diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-02-04 22:44:45 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-02-06 15:24:12 -0500 |
| commit | 9bddaebd2dbdbf74086c94d55a5f307898463b2c (patch) | |
| tree | a895452274161ff32f3a6bbce43f63ac30c90b3b /src/kadmin | |
| parent | d055554b7c338bac0e7a679b431c7faaf53819c9 (diff) | |
| download | krb5-9bddaebd2dbdbf74086c94d55a5f307898463b2c.tar.gz krb5-9bddaebd2dbdbf74086c94d55a5f307898463b2c.tar.xz krb5-9bddaebd2dbdbf74086c94d55a5f307898463b2c.zip | |
Modernize dump.c
Reformat and simplify dump.c code according to current coding
standards. No functional changes except for some error messages.
Diffstat (limited to 'src/kadmin')
| -rw-r--r-- | src/kadmin/dbutil/dump.c | 2004 | ||||
| -rw-r--r-- | src/kadmin/dbutil/kdb5_util.h | 2 | ||||
| -rw-r--r-- | src/kadmin/dbutil/ovload.c | 4 |
3 files changed, 697 insertions, 1313 deletions
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index 8cde6711b0..f326999940 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -1,8 +1,8 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* kadmin/dbutil/dump.c - Dump a KDC database */ /* - * Copyright 1990,1991,2001,2006,2008,2009 by the Massachusetts Institute of - * Technology. All Rights Reserved. + * Copyright 1990,1991,2001,2006,2008,2009,2013 by the Massachusetts Institute + * of Technology. All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -39,43 +39,36 @@ #include <regex.h> #endif /* HAVE_REGEX_H */ -/* - * Needed for master key conversion. - */ -static int mkey_convert; -krb5_keyblock new_master_keyblock; -krb5_kvno new_mkvno; - -static int backwards; -static int recursive; - -#define K5Q1(x) #x -#define K5Q(x) K5Q1(x) -#define K5CONST_WIDTH_SCANF_STR(x) "%" K5Q(x) "s" - -/* - * Use compile(3) if no regcomp present. - */ -#if !defined(HAVE_REGCOMP) && defined(HAVE_REGEXP_H) -#define INIT char *sp = instring; -#define GETC() (*sp++) -#define PEEKC() (*sp) -#define UNGETC(c) (--sp) -#define RETURN(c) return(c) +/* Needed for master key conversion. */ +static int mkey_convert; +krb5_keyblock new_master_keyblock; +krb5_kvno new_mkvno; + +#define K5Q1(x) #x +#define K5Q(x) K5Q1(x) +#define K5CONST_WIDTH_SCANF_STR(x) "%" K5Q(x) "s" + +/* Use compile(3) if no regcomp present. */ +#if !defined(HAVE_REGCOMP) && defined(HAVE_REGEXP_H) +#define INIT char *sp = instring; +#define GETC() (*sp++) +#define PEEKC() (*sp) +#define UNGETC(c) (--sp) +#define RETURN(c) return(c) #define ERROR(c) -#define RE_BUF_SIZE 1024 +#define RE_BUF_SIZE 1024 #include <regexp.h> -#endif /* !HAVE_REGCOMP && HAVE_REGEXP_H */ +#endif /* !HAVE_REGCOMP && HAVE_REGEXP_H */ #define FLAG_VERBOSE 0x1 /* be verbose */ #define FLAG_UPDATE 0x2 /* processing an update */ #define FLAG_OMIT_NRA 0x4 /* avoid dumping non-replicated attrs */ -typedef krb5_error_code (*dump_func)(krb5_context, krb5_db_entry *, - const char *, FILE *, int); - -typedef krb5_error_code (*load_func)(char *, krb5_context, - FILE *, int, int *); +typedef krb5_error_code (*dump_func)(krb5_context context, + krb5_db_entry *entry, const char *name, + FILE *fp, int flags); +typedef int (*load_func)(krb5_context context, const char *dumpfile, FILE *fp, + int flags, int *linenop); typedef struct _dump_version { char *name; @@ -89,150 +82,67 @@ typedef struct _dump_version { } dump_version; struct dump_args { - char *programname; - FILE *ofile; - krb5_context kcontext; - char **names; - int nnames; - int flags; - dump_version *dump; + FILE *ofile; + krb5_context context; + char **names; + int nnames; + int flags; + dump_version *dump; }; /* External data */ -extern char *current_dbname; -extern krb5_boolean dbactive; -extern int exit_status; -extern krb5_context