Diffstat (limited to 'usr/src/lib/krb5/kadm5')
38 files changed, 2378 insertions, 1605 deletions
diff --git a/usr/src/lib/krb5/kadm5/adb.h b/usr/src/lib/krb5/kadm5/adb.h index 6c6f6a53bc..28448888d5 100644 --- a/usr/src/lib/krb5/kadm5/adb.h +++ b/usr/src/lib/krb5/kadm5/adb.h @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -69,8 +69,10 @@ typedef struct _osa_adb_db_ent_t { int magic; DB *db; HASHINFO info; + BTREEINFO btinfo; char *filename; osa_adb_lock_t lock; + int opencnt; } osa_adb_db_ent, *osa_adb_db_t, *osa_adb_princ_t, *osa_adb_policy_t; /* an osa_pw_hist_ent stores all the key_datas for a single password */ @@ -92,12 +94,12 @@ typedef struct _osa_princ_ent_t { typedef struct _osa_policy_ent_t { int version; char *name; - rpc_u_int32 pw_min_life; - rpc_u_int32 pw_max_life; - rpc_u_int32 pw_min_length; - rpc_u_int32 pw_min_classes; - rpc_u_int32 pw_history_num; - rpc_u_int32 policy_refcnt; + uint32_t pw_min_life; + uint32_t pw_max_life; + uint32_t pw_min_length; + uint32_t pw_min_classes; + uint32_t pw_history_num; + uint32_t policy_refcnt; } osa_policy_ent_rec, *osa_policy_ent_t; typedef void (*osa_adb_iter_princ_func) (void *, osa_princ_ent_t); @@ -115,6 +117,8 @@ typedef void (*osa_adb_iter_policy_func) (void *, osa_policy_ent_t); */ bool_t xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp); bool_t xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp); +bool_t xdr_osa_pw_hist_ent(XDR *xdrs, osa_pw_hist_ent *objp); +bool_t xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp); /* * Functions 
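Review bot: The new `opencnt` member of `osa_adb_db_ent` in the `@@ -69,8 +69,10 @@` hunk is added without any comment, and because the same struct carries the database `lock`, a reader cannot tell from the header whether the count is protected by that lock or by the caller. I would add a line such as `int opencnt; /* number of outstanding opens of this handle -- TODO(review): state which lock protects it */`, adjusted to what adb_openclose.c actually does (not visible here). The switch from `rpc_u_int32` to `uint32_t` in `osa_policy_ent_rec` is fine only if a header included earlier in adb.h provides `uint32_t`; the hunk adds no include, so that is worth confirming.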
@@ -122,6 +126,10 @@ bool_t xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp); osa_adb_ret_t osa_adb_create_db(char *filename, char *lockfile, int magic); osa_adb_ret_t osa_adb_destroy_db(char *filename, char *lockfile, int magic); +osa_adb_ret_t osa_adb_rename_db(char *filefrom, char *lockfrom, + char *fileto, char *lockto, int magic); +osa_adb_ret_t osa_adb_rename_policy_db(kadm5_config_params *fromparams, + kadm5_config_params *toparams); osa_adb_ret_t osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfile, int magic); osa_adb_ret_t osa_adb_fini_db(osa_adb_db_t db, int magic); diff --git a/usr/src/lib/krb5/kadm5/adb_err.h b/usr/src/lib/krb5/kadm5/adb_err.h index f8024341b0..602a124151 100644 --- a/usr/src/lib/krb5/kadm5/adb_err.h +++ b/usr/src/lib/krb5/kadm5/adb_err.h @@ -17,11 +17,8 @@ * */ +#include <com_err.h> -/* - * adb_err.h: - * This file is automatically generated; please do not edit it. - */ #define OSA_ADB_NOERR (28810240L) #define OSA_ADB_DUP (28810241L) #define OSA_ADB_NOENT (28810242L) @@ -38,5 +35,16 @@ #define OSA_ADB_NOEXCL_PERM (28810253L) #define ERROR_TABLE_BASE_adb (28810240L) +extern const struct error_table et_adb_error_table; + +#if !defined(_WIN32) /* for compatibility with older versions... */ +extern void initialize_adb_error_table (void) /*@modifies internalState@*/; +#else +#define initialize_adb_error_table() +#endif + +#if !defined(_WIN32) +#define init_adb_err_tbl initialize_adb_error_table #define adb_err_base ERROR_TABLE_BASE_adb +#endif diff --git a/usr/src/lib/krb5/kadm5/admin.h b/usr/src/lib/krb5/kadm5/admin.h index ce78ab0bb3..d4d98c66f9 100644 --- a/usr/src/lib/krb5/kadm5/admin.h +++ b/usr/src/lib/krb5/kadm5/admin.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -28,12 +28,36 @@ extern "C" { * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING * */ - - +/* + * lib/kadm5/admin.h + * + * Copyright 2001 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.43.2.1 2000/05/19 22:24:14 raeburn Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.54 2004/08/21 02:31:09 tlyu Exp $ */ #include <sys/types.h> 
@@ -46,14 +70,14 @@ extern "C" { #include <kadm5/adb_err.h> #include <kadm5/chpass_util_strings.h> -#define KADM5_ADMIN_SERVICE_P "kadmin@admin" -#define KADM5_ADMIN_SERVICE "kadmin/admin" -#define KADM5_CHANGEPW_SERVICE_P "kadmin@changepw" -#define KADM5_CHANGEPW_SERVICE "kadmin/changepw" -#define KADM5_HIST_PRINCIPAL "kadmin/history" -#define KADM5_ADMIN_HOST_SERVICE "kadmin" -#define KADM5_CHANGEPW_HOST_SERVICE "changepw" -#define KADM5_KIPROP_HOST_SERVICE "kiprop" +#define KADM5_ADMIN_SERVICE_P "kadmin@admin" +#define KADM5_ADMIN_SERVICE "kadmin/admin" +#define KADM5_CHANGEPW_SERVICE_P "kadmin@changepw" +#define KADM5_CHANGEPW_SERVICE "kadmin/changepw" +#define KADM5_HIST_PRINCIPAL "kadmin/history" +#define KADM5_ADMIN_HOST_SERVICE "kadmin" +#define KADM5_CHANGEPW_HOST_SERVICE "changepw" +#define KADM5_KIPROP_HOST_SERVICE "kiprop" typedef krb5_principal kadm5_princ_t; typedef char *kadm5_policy_t; 
@@ -61,51 +85,51 @@ typedef long kadm5_ret_t; typedef int rpc_int32; typedef unsigned int rpc_u_int32; -#define KADM5_PW_FIRST_PROMPT \ - ((char *)error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT)) -#define KADM5_PW_SECOND_PROMPT \ - ((char *)error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT)) +#define KADM5_PW_FIRST_PROMPT \ + (error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT)) +#define KADM5_PW_SECOND_PROMPT \ + (error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT)) /* - * Succsessfull return code + * Successful return code */ -#define KADM5_OK 0 +#define KADM5_OK 0 /* * Field masks */ /* kadm5_principal_ent_t */ -#define KADM5_PRINCIPAL 0x000001 -#define KADM5_PRINC_EXPIRE_TIME 0x000002 -#define KADM5_PW_EXPIRATION 0x000004 -#define KADM5_LAST_PWD_CHANGE 0x000008 -#define KADM5_ATTRIBUTES 0x000010 -#define KADM5_MAX_LIFE 0x000020 -#define KADM5_MOD_TIME 0x000040 -#define KADM5_MOD_NAME 0x000080 -#define KADM5_KVNO 0x000100 -#define KADM5_MKVNO 0x000200 -#define KADM5_AUX_ATTRIBUTES 0x000400 -#define KADM5_POLICY 0x000800 -#define KADM5_POLICY_CLR 0x001000 +#define KADM5_PRINCIPAL 0x000001 +#define KADM5_PRINC_EXPIRE_TIME 0x000002 +#define KADM5_PW_EXPIRATION 0x000004 +#define KADM5_LAST_PWD_CHANGE 0x000008 +#define KADM5_ATTRIBUTES 0x000010 +#define KADM5_MAX_LIFE 0x000020 +#define KADM5_MOD_TIME 0x000040 +#define KADM5_MOD_NAME 0x000080 +#define KADM5_KVNO 0x000100 +#define KADM5_MKVNO 0x000200 +#define KADM5_AUX_ATTRIBUTES 0x000400 +#define KADM5_POLICY 0x000800 +#define KADM5_POLICY_CLR 0x001000 /* version 2 masks */ -#define KADM5_MAX_RLIFE 0x002000 -#define KADM5_LAST_SUCCESS 0x004000 -#define KADM5_LAST_FAILED 0x008000 -#define KADM5_FAIL_AUTH_COUNT 0x010000 -#define KADM5_KEY_DATA 0x020000 -#define KADM5_TL_DATA 0x040000 +#define KADM5_MAX_RLIFE 0x002000 +#define KADM5_LAST_SUCCESS 0x004000 +#define KADM5_LAST_FAILED 0x008000 +#define KADM5_FAIL_AUTH_COUNT 0x010000 +#define KADM5_KEY_DATA 0x020000 +#define KADM5_TL_DATA 0x040000 /* all but KEY_DATA and 
TL_DATA */ -#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff +#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff /* kadm5_policy_ent_t */ -#define KADM5_PW_MAX_LIFE 0x004000 -#define KADM5_PW_MIN_LIFE 0x008000 -#define KADM5_PW_MIN_LENGTH 0x010000 -#define KADM5_PW_MIN_CLASSES 0x020000 -#define KADM5_PW_HISTORY_NUM 0x040000 -#define KADM5_REF_COUNT 0x080000 +#define KADM5_PW_MAX_LIFE 0x004000 +#define KADM5_PW_MIN_LIFE 0x008000 +#define KADM5_PW_MIN_LENGTH 0x010000 +#define KADM5_PW_MIN_CLASSES 0x020000 +#define KADM5_PW_HISTORY_NUM 0x040000 +#define KADM5_REF_COUNT 0x080000 /* kadm5_config_params */ #define KADM5_CONFIG_REALM 0x0000001 @@ -150,23 +174,23 @@ typedef unsigned int rpc_u_int32; /* * permission bits */ -#define KADM5_PRIV_GET 0x01 -#define KADM5_PRIV_ADD 0x02 -#define KADM5_PRIV_MODIFY 0x04 -#define KADM5_PRIV_DELETE 0x08 +#define KADM5_PRIV_GET 0x01 +#define KADM5_PRIV_ADD 0x02 +#define KADM5_PRIV_MODIFY 0x04 +#define KADM5_PRIV_DELETE 0x08 /* * API versioning constants */ -#define KADM5_MASK_BITS 0xffffff00 +#define KADM5_MASK_BITS 0xffffff00 -#define KADM5_STRUCT_VERSION_MASK 0x12345600 -#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01) -#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1 +#define KADM5_STRUCT_VERSION_MASK 0x12345600 +#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01) +#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1 -#define KADM5_API_VERSION_MASK 0x12345700 -#define KADM5_API_VERSION_1 (KADM5_API_VERSION_MASK|0x01) -#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02) +#define KADM5_API_VERSION_MASK 0x12345700 +#define KADM5_API_VERSION_1 (KADM5_API_VERSION_MASK|0x01) +#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02) #ifdef KRB5_DNS_LOOKUP /* 
@@ -192,12 +216,12 @@ typedef struct _kadm5_principal_ent_t_v2 { /* version 2 fields */ krb5_deltat max_renewable_life; - krb5_timestamp last_success; - krb5_timestamp last_failed; - krb5_kvno fail_auth_count; + krb5_timestamp last_success; + krb5_timestamp last_failed; + krb5_kvno fail_auth_count; krb5_int16 n_key_data; krb5_int16 n_tl_data; - krb5_tl_data *tl_data; + krb5_tl_data *tl_data; krb5_key_data *key_data; } kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2; @@ -216,9 +240,13 @@ typedef struct _kadm5_principal_ent_t_v1 { long aux_attributes; } kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1; - +#if USE_KADM5_API_VERSION == 1 +typedef struct _kadm5_principal_ent_t_v1 + kadm5_principal_ent_rec, *kadm5_principal_ent_t; +#else typedef struct _kadm5_principal_ent_t_v2 -kadm5_principal_ent_rec, *kadm5_principal_ent_t; + kadm5_principal_ent_rec, *kadm5_principal_ent_t; +#endif typedef struct _kadm5_policy_ent_t { char *policy; 
@@ -248,33 +276,37 @@ typedef enum { * Data structure returned by kadm5_get_config_params() */ typedef struct _kadm5_config_params { - long mask; - char *realm; - char *profile; - int kadmind_port; - char *admin_server; - char *dbname; - char *admin_dbname; - char *admin_lockfile; - char *admin_keytab; - char *acl_file; - char *dict_file; - int mkey_from_kbd; - char *stash_file; - char *mkey_name; - krb5_enctype enctype; - krb5_deltat max_life; - krb5_deltat max_rlife; - krb5_timestamp expiration; - krb5_flags flags; - krb5_key_salt_tuple *keysalts; - krb5_int32 num_keysalts; - char *kpasswd_server; - int kpasswd_port; - krb5_chgpwd_prot kpasswd_protocol; - bool_t iprop_enabled; - int iprop_ulogsize; - char *iprop_polltime; + long mask; + char * realm; + char * profile; + int kadmind_port; + int kpasswd_port; + + char * admin_server; + + char * dbname; + char * admin_dbname; + char * admin_lockfile; + char * admin_keytab; + char * acl_file; + char * dict_file; + + int mkey_from_kbd; + char * stash_file; + char * mkey_name; + krb5_enctype enctype; + krb5_deltat max_life; + krb5_deltat max_rlife; + krb5_timestamp expiration; + krb5_flags flags; + krb5_key_salt_tuple *keysalts; + krb5_int32 num_keysalts; + char *kpasswd_server; + + krb5_chgpwd_prot kpasswd_protocol; + bool_t iprop_enabled; + int iprop_ulogsize; + char *iprop_polltime; } kadm5_config_params; /*********************************************************************** 
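Review bot: Moving `kpasswd_port` from after `kpasswd_server` to directly after `kadmind_port` changes the layout of `kadm5_config_params`, the public structure filled in by `kadm5_get_config_params()`, so anything compiled against the previous header would read `admin_server` and every later pointer field at the wrong offset. If libkadm5 has consumers outside this tree (I cannot tell from this hunk), keep the old slot, i.e. leave `char *kpasswd_server;` followed by `int kpasswd_port;` and drop the new `int kpasswd_port;` near the top; if the library is strictly private, a one-line comment above the struct saying the layout is not an ABI would justify the reorder. A short comment on `iprop_ulogsize` and `iprop_polltime`, which do not appear in the upstream MIT struct as far as I can tell, would also help the next reader.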
@@ -287,13 +319,13 @@ typedef struct _kadm5_config_params { * Data structure returned by krb5_read_realm_params() */ typedef struct __krb5_realm_params { - char *realm_profile; - char *realm_dbname; - char *realm_mkey_name; - char *realm_stash_file; - char *realm_kdc_ports; - char *realm_kdc_tcp_ports; - char *realm_acl_file; + char * realm_profile; + char * realm_dbname; + char * realm_mkey_name; + char * realm_stash_file; + char * realm_kdc_ports; + char * realm_kdc_tcp_ports; + char * realm_acl_file; krb5_int32 realm_kadmind_port; krb5_enctype realm_enctype; krb5_deltat realm_max_life; @@ -301,13 +333,14 @@ typedef struct __krb5_realm_params { krb5_timestamp realm_expiration; krb5_flags realm_flags; krb5_key_salt_tuple *realm_keysalts; + unsigned int realm_reject_bad_transit:1; unsigned int realm_kadmind_port_valid:1; unsigned int realm_enctype_valid:1; unsigned int realm_max_life_valid:1; unsigned int realm_max_rlife_valid:1; unsigned int realm_expiration_valid:1; unsigned int realm_flags_valid:1; - unsigned int realm_filler:7; + unsigned int realm_reject_bad_transit_valid:1; krb5_int32 realm_num_keysalts; } krb5_realm_params; 
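Review bot: `realm_reject_bad_transit` and `realm_reject_bad_transit_valid` are added to `krb5_realm_params` with no comment, yet this flag governs whether the KDC rejects tickets whose transited-realm path fails policy checking, which is a security decision a reader should not have to infer from the name. I would annotate the bit, e.g. `unsigned int realm_reject_bad_transit:1; /* reject_bad_transit = true: refuse tickets that fail transited-realm checking */`, and note the default the loader applies when the `_valid` bit is clear (the loader is outside this hunk, so I cannot quote it). Replacing `realm_filler:7` with a single 1-bit field also drops the padding bits; that is harmless for a bitfield, but a comment saying the layout is internal would avoid questions later.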
@@ -315,52 +348,63 @@ typedef struct __krb5_realm_params { * functions */ - -kadm5_ret_t -kadm5_get_master(krb5_context context, const char *realm, char **master); - kadm5_ret_t kadm5_get_adm_host_srv_name(krb5_context context, - const char *realm, char **host_service_name); + const char *realm, char **host_service_name); kadm5_ret_t kadm5_get_cpw_host_srv_name(krb5_context context, - const char *realm, char **host_service_name); + const char *realm, char **host_service_name); +#if USE_KADM5_API_VERSION > 1 krb5_error_code kadm5_get_config_params(krb5_context context, char *kdcprofile, char *kdcenv, kadm5_config_params *params_in, kadm5_config_params *params_out); -/* SUNWresync121 XXX */ -krb5_error_code kadm5_free_config_params(krb5_context context, - kadm5_config_params *params); +krb5_error_code kadm5_free_config_params(krb5_context context, + kadm5_config_params *params); krb5_error_code kadm5_free_realm_params(krb5_context kcontext, kadm5_config_params *params); -kadm5_ret_t kadm5_init(char *client_name, char *pass, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle); +krb5_error_code kadm5_get_admin_service_name(krb5_context, char *, + char *, size_t); +#endif +kadm5_ret_t kadm5_init(char *client_name, char *pass, + char *service_name, +#if USE_KADM5_API_VERSION == 1 + char *realm, +#else + kadm5_config_params *params, +#endif + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + void **server_handle); kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, char *service_name, +#if USE_KADM5_API_VERSION == 1 + char *realm, +#else kadm5_config_params *params, +#endif krb5_ui_4 struct_version, krb5_ui_4 api_version, void **server_handle); kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, char *service_name, +#if USE_KADM5_API_VERSION == 1 + char *realm, +#else kadm5_config_params *params, +#endif krb5_ui_4 struct_version, krb5_ui_4 api_version, void 
**server_handle); - +#if USE_KADM5_API_VERSION > 1 kadm5_ret_t kadm5_init_with_creds(char *client_name, krb5_ccache cc, char *service_name, @@ -368,6 +412,9 @@ kadm5_ret_t kadm5_init_with_creds(char *client_name, krb5_ui_4 struct_version, krb5_ui_4 api_version, void **server_handle); +#endif +kadm5_ret_t kadm5_lock(void *server_handle); +kadm5_ret_t kadm5_unlock(void *server_handle); kadm5_ret_t kadm5_flush(void *server_handle); kadm5_ret_t kadm5_destroy(void *server_handle); kadm5_ret_t kadm5_create_principal(void *server_handle, @@ -385,13 +432,17 @@ kadm5_ret_t kadm5_modify_principal(void *server_handle, kadm5_principal_ent_t ent, long mask); kadm5_ret_t kadm5_rename_principal(void *server_handle, - krb5_principal, krb5_principal); - + krb5_principal,krb5_principal); +#if USE_KADM5_API_VERSION == 1 kadm5_ret_t kadm5_get_principal(void *server_handle, - krb5_principal principal, - kadm5_principal_ent_t ent, - long mask); - + krb5_principal principal, + kadm5_principal_ent_t *ent); +#else +kadm5_ret_t kadm5_get_principal(void *server_handle, + krb5_principal principal, + kadm5_principal_ent_t ent, + long mask); +#endif kadm5_ret_t kadm5_chpass_principal(void *server_handle, krb5_principal principal, char *pass); @@ -401,6 +452,11 @@ kadm5_ret_t kadm5_chpass_principal_3(void *server_handle, int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, char *pass); +#if USE_KADM5_API_VERSION == 1 +kadm5_ret_t kadm5_randkey_principal(void *server_handle, + krb5_principal principal, + krb5_keyblock **keyblock); +#else /* * Solaris Kerberos: @@ -415,7 +471,6 @@ kadm5_ret_t kadm5_randkey_principal(void *server_handle, krb5_principal principal, krb5_keyblock **keyblocks, int *n_keys); - kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, krb5_principal principal, krb5_boolean keepold, 
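Review bot: The new `#if USE_KADM5_API_VERSION > 1` and `== 1` guards around `kadm5_get_config_params`, the `kadm5_init*` family and `kadm5_init_with_creds` assume the macro is always defined, but in `#if` an undefined identifier evaluates to 0, so a translation unit that includes admin.h without defining it gets neither the v1 nor the v2 prototypes and silently falls back to implicit declarations. Unless an earlier part of admin.h (outside this hunk) already supplies a default, I would add `#ifndef USE_KADM5_API_VERSION` / `#define USE_KADM5_API_VERSION 2` / `#endif` before the first use. The `kadm5_init_with_creds` declaration opened at the end of this hunk continues in the next one.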
@@ -423,6 +478,7 @@ kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, krb5_key_salt_tuple *ks_tuple, krb5_keyblock **keyblocks, int *n_keys); +#endif kadm5_ret_t kadm5_setv4key_principal(void *server_handle, krb5_principal principal, krb5_keyblock *keyblock); @@ -440,6 +496,12 @@ kadm5_ret_t kadm5_setkey_principal_3(void *server_handle, krb5_keyblock *keyblocks, int n_keys); +kadm5_ret_t kadm5_decrypt_key(void *server_handle, + kadm5_principal_ent_t entry, krb5_int32 + ktype, krb5_int32 stype, krb5_int32 + kvno, krb5_keyblock *keyblock, + krb5_keysalt *keysalt, int *kvnop); + kadm5_ret_t kadm5_create_policy(void *server_handle, kadm5_policy_ent_t ent, long mask); @@ -466,20 +528,24 @@ kadm5_ret_t kadm5_modify_policy(void *server_handle, kadm5_ret_t kadm5_modify_policy_internal(void *server_handle, kadm5_policy_ent_t entry, long mask); - +#if USE_KADM5_API_VERSION == 1 +kadm5_ret_t kadm5_get_policy(void *server_handle, + kadm5_policy_t policy, + kadm5_policy_ent_t *ent); +#else kadm5_ret_t kadm5_get_policy(void *server_handle, kadm5_policy_t policy, kadm5_policy_ent_t ent); - +#endif kadm5_ret_t kadm5_get_privs(void *server_handle, - long *privs); + long *privs); kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, krb5_principal princ, char *new_pw, char **ret_pw, char *msg_ret, - int msg_len); + unsigned int msg_len); kadm5_ret_t kadm5_free_principal_ent(void *server_handle, kadm5_principal_ent_t 
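Review bot: `kadm5_decrypt_key` hands cleartext principal key material back through `keyblock`, but the new declaration says nothing about who owns `keyblock->contents` or how it must be released, and for a function that exposes long-term keys that contract belongs in the header. I would add a comment above the prototype describing that the key of the given `ktype`/`stype`/`kvno` is decrypted from `entry` into `*keyblock`, that the contents are allocated for the caller and must be released with `krb5_free_keyblock_contents()`, and what `kvnop` receives when non-NULL, adjusted to match the implementation in svr_principal.c, which I cannot see here. Changing `msg_len` in `kadm5_chpass_principal_util` to `unsigned int` is a good hardening step; callers that passed a signed expression or -1 should be rechecked, since they now become very large counts rather than negative ones.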
@@ -495,14 +561,261 @@ kadm5_ret_t kadm5_get_policies(void *server_handle, char *exp, char ***pols, int *count); - +#if USE_KADM5_API_VERSION > 1 kadm5_ret_t kadm5_free_key_data(void *server_handle, krb5_int16 *n_key_data, krb5_key_data *key_data); +#endif + +kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names, + int count); + +#if USE_KADM5_API_VERSION == 1 +/* + * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time + * compatible with KADM5_API_VERSION_2. Basically, this means we have + * to continue to provide all the old ovsec_kadm function and symbol + * names. + */ + +#define OVSEC_KADM_ACLFILE "/krb5/ovsec_adm.acl" +#define OVSEC_KADM_WORDFILE "/krb5/ovsec_adm.dict" -kadm5_ret_t kadm5_free_name_list(void *server_handle, - char **names, int count); +#define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin" +#define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw" +#define OVSEC_KADM_HIST_PRINCIPAL "ovsec_adm/history" +typedef krb5_principal ovsec_kadm_princ_t; +typedef krb5_keyblock ovsec_kadm_keyblock; +typedef char *ovsec_kadm_policy_t; +typedef long ovsec_kadm_ret_t; + +enum ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL }; +enum ovsec_kadm_saltmod { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL }; + +#define OVSEC_KADM_PW_FIRST_PROMPT \ + ((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT)) +#define OVSEC_KADM_PW_SECOND_PROMPT \ + ((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT)) + +/* + * Successful return code + */ +#define OVSEC_KADM_OK 0 + +/* + * Create/Modify masks + */ +/* principal */ +#define OVSEC_KADM_PRINCIPAL 0x000001 +#define OVSEC_KADM_PRINC_EXPIRE_TIME 0x000002 +#define OVSEC_KADM_PW_EXPIRATION 0x000004 +#define OVSEC_KADM_LAST_PWD_CHANGE 0x000008 +#define OVSEC_KADM_ATTRIBUTES 0x000010 +#define OVSEC_KADM_MAX_LIFE 0x000020 +#define OVSEC_KADM_MOD_TIME 0x000040 +#define OVSEC_KADM_MOD_NAME 0x000080 +#define OVSEC_KADM_KVNO 0x000100 +#define OVSEC_KADM_MKVNO 0x000200 
+#define OVSEC_KADM_AUX_ATTRIBUTES 0x000400 +#define OVSEC_KADM_POLICY 0x000800 +#define OVSEC_KADM_POLICY_CLR 0x001000 +/* policy */ +#define OVSEC_KADM_PW_MAX_LIFE 0x004000 +#define OVSEC_KADM_PW_MIN_LIFE 0x008000 +#define OVSEC_KADM_PW_MIN_LENGTH 0x010000 +#define OVSEC_KADM_PW_MIN_CLASSES 0x020000 +#define OVSEC_KADM_PW_HISTORY_NUM 0x040000 +#define OVSEC_KADM_REF_COUNT 0x080000 + +/* + * permission bits + */ +#define OVSEC_KADM_PRIV_GET 0x01 +#define OVSEC_KADM_PRIV_ADD 0x02 +#define OVSEC_KADM_PRIV_MODIFY 0x04 +#define OVSEC_KADM_PRIV_DELETE 0x08 + +/* + * API versioning constants + */ +#define OVSEC_KADM_MASK_BITS 0xffffff00 + +#define OVSEC_KADM_STRUCT_VERSION_MASK 0x12345600 +#define OVSEC_KADM_STRUCT_VERSION_1 (OVSEC_KADM_STRUCT_VERSION_MASK|0x01) +#define OVSEC_KADM_STRUCT_VERSION OVSEC_KADM_STRUCT_VERSION_1 + +#define OVSEC_KADM_API_VERSION_MASK 0x12345700 +#define OVSEC_KADM_API_VERSION_1 (OVSEC_KADM_API_VERSION_MASK|0x01) + + +typedef struct _ovsec_kadm_principal_ent_t { + krb5_principal principal; + krb5_timestamp princ_expire_time; + krb5_timestamp last_pwd_change; + krb5_timestamp pw_expiration; + krb5_deltat max_life; + krb5_principal mod_name; + krb5_timestamp mod_date; + krb5_flags attributes; + krb5_kvno kvno; + krb5_kvno mkvno; + char *policy; + long aux_attributes; +} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t; + +typedef struct _ovsec_kadm_policy_ent_t { + char *policy; + long pw_min_life; + long pw_max_life; + long pw_min_length; + long pw_min_classes; + long pw_history_num; + long policy_refcnt; +} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t; + +/* + * functions + */ +ovsec_kadm_ret_t ovsec_kadm_init(char *client_name, char *pass, + char *service_name, char *realm, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + void **server_handle); +ovsec_kadm_ret_t ovsec_kadm_init_with_password(char *client_name, + char *pass, + char *service_name, + char *realm, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + void 
**server_handle); +ovsec_kadm_ret_t ovsec_kadm_init_with_skey(char *client_name, + char *keytab, + char *service_name, + char *realm, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + void **server_handle); +ovsec_kadm_ret_t ovsec_kadm_flush(void *server_handle); +ovsec_kadm_ret_t ovsec_kadm_destroy(void *server_handle); +ovsec_kadm_ret_t ovsec_kadm_create_principal(void *server_handle, + ovsec_kadm_principal_ent_t ent, + long mask, char *pass); +ovsec_kadm_ret_t ovsec_kadm_delete_principal(void *server_handle, + krb5_principal principal); +ovsec_kadm_ret_t ovsec_kadm_modify_principal(void *server_handle, + ovsec_kadm_principal_ent_t ent, + long mask); +ovsec_kadm_ret_t ovsec_kadm_rename_principal(void *server_handle, + krb5_principal,krb5_principal); +ovsec_kadm_ret_t ovsec_kadm_get_principal(void *server_handle, + krb5_principal principal, + ovsec_kadm_principal_ent_t *ent); +ovsec_kadm_ret_t ovsec_kadm_chpass_principal(void *server_handle, + krb5_principal principal, + char *pass); +ovsec_kadm_ret_t ovsec_kadm_randkey_principal(void *server_handle, + krb5_principal principal, + krb5_keyblock **keyblock); +ovsec_kadm_ret_t ovsec_kadm_create_policy(void *server_handle, + ovsec_kadm_policy_ent_t ent, + long mask); +/* + * ovsec_kadm_create_policy_internal is not part of the supported, + * exposed API. It is available only in the server library, and you + * shouldn't use it unless you know why it's there and how it's + * different from ovsec_kadm_create_policy. + */ +ovsec_kadm_ret_t ovsec_kadm_create_policy_internal(void *server_handle, + ovsec_kadm_policy_ent_t + entry, long mask); +ovsec_kadm_ret_t ovsec_kadm_delete_policy(void *server_handle, + ovsec_kadm_policy_t policy); +ovsec_kadm_ret_t ovsec_kadm_modify_policy(void *server_handle, + ovsec_kadm_policy_ent_t ent, + long mask); +/* + * ovsec_kadm_modify_policy_internal is not part of the supported, + * exposed API. 
It is available only in the server library, and you + * shouldn't use it unless you know why it's there and how it's + * different from ovsec_kadm_modify_policy. + */ +ovsec_kadm_ret_t ovsec_kadm_modify_policy_internal(void *server_handle, + ovsec_kadm_policy_ent_t + entry, long mask); +ovsec_kadm_ret_t ovsec_kadm_get_policy(void *server_handle, + ovsec_kadm_policy_t policy, + ovsec_kadm_policy_ent_t *ent); +ovsec_kadm_ret_t ovsec_kadm_get_privs(void *server_handle, + long *privs); + +ovsec_kadm_ret_t ovsec_kadm_chpass_principal_util(void *server_handle, + krb5_principal princ, + char *new_pw, + char **ret_pw, + char *msg_ret); + +ovsec_kadm_ret_t ovsec_kadm_free_principal_ent(void *server_handle, + ovsec_kadm_principal_ent_t + ent); +ovsec_kadm_ret_t ovsec_kadm_free_policy_ent(void *server_handle, + ovsec_kadm_policy_ent_t ent); + +ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle, + char **names, int count); + +ovsec_kadm_ret_t ovsec_kadm_get_principals(void *server_handle, + char *exp, char ***princs, + int *count); + +ovsec_kadm_ret_t ovsec_kadm_get_policies(void *server_handle, + char *exp, char ***pols, + int *count); + +#define OVSEC_KADM_FAILURE KADM5_FAILURE +#define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET +#define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD +#define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY +#define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE +#define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT +#define OVSEC_KADM_BAD_DB KADM5_BAD_DB +#define OVSEC_KADM_DUP KADM5_DUP +#define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR +#define OVSEC_KADM_NO_SRV KADM5_NO_SRV +#define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY +#define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT +#define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC +#define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY +#define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK +#define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS +#define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH +#define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY +#define 
OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL +#define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR +#define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY +#define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE +#define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT +#define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS +#define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT +#define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE +#define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON +#define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF +#define OVSEC_KADM_INIT KADM5_INIT +#define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD +#define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL +#define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE +#define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION +#define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION +#define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION +#define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION +#define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION +#define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION +#define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION +#define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION +#define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING +#define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT + +#endif /* USE_KADM5_API_VERSION == 1 */ krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle); kadm5_ret_t kadm5_chpass_principal_v2(void *server_handle, diff --git a/usr/src/lib/krb5/kadm5/admin_internal.h b/usr/src/lib/krb5/kadm5/admin_internal.h index f63f783e8a..60d55a52e8 100644 --- a/usr/src/lib/krb5/kadm5/admin_internal.h +++ b/usr/src/lib/krb5/kadm5/admin_internal.h 
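Review bot: The legacy `ovsec_kadm_chpass_principal_util` prototype takes `char *msg_ret` with no length parameter, unlike `kadm5_chpass_principal_util`, which in this same change gains `unsigned int msg_len`, so whatever the v1 shim writes into `msg_ret` is bounded only by a convention the header never states. I would document the required size above the prototype, e.g. `/* msg_ret must point to at least N bytes; prefer kadm5_chpass_principal_util(), which takes an explicit length */`, with N taken from the implementation (not visible here). The whole block is compiled only when `USE_KADM5_API_VERSION == 1`, so this only affects v1 consumers.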
@@ -21,7 +21,6 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin_internal.h,v 1.13.18.1 2000/05/19 22:24:14 raeburn Exp $ */ #ifndef __KADM5_ADMIN_INTERNAL_H__ @@ -82,18 +81,17 @@ * * Got that? */ -int _kadm5_check_handle(); - #define _KADM5_CHECK_HANDLE(handle) \ -{ int code; if ((code = _kadm5_check_handle((void *)handle))) return code; } +{ int ecode; if ((ecode = _kadm5_check_handle((void *)handle))) return ecode;} +int _kadm5_check_handle(void *handle); kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, void *lhandle, krb5_principal princ, char *new_pw, char **ret_pw, char *msg_ret, - int msg_len); + unsigned int msg_len); /* this is needed by the alt_prof code I stole. The functions maybe shouldn't be named krb5_*, but they are. */ diff --git a/usr/src/lib/krb5/kadm5/admin_xdr.h b/usr/src/lib/krb5/kadm5/admin_xdr.h index b1ef2a11d9..8eff0ca9f1 100644 --- a/usr/src/lib/krb5/kadm5/admin_xdr.h +++ b/usr/src/lib/krb5/kadm5/admin_xdr.h 
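Review bot: `_KADM5_CHECK_HANDLE` still expands to a bare `{ ... }` block, so `if (x) _KADM5_CHECK_HANDLE(h); else ...` does not parse, and the hidden `return` remains invisible at the call site; since the macro is being edited anyway I would write it as `do { int ecode = _kadm5_check_handle((void *)(handle)); if (ecode) return ecode; } while (0)`, which also parenthesizes `handle`. Giving `_kadm5_check_handle` a real prototype with `void *handle` is a welcome change. Identifiers beginning with an underscore and a capital letter are reserved for the implementation, though renaming the macro is out of scope for this commit.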
@@ -21,65 +21,61 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin_xdr.h,v 1.5 1996/07/22 20:35:33 marc Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin_xdr.h,v 1.7 2001/07/25 19:02:29 epeisach Exp $ * - * $Log: admin_xdr.h,v $ - * Revision 1.5 1996/07/22 20:35:33 marc - * this commit includes all the changes on the OV_9510_INTEGRATION and - * OV_MERGE branches. This includes, but is not limited to, the new openvision - * admin system, and major changes to gssapi to add functionality, and bring - * the implementation in line with rfc1964. before committing, the - * code was built and tested for netbsd and solaris. - * - * Revision 1.4.4.1 1996/07/18 03:08:25 marc - * merged in changes from OV_9510_BP to OV_9510_FINAL1 - * - * Revision 1.4.2.1 1996/06/20 02:16:37 marc - * File added to the repository on a branch - * - * Revision 1.4 1996/05/30 16:36:34 bjaspan - * finish updating to kadm5 naming (oops) - * - * Revision 1.3 1996/05/22 00:28:19 bjaspan - * rename to kadm5 - * - * Revision 1.2 1996/05/12 06:30:10 marc - * - fixup includes and data types to match beta6 - * - * Revision 1.1 1993/11/09 04:06:01 shanzer - * Initial revision - * */ #include <kadm5/admin.h> #include "kadm_rpc.h" +bool_t xdr_ui_4(XDR *xdrs, krb5_ui_4 *objp); bool_t xdr_nullstring(XDR *xdrs, char **objp); +bool_t xdr_nulltype(XDR *xdrs, void **objp, xdrproc_t proc); bool_t xdr_krb5_timestamp(XDR *xdrs, krb5_timestamp *objp); bool_t xdr_krb5_kvno(XDR *xdrs, krb5_kvno *objp); bool_t xdr_krb5_deltat(XDR *xdrs, krb5_deltat *objp); bool_t xdr_krb5_flags(XDR *xdrs, krb5_flags *objp); +bool_t xdr_krb5_ui_4(XDR *xdrs, krb5_ui_4 *objp); +bool_t xdr_krb5_int16(XDR *xdrs, krb5_int16 *objp); +bool_t xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp); +bool_t xdr_krb5_key_data_nocontents(XDR *xdrs, krb5_key_data *objp); +bool_t xdr_krb5_key_salt_tuple(XDR *xdrs, krb5_key_salt_tuple *objp); +bool_t xdr_krb5_tl_data(XDR *xdrs, 
krb5_tl_data **tl_data_head); bool_t xdr_kadm5_ret_t(XDR *xdrs, kadm5_ret_t *objp); +bool_t xdr_kadm5_principal_ent_rec_v1(XDR *xdrs, kadm5_principal_ent_rec *objp); bool_t xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp); bool_t xdr_kadm5_policy_ent_rec(XDR *xdrs, kadm5_policy_ent_rec *objp); bool_t xdr_kadm5_policy_ent_t(XDR *xdrs, kadm5_policy_ent_t *objp); bool_t xdr_kadm5_principal_ent_t(XDR *xdrs, kadm5_principal_ent_t *objp); bool_t xdr_cprinc_arg(XDR *xdrs, cprinc_arg *objp); +bool_t xdr_cprinc3_arg(XDR *xdrs, cprinc3_arg *objp); +bool_t xdr_generic_ret(XDR *xdrs, generic_ret *objp); bool_t xdr_dprinc_arg(XDR *xdrs, dprinc_arg *objp); bool_t xdr_mprinc_arg(XDR *xdrs, mprinc_arg *objp); bool_t xdr_rprinc_arg(XDR *xdrs, rprinc_arg *objp); bool_t xdr_chpass_arg(XDR *xdrs, chpass_arg *objp); +bool_t xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp); +bool_t xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp); +bool_t xdr_setkey_arg(XDR *xdrs, setkey_arg *objp); +bool_t xdr_setkey3_arg(XDR *xdrs, setkey3_arg *objp); bool_t xdr_chrand_arg(XDR *xdrs, chrand_arg *objp); +bool_t xdr_chrand3_arg(XDR *xdrs, chrand3_arg *objp); bool_t xdr_chrand_ret(XDR *xdrs, chrand_ret *objp); bool_t xdr_gprinc_arg(XDR *xdrs, gprinc_arg *objp); -bool_t xdr_gprinc_arg(XDR *xdrs, gprinc_arg *objp); +bool_t xdr_gprinc_ret(XDR *xdrs, gprinc_ret *objp); +bool_t xdr_gprincs_arg(XDR *xdrs, gprincs_arg *objp); +bool_t xdr_gprincs_ret(XDR *xdrs, gprincs_ret *objp); bool_t xdr_cpol_arg(XDR *xdrs, cpol_arg *objp); bool_t xdr_dpol_arg(XDR *xdrs, dpol_arg *objp); bool_t xdr_mpol_arg(XDR *xdrs, mpol_arg *objp); bool_t xdr_gpol_arg(XDR *xdrs, gpol_arg *objp); bool_t xdr_gpol_ret(XDR *xdrs, gpol_ret *objp); +bool_t xdr_gpols_arg(XDR *xdrs, gpols_arg *objp); +bool_t xdr_gpols_ret(XDR *xdrs, gpols_ret *objp); +bool_t xdr_getprivs_ret(XDR *xdrs, getprivs_ret *objp); bool_t xdr_krb5_principal(XDR *xdrs, krb5_principal *objp); bool_t xdr_krb5_octet(XDR *xdrs, krb5_octet *objp); bool_t 
xdr_krb5_int32(XDR *xdrs, krb5_int32 *objp); bool_t xdr_krb5_enctype(XDR *xdrs, krb5_enctype *objp); +bool_t xdr_krb5_salttype(XDR *xdrs, krb5_int32 *objp); bool_t xdr_krb5_keyblock(XDR *xdrs, krb5_keyblock *objp); diff --git a/usr/src/lib/krb5/kadm5/alt_prof.c b/usr/src/lib/krb5/kadm5/alt_prof.c index 5c465f4702..b3ea033280 100644 --- a/usr/src/lib/krb5/kadm5/alt_prof.c +++ b/usr/src/lib/krb5/kadm5/alt_prof.c @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -26,7 +26,7 @@ /* * lib/kadm/alt_prof.c * - * Copyright 1995 by the Massachusetts Institute of Technology. + * Copyright 1995,2001 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -41,7 +41,10 @@ * this permission notice appear in supporting documentation, and that * the name of M.I.T. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. * 
@@ -69,6 +72,20 @@ krb5_error_code kadm5_free_config_params(); "des-cbc-md5:normal " \ "des-cbc-crc:normal" +static krb5_key_salt_tuple *copy_key_salt_tuple(ksalt, len) +krb5_key_salt_tuple *ksalt; +krb5_int32 len; +{ + krb5_key_salt_tuple *knew; + + if((knew = (krb5_key_salt_tuple *) + malloc((len ) * sizeof(krb5_key_salt_tuple)))) { + memcpy(knew, ksalt, len * sizeof(krb5_key_salt_tuple)); + return knew; + } + return 0; +} + /* * krb5_aprof_init() - Initialize alternate profile context. * @@ -82,36 +99,36 @@ krb5_error_code kadm5_free_config_params(); */ krb5_error_code krb5_aprof_init(fname, envname, acontextp) -char *fname; -char *envname; -krb5_pointer *acontextp; + char *fname; + char *envname; + krb5_pointer *acontextp; { - krb5_error_code kret; - const char *namelist[2]; - profile_t profile; - - namelist[1] = (char *)NULL; - profile = (profile_t)NULL; - if (envname) { - if ((namelist[0] = getenv(envname))) { - kret = profile_init(namelist, &profile); - if (kret) - return (kret); - *acontextp = (krb5_pointer) profile; - return (0); - } - } - profile = (profile_t)NULL; - if (fname) { - kret = profile_init_path(fname, &profile); - if (kret == ENOENT) { - profile = 0; - } else if (kret) - return (kret); - *acontextp = (krb5_pointer) profile; - return (0); + krb5_error_code kret; + const_profile_filespec_t namelist[2]; + profile_t profile; + + namelist[1] = (profile_filespec_t) NULL; + profile = (profile_t) NULL; + if (envname) { + if ((namelist[0] = getenv(envname))) { + kret = profile_init(namelist, &profile); + if (kret) + return kret; + *acontextp = (krb5_pointer) profile; + return 0; } - return (0); + } + profile = (profile_t) NULL; + if (fname) { + kret = profile_init_path(fname, &profile); + if (kret == ENOENT) { + profile = 0; + } else if (kret) + return kret; + *acontextp = (krb5_pointer) profile; + return 0; + } + return 0; } /* 
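Review bot: copy_key_salt_tuple allocates `len * sizeof(krb5_key_salt_tuple)` from a signed krb5_int32 `len` with no range check, so a negative count converts to a huge size_t and a large positive one can overflow the multiplication before malloc ever sees it; a zero-length request also returns 0, which callers cannot tell apart from allocation failure. Guard the count and let calloc do the checked multiply: `if (len <= 0) return 0;` followed by `knew = calloc((size_t) len, sizeof *knew);` (the memcpy then copies the same `len * sizeof *knew` bytes). The K&R-style definition and the cast on malloc are also out of step with the ANSI prototypes this commit introduces elsewhere in the file (string_to_boolean, kadm5_get_admin_service_name). No caller of this static helper is visible in the hunk, so whether it is used at all cannot be confirmed here.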
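Review bot: The contract of `*acontextp` in the rewritten krb5_aprof_init is easy to misread and is not documented: it is set to NULL when `fname` is missing (the `kret == ENOENT` branch still returns 0), and it is not written at all when `envname` is unset in the environment and `fname` is NULL, yet the function returns 0 in both cases. Callers therefore must initialise their context pointer to 0 and test it before use, which the `aprofile &&` guards in kadm5_get_config_params do. I would add above the function: `/* On success *acontextp may be NULL: a missing fname (ENOENT) and the case where neither source yields a profile both return 0 without a profile. Callers must initialise and test it. */`.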
@@ -127,13 +144,71 @@ krb5_pointer *acontextp; */ krb5_error_code krb5_aprof_getvals(acontext, hierarchy, retdata) -krb5_pointer acontext; -const char **hierarchy; -char ***retdata; + krb5_pointer acontext; + const char **hierarchy; + char ***retdata; { - return (profile_get_values((profile_t)acontext, - hierarchy, - retdata)); + return(profile_get_values((profile_t) acontext, + hierarchy, + retdata)); +} + +/* + * krb5_aprof_get_boolean() + * + * Parameters: + * acontext - opaque context for alternate profile + * hierarchy - hierarchy of value to retrieve + * retdata - Returned data value + * Returns: + * error codes + */ + +static krb5_error_code +string_to_boolean (const char *string, krb5_boolean *out) +{ + static const char *const yes[] = { "y", "yes", "true", "t", "1", "on" }; + static const char *const no[] = { "n", "no", "false", "f", "nil", "0", "off" }; + int i; + + for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++) + if (!strcasecmp(string, yes[i])) { + *out = 1; + return 0; + } + for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) + if (!strcasecmp(string, no[i])) { + *out = 0; + return 0; + } + return PROF_BAD_BOOLEAN; +} + +krb5_error_code +krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy, + int uselast, krb5_boolean *retdata) +{ + krb5_error_code kret; + char **values; + char *valp; + int idx; + krb5_boolean val; + + kret = krb5_aprof_getvals (acontext, hierarchy, &values); + if (kret) + return kret; + idx = 0; + if (uselast) { + while (values[idx]) + idx++; + idx--; + } + valp = values[idx]; + kret = string_to_boolean (valp, &val); + if (kret) + return kret; + *retdata = val; + return 0; } /* 
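Review bot: krb5_aprof_get_boolean never frees `values`, unlike the sibling krb5_aprof_get_deltat and krb5_aprof_get_int32 readers which free every string and the array, so each call leaks the whole value list. It also indexes `values[-1]` when `uselast` is set and the list is empty, and passes a NULL `valp` to strcasecmp when it is empty without `uselast`; whether profile_get_values can return an empty list is not visible here, but the function should not depend on it. The "krb5_aprof_get_boolean()" comment header is also placed above string_to_boolean rather than the function it describes, and the `i < sizeof(yes)/sizeof(yes[0])` comparisons mix a signed `int i` with size_t. A version that frees the list on every path and tolerates an empty one is below.
```c
krb5_error_code
krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy,
		       int uselast, krb5_boolean *retdata)
{
    /* … unchanged: local declarations … */
    kret = krb5_aprof_getvals (acontext, hierarchy, &values);
    if (kret)
	return kret;
    idx = 0;
    if (uselast) {
	while (values[idx])
	    idx++;
	if (idx > 0)
	    idx--;		/* an empty list must not index values[-1] */
    }
    valp = values[idx];
    kret = (valp != NULL) ? string_to_boolean (valp, &val) : PROF_BAD_BOOLEAN;

    /* Free the string storage, as krb5_aprof_get_deltat/get_int32 do */
    for (idx = 0; values[idx]; idx++)
	krb5_xfree(values[idx]);
    krb5_xfree(values);
    if (kret)
	return kret;
    *retdata = val;
    return 0;
}
```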
@@ -153,31 +228,31 @@ char ***retdata; */ krb5_error_code krb5_aprof_get_deltat(acontext, hierarchy, uselast, deltatp) -krb5_pointer acontext; -const char **hierarchy; -krb5_boolean uselast; -krb5_deltat *deltatp; + krb5_pointer acontext; + const char **hierarchy; + krb5_boolean uselast; + krb5_deltat *deltatp; { - krb5_error_code kret; - char **values; - char *valp; - int index; - - if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { - index = 0; - if (uselast) { - for (index = 0; values[index]; index++); - index--; - } - valp = values[index]; - kret = krb5_string_to_deltat(valp, deltatp); - - /* Free the string storage */ - for (index = 0; values[index]; index++) - krb5_xfree(values[index]); - krb5_xfree(values); + krb5_error_code kret; + char **values; + char *valp; + int idx; + + if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { + idx = 0; + if (uselast) { + for (idx=0; values[idx]; idx++); + idx--; } - return (kret); + valp = values[idx]; + kret = krb5_string_to_deltat(valp, deltatp); + + /* Free the string storage */ + for (idx=0; values[idx]; idx++) + krb5_xfree(values[idx]); + krb5_xfree(values); + } + return(kret); } /* 
@@ -196,31 +271,31 @@ krb5_deltat *deltatp; */ krb5_error_code krb5_aprof_get_string(acontext, hierarchy, uselast, stringp) -krb5_pointer acontext; -const char **hierarchy; -krb5_boolean uselast; -char **stringp; + krb5_pointer acontext; + const char **hierarchy; + krb5_boolean uselast; + char **stringp; { - krb5_error_code kret; - char **values; - int index, i; - - if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { - index = 0; - if (uselast) { - for (index = 0; values[index]; index++); - index--; - } + krb5_error_code kret; + char **values; + int idx, i; + + if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { + idx = 0; + if (uselast) { + for (idx=0; values[idx]; idx++); + idx--; + } - *stringp = values[index]; + *stringp = values[idx]; - /* Free the string storage */ - for (i = 0; values[i]; i++) - if (i != index) - krb5_xfree(values[i]); - krb5_xfree(values); - } - return (kret); + /* Free the string storage */ + for (i=0; values[i]; i++) + if (i != idx) + krb5_xfree(values[i]); + krb5_xfree(values); + } + return(kret); } /* 
@@ -240,31 +315,31 @@ char **stringp; */ krb5_error_code krb5_aprof_get_int32(acontext, hierarchy, uselast, intp) -krb5_pointer acontext; -const char **hierarchy; -krb5_boolean uselast; -krb5_int32 *intp; + krb5_pointer acontext; + const char **hierarchy; + krb5_boolean uselast; + krb5_int32 *intp; { - krb5_error_code kret; - char **values; - int index; - - if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { - index = 0; - if (uselast) { - for (index = 0; values[index]; index++); - index--; - } + krb5_error_code kret; + char **values; + int idx; + + if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { + idx = 0; + if (uselast) { + for (idx=0; values[idx]; idx++); + idx--; + } - if (sscanf(values[index], "%d", intp) != 1) - kret = EINVAL; + if (sscanf(values[idx], "%d", intp) != 1) + kret = EINVAL; - /* Free the string storage */ - for (index = 0; values[index]; index++) - krb5_xfree(values[index]); - krb5_xfree(values); - } - return (kret); + /* Free the string storage */ + for (idx=0; values[idx]; idx++) + krb5_xfree(values[idx]); + krb5_xfree(values); + } + return(kret); } /* @@ -278,10 +353,10 @@ krb5_int32 *intp; */ krb5_error_code krb5_aprof_finish(acontext) -krb5_pointer acontext; + krb5_pointer acontext; { - profile_release(acontext); - return (0); + profile_release(acontext); + return(0); } /* @@ -292,13 +367,13 @@ krb5_pointer acontext; * * Arguments: * - * context(r) krb5_context to use - * profile(r) profile file to use - * envname(r) envname that contains a profile name to + * context (r) krb5_context to use + * profile (r) profile file to use + * envname (r) envname that contains a profile name to * override profile - * params_in(r) params structure containing user-supplied + * params_in (r) params structure containing user-supplied * values, or NULL - * params_out(w) params structure to be filled in + * params_out (w) params structure to be filled in * * Effects: * 
@@ -314,21 +389,21 @@ krb5_pointer acontext; */ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, params_in, params_out) -krb5_context context; -char *kdcprofile; -char *kdcenv; -kadm5_config_params *params_in, *params_out; + krb5_context context; + char *kdcprofile; + char *kdcenv; + kadm5_config_params *params_in, *params_out; { - char *filename; - char *envname; - char *lrealm; - krb5_pointer aprofile = 0; - const char *hierarchy[4]; - char *svalue; - krb5_int32 ivalue; - kadm5_config_params params, empty_params; - - krb5_error_code kret = 0; + char *filename; + char *envname; + char *lrealm; + krb5_pointer aprofile = 0; + const char *hierarchy[4]; + char *svalue; + krb5_int32 ivalue; + kadm5_config_params params, empty_params; + + krb5_error_code kret = 0; krb5_error_code dnsret = 1; #ifdef KRB5_DNS_LOOKUP 
@@ -337,47 +412,47 @@ kadm5_config_params *params_in, *params_out; krb5_data dns_realm; #endif /* KRB5_DNS_LOOKUP */ - memset((char *)¶ms, 0, sizeof (params)); - memset((char *)&empty_params, 0, sizeof (empty_params)); - - if (params_in == NULL) params_in = &empty_params; - - if (params_in->mask & KADM5_CONFIG_REALM) { - lrealm = params.realm = strdup(params_in->realm); - if (params.realm) - params.mask |= KADM5_CONFIG_REALM; - } else { - kret = krb5_get_default_realm(context, &lrealm); - if (kret) - goto cleanup; - params.realm = lrealm; - params.mask |= KADM5_CONFIG_REALM; - } - if (params_in->mask & KADM5_CONFIG_PROFILE) { - filename = params.profile = strdup(params_in->profile); - if (params.profile) - params.mask |= KADM5_CONFIG_PROFILE; - envname = NULL; - } else { - /* - * XXX These defaults should to work on both client and - * server. kadm5_get_config_params can be implemented as a - * wrapper function in each library that provides correct - * defaults for NULL values. - */ - filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE; - envname = (kdcenv) ? 
kdcenv : KDC_PROFILE_ENV; - if (context->profile_secure == TRUE) envname = 0; - } - - kret = krb5_aprof_init(filename, envname, &aprofile); - if (kret) - goto cleanup; - - /* Initialize realm parameters */ - hierarchy[0] = "realms"; - hierarchy[1] = lrealm; - hierarchy[3] = (char *)NULL; + memset((char *) ¶ms, 0, sizeof(params)); + memset((char *) &empty_params, 0, sizeof(empty_params)); + + if (params_in == NULL) params_in = &empty_params; + + if (params_in->mask & KADM5_CONFIG_REALM) { + lrealm = params.realm = strdup(params_in->realm); + if (params.realm) + params.mask |= KADM5_CONFIG_REALM; + } else { + kret = krb5_get_default_realm(context, &lrealm); + if (kret) + goto cleanup; + params.realm = lrealm; + params.mask |= KADM5_CONFIG_REALM; + } + if (params_in->mask & KADM5_CONFIG_PROFILE) { + filename = params.profile = strdup(params_in->profile); + if (params.profile) + params.mask |= KADM5_CONFIG_PROFILE; + envname = NULL; + } else { + /* + * XXX These defaults should to work on both client and + * server. kadm5_get_config_params can be implemented as a + * wrapper function in each library that provides correct + * defaults for NULL values. + */ + filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE; + envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV; + if (context->profile_secure == TRUE) envname = 0; + } + + kret = krb5_aprof_init(filename, envname, &aprofile); + if (kret) + goto cleanup; + + /* Initialize realm parameters */ + hierarchy[0] = "realms"; + hierarchy[1] = lrealm; + hierarchy[3] = (char *) NULL; #ifdef KRB5_DNS_LOOKUP /* 
@@ -388,17 +463,17 @@ kadm5_config_params *params_in, *params_out; dns_realm.magic = 0; #endif /* KRB5_DNS_LOOKUP */ - /* Get the value for the admin server */ - hierarchy[2] = "admin_server"; - if (params_in->mask & KADM5_CONFIG_ADMIN_SERVER) { - params.admin_server = strdup(params_in->admin_server); - if (params.admin_server) - params.mask |= KADM5_CONFIG_ADMIN_SERVER; - } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - params.admin_server = svalue; - params.mask |= KADM5_CONFIG_ADMIN_SERVER; - } + /* Get the value for the admin server */ + hierarchy[2] = "admin_server"; + if (params_in->mask & KADM5_CONFIG_ADMIN_SERVER) { + params.admin_server = strdup(params_in->admin_server); + if (params.admin_server) + params.mask |= KADM5_CONFIG_ADMIN_SERVER; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + params.admin_server = svalue; + params.mask |= KADM5_CONFIG_ADMIN_SERVER; + } #ifdef KRB5_DNS_LOOKUP else if (strcmp(envname, "KRB5_CONFIG") == 0) { /* 
@@ -421,167 +496,182 @@ kadm5_config_params *params_in, *params_out; } #endif /* KRB5_DNS_LOOKUP */ - if ((params.mask & KADM5_CONFIG_ADMIN_SERVER) && dnsret) { - char *p; - if (p = strchr(params.admin_server, ':')) { - params.kadmind_port = atoi(p+1); - params.mask |= KADM5_CONFIG_KADMIND_PORT; - *p = '\0'; - } - } - - /* Get the value for the database */ - hierarchy[2] = "database_name"; - if (params_in->mask & KADM5_CONFIG_DBNAME) { - params.dbname = strdup(params_in->dbname); - if (params.dbname) - params.mask |= KADM5_CONFIG_DBNAME; - } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - params.dbname = svalue; - params.mask |= KADM5_CONFIG_DBNAME; - } else { - params.dbname = strdup(DEFAULT_KDB_FILE); - if (params.dbname) - params.mask |= KADM5_CONFIG_DBNAME; - } - - /* - * admin database name and lockfile are now always derived from dbname - */ - if (params.mask & KADM5_CONFIG_DBNAME) { - params.admin_dbname = (char *)malloc(strlen(params.dbname) - + 7); - if (params.admin_dbname) { - sprintf(params.admin_dbname, "%s.kadm5", - params.dbname); - params.mask |= KADM5_CONFIG_ADBNAME; - } - } - - if (params.mask & KADM5_CONFIG_ADBNAME) { - params.admin_lockfile = - (char *)malloc(strlen(params.admin_dbname)+ 6); - if (params.admin_lockfile) { - sprintf(params.admin_lockfile, "%s.lock", - params.admin_dbname); - params.mask |= KADM5_CONFIG_ADB_LOCKFILE; - } - } - - /* Get the value for the admin(policy) database lock file */ - hierarchy[2] = "admin_keytab"; - if (params_in->mask & KADM5_CONFIG_ADMIN_KEYTAB) { - params.admin_keytab = strdup(params_in->admin_keytab); - if (params.admin_keytab) - params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; - } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; - params.admin_keytab = svalue; - } else if (params.admin_keytab = (char *)getenv("KRB5_KTNAME")) { - params.admin_keytab = strdup(params.admin_keytab); - if 
(params.admin_keytab) - params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; - } else { - params.admin_keytab = strdup(DEFAULT_KADM5_KEYTAB); - if (params.admin_keytab) - params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; - } - - /* Get the name of the acl file */ - hierarchy[2] = "acl_file"; - if (params_in->mask & KADM5_CONFIG_ACL_FILE) { - params.acl_file = strdup(params_in->acl_file); - if (params.acl_file) - params.mask |= KADM5_CONFIG_ACL_FILE; + if ((params.mask & KADM5_CONFIG_ADMIN_SERVER) && dnsret) { + char *p; + p = strchr(params.admin_server, ':'); + if (p) { + params.kadmind_port = atoi(p+1); + params.mask |= KADM5_CONFIG_KADMIND_PORT; + *p = '\0'; + } + } + + /* Get the value for the database */ + hierarchy[2] = "database_name"; + if (params_in->mask & KADM5_CONFIG_DBNAME) { + params.dbname = strdup(params_in->dbname); + if (params.dbname) + params.mask |= KADM5_CONFIG_DBNAME; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + params.dbname = svalue; + params.mask |= KADM5_CONFIG_DBNAME; + } else { + params.dbname = strdup(DEFAULT_KDB_FILE); + if (params.dbname) + params.mask |= KADM5_CONFIG_DBNAME; + } + + /* + * admin database name and lockfile are now always derived from dbname + */ + if (params.mask & KADM5_CONFIG_DBNAME) { + params.admin_dbname = (char *) malloc(strlen(params.dbname) + 7); + if (params.admin_dbname) { + sprintf(params.admin_dbname, "%s.kadm5", params.dbname); + params.mask |= KADM5_CONFIG_ADBNAME; + } + } + + if (params.mask & KADM5_CONFIG_ADBNAME) { + params.admin_lockfile = (char *) malloc(strlen(params.admin_dbname) + + 6); + if (params.admin_lockfile) { + sprintf(params.admin_lockfile, "%s.lock", params.admin_dbname); + params.mask |= KADM5_CONFIG_ADB_LOCKFILE; + } + } + + /* Get the value for the admin (policy) database lock file*/ + hierarchy[2] = "admin_keytab"; + if (params_in->mask & KADM5_CONFIG_ADMIN_KEYTAB) { + params.admin_keytab = strdup(params_in->admin_keytab); + if (params.admin_keytab) + 
params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; + params.admin_keytab = svalue; + } else if ((params.admin_keytab = (char *) getenv("KRB5_KTNAME"))) { + params.admin_keytab = strdup(params.admin_keytab); + if (params.admin_keytab) + params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; + } else { + params.admin_keytab = strdup(DEFAULT_KADM5_KEYTAB); + if (params.admin_keytab) + params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; + } + + /* Get the name of the acl file */ + hierarchy[2] = "acl_file"; + if (params_in->mask & KADM5_CONFIG_ACL_FILE) { + params.acl_file = strdup(params_in->acl_file); + if (params.acl_file) + params.mask |= KADM5_CONFIG_ACL_FILE; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + params.mask |= KADM5_CONFIG_ACL_FILE; + params.acl_file = svalue; + } else { + params.acl_file = strdup(DEFAULT_KADM5_ACL_FILE); + if (params.acl_file) + params.mask |= KADM5_CONFIG_ACL_FILE; + } + + /* Get the name of the dict file */ + hierarchy[2] = "dict_file"; + if (params_in->mask & KADM5_CONFIG_DICT_FILE) { + params.dict_file = strdup(params_in->dict_file); + if (params.dict_file) + params.mask |= KADM5_CONFIG_DICT_FILE; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + params.mask |= KADM5_CONFIG_DICT_FILE; + params.dict_file = svalue; + } + + /* Get the value for the kadmind port */ + if (! 
(params.mask & KADM5_CONFIG_KADMIND_PORT)) { + hierarchy[2] = "kadmind_port"; + if (params_in->mask & KADM5_CONFIG_KADMIND_PORT) { + params.mask |= KADM5_CONFIG_KADMIND_PORT; + params.kadmind_port = params_in->kadmind_port; + } else if (aprofile && + !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, + &ivalue)) { + params.kadmind_port = ivalue; + params.mask |= KADM5_CONFIG_KADMIND_PORT; + } else { + params.kadmind_port = DEFAULT_KADM5_PORT; + params.mask |= KADM5_CONFIG_KADMIND_PORT; + } + } + + /* Get the value for the kpasswd port */ + if (! (params.mask & KADM5_CONFIG_KPASSWD_PORT)) { + hierarchy[2] = "kpasswd_port"; + if (params_in->mask & KADM5_CONFIG_KPASSWD_PORT) { + params.mask |= KADM5_CONFIG_KPASSWD_PORT; + params.kpasswd_port = params_in->kpasswd_port; } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - params.mask |= KADM5_CONFIG_ACL_FILE; - params.acl_file = svalue; + !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, + &ivalue)) { + params.kpasswd_port = ivalue; + params.mask |= KADM5_CONFIG_KPASSWD_PORT; } else { - params.acl_file = strdup(DEFAULT_KADM5_ACL_FILE); - if (params.acl_file) - params.mask |= KADM5_CONFIG_ACL_FILE; - } - - /* Get the name of the dict file */ - hierarchy[2] = "dict_file"; - if (params_in->mask & KADM5_CONFIG_DICT_FILE) { - params.dict_file = strdup(params_in->dict_file); - if (params.dict_file) - params.mask |= KADM5_CONFIG_DICT_FILE; - } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - params.mask |= KADM5_CONFIG_DICT_FILE; - params.dict_file = svalue; - } - - /* Get the value for the kadmind port */ - if (! 
(params.mask & KADM5_CONFIG_KADMIND_PORT)) { - hierarchy[2] = "kadmind_port"; - if (params_in->mask & KADM5_CONFIG_KADMIND_PORT) { - params.mask |= KADM5_CONFIG_KADMIND_PORT; - params.kadmind_port = params_in->kadmind_port; - } else if (aprofile && - !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, - &ivalue)) { - params.kadmind_port = ivalue; - params.mask |= KADM5_CONFIG_KADMIND_PORT; - } else { - params.kadmind_port = DEFAULT_KADM5_PORT; - params.mask |= KADM5_CONFIG_KADMIND_PORT; - } - } - - /* Get the value for the master key name */ - hierarchy[2] = "master_key_name"; - if (params_in->mask & KADM5_CONFIG_MKEY_NAME) { - params.mkey_name = strdup(params_in->mkey_name); - if (params.mkey_name) - params.mask |= KADM5_CONFIG_MKEY_NAME; - } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - params.mask |= KADM5_CONFIG_MKEY_NAME; - params.mkey_name = svalue; + params.kpasswd_port = DEFAULT_KPASSWD_PORT; + params.mask |= KADM5_CONFIG_KPASSWD_PORT; } - - /* Get the value for the master key type */ - hierarchy[2] = "master_key_type"; - if (params_in->mask & KADM5_CONFIG_ENCTYPE) { - params.mask |= KADM5_CONFIG_ENCTYPE; - params.enctype = params_in->enctype; - } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_enctype(svalue, ¶ms.enctype)) { - params.mask |= KADM5_CONFIG_ENCTYPE; - krb5_xfree(svalue); - } - } else { - params.mask |= KADM5_CONFIG_ENCTYPE; - params.enctype = DEFAULT_KDC_ENCTYPE; - } - - /* Get the value for mkey_from_kbd */ - if (params_in->mask & KADM5_CONFIG_MKEY_FROM_KBD) { - params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - params.mkey_from_kbd = params_in->mkey_from_kbd; - } - - /* Get the value for the stashfile */ - hierarchy[2] = "key_stash_file"; - if (params_in->mask & KADM5_CONFIG_STASH_FILE) { - params.stash_file = strdup(params_in->stash_file); - if (params.stash_file) - params.mask |= KADM5_CONFIG_STASH_FILE; - } else if (aprofile && - 
!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - params.mask |= KADM5_CONFIG_STASH_FILE; - params.stash_file = svalue; - } - - /* - * Get the value for maximum ticket lifetime. + } + + /* Get the value for the master key name */ + hierarchy[2] = "master_key_name"; + if (params_in->mask & KADM5_CONFIG_MKEY_NAME) { + params.mkey_name = strdup(params_in->mkey_name); + if (params.mkey_name) + params.mask |= KADM5_CONFIG_MKEY_NAME; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + params.mask |= KADM5_CONFIG_MKEY_NAME; + params.mkey_name = svalue; + } + + /* Get the value for the master key type */ + hierarchy[2] = "master_key_type"; + if (params_in->mask & KADM5_CONFIG_ENCTYPE) { + params.mask |= KADM5_CONFIG_ENCTYPE; + params.enctype = params_in->enctype; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + if (!krb5_string_to_enctype(svalue, ¶ms.enctype)) { + params.mask |= KADM5_CONFIG_ENCTYPE; + krb5_xfree(svalue); + } + } else { + params.mask |= KADM5_CONFIG_ENCTYPE; + params.enctype = DEFAULT_KDC_ENCTYPE; + } + + /* Get the value for mkey_from_kbd */ + if (params_in->mask & KADM5_CONFIG_MKEY_FROM_KBD) { + params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + params.mkey_from_kbd = params_in->mkey_from_kbd; + } + + /* Get the value for the stashfile */ + hierarchy[2] = "key_stash_file"; + if (params_in->mask & KADM5_CONFIG_STASH_FILE) { + params.stash_file = strdup(params_in->stash_file); + if (params.stash_file) + params.mask |= KADM5_CONFIG_STASH_FILE; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + params.mask |= KADM5_CONFIG_STASH_FILE; + params.stash_file = svalue; + } + + /* + * Get the value for maximum ticket lifetime. * See SEAM documentation or the Bug ID 4184504 * We have changed the logic so that the entries are * created in the database with the maximum duration 
@@ -589,86 +679,86 @@ kadm5_config_params *params_in, *params_out; * However this wil get negotiated down when * as or tgs request is processed by KDC. */ - hierarchy[2] = "max_life"; - if (params_in->mask & KADM5_CONFIG_MAX_LIFE) { - params.mask |= KADM5_CONFIG_MAX_LIFE; - params.max_life = params_in->max_life; - } else { - params.mask |= KADM5_CONFIG_MAX_LIFE; - params.max_life = KRB5_INT32_MAX; - } - - /* Get the value for maximum renewable ticket lifetime. */ - hierarchy[2] = "max_renewable_life"; - if (params_in->mask & KADM5_CONFIG_MAX_RLIFE) { - params.mask |= KADM5_CONFIG_MAX_RLIFE; - params.max_rlife = params_in->max_rlife; - } else { - params.mask |= KADM5_CONFIG_MAX_RLIFE; - params.max_rlife = KRB5_INT32_MAX; - } - - /* Get the value for the default principal expiration */ - hierarchy[2] = "default_principal_expiration"; - if (params_in->mask & KADM5_CONFIG_EXPIRATION) { - params.mask |= KADM5_CONFIG_EXPIRATION; - params.expiration = params_in->expiration; - } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_timestamp(svalue, ¶ms.expiration)) { - params.mask |= KADM5_CONFIG_EXPIRATION; - krb5_xfree(svalue); - } - } else { - params.mask |= KADM5_CONFIG_EXPIRATION; - params.expiration = 0; - } - - /* Get the value for the default principal flags */ - hierarchy[2] = "default_principal_flags"; - if (params_in->mask & KADM5_CONFIG_FLAGS) { - params.mask |= KADM5_CONFIG_FLAGS; - params.flags = params_in->flags; - } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - char *sp, *ep, *tp; - - sp = svalue; - params.flags = 0; - while (sp) { - if ((ep = strchr(sp, (int)',')) || - (ep = strchr(sp, (int)' ')) || - (ep = strchr(sp, (int)'\t'))) { - /* Fill in trailing whitespace of sp */ - tp = ep - 1; - while (isspace(*tp) && (tp < sp)) { - *tp = '\0'; - tp--; - } - *ep = '\0'; - ep++; - /* Skip over trailing whitespace of ep */ - while (isspace(*ep) && (*ep)) ep++; - } - /* 
Convert this flag */ - if (krb5_string_to_flags(sp, - "+", - "-", - ¶ms.flags)) - break; - sp = ep; - } - if (!sp) - params.mask |= KADM5_CONFIG_FLAGS; - krb5_xfree(svalue); - } else { - params.mask |= KADM5_CONFIG_FLAGS; - params.flags = KRB5_KDB_DEF_FLAGS; - } - - /* Get the value for the supported enctype/salttype matrix */ - hierarchy[2] = "supported_enctypes"; - if (params_in->mask & KADM5_CONFIG_ENCTYPES) { + hierarchy[2] = "max_life"; + if (params_in->mask & KADM5_CONFIG_MAX_LIFE) { + params.mask |= KADM5_CONFIG_MAX_LIFE; + params.max_life = params_in->max_life; + } else { + params.max_life = KRB5_INT32_MAX; + params.mask |= KADM5_CONFIG_MAX_LIFE; + } + + /* Get the value for maximum renewable ticket lifetime. */ + hierarchy[2] = "max_renewable_life"; + if (params_in->mask & KADM5_CONFIG_MAX_RLIFE) { + params.mask |= KADM5_CONFIG_MAX_RLIFE; + params.max_rlife = params_in->max_rlife; + } else { + params.max_rlife = KRB5_INT32_MAX; + params.mask |= KADM5_CONFIG_MAX_RLIFE; + } + + /* Get the value for the default principal expiration */ + hierarchy[2] = "default_principal_expiration"; + if (params_in->mask & KADM5_CONFIG_EXPIRATION) { + params.mask |= KADM5_CONFIG_EXPIRATION; + params.expiration = params_in->expiration; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + if (!krb5_string_to_timestamp(svalue, ¶ms.expiration)) { + params.mask |= KADM5_CONFIG_EXPIRATION; + krb5_xfree(svalue); + } + } else { + params.mask |= KADM5_CONFIG_EXPIRATION; + params.expiration = 0; + } + + /* Get the value for the default principal flags */ + hierarchy[2] = "default_principal_flags"; + if (params_in->mask & KADM5_CONFIG_FLAGS) { + params.mask |= KADM5_CONFIG_FLAGS; + params.flags = params_in->flags; + } else if (aprofile && + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + char *sp, *ep, *tp; + + sp = svalue; + params.flags = 0; + while (sp) { + if ((ep = strchr(sp, (int) ',')) || + (ep = strchr(sp, (int) ' ')) || + 
(ep = strchr(sp, (int) '\t'))) { + /* Fill in trailing whitespace of sp */ + tp = ep - 1; + while (isspace((int) *tp) && (tp > sp)) { + *tp = '\0'; + tp--; + } + *ep = '\0'; + ep++; + /* Skip over trailing whitespace of ep */ + while (isspace((int) *ep) && (*ep)) ep++; + } + /* Convert this flag */ + if (krb5_string_to_flags(sp, + "+", + "-", + ¶ms.flags)) + break; + sp = ep; + } + if (!sp) + params.mask |= KADM5_CONFIG_FLAGS; + krb5_xfree(svalue); + } else { + params.mask |= KADM5_CONFIG_FLAGS; + params.flags = KRB5_KDB_DEF_FLAGS; + } + + /* Get the value for the supported enctype/salttype matrix */ + hierarchy[2] = "supported_enctypes"; + if (params_in->mask & KADM5_CONFIG_ENCTYPES) { params.mask |= KADM5_CONFIG_ENCTYPES; if (params_in->num_keysalts > 0) { params.keysalts = malloc(params_in->num_keysalts * 
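Review bot: The default_principal_flags trimming loop dereferences before it bounds-checks: `tp = ep - 1; while (isspace((int) *tp) && (tp > sp))` reads `*tp` first, so when the separator is the very first character of a token (`ep == sp`, e.g. a leading comma or two adjacent separators) `tp` points one byte before `sp`, and for the first token that is one byte before the malloc'd `svalue`. The commit corrects the old `tp < sp` test but keeps the evaluation order; swap the operands and use the unsigned-char cast the ctype functions require, `while (tp > sp && isspace((unsigned char) *tp))`, and likewise `while (*ep && isspace((unsigned char) *ep)) ep++;`. The input comes from the KDC profile, so the impact is a bad read on a malformed config line rather than anything remotely triggerable, but it is undefined behaviour in new code. kadm5_get_config_params begins and ends outside this hunk.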
@@ -680,30 +770,29 @@ kadm5_config_params *params_in, *params_out; (void) memcpy(params.keysalts, params_in->keysalts, (params_in->num_keysalts * sizeof (*params.keysalts))); - params.num_keysalts = params_in->num_keysalts; - } - } else { - svalue = NULL; - if (aprofile) - krb5_aprof_get_string(aprofile, hierarchy, - TRUE, &svalue); - if (svalue == NULL) - svalue = strdup(DEFAULT_ENCTYPE_LIST); - - params.keysalts = NULL; - params.num_keysalts = 0; - krb5_string_to_keysalts(svalue, - ", \t", /* Tuple separators */ - ":.-", /* Key/salt separators */ - 0, /* No duplicates */ - ¶ms.keysalts, - ¶ms.num_keysalts); - if (params.num_keysalts) - params.mask |= KADM5_CONFIG_ENCTYPES; - - if (svalue) - krb5_xfree(svalue); - } + params.num_keysalts = params_in->num_keysalts; + } + } else { + svalue = NULL; + if (aprofile) + krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); + if (svalue == NULL) + svalue = strdup(DEFAULT_ENCTYPE_LIST); + + params.keysalts = NULL; + params.num_keysalts = 0; + krb5_string_to_keysalts(svalue, + ", \t",/* Tuple separators */ + ":.-", /* Key/salt separators */ + 0, /* No duplicates */ + ¶ms.keysalts, + ¶ms.num_keysalts); + if (params.num_keysalts) + params.mask |= KADM5_CONFIG_ENCTYPES; + + if (svalue) + krb5_xfree(svalue); + } hierarchy[2] = "kpasswd_server"; if (params_in->mask & KADM5_CONFIG_KPASSWD_SERVER) { @@ -883,18 +972,18 @@ kadm5_config_params *params_in, *params_out; *params_out = params; cleanup: - if (aprofile) - krb5_aprof_finish(aprofile); - if (kret) { - (void) kadm5_free_config_params(context, ¶ms); - params_out->mask = 0; - } + if (aprofile) + krb5_aprof_finish(aprofile); + if (kret) { + kadm5_free_config_params(context, ¶ms); + params_out->mask = 0; + } #ifdef KRB5_DNS_LOOKUP if (dns_realm.data) free(dns_realm.data); #endif /* KRB5_DNS_LOOKUP */ - return (kret); + return(kret); } /* * kadm5_free_config_params() - Free data allocated by above. 
@@ -902,10 +991,10 @@ cleanup: /*ARGSUSED*/ krb5_error_code kadm5_free_config_params(context, params) -krb5_context context; -kadm5_config_params *params; + krb5_context context; + kadm5_config_params *params; { - if (params) { + if (params) { if (params->profile) { krb5_xfree(params->profile); params->profile = NULL; @@ -963,11 +1052,52 @@ kadm5_config_params *params; return (0); } -/* +krb5_error_code +kadm5_get_admin_service_name(krb5_context ctx, + char *realm_in, + char *admin_name, + size_t maxlen) +{ + krb5_error_code ret; + kadm5_config_params params_in, params_out; + struct hostent *hp; + + memset(¶ms_in, 0, sizeof(params_in)); + memset(¶ms_out, 0, sizeof(params_out)); + + params_in.mask |= KADM5_CONFIG_REALM; + params_in.realm = realm_in; + ret = kadm5_get_config_params(ctx, DEFAULT_PROFILE_PATH, + "KRB5_CONFIG", ¶ms_in, ¶ms_out); + if (ret) + return ret; + + if (!(params_out.mask & KADM5_CONFIG_ADMIN_SERVER)) { + ret = KADM5_MISSING_KRB5_CONF_PARAMS; + goto err_params; + } + + hp = gethostbyname(params_out.admin_server); + if (hp == NULL) { + ret = errno; + goto err_params; + } + if (strlen(hp->h_name) + sizeof("kadmin/") > maxlen) { + ret = ENOMEM; + goto err_params; + } + sprintf(admin_name, "kadmin/%s", hp->h_name); + +err_params: + kadm5_free_config_params(ctx, ¶ms_out); + return ret; +} + +/*********************************************************************** * This is the old krb5_realm_read_params, which I mutated into - * kadm5_get_config_params but which old code(kdb5_* and krb5kdc) + * kadm5_get_config_params but which old code (kdb5_* and krb5kdc) * still uses. - */ + ***********************************************************************/ /* * krb5_read_realm_params() - Read per-realm parameters from KDC 
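Review bot: In kadm5_get_admin_service_name the `hp == NULL` branch sets `ret = errno`, but gethostbyname reports failure through h_errno, not errno, so `errno` may be 0 or stale and the function can return success with `admin_name` never written. Return a fixed code instead, e.g. `ret = KADM5_BAD_SERVER_NAME;  /* gethostbyname() reports via h_errno, not errno */`. The length test `strlen(hp->h_name) + sizeof("kadmin/") > maxlen` does account for the terminator, so the sprintf is bounded, but `snprintf(admin_name, maxlen, "kadmin/%s", hp->h_name)` would make that invariant local to the write rather than to the check above it. Note also that the service principal is built from the canonical name a DNS lookup returns for `admin_server`; that is a documented property of this code path worth a comment, since the resulting kadmin/<host> name is only as trustworthy as the name resolution that produced it, and gethostbyname is additionally not thread-safe.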
@@ -975,154 +1105,161 @@ kadm5_config_params *params; */ krb5_error_code krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp) -krb5_context kcontext; -char *realm; -char *kdcprofile; -char *kdcenv; -krb5_realm_params **rparamp; + krb5_context kcontext; + char *realm; + char *kdcprofile; + char *kdcenv; + krb5_realm_params **rparamp; { - char *filename; - char *envname; - char *lrealm; - krb5_pointer aprofile = 0; - krb5_realm_params *rparams; - const char *hierarchy[4]; - char *svalue; - krb5_int32 ivalue; - krb5_deltat dtvalue; - - krb5_error_code kret; - - filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE; - envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV; - - if (kcontext->profile_secure == TRUE) envname = 0; - - rparams = (krb5_realm_params *) NULL; - if (realm) - lrealm = strdup(realm); - else { - kret = krb5_get_default_realm(kcontext, &lrealm); - if (kret) - goto cleanup; - } - - kret = krb5_aprof_init(filename, envname, &aprofile); + char *filename; + char *envname; + char *lrealm; + krb5_pointer aprofile = 0; + krb5_realm_params *rparams; + const char *hierarchy[4]; + char *svalue; + krb5_int32 ivalue; + krb5_boolean bvalue; + krb5_deltat dtvalue; + + krb5_error_code kret; + + filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE; + envname = (kdcenv) ? 
kdcenv : KDC_PROFILE_ENV; + + if (kcontext->profile_secure == TRUE) envname = 0; + + rparams = (krb5_realm_params *) NULL; + if (realm) + lrealm = strdup(realm); + else { + kret = krb5_get_default_realm(kcontext, &lrealm); if (kret) - goto cleanup; - - rparams = (krb5_realm_params *) malloc(sizeof (krb5_realm_params)); - if (rparams == 0) { - kret = ENOMEM; - goto cleanup; - } - - /* Initialize realm parameters */ - memset((char *)rparams, 0, sizeof (krb5_realm_params)); - - /* Get the value for the database */ - hierarchy[0] = "realms"; - hierarchy[1] = lrealm; - hierarchy[2] = "database_name"; - hierarchy[3] = (char *)NULL; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_dbname = svalue; - - /* Get the value for the KDC port list */ - hierarchy[2] = "kdc_ports"; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_kdc_ports = svalue; - hierarchy[2] = "kdc_tcp_ports"; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_kdc_tcp_ports = svalue; - - /* Get the name of the acl file */ - hierarchy[2] = "acl_file"; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_acl_file = svalue; - - /* Get the value for the kadmind port */ - hierarchy[2] = "kadmind_port"; - if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { - rparams->realm_kadmind_port = ivalue; - rparams->realm_kadmind_port_valid = 1; - } - - /* Get the value for the master key name */ - hierarchy[2] = "master_key_name"; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_mkey_name = svalue; - - /* Get the value for the master key type */ - hierarchy[2] = "master_key_type"; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype)) - rparams->realm_enctype_valid = 1; - krb5_xfree(svalue); - } - - /* Get the value for the stashfile */ - hierarchy[2] = "key_stash_file"; - 
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_stash_file = svalue; - - /* Get the value for maximum ticket lifetime. */ - hierarchy[2] = "max_life"; - if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { - rparams->realm_max_life = dtvalue; - rparams->realm_max_life_valid = 1; - } - - /* Get the value for maximum renewable ticket lifetime. */ - hierarchy[2] = "max_renewable_life"; - if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { - rparams->realm_max_rlife = dtvalue; - rparams->realm_max_rlife_valid = 1; - } - - /* Get the value for the default principal expiration */ - hierarchy[2] = "default_principal_expiration"; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_timestamp(svalue, - &rparams->realm_expiration)) - rparams->realm_expiration_valid = 1; - krb5_xfree(svalue); - } - - /* Get the value for the default principal flags */ - hierarchy[2] = "default_principal_flags"; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - char *sp, *ep, *tp; - - sp = svalue; - rparams->realm_flags = 0; - while (sp) { - if ((ep = strchr(sp, (int)',')) || - (ep = strchr(sp, (int)' ')) || - (ep = strchr(sp, (int)'\t'))) { - /* Fill in trailing whitespace of sp */ - tp = ep - 1; - while (isspace(*tp) && (tp < sp)) { - *tp = '\0'; - tp--; - } - *ep = '\0'; - ep++; - /* Skip over trailing whitespace of ep */ - while (isspace(*ep) && (*ep)) ep++; - } - /* Convert this flag */ - if (krb5_string_to_flags(sp, - "+", - "-", - &rparams->realm_flags)) - break; - sp = ep; + goto cleanup; + } + + kret = krb5_aprof_init(filename, envname, &aprofile); + if (kret) + goto cleanup; + + rparams = (krb5_realm_params *) malloc(sizeof(krb5_realm_params)); + if (rparams == 0) { + kret = ENOMEM; + goto cleanup; + } + + /* Initialize realm parameters */ + memset((char *) rparams, 0, sizeof(krb5_realm_params)); + + /* Get the value for the database */ + hierarchy[0] = "realms"; + 
hierarchy[1] = lrealm; + hierarchy[2] = "database_name"; + hierarchy[3] = (char *) NULL; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) + rparams->realm_dbname = svalue; + + /* Get the value for the KDC port list */ + hierarchy[2] = "kdc_ports"; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) + rparams->realm_kdc_ports = svalue; + hierarchy[2] = "kdc_tcp_ports"; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) + rparams->realm_kdc_tcp_ports = svalue; + + /* Get the name of the acl file */ + hierarchy[2] = "acl_file"; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) + rparams->realm_acl_file = svalue; + + /* Get the value for the kadmind port */ + hierarchy[2] = "kadmind_port"; + if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { + rparams->realm_kadmind_port = ivalue; + rparams->realm_kadmind_port_valid = 1; + } + + /* Get the value for the master key name */ + hierarchy[2] = "master_key_name"; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) + rparams->realm_mkey_name = svalue; + + /* Get the value for the master key type */ + hierarchy[2] = "master_key_type"; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype)) + rparams->realm_enctype_valid = 1; + krb5_xfree(svalue); + } + + /* Get the value for the stashfile */ + hierarchy[2] = "key_stash_file"; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) + rparams->realm_stash_file = svalue; + + /* Get the value for maximum ticket lifetime. */ + hierarchy[2] = "max_life"; + if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { + rparams->realm_max_life = dtvalue; + rparams->realm_max_life_valid = 1; + } + + /* Get the value for maximum renewable ticket lifetime. 
*/ + hierarchy[2] = "max_renewable_life"; + if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { + rparams->realm_max_rlife = dtvalue; + rparams->realm_max_rlife_valid = 1; + } + + /* Get the value for the default principal expiration */ + hierarchy[2] = "default_principal_expiration"; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + if (!krb5_string_to_timestamp(svalue, + &rparams->realm_expiration)) + rparams->realm_expiration_valid = 1; + krb5_xfree(svalue); + } + + hierarchy[2] = "reject_bad_transit"; + if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { + rparams->realm_reject_bad_transit = bvalue; + rparams->realm_reject_bad_transit_valid = 1; + } + + /* Get the value for the default principal flags */ + hierarchy[2] = "default_principal_flags"; + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + char *sp, *ep, *tp; + + sp = svalue; + rparams->realm_flags = 0; + while (sp) { + if ((ep = strchr(sp, (int) ',')) || + (ep = strchr(sp, (int) ' ')) || + (ep = strchr(sp, (int) '\t'))) { + /* Fill in trailing whitespace of sp */ + tp = ep - 1; + while (isspace((int) *tp) && (tp < sp)) { + *tp = '\0'; + tp--; } - if (!sp) - rparams->realm_flags_valid = 1; - krb5_xfree(svalue); + *ep = '\0'; + ep++; + /* Skip over trailing whitespace of ep */ + while (isspace((int) *ep) && (*ep)) ep++; + } + /* Convert this flag */ + if (krb5_string_to_flags(sp, + "+", + "-", + &rparams->realm_flags)) + break; + sp = ep; } + if (!sp) + rparams->realm_flags_valid = 1; + krb5_xfree(svalue); + } /* Get the value for the supported enctype/salttype matrix */ /* 
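Review bot: `lrealm` is declared without an initializer, and when `realm` is NULL and `krb5_get_default_realm()` fails the code jumps to `cleanup:` (in the `@@ -1151` hunk), where `if (lrealm) free(lrealm);` reads an indeterminate pointer. Initialize it, `char *lrealm = NULL;`, and check the `strdup(realm)` result the way the `malloc` below is checked, since a NULL `lrealm` otherwise becomes `hierarchy[1]`. In the default_principal_flags loop the `isspace((int) *tp)` / `isspace((int) *ep)` casts should be to `unsigned char` (a negative `char` is undefined for `<ctype.h>`), and with `tp = ep - 1` the condition `tp < sp` only holds when the separator is the very first character, in which case `*tp` reads before `sp`; the trim is otherwise dead code carried over from the old side. krb5_read_realm_params starts before and ends after this hunk.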
@@ -1151,44 +1288,47 @@ krb5_realm_params **rparamp; krb5_xfree(svalue); svalue = NULL; } - cleanup: - if (aprofile) - krb5_aprof_finish(aprofile); - if (lrealm) - free(lrealm); - if (kret) { - if (rparams) - krb5_free_realm_params(kcontext, rparams); - rparams = 0; - } - *rparamp = rparams; - return (kret); + if (aprofile) + krb5_aprof_finish(aprofile); + if (lrealm) + free(lrealm); + if (kret) { + if (rparams) + krb5_free_realm_params(kcontext, rparams); + rparams = 0; + } + *rparamp = rparams; + return(kret); } /* * krb5_free_realm_params() - Free data allocated by above. */ -/*ARGSUSED*/ krb5_error_code krb5_free_realm_params(kcontext, rparams) -krb5_context kcontext; -krb5_realm_params *rparams; + krb5_context kcontext; + krb5_realm_params *rparams; { - if (rparams) { - if (rparams->realm_profile) - krb5_xfree(rparams->realm_profile); - if (rparams->realm_dbname) - krb5_xfree(rparams->realm_dbname); - if (rparams->realm_mkey_name) - krb5_xfree(rparams->realm_mkey_name); - if (rparams->realm_stash_file) - krb5_xfree(rparams->realm_stash_file); - if (rparams->realm_keysalts) - krb5_xfree(rparams->realm_keysalts); - if (rparams->realm_kdc_ports) - krb5_xfree(rparams->realm_kdc_ports); - krb5_xfree(rparams); - } - return (0); + if (rparams) { + if (rparams->realm_profile) + krb5_xfree(rparams->realm_profile); + if (rparams->realm_dbname) + krb5_xfree(rparams->realm_dbname); + if (rparams->realm_mkey_name) + krb5_xfree(rparams->realm_mkey_name); + if (rparams->realm_stash_file) + krb5_xfree(rparams->realm_stash_file); + if (rparams->realm_keysalts) + krb5_xfree(rparams->realm_keysalts); + if (rparams->realm_kdc_ports) + krb5_xfree(rparams->realm_kdc_ports); + if (rparams->realm_kdc_tcp_ports) + krb5_xfree(rparams->realm_kdc_tcp_ports); + if (rparams->realm_acl_file) + krb5_xfree(rparams->realm_acl_file); + krb5_xfree(rparams); + } + return(0); } + 
diff --git a/usr/src/lib/krb5/kadm5/chpass_util.c b/usr/src/lib/krb5/kadm5/chpass_util.c index e72bc03b61..18422e0924 100644 --- a/usr/src/lib/krb5/kadm5/chpass_util.c +++ b/usr/src/lib/krb5/kadm5/chpass_util.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -33,7 +33,9 @@ #include <stdio.h> +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif #include <time.h> #include <locale.h> @@ -49,8 +51,7 @@ const char *chpw_error_message(kadm5_ret_t code); /* * Function: kadm5_chpass_principal_util * - * Purpose: Wrapper around chpass_principal. We can read new pw, - * change pw and return useful messages + * Purpose: Wrapper around chpass_principal. We can read new pw, change pw and return useful messages * * Arguments: * @@ -91,7 +92,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, char *new_pw, char **ret_pw, char *msg_ret, - int msg_len) + unsigned int msg_len) { int code, code2; unsigned int pwsize; @@ -99,7 +100,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, char *new_password; kadm5_principal_ent_rec princ_ent; kadm5_policy_ent_rec policy_ent; - krb5_chgpwd_prot passwd_protocol; + krb5_chgpwd_prot passwd_protocol; _KADM5_CHECK_HANDLE(server_handle); @@ -113,8 +114,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, if ((code = (int) krb5_init_context(&context)) == 0) { pwsize = sizeof(buffer); - code = krb5_read_password(context, - KADM5_PW_FIRST_PROMPT, + code = krb5_read_password(context, KADM5_PW_FIRST_PROMPT, KADM5_PW_SECOND_PROMPT, buffer, &pwsize); krb5_free_context(context); @@ -184,7 +184,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, #ifdef ZEROPASSWD if (!ret_pw) - memset(buffer, 0, sizeof (buffer)); + memset(buffer, 0, sizeof(buffer)); /* in case we read a new password */ #endif if (code == KADM5_OK) { 
@@ -194,15 +194,12 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, } if ((code != KADM5_PASS_Q_TOOSHORT) && - (code != KADM5_PASS_REUSE) && - (code != KADM5_PASS_Q_CLASS) && - (code != KADM5_PASS_Q_DICT) && - (code != KADM5_PASS_TOOSOON)) { + (code != KADM5_PASS_REUSE) &&(code != KADM5_PASS_Q_CLASS) && + (code != KADM5_PASS_Q_DICT) && (code != KADM5_PASS_TOOSOON)) { /* Can't get more info for other errors */ sprintf(buffer, "%s %s", error_message(code), string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE)); - sprintf(msg_ret, "%s\n%s\n", - string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), + sprintf(msg_ret, "%s\n%s\n", string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), buffer); return(code); } @@ -260,8 +257,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, code2 = kadm5_get_policy(lhandle, princ_ent.policy, &policy_ent); if (code2 != 0) { - sprintf(msg_ret, "%s %s\n%s %s\n\n%s\n ", - error_message(code2), + sprintf(msg_ret, "%s %s\n%s %s\n\n%s\n ", error_message(code2), string_text(CHPASS_UTIL_GET_POLICY_INFO), error_message(code), string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE), @@ -271,17 +267,16 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, } if (code == KADM5_PASS_Q_TOOSHORT) { - sprintf(msg_ret, - string_text(CHPASS_UTIL_PASSWORD_TOO_SHORT), + sprintf(msg_ret, string_text(CHPASS_UTIL_PASSWORD_TOO_SHORT), policy_ent.pw_min_length); (void) kadm5_free_principal_ent(lhandle, &princ_ent); (void) kadm5_free_policy_ent(lhandle, &policy_ent); return(code); } + if (code == KADM5_PASS_Q_CLASS) { - sprintf(msg_ret, - string_text(CHPASS_UTIL_TOO_FEW_CLASSES), + sprintf(msg_ret, string_text(CHPASS_UTIL_TOO_FEW_CLASSES), policy_ent.pw_min_classes); (void) kadm5_free_principal_ent(lhandle, &princ_ent); (void) kadm5_free_policy_ent(lhandle, &policy_ent); 
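Review bot: Every write into `msg_ret` in this hunk (and in the `@@ -260`, `@@ -271` and `@@ -292` hunks) is an unbounded `sprintf`, even though the function takes `msg_len` — changed to `unsigned int` in the `@@ -91` hunk — for exactly this purpose. `error_message(code)` and the `string_text(...)` catalog strings are localized and of unknown length, so a caller's fixed buffer can be overrun; use `snprintf(msg_ret, msg_len, "%s\n%s\n", string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), buffer);` and the same form for the others. The intermediate `sprintf(buffer, "%s %s", ...)` into the local array `buffer` has the same problem and should use `sizeof(buffer)`. _kadm5_chpass_principal_util starts before and ends after this hunk.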
@@ -292,26 +287,23 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, time_t until; char *time_string, *ptr; - until = princ_ent.last_pwd_change + - policy_ent.pw_min_life; + until = princ_ent.last_pwd_change + policy_ent.pw_min_life; time_string = ctime(&until); - if (*(ptr = &time_string[strlen(time_string)-1]) == - '\n') + if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') *ptr = '\0'; - sprintf(msg_ret, - string_text(CHPASS_UTIL_PASSWORD_TOO_SOON), + sprintf(msg_ret, string_text(CHPASS_UTIL_PASSWORD_TOO_SOON), time_string); (void) kadm5_free_principal_ent(lhandle, &princ_ent); (void) kadm5_free_policy_ent(lhandle, &policy_ent); return(code); } else { + /* We should never get here, but just in case ... */ sprintf(buffer, "%s %s", error_message(code), string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE)); - sprintf(msg_ret, "%s\n%s\n", - string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), + sprintf(msg_ret, "%s\n%s\n", string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), buffer); (void) kadm5_free_principal_ent(lhandle, &princ_ent); (void) kadm5_free_policy_ent(lhandle, &policy_ent); diff --git a/usr/src/lib/krb5/kadm5/chpass_util_strings.h b/usr/src/lib/krb5/kadm5/chpass_util_strings.h index 1b51f9af60..e3b147b486 100644 --- a/usr/src/lib/krb5/kadm5/chpass_util_strings.h +++ b/usr/src/lib/krb5/kadm5/chpass_util_strings.h @@ -40,5 +40,16 @@ #define CHPASS_UTIL_WHILE_READING_PASSWORD (-1492553969L) #define ERROR_TABLE_BASE_ovku (-1492553984L) +extern const struct error_table et_ovku_error_table; + +#if !defined(_WIN32) /* for compatibility with older versions... */ +extern void initialize_ovku_error_table (void) /*@modifies internalState@*/; +#else +#define initialize_ovku_error_table() +#endif + +#if !defined(_WIN32) +#define init_ovku_err_tbl initialize_ovku_error_table #define ovku_err_base ERROR_TABLE_BASE_ovku +#endif diff --git a/usr/src/lib/krb5/kadm5/clnt/Makefile.com b/usr/src/lib/krb5/kadm5/clnt/Makefile.com index 4f4d2c2f11..2a9db0023a 100644 
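Review bot: `time_string = ctime(&until);` is dereferenced on the next line via `strlen(time_string)` without a NULL check; `ctime()` returns NULL when the time is not representable, and `until` is a sum of two database-supplied values, so this path can crash the password-change utility. Guard it, `if (time_string != NULL && *(ptr = &time_string[strlen(time_string)-1]) == '\n')`, or use `ctime_r` into a local buffer, which also avoids the shared static buffer. The `sprintf(msg_ret, string_text(CHPASS_UTIL_PASSWORD_TOO_SOON), time_string);` here is likewise not bounded by `msg_len`.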
--- a/usr/src/lib/krb5/kadm5/clnt/Makefile.com +++ b/usr/src/lib/krb5/kadm5/clnt/Makefile.com @@ -78,7 +78,7 @@ CPPFLAGS += -I.. -I../.. -I../../.. -I$(SRC)/lib/gss_mechs/mech_krb5/include \ -DHAVE_LIBSOCKET=1 -DHAVE_LIBNSL=1 -DSETRPCENT_TYPE=void \ -DENDRPCENT_TYPE=void -DHAVE_SYS_ERRLIST=1 -DNEED_SYS_ERRLIST=1 \ -DHAVE_SYSLOG_H=1 -DHAVE_OPENLOG=1 -DHAVE_SYSLOG=1 -DHAVE_CLOSELOG=1 \ - -DHAVE_STRFTIME=1 -DHAVE_VSPRINTF=1 + -DHAVE_STRFTIME=1 -DHAVE_VSPRINTF=1 -DUSE_KADM5_API_VERSION=2 CFLAGS += $(CCVERBOSE) -I.. LDLIBS += -lc diff --git a/usr/src/lib/krb5/kadm5/clnt/client_init.c b/usr/src/lib/krb5/kadm5/clnt/client_init.c index 44d0fb4a9d..838f8fb18e 100644 --- a/usr/src/lib/krb5/kadm5/clnt/client_init.c +++ b/usr/src/lib/krb5/kadm5/clnt/client_init.c @@ -42,7 +42,9 @@ #include <stdio.h> #include <netdb.h> +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif #include <string.h> #include <com_err.h> #include <sys/types.h> @@ -55,19 +57,22 @@ #endif #include <libintl.h> +#include <kadm5/admin.h> +#include <kadm5/kadm_rpc.h> +#include "client_internal.h" + #include <syslog.h> #include <gssapi/gssapi.h> #include <gssapi_krb5.h> #include <gssapiP_krb5.h> -#include <kadm5/kadm_rpc.h> #include <rpc/clnt.h> -#include <kadm5/admin.h> -#include "client_internal.h" + #include <iprop_hdr.h> #include "iprop.h" #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" +static int old_auth_gssapi = 0; /* connection timeout to kadmind in seconds */ #define KADMIND_CONNECT_TIMEOUT 25 @@ -93,7 +98,7 @@ kadm5_ret_t kadm5_init_with_creds(char *client_name, krb5_ui_4 api_version, void **server_handle) { - return _kadm5_init_any(client_name, INIT_CREDS, NULL, ccache, + return _kadm5_init_any(client_name, INIT_CREDS, NULL, ccache, service_name, params, struct_version, api_version, server_handle); 
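Review bot: `static int old_auth_gssapi = 0;` in the client_init.c `@@ -55` hunk adds file-scope mutable state with no use visible in this chunk and no comment saying what it selects or who writes it; if it records that the server required the older GSS-API RPC authentication flavor (my reading of the name — confirm against the rest of the file), say so at the definition, e.g. `/* set once the server has been found to need the legacy GSS-API auth flavor */`, and if nothing reads it, drop it. The `#define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX"` kept just above it appears to have its only use placed under `#if 0` in the `@@ -775` hunk; if no other use remains it should be removed with the dead code.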
@@ -107,19 +112,19 @@ kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, krb5_ui_4 api_version, void **server_handle) { - return _kadm5_init_any(client_name, INIT_PASS, pass, NULL, + return _kadm5_init_any(client_name, INIT_PASS, pass, NULL, service_name, params, struct_version, api_version, server_handle); } kadm5_ret_t kadm5_init(char *client_name, char *pass, - char *service_name, - kadm5_config_params *params, - krb5_ui_4 struct_version, - krb5_ui_4 api_version, - void **server_handle) + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + void **server_handle) { - return _kadm5_init_any(client_name, INIT_PASS, pass, NULL, + return _kadm5_init_any(client_name, INIT_PASS, pass, NULL, service_name, params, struct_version, api_version, server_handle); } @@ -131,7 +136,7 @@ kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, krb5_ui_4 api_version, void **server_handle) { - return _kadm5_init_any(client_name, INIT_SKEY, keytab, NULL, + return _kadm5_init_any(client_name, INIT_SKEY, keytab, NULL, service_name, params, struct_version, api_version, server_handle); } 
@@ -579,132 +584,132 @@ static kadm5_ret_t _kadm5_init_any(char *client_name, krb5_ui_4 api_version, void **server_handle) { - int i; - krb5_creds creds; - krb5_ccache ccache = NULL; - krb5_timestamp now; - OM_uint32 gssstat, minor_stat; - kadm5_server_handle_t handle; - kadm5_config_params params_local; - int code = 0; - krb5_get_init_creds_opt opt; - gss_buffer_desc input_name; - krb5_error_code kret; - krb5_int32 starttime; - char *server = NULL; - krb5_principal serverp = NULL, clientp = NULL; - bool_t cpw = FALSE; + int i; + krb5_creds creds; + krb5_ccache ccache = NULL; + krb5_timestamp now; + OM_uint32 gssstat, minor_stat; + kadm5_server_handle_t handle; + kadm5_config_params params_local; + int code = 0; + krb5_get_init_creds_opt opt; + gss_buffer_desc input_name; + krb5_error_code kret; + krb5_int32 starttime; + char *server = NULL; + krb5_principal serverp = NULL, clientp = NULL; + bool_t cpw = FALSE; ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN, "entering kadm5_init_any\n")); - if (! server_handle) { - return (EINVAL); - } - - if (! (handle = malloc(sizeof(*handle)))) { - return (ENOMEM); - } - if (! (handle->lhandle = malloc(sizeof(*handle)))) { - free(handle); - return (ENOMEM); - } - - handle->magic_number = KADM5_SERVER_HANDLE_MAGIC; - handle->struct_version = struct_version; - handle->api_version = api_version; - handle->clnt = 0; - handle->cache_name = 0; - handle->destroy_cache = 0; - *handle->lhandle = *handle; - handle->lhandle->api_version = KADM5_API_VERSION_2; - handle->lhandle->struct_version = KADM5_STRUCT_VERSION; - handle->lhandle->lhandle = handle->lhandle; - - kret = krb5_init_context(&handle->context); + if (! server_handle) { + return EINVAL; + } + + if (! (handle = malloc(sizeof(*handle)))) { + return ENOMEM; + } + if (! 
(handle->lhandle = malloc(sizeof(*handle)))) { + free(handle); + return ENOMEM; + } + + handle->magic_number = KADM5_SERVER_HANDLE_MAGIC; + handle->struct_version = struct_version; + handle->api_version = api_version; + handle->clnt = 0; + handle->cache_name = 0; + handle->destroy_cache = 0; + *handle->lhandle = *handle; + handle->lhandle->api_version = KADM5_API_VERSION_2; + handle->lhandle->struct_version = KADM5_STRUCT_VERSION; + handle->lhandle->lhandle = handle->lhandle; + + kret = krb5_init_context(&handle->context); if (kret) { free(handle->lhandle); free(handle); return (kret); } - if(service_name == NULL || client_name == NULL) { - krb5_free_context(handle->context); - free(handle->lhandle); - free(handle); - return (EINVAL); - } - memset((char *) &creds, 0, sizeof(creds)); - - /* - * Verify the version numbers before proceeding; we can't use - * CHECK_HANDLE because not all fields are set yet. - */ - GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, + if(service_name == NULL || client_name == NULL) { + krb5_free_context(handle->context); + free(handle->lhandle); + free(handle); + return EINVAL; + } + memset((char *) &creds, 0, sizeof(creds)); + + /* + * Verify the version numbers before proceeding; we can't use + * CHECK_HANDLE because not all fields are set yet. + */ + GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, KADM5_NEW_LIB_API_VERSION); - - /* - * Acquire relevant profile entries. In version 2, merge values - * in params_in with values from profile, based on - * params_in->mask. - * - * In version 1, we've given a realm (which may be NULL) instead - * of params_in. So use that realm, make params_in contain an - * empty mask, and behave like version 2. - */ - memset((char *) ¶ms_local, 0, sizeof(params_local)); - if (api_version == KADM5_API_VERSION_1) { - if (params_in) - params_local.mask = KADM5_CONFIG_REALM; - params_in = ¶ms_local; + + /* + * Acquire relevant profile entries. 
In version 2, merge values + * in params_in with values from profile, based on + * params_in->mask. + * + * In version 1, we've given a realm (which may be NULL) instead + * of params_in. So use that realm, make params_in contain an + * empty mask, and behave like version 2. + */ + memset((char *) ¶ms_local, 0, sizeof(params_local)); + if (api_version == KADM5_API_VERSION_1) { + if (params_in) + params_local.mask = KADM5_CONFIG_REALM; + params_in = ¶ms_local; } #define ILLEGAL_PARAMS ( \ - KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_ADB_LOCKFILE | \ - KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \ - KADM5_CONFIG_DICT_FILE | KADM5_CONFIG_ADMIN_KEYTAB | \ - KADM5_CONFIG_STASH_FILE | KADM5_CONFIG_MKEY_NAME | \ - KADM5_CONFIG_ENCTYPE | KADM5_CONFIG_MAX_LIFE | \ - KADM5_CONFIG_MAX_RLIFE | KADM5_CONFIG_EXPIRATION | \ - KADM5_CONFIG_FLAGS | KADM5_CONFIG_ENCTYPES | \ - KADM5_CONFIG_MKEY_FROM_KBD) - - if (params_in && params_in->mask & ILLEGAL_PARAMS) { + KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_ADB_LOCKFILE | \ + KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \ + KADM5_CONFIG_DICT_FILE | KADM5_CONFIG_ADMIN_KEYTAB | \ + KADM5_CONFIG_STASH_FILE | KADM5_CONFIG_MKEY_NAME | \ + KADM5_CONFIG_ENCTYPE | KADM5_CONFIG_MAX_LIFE | \ + KADM5_CONFIG_MAX_RLIFE | KADM5_CONFIG_EXPIRATION | \ + KADM5_CONFIG_FLAGS | KADM5_CONFIG_ENCTYPES | \ + KADM5_CONFIG_MKEY_FROM_KBD) + + if (params_in && params_in->mask & ILLEGAL_PARAMS) { krb5_free_context(handle->context); free(handle->lhandle); - free(handle); + free(handle); ADMIN_LOG(LOG_ERR, dgettext(TEXT_DOMAIN, "bad client parameters, returning %d"), KADM5_BAD_CLIENT_PARAMS); - return (KADM5_BAD_CLIENT_PARAMS); - } + return KADM5_BAD_CLIENT_PARAMS; + } - if ((code = kadm5_get_config_params(handle->context, + if ((code = kadm5_get_config_params(handle->context, DEFAULT_PROFILE_PATH, "KRB5_CONFIG", params_in, &handle->params))) { - krb5_free_context(handle->context); - free(handle->lhandle); - free(handle); + krb5_free_context(handle->context); + 
free(handle->lhandle); + free(handle); ADMIN_LOG(LOG_ERR, dgettext(TEXT_DOMAIN, "failed to get config_params, return: %d\n"), code); - return(code); - } + return(code); + } #define REQUIRED_PARAMS (KADM5_CONFIG_REALM | \ KADM5_CONFIG_ADMIN_SERVER | \ KADM5_CONFIG_KADMIND_PORT) - if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { + if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { (void) kadm5_free_config_params(handle->context, &handle->params); - krb5_free_context(handle->context); + krb5_free_context(handle->context); free(handle->lhandle); - free(handle); + free(handle); ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN, "missing config parameters\n")); - return (KADM5_MISSING_CONF_PARAMS); - } + return KADM5_MISSING_KRB5_CONF_PARAMS; + } /* * Acquire a service ticket for service_name@realm in the name of 
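Review bot: `handle` is obtained with a bare `malloc` and only some of its fields are assigned before the early-return paths, so `handle->params` and `handle->my_cred` stay indeterminate until later in the function; that is why the teardown at `error:` (in the `@@ -903` hunk) cannot be reused and each of the four early exits repeats `krb5_free_context(handle->context); free(handle->lhandle); free(handle);` by hand. Allocating with `handle = calloc(1, sizeof(*handle))` would zero the struct (the `*handle->lhandle = *handle` copy then inherits the zeros), making every pointer field safe to free and letting the early exits converge on one cleanup path, though `creds` is memset only after the `service_name` check and would need the same treatment before any `goto`. Within the hunk the `krb5_init_context` failure branch keeps `return (kret);` while every other return drops the parentheses. _kadm5_init_any starts before and ends after this hunk.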
@@ -775,52 +780,61 @@ static kadm5_ret_t _kadm5_init_any(char *client_name, /* XXX temporarily fix a bug in krb5_cc_get_type */ #undef krb5_cc_get_type #define krb5_cc_get_type(context, cache) ((cache)->ops->prefix) - - if (init_type == INIT_CREDS) { - ccache = ccache_in; - handle->cache_name = (char *) - malloc(strlen(krb5_cc_get_type(handle->context, ccache)) + - strlen(krb5_cc_get_name(handle->context, ccache)) + 2); - - if (handle->cache_name == NULL) { - code = ENOMEM; - goto error; - } - sprintf(handle->cache_name, "%s:%s", - krb5_cc_get_type(handle->context, ccache), - krb5_cc_get_name(handle->context, ccache)); - } else { - handle->cache_name = - (char *) malloc(strlen(ADM_CCACHE)+strlen("FILE:")+1); - if (handle->cache_name == NULL) { - code = ENOMEM; - goto error; - } - sprintf(handle->cache_name, "FILE:%s", ADM_CCACHE); - mktemp(handle->cache_name + strlen("FILE:")); - - if ((code = krb5_cc_resolve(handle->context, - handle->cache_name, &ccache))) - goto error; + + + if (init_type == INIT_CREDS) { + ccache = ccache_in; + handle->cache_name = (char *) + malloc(strlen(krb5_cc_get_type(handle->context, ccache)) + + strlen(krb5_cc_get_name(handle->context, ccache)) + 2); + if (handle->cache_name == NULL) { + code = ENOMEM; + goto error; + } + sprintf(handle->cache_name, "%s:%s", + krb5_cc_get_type(handle->context, ccache), + krb5_cc_get_name(handle->context, ccache)); + } else { +#if 0 + handle->cache_name = + (char *) malloc(strlen(ADM_CCACHE)+strlen("FILE:")+1); + if (handle->cache_name == NULL) { + code = ENOMEM; + goto error; + } + sprintf(handle->cache_name, "FILE:%s", ADM_CCACHE); + mktemp(handle->cache_name + strlen("FILE:")); +#endif + { + static int counter = 0; + handle->cache_name = malloc(sizeof("MEMORY:kadm5_") + + 3*sizeof(counter)); + sprintf(handle->cache_name, "MEMORY:kadm5_%u", counter++); + } + + if ((code = krb5_cc_resolve(handle->context, handle->cache_name, + &ccache))) + goto error; - if ((code = krb5_cc_initialize (handle->context, 
ccache, + if ((code = krb5_cc_initialize (handle->context, ccache, creds.client))) - goto error; + goto error; - handle->destroy_cache = 1; - } - handle->lhandle->cache_name = handle->cache_name; + handle->destroy_cache = 1; + } + handle->lhandle->cache_name = handle->cache_name; ADMIN_LOG(LOG_ERR, dgettext(TEXT_DOMAIN, "cache created: %s\n"), handle->cache_name); - - if ((code = krb5_timeofday(handle->context, &now))) - goto error; + + if ((code = krb5_timeofday(handle->context, &now))) + goto error; - /* - * Get a ticket, use the method specified in init_type. - */ - creds.times.starttime = 0; /* start timer at KDC */ - creds.times.endtime = 0; /* endtime will be limited by service */ + /* + * Get a ticket, use the method specified in init_type. + */ + + creds.times.starttime = 0; /* start timer at KDC */ + creds.times.endtime = 0; /* endtime will be limited by service */ memset(&opt, 0, sizeof (opt)); krb5_get_init_creds_opt_init(&opt); @@ -854,19 +868,16 @@ static kadm5_ret_t _kadm5_init_any(char *client_name, creds.times.starttime, server, &opt); - if (pass) - krb5_kt_close(handle->context, kt); - } - } - - /* Improved error messages */ - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) - code = KADM5_BAD_PASSWORD; + if (pass) krb5_kt_close(handle->context, kt); + } + } - if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) - code = KADM5_SECURE_PRINC_MISSING; + /* Improved error messages */ + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; + if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) + code = KADM5_SECURE_PRINC_MISSING; - if (code != 0) { + if (code != 0) { ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN, "failed to obtain credentials cache\n")); goto error; 
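Review bot: The new MEMORY-ccache block drops the NULL check the `#if 0`'d FILE-path code had: `handle->cache_name = malloc(sizeof("MEMORY:kadm5_") + 3*sizeof(counter));` is followed directly by `sprintf(handle->cache_name, ...)`, so an allocation failure becomes a NULL write instead of the `ENOMEM` the rest of the function returns; add `if (handle->cache_name == NULL) { code = ENOMEM; goto error; }` between them. `counter` is `int` but printed with `%u`, and as a plain `static` it is incremented without synchronization, so two threads entering `_kadm5_init_any` at once could be handed the same ccache name (whether the client library is used from multiple threads is not visible here). Replacing the `mktemp()`-named `/tmp/ovsec_adm.XXXXXX` file with a process-private MEMORY ccache is the right direction — the admin ticket no longer touches disk or a predictable /tmp name — so the dead `#if 0` block can simply be deleted rather than kept alongside.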
@@ -882,8 +893,8 @@ static kadm5_ret_t _kadm5_init_any(char *client_name, ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN, "obtained credentials cache\n")); #ifdef ZEROPASSWD - if (pass != NULL) - memset(pass, 0, strlen(pass)); + if (pass != NULL) + memset(pass, 0, strlen(pass)); #endif if (init_type != INIT_PASS || @@ -903,19 +914,19 @@ static kadm5_ret_t _kadm5_init_any(char *client_name, goto cleanup; error: - /* - * Note that it is illegal for this code to execute if "handle" - * has not been allocated and initialized. I.e., don't use "goto - * error" before the block of code at the top of the function - * that allocates and initializes "handle". - */ - if (handle->cache_name) + /* + * Note that it is illegal for this code to execute if "handle" + * has not been allocated and initialized. I.e., don't use "goto + * error" before the block of code at the top of the function + * that allocates and initializes "handle". + */ + if (handle->cache_name) free(handle->cache_name); - if (handle->destroy_cache && ccache) + if (handle->destroy_cache && ccache) krb5_cc_destroy(handle->context, ccache); - if(handle->clnt && handle->clnt->cl_auth) + if(handle->clnt && handle->clnt->cl_auth) AUTH_DESTROY(handle->clnt->cl_auth); - if(handle->clnt) + if(handle->clnt) clnt_destroy(handle->clnt); (void) kadm5_free_config_params(handle->context, &handle->params); 
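Review bot: Clearing the caller's password with `memset(pass, 0, strlen(pass));` is compiled only under `ZEROPASSWD`, so in a default build the plaintext admin password stays in the caller's buffer for as long as the caller keeps it; if the default build is meant to scrub it, the `#ifdef` should go, and a comment at that point should state that `pass` is written through (it is passed as a plain `char *`). In the `error:` block, `handle->cache_name` is freed while `handle->lhandle->cache_name` (aliased to it in the `@@ -775` hunk once the ccache is set up) may still point at it; this is only safe because `handle->lhandle` is itself freed at `cleanup:` when `code` is non-zero, which deserves a one-line comment, e.g. `/* lhandle->cache_name aliases this; lhandle is freed below */`. The function ends after this hunk.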
@@ -935,76 +946,91 @@ cleanup: if (serverp && serverp != creds.server) krb5_free_principal(handle->context, serverp); - krb5_free_cred_contents(handle->context, &creds); + krb5_free_cred_contents(handle->context, &creds); /* * Dont clean up the handle if the code is OK (code==0) * because it is returned to the caller in the 'server_handle' * ptr. */ - if (code) { + if (code) { krb5_free_context(handle->context); free(handle->lhandle); free(handle); } - return (code); + return code; } kadm5_ret_t kadm5_destroy(void *server_handle) { - krb5_ccache ccache = NULL; - int code = KADM5_OK; - kadm5_server_handle_t handle = + krb5_ccache ccache = NULL; + int code = KADM5_OK; + kadm5_server_handle_t handle = (kadm5_server_handle_t) server_handle; OM_uint32 min_stat; - CHECK_HANDLE(server_handle); - - if (handle->destroy_cache && handle->cache_name) { + CHECK_HANDLE(server_handle); +/* SUNW14resync: + * krb5_cc_resolve() will resolve a ccache with the same data that + * handle->my_cred points to. If the ccache is a MEMORY ccache then + * gss_release_cred() will free that data (it doesn't do this when ccache + * is a FILE ccache). + * if'ed out to avoid the double free. + */ +#if 0 + if (handle->destroy_cache && handle->cache_name) { if ((code = krb5_cc_resolve(handle->context, handle->cache_name, &ccache)) == 0) code = krb5_cc_destroy (handle->context, ccache); - } - if (handle->cache_name) + } +#endif + if (handle->cache_name) free(handle->cache_name); - - if (handle->clnt && handle->clnt->cl_auth) { + if (handle->clnt && handle->clnt->cl_auth) { /* * Since kadm5 doesn't use the default credentials we * must clean this up manually. 
*/ if (handle->my_cred != GSS_C_NO_CREDENTIAL) (void) gss_release_cred(&min_stat, &handle->my_cred); - AUTH_DESTROY(handle->clnt->cl_auth); + AUTH_DESTROY(handle->clnt->cl_auth); } - if (handle->clnt) + if (handle->clnt) clnt_destroy(handle->clnt); - if (handle->lhandle) - free (handle->lhandle); + if (handle->lhandle) + free (handle->lhandle); - kadm5_free_config_params(handle->context, &handle->params); - krb5_free_context(handle->context); + kadm5_free_config_params(handle->context, &handle->params); + krb5_free_context(handle->context); - handle->magic_number = 0; - free(handle); + handle->magic_number = 0; + free(handle); - return (code); + return code; +} +/* not supported on client */ +kadm5_ret_t kadm5_lock(void *server_handle) +{ + return EINVAL; } -/*ARGSUSED*/ -kadm5_ret_t -kadm5_flush(void *server_handle) +/* not supported on client */ +kadm5_ret_t kadm5_unlock(void *server_handle) { - return (KADM5_OK); + return EINVAL; } -int -_kadm5_check_handle(void *handle) +kadm5_ret_t kadm5_flush(void *server_handle) { - CHECK_HANDLE(handle); - return (0); + return KADM5_OK; +} + +int _kadm5_check_handle(void *handle) +{ + CHECK_HANDLE(handle); + return 0; } /* diff --git a/usr/src/lib/krb5/kadm5/clnt/client_internal.h b/usr/src/lib/krb5/kadm5/clnt/client_internal.h index 756d4b4a05..ff739b4b91 100644 --- a/usr/src/lib/krb5/kadm5/clnt/client_internal.h +++ b/usr/src/lib/krb5/kadm5/clnt/client_internal.h @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
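Review bot: The `#if 0` around the credential-cache teardown in kadm5_destroy means a cache opened with `destroy_cache` set is now never destroyed for any cache type; the SUNW14resync comment itself says gss_release_cred() frees only MEMORY caches, so a FILE cache would leave the admin service tickets on disk after the handle is gone. Rather than disabling the block, resolve the cache and destroy it only when its type is not MEMORY, leaving the MEMORY case to gss_release_cred(); whether this library ever creates a FILE cache is decided in _kadm5_init_any outside this hunk, so that should be confirmed before relying on `#if 0`. With the block disabled the local `ccache` is never used and `code` is always KADM5_OK, which the comment should at least acknowledge. A sketch (assumes krb5_cc_close on a MEMORY cache does not free the data shared with `my_cred` — confirm):
```c
    if (handle->destroy_cache && handle->cache_name) {
        if ((code = krb5_cc_resolve(handle->context, handle->cache_name,
                                    &ccache)) == 0) {
            /* MEMORY caches share their data with handle->my_cred and are
             * torn down by gss_release_cred() below; destroying them here
             * as well is the double free the SUNW14resync note describes. */
            if (strcmp(krb5_cc_get_type(handle->context, ccache),
                       "MEMORY") != 0)
                code = krb5_cc_destroy(handle->context, ccache);
            else
                (void) krb5_cc_close(handle->context, ccache);
        }
    }
    /* … unchanged: free cache_name, gss_release_cred, clnt_destroy … */
```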
@@ -29,9 +29,9 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/clnt/client_internal.h, v 1.1 1996/07/24 22:22:43 tlyu Exp $ - * - * $Log: client_internal.h, v $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_internal.h,v 1.1 1996/07/24 22:22:43 tlyu Exp $ + * + * $Log: client_internal.h,v $ * Revision 1.1 1996/07/24 22:22:43 tlyu * * Makefile.in, configure.in: break out client lib into a * subdirectory @@ -97,31 +97,32 @@ typedef struct _kadm5_server_handle_t { krb5_ui_4 magic_number; krb5_ui_4 struct_version; krb5_ui_4 api_version; - char *cache_name; + char * cache_name; int destroy_cache; - CLIENT *clnt; + CLIENT * clnt; krb5_context context; gss_cred_id_t my_cred; kadm5_config_params params; struct _kadm5_server_handle_t *lhandle; } kadm5_server_handle_rec, *kadm5_server_handle_t; - -#define CLIENT_CHECK_HANDLE(handle) \ +#define CLIENT_CHECK_HANDLE(handle) \ { \ -kadm5_server_handle_t srvr = (kadm5_server_handle_t)handle; \ + kadm5_server_handle_t srvr = \ + (kadm5_server_handle_t) handle; \ + \ if (srvr->params.kpasswd_protocol == KRB5_CHGPWD_RPCSEC && ! srvr->clnt) \ - return (KADM5_BAD_SERVER_HANDLE); \ + return KADM5_BAD_SERVER_HANDLE; \ if (! srvr->cache_name) \ - return (KADM5_BAD_SERVER_HANDLE); \ + return KADM5_BAD_SERVER_HANDLE; \ if (! srvr->lhandle) \ -return (KADM5_BAD_SERVER_HANDLE); \ + return KADM5_BAD_SERVER_HANDLE; \ } -#define CHECK_HANDLE(handle) \ -GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, \ -KADM5_NEW_LIB_API_VERSION) \ -CLIENT_CHECK_HANDLE(handle) +#define CHECK_HANDLE(handle) \ + GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, \ + KADM5_NEW_LIB_API_VERSION) \ + CLIENT_CHECK_HANDLE(handle) #ifdef __cplusplus } diff --git a/usr/src/lib/krb5/kadm5/clnt/client_principal.c b/usr/src/lib/krb5/kadm5/clnt/client_principal.c index b6fc1103f4..92fc52d122 100644 --- a/usr/src/lib/krb5/kadm5/clnt/client_principal.c 
+++ b/usr/src/lib/krb5/kadm5/clnt/client_principal.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -26,19 +26,27 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_principal.c,v 1.8 2000/02/27 22:18:15 tlyu Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_principal.c,v 1.11 2004/06/16 03:11:53 tlyu Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_principal.c,v 1.8 2000/02/27 22:18:15 tlyu Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_principal.c,v 1.11 2004/06/16 03:11:53 tlyu Exp $"; #endif #include <rpc/rpc.h> /* SUNWresync121 XXX */ #include <kadm5/admin.h> #include <kadm5/kadm_rpc.h> +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif #include "client_internal.h" +#ifdef DEBUG /* SUNWresync14 XXX */ +#define eret() clnt_perror(handle->clnt, "null ret"); return KADM5_RPC_ERROR; +#else +#define eret() return KADM5_RPC_ERROR; +#endif + kadm5_ret_t kadm5_create_principal(void *server_handle, kadm5_principal_ent_t princ, long mask, @@ -93,7 +101,7 @@ kadm5_create_principal(void *server_handle, krb5_free_principal(handle->context, arg.rec.mod_name); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } @@ -154,7 +162,7 @@ kadm5_create_principal_3(void *server_handle, krb5_free_principal(handle->context, arg.rec.mod_name); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } @@ -173,7 +181,7 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal) arg.api_version = handle->api_version; r = delete_principal_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } 
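Review bot: Under DEBUG the new `eret()` macro expands to two statements, so every `if(r == NULL) eret();` site in this file becomes `if (r == NULL) clnt_perror(handle->clnt, "null ret"); return KADM5_RPC_ERROR;` and the function returns KADM5_RPC_ERROR unconditionally, even when the RPC succeeded and `r` is valid. Wrap the body so it behaves as one statement: `#define eret() do { clnt_perror(handle->clnt, "null ret"); return KADM5_RPC_ERROR; } while (0)`. The macro also silently depends on a local named `handle` at each use site, which is worth a one-line comment above the definition.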
@@ -226,7 +234,7 @@ kadm5_modify_principal(void *server_handle, krb5_free_principal(handle->context, arg.rec.mod_name); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } @@ -251,7 +259,7 @@ kadm5_get_principal(void *server_handle, arg.api_version = handle->api_version; r = get_principal_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); if (handle->api_version == KADM5_API_VERSION_1) { kadm5_principal_ent_t_v1 *entp; @@ -291,7 +299,7 @@ kadm5_get_principals(void *server_handle, arg.api_version = handle->api_version; r = get_princs_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); if(r->code == 0) { *count = r->count; *princs = r->princs; @@ -320,7 +328,7 @@ kadm5_rename_principal(void *server_handle, return EINVAL; r = rename_principal_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } @@ -342,7 +350,7 @@ kadm5_chpass_principal(void *server_handle, return EINVAL; r = chpass_principal_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } @@ -369,7 +377,7 @@ kadm5_chpass_principal_3(void *server_handle, return EINVAL; r = chpass_principal3_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } @@ -392,7 +400,7 @@ kadm5_setv4key_principal(void *server_handle, return EINVAL; r = setv4key_principal_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } @@ -402,7 +410,6 @@ kadm5_setkey_principal(void *server_handle, krb5_keyblock *keyblocks, int n_keys) { - setkey_arg arg; generic_ret *r; kadm5_server_handle_t handle = server_handle; @@ -418,7 +425,7 @@ kadm5_setkey_principal(void *server_handle, return EINVAL; r = setkey_principal_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } 
@@ -448,7 +455,7 @@ kadm5_setkey_principal_3(void *server_handle, return EINVAL; r = setkey_principal3_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); return r->code; } @@ -527,7 +534,6 @@ kadm5_randkey_principal_3(void *server_handle, { chrand3_arg arg; chrand_ret *r; - krb5_keyblock new; kadm5_server_handle_t handle = server_handle; int i, ret; @@ -549,27 +555,30 @@ kadm5_randkey_principal_3(void *server_handle, return EINVAL; r = chrand_principal3_1(&arg, handle->clnt); if(r == NULL) - return KADM5_RPC_ERROR; + eret(); if (handle->api_version == KADM5_API_VERSION_1) { if (key) krb5_copy_keyblock(handle->context, &r->key, key); - } else if (key && (r->n_keys > 0)) { - *key = (krb5_keyblock *) - malloc(r->n_keys*sizeof(krb5_keyblock)); - if (*key == NULL) - return ENOMEM; - for (i = 0; i < r->n_keys; i++) { - ret = krb5_copy_keyblock_contents(handle->context, - &r->keys[i], - &(*key)[i]); - if (ret) { - free(*key); - *key = NULL; - return ENOMEM; - } - } - if (n_keys) - *n_keys = r->n_keys; + } else { + if (n_keys) + *n_keys = r->n_keys; + if (key) { + if(r->n_keys) { + *key = (krb5_keyblock *) + malloc(r->n_keys*sizeof(krb5_keyblock)); + if (*key == NULL) + return ENOMEM; + for (i = 0; i < r->n_keys; i++) { + ret = krb5_copy_keyblock_contents(handle->context, + &r->keys[i], + &(*key)[i]); + if (ret) { + free(*key); + return ENOMEM; + } + } + } else *key = NULL; + } } return r->code; diff --git a/usr/src/lib/krb5/kadm5/clnt/client_rpc.c b/usr/src/lib/krb5/kadm5/clnt/client_rpc.c index bbe65e38bc..1e029e1bf7 100644 --- a/usr/src/lib/krb5/kadm5/clnt/client_rpc.c +++ b/usr/src/lib/krb5/kadm5/clnt/client_rpc.c @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
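Review bot: In the key-copy loop of kadm5_randkey_principal_3, a failing `krb5_copy_keyblock_contents` frees the array but leaves the key contents already copied into `(*key)[0..i-1]` allocated and unscrubbed, and the rewrite dropped the old `*key = NULL;`, so the caller is handed a dangling pointer while `*n_keys` has already been set to `r->n_keys`. Free the partial copies, reset both outputs and propagate `ret` instead of always reporting ENOMEM. The keys are also copied before `r->code` is examined; whether `r->keys`/`r->n_keys` are meaningful on a non-zero code depends on the server and XDR side outside this hunk. The function's argument marshalling begins above the hunk.
```c
                if (ret) {
                    while (i-- > 0)
                        krb5_free_keyblock_contents(handle->context,
                                                    &(*key)[i]);
                    free(*key);
                    *key = NULL;
                    if (n_keys)
                        *n_keys = 0;
                    return ret;
                }
```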
@@ -27,7 +27,9 @@ #include <kadm5/kadm_rpc.h> #include <krb5.h> #include <kadm5/admin.h> +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif /* Default timeout can be changed using clnt_control() */ static struct timeval TIMEOUT = { 25, 0 }; @@ -51,7 +53,7 @@ create_principal_1(argp, clnt) generic_ret * create_principal3_1(argp, clnt) - cprinc_arg *argp; + cprinc3_arg *argp; CLIENT *clnt; { static generic_ret res; @@ -138,7 +140,7 @@ get_principal_1(argp, clnt) gprincs_ret * get_princs_1(argp, clnt) - gprinc_arg *argp; + gprincs_arg *argp; CLIENT *clnt; { static gprincs_ret res; @@ -172,7 +174,7 @@ chpass_principal_1(argp, clnt) generic_ret * chpass_principal3_1(argp, clnt) - chpass_arg *argp; + chpass3_arg *argp; CLIENT *clnt; { static generic_ret res; @@ -229,7 +231,7 @@ setkey_principal_1(argp, clnt) generic_ret * setkey_principal3_1(argp, clnt) - setkey_arg *argp; + setkey3_arg *argp; CLIENT *clnt; { static generic_ret res; @@ -265,7 +267,7 @@ chrand_principal_1(argp, clnt) chrand_ret * chrand_principal3_1(argp, clnt) - chrand_arg *argp; + chrand3_arg *argp; CLIENT *clnt; { static chrand_ret res; @@ -352,7 +354,7 @@ get_policy_1(argp, clnt) gpols_ret * get_pols_1(argp, clnt) - gprinc_arg *argp; + gpols_arg *argp; CLIENT *clnt; { static gpols_ret res; diff --git a/usr/src/lib/krb5/kadm5/clnt/clnt_chpass_util.c b/usr/src/lib/krb5/kadm5/clnt/clnt_chpass_util.c index 4ce989fad3..ffbf55a090 100644 --- a/usr/src/lib/krb5/kadm5/clnt/clnt_chpass_util.c +++ b/usr/src/lib/krb5/kadm5/clnt/clnt_chpass_util.c @@ -26,7 +26,7 @@ kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, char *new_pw, char **ret_pw, char *msg_ret, - int msg_len) + unsigned int msg_len) { kadm5_server_handle_t handle = server_handle; diff --git a/usr/src/lib/krb5/kadm5/clnt/clnt_policy.c b/usr/src/lib/krb5/kadm5/clnt/clnt_policy.c index 1161389f66..15ee88ef8a 100644 --- a/usr/src/lib/krb5/kadm5/clnt/clnt_policy.c +++ b/usr/src/lib/krb5/kadm5/clnt/clnt_policy.c 
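Review bot: `chrand_principal3_1` returns a pointer into the file-scope `static chrand_ret res`, whose `keys` array holds the freshly generated principal keys and, if the stub follows the usual rpcgen pattern (its body is cut off in this hunk), keeps them in memory until the next call's xdr_free; the caller in client_principal.c copies the keys out and never scrubs the static. A comment on the definition should state that the returned buffer is shared, not thread-safe and retains key material, and the stub (or its caller) should zero `res.keys` once the keys have been copied. Correcting the `argp` type to `chrand3_arg *` is right, since the K&R definition previously accepted the mismatch silently.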
@@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -26,7 +26,7 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/clnt_policy.c,v 1.2 1998/02/14 02:32:57 tlyu Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/clnt_policy.c,v 1.4 2004/02/19 01:22:26 raeburn Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) @@ -86,7 +86,6 @@ kadm5_delete_policy(void *server_handle, char *name) kadm5_ret_t kadm5_modify_policy(void *server_handle, kadm5_policy_ent_t policy, long mask) - { mpol_arg arg; generic_ret *r; @@ -109,7 +108,6 @@ kadm5_modify_policy(void *server_handle, kadm5_ret_t kadm5_get_policy(void *server_handle, char *name, kadm5_policy_ent_t ent) - { gpol_arg arg; gpol_ret *r; diff --git a/usr/src/lib/krb5/kadm5/clnt/mapfile-vers b/usr/src/lib/krb5/kadm5/clnt/mapfile-vers index f47b2d722b..241e1286b1 100644 --- a/usr/src/lib/krb5/kadm5/clnt/mapfile-vers +++ b/usr/src/lib/krb5/kadm5/clnt/mapfile-vers @@ -27,10 +27,14 @@ SUNWprivate_1.1 { global: + _kadm5_get_kpasswd_protocol; + chpass_principal3_1; chpass_principal_1; chpw_error_message; + chrand_principal3_1; chrand_principal_1; create_policy_1; + create_principal3_1; create_principal_1; delete_policy_1; delete_principal_1; @@ -58,11 +62,10 @@ SUNWprivate_1.1 { kadm5_free_policy_ent; kadm5_free_principal_ent; kadm5_get_adm_host_srv_name; + kadm5_get_admin_service_name; kadm5_get_config_params; kadm5_get_cpw_host_srv_name; kadm5_get_kiprop_host_srv_name; - _kadm5_get_kpasswd_protocol; - kadm5_get_master; kadm5_get_policies; kadm5_get_policy; kadm5_get_principal; 
@@ -73,14 +76,18 @@ SUNWprivate_1.1 { kadm5_init_with_creds; kadm5_init_with_password; kadm5_init_with_skey; + kadm5_lock; kadm5_modify_policy; kadm5_modify_principal; kadm5_randkey_principal; kadm5_randkey_principal_3; kadm5_randkey_principal_old; kadm5_rename_principal; + kadm5_setkey_principal; kadm5_setkey_principal_3; + kadm5_unlock; krb5_aprof_finish; + krb5_aprof_get_boolean; krb5_aprof_get_deltat; krb5_aprof_get_int32; krb5_aprof_get_string; @@ -104,10 +111,15 @@ SUNWprivate_1.1 { modify_policy_1; modify_principal_1; rename_principal_1; + setkey_principal3_1; + setkey_principal_1; + xdr_chpass3_arg; xdr_chpass_arg; + xdr_chrand3_arg; xdr_chrand_arg; xdr_chrand_ret; xdr_cpol_arg; + xdr_cprinc3_arg; xdr_cprinc_arg; xdr_dpol_arg; xdr_dprinc_arg; @@ -129,19 +141,24 @@ SUNWprivate_1.1 { xdr_krb5_enctype; xdr_krb5_flags; xdr_krb5_int16; - xdr_krb5_keyblock; xdr_krb5_key_data_nocontents; + xdr_krb5_key_salt_tuple; + xdr_krb5_keyblock; xdr_krb5_kvno; xdr_krb5_octet; xdr_krb5_principal; + xdr_krb5_salttype; xdr_krb5_timestamp; xdr_krb5_tl_data; + xdr_krb5_ui_2; xdr_krb5_ui_4; xdr_mpol_arg; xdr_mprinc_arg; xdr_nullstring; xdr_nulltype; xdr_rprinc_arg; + xdr_setkey3_arg; + xdr_setkey_arg; xdr_ui_4; local: *; diff --git a/usr/src/lib/krb5/kadm5/kadm_err.h b/usr/src/lib/krb5/kadm5/kadm_err.h index 4e636670a1..c4463ff13a 100644 --- a/usr/src/lib/krb5/kadm5/kadm_err.h +++ b/usr/src/lib/krb5/kadm5/kadm_err.h @@ -1,5 +1,5 @@ /* - * Copyright 2000-2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -81,10 +81,22 @@ #define KADM5_SETKEY_DUP_ENCTYPES (43787571L) #define KADM5_SETV4KEY_INVAL_ENCTYPE (43787572L) #define KADM5_SETKEY3_ETYPE_MISMATCH (43787573L) -#define KADM5_RPC_ERROR_CANTENCODEARGS (43787574L) -#define KADM5_RPC_ERROR_CANTDECODEARGS (43787575L) +#define KADM5_MISSING_KRB5_CONF_PARAMS (43787574L) +#define KADM5_RPC_ERROR_CANTENCODEARGS (43787575L) +#define KADM5_RPC_ERROR_CANTDECODEARGS (43787576L) #define ERROR_TABLE_BASE_ovk (43787520L) +extern const struct error_table et_ovk_error_table; + +#if !defined(_WIN32) /* for compatibility with older versions... */ +extern void initialize_ovk_error_table (void) /*@modifies internalState@*/; +#else +#define initialize_ovk_error_table() +#endif + +#if !defined(_WIN32) +#define init_ovk_err_tbl initialize_ovk_error_table #define ovk_err_base ERROR_TABLE_BASE_ovk +#endif diff --git a/usr/src/lib/krb5/kadm5/kadm_rpc.h b/usr/src/lib/krb5/kadm5/kadm_rpc.h index 54d5869fb4..9521c9f923 100644 --- a/usr/src/lib/krb5/kadm5/kadm_rpc.h +++ b/usr/src/lib/krb5/kadm5/kadm_rpc.h @@ -17,6 +17,8 @@ * */ +#ifndef __KADM_RPC_H__ +#define __KADM_RPC_H__ #include <rpc/types.h> 
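Review bot: Inserting KADM5_MISSING_KRB5_CONF_PARAMS at 43787574 renumbers the two existing codes KADM5_RPC_ERROR_CANTENCODEARGS and KADM5_RPC_ERROR_CANTDECODEARGS, which are part of the library's ABI and, since kadm5_ret_t values travel back to clients in `generic_ret.code`, of its wire protocol; a client or server built against the old header will misreport those two errors against a peer built with this one. If the renumbering is deliberate to match upstream kadm_err.et, say so in the commit description and in a comment next to the definitions; otherwise append the new code as 43787576 and leave the existing values alone. The header also states these values by hand while the surrounding text says the table is generated, so the .et source and this file need to be kept in step.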
@@ -254,44 +256,99 @@ bool_t xdr_getprivs_ret(); #define KADM ((krb5_ui_4)2112) #define KADMVERS ((krb5_ui_4)2) #define CREATE_PRINCIPAL ((krb5_ui_4)1) -extern generic_ret *create_principal_1(); +extern generic_ret *create_principal_1_svc(cprinc_arg *arg, + struct svc_req *rqstp); +extern generic_ret *create_principal_1(cprinc_arg *argp, CLIENT *clnt); + #define DELETE_PRINCIPAL ((krb5_ui_4)2) -extern generic_ret *delete_principal_1(); +extern generic_ret *delete_principal_1_svc(dprinc_arg *arg, + struct svc_req *rqstp); +extern generic_ret *delete_principal_1(dprinc_arg *argp, CLIENT *clnt); + #define MODIFY_PRINCIPAL ((krb5_ui_4)3) -extern generic_ret *modify_principal_1(); +extern generic_ret *modify_principal_1_svc(mprinc_arg *arg, + struct svc_req *rqstp); +extern generic_ret *modify_principal_1(mprinc_arg *argp, CLIENT *clnt); + #define RENAME_PRINCIPAL ((krb5_ui_4)4) -extern generic_ret *rename_principal_1(); +extern generic_ret *rename_principal_1_svc(rprinc_arg *arg, + struct svc_req *rqstp); +extern generic_ret *rename_principal_1(rprinc_arg *argp, CLIENT *clnt); + #define GET_PRINCIPAL ((krb5_ui_4)5) -extern gprinc_ret *get_principal_1(); +extern gprinc_ret *get_principal_1_svc(gprinc_arg *arg, struct svc_req *rqstp); +extern gprinc_ret *get_principal_1(gprinc_arg *argp, CLIENT *clnt); + #define CHPASS_PRINCIPAL ((krb5_ui_4)6) -extern generic_ret *chpass_principal_1(); +extern generic_ret *chpass_principal_1_svc(chpass_arg *arg, + struct svc_req *rqstp); +extern generic_ret *chpass_principal_1(chpass_arg *argp, CLIENT *clnt); + #define CHRAND_PRINCIPAL ((krb5_ui_4)7) -extern chrand_ret *chrand_principal_1(); +extern chrand_ret *chrand_principal_1_svc(chrand_arg *arg, + struct svc_req *rqstp); +extern chrand_ret *chrand_principal_1(chrand_arg *argp, CLIENT *clnt); + #define CREATE_POLICY ((krb5_ui_4)8) -extern generic_ret *create_policy_1(); +extern generic_ret *create_policy_1_svc(cpol_arg *arg, struct svc_req *rqstp); +extern generic_ret 
*create_policy_1(cpol_arg *argp, CLIENT *clnt); + #define DELETE_POLICY ((krb5_ui_4)9) -extern generic_ret *delete_policy_1(); +extern generic_ret *delete_policy_1_svc(dpol_arg *arg, struct svc_req *rqstp); +extern generic_ret *delete_policy_1(dpol_arg *argp, CLIENT *clnt); + #define MODIFY_POLICY ((krb5_ui_4)10) -extern generic_ret *modify_policy_1(); +extern generic_ret *modify_policy_1_svc(mpol_arg *arg, struct svc_req *rqstp); +extern generic_ret *modify_policy_1(mpol_arg *argp, CLIENT *clnt); + #define GET_POLICY ((krb5_ui_4)11) -extern gpol_ret *get_policy_1(); +extern gpol_ret *get_policy_1_svc(gpol_arg *arg, struct svc_req *rqstp); +extern gpol_ret *get_policy_1(gpol_arg *argp, CLIENT *clnt); + #define GET_PRIVS ((krb5_ui_4)12) -extern getprivs_ret *get_privs_1(); +extern getprivs_ret *get_privs_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp); +extern getprivs_ret *get_privs_1(void *argp, CLIENT *clnt); + #define INIT ((krb5_ui_4)13) +extern generic_ret *init_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp); extern generic_ret *init_1(); + #define GET_PRINCS ((krb5_ui_4) 14) -extern gprincs_ret *get_princs_1(); +extern gprincs_ret *get_princs_1_svc(gprincs_arg *arg, struct svc_req *rqstp); +extern gprincs_ret *get_princs_1(gprincs_arg *argp, CLIENT *clnt); + #define GET_POLS ((krb5_ui_4) 15) -extern gpols_ret *get_pols_1(); +extern gpols_ret *get_pols_1_svc(gpols_arg *arg, struct svc_req *rqstp); +extern gpols_ret *get_pols_1(gpols_arg *argp, CLIENT *clnt); + #define SETKEY_PRINCIPAL ((krb5_ui_4) 16) -extern generic_ret *setkey_principal_1(); +extern generic_ret *setkey_principal_1_svc(setkey_arg *arg, + struct svc_req *rqstp); +extern generic_ret *setkey_principal_1(setkey_arg *argp, CLIENT *clnt); + #define SETV4KEY_PRINCIPAL ((krb5_ui_4) 17) -extern generic_ret *setv4key_principal_1(); +extern generic_ret *setv4key_principal_1_svc(setv4key_arg *arg, + struct svc_req *rqstp); +extern generic_ret *setv4key_principal_1(setv4key_arg *argp, CLIENT *clnt); + #define 
CREATE_PRINCIPAL3 ((krb5_ui_4) 18) -extern generic_ret *create_principal3_1(); +extern generic_ret *create_principal3_1_svc(cprinc3_arg *arg, + struct svc_req *rqstp); +extern generic_ret *create_principal3_1(cprinc3_arg *argp, CLIENT *clnt); + #define CHPASS_PRINCIPAL3 ((krb5_ui_4) 19) -extern generic_ret *chpass_principal3_1(); +extern generic_ret *chpass_principal3_1_svc(chpass3_arg *arg, + struct svc_req *rqstp); +extern generic_ret *chpass_principal3_1(chpass3_arg *argp, CLIENT *clnt); + #define CHRAND_PRINCIPAL3 ((krb5_ui_4) 20) -extern chrand_ret *chrand_principal3_1(); +extern chrand_ret *chrand_principal3_1_svc(chrand3_arg *arg, + struct svc_req *rqstp); +extern chrand_ret *chrand_principal3_1(chrand3_arg *argp, CLIENT *clnt); + #define SETKEY_PRINCIPAL3 ((krb5_ui_4) 21) -extern generic_ret *setkey_principal3_1(); +extern generic_ret *setkey_principal3_1_svc(setkey3_arg *arg, + struct svc_req *rqstp); +extern generic_ret *setkey_principal3_1(setkey3_arg *argp, CLIENT *clnt); + +#endif /* __KADM_RPC_H__ */ diff --git a/usr/src/lib/krb5/kadm5/kadm_rpc_xdr.c b/usr/src/lib/krb5/kadm5/kadm_rpc_xdr.c index fef7da4749..d9d5697458 100644 --- a/usr/src/lib/krb5/kadm5/kadm_rpc_xdr.c +++ b/usr/src/lib/krb5/kadm5/kadm_rpc_xdr.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -52,7 +52,7 @@ bool_t xdr_ui_4(XDR *xdrs, krb5_ui_4 *objp) { /* Assumes that krb5_ui_4 and u_int32 are both four bytes long. This should not be a harmful assumption. */ - return xdr_u_int(xdrs, (rpc_u_int32 *) objp); + return xdr_u_int(xdrs, (uint32_t *) objp); } 
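Review bot: `init_1` is the only client stub left with an empty parameter list, `extern generic_ret *init_1();`, while every neighbouring stub in this hunk gained a full prototype, so its arguments are still unchecked at call sites; likewise `get_privs_1_svc` takes `krb5_ui_4 *arg` but `get_privs_1` takes `void *argp`, which hides exactly the kind of mismatch the rest of the hunk removes. Give both a prototype consistent with their definitions in client_rpc.c/server_stubs.c (not in this diff), e.g. `extern generic_ret *init_1(void *argp, CLIENT *clnt);` if the client passes a dummy argument, or `krb5_ui_4 *` on both sides. A short comment above the `*_svc`/non-`_svc` pairs explaining that the first is the server dispatch entry and the second the client stub would help readers of this header.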
@@ -150,7 +150,7 @@ xdr_krb5_timestamp(XDR *xdrs, krb5_timestamp *objp) /* This assumes that int32 and krb5_timestamp are the same size. This shouldn't be a problem, since we've got a unit test which checks for this. */ - if (!xdr_int(xdrs, (rpc_int32 *) objp)) { + if (!xdr_int(xdrs, (int32_t *) objp)) { return (FALSE); } return (TRUE); @@ -181,7 +181,7 @@ xdr_krb5_deltat(XDR *xdrs, krb5_deltat *objp) /* This assumes that int32 and krb5_deltat are the same size. This shouldn't be a problem, since we've got a unit test which checks for this. */ - if (!xdr_int(xdrs, (rpc_int32 *) objp)) { + if (!xdr_int(xdrs, (int32_t *) objp)) { return (FALSE); } return (TRUE); @@ -193,7 +193,7 @@ xdr_krb5_flags(XDR *xdrs, krb5_flags *objp) /* This assumes that int32 and krb5_flags are the same size. This shouldn't be a problem, since we've got a unit test which checks for this. */ - if (!xdr_int(xdrs, (rpc_int32 *) objp)) { + if (!xdr_int(xdrs, (int32_t *) objp)) { return (FALSE); } return (TRUE); @@ -202,7 +202,7 @@ xdr_krb5_flags(XDR *xdrs, krb5_flags *objp) bool_t xdr_krb5_ui_4(XDR *xdrs, krb5_ui_4 *objp) { - if (!xdr_u_int(xdrs, (rpc_u_int32 *) objp)) { + if (!xdr_u_int(xdrs, (uint32_t *) objp)) { return (FALSE); } return (TRUE); @@ -223,6 +223,30 @@ xdr_krb5_int16(XDR *xdrs, krb5_int16 *objp) return(TRUE); } +/* + * Function: xdr_krb5_ui_2 + * + * Purpose: XDR function which serves as a wrapper for xdr_u_int, + * to prevent compiler warnings about type clashes between u_int + * and krb5_ui_2. + */ +bool_t +xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp) +{ + unsigned int tmp; + + tmp = (unsigned int) *objp; + + if (!xdr_u_int(xdrs, &tmp)) + return(FALSE); + + *objp = (krb5_ui_2) tmp; + + return(TRUE); +} + + + bool_t xdr_krb5_key_data_nocontents(XDR *xdrs, krb5_key_data *objp) { /* @@ -285,7 +309,7 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head) { krb5_tl_data *tl, *tl2; bool_t more; - uint len; + unsigned int len; switch (xdrs->x_op) { case XDR_FREE: 
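Review bot: On decode, `xdr_krb5_ui_2` narrows the 32-bit value received from the wire to 16 bits with `*objp = (krb5_ui_2) tmp;` and still reports success, so a peer can send a value above 65535 that silently wraps; this routine is exported for fields that arrive from an untrusted RPC peer, so the decode path should fail instead, e.g. `if (xdrs->x_op == XDR_DECODE && tmp > 0xFFFF) return FALSE;` before the assignment. The function comment should also state that the wire representation is a full u_int and that values are range-checked rather than truncated. The xdr_krb5_tl_data hunk below only changes the type of `len`; its loop body continues outside the hunk.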
@@ -346,10 +370,10 @@ bool_t xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head) bool_t xdr_kadm5_ret_t(XDR *xdrs, kadm5_ret_t *objp) { - rpc_u_int32 tmp; + uint32_t tmp; if (xdrs->x_op == XDR_ENCODE) - tmp = (rpc_u_int32) *objp; + tmp = (uint32_t) *objp; if (!xdr_u_int(xdrs, &tmp)) return (FALSE); @@ -1021,7 +1045,7 @@ xdr_krb5_enctype(XDR *xdrs, krb5_enctype *objp) bool_t xdr_krb5_salttype(XDR *xdrs, krb5_int32 *objp) { - if (!xdr_int(xdrs, (rpc_int32 *) objp)) /* SUNWresync121 XXX */ + if (!xdr_int(xdrs, (int32_t *) objp)) /* SUNWresync121 XXX */ return FALSE; return TRUE; } diff --git a/usr/src/lib/krb5/kadm5/server_internal.h b/usr/src/lib/krb5/kadm5/server_internal.h index 9f11e51d2d..e0c473f900 100644 --- a/usr/src/lib/krb5/kadm5/server_internal.h +++ b/usr/src/lib/krb5/kadm5/server_internal.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -25,7 +25,7 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/server_internal.h,v 1.27 1996/10/21 20:29:58 bjaspan Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/server_internal.h,v 1.31 2001/07/08 12:24:56 epeisach Exp $ */ /* @@ -37,7 +37,9 @@ #ifndef __KADM5_SERVER_INTERNAL_H__ #define __KADM5_SERVER_INTERNAL_H__ +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif #include <stdlib.h> #include "k5-int.h" #include <krb5/kdb.h> 
@@ -77,11 +79,21 @@ krb5_error_code kdb_put_entry(kadm5_server_handle_t handle, krb5_db_entry *kdb, osa_princ_ent_rec *adb); krb5_error_code kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name); +krb5_error_code kdb_iter_entry(kadm5_server_handle_t handle, + void (*iter_fct)(void *, krb5_principal), + void *data); int init_dict(kadm5_config_params *); int find_word(const char *word); void destroy_dict(void); +/* XXX this ought to be in libkrb5.a, but isn't */ +kadm5_ret_t krb5_copy_key_data_contents(krb5_context context, + krb5_key_data *from, + krb5_key_data *to); +kadm5_ret_t krb5_free_key_data_contents(krb5_context context, + krb5_key_data *key); + /* * *Warning* * *Warning* This is going to break if we diff --git a/usr/src/lib/krb5/kadm5/srv/Makefile.com b/usr/src/lib/krb5/kadm5/srv/Makefile.com index 20fde869e3..adc8b81255 100644 --- a/usr/src/lib/krb5/kadm5/srv/Makefile.com +++ b/usr/src/lib/krb5/kadm5/srv/Makefile.com @@ -86,7 +86,8 @@ CPPFLAGS += -I.. -I../.. -I../../.. \ -DENDRPCENT_TYPE=void -DHAVE_SYS_ERRLIST=1 -DNEED_SYS_ERRLIST=1 \ -DHAVE_SYSLOG_H=1 -DHAVE_OPENLOG=1 -DHAVE_SYSLOG=1 -DHAVE_CLOSELOG=1 \ -DHAVE_STEP=1 -DHAVE_RE_COMP=1 -DHAVE_RE_EXEC=1 -DHAVE_REGCOMP=1 \ - -DHAVE_REGEXEC=1 -DHAVE_STRFTIME=1 -DHAVE_VSPRINTF=1 + -DHAVE_REGEXEC=1 -DHAVE_STRFTIME=1 -DHAVE_VSPRINTF=1 \ + -DUSE_KADM5_API_VERSION=2 CFLAGS += $(CCVERBOSE) -I.. diff --git a/usr/src/lib/krb5/kadm5/srv/adb_free.c b/usr/src/lib/krb5/kadm5/srv/adb_free.c index 1cef66e694..e9618da443 100644 --- a/usr/src/lib/krb5/kadm5/srv/adb_free.c +++ b/usr/src/lib/krb5/kadm5/srv/adb_free.c 
@@ -21,9 +21,13 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/adb_free.c,v 1.2 1996/10/18 19:45:49 bjaspan Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_free.c,v 1.3 2000/06/01 02:02:03 tritan Exp $ * * $Log: adb_free.c,v $ + * Revision 1.3 2000/06/01 02:02:03 tritan + * Check for existance of <memory.h>. + * (from Nathan Neulinger <nneul@umr.edu>) + * * Revision 1.2 1996/10/18 19:45:49 bjaspan * * svr_misc_free.c, server_dict.c, adb_policy.c, adb_free.c: * include stdlib.h instead of malloc.h [krb5-admin/35] @@ -68,11 +72,13 @@ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/adb_free.c,v 1.2 1996/10/18 19:45:49 bjaspan Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_free.c,v 1.3 2000/06/01 02:02:03 tritan Exp $"; #endif #include "adb.h" +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif #include <stdlib.h> void diff --git a/usr/src/lib/krb5/kadm5/srv/adb_openclose.c b/usr/src/lib/krb5/kadm5/srv/adb_openclose.c index b3a0fedde2..8c1ad3862f 100644 --- a/usr/src/lib/krb5/kadm5/srv/adb_openclose.c +++ b/usr/src/lib/krb5/kadm5/srv/adb_openclose.c @@ -25,11 +25,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_openclose.c,v 1.4.2.1 2000/05/19 22:24:16 raeburn Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_openclose.c,v 1.8 2002/10/08 20:20:29 tlyu Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_openclose.c,v 1.4.2.1 2000/05/19 22:24:16 raeburn Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_openclose.c,v 1.8 2002/10/08 20:20:29 tlyu Exp $"; #endif #include <sys/file.h> 
@@ -50,15 +50,17 @@ osa_adb_ret_t osa_adb_create_db(char *filename, char *lockfilename, { int lf; DB *db; - HASHINFO info; + BTREEINFO btinfo; - memset(&info, 0, sizeof(info)); - info.hash = NULL; - info.bsize = 256; - info.ffactor = 8; - info.nelem = 25000; - info.lorder = 0; - db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_HASH, &info); + memset(&btinfo, 0, sizeof(btinfo)); + btinfo.flags = 0; + btinfo.cachesize = 0; + btinfo.psize = 4096; + btinfo.lorder = 0; + btinfo.minkeypage = 0; + btinfo.compare = NULL; + btinfo.prefix = NULL; + db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_BTREE, &btinfo); if (db == NULL) return errno; if (db->close(db) < 0) @@ -94,23 +96,23 @@ osa_adb_ret_t osa_adb_rename_db(char *filefrom, char *lockfrom, ret != EEXIST) return ret; - if (ret = osa_adb_init_db(&fromdb, filefrom, lockfrom, magic)) + if ((ret = osa_adb_init_db(&fromdb, filefrom, lockfrom, magic))) return ret; - if (ret = osa_adb_init_db(&todb, fileto, lockto, magic)) { + if ((ret = osa_adb_init_db(&todb, fileto, lockto, magic))) { (void) osa_adb_fini_db(fromdb, magic); return ret; } - if (ret = osa_adb_get_lock(fromdb, OSA_ADB_PERMANENT)) { + if ((ret = osa_adb_get_lock(fromdb, OSA_ADB_PERMANENT))) { (void) osa_adb_fini_db(fromdb, magic); (void) osa_adb_fini_db(todb, magic); return ret; } - if (ret = osa_adb_get_lock(todb, OSA_ADB_PERMANENT)) { + if ((ret = osa_adb_get_lock(todb, OSA_ADB_PERMANENT))) { (void) osa_adb_fini_db(fromdb, magic); (void) osa_adb_fini_db(todb, magic); return ret; } - if (rename(filefrom, fileto) < 0) { + if ((rename(filefrom, fileto) < 0)) { (void) osa_adb_fini_db(fromdb, magic); (void) osa_adb_fini_db(todb, magic); return errno; 
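Review bot: In the `rename()` failure branch of osa_adb_rename_db, `return errno;` is evaluated after two `osa_adb_fini_db()` calls that can overwrite errno, so the caller may receive an unrelated code or zero; capture it first with `ret = errno;` immediately after the failed rename and `return ret;` after the cleanup. The same raw-errno return appears in osa_adb_create_db above, where it is correct only because nothing intervenes between the failing call and the return, which deserves a comment so the pattern is not copied. osa_adb_rename_db's lock handling continues beyond this hunk.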
@@ -119,7 +121,7 @@ osa_adb_ret_t osa_adb_rename_db(char *filefrom, char *lockfrom, * Do not release the lock on fromdb because it is being renamed * out of existence; no one can ever use it again. */ - if (ret = osa_adb_release_lock(todb)) { + if ((ret = osa_adb_release_lock(todb))) { (void) osa_adb_fini_db(fromdb, magic); (void) osa_adb_fini_db(todb, magic); return ret; @@ -152,6 +154,13 @@ osa_adb_ret_t osa_adb_init_db(osa_adb_db_t *dbp, char *filename, db->info.nelem = 25000; db->info.lorder = 0; + db->btinfo.flags = 0; + db->btinfo.cachesize = 0; + db->btinfo.psize = 4096; + db->btinfo.lorder = 0; + db->btinfo.minkeypage = 0; + db->btinfo.compare = NULL; + db->btinfo.prefix = NULL; /* * A process is allowed to open the same database multiple times * and access it via different handles. If the handles use @@ -201,7 +210,7 @@ osa_adb_ret_t osa_adb_init_db(osa_adb_db_t *dbp, char *filename, /* now initialize lockp->lockinfo if necessary */ if (lockp->lockinfo.lockfile == NULL) { - if (code = krb5_init_context(&lockp->lockinfo.context)) { + if ((code = krb5_init_context(&lockp->lockinfo.context))) { free(db); return((osa_adb_ret_t) code); } @@ -229,6 +238,7 @@ osa_adb_ret_t osa_adb_init_db(osa_adb_db_t *dbp, char *filename, db->lock = &lockp->lockinfo; db->lock->refcnt++; + db->opencnt = 0; db->filename = strdup(filename); db->magic = magic; @@ -330,8 +340,6 @@ osa_adb_ret_t osa_adb_get_lock(osa_adb_db_t db, int mode) if (perm) { if (unlink(db->lock->filename) < 0) { - int ret; - /* somehow we can't delete the file, but we already */ /* have the lock, so release it and return */ @@ -369,9 +377,9 @@ osa_adb_ret_t osa_adb_release_lock(osa_adb_db_t db) 0600); if ((db->lock->lockfile = fdopen(fd, "w+F")) == NULL) return OSA_ADB_NOLOCKFILE; - } else if (ret = krb5_lock_file(db->lock->context, + } else if ((ret = krb5_lock_file(db->lock->context, fileno(db->lock->lockfile), - KRB5_LOCKMODE_UNLOCK)) + KRB5_LOCKMODE_UNLOCK))) return ret; db->lock->lockmode = 0; 
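Review bot: When `fdopen(fd, "w+F")` fails in osa_adb_release_lock, the descriptor `fd` opened just before the hunk begins is leaked on the `return OSA_ADB_NOLOCKFILE;` path; close it first: `{ (void) close(fd); return OSA_ADB_NOLOCKFILE; }`. That early return also leaves `db->lock->lockmode` untouched, so the handle still records the lock it was asked to release; if that is intentional (the caller is expected to retry) a comment should say so. osa_adb_release_lock begins outside this hunk, and the `osa_adb_init_db` hunk above duplicates the BTREEINFO defaults from osa_adb_create_db, which a small shared static initializer would keep from drifting apart.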
@@ -386,22 +394,36 @@ osa_adb_ret_t osa_adb_open_and_lock(osa_adb_princ_t db, int locktype) ret = osa_adb_get_lock(db, locktype); if (ret != OSA_ADB_OK) return ret; - - db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info); - if (db->db == NULL) { + if (db->opencnt) + goto open_ok; + + db->db = dbopen(db->filename, O_RDWR, 0600, DB_BTREE, &db->btinfo); + if (db->db != NULL) + goto open_ok; + switch (errno) { +#ifdef EFTYPE + case EFTYPE: +#endif + case EINVAL: + db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info); + if (db->db != NULL) + goto open_ok; + default: (void) osa_adb_release_lock(db); - if(errno == EINVAL) + if (errno == EINVAL) return OSA_ADB_BAD_DB; return errno; } +open_ok: + db->opencnt++; return OSA_ADB_OK; } osa_adb_ret_t osa_adb_close_and_unlock(osa_adb_princ_t db) { - int ret; - - if(db->db->close(db->db) == -1) { + if (--db->opencnt) + return osa_adb_release_lock(db); + if(db->db != NULL && db->db->close(db->db) == -1) { (void) osa_adb_release_lock(db); return OSA_ADB_FAILURE; } @@ -410,4 +432,3 @@ osa_adb_ret_t osa_adb_close_and_unlock(osa_adb_princ_t db) return(osa_adb_release_lock(db)); } - diff --git a/usr/src/lib/krb5/kadm5/srv/adb_policy.c b/usr/src/lib/krb5/kadm5/srv/adb_policy.c index 16e464d106..460eb11621 100644 --- a/usr/src/lib/krb5/kadm5/srv/adb_policy.c +++ b/usr/src/lib/krb5/kadm5/srv/adb_policy.c @@ -21,11 +21,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v 1.4 1996/10/18 19:45:50 bjaspan Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v 1.7 2003/01/05 23:27:59 hartmans Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v 1.4 1996/10/18 19:45:50 bjaspan Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v 1.7 2003/01/05 23:27:59 hartmans Exp $"; #endif #include <sys/file.h> 
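Review bot: In the `default:` arm of the new `switch (errno)` in osa_adb_open_and_lock, `errno` is read after `(void) osa_adb_release_lock(db)`, and release_lock performs its own fdopen and krb5_lock_file calls that can overwrite it, so the EINVAL-to-OSA_ADB_BAD_DB mapping and the returned code may be whatever the unlock left behind; save it first with `int save_errno = errno;`, then release, then `return save_errno == EINVAL ? OSA_ADB_BAD_DB : save_errno;`. The drop from `case EINVAL:` into `default:` when the DB_HASH fallback also fails is intentional but unmarked and should carry `/* FALLTHROUGH */`. In osa_adb_close_and_unlock, `if (--db->opencnt)` on a handle whose opencnt is already 0 wraps to -1 and only releases the lock, leaving the count corrupted; an assertion or guard that opencnt is positive would make mismatched open/close pairs visible. osa_adb_close_and_unlock continues past this hunk.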
@@ -33,28 +33,27 @@ static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v #include "adb.h" #include <stdlib.h> #include <string.h> +#include <errno.h> -extern int errno; extern caddr_t xdralloc_getdata(XDR *xdrs); extern void xdralloc_create(XDR *xdrs, enum xdr_op op); -extern osa_adb_ret_t osa_adb_rename_db(char *filefrom, char *lockfrom, - char *fileto, char *lockto, int magic); + #define OPENLOCK(db, mode) \ { \ - int ret; \ + int olret; \ if (db == NULL) \ return EINVAL; \ else if (db->magic != OSA_ADB_POLICY_DB_MAGIC) \ return OSA_ADB_DBINIT; \ - else if ((ret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \ - return ret; \ + else if ((olret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \ + return olret; \ } #define CLOSELOCK(db) \ { \ - int ret; \ - if ((ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \ - return ret; \ + int cl_ret; \ + if ((cl_ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \ + return cl_ret; \ } osa_adb_ret_t osa_adb_create_policy_db(kadm5_config_params *params) @@ -101,7 +100,7 @@ osa_adb_ret_t osa_adb_close_policy(osa_adb_princ_t db) * * Arguments: * entry (input) pointer to the entry to be added - * <return value> OSA_ADB_OK on sucsess, else error code. + * <return value> OSA_ADB_OK on success, else error code. * * Requires: * entry have a valid name. @@ -176,7 +175,7 @@ error: * Arguments: * db (input) database handle * name (input) name of policy - * <return value> OSA_ADB_OK on sucsess, or error code. + * <return value> OSA_ADB_OK on success, or error code. * * Requires: * db being valid. @@ -234,7 +233,7 @@ error: * db (input) db handle * name (input) name of policy * entry (output) policy entry - * <return value> 0 on sucsess, error code on failure. + * <return value> 0 on success, error code on failure. * * Requires: * Effects: 
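Review bot: OPENLOCK and CLOSELOCK are still bare `{ ... }` blocks, so a use such as `if (cond) OPENLOCK(db, mode); else ...` breaks on the trailing semicolon; wrapping each body in `do { ... } while (0)` is the usual fix and does not affect the early `return`s. Because both macros return from the calling function on failure, a comment above each, e.g. `/* Returns from the enclosing function on error; db must be a policy-DB handle. */`, would make that control flow explicit at the call sites. Renaming the block-local `ret` to `olret`/`cl_ret` removes the shadowing of the caller's `ret`, which is the right fix for that collision.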
@@ -300,7 +299,7 @@ error: * Arguments: * db (input) db handle * entry (input) policy entry - * <return value> 0 on sucsess error code on failure. + * <return value> 0 on success error code on failure. * * Requires: * [requires] @@ -373,7 +372,7 @@ error: * db (input) db handle * func (input) fucntion pointer to call * data opaque data type - * <return value> 0 on sucsess error code on failure + * <return value> 0 on success error code on failure * * Requires: * Effects: diff --git a/usr/src/lib/krb5/kadm5/srv/adb_xdr.c b/usr/src/lib/krb5/kadm5/srv/adb_xdr.c index 1f882fea51..2ab1b85b6d 100644 --- a/usr/src/lib/krb5/kadm5/srv/adb_xdr.c +++ b/usr/src/lib/krb5/kadm5/srv/adb_xdr.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -26,7 +26,7 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_xdr.c,v 1.2 1998/02/14 02:31:34 tlyu Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_xdr.c,v 1.4 2001/07/25 19:03:35 epeisach Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) @@ -38,10 +38,9 @@ static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_xdr.c,v 1. #include <rpc/rpc.h> /* SUNWresync121 XXX */ #include "adb.h" #include "admin_xdr.h" +#ifdef HAVE_MEMORY_H #include <memory.h> - -extern bool_t -xdr_krb5_int16(XDR *xdrs, krb5_int16 *objp); +#endif bool_t xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp) 
@@ -56,9 +55,10 @@ xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp) return(FALSE); if (!xdr_krb5_int16(xdrs, &objp->key_data_type[1])) return(FALSE); - if (!xdr_krb5_int16(xdrs, &objp->key_data_length[0])) + /* SUNW14resync */ + if (!xdr_krb5_ui_2(xdrs, (krb5_ui_2 *)&objp->key_data_length[0])) return(FALSE); - if (!xdr_krb5_int16(xdrs, &objp->key_data_length[1])) + if (!xdr_krb5_ui_2(xdrs, (krb5_ui_2 *)&objp->key_data_length[1])) return(FALSE); tmp = (unsigned int) objp->key_data_length[0]; diff --git a/usr/src/lib/krb5/kadm5/srv/mapfile-vers b/usr/src/lib/krb5/kadm5/srv/mapfile-vers index 074d6da1ce..4a92d4a409 100644 --- a/usr/src/lib/krb5/kadm5/srv/mapfile-vers +++ b/usr/src/lib/krb5/kadm5/srv/mapfile-vers @@ -36,19 +36,12 @@ SUNW_1.1 { SUNWprivate_1.1 { global: - acl_check; - acl_finish; - acl_impose_restrictions; - acl_init; + __kadm5_get_priv; + _kadm5_get_kpasswd_protocol; adb_policy_close; adb_policy_init; destroy_dict; find_word; - free_history_entry; - get_either_iter; - get_pols_iter; - get_princs_iter; - glob_to_regexp; handle_chpw; hist_db; hist_encblock; @@ -59,7 +52,6 @@ SUNWprivate_1.1 { kadm5_chpass_principal; kadm5_chpass_principal_3; kadm5_chpass_principal_util; - kadm5_chpass_principal_v2; kadm5_create_policy; kadm5_create_policy_internal; kadm5_create_principal; @@ -76,20 +68,18 @@ SUNWprivate_1.1 { kadm5_get_adm_host_srv_name; kadm5_get_config_params; kadm5_get_cpw_host_srv_name; - kadm5_get_either; kadm5_get_kiprop_host_srv_name; - _kadm5_get_kpasswd_protocol; kadm5_get_master; kadm5_get_policies; kadm5_get_policy; kadm5_get_principal; kadm5_get_principals; - __kadm5_get_priv; + kadm5_get_privs; kadm5_init; kadm5_init_iprop; kadm5_init_with_creds; kadm5_init_with_password; - kadm5_init_with_skey; + kadm5_lock; kadm5_modify_policy; kadm5_modify_policy_internal; kadm5_modify_principal; 
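Review bot: The `/* SUNW14resync */` marker on the new `xdr_krb5_ui_2` calls records where the change came from but not why; since `key_data_length` is a byte count that must never decode as negative, a comment such as `/* key_data_length is a length: encode as unsigned 16-bit so values >= 0x8000 never sign-extend */` would explain the cast through `(krb5_ui_2 *)`. Whether xdr_krb5_int16 and xdr_krb5_ui_2 produce identical encodings for the non-negative values already on disk is not visible here and is worth confirming, because this routine presumably encodes the key data stored in password-history entries. xdr_krb5_key_data begins before this hunk and continues after it.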
@@ -98,6 +88,11 @@ SUNWprivate_1.1 { kadm5_rename_principal; kadm5_setkey_principal; kadm5_setkey_principal_3; + kadm5_unlock; + kadm5int_acl_check; + kadm5int_acl_finish; + kadm5int_acl_impose_restrictions; + kadm5int_acl_init;kadm5_init_with_skey; kdb_delete_entry; kdb_free_entry; kdb_get_entry; @@ -106,6 +101,7 @@ SUNWprivate_1.1 { kdb_iter_entry; kdb_put_entry; krb5_aprof_finish; + krb5_aprof_get_boolean; krb5_aprof_get_deltat; krb5_aprof_get_int32; krb5_aprof_get_string; @@ -149,9 +145,6 @@ SUNWprivate_1.1 { osa_free_policy_ent; osa_free_princ_ent; passwd_check; - xdralloc_create; - xdralloc_getdata; - xdralloc_release; xdr_chpass3_arg; xdr_chpass_arg; xdr_chrand3_arg; @@ -180,14 +173,17 @@ SUNWprivate_1.1 { xdr_krb5_enctype; xdr_krb5_flags; xdr_krb5_int16; - xdr_krb5_keyblock; xdr_krb5_key_data; xdr_krb5_key_data_nocontents; + xdr_krb5_key_salt_tuple; + xdr_krb5_keyblock; xdr_krb5_kvno; xdr_krb5_octet; xdr_krb5_principal; + xdr_krb5_salttype; xdr_krb5_timestamp; xdr_krb5_tl_data; + xdr_krb5_ui_2; xdr_krb5_ui_4; xdr_mpol_arg; xdr_mprinc_arg; @@ -200,6 +196,9 @@ SUNWprivate_1.1 { xdr_setkey3_arg; xdr_setkey_arg; xdr_ui_4; + xdralloc_create; + xdralloc_getdata; + xdralloc_release; local: *; }; diff --git a/usr/src/lib/krb5/kadm5/srv/server_acl.c b/usr/src/lib/krb5/kadm5/srv/server_acl.c index fe31b9312d..df25e8ad65 100644 --- a/usr/src/lib/krb5/kadm5/srv/server_acl.c +++ b/usr/src/lib/krb5/kadm5/srv/server_acl.c @@ -129,11 +129,11 @@ static const char *acl_catchall_entry = NULL; /* - * acl_get_line() - Get a line from the ACL file. + * kadm5int_acl_get_line() - Get a line from the ACL file. * Lines ending with \ are continued on the next line */ static char * -acl_get_line(fp, lnp) +kadm5int_acl_get_line(fp, lnp) FILE *fp; int *lnp; /* caller should set to 1 before first call */ { 
@@ -190,10 +190,10 @@ acl_get_line(fp, lnp) } /* - * acl_parse_line() - Parse the contents of an ACL line. + * kadm5int_acl_parse_line() - Parse the contents of an ACL line. */ static aent_t * -acl_parse_line(lp) +kadm5int_acl_parse_line(lp) const char *lp; { static char acle_principal[BUFSIZ]; @@ -205,7 +205,7 @@ acl_parse_line(lp) int t, found, opok, nmatch; DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_parse_line(line=%20s)\n", lp)); + ("* kadm5int_acl_parse_line(line=%20s)\n", lp)); /* * Format is still simple: * entry ::= [<whitespace>] <principal> <whitespace> <opstring> @@ -229,7 +229,7 @@ acl_parse_line(lp) for (op=acle_ops; *op; op++) { char rop; - rop = (isupper(*op)) ? tolower(*op) : *op; + rop = (isupper((int) *op)) ? tolower((int) *op) : *op; found = 0; for (t=0; acl_op_table[t].ao_op; t++) { if (rop == acl_op_table[t].ao_op) { @@ -272,7 +272,7 @@ acl_parse_line(lp) char *trailing; trailing = &acle_restrictions[strlen(acle_restrictions)-1]; - while ( isspace(*trailing) ) + while ( isspace((int) *trailing) ) trailing--; trailing[1] = '\0'; acle->ae_restriction_string = strdup(acle_restrictions); @@ -285,12 +285,12 @@ acl_parse_line(lp) } } DPRINT(DEBUG_CALLS, acl_debug_level, - ("X acl_parse_line() = %x\n", (long) acle)); + ("X kadm5int_acl_parse_line() = %x\n", (long) acle)); return(acle); } /* - * acl_parse_restrictions() - Parse optional restrictions field + * kadm5int_acl_parse_restrictions() - Parse optional restrictions field * * Allowed restrictions are: * [+-]flagname (recognized by krb5_string_to_flags) 
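Review bot: `isupper((int) *op)` and `tolower((int) *op)` here, and `isspace((int) *trailing)` in the hunk at 272, cast a plain `char` to `int`, which still passes a negative value for bytes above 0x7f where `char` is signed, and the <ctype.h> functions are undefined for negative arguments other than EOF; cast through `unsigned char` instead: `rop = isupper((unsigned char) *op) ? tolower((unsigned char) *op) : *op;`. The trimming loop that follows, `while (isspace(...)) trailing--;`, has no lower bound, so a restrictions field consisting only of whitespace would walk `trailing` before the start of `acle_restrictions`; whether the earlier parsing can produce such a field is not visible from this hunk. kadm5int_acl_parse_line begins before these hunks.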
@@ -304,23 +304,22 @@ acl_parse_line(lp) * Returns: 0 on success, or system errors */ static krb5_error_code -acl_parse_restrictions(s, rpp) +kadm5int_acl_parse_restrictions(s, rpp) char *s; restriction_t **rpp; { char *sp, *tp, *ap; static const char *delims = "\t\n\f\v\r ,"; - krb5_error_code ret; krb5_deltat dt; krb5_flags flag; krb5_error_code code; DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp)); + ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp)); *rpp = (restriction_t *) NULL; code = 0; - if (s) + if (s) { if (!(sp = strdup(s)) /* Don't munge the original */ || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) { code = ENOMEM; @@ -378,6 +377,7 @@ acl_parse_restrictions(s, rpp) } } } + } if (sp) free(sp); if (*rpp && code) { @@ -387,19 +387,19 @@ acl_parse_restrictions(s, rpp) *rpp = (restriction_t *) NULL; } DPRINT(DEBUG_CALLS, acl_debug_level, - ("X acl_parse_restrictions() = %d, mask=0x%08x\n", + ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n", code, (*rpp) ? (*rpp)->mask : 0)); return code; } /* - * acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp + * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp * * Returns: 0 on success; * malloc or timeofday errors */ krb5_error_code -acl_impose_restrictions(kcontext, recp, maskp, rp) +kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp) krb5_context kcontext; kadm5_principal_ent_rec *recp; long *maskp; @@ -409,7 +409,7 @@ acl_impose_restrictions(kcontext, recp, maskp, rp) krb5_int32 now; DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n", + ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n", *maskp, (long)rp)); if (!rp) return 0; 
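Review bot: `sp` is declared without an initializer in kadm5int_acl_parse_restrictions and is assigned only inside the new `if (s) {` block, yet the hunk at 378 unconditionally executes `if (sp) free(sp);`, so a NULL `s` frees an indeterminate pointer; declare it as `char *sp = NULL, *tp, *ap;`. The only visible caller passes `entry->ae_restriction_string` after checking it is non-NULL, which is why this has not bitten, but the function's contract should not depend on that. The `malloc(sizeof(restriction_t))` for `*rpp` is not zeroed in the visible lines either, so any member the parser does not set stays indeterminate — worth a `calloc` unless the elided body initializes every field.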
@@ -462,20 +462,20 @@ acl_impose_restrictions(kcontext, recp, maskp, rp) *maskp |= KADM5_MAX_RLIFE; } DPRINT(DEBUG_CALLS, acl_debug_level, - ("X acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp)); + ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp)); return 0; } /* - * acl_free_entries() - Free all ACL entries. + * kadm5int_acl_free_entries() - Free all ACL entries. */ static void -acl_free_entries() +kadm5int_acl_free_entries() { aent_t *ap; aent_t *np; - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_free_entries()\n")); + DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n")); for (ap=acl_list_head; ap; ap = np) { if (ap->ae_name) free(ap->ae_name); @@ -497,14 +497,14 @@ acl_free_entries() } acl_list_head = acl_list_tail = (aent_t *) NULL; acl_inited = 0; - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_free_entries()\n")); + DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_free_entries()\n")); } /* - * acl_load_acl_file() - Open and parse the ACL file. + * kadm5int_acl_load_acl_file() - Open and parse the ACL file. */ static int -acl_load_acl_file() +kadm5int_acl_load_acl_file() { FILE *afp; char *alinep; @@ -512,16 +512,17 @@ acl_load_acl_file() int alineno; int retval = 1; - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_load_acl_file()\n")); + DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n")); /* Open the ACL file for read */ - if (afp = fopen(acl_acl_file, "rF")) { + afp = fopen(acl_acl_file, "rF"); + if (afp) { alineno = 1; aentpp = &acl_list_head; /* Get a non-comment line */ - while (alinep = acl_get_line(afp, &alineno)) { + while ((alinep = kadm5int_acl_get_line(afp, &alineno))) { /* Parse it */ - *aentpp = acl_parse_line(alinep); + *aentpp = kadm5int_acl_parse_line(alinep); /* If syntax error, then fall out */ if (!*aentpp) { krb5_klog_syslog(LOG_ERR, ACL_SYN_ERR_MSG, 
@@ -536,7 +537,8 @@ acl_load_acl_file() fclose(afp); if (acl_catchall_entry) { - if (*aentpp = acl_parse_line(acl_catchall_entry)) { + *aentpp = kadm5int_acl_parse_line(acl_catchall_entry); + if (*aentpp) { acl_list_tail = *aentpp; } else { @@ -551,7 +553,7 @@ acl_load_acl_file() krb5_klog_syslog(LOG_ERR, ACL_CANTOPEN_MSG, error_message(errno), acl_acl_file); if (acl_catchall_entry && - (acl_list_head = acl_parse_line((char *)acl_catchall_entry))) { + (acl_list_head = kadm5int_acl_parse_line((char *)acl_catchall_entry))) { acl_list_tail = acl_list_head; } else { @@ -563,20 +565,20 @@ acl_load_acl_file() } if (!retval) { - acl_free_entries(); + kadm5int_acl_free_entries(); } DPRINT(DEBUG_CALLS, acl_debug_level, - ("X acl_load_acl_file() = %d\n", retval)); + ("X kadm5int_acl_load_acl_file() = %d\n", retval)); return(retval); } /* - * acl_match_data() - See if two data entries match. + * kadm5int_acl_match_data() - See if two data entries match. * * Wildcarding is only supported for a whole component. */ static krb5_boolean -acl_match_data(e1, e2, targetflag, ws) +kadm5int_acl_match_data(e1, e2, targetflag, ws) krb5_data *e1, *e2; int targetflag; wildstate_t *ws; @@ -591,7 +593,7 @@ acl_match_data(e1, e2, targetflag, ws) if (ws && !targetflag) { if (ws->nwild >= 9) { DPRINT(DEBUG_ACL, acl_debug_level, - ("Too many wildcards in ACL entry %s\n", e1->data)); + ("Too many wildcards in ACL entry %s\n", e1->data)); } else ws->backref[ws->nwild++] = e2; @@ -602,7 +604,7 @@ acl_match_data(e1, e2, targetflag, ws) int n = e1->data[1] - '1'; if (n >= ws->nwild) { DPRINT(DEBUG_ACL, acl_debug_level, - ("Too many backrefs in ACL entry %s\n", e1->data)); + ("Too many backrefs in ACL entry %s\n", e1->data)); } else if ((ws->backref[n]->length == e2->length) && (!strncmp(ws->backref[n]->data, e2->data, e2->length))) 
@@ -619,10 +621,10 @@ acl_match_data(e1, e2, targetflag, ws) } /* - * acl_find_entry() - Find a matching entry. + * kadm5int_acl_find_entry() - Find a matching entry. */ static aent_t * -acl_find_entry(kcontext, principal, dest_princ) +kadm5int_acl_find_entry(kcontext, principal, dest_princ) krb5_context kcontext; krb5_principal principal; krb5_principal dest_princ; @@ -633,7 +635,7 @@ acl_find_entry(kcontext, principal, dest_princ) int matchgood; wildstate_t state; - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_find_entry()\n")); + DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n")); memset((char *)&state, 0, sizeof state); for (entry=acl_list_head; entry; entry = entry->ae_next) { if (entry->ae_name_bad) @@ -656,12 +658,12 @@ acl_find_entry(kcontext, principal, dest_princ) continue; } matchgood = 0; - if (acl_match_data(&entry->ae_principal->realm, + if (kadm5int_acl_match_data(&entry->ae_principal->realm, &principal->realm, 0, (wildstate_t *)0) && (entry->ae_principal->length == principal->length)) { matchgood = 1; for (i=0; i<principal->length; i++) { - if (!acl_match_data(&entry->ae_principal->data[i], + if (!kadm5int_acl_match_data(&entry->ae_principal->data[i], &principal->data[i], 0, &state)) { matchgood = 0; break; 
@@ -673,46 +675,44 @@ acl_find_entry(kcontext, principal, dest_princ) continue; /* We've matched the principal. If we have a target, then try it */ - if (entry->ae_target) { - if (!strcmp(entry->ae_target, "*")) - break; + if (entry->ae_target && strcmp(entry->ae_target, "*")) { if (!entry->ae_target_princ && !entry->ae_target_bad) { kret = krb5_parse_name(kcontext, entry->ae_target, &entry->ae_target_princ); if (kret) entry->ae_target_bad = 1; } - } - if (entry->ae_target_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad target in ACL entry for %s\n", entry->ae_name)); - entry->ae_name_bad = 1; - continue; - } - if (entry->ae_target && !dest_princ) - matchgood = 0; - else if (entry->ae_target && entry->ae_target_princ && dest_princ) { - if (acl_match_data(&entry->ae_target_princ->realm, - &dest_princ->realm, 1, (wildstate_t *)0) && - (entry->ae_target_princ->length == dest_princ->length)) { - for (i=0; i<dest_princ->length; i++) { - if (!acl_match_data(&entry->ae_target_princ->data[i], - &dest_princ->data[i], 1, &state)) { - matchgood = 0; - break; + if (entry->ae_target_bad) { + DPRINT(DEBUG_ACL, acl_debug_level, + ("Bad target in ACL entry for %s\n", entry->ae_name)); + entry->ae_name_bad = 1; + continue; + } + if (!dest_princ) + matchgood = 0; + else if (entry->ae_target_princ && dest_princ) { + if (kadm5int_acl_match_data(&entry->ae_target_princ->realm, + &dest_princ->realm, 1, (wildstate_t *)0) && + (entry->ae_target_princ->length == dest_princ->length)) { + for (i=0; i<dest_princ->length; i++) { + if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i], + &dest_princ->data[i], 1, &state)) { + matchgood = 0; + break; + } } - } + } + else + matchgood = 0; } - else - matchgood = 0; - } + } if (!matchgood) continue; if (entry->ae_restriction_string && !entry->ae_restriction_bad && !entry->ae_restrictions - && acl_parse_restrictions(entry->ae_restriction_string, + && kadm5int_acl_parse_restrictions(entry->ae_restriction_string, &entry->ae_restrictions)) { 
DPRINT(DEBUG_ACL, acl_debug_level, ("Bad restrictions in ACL entry for %s\n", entry->ae_name)); @@ -724,15 +724,15 @@ acl_find_entry(kcontext, principal, dest_princ) } break; } - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_find_entry()=%x\n",entry)); + DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry)); return(entry); } /* - * acl_init() - Initialize ACL context. + * kadm5int_acl_init() - Initialize ACL context. */ krb5_error_code -acl_init(kcontext, debug_level, acl_file) +kadm5int_acl_init(kcontext, debug_level, acl_file) krb5_context kcontext; int debug_level; char *acl_file; 
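Review bot: The restructured target block changes what happens for an entry whose target is `*`: the old code hit `break` immediately, skipping the restriction parsing below, whereas now such an entry falls through to `if (!matchgood) continue;` and the `ae_restriction_string` check, so restrictions on a `*`-target entry are parsed and enforced. That looks like the intended behaviour, but the diff reads as a re-indentation, so a comment on the new condition, `/* A target of "*" matches any dest_princ; restrictions are still applied below. */`, would record it for the next reader. kadm5int_acl_find_entry begins before this hunk and continues after it.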
@@ -742,30 +742,30 @@ acl_init(kcontext, debug_level, acl_file) kret = 0; acl_debug_level = debug_level; DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_init(afile=%s)\n", + ("* kadm5int_acl_init(afile=%s)\n", ((acl_file) ? acl_file : "(null)"))); acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL; - acl_inited = acl_load_acl_file(); + acl_inited = kadm5int_acl_load_acl_file(); - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_init() = %d\n", kret)); + DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_init() = %d\n", kret)); return(kret); } /* - * acl_finish - Terminate ACL context. + * kadm5int_acl_finish - Terminate ACL context. */ void -acl_finish(kcontext, debug_level) +kadm5int_acl_finish(kcontext, debug_level) krb5_context kcontext; int debug_level; { - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_finish()\n")); - acl_free_entries(); - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_finish()\n")); + DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n")); + kadm5int_acl_free_entries(); + DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_finish()\n")); } /* - * acl_check() - Is this operation permitted for this principal? + * kadm5int_acl_check() - Is this operation permitted for this principal? * this code used not to be based on gssapi. In order * to minimize porting hassles, I've put all the * gssapi hair in this function. This might not be @@ -773,7 +773,7 @@ acl_finish(kcontext, debug_level) * solution is, of course, a real authorization service.) */ krb5_boolean -acl_check(kcontext, caller, opmask, principal, restrictions) +kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions) krb5_context kcontext; gss_name_t caller; krb5_int32 opmask; 
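Review bot: kadm5int_acl_init returns `kret`, which is set to 0 before the load and never updated from `kadm5int_acl_load_acl_file()`, so a caller sees success even when the ACL file could not be opened or parsed and `acl_inited` stays 0. If deny-by-default on a failed load is the intended behaviour (with no entries, the visible kadm5int_acl_check leaves `retval` at 0 because find_entry returns NULL), a comment saying so belongs here, e.g. `/* Load failure is logged, not returned; with no entries every acl_check denies. */`; if the caller should instead refuse to start, set `kret` from the load result. Either way the `X kadm5int_acl_init() = %d` trace currently always prints 0 and is misleading.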
@@ -806,7 +806,9 @@ acl_check(kcontext, caller, opmask, principal, restrictions) return(code); retval = 0; - if (aentry = acl_find_entry(kcontext, caller_princ, principal)) { + + aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal); + if (aentry) { if ((aentry->ae_op_allowed & opmask) == opmask) { retval = 1; if (restrictions) { @@ -828,8 +830,6 @@ acl_check(kcontext, caller, opmask, principal, restrictions) kadm5_ret_t kadm5_get_privs(void *server_handle, long *privs) { - kadm5_server_handle_t handle = server_handle; - CHECK_HANDLE(server_handle); /* this is impossible to do with the current interface. For now, @@ -869,7 +869,7 @@ __kadm5_get_priv(void *server_handle, long *privs, gss_name_t client) if (k_error) return(retval); - if (aentry = acl_find_entry(handle->context, caller_principal, + if (aentry = kadm5int_acl_find_entry(handle->context, caller_principal, (krb5_principal)NULL)) *privs = aentry->ae_op_allowed; krb5_free_principal(handle->context, caller_principal); diff --git a/usr/src/lib/krb5/kadm5/srv/server_acl.h b/usr/src/lib/krb5/kadm5/srv/server_acl.h index 756c3d7b4a..ffe618c82c 100644 --- a/usr/src/lib/krb5/kadm5/srv/server_acl.h +++ b/usr/src/lib/krb5/kadm5/srv/server_acl.h @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -118,20 +118,20 @@ typedef struct _restriction { char *policy; } restriction_t; -krb5_error_code acl_init +krb5_error_code kadm5int_acl_init (krb5_context, int, char *); -void acl_finish +void kadm5int_acl_finish (krb5_context, int); -krb5_boolean acl_check +krb5_boolean kadm5int_acl_check (krb5_context, gss_name_t, krb5_int32, krb5_principal, restriction_t **); -krb5_error_code acl_impose_restrictions +krb5_error_code kadm5int_acl_impose_restrictions (krb5_context, kadm5_principal_ent_rec *, long *, 
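Review bot: `if (aentry = kadm5int_acl_find_entry(handle->context, caller_principal, (krb5_principal)NULL))` in __kadm5_get_priv keeps the assignment-in-condition form that the rest of this commit removes (compare the hunk at 806, rewritten as `aentry = ...; if (aentry) {`), so it still trips the warning the other changes silence; use the same two-statement form here. In the visible lines `*privs` is left untouched when no entry matches, so unless the caller pre-initialises it the output is indeterminate; `*privs = 0;` before the lookup would be the safe default. __kadm5_get_priv begins before this hunk.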
diff --git a/usr/src/lib/krb5/kadm5/srv/server_dict.c b/usr/src/lib/krb5/kadm5/srv/server_dict.c index f823502d4e..f79262da8c 100644 --- a/usr/src/lib/krb5/kadm5/srv/server_dict.c +++ b/usr/src/lib/krb5/kadm5/srv/server_dict.c @@ -21,11 +21,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/server_dict.c,v 1.2 1996/10/18 19:45:52 bjaspan Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_dict.c,v 1.7 2003/01/05 23:27:59 hartmans Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/server_dict.c,v 1.2 1996/10/18 19:45:52 bjaspan Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_dict.c,v 1.7 2003/01/05 23:27:59 hartmans Exp $"; #endif #include <sys/types.h> @@ -33,19 +33,23 @@ static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroo #include <fcntl.h> #include <sys/stat.h> #include <unistd.h> +#include <errno.h> #include <kadm5/admin.h> #include <stdlib.h> #include <stdio.h> #include <string.h> +#ifdef HAVE_MEMORY_H #include <memory.h> +#endif +#include "adm_proto.h" #include <syslog.h> #include <libintl.h> #include "server_internal.h" static char **word_list = NULL; /* list of word pointers */ static char *word_block = NULL; /* actual word data */ -static int word_count = 0; /* number of words */ -extern int errno; +static unsigned int word_count = 0; /* number of words */ + /* * Function: word_compare @@ -65,7 +69,7 @@ extern int errno; static int word_compare(const void *s1, const void *s2) { - return (strcasecmp(*(char **)s1, *(char **)s2)); + return (strcasecmp(*(const char **)s1, *(const char **)s2)); } /* 
@@ -75,7 +79,7 @@ word_compare(const void *s1, const void *s2) * * Arguments: * none - * <return value> KADM5_OK on sucsess errno on failure; + * <return value> KADM5_OK on success errno on failure; * (but success on ENOENT) * * Requires: @@ -106,7 +110,7 @@ int init_dict(kadm5_config_params *params) if(word_list != NULL && word_block != NULL) return KADM5_OK; if (! (params->mask & KADM5_CONFIG_DICT_FILE)) { - syslog(LOG_INFO, + krb5_klog_syslog(LOG_INFO, dgettext(TEXT_DOMAIN, "No dictionary file specified, continuing " "without one.")); @@ -114,7 +118,7 @@ int init_dict(kadm5_config_params *params) } if ((fd = open(params->dict_file, O_RDONLY)) == -1) { if (errno == ENOENT) { - syslog(LOG_ERR, + krb5_klog_syslog(LOG_ERR, dgettext(TEXT_DOMAIN, "WARNING! Cannot find dictionary file %s, " "continuing without one."), params->dict_file); diff --git a/usr/src/lib/krb5/kadm5/srv/server_init.c b/usr/src/lib/krb5/kadm5/srv/server_init.c index 7d2ee2a540..7f32ba7f79 100644 --- a/usr/src/lib/krb5/kadm5/srv/server_init.c +++ b/usr/src/lib/krb5/kadm5/srv/server_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -26,12 +26,12 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. * - * $Id: server_init.c,v 1.5 1997/10/13 15:03:13 epeisach Exp $ + * $Id: server_init.c,v 1.8 2002/10/15 15:40:49 epeisach Exp $ * $Source: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_init.c,v $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_init.c,v 1.5 1997/10/13 15:03:13 epeisach Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_init.c,v 1.8 2002/10/15 15:40:49 epeisach Exp $"; #endif #include <stdio.h> 
@@ -138,7 +138,8 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, return ENOMEM; memset(handle, 0, sizeof(*handle)); - if (ret = (int) krb5_init_context(&(handle->context))) { + ret = (int) krb5_init_context(&(handle->context)); + if (ret) { free(handle); return(ret); } @@ -178,11 +179,10 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, return KADM5_BAD_SERVER_PARAMS; } - if (ret = kadm5_get_config_params(handle->context, - (char *) NULL, - (char *) NULL, - params_in, - &handle->params)) { + ret = kadm5_get_config_params(handle->context, (char *) NULL, + (char *) NULL, params_in, + &handle->params); + if (ret) { krb5_free_context(handle->context); free(handle); return(ret); @@ -195,23 +195,26 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, KADM5_CONFIG_FLAGS | \ KADM5_CONFIG_MAX_LIFE | KADM5_CONFIG_MAX_RLIFE | \ KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_ENCTYPES) + if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { krb5_free_context(handle->context); free(handle); return KADM5_MISSING_CONF_PARAMS; } - /* - * Set the db_name based on configuration before calling - * krb5_db_init, so it will get used. - */ - if (ret = krb5_db_set_name(handle->context, - handle->params.dbname)) { + /* + * Set the db_name based on configuration before calling + * krb5_db_init, so it will get used. + */ + + ret = krb5_db_set_name(handle->context, handle->params.dbname); + if (ret) { free(handle); return(ret); } - if (ret = krb5_db_init(handle->context)) { + ret = krb5_db_init(handle->context); + if (ret) { krb5_free_context(handle->context); free(handle); return(ret); 
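Review bot: In the `krb5_db_set_name` failure path the new code frees only `handle` and returns, leaking `handle->context` (and presumably whatever `kadm5_get_config_params` allocated into `handle->params`), while the `krb5_db_init` failure just below calls `krb5_free_context(handle->context)` first; add `krb5_free_context(handle->context);` before that `free(handle);`. The earlier `REQUIRED_PARAMS` exit shows the same asymmetry, freeing the context but not the config params, so a single unwind label shared by these exits would be cleaner than patching each one. kadm5_init begins before this hunk and continues after it.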
@@ -225,69 +228,73 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, return ret; } - if (! (handle->lhandle = malloc(sizeof(*handle)))) { - krb5_db_fini(handle->context); - krb5_free_context(handle->context); - free(handle); - return ENOMEM; - } - *handle->lhandle = *handle; - handle->lhandle->api_version = KADM5_API_VERSION_2; - handle->lhandle->struct_version = KADM5_STRUCT_VERSION; - handle->lhandle->lhandle = handle->lhandle; - - /* can't check the handle until current_caller is set */ - if (ret = check_handle((void *) handle)) { - free(handle); - return ret; - } - - /* - * The KADM5_API_VERSION_1 spec said "If pass (or keytab) is NULL - * or an empty string, reads the master password from [the stash - * file]. Otherwise, the non-NULL password is ignored and the - * user is prompted for it via the tty." However, the code was - * implemented the other way: when a non-NULL password was - * provided, the stash file was used. This is somewhat more - * sensible, as then a local or remote client that provides a - * password does not prompt the user. This code maintains the - * previous actual behavior, and not the old spec behavior, - * because that is how the unit tests are written. - * - * In KADM5_API_VERSION_2, this decision is controlled by - * params. - * - * kdb_init_master's third argument is "from_keyboard". - */ - if (ret = kdb_init_master(handle, handle->params.realm, - (handle->api_version == KADM5_API_VERSION_1 ? - ((pass == NULL) || !(strlen(pass))) : - ((handle->params.mask & - KADM5_CONFIG_MKEY_FROM_KBD) && - handle->params.mkey_from_kbd)) - )) { + if (! 
(handle->lhandle = malloc(sizeof(*handle)))) { krb5_db_fini(handle->context); krb5_free_context(handle->context); free(handle); - return ret; + return ENOMEM; } - - if ((ret = kdb_init_hist(handle, handle->params.realm))) { + *handle->lhandle = *handle; + handle->lhandle->api_version = KADM5_API_VERSION_2; + handle->lhandle->struct_version = KADM5_STRUCT_VERSION; + handle->lhandle->lhandle = handle->lhandle; + + /* can't check the handle until current_caller is set */ + ret = check_handle((void *) handle); + if (ret) { + free(handle); + return ret; + } + + /* + * The KADM5_API_VERSION_1 spec said "If pass (or keytab) is NULL + * or an empty string, reads the master password from [the stash + * file]. Otherwise, the non-NULL password is ignored and the + * user is prompted for it via the tty." However, the code was + * implemented the other way: when a non-NULL password was + * provided, the stash file was used. This is somewhat more + * sensible, as then a local or remote client that provides a + * password does not prompt the user. This code maintains the + * previous actual behavior, and not the old spec behavior, + * because that is how the unit tests are written. + * + * In KADM5_API_VERSION_2, this decision is controlled by + * params. + * + * kdb_init_master's third argument is "from_keyboard". + */ + ret = kdb_init_master(handle, handle->params.realm, + (handle->api_version == KADM5_API_VERSION_1 ? 
+ ((pass == NULL) || !(strlen(pass))) : + ((handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD) + && handle->params.mkey_from_kbd) + )); + if (ret) { + krb5_db_fini(handle->context); + krb5_free_context(handle->context); + free(handle); + return ret; + } + + ret = kdb_init_hist(handle, handle->params.realm); + if (ret) { krb5_db_fini(handle->context); krb5_free_context(handle->context); free(handle); return ret; } - if (ret = init_dict(&handle->params)) { - krb5_db_fini(handle->context); + ret = init_dict(&handle->params); + if (ret) { + krb5_db_fini(handle->context); krb5_free_principal(handle->context, handle->current_caller); krb5_free_context(handle->context); free(handle); return ret; } - if (ret = adb_policy_init(handle)) { + ret = adb_policy_init(handle); + if (ret) { krb5_db_fini(handle->context); krb5_free_principal(handle->context, handle->current_caller); krb5_free_context(handle->context); @@ -321,6 +328,38 @@ kadm5_ret_t kadm5_destroy(void *server_handle) return KADM5_OK; } +kadm5_ret_t kadm5_lock(void *server_handle) +{ + kadm5_server_handle_t handle = server_handle; + kadm5_ret_t ret; + + CHECK_HANDLE(server_handle); + ret = osa_adb_open_and_lock(handle->policy_db, OSA_ADB_EXCLUSIVE); + if (ret) + return ret; + ret = krb5_db_lock(handle->context, KRB5_LOCKMODE_EXCLUSIVE); + if (ret) + return ret; + + return KADM5_OK; +} + +kadm5_ret_t kadm5_unlock(void *server_handle) +{ + kadm5_server_handle_t handle = server_handle; + kadm5_ret_t ret; + + CHECK_HANDLE(server_handle); + ret = osa_adb_close_and_unlock(handle->policy_db); + if (ret) + return ret; + ret = krb5_db_unlock(handle->context); + if (ret) + return ret; + + return KADM5_OK; +} + kadm5_ret_t kadm5_flush(void *server_handle) { kadm5_server_handle_t handle = server_handle; diff --git a/usr/src/lib/krb5/kadm5/srv/server_kdb.c b/usr/src/lib/krb5/kadm5/srv/server_kdb.c index 431d718ed1..0beac7d875 100644 --- a/usr/src/lib/krb5/kadm5/srv/server_kdb.c +++ b/usr/src/lib/krb5/kadm5/srv/server_kdb.c 
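Review bot: After `*handle->lhandle = *handle;` every failure exit in this hunk (`check_handle`, `kdb_init_master`, `kdb_init_hist`, `init_dict`, `adb_policy_init`) calls `free(handle)` without `free(handle->lhandle)`, so the second handle allocated a few lines earlier leaks on each of those paths; the `check_handle` exit additionally skips the `krb5_db_fini` and `krb5_free_context` that the neighbouring exits perform. A single cleanup label that releases lhandle, the current_caller principal, the db and the context in reverse order of acquisition would replace the five hand-written copies and make the omission hard to repeat. kadm5_init begins before this hunk and continues after it.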
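Review bot: kadm5_lock returns early when `krb5_db_lock` fails but leaves the policy database open and exclusively locked by the preceding `osa_adb_open_and_lock(handle->policy_db, OSA_ADB_EXCLUSIVE)`, and the caller has no way to undo that; release it on that path: `if (ret) { (void) osa_adb_close_and_unlock(handle->policy_db); return ret; }`. kadm5_unlock has the mirror-image problem in milder form: if `osa_adb_close_and_unlock` fails the KDB lock is never released, so attempting both unlocks and returning the first error would be more robust. Both functions are new and undocumented; a comment stating that the locks are taken policy-DB first and that every successful kadm5_lock must be paired with kadm5_unlock would help callers.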
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -25,11 +25,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_kdb.c,v 1.2 1998/10/30 02:54:39 marc Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_kdb.c,v 1.4 2003/06/13 22:30:59 tlyu Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_kdb.c,v 1.2 1998/10/30 02:54:39 marc Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_kdb.c,v 1.4 2003/06/13 22:30:59 tlyu Exp $"; #endif #include <stdio.h> @@ -59,7 +59,10 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle, { int ret = 0; char *realm; - krb5_keyblock tmk; + krb5_boolean from_kbd = FALSE; + + if (from_keyboard) + from_kbd = TRUE; if (r == NULL) { if ((ret = krb5_get_default_realm(handle->context, &realm))) @@ -73,14 +76,15 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle, realm, NULL, &master_princ))) goto done; - if (ret = krb5_db_fetch_mkey(handle->context, master_princ, - handle->params.enctype, - from_keyboard, - FALSE /* only prompt once */, - handle->params.stash_file, - NULL /* I'm not sure about this, - but it's what the kdc does --marc */, - &handle->master_keyblock)) + + ret = krb5_db_fetch_mkey(handle->context, master_princ, + handle->params.enctype, from_kbd, + FALSE /* only prompt once */, + handle->params.stash_file, + NULL /* I'm not sure about this, + but it's what the kdc does --marc */, + &handle->master_keyblock); + if (ret) goto done; if ((ret = krb5_db_init(handle->context)) != KSUCCESS) 
@@ -171,11 +175,10 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) ks[0].ks_enctype = handle->params.enctype; ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL; ret = kadm5_create_principal_3(handle, &ent, - (KADM5_PRINCIPAL | - KADM5_MAX_LIFE | - KADM5_ATTRIBUTES), + (KADM5_PRINCIPAL | KADM5_MAX_LIFE | + KADM5_ATTRIBUTES), 1, ks, - "to-be-random"); + "to-be-random"); if (ret) goto done; @@ -200,12 +203,12 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) } ret = krb5_dbe_find_enctype(handle->context, &hist_db, - handle->params.enctype, -1, -1, &key_data); + handle->params.enctype, -1, -1, &key_data); if (ret) goto done; ret = krb5_dbekd_decrypt_key_data(handle->context, - &handle->master_keyblock, key_data, &hist_key, NULL); + &handle->master_keyblock, key_data, &hist_key, NULL); if (ret) goto done; @@ -247,8 +250,9 @@ kdb_get_entry(kadm5_server_handle_t handle, krb5_tl_data tl_data; XDR xdrs; - if (ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs, - &more)) + ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs, + &more); + if (ret) return(ret); if (more) { @@ -357,11 +361,13 @@ kdb_put_entry(kadm5_server_handle_t handle, krb5_tl_data tl_data; int one; - if (ret = krb5_timeofday(handle->context, &now)) + ret = krb5_timeofday(handle->context, &now); + if (ret) return(ret); - if (ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now, - handle->current_caller)) + ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now, + handle->current_caller); + if (ret) return(ret); xdralloc_create(&xdrs, XDR_ENCODE); @@ -382,7 +388,8 @@ kdb_put_entry(kadm5_server_handle_t handle, one = 1; - if (ret = krb5_db_put_principal(handle->context, kdb, &one)) + ret = krb5_db_put_principal(handle->context, kdb, &one); + if (ret) return(ret); return(0); 
@@ -424,9 +431,11 @@ kdb_iter_entry(kadm5_server_handle_t handle, id.func = iter_fct; id.data = data; - if (ret = krb5_db_iterate(handle->context, kdb_iter_func, &id)) + ret = krb5_db_iterate(handle->context, kdb_iter_func, &id); + if (ret) return(ret); return(0); } + diff --git a/usr/src/lib/krb5/kadm5/srv/server_misc.c b/usr/src/lib/krb5/kadm5/srv/server_misc.c index 8ec8658c32..b2283e973b 100644 --- a/usr/src/lib/krb5/kadm5/srv/server_misc.c +++ b/usr/src/lib/krb5/kadm5/srv/server_misc.c @@ -21,11 +21,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_misc.c,v 1.2 1997/08/07 00:23:11 tlyu Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_misc.c,v 1.4 2001/06/18 18:58:00 epeisach Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_misc.c,v 1.2 1997/08/07 00:23:11 tlyu Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_misc.c,v 1.4 2001/06/18 18:58:00 epeisach Exp $"; #endif #include "k5-int.h" @@ -61,6 +61,7 @@ adb_policy_close(kadm5_server_handle_t handle) return KADM5_OK; } +#ifdef HESIOD /* stolen from v4sever/kadm_funcs.c */ static char * reverse(str) @@ -81,7 +82,9 @@ reverse(str) return(newstr); } +#endif /* HESIOD */ +#if 0 static int lower(str) char *str; @@ -97,7 +100,9 @@ lower(str) } return(effect); } +#endif +#ifdef HESIOD static int str_check_gecos(gecos, pwstr) char *gecos; @@ -130,6 +135,7 @@ str_check_gecos(gecos, pwstr) } return 0; } +#endif /* HESIOD */ /* some of this is stolen from gatekeeper ... */ kadm5_ret_t 
@@ -153,17 +159,17 @@ passwd_check(kadm5_server_handle_t handle, return KADM5_PASS_Q_TOOSHORT; s = password; while ((c = *s++)) { - if (islower(c)) { + if (islower((int) c)) { nlower = 1; continue; } - else if (isupper(c)) { + else if (isupper((int) c)) { nupper = 1; continue; - } else if (isdigit(c)) { + } else if (isdigit((int) c)) { ndigit = 1; continue; - } else if (ispunct(c)) { + } else if (ispunct((int) c)) { npunct = 1; continue; } else { @@ -176,13 +182,12 @@ passwd_check(kadm5_server_handle_t handle, if((find_word(password) == KADM5_OK)) return KADM5_PASS_Q_DICT; else { - char *cp; - int c, n = krb5_princ_size(handle->context, principal); + int i, n = krb5_princ_size(handle->context, principal); cp = krb5_princ_realm(handle->context, principal)->data; if (strcasecmp(cp, password) == 0) return KADM5_PASS_Q_DICT; - for (c = 0; c < n ; c++) { - cp = krb5_princ_component(handle->context, principal, c)->data; + for (i = 0; i < n ; i++) { + cp = krb5_princ_component(handle->context, principal, i)->data; if (strcasecmp(cp, password) == 0) return KADM5_PASS_Q_DICT; #ifdef HESIOD diff --git a/usr/src/lib/krb5/kadm5/srv/svr_chpass_util.c b/usr/src/lib/krb5/kadm5/srv/svr_chpass_util.c index c8ea05e655..e010d27f68 100644 --- a/usr/src/lib/krb5/kadm5/srv/svr_chpass_util.c +++ b/usr/src/lib/krb5/kadm5/srv/svr_chpass_util.c @@ -1,5 +1,5 @@ /* - * Copyright 1997-2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -31,7 +31,7 @@ kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, char *new_pw, char **ret_pw, char *msg_ret, - int msg_len) + unsigned int msg_len) { kadm5_server_handle_t handle = server_handle; diff --git a/usr/src/lib/krb5/kadm5/srv/svr_iters.c b/usr/src/lib/krb5/kadm5/srv/svr_iters.c index 075ed7a0db..a20db95242 100644 --- a/usr/src/lib/krb5/kadm5/srv/svr_iters.c +++ b/usr/src/lib/krb5/kadm5/srv/svr_iters.c 
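Review bot: The `(int) c` casts added to the ctype calls in passwd_check's character-class loop do not make them safe if `c` is a plain `char`, which its declaration above the hunk appears to be: a password byte of 0x80 or above becomes a negative int, and islower()/isupper()/isdigit()/ispunct() on a negative value other than EOF is undefined behaviour. Cast through unsigned char instead, e.g. `if (islower((unsigned char) c)) {`, for all four calls. The declaration of c and the rest of passwd_check are outside the hunk, so confirm the type there.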
@@ -21,11 +21,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_iters.c,v 1.2 1996/11/07 21:43:14 bjaspan Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_iters.c,v 1.6 2003/01/12 18:17:02 epeisach Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_iters.c,v 1.2 1996/11/07 21:43:14 bjaspan Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_iters.c,v 1.6 2003/01/12 18:17:02 epeisach Exp $"; #endif #if defined(HAVE_COMPILE) && defined(HAVE_STEP) @@ -42,7 +42,6 @@ static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroo #include <string.h> #include <kadm5/admin.h> #include "adb.h" -#include <dyn/dyn.h> #ifdef SOLARIS_REGEXPS #include <regexpr.h> #endif @@ -59,7 +58,9 @@ kdb_iter_entry(kadm5_server_handle_t handle, struct iter_data { krb5_context context; - DynObject matches; + char **names; + int n_names, sz_names; + unsigned int malloc_failed; char *exp; #ifdef SOLARIS_REGEXPS char *expbuf; @@ -96,7 +97,7 @@ struct iter_data { * other characters are copied * regexp is anchored with ^ and $ */ -kadm5_ret_t glob_to_regexp(char *glob, char *realm, char **regexp) +static kadm5_ret_t glob_to_regexp(char *glob, char *realm, char **regexp) { int append_realm; char *p; 
@@ -151,26 +152,38 @@ kadm5_ret_t glob_to_regexp(char *glob, char *realm, char **regexp) return KADM5_OK; } -void get_either_iter(struct iter_data *data, char *name) +static void get_either_iter(struct iter_data *data, char *name) { - if ( + int match; #ifdef SOLARIS_REGEXPS - (step(name, data->expbuf) != 0) + match = (step(name, data->expbuf) != 0); #endif #ifdef POSIX_REGEXPS - (regexec(&data->preg, name, 0, NULL, 0) == 0) + match = (regexec(&data->preg, name, 0, NULL, 0) == 0); #endif #ifdef BSD_REGEXPS - (re_exec(name) != 0) + match = (re_exec(name) != 0); #endif - ) - { - (void) DynAdd(data->matches, &name); + if (match) { + if (data->n_names == data->sz_names) { + int new_sz = data->sz_names * 2; + char **new_names = realloc(data->names, + new_sz * sizeof(char *)); + if (new_names) { + data->names = new_names; + data->sz_names = new_sz; + } else { + data->malloc_failed = 1; + free(name); + return; + } + } + data->names[data->n_names++] = name; } else free(name); } -void get_pols_iter(void *data, osa_policy_ent_t entry) +static void get_pols_iter(void *data, osa_policy_ent_t entry) { char *name; @@ -179,7 +192,7 @@ void get_pols_iter(void *data, osa_policy_ent_t entry) get_either_iter(data, name); } -void get_princs_iter(void *data, krb5_principal princ) +static void get_princs_iter(void *data, krb5_principal princ) { struct iter_data *id = (struct iter_data *) data; char *name; @@ -189,15 +202,18 @@ void get_princs_iter(void *data, krb5_principal princ) get_either_iter(data, name); } -kadm5_ret_t kadm5_get_either(int princ, +static kadm5_ret_t kadm5_get_either(int princ, void *server_handle, char *exp, char ***princs, int *count) { struct iter_data data; - char *msg, *regexp; - int ret; +#ifdef BSD_REGEXPS + char *msg; +#endif + char *regexp; + int i, ret; kadm5_server_handle_t handle = server_handle; *count = 0; 
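Review bot: `match` in get_either_iter is declared without an initializer and only assigned inside the SOLARIS_REGEXPS/POSIX_REGEXPS/BSD_REGEXPS blocks, so a build with none of them defined now reads an indeterminate value at `if (match)` where the old code at least failed to compile; declare it `int match = 0;` or add an `#error` for the unsupported configuration. Once malloc_failed is set the function also keeps retrying the realloc on every later match; an early `if (data->malloc_failed) { free(name); return; }` before the size check would avoid that. The function is complete within the hunk.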
@@ -227,7 +243,11 @@ kadm5_ret_t kadm5_get_either(int princ, return EINVAL; } - if ((data.matches = DynCreate(sizeof(char *), -4)) == NULL) { + data.n_names = 0; + data.sz_names = 10; + data.malloc_failed = 0; + data.names = malloc(sizeof(char *) * data.sz_names); + if (data.names == NULL) { free(regexp); return ENOMEM; } @@ -239,16 +259,21 @@ kadm5_ret_t kadm5_get_either(int princ, ret = osa_adb_iter_policy(handle->policy_db, get_pols_iter, (void *)&data); } + free(regexp); +#ifdef POSIX_REGEXPS + regfree(&data.preg); +#endif + if (ret == OSA_ADB_OK && data.malloc_failed) + ret = ENOMEM; if (ret != OSA_ADB_OK) { - free(regexp); - DynDestroy(data.matches); + for (i = 0; i < data.n_names; i++) + free(data.names[i]); + free(data.names); return ret; } - (*princs) = (char **) DynArray(data.matches); - *count = DynSize(data.matches); - DynRelease(data.matches); - free(regexp); + *princs = data.names; + *count = data.n_names; return KADM5_OK; } diff --git a/usr/src/lib/krb5/kadm5/srv/svr_misc_free.c b/usr/src/lib/krb5/kadm5/srv/svr_misc_free.c index fa3b7e58a6..a552c4e2b4 100644 --- a/usr/src/lib/krb5/kadm5/srv/svr_misc_free.c +++ b/usr/src/lib/krb5/kadm5/srv/svr_misc_free.c @@ -21,12 +21,12 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_misc_free.c,v 1.2 1996/10/18 19:45:53 bjaspan Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_misc_free.c,v 1.2 1996/10/18 19:45:53 bjaspan Exp $ * */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_misc_free.c,v 1.2 1996/10/18 19:45:53 bjaspan Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_misc_free.c,v 1.2 1996/10/18 19:45:53 bjaspan Exp $"; #endif #include <kadm5/admin.h> #include <stdlib.h> 
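Review bot: The cleanup added after the iterate call in kadm5_get_either releases regexp and, under POSIX_REGEXPS, the compiled preg, but nothing releases data.expbuf for the SOLARIS_REGEXPS build, which is the backend this tree is most likely to use; if expbuf is obtained from compile() with a NULL buffer above the hunk it is heap-allocated and leaks on every call. Add `#ifdef SOLARIS_REGEXPS free(data.expbuf); #endif` next to the regfree. The compile step is outside the hunk, so verify how expbuf is produced before adding the free.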
diff --git a/usr/src/lib/krb5/kadm5/srv/svr_policy.c b/usr/src/lib/krb5/kadm5/srv/svr_policy.c index b651f4b40d..de1abc1c9b 100644 --- a/usr/src/lib/krb5/kadm5/srv/svr_policy.c +++ b/usr/src/lib/krb5/kadm5/srv/svr_policy.c @@ -21,11 +21,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_policy.c,v 1.1 1996/07/24 22:23:36 tlyu Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_policy.c,v 1.2 2001/06/20 05:01:37 mitchb Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_policy.c,v 1.1 1996/07/24 22:23:36 tlyu Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_policy.c,v 1.2 2001/06/20 05:01:37 mitchb Exp $"; #endif #include <sys/types.h> @@ -49,7 +49,7 @@ static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroo * entry (input) The policy entry to be written out to the DB. * mask (input) Specifies which fields in entry are to ge written out * and which get default values. - * <return value> 0 if sucsessfull otherwise an error code is returned. + * <return value> 0 if successful otherwise an error code is returned. * * Requires: * Entry must be a valid principal entry, and mask have a valid value. @@ -82,14 +82,14 @@ kadm5_create_policy(void *server_handle, * entry (input) The policy entry to be written out to the DB. * mask (input) Specifies which fields in entry are to ge written out * and which get default values. - * <return value> 0 if sucsessfull otherwise an error code is returned. + * <return value> 0 if successful otherwise an error code is returned. * * Requires: * Entry must be a valid principal entry, and mask have a valid value. * * Effects: * Writes the data to the database, and does a database sync if - * sucsessfull. + * successful. * */ 
diff --git a/usr/src/lib/krb5/kadm5/srv/svr_principal.c b/usr/src/lib/krb5/kadm5/srv/svr_principal.c index 92e498808d..19f3946f73 100644 --- a/usr/src/lib/krb5/kadm5/srv/svr_principal.c +++ b/usr/src/lib/krb5/kadm5/srv/svr_principal.c @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -26,11 +26,11 @@ /* * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved * - * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v 1.19 2000/02/27 22:18:16 tlyu Exp $ + * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v 1.30.8.1 2004/12/20 21:16:20 tlyu Exp $ */ #if !defined(lint) && !defined(__CODECENTER__) -static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v 1.19 2000/02/27 22:18:16 tlyu Exp $"; +static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v 1.30.8.1 2004/12/20 21:16:20 tlyu Exp $"; #endif #include <sys/types.h> @@ -44,6 +44,9 @@ static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal. #include "server_internal.h" #include <stdarg.h> #include <stdlib.h> +#ifdef USE_PASSWORD_SERVER +#include <sys/wait.h> +#endif extern krb5_principal master_princ; extern krb5_principal hist_princ; @@ -56,8 +59,8 @@ extern kadm5_ret_t krb5_free_key_data_contents(krb5_context context, krb5_key_data *key); static int decrypt_key_data(krb5_context context, - krb5_keyblock *, int n_key_data, krb5_key_data *key_data, - krb5_keyblock **keyblocks, int *n_keys); + krb5_keyblock *, int n_key_data, krb5_key_data *key_data, + krb5_keyblock **keyblocks, int *n_keys); /* * XXX Functions that ought to be in libkrb5.a, but aren't. 
@@ -135,8 +138,9 @@ kadm5_create_principal(void *server_handle, * Default to using the new API with the default set of * key/salt combinations. */ - return (kadm5_create_principal_3(server_handle, entry, mask, - 0, NULL, password)); + return + kadm5_create_principal_3(server_handle, entry, mask, + 0, NULL, password); } kadm5_ret_t kadm5_create_principal_3(void *server_handle, @@ -200,8 +204,8 @@ kadm5_create_principal_3(void *server_handle, return ret; } } - if (ret = passwd_check(handle, password, (mask & KADM5_POLICY), - &polent, entry->principal)) { + if ((ret = passwd_check(handle, password, (mask & KADM5_POLICY), + &polent, entry->principal))) { if (mask & KADM5_POLICY) (void) kadm5_free_policy_ent(handle->lhandle, &polent); return ret; @@ -211,10 +215,10 @@ kadm5_create_principal_3(void *server_handle, * "defaults" for fields that were not specified by the * mask. */ - if (ret = krb5_timeofday(handle->context, &now)) { - if (mask & KADM5_POLICY) - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return ret; + if ((ret = krb5_timeofday(handle->context, &now))) { + if (mask & KADM5_POLICY) + (void) kadm5_free_policy_ent(handle->lhandle, &polent); + return ret; } kdb.magic = KRB5_KDB_MAGIC_NUMBER; @@ -229,7 +233,7 @@ kadm5_create_principal_3(void *server_handle, kdb.attributes = handle->params.flags; kdb.attributes |= entry->attributes; } else { - kdb.attributes = handle->params.flags; + kdb.attributes = handle->params.flags; } if ((mask & KADM5_MAX_LIFE)) 
@@ -265,28 +269,28 @@ kadm5_create_principal_3(void *server_handle, to free the entire kdb entry, and that will try to free the principal. */ - if (ret = krb5_copy_principal(handle->context, - entry->principal, &(kdb.princ))) { + if ((ret = krb5_copy_principal(handle->context, + entry->principal, &(kdb.princ)))) { if (mask & KADM5_POLICY) (void) kadm5_free_policy_ent(handle->lhandle, &polent); return(ret); } - if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) { - krb5_dbe_free_contents(handle->context, &kdb); - if (mask & KADM5_POLICY) + if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) { + krb5_dbe_free_contents(handle->context, &kdb); + if (mask & KADM5_POLICY) (void) kadm5_free_policy_ent(handle->lhandle, &polent); - return(ret); + return(ret); } /* initialize the keys */ - if (ret = krb5_dbe_cpw(handle->context, &handle->master_keyblock, - n_ks_tuple?ks_tuple:handle->params.keysalts, - n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - password, - (mask & KADM5_KVNO)?entry->kvno:1, - FALSE, &kdb)) { + if ((ret = krb5_dbe_cpw(handle->context, &handle->master_keyblock, + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + password, + (mask & KADM5_KVNO)?entry->kvno:1, + FALSE, &kdb))) { krb5_dbe_free_contents(handle->context, &kdb); if (mask & KADM5_POLICY) (void) kadm5_free_policy_ent(handle->lhandle, &polent); @@ -383,7 +387,7 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal) if (principal == NULL) return EINVAL; - if (ret = kdb_get_entry(handle, principal, &kdb, &adb)) + if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) return(ret); if ((adb.aux_attributes & KADM5_POLICY)) { 
@@ -399,9 +403,9 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal) return(ret); } } - if (ret = kadm5_free_policy_ent(handle->lhandle, &polent)) { - kdb_free_entry(handle, &kdb, &adb); - return ret; + if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) { + kdb_free_entry(handle, &kdb, &adb); + return ret; } } @@ -420,7 +424,7 @@ kadm5_modify_principal(void *server_handle, kadm5_policy_ent_rec npol, opol; int have_npol = 0, have_opol = 0; krb5_db_entry kdb; - krb5_tl_data *tl_data_orig, *tl_data_tail; + krb5_tl_data *tl_data_orig; osa_princ_ent_rec adb; kadm5_server_handle_t handle = server_handle; @@ -447,7 +451,8 @@ kadm5_modify_principal(void *server_handle, } } - if (ret = kdb_get_entry(handle, entry->principal, &kdb, &adb)) + ret = kdb_get_entry(handle, entry->principal, &kdb, &adb); + if (ret) return(ret); /* @@ -488,6 +493,7 @@ kadm5_modify_principal(void *server_handle, break; default: goto done; + break; } npol.policy_refcnt++; } @@ -501,12 +507,13 @@ kadm5_modify_principal(void *server_handle, /* set pw_max_life based on new policy */ if (npol.pw_max_life) { - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, - &(kdb.pw_expiration))) - goto done; - kdb.pw_expiration += npol.pw_max_life; + ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb, + &(kdb.pw_expiration)); + if (ret) + goto done; + kdb.pw_expiration += npol.pw_max_life; } else { - kdb.pw_expiration = 0; + kdb.pw_expiration = 0; } } @@ -519,6 +526,7 @@ kadm5_modify_principal(void *server_handle, case KADM5_UNK_POLICY: ret = KADM5_BAD_DB; goto done; + break; case KADM5_OK: have_opol = 1; if (adb.policy) @@ -530,6 +538,7 @@ kadm5_modify_principal(void *server_handle, break; default: goto done; + break; } } 
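Review bot: The `break;` statements added after `goto done;` in the switch cases of kadm5_modify_principal (hunks at -488 and -519) are unreachable and only add noise, since the `goto` already leaves the switch; drop them, or if they exist to silence a fall-through warning, say so in a comment such as `/* NOTREACHED */`. kadm5_modify_principal starts and ends outside these hunks.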
@@ -644,7 +653,8 @@ kadm5_rename_principal(void *server_handle, } krb5_free_principal(handle->context, kdb.princ); - if (ret = krb5_copy_principal(handle->context, target, &kdb.princ)) { + ret = krb5_copy_principal(handle->context, target, &kdb.princ); + if (ret) { kdb.princ = NULL; /* so freeing the dbe doesn't lose */ goto done; } @@ -730,17 +740,19 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, /* this is a little non-sensical because the function returns two */ /* values that must be checked separately against the mask */ if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) { - if (ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb, - &(entry->mod_date), - &(entry->mod_name))) { - goto done; - } - if (! (mask & KADM5_MOD_TIME)) - entry->mod_date = 0; - if (! (mask & KADM5_MOD_NAME)) { - krb5_free_principal(handle->context, entry->principal); - entry->principal = NULL; - } + ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb, + &(entry->mod_date), + &(entry->mod_name)); + if (ret) { + goto done; + } + + if (! (mask & KADM5_MOD_TIME)) + entry->mod_date = 0; + if (! (mask & KADM5_MOD_NAME)) { + krb5_free_principal(handle->context, entry->principal); + entry->principal = NULL; + } } if (mask & KADM5_ATTRIBUTES) @@ -771,7 +783,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, if (mask & KADM5_FAIL_AUTH_COUNT) entry->fail_auth_count = kdb.fail_auth_count; if (mask & KADM5_TL_DATA) { - krb5_tl_data td, *tl, *tl2; + krb5_tl_data *tl, *tl2; entry->tl_data = NULL; @@ -803,9 +815,10 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, entry->key_data = NULL; for (i = 0; i < entry->n_key_data; i++) - if (ret = krb5_copy_key_data_contents(handle->context, - &kdb.key_data[i], - &entry->key_data[i])) + ret = krb5_copy_key_data_contents(handle->context, + &kdb.key_data[i], + &entry->key_data[i]); + if (ret) goto done; } } 
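Review bot: In kadm5_get_principal the branch that discards an unrequested modifier name frees the wrong field: after krb5_dbe_lookup_mod_princ_data fills `entry->mod_name`, the `if (! (mask & KADM5_MOD_NAME))` block calls `krb5_free_principal(handle->context, entry->principal)` and NULLs entry->principal, so a caller asking for KADM5_MOD_TIME without KADM5_MOD_NAME loses the principal it asked for and leaks mod_name. It should be `krb5_free_principal(handle->context, entry->mod_name); entry->mod_name = NULL;`. This is pre-existing logic that the reindent carries forward; the function starts and ends outside the hunk.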
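Review bot: The key_data copy loop in kadm5_get_principal lost its error check: the `for` has no braces, so its body is now only the `ret = krb5_copy_key_data_contents(...)` assignment, and the `if (ret) goto done;` runs once after the loop, where an earlier iteration's failure has already been overwritten by a later success. Brace the loop so the check is inside it: `for (i = 0; i < entry->n_key_data; i++) { ret = krb5_copy_key_data_contents(handle->context, &kdb.key_data[i], &entry->key_data[i]); if (ret) goto done; }`. The old `if (ret = ...) goto done;` was the whole loop body, so this is a regression introduced by the restyle; the function ends outside the hunk.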
@@ -883,37 +896,38 @@ check_pw_reuse(krb5_context context, krb5_keyblock *master_keyblock, krb5_keyblock *hist_keyblock, int n_new_key_data, krb5_key_data *new_key_data, - int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data) + unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data) { int x, y, z; krb5_keyblock newkey, histkey; krb5_error_code ret; for (x = 0; x < n_new_key_data; x++) { - if (ret = krb5_dbekd_decrypt_key_data(context, - master_keyblock, - &(new_key_data[x]), - &newkey, NULL)) + ret = krb5_dbekd_decrypt_key_data(context, + master_keyblock, + &(new_key_data[x]), + &newkey, NULL); + if (ret) return(ret); for (y = 0; y < n_pw_hist_data; y++) { for (z = 0; z < pw_hist_data[y].n_key_data; z++) { - if (ret = - krb5_dbekd_decrypt_key_data(context, - hist_keyblock, - &pw_hist_data[y].key_data[z], - &histkey, NULL)) - return(ret); - - if ((newkey.length == histkey.length) && - (newkey.enctype == histkey.enctype) && - (memcmp(newkey.contents, histkey.contents, - histkey.length) == 0)) { - krb5_free_keyblock_contents(context, &histkey); - krb5_free_keyblock_contents(context, &newkey); - - return(KADM5_PASS_REUSE); - } - krb5_free_keyblock_contents(context, &histkey); + ret = krb5_dbekd_decrypt_key_data(context, + hist_keyblock, + &pw_hist_data[y].key_data[z], + &histkey, NULL); + if (ret) + return(ret); + + if ((newkey.length == histkey.length) && + (newkey.enctype == histkey.enctype) && + (memcmp(newkey.contents, histkey.contents, + histkey.length) == 0)) { + krb5_free_keyblock_contents(context, &histkey); + krb5_free_keyblock_contents(context, &newkey); + + return(KADM5_PASS_REUSE); + } + krb5_free_keyblock_contents(context, &histkey); } } krb5_free_keyblock_contents(context, &newkey); 
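Review bot: check_pw_reuse leaks the decrypted candidate key when a history decrypt fails: the inner `if (ret) return(ret);` after the krb5_dbekd_decrypt_key_data on the history entry returns while `newkey` still holds plaintext key material from the outer decrypt. Free it first: `if (ret) { krb5_free_keyblock_contents(context, &newkey); return(ret); }`. The int loop counter `y` is also now compared against the `unsigned int n_pw_hist_data` parameter; declare `y` unsigned to avoid the signed/unsigned comparison. The function's closing lines are just outside the hunk.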
@@ -958,25 +972,29 @@ int create_history_entry(krb5_context context, memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data)); for (i = 0; i < n_key_data; i++) { - if (ret = krb5_dbekd_decrypt_key_data(context, - master_keyblock, - &key_data[i], - &key, &salt)) - return ret; - if (ret = krb5_dbekd_encrypt_key_data(context, - &hist_key, - &key, &salt, - key_data[i].key_data_kvno, - &hist->key_data[i])) - return ret; - krb5_free_keyblock_contents(context, &key); - /* krb5_free_keysalt(context, &salt); */ + ret = krb5_dbekd_decrypt_key_data(context, + master_keyblock, + &key_data[i], + &key, &salt); + if (ret) + return ret; + + ret = krb5_dbekd_encrypt_key_data(context, &hist_key, + &key, &salt, + key_data[i].key_data_kvno, + &hist->key_data[i]); + if (ret) + return ret; + + krb5_free_keyblock_contents(context, &key); + /* krb5_free_keysalt(context, &salt); */ } hist->n_key_data = n_key_data; return 0; } +static void free_history_entry(krb5_context context, osa_pw_hist_ent *hist) { int i; @@ -1013,14 +1031,13 @@ void free_history_entry(krb5_context context, osa_pw_hist_ent *hist) * adb->old_key_len). */ #define KADM_MOD(x) (x + adb->old_key_next) % adb->old_key_len -static kadm5_ret_t add_to_history( - krb5_context context, - osa_princ_ent_t adb, - kadm5_policy_ent_t pol, - osa_pw_hist_ent *pw) +static kadm5_ret_t add_to_history(krb5_context context, + osa_princ_ent_t adb, + kadm5_policy_ent_t pol, + osa_pw_hist_ent *pw) { - osa_pw_hist_ent *histp; - int i; + osa_pw_hist_ent *histp; + int i; /* A history of 1 means just check the current password */ if (pol->pw_history_num == 1) @@ -1120,8 +1137,9 @@ kadm5_chpass_principal(void *server_handle, * Default to using the new API with the default set of * key/salt combinations. */ - return (kadm5_chpass_principal_3(server_handle, principal, FALSE, - 0, NULL, password)); + return + kadm5_chpass_principal_3(server_handle, principal, FALSE, + 0, NULL, password); } kadm5_ret_t 
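Review bot: create_history_entry returns without freeing `key` when krb5_dbekd_encrypt_key_data fails, so the plaintext key decrypted a few lines earlier stays in memory: the second `if (ret) return ret;` in the loop should be `if (ret) { krb5_free_keyblock_contents(context, &key); return ret; }`. On either failure the hist->key_data entries already encrypted by earlier iterations are left for the caller, which is only safe if the caller frees a partially built entry; a comment on the function stating who owns hist on error would make that contract explicit. The function begins outside the hunk.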
@@ -1134,7 +1152,7 @@ kadm5_chpass_principal_3(void *server_handle, kadm5_policy_ent_rec pol; osa_princ_ent_rec adb; krb5_db_entry kdb, kdb_save; - int ret, ret2, last_pwd, i, hist_added; + int ret, ret2, last_pwd, hist_added; int have_pol = 0; kadm5_server_handle_t handle = server_handle; osa_pw_hist_ent hist; @@ -1169,24 +1187,27 @@ kadm5_chpass_principal_3(void *server_handle, KADM5_POLICY, &pol, principal))) goto done; - if (ret = krb5_dbe_cpw(handle->context, &handle->master_keyblock, - n_ks_tuple?ks_tuple:handle->params.keysalts, - n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - password, 0 /* increment kvno */, - keepold, &kdb)) + ret = krb5_dbe_cpw(handle->context, &handle->master_keyblock, + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + password, 0 /* increment kvno */, + keepold, &kdb); + if (ret) goto done; kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; - if (ret = krb5_timeofday(handle->context, &now)) + ret = krb5_timeofday(handle->context, &now); + if (ret) goto done; if ((adb.aux_attributes & KADM5_POLICY)) { /* the policy was loaded before */ - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd)) - goto done; + ret = krb5_dbe_lookup_last_pwd_change(handle->context, + &kdb, &last_pwd); + if (ret) + goto done; #if 0 /* 
@@ -1202,17 +1223,19 @@ kadm5_chpass_principal_3(void *server_handle, } #endif - if (ret = create_history_entry(handle->context, - &handle->master_keyblock, kdb_save.n_key_data, - kdb_save.key_data, &hist)) - goto done; + ret = create_history_entry(handle->context, + &handle->master_keyblock, kdb_save.n_key_data, + kdb_save.key_data, &hist); + if (ret) + goto done; - if (ret = check_pw_reuse(handle->context, - &handle->master_keyblock, - &hist_key, - kdb.n_key_data, kdb.key_data, - 1, &hist)) - goto done; + ret = check_pw_reuse(handle->context, + &handle->master_keyblock, + &hist_key, + kdb.n_key_data, kdb.key_data, + 1, &hist); + if (ret) + goto done; if (pol.pw_history_num > 1) { if (adb.admin_history_kvno != hist_kvno) { @@ -1220,15 +1243,17 @@ kadm5_chpass_principal_3(void *server_handle, goto done; } - if (ret = check_pw_reuse(handle->context, + ret = check_pw_reuse(handle->context, &handle->master_keyblock, &hist_key, - kdb.n_key_data, kdb.key_data, - adb.old_key_len, adb.old_keys)) + kdb.n_key_data, kdb.key_data, + adb.old_key_len, adb.old_keys); + if (ret) goto done; - if (ret = add_to_history(handle->context, &adb, &pol, &hist)) - goto done; + ret = add_to_history(handle->context, &adb, &pol, &hist); + if (ret) + goto done; hist_added = 1; } @@ -1240,7 +1265,8 @@ kadm5_chpass_principal_3(void *server_handle, kdb.pw_expiration = 0; } - if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) + ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); + if (ret) goto done; if ((ret = kdb_put_entry(handle, &kdb, &adb))) 
@@ -1318,16 +1344,18 @@ kadm5_randkey_principal_3(void *server_handle, if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) return(ret); - if (ret = krb5_dbe_crk(handle->context, &handle->master_keyblock, - n_ks_tuple?ks_tuple:handle->params.keysalts, - n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, - keepold, - &kdb)) - goto done; + ret = krb5_dbe_crk(handle->context, &handle->master_keyblock, + n_ks_tuple?ks_tuple:handle->params.keysalts, + n_ks_tuple?n_ks_tuple:handle->params.num_keysalts, + keepold, + &kdb); + if (ret) + goto done; kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; - if (ret = krb5_timeofday(handle->context, &now)) + ret = krb5_timeofday(handle->context, &now); + if (ret) goto done; if ((adb.aux_attributes & KADM5_POLICY)) { @@ -1336,8 +1364,9 @@ kadm5_randkey_principal_3(void *server_handle, goto done; have_pol = 1; - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - &kdb, &last_pwd)) + ret = krb5_dbe_lookup_last_pwd_change(handle->context, + &kdb, &last_pwd); + if (ret) goto done; #if 0 @@ -1360,11 +1389,12 @@ kadm5_randkey_principal_3(void *server_handle, goto done; } - if (ret = check_pw_reuse(handle->context, - &handle->master_keyblock, - &hist_key, - kdb.n_key_data, kdb.key_data, - adb.old_key_len, adb.old_keys)) + ret = check_pw_reuse(handle->context, + &handle->master_keyblock, + &hist_key, + kdb.n_key_data, kdb.key_data, + adb.old_key_len, adb.old_keys); + if (ret) goto done; } if (pol.pw_max_life) 
@@ -1375,28 +1405,31 @@ kadm5_randkey_principal_3(void *server_handle, kdb.pw_expiration = 0; } - if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) + ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now); + if (ret) goto done; if (keyblocks) { if (handle->api_version == KADM5_API_VERSION_1) { /* Version 1 clients will expect to see a DES_CRC enctype. */ - if (ret = krb5_dbe_find_enctype(handle->context, &kdb, - ENCTYPE_DES_CBC_CRC, - -1, -1, &key_data)) - goto done; - - if (ret = decrypt_key_data(handle->context, + ret = krb5_dbe_find_enctype(handle->context, &kdb, + ENCTYPE_DES_CBC_CRC, + -1, -1, &key_data); + if (ret) + goto done; + + ret = decrypt_key_data(handle->context, &handle->master_keyblock, 1, key_data, - keyblocks, NULL)) - goto done; + keyblocks, NULL); + if (ret) + goto done; } else { - ret = decrypt_key_data(handle->context, - &handle->master_keyblock, - kdb.n_key_data, kdb.key_data, - keyblocks, n_keys); - if (ret) - goto done; + ret = decrypt_key_data(handle->context, + &handle->master_keyblock, + kdb.n_key_data, kdb.key_data, + keyblocks, n_keys); + if (ret) + goto done; } } @@ -1418,8 +1451,10 @@ kadm5_setkey_principal(void *server_handle, krb5_keyblock *keyblocks, int n_keys) { - return (kadm5_setkey_principal_3(server_handle, principal, - FALSE, 0, NULL, keyblocks, n_keys)); + return + kadm5_setkey_principal_3(server_handle, principal, + FALSE, 0, NULL, + keyblocks, n_keys); } kadm5_ret_t 
@@ -1452,21 +1487,22 @@ kadm5_setkey_principal_3(void *server_handle,
 for (i = 0; i < n_keys; i++) {
 for (j = i+1; j < n_keys; j++) {
- if (ret = krb5_c_enctype_compare(handle->context,
- keyblocks[i].enctype,
- keyblocks[j].enctype,
- &similar))
+ if ((ret = krb5_c_enctype_compare(handle->context,
+ keyblocks[i].enctype,
+ keyblocks[j].enctype,
+ &similar)))
 return(ret);
- if (similar)
+ if (similar) {
 if (n_ks_tuple) {
 if (ks_tuple[i].ks_salttype == ks_tuple[j].ks_salttype)
 return KADM5_SETKEY_DUP_ENCTYPES;
 } else
 return KADM5_SETKEY_DUP_ENCTYPES;
+ }
 }
 }
- if (n_ks_tuple != n_keys)
+ if (n_ks_tuple && n_ks_tuple != n_keys)
 return KADM5_SETKEY3_ETYPE_MISMATCH;
 if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
@@ -1526,7 +1562,7 @@ kadm5_setkey_principal_3(void *server_handle,
 /* assert(kdb.n_key_data == n_keys + n_old_keys) */
 kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
- if (ret = krb5_timeofday(handle->context, &now))
+ if ((ret = krb5_timeofday(handle->context, &now)))
 goto done;
 if ((adb.aux_attributes & KADM5_POLICY)) {
@@ -1578,8 +1614,8 @@ kadm5_setkey_principal_3(void *server_handle,
 kdb.pw_expiration = 0;
 }
- if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))
- goto done;
+ if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)))
+ goto done;
 if ((ret = kdb_put_entry(handle, &kdb, &adb)))
 goto done;
@@ -1600,9 +1636,9 @@ done:
 * number of keys decrypted.
 */
 static int decrypt_key_data(krb5_context context,
- krb5_keyblock *master_keyblock,
- int n_key_data, krb5_key_data *key_data,
- krb5_keyblock **keyblocks, int *n_keys)
+ krb5_keyblock *master_keyblock,
+ int n_key_data, krb5_key_data *key_data,
+ krb5_keyblock **keyblocks, int *n_keys)
 {
 krb5_keyblock *keys;
 int ret, i;
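Review bot: The new `n_ks_tuple && n_ks_tuple != n_keys` check still sits after the duplicate-enctype loop above it, so a caller passing a non-zero n_ks_tuple that is smaller than n_keys makes the loop read `ks_tuple[i]` and `ks_tuple[j]` past the end of ks_tuple before the mismatch is rejected; the loop only guards on `if (n_ks_tuple)`, not on the count. Hoisting the two lines `if (n_ks_tuple && n_ks_tuple != n_keys) return KADM5_SETKEY3_ETYPE_MISMATCH;` above `for (i = 0; i < n_keys; i++)` closes that window without changing which inputs are accepted. Allowing n_ks_tuple == 0 is what lets the kadm5_setkey_principal wrapper, which passes `FALSE, 0, NULL`, through; a comment on the check such as `/* n_ks_tuple == 0: no per-key salts supplied (setkey_principal wrapper) */` would make that intent explicit. kadm5_setkey_principal_3 begins outside this hunk.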
@@ -1613,8 +1649,11 @@ static int decrypt_key_data(krb5_context context,
 memset((char *) keys, 0, n_key_data*sizeof(krb5_keyblock));
 for (i = 0; i < n_key_data; i++) {
- if (ret = krb5_dbekd_decrypt_key_data(context,
- master_keyblock, &key_data[i], &keys[i], NULL)) {
+ ret = krb5_dbekd_decrypt_key_data(context,
+ master_keyblock,
+ &key_data[i],
+ &keys[i], NULL);
+ if (ret) {
 memset((char *) keys, 0, n_key_data*sizeof(krb5_keyblock));
 free(keys);
@@ -1678,13 +1717,13 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle,
 /* find_enctype only uses these two fields */
 dbent.n_key_data = entry->n_key_data;
 dbent.key_data = entry->key_data;
- if (ret = krb5_dbe_find_enctype(handle->context, &dbent, ktype,
- stype, kvno, &key_data))
+ if ((ret = krb5_dbe_find_enctype(handle->context, &dbent, ktype,
+ stype, kvno, &key_data)))
 return ret;
- if (ret = krb5_dbekd_decrypt_key_data(handle->context,
- &handle->master_keyblock, key_data,
- keyblock, keysalt))
+ if ((ret = krb5_dbekd_decrypt_key_data(handle->context,
+ &handle->master_keyblock, key_data,
+ keyblock, keysalt)))
 return ret;
 if (kvnop)
diff --git a/usr/src/lib/krb5/kadm5/str_conv.c b/usr/src/lib/krb5/kadm5/str_conv.c
index 9e81c46194..62cb897d49 100644
--- a/usr/src/lib/krb5/kadm5/str_conv.c
+++ b/usr/src/lib/krb5/kadm5/str_conv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
@@ -68,6 +68,7 @@
 #include "k5-int.h"
 #include "admin_internal.h"
+#include "adm_proto.h"
 /*
 * Local data structures.
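Review bot: The restructured `if (ret)` error path in decrypt_key_data still only zeroes and frees the keys array itself; the keyblock contents already decrypted into `keys[0..i-1]` are neither released nor zeroized, so plaintext key material stays on the heap whenever a later key fails to decrypt. Releasing them first, e.g. `for (j = 0; j < i; j++) krb5_free_keyblock_contents(context, &keys[j]);` with `j` declared next to `ret, i`, fixes both the leak and the hygiene gap; whether `keys[i]` is partially filled on failure depends on krb5_dbekd_decrypt_key_data and is not visible here. Note also that a plain `memset` immediately before `free` is a dead store the compiler is entitled to drop, so it does not count as zeroization. The remainder of decrypt_key_data, including its success path, lies outside the hunk.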
@@ -359,8 +360,9 @@ krb5_string_to_keysalts(string, tupleseps, ksaltseps, dups, ksaltp, nksaltp)
 len = (size_t) *nksaltp;
 /* Get new keysalt array */
- if (*ksaltp = (krb5_key_salt_tuple *)
- malloc((len + 1) * sizeof(krb5_key_salt_tuple))) {
+ *ksaltp = (krb5_key_salt_tuple *)
+ malloc((len + 1) * sizeof(krb5_key_salt_tuple));
+ if (*ksaltp) {
 /* Copy old keysalt if appropriate */
 if (savep) {
@@ -420,8 +422,7 @@ krb5_keysalt_iterate(ksaltlist, nksalt, ignoresalt, iterator, arg)
 krb5_key_salt_tuple *ksaltlist;
 krb5_int32 nksalt;
 krb5_boolean ignoresalt;
- krb5_error_code (*iterator) (krb5_key_salt_tuple *,
- krb5_pointer);
+ krb5_error_code (*iterator) (krb5_key_salt_tuple *, krb5_pointer);
 krb5_pointer arg;
 {
 int i;
@@ -436,7 +437,8 @@ krb5_keysalt_iterate(ksaltlist, nksalt, ignoresalt, iterator, arg)
 i,
 scratch.ks_enctype,
 scratch.ks_salttype)) {
- if (kret = (*iterator)(&scratch, arg))
+ kret = (*iterator)(&scratch, arg);
+ if (kret)
 break;
 }
 } |
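Review bot: The split assignment in krb5_string_to_keysalts keeps the `(krb5_key_salt_tuple *)` cast on malloc's return, which is redundant in C and can mask a missing prototype; sizing from the target rather than the type also keeps the two from drifting apart: `*ksaltp = malloc((len + 1) * sizeof(**ksaltp));`. The `if (*ksaltp)` split itself is fine. The enclosing function begins before the hunk and the allocation-failure branch follows it, so how a NULL result is reported to the caller cannot be checked here.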
