author | Greg Hudson <ghudson@mit.edu> | 2013-01-16 11:38:55 -0500 |
committer | Greg Hudson <ghudson@mit.edu> | 2013-01-16 11:38:55 -0500 |
commit | 1078f5bf8049ab95322e7daf37c06f94623cdb74 (patch) | |
tree | a5cfb7f66c64129375ef2f949acca0391eaf3f1e | |
parent | e987546b4ff1689bb711cc46118ad9fc0a5613f6 (diff) | |
Get rid of krb5_read_realm_params
Read realm parameters directly from the profile in the KDC's
init_realm(), getting rid of the intermediate krb5_realm_params
structure. Then get rid of krb5_realm_params and
krb5_read_realm_params, since nothing else uses them.
-rw-r--r-- | src/include/adm_proto.h | 9 | ||||
-rw-r--r-- | src/kdc/main.c | 125 | ||||
-rw-r--r-- | src/lib/kadm5/admin.h | 33 | ||||
-rw-r--r-- | src/lib/kadm5/alt_prof.c | 143 | ||||
-rw-r--r-- | src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 2 | ||||
-rw-r--r-- | src/lib/kadm5/srv/libkadm5srv_mit.exports | 2 |
6 files changed, 63 insertions, 251 deletions
diff --git a/src/include/adm_proto.h b/src/include/adm_proto.h index daca5a1162..3758f5ffe6 100644 --- a/src/include/adm_proto.h +++ b/src/include/adm_proto.h @@ -37,11 +37,6 @@ typedef struct _krb5_db_entry krb5_db_entry; /* Ditto for admin.h */ -#if !defined(__KADM5_ADMIN_H__) -struct ___krb5_realm_params; -typedef struct ___krb5_realm_params krb5_realm_params; -#endif /* KRB5_ADM_H__ */ - #ifndef KRB5_KDB5__ struct ___krb5_key_salt_tuple; typedef struct ___krb5_key_salt_tuple krb5_key_salt_tuple; @@ -76,10 +71,6 @@ krb5_error_code krb5_aprof_get_int32(krb5_pointer, const char **, krb5_boolean, krb5_int32 *); krb5_error_code krb5_aprof_finish(krb5_pointer); -krb5_error_code krb5_read_realm_params(krb5_context, char *, - krb5_realm_params **); -krb5_error_code krb5_free_realm_params(krb5_context, krb5_realm_params *); - /* str_conv.c */ krb5_error_code krb5_string_to_flags(char *, const char *, const char *, krb5_flags *); diff --git a/src/kdc/main.c b/src/kdc/main.c index 26d390798d..2f08df60d0 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -200,15 +200,16 @@ combine(const char *val1, const char *val2, char **val_out) * realm data and we should be all set to begin operation for that realm. */ static krb5_error_code -init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, +init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname, krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports, krb5_boolean def_manual, krb5_boolean def_restrict_anon, char **db_args, char *no_referral, char *hostbased) { krb5_error_code kret; krb5_boolean manual; - krb5_realm_params *rparams; int kdb_open_flags; + char *svalue = NULL; + const char *hierarchy[4]; krb5_kvno mkvno = IGNORE_VNO; memset(rdp, 0, sizeof(kdc_realm_t)); 
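Review bot: The new `aprof` parameter of init_realm is not described in the function's header comment, whose last line ("realm data and we should be all set to begin operation for that realm") is the context just above the signature. I would add a sentence to that comment such as `aprof is the KDC profile handle obtained by the caller via krb5_aprof_init; it is used for the per-realm [realms] lookups and is neither closed nor retained by this function.` The caller initialises it with `krb5_pointer aprof = NULL;`, so it appears the handle may also be NULL, in which case each krb5_aprof_get_* lookup is presumably expected to fail and the def_* defaults apply; that should be confirmed against the aprof helpers before stating it in the comment. init_realm's body continues past this hunk.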
@@ -216,6 +217,9 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, kret = EINVAL; goto whoops; } + hierarchy[0] = KRB5_CONF_REALMS; + hierarchy[1] = realm; + hierarchy[3] = NULL; rdp->realm_name = strdup(realm); if (rdp->realm_name == NULL) { 
@@ -230,95 +234,90 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, if (time_offset != 0) (void)krb5_set_time_offsets(rdp->realm_context, time_offset, 0); - kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name, - &rparams); - if (kret) { - kdc_err(rdp->realm_context, kret, _("while reading realm parameters")); - goto whoops; - } - /* Handle master key name */ - if (rparams && rparams->realm_mkey_name) - rdp->realm_mpname = strdup(rparams->realm_mkey_name); - else + hierarchy[2] = KRB5_CONF_MASTER_KEY_NAME; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_mpname)) { rdp->realm_mpname = (def_mpname) ? strdup(def_mpname) : strdup(KRB5_KDB_M_NAME); + } if (!rdp->realm_mpname) { kret = ENOMEM; goto whoops; } /* Handle KDC ports */ - if (rparams && rparams->realm_kdc_ports) - rdp->realm_ports = strdup(rparams->realm_kdc_ports); - else + hierarchy[2] = KRB5_CONF_KDC_PORTS; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_ports)) rdp->realm_ports = strdup(def_udp_ports); if (!rdp->realm_ports) { kret = ENOMEM; goto whoops; } - if (rparams && rparams->realm_kdc_tcp_ports) - rdp->realm_tcp_ports = strdup(rparams->realm_kdc_tcp_ports); - else + hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_tcp_ports)) rdp->realm_tcp_ports = strdup(def_tcp_ports); if (!rdp->realm_tcp_ports) { kret = ENOMEM; goto whoops; } /* Handle stash file */ - if (rparams && rparams->realm_stash_file) { - rdp->realm_stash = strdup(rparams->realm_stash_file); - if (!rdp->realm_stash) { - kret = ENOMEM; - goto whoops; - } - manual = FALSE; - } else + hierarchy[2] = KRB5_CONF_KEY_STASH_FILE; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_stash)) manual = def_manual; - - if (rparams && rparams->realm_restrict_anon_valid) - rdp->realm_restrict_anon = rparams->realm_restrict_anon; else + manual = FALSE; + + hierarchy[2] = KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT; + if 
(krb5_aprof_get_boolean(aprof, hierarchy, TRUE, + &rdp->realm_restrict_anon)) rdp->realm_restrict_anon = def_restrict_anon; /* Handle master key type */ - if (rparams && rparams->realm_enctype_valid) - rdp->realm_mkey.enctype = (krb5_enctype) rparams->realm_enctype; - else + hierarchy[2] = KRB5_CONF_MASTER_KEY_TYPE; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &svalue) || + krb5_string_to_enctype(svalue, &rdp->realm_mkey.enctype)) rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN; + free(svalue); + svalue = NULL; /* Handle reject-bad-transit flag */ - if (rparams && rparams->realm_reject_bad_transit_valid) - rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit; - else - rdp->realm_reject_bad_transit = 1; + hierarchy[2] = KRB5_CONF_REJECT_BAD_TRANSIT; + if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, + &rdp->realm_reject_bad_transit)) + rdp->realm_reject_bad_transit = TRUE; /* Handle assume des-cbc-crc is supported for session keys */ - if (rparams && rparams->realm_assume_des_crc_sess_valid) - rdp->realm_assume_des_crc_sess = rparams->realm_assume_des_crc_sess; - else - rdp->realm_assume_des_crc_sess = 1; + hierarchy[2] = KRB5_CONF_ASSUME_DES_CRC_SESSION; + if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, + &rdp->realm_assume_des_crc_sess)) + rdp->realm_assume_des_crc_sess = TRUE; /* Handle ticket maximum life */ - rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ? - rparams->realm_max_life : KRB5_KDB_MAX_LIFE; + hierarchy[2] = KRB5_CONF_MAX_LIFE; + if (krb5_aprof_get_deltat(aprof, hierarchy, TRUE, &rdp->realm_maxlife)) + rdp->realm_maxlife = KRB5_KDB_MAX_LIFE; /* Handle ticket renewable maximum life */ - rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ? 
- rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE; + hierarchy[2] = KRB5_CONF_MAX_RENEWABLE_LIFE; + if (krb5_aprof_get_deltat(aprof, hierarchy, TRUE, &rdp->realm_maxrlife)) + rdp->realm_maxrlife = KRB5_KDB_MAX_RLIFE; /* Handle KDC referrals */ - kret = combine(no_referral, rparams->realm_no_referral, - &rdp->realm_no_referral); + hierarchy[2] = KRB5_CONF_NO_HOST_REFERRAL; + (void)krb5_aprof_get_string_all(aprof, hierarchy, &svalue); + kret = combine(no_referral, svalue, &rdp->realm_no_referral); if (kret) goto whoops; + free(svalue); + svalue = NULL; - kret = combine(hostbased, rparams->realm_hostbased, &rdp->realm_hostbased); + hierarchy[2] = KRB5_CONF_HOST_BASED_SERVICES; + (void)krb5_aprof_get_string_all(aprof, hierarchy, &svalue); + kret = combine(hostbased, svalue, &rdp->realm_hostbased); if (kret) goto whoops; - - if (rparams) - krb5_free_realm_params(rdp->realm_context, rparams); + free(svalue); + svalue = NULL; /* * We've got our parameters, now go and setup our realm context. @@ -616,7 +615,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) krb5_boolean def_restrict_anon; char *default_udp_ports = 0; char *default_tcp_ports = 0; - krb5_pointer aprof; + krb5_pointer aprof = NULL; const char *hierarchy[3]; char *no_referral = NULL; char *hostbased = NULL; @@ -646,8 +645,6 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) hierarchy[1] = KRB5_CONF_HOST_BASED_SERVICES; if (krb5_aprof_get_string_all(aprof, hierarchy, &hostbased)) hostbased = 0; - - krb5_aprof_finish(aprof); } if (default_udp_ports == 0) { 
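Review bot: `svalue` is leaked on the two `goto whoops` paths that follow the combine() calls for KRB5_CONF_NO_HOST_REFERRAL and KRB5_CONF_HOST_BASED_SERVICES: `krb5_aprof_get_string_all` has just allocated into it and the `free(svalue); svalue = NULL;` sits after the early exit. The simplest fix is to move those two lines above `if (kret) goto whoops;` in both places, since combine() produces its own copy in `*val_out` (the old code freed the profile string separately via krb5_free_realm_params); alternatively free it under the whoops label, which is outside this hunk so I cannot confirm it does not already. Separately, when KRB5_CONF_MASTER_KEY_TYPE is present but `krb5_string_to_enctype` rejects it, the code silently falls back to `manual ? def_enctype : ENCTYPE_UNKNOWN`; the removed krb5_read_realm_params was equally silent, but a kdc_err-style log line naming the unrecognised value would make that misconfiguration visible at startup rather than surfacing later as a master-key or stash failure.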
@@ -691,11 +688,12 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) case 'r': /* realm name for db */ if (!find_realm_data(&shandle, optarg, (krb5_ui_4) strlen(optarg))) { if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { - if ((retval = init_realm(rdatap, optarg, mkey_name, - menctype, default_udp_ports, - default_tcp_ports, manual, - def_restrict_anon, db_args, - no_referral, hostbased))) { + retval = init_realm(rdatap, aprof, optarg, mkey_name, + menctype, default_udp_ports, + default_tcp_ports, manual, + def_restrict_anon, db_args, + no_referral, hostbased); + if (retval) { fprintf(stderr, _("%s: cannot initialize realm %s - " "see log file for details\n"), argv[0], optarg); @@ -808,10 +806,11 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) exit(1); } if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { - if ((retval = init_realm(rdatap, lrealm, mkey_name, menctype, - default_udp_ports, default_tcp_ports, - manual, def_restrict_anon, db_args, - no_referral, hostbased))) { + retval = init_realm(rdatap, aprof, lrealm, mkey_name, menctype, + default_udp_ports, default_tcp_ports, manual, + def_restrict_anon, db_args, no_referral, + hostbased); + if (retval) { fprintf(stderr, _("%s: cannot initialize realm %s - see log " "file for details\n"), argv[0], lrealm); exit(1); @@ -834,6 +833,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) free(hostbased); if (no_referral) free(no_referral); + if (aprof) + krb5_aprof_finish(aprof); return; } diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index 47102cd3de..189ca45cf3 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h 
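Review bot: `aprof` can be NULL at this init_realm call, and at the one in the `-808,10 +806,11` hunk below, because initialize_realms now initialises it with `krb5_pointer aprof = NULL;` and the krb5_aprof_init call that fills it is outside these hunks. Before this change a profile that could not be opened made krb5_read_realm_params fail and init_realm abort with "while reading realm parameters"; now each krb5_aprof_get_* call on a NULL handle presumably just returns an error and the def_* defaults are used, so a KDC whose kdc.conf is unreadable would start with default realm parameters instead of refusing to start. If that is the intended behaviour it deserves a comment at the call site; if not, a check such as `if (aprof == NULL) { /* log and exit, as for a missing realm */ }` before the first init_realm call would restore the old fail-closed behaviour. Whether krb5_aprof_init failure already exits earlier in initialize_realms cannot be seen from these hunks.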
@@ -278,36 +278,6 @@ typedef struct _kadm5_config_params { int iprop_resync_timeout; } kadm5_config_params; -/*********************************************************************** - * This is the old krb5_realm_read_params, which I mutated into - * kadm5_get_config_params but which old code (kdb5_* and krb5kdc) - * still uses. - ***********************************************************************/ - -/* - * Data structure returned by krb5_read_realm_params() - */ -typedef struct __krb5_realm_params { - char * realm_mkey_name; - char * realm_stash_file; - char * realm_kdc_ports; - char * realm_kdc_tcp_ports; - char * realm_hostbased; - char * realm_no_referral; - krb5_enctype realm_enctype; - krb5_deltat realm_max_life; - krb5_deltat realm_max_rlife; - unsigned int realm_reject_bad_transit:1; - unsigned int realm_restrict_anon:1; - unsigned int realm_enctype_valid:1; - unsigned int realm_max_life_valid:1; - unsigned int realm_max_rlife_valid:1; - unsigned int realm_reject_bad_transit_valid:1; - unsigned int realm_restrict_anon_valid:1; - unsigned int realm_assume_des_crc_sess:1; - unsigned int realm_assume_des_crc_sess_valid:1; -} krb5_realm_params; - /* * functions */ @@ -320,9 +290,6 @@ krb5_error_code kadm5_get_config_params(krb5_context context, krb5_error_code kadm5_free_config_params(krb5_context context, kadm5_config_params *params); -krb5_error_code kadm5_free_realm_params(krb5_context kcontext, - kadm5_config_params *params); - krb5_error_code kadm5_get_admin_service_name(krb5_context, char *, char *, size_t); diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 075e077dae..07158fcd5e 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c 
@@ -869,146 +869,3 @@ err_params: kadm5_free_config_params(ctx, ¶ms_out); return ret; } - -/*********************************************************************** - * This is the old krb5_realm_read_params, which I mutated into - * kadm5_get_config_params but which old KDC code still uses. - ***********************************************************************/ - -/* - * krb5_read_realm_params() - Read per-realm parameters from KDC alternate - * profile. - */ -krb5_error_code -krb5_read_realm_params(krb5_context context, char *realm, - krb5_realm_params **rparamp) -{ - char *envname, *lrealm, *svalue; - char *no_referral = NULL, *hostbased = NULL; - krb5_pointer aprofile = NULL; - krb5_realm_params *rparams = NULL; - const char *hierarchy[4]; - krb5_boolean bvalue; - krb5_deltat dtvalue; - krb5_error_code ret; - - if (realm != NULL) { - lrealm = strdup(realm); - } else { - ret = krb5_get_default_realm(context, &lrealm); - if (ret) - goto cleanup; - } - - envname = context->profile_secure ? NULL : KDC_PROFILE_ENV; - ret = krb5_aprof_init(DEFAULT_KDC_PROFILE, envname, &aprofile); - if (ret) - goto cleanup; - - rparams = calloc(1, sizeof(krb5_realm_params)); - if (rparams == NULL) { - ret = ENOMEM; - goto cleanup; - } - - /* Set up the hierarchy so we can query multiple realm variables. 
*/ - hierarchy[0] = KRB5_CONF_REALMS; - hierarchy[1] = lrealm; - hierarchy[3] = NULL; - - /* Get the value for the KDC port list */ - hierarchy[2] = KRB5_CONF_KDC_PORTS; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_kdc_ports = svalue; - hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_kdc_tcp_ports = svalue; - - /* Get the value for the master key name */ - hierarchy[2] = KRB5_CONF_MASTER_KEY_NAME; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_mkey_name = svalue; - - /* Get the value for the master key type */ - hierarchy[2] = KRB5_CONF_MASTER_KEY_TYPE; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype)) - rparams->realm_enctype_valid = 1; - free(svalue); - } - - /* Get the value for the stashfile */ - hierarchy[2] = KRB5_CONF_KEY_STASH_FILE; - if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_stash_file = svalue; - - /* Get the value for maximum ticket lifetime. */ - hierarchy[2] = KRB5_CONF_MAX_LIFE; - if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { - rparams->realm_max_life = dtvalue; - rparams->realm_max_life_valid = 1; - } - - /* Get the value for maximum renewable ticket lifetime. 
*/ - hierarchy[2] = KRB5_CONF_MAX_RENEWABLE_LIFE; - if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { - rparams->realm_max_rlife = dtvalue; - rparams->realm_max_rlife_valid = 1; - } - - hierarchy[2] = KRB5_CONF_REJECT_BAD_TRANSIT; - if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { - rparams->realm_reject_bad_transit = bvalue; - rparams->realm_reject_bad_transit_valid = 1; - } - - hierarchy[2] = KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT; - if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { - rparams->realm_restrict_anon = bvalue; - rparams->realm_restrict_anon_valid = 1; - } - - hierarchy[2] = KRB5_CONF_ASSUME_DES_CRC_SESSION; - if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { - rparams->realm_assume_des_crc_sess = bvalue; - rparams->realm_assume_des_crc_sess_valid = 1; - } - - hierarchy[2] = KRB5_CONF_NO_HOST_REFERRAL; - if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_referral)) - rparams->realm_no_referral = no_referral; - - hierarchy[2] = KRB5_CONF_HOST_BASED_SERVICES; - if (!krb5_aprof_get_string_all(aprofile, hierarchy, &hostbased)) - rparams->realm_hostbased = hostbased; - -cleanup: - if (aprofile) - krb5_aprof_finish(aprofile); - free(lrealm); - if (ret) { - if (rparams) - krb5_free_realm_params(context, rparams); - rparams = 0; - } - *rparamp = rparams; - return ret; -} - -/* - * krb5_free_realm_params() - Free data allocated by above. - */ -krb5_error_code -krb5_free_realm_params(krb5_context context, krb5_realm_params *rparams) -{ - if (rparams == NULL) - return 0; - free(rparams->realm_mkey_name); - free(rparams->realm_stash_file); - free(rparams->realm_kdc_ports); - free(rparams->realm_kdc_tcp_ports); - free(rparams->realm_no_referral); - free(rparams->realm_hostbased); - free(rparams); - return 0; -} diff --git a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports index 4732766ae9..f6f93b96a2 100644 
--- a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports +++ b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports @@ -52,7 +52,6 @@ krb5_aprof_getvals krb5_aprof_init krb5_flags_to_string krb5_free_key_data_contents -krb5_free_realm_params krb5_input_flag_to_string krb5_keysalt_is_present krb5_keysalt_iterate @@ -60,7 +59,6 @@ krb5_klog_close krb5_klog_init krb5_klog_reopen krb5_klog_syslog -krb5_read_realm_params krb5_string_to_flags krb5_string_to_keysalts xdr_chpass3_arg diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports index 0788ac1fe3..07d447a152 100644 --- a/src/lib/kadm5/srv/libkadm5srv_mit.exports +++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports @@ -69,7 +69,6 @@ krb5_aprof_init krb5_copy_key_data_contents krb5_flags_to_string krb5_free_key_data_contents -krb5_free_realm_params krb5_input_flag_to_string krb5_keysalt_is_present krb5_keysalt_iterate @@ -77,7 +76,6 @@ krb5_klog_close krb5_klog_init krb5_klog_reopen krb5_klog_syslog -krb5_read_realm_params krb5_string_to_flags krb5_string_to_keysalts master_db |