util_context; -extern kadm5_config_params global_params; -extern krb5_db_entry *master_entry; - -/* Strings */ - -#define k5beta_dump_header "kdb5_edit load_dump version 2.0\n" - -static const char null_mprinc_name[] = "kdb5_dump@MISSING"; - -/* Message strings */ -#define regex_err _("%s: regular expression error - %s\n") -#define regex_merr _("%s: regular expression match error - %s\n") -#define pname_unp_err _("%s: cannot unparse principal name (%s)\n") -#define mname_unp_err _("%s: cannot unparse modifier name (%s)\n") -#define nokeys_err _("%s: cannot find any standard key for %s\n") -#define sdump_tl_inc_err _("%s: tagged data list inconsistency for %s (counted %d, stored %d)\n") -#define ofopen_error _("%s: cannot open %s for writing (%s)\n") -#define oflock_error _("%s: cannot lock %s (%s)\n") -#define dumprec_err _("%s: error performing %s dump (%s)\n") -#define trash_end_fmt _("%s(%d): ignoring trash at end of line: ") -#define read_nomem _("entry (out of memory)") -#define read_header _("dump entry header") -#define read_negint _("dump entry (unexpected negative numeric field)") -#define read_name_string _("name string") -#define read_key_type _("key type") -#define read_key_data _("key data") -#define read_pr_data1 _("first set of principal attributes") -#define read_mod_name _("modifier name") -#define read_pr_data2 _("second set of principal attributes") -#define read_salt_data _("salt data") -#define read_akey_type _("alternate key type") -#define read_akey_data _("alternate key data") -#define read_asalt_type _("alternate salt type") -#define read_asalt_data _("alternate salt data") -#define read_exp_data _("expansion data") -#define store_err_fmt _("%s(%d): cannot store %s(%s)\n") -#define add_princ_fmt _("%s\n") -#define parse_err_fmt _("%s(%d): cannot parse %s (%s)\n") -#define read_err_fmt _("%s(%d): cannot read %s\n") -#define no_mem_fmt _("%s(%d): no memory for buffers\n") -#define rhead_err_fmt _("%s(%d): cannot match size tokens\n") -#define err_line_fmt _("%s: error processing line %d of %s\n") -#define head_bad_fmt _("%s: dump header bad in %s\n") -#define read_nint_data _("principal static attributes") -#define read_tcontents _("tagged data contents") -#define read_ttypelen _("tagged data type and length") -#define read_kcontents _("key data contents") -#define read_ktypelen _("key data type and length") -#define read_econtents _("extra data contents") -#define no_name_mem_fmt _("%s: cannot get memory for temporary name\n") -#define ctx_err_fmt _("%s: cannot initialize Kerberos context\n") -#define stdin_name _("standard input") -#define remaster_err_fmt _("while re-encoding keys for principal %s with new master key") -#define restfail_fmt _("%s: %s restore failed\n") -#define close_err_fmt _("%s: cannot close database (%s)\n") -#define dbinit_err_fmt _("%s: cannot initialize database (%s)\n") -#define dbdelerr_fmt _("%s: cannot delete bad database %s (%s)\n") -#define dbunlockerr_fmt _("%s: cannot unlock database %s (%s)\n") -#define dbcreaterr_fmt _("%s: cannot create database %s (%s)\n") -#define dfile_err_fmt _("%s: cannot open %s (%s)\n") - -static const char b7option[] = "-b7"; -static const char ipropoption[] = "-i"; -static const char conditionaloption[] = "-c"; -static const char verboseoption[] = "-verbose"; -static const char updateoption[] = "-update"; -static const char hashoption[] = "-hash"; -static const char ovoption[] = "-ov"; -static const char r13option[] = "-r13"; -static const char r18option[] = "-r18"; -static const char dump_tmptrail[] = "~"; +extern krb5_db_entry *master_entry; /* * Re-encrypt the key_data with the new master key... */ -krb5_error_code master_key_convert(context, db_entry) - krb5_context