (selflags & SSF_WRITE) {
ssize_t nwrote;
SOCKET_WRITEV_TEMP tmp;
- krb5_error_code e;
nwrote = SOCKET_WRITEV(conn->fd, conn->u.tcp.sgp, conn->u.tcp.sgnum,
tmp);
if (nwrote < 0) {
- e = SOCKET_ERRNO;
goto kill_tcp_connection;
}
if (nwrote == 0)
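Review bot: In process_tcp_connection the write-error path now reaches `goto kill_tcp_connection;` without recording why; the removed `e = SOCKET_ERRNO;` was indeed unused, but the errno is the only clue an operator has when TCP replies start being dropped. Log it before the jump, e.g. `krb5_klog_syslog(LOG_INFO, "writev on fd %d failed: %s", conn->fd, strerror(SOCKET_ERRNO));`. The rest of process_tcp_connection lies outside the hunk.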
@@ -991,11 +998,10 @@ process_tcp_connection(struct connection *conn, const char *prog, int selflags)
conn->u.tcp.offset += nread;
if (conn->u.tcp.offset < conn->u.tcp.msglen + 4)
return;
-
/* have a complete message, and exactly one message */
request.length = conn->u.tcp.msglen;
request.data = conn->u.tcp.buffer + 4;
- err = dispatch(&request, &conn->u.tcp.faddr, conn->port,
+ err = dispatch(&request, &conn->u.tcp.faddr,
&conn->u.tcp.response);
if (err) {
com_err(prog, err, gettext("while dispatching (tcp)"));
@@ -1083,6 +1089,11 @@ closedown_network(const char *prog)
if (conn->fd >= 0)
(void) close(conn->fd);
DEL (connections, i);
+ /* There may also be per-connection data in the tcp structure
+ (tcp.buffer, tcp.response) that we're not freeing here.
+ That should only happen if we quit with a connection in
+ progress. */
+ free(conn);
}
FREE_SET_DATA(connections);
FREE_SET_DATA(udp_port_data);
diff --git a/usr/src/cmd/krb5/krb5kdc/policy.c b/usr/src/cmd/krb5/krb5kdc/policy.c
index 38b9114faa..f2039fc12e 100644
--- a/usr/src/cmd/krb5/krb5kdc/policy.c
+++ b/usr/src/cmd/krb5/krb5kdc/policy.c
@@ -33,12 +33,9 @@
#include "kdc_util.h"
int
-against_local_policy_as(request, client, server, kdc_time, status)
-register krb5_kdc_req *request;
-krb5_db_entry client;
-krb5_db_entry server;
-krb5_timestamp kdc_time;
-const char **status;
+against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
+ krb5_db_entry server, krb5_timestamp kdc_time,
+ const char **status)
{
#if 0
/* An AS request must include the addresses field */
@@ -55,11 +52,8 @@ const char **status;
* This is where local policy restrictions for the TGS should placed.
*/
krb5_error_code
-against_local_policy_tgs(request, server, ticket, status)
-register krb5_kdc_req *request;
-krb5_db_entry server;
-krb5_ticket *ticket;
-const char **status;
+against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
+ krb5_ticket *ticket, const char **status)
{
#if 0
/*
diff --git a/usr/src/cmd/krb5/krb5kdc/replay.c b/usr/src/cmd/krb5/krb5kdc/replay.c
index dd96cb1d96..d944bbada7 100644
--- a/usr/src/cmd/krb5/krb5kdc/replay.c
+++ b/usr/src/cmd/krb5/krb5kdc/replay.c
@@ -74,10 +74,8 @@ static int num_entries = 0;
FALSE if the caller should do the work */
krb5_boolean
-kdc_check_lookaside(inpkt, from, outpkt)
- register krb5_data *inpkt;
- register const krb5_fulladdr *from;
- register krb5_data **outpkt;
+kdc_check_lookaside(krb5_data *inpkt, const krb5_fulladdr *from,
+ krb5_data **outpkt)
{
krb5_int32 timenow;
register krb5_kdc_replay_ent *eptr, *last, *hold;
@@ -130,10 +128,8 @@ kdc_check_lookaside(inpkt, from, outpkt)
already there, and can fail softly due to other weird errors. */
void
-kdc_insert_lookaside(inpkt, from, outpkt)
- register krb5_data *inpkt;
- register const krb5_fulladdr *from;
- register krb5_data *outpkt;
+kdc_insert_lookaside(krb5_data *inpkt, const krb5_fulladdr *from,
+ krb5_data *outpkt)
{
register krb5_kdc_replay_ent *eptr;
krb5_int32 timenow;
@@ -175,4 +171,23 @@ kdc_insert_lookaside(inpkt, from, outpkt)
return;
}
+/* frees memory associated with the lookaside queue for memory profiling */
+void
+kdc_free_lookaside(krb5_context kcontext)
+{
+ register krb5_kdc_replay_ent *eptr, *last, *hold;
+ if (root_ptr.next) {
+ for (last = &root_ptr, eptr = root_ptr.next;
+ eptr; eptr = eptr->next) {
+ krb5_free_data(kcontext, eptr->req_packet);
+ krb5_free_data(kcontext, eptr->reply_packet);
+ krb5_free_address(kcontext, eptr->addr);
+ hold = eptr;
+ last->next = eptr->next;
+ eptr = last;
+ free(hold);
+ }
+ }
+}
+
#endif /* NOCACHE */
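Review bot: kdc_free_lookaside empties the list but never resets `num_entries`, which the earlier hunk header shows as the file's `static int num_entries = 0;`; if that counter tracks list length, any kdc_insert_lookaside call after this runs would work from a stale count, so add `num_entries = 0;` after the loop. The `if (root_ptr.next)` guard repeats the for condition, and the `last`/`eptr = last` shuffle reads more simply as `while ((eptr = root_ptr.next) != NULL) { root_ptr.next = eptr->next; ... free(eptr); }`. A one-line header comment stating that the function is only meant to run at shutdown (as "for memory profiling" suggests) would make the missing reset harmless by documentation if that is the intent.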
diff --git a/usr/src/cmd/krb5/slave/kprop.c b/usr/src/cmd/krb5/slave/kprop.c
index a4eb7e5a24..af5d00403d 100644
--- a/usr/src/cmd/krb5/slave/kprop.c
+++ b/usr/src/cmd/krb5/slave/kprop.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -36,7 +36,6 @@
#include <errno.h>
#include <stdio.h>
-#include <stdlib.h>
#include <ctype.h>
#include <sys/file.h>
#include <signal.h>
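Review bot: Dropping `#include <stdlib.h>` is risky in this file: `malloc` (send_error), `free` (close_database) and `exit` are all called, and unless one of the remaining headers already pulls in <stdlib.h> they become implicit declarations, which for `malloc` truncates the returned pointer on 64-bit builds. Keep the include unless the build was checked with `-Werror=implicit-function-declaration`. The file's other includes are outside this hunk, so I cannot confirm what still provides these prototypes.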
@@ -73,27 +72,27 @@ krb5_address sender_addr;
krb5_address receiver_addr;
void PRS
- (int, char **);
+ (int, char **);
void get_tickets
- (krb5_context);
+ (krb5_context);
static void usage
- (void);
+ (void);
krb5_error_code open_connection
- (char *, int *, char *, int);
+ (char *, int *, char *, unsigned int);
void kerberos_authenticate
- (krb5_context, krb5_auth_context *,
+ (krb5_context, krb5_auth_context *,
int, krb5_principal, krb5_creds **);
int open_database
- (krb5_context, char *, int *);
+ (krb5_context, char *, int *);
void close_database
- (krb5_context, int);
+ (krb5_context, int);
void xmit_database
- (krb5_context, krb5_auth_context, krb5_creds *,
+ (krb5_context, krb5_auth_context, krb5_creds *,
int, int, int);
void send_error
- (krb5_context, krb5_creds *, int, char *, krb5_error_code);
+ (krb5_context, krb5_creds *, int, char *, krb5_error_code);
void update_last_prop_file
- (char *, char *);
+ (char *, char *);
static void usage()
{
@@ -134,7 +133,8 @@ main(argc, argv)
get_tickets(context);
database_fd = open_database(context, file, &database_size);
- if (retval = open_connection(slave_host, &fd, Errmsg, sizeof(Errmsg))) {
+ retval = open_connection(slave_host, &fd, Errmsg, sizeof(Errmsg));
+ if (retval) {
com_err(progname, retval, gettext("%s while opening connection to %s"),
Errmsg, slave_host);
exit(1);
@@ -155,6 +155,7 @@ main(argc, argv)
close_database(context, database_fd);
exit(0);
}
+
void PRS(argc, argv)
int argc;
char **argv;
@@ -202,16 +203,12 @@ void PRS(argc, argv)
slave_host = *argv;
else
usage();
-
}
void get_tickets(context)
krb5_context context;
{
- char my_host_name[MAXHOSTNAMELEN];
char buf[BUFSIZ];
- char *cp;
- struct hostent *hp;
krb5_error_code retval;
static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
@@ -262,11 +259,13 @@ void get_tickets(context)
com_err(progname, errno, gettext("while setting client principal name"));
exit(1);
}
-
if (realm) {
- (void) krb5_xfree(krb5_princ_realm(context, my_principal)->data);
- krb5_princ_set_realm_length(context, my_principal, strlen(realm));
- krb5_princ_set_realm_data(context, my_principal, strdup(realm));
+ retval = krb5_set_principal_realm(context, my_principal, realm);
+ if (retval) {
+ com_err(progname, errno,
+ gettext("while setting client principal realm"));
+ exit(1);
+ }
}
#if 0
krb5_princ_type(context, my_principal) = KRB5_NT_PRINCIPAL;
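Review bot: The new failure branch reports the wrong error: `com_err(progname, errno, gettext("while setting client principal realm"));` should pass `retval`, since krb5_set_principal_realm returns a krb5_error_code and errno is unrelated to it, so the message would carry a stale or zero errno. The same mistake appears in the server-principal branch of the next get_tickets hunk (`"while setting server principal realm"`) and in the kpropd.c PRS hunk (`"while constructing my service realm"`). Use `com_err(progname, retval, ...)` in all three.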
@@ -277,12 +276,16 @@ void get_tickets(context)
*/
(void) mktemp(tkstring);
snprintf(buf, sizeof (buf), gettext("FILE:%s"), tkstring);
- if (retval = krb5_cc_resolve(context, buf, &ccache)) {
+
+ retval = krb5_cc_resolve(context, buf, &ccache);
+ if (retval) {
com_err(progname, retval, gettext("while opening credential cache %s"),
buf);
exit(1);
}
- if (retval = krb5_cc_initialize(context, ccache, my_principal)) {
+
+ retval = krb5_cc_initialize(context, ccache, my_principal);
+ if (retval) {
com_err (progname, retval, gettext("when initializing cache %s"),
buf);
exit(1);
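Review bot: The credential cache opened here is still named by `mktemp(tkstring)` on the fixed `/tmp/kproptktXXXXXX` template, and the rewritten `krb5_cc_resolve`/`krb5_cc_initialize` pair keeps the window between name generation and file creation in which another local user can plant that path. Since the comment later in get_tickets says the cache is destroyed as soon as my_creds is filled, a memory cache avoids both the race and writing credentials to disk: `snprintf(buf, sizeof (buf), "MEMORY:kprop_%ld", (long) getpid());` in place of the FILE: name. If a file cache must stay, create it with mkstemp and pass the resulting name. get_tickets continues on both sides of the hunk.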
@@ -303,21 +306,26 @@ void get_tickets(context)
exit(1);
}
if (realm) {
- (void) krb5_xfree(krb5_princ_realm(context, creds.server)->data);
- krb5_princ_set_realm_length(context, creds.server, strlen(realm));
- krb5_princ_set_realm_data(context, creds.server, strdup(realm));
+ retval = krb5_set_principal_realm(context, creds.server, realm);
+ if (retval) {
+ com_err(progname, errno,
+ gettext("while setting server principal realm"));
+ exit(1);
+ }
}
/*
* Now fill in the client....
*/
- if (retval = krb5_copy_principal(context, my_principal, &creds.client)) {
+ retval = krb5_copy_principal(context, my_principal, &creds.client);
+ if (retval) {
com_err(progname, retval, gettext("While copying client principal"));
(void) krb5_cc_destroy(context, ccache);
exit(1);
}
if (srvtab) {
- if (retval = krb5_kt_resolve(context, srvtab, &keytab)) {
+ retval = krb5_kt_resolve(context, srvtab, &keytab);
+ if (retval) {
com_err(progname, retval, gettext("while resolving keytab"));
(void) krb5_cc_destroy(context, ccache);
exit(1);
@@ -345,12 +353,13 @@ void get_tickets(context)
if (keytab)
(void) krb5_kt_close(context, keytab);
-
+
/*
* Now destroy the cache right away --- the credentials we
* need will be in my_creds.
*/
- if (retval = krb5_cc_destroy(context, ccache)) {
+ retval = krb5_cc_destroy(context, ccache);
+ if (retval) {
com_err(progname, retval, gettext("while destroying ticket cache"));
exit(1);
}
@@ -363,10 +372,10 @@ void get_tickets(context)
krb5_error_code
open_connection(host, fd, Errmsg, ErrmsgSz)
- char *host;
- int *fd;
- char *Errmsg;
- int ErrmsgSz;
+ char *host;
+ int *fd;
+ char *Errmsg;
+ unsigned int ErrmsgSz;
{
int s;
krb5_error_code retval;
@@ -437,7 +446,6 @@ open_connection(host, fd, Errmsg, ErrmsgSz)
freeaddrinfo(aitop);
return(retval);
}
-
*fd = s;
/*
@@ -486,43 +494,46 @@ void kerberos_authenticate(context, auth_context, fd, me, new_creds)
krb5_error *error = NULL;
krb5_ap_rep_enc_part *rep_result;
- if (retval = krb5_auth_con_init(context, auth_context))
+ retval = krb5_auth_con_init(context, auth_context);
+ if (retval)
exit(1);
krb5_auth_con_setflags(context, *auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- if (retval = krb5_auth_con_setaddrs(context, *auth_context, &sender_addr,
- &receiver_addr)) {
+ retval = krb5_auth_con_setaddrs(context, *auth_context, &sender_addr,
+ &receiver_addr);
+ if (retval) {
com_err(progname, retval, gettext("in krb5_auth_con_setaddrs"));
exit(1);
}
- if (retval = krb5_sendauth(context, auth_context, (void *)&fd,
- kprop_version, me, creds.server,
- AP_OPTS_MUTUAL_REQUIRED, NULL, &creds, NULL,
- &error, &rep_result, new_creds)) {
- com_err(progname, retval, gettext("while authenticating to server"));
- if (error) {
- if (error->error == KRB_ERR_GENERIC) {
- if (error->text.data)
- fprintf(stderr,
- gettext("Generic remote error: %s\n"),
- error->text.data);
- } else if (error->error) {
- com_err(progname,
- error->error + ERROR_TABLE_BASE_krb5,
- gettext("signalled from server"));
- if (error->text.data)
- fprintf(stderr,
- gettext("Error text from server: %s\n"),
- error->text.data);
- }
- krb5_free_error(context, error);
- }
- exit(1);
+ retval = krb5_sendauth(context, auth_context, (void *)&fd,
+ kprop_version, me, creds.server,
+ AP_OPTS_MUTUAL_REQUIRED, NULL, &creds, NULL,
+ &error, &rep_result, new_creds);
+ if (retval) {
+ com_err(progname, retval, gettext("while authenticating to server"));
+ if (error) {
+ if (error->error == KRB_ERR_GENERIC) {
+ if (error->text.data)
+ fprintf(stderr,
+ gettext("Generic remote error: %s\n"),
+ error->text.data);
+ } else if (error->error) {
+ com_err(progname,
+ (krb5_error_code) error->error + ERROR_TABLE_BASE_krb5,
+ gettext("signalled from server"));
+ if (error->text.data)
+ fprintf(stderr,
+ gettext("Error text from server: %s\n"),
+ error->text.data);
+ }
+ krb5_free_error(context, error);
}
- krb5_free_ap_rep_enc_part(context, rep_result);
+ exit(1);
+ }
+ krb5_free_ap_rep_enc_part(context, rep_result);
}
char * dbpathname;
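Review bot: The rewritten `krb5_auth_con_init` check still exits silently: `retval = krb5_auth_con_init(context, auth_context); if (retval) exit(1);` gives the operator nothing to act on, unlike every other failure branch in this function. Add `com_err(progname, retval, gettext("in krb5_auth_con_init"));` before the exit. kerberos_authenticate's declarations start above the hunk.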
@@ -601,7 +612,8 @@ close_database(context, fd)
int fd;
{
int err;
- if (err = krb5_lock_file(context, fd, KRB5_LOCKMODE_UNLOCK))
+ err = krb5_lock_file(context, fd, KRB5_LOCKMODE_UNLOCK);
+ if (err)
com_err(progname, err, gettext("while unlocking database '%s'"), dbpathname);
free(dbpathname);
(void)close(fd);
@@ -618,20 +630,24 @@ close_database(context, fd)
* will abort the entire operation.
*/
void
-xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
+xmit_database(context, auth_context, my_creds, fd, database_fd,
+ in_database_size)
krb5_context context;
krb5_auth_context auth_context;
krb5_creds *my_creds;
int fd;
int database_fd;
- int database_size;
+ int in_database_size;
{
- krb5_int32 send_size, sent_size, n;
+ krb5_int32 sent_size, n;
krb5_data inbuf, outbuf;
char buf[KPROP_BUFSIZ];
krb5_error_code retval;
krb5_error *error;
-
+ /* These must be 4 bytes */
+ krb5_ui_4 database_size = in_database_size;
+ krb5_ui_4 send_size;
+
/*
* Send over the size
*/
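Review bot: `krb5_ui_4 database_size = in_database_size;` converts the signed parameter unchecked, so a negative value (whether open_database can produce one is not visible here) becomes a length near 4 GiB that the receiver only rejects after the entire transfer. A guard before the conversion keeps the failure local: `if (in_database_size < 0) { com_err(progname, 0, gettext("invalid database size")); exit(1); }`. The `/* These must be 4 bytes */` comment would read better as `/* Wire format carries the size as a 4-byte network-order integer. */`.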
@@ -639,36 +655,42 @@ xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
inbuf.data = (char *) &send_size;
inbuf.length = sizeof(send_size); /* must be 4, really */
/* KPROP_CKSUMTYPE */
- if (retval = krb5_mk_safe(context, auth_context, &inbuf,
- &outbuf, NULL)) {
+ retval = krb5_mk_safe(context, auth_context, &inbuf,
+ &outbuf, NULL);
+ if (retval) {
com_err(progname, retval, gettext("while encoding database size"));
send_error(context, my_creds, fd, gettext("while encoding database size"), retval);
exit(1);
}
- if (retval = krb5_write_message(context, (void *) &fd, &outbuf)) {
+
+ retval = krb5_write_message(context, (void *) &fd, &outbuf);
+ if (retval) {
krb5_free_data_contents(context, &outbuf);
com_err(progname, retval, gettext("while sending database size"));
exit(1);
}
krb5_free_data_contents(context, &outbuf);
- /*
- * Initialize the initial vector.
- */
- if (retval = krb5_auth_con_initivector(context, auth_context)) {
- send_error(context, my_creds, fd,
+ /*
+ * Initialize the initial vector.
+ */
+ retval = krb5_auth_con_initivector(context, auth_context);
+ if (retval) {
+ send_error(context, my_creds, fd,
gettext("failed while initializing i_vector"), retval);
- com_err(progname, retval, gettext("while allocating i_vector"));
- exit(1);
- }
+ com_err(progname, retval, gettext("while allocating i_vector"));
+ exit(1);
+ }
+
/*
* Send over the file, block by block....
*/
inbuf.data = buf;
sent_size = 0;
- while (n = read(database_fd, buf, sizeof(buf))) {
+ while ((n = read(database_fd, buf, sizeof(buf)))) {
inbuf.length = n;
- if (retval = krb5_mk_priv(context, auth_context, &inbuf,
- &outbuf, NULL)) {
+ retval = krb5_mk_priv(context, auth_context, &inbuf,
+ &outbuf, NULL);
+ if (retval) {
snprintf(buf, sizeof (buf),
gettext("while encoding database block starting at %d"),
sent_size);
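Review bot: The read loop, `while ((n = read(database_fd, buf, sizeof(buf))))`, treats a -1 error return as data: `inbuf.length = n;` then hands krb5_mk_priv a length converted from -1, and the buffer is sent as if it were database content. Loop only while `> 0`, `while ((n = read(database_fd, buf, sizeof(buf))) > 0) {`, and after the loop report `n < 0` with errno through send_error/com_err as the other failure paths do. The loop body continues past the end of the hunk.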
@@ -676,7 +698,9 @@ xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
send_error(context, my_creds, fd, buf, retval);
exit(1);
}
- if (retval = krb5_write_message(context, (void *)&fd,&outbuf)) {
+
+ retval = krb5_write_message(context, (void *)&fd,&outbuf);
+ if (retval) {
krb5_free_data_contents(context, &outbuf);
com_err(progname, retval,
gettext("while sending database block starting at %d"),
@@ -694,11 +718,13 @@ xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
KRB5KRB_ERR_GENERIC);
exit(1);
}
+
/*
* OK, we've sent the database; now let's wait for a success
* indication from the remote end.
*/
- if (retval = krb5_read_message(context, (void *) &fd, &inbuf)) {
+ retval = krb5_read_message(context, (void *) &fd, &inbuf);
+ if (retval) {
com_err(progname, retval,
gettext("while reading response from server"));
exit(1);
@@ -708,7 +734,8 @@ xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
* the error message
*/
if (krb5_is_krb_error(&inbuf)) {
- if (retval = krb5_rd_error(context, &inbuf, &error)) {
+ retval = krb5_rd_error(context, &inbuf, &error);
+ if (retval) {
com_err(progname, retval,
gettext("while decoding error response from server"));
exit(1);
@@ -719,7 +746,9 @@ xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
gettext("Generic remote error: %s\n"),
error->text.data);
} else if (error->error) {
- com_err(progname, error->error + ERROR_TABLE_BASE_krb5,
+ com_err(progname,
+ (krb5_error_code) error->error +
+ ERROR_TABLE_BASE_krb5,
gettext("signalled from server"));
if (error->text.data)
fprintf(stderr,
@@ -729,11 +758,14 @@ xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
krb5_free_error(context, error);
exit(1);
}
- if (retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL)) {
+
+ retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL);
+ if (retval) {
com_err(progname, retval,
gettext("while decoding final size packet from server"));
exit(1);
}
+
memcpy((char *)&send_size, outbuf.data, sizeof(send_size));
send_size = ntohl(send_size);
if (send_size != database_size) {
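Review bot: `memcpy((char *)&send_size, outbuf.data, sizeof(send_size));` copies four bytes out of the decoded reply without checking `outbuf.length`, so a short or malformed final-size packet from the peer reads past the decoded data. Insert `if (outbuf.length != sizeof(send_size)) { com_err(progname, KRB5KRB_ERR_GENERIC, gettext("bad final size packet from server")); exit(1); }` between the rd_safe check and the memcpy. The memcpy itself is a context line, but this hunk is the one rewriting the surrounding check, so it is the natural place for the fix.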
@@ -770,7 +802,8 @@ send_error(context, my_creds, fd, err_text, err_code)
else
text = error_message(err_code);
error.text.length = strlen(text) + 1;
- if (error.text.data = malloc(error.text.length)) {
+ error.text.data = malloc((unsigned int) error.text.length);
+ if (error.text.data) {
strcpy(error.text.data, text);
if (!krb5_mk_error(context, &error, &outbuf)) {
(void) krb5_write_message(context, (void *)&fd,&outbuf);
@@ -804,8 +837,8 @@ void update_last_prop_file(hostname, file_name)
* have already specified a host name and therefore would be redundant.
*/
if (strcmp(file_name, KPROP_DEFAULT_FILE) == 0) {
- strcat(file_last_prop, ".");
- strcat(file_last_prop, hostname);
+ strcat(file_last_prop, ".");
+ strcat(file_last_prop, hostname);
}
strcat(file_last_prop, last_prop);
if ((fd = THREEPARAMOPEN(file_last_prop, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
diff --git a/usr/src/cmd/krb5/slave/kprop.h b/usr/src/cmd/krb5/slave/kprop.h
index 83ee7763c5..b71a5e5c19 100644
--- a/usr/src/cmd/krb5/slave/kprop.h
+++ b/usr/src/cmd/krb5/slave/kprop.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -22,7 +22,7 @@ extern "C" {
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -36,18 +36,17 @@ extern "C" {
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
*/
-#define KPROP_SERVICE_NAME "host"
-#define TGT_SERVICE_NAME "krbtgt"
-#define KPROP_SERVICE "krb5_prop"
-#define KPROP_CKSUMTYPE CKSUMTYPE_RSA_MD4_DES
+#define KPROP_SERVICE_NAME "host"
+#define TGT_SERVICE_NAME "krbtgt"
+#define KPROP_SERVICE "krb5_prop"
-#define KPROP_PROT_VERSION "kprop5_01"
+#define KPROP_PROT_VERSION "kprop5_01"
-#define KPROP_BUFSIZ 32768
+#define KPROP_BUFSIZ 32768
extern krb5_address *cvtkaddr(struct sockaddr_storage *ss, krb5_address *krbap);
diff --git a/usr/src/cmd/krb5/slave/kpropd.c b/usr/src/cmd/krb5/slave/kpropd.c
index 189a99929e..a5d6b7aa6f 100644
--- a/usr/src/cmd/krb5/slave/kpropd.c
+++ b/usr/src/cmd/krb5/slave/kpropd.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* All rights reserved.
@@ -61,6 +61,7 @@
* write...
*/
+
#include <stdio.h>
#include <ctype.h>
#include <sys/file.h>
@@ -129,7 +130,6 @@ char *kdb5_util = KPROPD_DEFAULT_KDB5_UTIL;
char *kerb_database = NULL;
char *acl_file_name = KPROPD_ACL_FILE;
-int database_fd;
krb5_address sender_addr;
krb5_address receiver_addr;
short port = 0;
@@ -139,36 +139,35 @@ void PRS
int do_standalone
(iprop_role iproprole);
void doit
- (int);
+ (int);
krb5_error_code do_iprop(kdb_log_context *log_ctx);
void kerberos_authenticate
- (krb5_context,
+ (krb5_context,
int,
krb5_principal *,
krb5_enctype *,
struct sockaddr_storage);
-
krb5_boolean authorized_principal
- (krb5_context,
+ (krb5_context,
krb5_principal,
krb5_enctype);
void recv_database
- (krb5_context,
+ (krb5_context,
int,
int,
krb5_data *);
void load_database
- (krb5_context,
+ (krb5_context,
char *,
char *);
void send_error
- (krb5_context,
+ (krb5_context,
int,
krb5_error_code,
char *);
void recv_error
- (krb5_context,
+ (krb5_context,
krb5_data *);
int convert_polltime
(char *);
@@ -283,64 +282,59 @@ int do_standalone(iprop_role iproprole)
gettext("in setsockopt(SO_REUSEADDR)"));
}
ret = bind(finet, (struct sockaddr *) &sin6, sizeof(sin6));
- }
+ }
- if (ret < 0) {
- perror(gettext("bind"));
- com_err(progname, errno,
+ if (ret < 0) {
+ perror(gettext("bind"));
+ com_err(progname, errno,
gettext("while binding listener socket"));
- exit(1);
+ exit(1);
+ }
}
- }
-
- if (!debug && (iproprole != IPROP_SLAVE))
- daemon(1, 0);
-
+ if (!debug && (iproprole != IPROP_SLAVE))
+ daemon(1, 0);
#ifdef PID_FILE
- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
- fprintf(pidfile, gettext("%d\n"), getpid());
- fclose(pidfile);
- } else
- com_err(progname, errno,
+ if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
+ fprintf(pidfile, gettext("%d\n"), getpid());
+ fclose(pidfile);
+ } else
+ com_err(progname, errno,
gettext("while opening pid file %s for writing"),
PID_FILE);
#endif
-
- if (listen(finet, 5) < 0) {
- com_err(progname, errno, gettext("in listen call"));
- exit(1);
- }
-
- while (1) {
- int child_pid;
-
- s = accept(finet, (struct sockaddr *) &sin6, &sin6_size);
-
- if (s < 0) {
- if (errno != EINTR)
- com_err(progname, errno,
- gettext("from accept system call"));
- continue;
+ if (listen(finet, 5) < 0) {
+ com_err(progname, errno, gettext("in listen call"));
+ exit(1);
}
+ while (1) {
+ int child_pid;
- if (debug && (iproprole != IPROP_SLAVE))
- child_pid = 0;
- else
- child_pid = fork();
+ s = accept(finet, (struct sockaddr *) &sin6, &sin6_size);
- switch (child_pid) {
- case -1:
- com_err(progname, errno, gettext("while forking"));
- exit(1);
+ if (s < 0) {
+ if (errno != EINTR)
+ com_err(progname, errno,
+ gettext("from accept system call"));
+ continue;
+ }
+ if (debug && (iproprole != IPROP_SLAVE))
+ child_pid = 0;
+ else
+ child_pid = fork();
+ switch (child_pid) {
+ case -1:
+ com_err(progname, errno, gettext("while forking"));
+ exit(1);
/*NOTREACHED*/
- case 0:
+ case 0:
/* child */
- (void) close(finet);
- doit(s);
- close(s);
- _exit(0);
+ (void) close(finet);
+
+ doit(s);
+ close(s);
+ _exit(0);
/*NOTREACHED*/
- default:
+ default:
/* parent */
if (wait(&status) < 0) {
com_err(progname, errno,
@@ -373,8 +367,9 @@ void doit(fd)
krb5_error_code retval;
krb5_data confmsg;
int lock_fd;
- int omask;
+ mode_t omask;
krb5_enctype etype;
+ int database_fd;
char ntop[NI_MAXHOST] = "";
krb5_context doit_context;
kdb_log_context *log_ctx;
@@ -389,7 +384,6 @@ void doit(fd)
ulog_set_role(doit_context, IPROP_SLAVE);
fromlen = (socklen_t)sizeof (from);
-
if (getpeername(fd, (struct sockaddr *) &from, &fromlen) < 0) {
fprintf(stderr, "%s: ", progname);
perror(gettext("getpeername"));
@@ -461,18 +455,19 @@ void doit(fd)
kerberos_authenticate(doit_context, fd, &client, &etype, from);
if (!authorized_principal(doit_context, client, etype)) {
- char *name;
+ char *name;
- if (retval = krb5_unparse_name(doit_context, client, &name)) {
- com_err(progname, retval,
+ retval = krb5_unparse_name(doit_context, client, &name);
+ if (retval) {
+ com_err(progname, retval,
gettext("While unparsing client name"));
- exit(1);
- }
- syslog(LOG_WARNING,
+ exit(1);
+ }
+ syslog(LOG_WARNING,
gettext("Rejected connection from unauthorized principal %s"),
- name);
- free(name);
- exit(1);
+ name);
+ free(name);
+ exit(1);
}
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
@@ -519,8 +514,8 @@ void doit(fd)
* Send the acknowledgement message generated in
* recv_database, then close the socket.
*/
- if (retval = krb5_write_message(doit_context, (void *) &fd,
- &confmsg)) {
+ retval = krb5_write_message(doit_context, (void *) &fd, &confmsg);
+ if (retval) {
krb5_free_data_contents(doit_context, &confmsg);
com_err(progname, retval,
gettext("while sending # of received bytes"));
@@ -532,7 +527,7 @@ void doit(fd)
gettext("while trying to close database file"));
exit(1);
}
-
+
exit(0);
}
@@ -1075,9 +1070,12 @@ void PRS(argc,argv)
exit(1);
}
if (realm) {
- (void) krb5_xfree(krb5_princ_realm(context, server)->data);
- krb5_princ_set_realm_length(context, server, strlen(realm));
- krb5_princ_set_realm_data(context, server, strdup(realm));
+ retval = krb5_set_principal_realm(kpropd_context, server, realm);
+ if (retval) {
+ com_err(progname, errno,
+ gettext("while constructing my service realm"));
+ exit(1);
+ }
}
/*
* Construct the name of the temporary file.
@@ -1162,7 +1160,9 @@ kerberos_authenticate(context, fd, clientp, etype, ss)
if (debug) {
char *name;
- if (retval = krb5_unparse_name(context, server, &name)) {
+
+ retval = krb5_unparse_name(context, server, &name);
+ if (retval) {
com_err(progname, retval, gettext("While unparsing server name"));
exit(1);
}
@@ -1171,42 +1171,46 @@ kerberos_authenticate(context, fd, clientp, etype, ss)
free(name);
}
- if (retval = krb5_auth_con_init(context, &auth_context)) {
+ retval = krb5_auth_con_init(context, &auth_context);
+ if (retval) {
syslog(LOG_ERR, gettext("Error in krb5_auth_con_init: %s"),
- error_message(retval));
+ error_message(retval));
exit(1);
}
- if (retval = krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)) {
+ retval = krb5_auth_con_setflags(context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+ if (retval) {
syslog(LOG_ERR, gettext("Error in krb5_auth_con_setflags: %s"),
error_message(retval));
exit(1);
}
- if (retval = krb5_auth_con_setaddrs(context, auth_context, &receiver_addr,
- &sender_addr)) {
+ retval = krb5_auth_con_setaddrs(context, auth_context, &receiver_addr,
+ &sender_addr);
+ if (retval) {
syslog(LOG_ERR, gettext("Error in krb5_auth_con_setaddrs: %s"),
error_message(retval));
exit(1);
}
if (srvtab) {
- if (retval = krb5_kt_resolve(context, srvtab, &keytab)) {
+ retval = krb5_kt_resolve(context, srvtab, &keytab);
+ if (retval) {
syslog(LOG_ERR, gettext("Error in krb5_kt_resolve: %s"), error_message(retval));
exit(1);
}
}
- if (retval = krb5_recvauth(context, &auth_context, (void *) &fd,
- kprop_version, server, 0, keytab, &ticket)){
- syslog(LOG_ERR, gettext("Error in krb5_recvauth: %s"),
- error_message(retval));
+ retval = krb5_recvauth(context, &auth_context, (void *) &fd,
+ kprop_version, server, 0, keytab, &ticket);
+ if (retval) {
+ syslog(LOG_ERR, gettext("Error in krb5_recvauth: %s"), error_message(retval));
exit(1);
}
- if (retval = krb5_copy_principal(context,
- ticket->enc_part2->client, clientp)) {
+ retval = krb5_copy_principal(context, ticket->enc_part2->client, clientp);
+ if (retval) {
syslog(LOG_ERR, gettext("Error in krb5_copy_prinicpal: %s"),
error_message(retval));
exit(1);
@@ -1218,14 +1222,15 @@ kerberos_authenticate(context, fd, clientp, etype, ss)
char * name;
char etypebuf[100];
- if (retval = krb5_unparse_name(context, *clientp, &name)) {
+ retval = krb5_unparse_name(context, *clientp, &name);
+ if (retval) {
com_err(progname, retval,
gettext("While unparsing client name"));
exit(1);
}
- if (retval = krb5_enctype_to_string(*etype, etypebuf,
- sizeof(etypebuf))) {
+ retval = krb5_enctype_to_string(*etype, etypebuf, sizeof(etypebuf));
+ if (retval) {
com_err(progname, retval, gettext("While unparsing ticket etype"));
exit(1);
}
@@ -1269,11 +1274,11 @@ authorized_principal(context, p, auth_etype)
/* if the next character is not whitespace or nul, then
the match is only partial. continue on to new lines. */
- if (*ptr && !isspace(*ptr))
+ if (*ptr && !isspace((int) *ptr))
continue;
/* otherwise, skip trailing whitespace */
- for (; *ptr && isspace(*ptr); ptr++) ;
+ for (; *ptr && isspace((int) *ptr); ptr++) ;
/* now, look for an etype string. if there isn't one,
return true. if there is an invalid string, continue.
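Review bot: `isspace((int) *ptr)` does not remove the ctype hazard it appears aimed at: `char` may be signed, so a byte above 0x7f becomes a negative int, and passing any negative value other than EOF to isspace is undefined behaviour. Use `isspace((unsigned char) *ptr)` on both changed lines. authorized_principal is parsing the ACL file here and continues outside the hunk, so the input cannot be assumed to be 7-bit.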
@@ -1302,7 +1307,7 @@ recv_database(context, fd, database_fd, confmsg)
int database_fd;
krb5_data *confmsg;
{
- int database_size;
+ krb5_ui_4 database_size; /* This must be 4 bytes */
int received_size, n;
char buf[1024];
krb5_data inbuf, outbuf;
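Review bot: `database_size` becomes `krb5_ui_4` while `received_size` on the next line stays `int`; the loop condition `while (received_size < database_size)` in the later recv_database hunk therefore compares signed with unsigned, and a peer-supplied size above INT_MAX would push `received_size` into signed overflow before the "too many bytes" check runs. Declare the counter with the matching type, `krb5_ui_4 received_size;`, and change the `%d` in the two "starting at offset" messages to `%u`. recv_database continues outside this hunk.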
@@ -1311,7 +1316,8 @@ recv_database(context, fd, database_fd, confmsg)
/*
* Receive and decode size from client
*/
- if (retval = krb5_read_message(context, (void *) &fd, &inbuf)) {
+ retval = krb5_read_message(context, (void *) &fd, &inbuf);
+ if (retval) {
send_error(context, fd, retval, gettext("while reading database size"));
com_err(progname, retval,
gettext("while reading size of database from client"));
@@ -1319,8 +1325,10 @@ recv_database(context, fd, database_fd, confmsg)
}
if (krb5_is_krb_error(&inbuf))
recv_error(context, &inbuf);
- if (retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL)) {
- send_error(context, fd, retval, gettext("while decoding database size"));
+ retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL);
+ if (retval) {
+ send_error(context, fd, retval, gettext(
+ "while decoding database size"));
krb5_free_data_contents(context, &inbuf);
com_err(progname, retval,
gettext("while decoding database size from client"));
@@ -1331,21 +1339,24 @@ recv_database(context, fd, database_fd, confmsg)
krb5_free_data_contents(context, &outbuf);
database_size = ntohl(database_size);
- /*
- * Initialize the initial vector.
- */
- if (retval = krb5_auth_con_initivector(context, auth_context)) {
- send_error(context, fd, retval, gettext("failed while initializing i_vector"));
- com_err(progname, retval, gettext("while initializing i_vector"));
- exit(1);
- }
+ /*
+ * Initialize the initial vector.
+ */
+ retval = krb5_auth_con_initivector(context, auth_context);
+ if (retval) {
+ send_error(context, fd, retval, gettext(
+ "failed while initializing i_vector"));
+ com_err(progname, retval, gettext("while initializing i_vector"));
+ exit(1);
+ }
/*
* Now start receiving the database from the net
*/
received_size = 0;
while (received_size < database_size) {
- if (retval = krb5_read_message(context, (void *) &fd, &inbuf)) {
+ retval = krb5_read_message(context, (void *) &fd, &inbuf);
+ if (retval) {
snprintf(buf, sizeof (buf),
gettext("while reading database block starting at offset %d"),
received_size);
@@ -1355,8 +1366,9 @@ recv_database(context, fd, database_fd, confmsg)
}
if (krb5_is_krb_error(&inbuf))
recv_error(context, &inbuf);
- if (retval = krb5_rd_priv(context, auth_context, &inbuf,
- &outbuf, NULL)) {
+ retval = krb5_rd_priv(context, auth_context, &inbuf,
+ &outbuf, NULL);
+ if (retval) {
snprintf(buf, sizeof (buf),
gettext("while decoding database block starting at offset %d"),
received_size);
@@ -1384,6 +1396,7 @@ recv_database(context, fd, database_fd, confmsg)
/* SUNWresync121: our krb5...contents sets length to 0 */
krb5_free_data_contents(context, &inbuf);
krb5_free_data_contents(context, &outbuf);
+
}
/*
* OK, we've seen the entire file. Did we get too many bytes?
@@ -1401,7 +1414,8 @@ recv_database(context, fd, database_fd, confmsg)
database_size = htonl(database_size);
inbuf.data = (char *) &database_size;
inbuf.length = sizeof(database_size);
- if (retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL)) {
+ retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL);
+ if (retval) {
com_err(progname, retval,
gettext("while encoding # of receieved bytes"));
send_error(context, fd, retval,
@@ -1443,7 +1457,8 @@ send_error(context, fd, err_code, err_text)
}
}
error.text.length = strlen(text) + 1;
- if (error.text.data = malloc(error.text.length)) {
+ error.text.data = malloc(error.text.length);
+ if (error.text.data) {
strcpy(error.text.data, text);
if (!krb5_mk_error(context, &error, &outbuf)) {
(void) krb5_write_message(context, (void *)&fd,&outbuf);
@@ -1461,7 +1476,8 @@ recv_error(context, inbuf)
krb5_error *error;
krb5_error_code retval;
- if (retval = krb5_rd_error(context, inbuf, &error)) {
+ retval = krb5_rd_error(context, inbuf, &error);
+ if (retval) {
com_err(progname, retval,
gettext("while decoding error packet from client"));
exit(1);
@@ -1484,25 +1500,35 @@ recv_error(context, inbuf)
}
void
-load_database(context, kdb5_util, database_file_name)
+load_database(context, kdb_util, database_file_name)
krb5_context context;
- char *kdb5_util;
+ char *kdb_util;
char *database_file_name;
{
static char *edit_av[10];
- int error_ret, save_stderr;
+ int error_ret, save_stderr = -1;
int child_pid;
int count;
+
+ /* <sys/param.h> has been included, so BSD will be defined on
+ BSD systems */
+#if BSD > 0 && BSD <= 43
+#ifndef WEXITSTATUS
+#define WEXITSTATUS(w) (w).w_retcode
+#endif
+ union wait waitb;
+#else
int waitb;
+#endif
krb5_error_code retval;
kdb_log_context *log_ctx;
if (debug)
- printf(gettext("calling kdb5_util to load database\n"));
+ printf(gettext("calling kdb_util to load database\n"));
log_ctx = context->kdblog_context;
- edit_av[0] = kdb5_util;
+ edit_av[0] = kdb_util;
count = 1;
if (realm) {
edit_av[count++] = "-r";
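Review bot: The new `#if BSD > 0 && BSD <= 43` block that conditionally defines `WEXITSTATUS` sits in the middle of load_database's local declarations, so the macro's definition site is far from its single use near the end of the function and is easy to miss in review; hoisting the `#ifndef WEXITSTATUS` / `#define WEXITSTATUS(w) (w).w_retcode` pair to the top of the file next to the `<sys/param.h>` include, leaving only the `union wait waitb;` / `int waitb;` choice here, would keep the function body to declarations. The comment preceding the block would then read better as `/* <sys/param.h> defines BSD on BSD systems; 4.3BSD's wait() takes a union wait. */`. Argument assembly into the fixed `static char *edit_av[10]` via `count++` starts here and continues outside the hunk; I do not see a bound check on `count` in the visible lines, though the argument set may well be small enough that none is needed. load_database's body continues beyond the hunk.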
@@ -1523,7 +1549,7 @@ load_database(context, kdb5_util, database_file_name)
switch(child_pid = fork()) {
case -1:
com_err(progname, errno, gettext("while trying to fork %s"),
- kdb5_util);
+ kdb_util);
exit(1);
/*NOTREACHED*/
case 0:
@@ -1537,12 +1563,12 @@ load_database(context, kdb5_util, database_file_name)
dup(0);
}
- execv(kdb5_util, edit_av);
+ execv(kdb_util, edit_av);
retval = errno;
if (!debug)
dup2(save_stderr, 2);
com_err(progname, retval, gettext("while trying to exec %s"),
- kdb5_util);
+ kdb_util);
_exit(1);
/*NOTREACHED*/
default:
@@ -1550,15 +1576,16 @@ load_database(context, kdb5_util, database_file_name)
printf(gettext("Child PID is %d\n"), child_pid);
if (wait(&waitb) < 0) {
com_err(progname, errno, gettext("while waiting for %s"),
- kdb5_util);
+ kdb_util);
exit(1);
}
}
- if ((error_ret = WEXITSTATUS(waitb)) != 0) {
+ error_ret = WEXITSTATUS(waitb);
+ if (error_ret) {
com_err(progname, 0,
- gettext("%s returned a bad exit status (%d)"), kdb5_util,
- error_ret);
+ gettext("%s returned a bad exit status (%d)"),
+ kdb_util, error_ret);
exit(1);
}
return;
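Review bot: The new `error_ret = WEXITSTATUS(waitb);` check is only meaningful when the child exited normally; if `kdb_util` was terminated by a signal, `WEXITSTATUS` is unspecified and commonly yields 0, so a crashed load would pass this check and the caller would proceed as if the database had loaded. A guard ahead of it, `if (!WIFEXITED(waitb)) { com_err(progname, 0, gettext("%s terminated abnormally"), kdb_util); exit(1); }`, closes that gap; on the BSD `union wait` branch declared earlier in the function, a matching `WIFEXITED` fallback would be needed alongside the existing `WEXITSTATUS` one. The `wait(&waitb)` on the context line above also reaps whichever child exits first rather than `child_pid` specifically; `waitpid(child_pid, &waitb, 0)` would be precise if this process can have other children, which I cannot tell from the hunk. load_database's closing brace lies outside the hunk.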