context; - krb5_db_entry * db_entry; +krb5_error_code +master_key_convert(krb5_context context, krb5_db_entry *db_entry) { - krb5_error_code retval; - krb5_keyblock v5plainkey, *key_ptr; - krb5_keysalt keysalt; - int i, j; - krb5_key_data new_key_data, *key_data; - krb5_boolean is_mkey; - krb5_kvno kvno; + krb5_error_code retval; + krb5_keyblock v5plainkey, *key_ptr, *tmp_mkey; + krb5_keysalt keysalt; + krb5_key_data new_key_data, *key_data; + krb5_boolean is_mkey; + krb5_kvno kvno; + int i, j; is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ); if (is_mkey) { - retval = add_new_mkey(context, db_entry, &new_master_keyblock, new_mkvno); + return add_new_mkey(context, db_entry, &new_master_keyblock, + new_mkvno); + } + + for (i = 0; i < db_entry->n_key_data; i++) { + key_data = &db_entry->key_data[i]; + retval = krb5_dbe_find_mkey(context, db_entry, &tmp_mkey); if (retval) return retval; - } else { - for (i=0; i < db_entry->n_key_data; i++) { - krb5_keyblock *tmp_mkey; - - key_data = &db_entry->key_data[i]; - retval = krb5_dbe_find_mkey(context, db_entry, &tmp_mkey); - if (retval) - return retval; - retval = krb5_dbe_decrypt_key_data(context, tmp_mkey, key_data, - &v5plainkey, &keysalt); - if (retval) - return retval; - - memset(&new_key_data, 0, sizeof(new_key_data)); - - key_ptr = &v5plainkey; - kvno = (krb5_kvno) key_data->key_data_kvno; - - retval = krb5_dbe_encrypt_key_data(context, &new_master_keyblock, - key_ptr, &keysalt, (int) kvno, - &new_key_data); - if (retval) - return retval; - krb5_free_keyblock_contents(context, &v5plainkey); - for (j = 0; j < key_data->key_data_ver; j++) { - if (key_data->key_data_length[j]) { - free(key_data->key_data_contents[j]); - } - } - *key_data = new_key_data; - } - assert(new_mkvno > 0); - retval = krb5_dbe_update_mkvno(context, db_entry, new_mkvno); + retval = krb5_dbe_decrypt_key_data(context, tmp_mkey, key_data, + &v5plainkey, &keysalt); + if (retval) + return retval; + + memset(&new_key_data, 0, sizeof(new_key_data)); + + key_ptr = &v5plainkey; + kvno = key_data->key_data_kvno; + + retval = krb5_dbe_encrypt_key_data(context, &new_master_keyblock, + key_ptr, &keysalt, kvno, + &new_key_data); if (retval) return retval; + krb5_free_keyblock_contents(context, &v5plainkey); + for (j = 0; j < key_data->key_data_ver; j++) { + if (key_data->key_data_length[j]) + free(key_data->key_data_contents[j]); + } + *key_data = new_key_data; } - return 0; + assert(new_mkvno > 0); + return krb5_dbe_update_mkvno(context, db_entry, new_mkvno); } /* Create temp file for new dump to be named ofile. */ @@ -255,14 +165,13 @@ create_ofile(char *ofile, char **tmpname) return f; error: - com_err(progname, errno, - _("while allocating temporary filename dump")); + com_err(progname, errno, _("while allocating temporary filename dump")); if (fd >= 0) unlink(*tmpname); exit(1); } -/* Rename new dump file into place */ +/* Rename new dump file into place. */ static void finish_ofile(char *ofile, char **tmpname) { @@ -278,7 +187,7 @@ finish_ofile(char *ofile, char **tmpname) static int prep_ok_file(krb5_context context, char *file_name, int *fd) { - static char ok[]=".dump_ok"; + static char ok[] = ".dump_ok"; krb5_error_code retval; char *file_ok; @@ -314,122 +223,74 @@ update_ok_file(krb5_context context, int fd) close(fd); } -/* - * name_matches() - See if a principal name matches a regular expression - * or string. - */ +/* Return true if a principal name matches a regular expression or string. */ static int -name_matches(name, arglist) - char *name; - struct dump_args *arglist; +name_matches(char *name, struct dump_args *args) { -#if HAVE_REGCOMP - regex_t match_exp; - regmatch_t match_match; - int match_error; - char match_errmsg[BUFSIZ]; - size_t errmsg_size; +#if HAVE_REGCOMP + regex_t reg; + regmatch_t rmatch; + int st; + char errmsg[BUFSIZ]; #elif HAVE_REGEXP_H - char regexp_buffer[RE_BUF_SIZE]; + char regexp_buffer[RE_BUF_SIZE]; #elif HAVE_RE_COMP extern char *re_comp(); - char *re_result; + char *re_result; #endif /* HAVE_RE_COMP */ - int i, match; - - /* - * Plow, brute force, through the list of names/regular expressions. - */ - match = (arglist->nnames) ? 0 : 1; - for (i=0; i<arglist->nnames; i++) { -#if HAVE_REGCOMP - /* - * Compile the regular expression. - */ - match_error = regcomp(&match_exp, arglist->names[i], REG_EXTENDED); - if (match_error) { - errmsg_size = regerror(match_error, - &match_exp, - match_errmsg, - sizeof(match_errmsg)); - fprintf(stderr, regex_err, arglist->programname, match_errmsg); + int i, match; + + /* Check each regular expression in args. */ + match = args->nnames ? 0 : 1; + for (i = 0; i < args->nnames && !match; i++) { +#if HAVE_REGCOMP + /* Compile the regular expression. */ + st = regcomp(®, args->names[i], REG_EXTENDED); + if (st) { + regerror(st, ®, errmsg, sizeof(errmsg)); + fprintf(stderr, _("%s: regular expression error: %s\n"), progname, + errmsg); break; } - /* - * See if we have a match. - */ - match_error = regexec(&match_exp, name, 1, &match_match, 0); - if (match_error) { - if (match_error != REG_NOMATCH) { - errmsg_size = regerror(match_error, - &match_exp, - match_errmsg, - sizeof(match_errmsg)); - fprintf(stderr, regex_merr, - arglist->programname, match_errmsg); - break; - } - } - else { - /* - * We have a match. See if it matches the whole - * name. - */ - if ((match_match.rm_so == 0) && - ((size_t)match_match.rm_eo == strlen(name))) + /* See if we have a match. */ + st = regexec(®, name, 1, &rmatch, 0); + if (st == 0) { + /* See if it matches the whole name. */ + if (rmatch.rm_so == 0 && (size_t)rmatch.rm_eo == strlen(name)) match = 1; + } else if (st != REG_NOMATCH) { + regerror(st, ®, errmsg, sizeof(errmsg)); + fprintf(stderr, _("%s: regular expression match error: %s\n"), + progname, errmsg); + break; } - regfree(&match_exp); -#elif HAVE_REGEXP_H - /* - * Compile the regular expression. - */ - compile(arglist->names[i], - regexp_buffer, - ®exp_buffer[RE_BUF_SIZE], + regfree(®); +#elif HAVE_REGEXP_H + /* Compile the regular expression. */ + compile(args->names[i], regexp_buffer, ®exp_buffer[RE_BUF_SIZE], '\0'); if (step(name, regexp_buffer)) { - if ((loc1 == name) && - (loc2 == &name[strlen(name)])) + if (loc1 == name && loc2 == &name[strlen(name)]) match = 1; } -#elif HAVE_RE_COMP - /* - * Compile the regular expression. - */ - if (re_result = re_comp(arglist->names[i])) { - fprintf(stderr, regex_err, arglist->programname, re_result); +#elif HAVE_RE_COMP + /* Compile the regular expression. */ + re_result = re_comp(args->names[i]); + if (re_result) { + fprintf(stderr, _("%s: regular expression error: %s\n"), progname, + re_result); break; } if (re_exec(name)) match = 1; -#else /* HAVE_RE_COMP */ - /* - * If no regular expression support, then just compare the strings. - */ - if (!strcmp(arglist->names[i], name)) +#else /* HAVE_RE_COMP */ + /* If no regular expression support, then just compare the strings. */ + if (!strcmp(args->names[i], name)) match = 1; -#endif /* HAVE_REGCOMP */ - if (match) - break; +#endif /* HAVE_REGCOMP */ } - return(match); -} - -#if 0 -/* - * dump_k5beta_header() - Make a dump header that is recognizable by Kerberos - * Version 5 Beta 5 and previous releases. - */ -static krb5_error_code -dump_k5beta_header(arglist) - struct dump_args *arglist; -{ - /* The old header consists of the leading string */ - fprintf(arglist->ofile, k5beta_dump_header); - return(0); + return match; } -#endif /* Output "-1" if len is 0; otherwise output len bytes of data in hex. */ static void @@ -444,7 +305,7 @@ dump_octets_or_minus1(FILE *fp, unsigned char *data, size_t len) } /* - * Dumps TL data; common to principals and policies. + * Dump TL data; common to principals and policies. * * If filter_kadm then the KRB5_TL_KADM_DATA (where a principal's policy * name is stored) is filtered out. This is for dump formats that don't @@ -453,134 +314,100 @@ dump_octets_or_minus1(FILE *fp, unsigned char *data, size_t len) static void dump_tl_data(FILE *ofile, krb5_tl_data *tlp, krb5_boolean filter_kadm) { - for (; tlp; tlp = tlp->tl_data_next) { + for (; tlp != NULL; tlp = tlp->tl_data_next) { if (tlp->tl_data_type == KRB5_TL_KADM_DATA && filter_kadm) continue; - fprintf(ofile, "\t%d\t%d\t", - (int) tlp->tl_data_type, - (int) tlp->tl_data_length); + fprintf(ofile, "\t%d\t%d\t", (int)tlp->tl_data_type, + (int)tlp->tl_data_length); dump_octets_or_minus1(ofile, tlp->tl_data_contents, tlp->tl_data_length); } } +/* Dump a principal entry in krb5 beta 7 format. Omit kadmin tl-data if kadm + * is false. */ static krb5_error_code k5beta7_common(krb5_context context, krb5_db_entry *entry, const char *name, FILE *fp, int flags, krb5_boolean kadm) { - krb5_error_code retval = 0; - krb5_tl_data *tlp; - krb5_key_data *kdata; - int counter, skip, i; + krb5_tl_data *tlp; + krb5_key_data *kdata; + int counter, skip, i; /* - * If we don't have any match strings, or if our name matches, then - * proceed with the dump, otherwise, just forget about it. + * The dump format is as follows: + * len strlen(name) n_tl_data n_key_data e_length + * name + * attributes max_life max_renewable_life expiration + * pw_expiration last_success last_failed fail_auth_count + * n_tl_data*[type length <contents>] + * n_key_data*[ver kvno ver*(type length <contents>)] + * <e_data> + * Fields which are not encapsulated by angle-brackets are to appear + * verbatim. A bracketed field's absence is indicated by a -1 in its + * place. */ - if (TRUE) { - /* - * We'd like to just blast out the contents as they would appear in - * the database so that we can just suck it back in, but it doesn't - * lend itself to easy editing. - */ - - /* - * The dump format is as follows: - * len strlen(name) n_tl_data n_key_data e_length - * name - * attributes max_life max_renewable_life expiration - * pw_expiration last_success last_failed fail_auth_count - * n_tl_data*[type length <contents>] - * n_key_data*[ver kvno ver*(type length <contents>)] - * <e_data> - * Fields which are not encapsulated by angle-brackets are to appear - * verbatim. A bracketed field's absence is indicated by a -1 in its - * place - */ - - /* - * Make sure that the tagged list is reasonably correct. - */ - counter = skip = 0; - for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) { - /* - * don't dump tl data types we know aren't understood by - * earlier revisions [krb5-admin/89] - */ - switch (tlp->tl_data_type) { - case KRB5_TL_KADM_DATA: - if (kadm) - counter++; - else - skip++; - break; - default: - counter++; - break; - } - } - if (counter + skip == entry->n_tl_data) { - /* Pound out header */ - fprintf(fp, "princ\t%d\t%lu\t%d\t%d\t%d\t%s\t", - (int) entry->len, - (unsigned long) strlen(name), - counter, - (int) entry->n_key_data, - (int) entry->e_length, - name); - fprintf(fp, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", - entry->attributes, - entry->max_life, - entry->max_renewable_life, - entry->expiration, - entry->pw_expiration, - (flags & FLAG_OMIT_NRA) ? 0 : entry->last_success, - (flags & FLAG_OMIT_NRA) ? 0 : entry->last_failed, - (flags & FLAG_OMIT_NRA) ? 0 : entry->fail_auth_count); - - /* Pound out tagged data. */ - dump_tl_data(fp, entry->tl_data, !kadm); + /* Make sure that the tagged list is reasonably correct. */ + counter = skip = 0; + for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) { + /* Don't dump tl data types we know aren't understood by earlier + * versions. */ + if (tlp->tl_data_type == KRB5_TL_KADM_DATA && !kadm) + skip++; + else + counter++; + } + + if (counter + skip != entry->n_tl_data) { + fprintf(stderr, _("%s: tagged data list inconsistency for %s " + "(counted %d, stored %d)\n"), progname, name, + counter + skip, (int)entry->n_tl_data); + return EINVAL; + } + + /* Write out header. */ + fprintf(fp, "princ\t%d\t%lu\t%d\t%d\t%d\t%s\t", (int)entry->len, + (unsigned long)strlen(name), counter, (int)entry->n_key_data, + (int)entry->e_length, name); + fprintf(fp, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", entry->attributes, + entry->max_life, entry->max_renewable_life, entry->expiration, + entry->pw_expiration, + (flags & FLAG_OMIT_NRA) ? 0 : entry->last_success, + (flags & FLAG_OMIT_NRA) ? 0 : entry->last_failed, + (flags & FLAG_OMIT_NRA) ? 0 : entry->fail_auth_count); + + /* Write out tagged data. */ + dump_tl_data(fp, entry->tl_data, !kadm); + fprintf(fp, "\t"); + + /* Write out key data. */ + for (counter = 0; counter < entry->n_key_data; counter++) { + kdata = &entry->key_data[counter]; + fprintf(fp, "%d\t%d\t", (int)kdata->key_data_ver, + (int)kdata->key_data_kvno); + for (i = 0; i < kdata->key_data_ver; i++) { + fprintf(fp, "%d\t%d\t", kdata->key_data_type[i], + kdata->key_data_length[i]); + dump_octets_or_minus1(fp, kdata->key_data_contents[i], + kdata->key_data_length[i]); fprintf(fp, "\t"); + } + } - /* Pound out key data */ - for (counter=0; counter<entry->n_key_data; counter++) { - kdata = &entry->key_data[counter]; - fprintf(fp, "%d\t%d\t", - (int) kdata->key_data_ver, - (int) kdata->key_data_kvno); - for (i=0; i<kdata->key_data_ver; i++) { - fprintf(fp, "%d\t%d\t", - kdata->key_data_type[i], - kdata->key_data_length[i]); - dump_octets_or_minus1(fp, kdata->key_data_contents[i], - kdata->key_data_length[i]); - fprintf(fp, "\t"); - } - } + /* Write out extra data. */ + dump_octets_or_minus1(fp, entry->e_data, entry->e_length); - /* Pound out extra data */ - dump_octets_or_minus1(fp, entry->e_data, entry->e_length); + /* Write trailer. */ + fprintf(fp, ";\n"); - /* Print trailer */ - fprintf(fp, ";\n"); + if (flags & FLAG_VERBOSE) + fprintf(stderr, "%s\n", name); - if (flags & FLAG_VERBOSE) - fprintf(stderr, "%s\n", name); - } - else { - fprintf(stderr, sdump_tl_inc_err, - progname, name, counter+skip, - (int) entry->n_tl_data); - retval = EINVAL; - } - } - return(retval); + return 0; } -/* - * dump_k5beta7_iterator() - Output a dump record in krb5b7 format. - */ +/* Output a dump record in krb5b7 format. */ static krb5_error_code dump_k5beta7_princ(krb5_context context, krb5_db_entry *entry, const char *name, FILE *fp, int flags) @@ -595,44 +422,39 @@ dump_k5beta7_princ_withpolicy(krb5_context context, krb5_db_entry *entry, return k5beta7_common(context, entry, name, fp, flags, TRUE); } -static void dump_k5beta7_policy(void *data, osa_policy_ent_t entry) +static void +dump_k5beta7_policy(void *data, osa_policy_ent_t entry) { - struct dump_args *arg; + struct dump_args *arg = data; - arg = (struct dump_args *) data; fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\n", entry->name, entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, entry->pw_min_classes, entry->pw_history_num, 0); } -static void dump_r1_8_policy(void *data, osa_policy_ent_t entry) +static void +dump_r1_8_policy(void *data, osa_policy_ent_t entry) { - struct dump_args *arg; + struct dump_args *arg = data; - arg = (struct dump_args *) data; fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n", - entry->name, - entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, - entry->pw_min_classes, entry->pw_history_num, 0, - entry->pw_max_fail, entry->pw_failcnt_interval, + entry->name, entry->pw_min_life, entry->pw_max_life, + entry->pw_min_length, entry->pw_min_classes, entry->pw_history_num, + 0, entry->pw_max_fail, entry->pw_failcnt_interval, entry->pw_lockout_duration); } static void dump_r1_11_policy(void *data, osa_policy_ent_t entry) { - struct dump_args *arg; - - arg = (struct dump_args *) data; - fprintf(arg->ofile, - "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t" - "%d\t%d\t%d\t%s\t%d", - entry->name, - entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, - entry->pw_min_classes, entry->pw_history_num, 0, - entry->pw_max_fail, entry->pw_failcnt_interval, - entry->pw_lockout_duration, entry->attributes, entry->max_life, - entry->max_renewable_life, + struct dump_args *arg = data; + + fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t" + "%d\t%d\t%d\t%s\t%d", entry->name, entry->pw_min_life, + entry->pw_max_life, entry->pw_min_length, entry->pw_min_classes, + entry->pw_history_num, 0, entry->pw_max_fail, + entry->pw_failcnt_interval, entry->pw_lockout_duration, + entry->attributes, entry->max_life, entry->max_renewable_life, entry->allowed_keysalts ? entry->allowed_keysalts : "-", entry->n_tl_data); @@ -640,42 +462,20 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry) fprintf(arg->ofile, "\n"); } -static void print_key_data(FILE *f, krb5_key_data *key_data) +static void +print_key_data(FILE *f, krb5_key_data *kd) { int c; - fprintf(f, "%d\t%d\t", key_data->key_data_type[0], - key_data->key_data_length[0]); - for(c = 0; c < key_data->key_data_length[0]; c++) - fprintf(f, "%02x ", - key_data->key_data_contents[0][c]); + fprintf(f, "%d\t%d\t", kd->key_data_type[0], kd->key_data_length[0]); + for (c = 0; c < kd->key_data_length[0]; c++) + fprintf(f, "%02x ", kd->key_data_contents[0][c]); } -/* - * Function: print_princ - * - * Purpose: output osa_adb_princ_ent data in a human - * readable format (which is a format suitable for - * ovsec_adm_import consumption) - * - * Arguments: - * data (input) pointer to a structure containing a FILE * - * and a record counter. - * entry (input) entry to get dumped. - * <return value> void - * - * Requires: - * nuttin - * - * Effects: - * writes data to the specified file pointerp. - * - * Modifies: - * nuttin - * - */ +/* Output osa_adb_princ_ent data in a printable serialized format, suitable for + * ovsec_adm_import consumption. */ static krb5_error_code -dump_ov_princ(krb5_context context, krb5_db_entry *kdb, const char *name, +dump_ov_princ(krb5_context context, krb5_db_entry *entry, const char *name, FILE *fp, int flags) { char *princstr; @@ -684,45 +484,35 @@ dump_ov_princ(krb5_context context, krb5_db_entry *kdb, const char *name, krb5_tl_data tl_data; osa_princ_ent_rec adb; XDR xdrs; + krb5_key_data *key_data; - /* - * XXX Currently, lookup_tl_data always returns zero; it sets - * tl_data->tl_data_length to zero if the type isn't found. - * This should be fixed... - */ - /* - * XXX Should this function do nothing for a principal with no - * admin data, or print a record of "default" values? See - * comment in server_kdb.c to help decide. - */ tl_data.tl_data_type = KRB5_TL_KADM_DATA; - if (krb5_dbe_lookup_tl_data(context, kdb, &tl_data) - || (tl_data.tl_data_length == 0)) + if (krb5_dbe_lookup_tl_data(context, entry, &tl_data) || + tl_data.tl_data_length == 0) return 0; memset(&adb, 0, sizeof(adb)); xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents, tl_data.tl_data_length, XDR_DECODE); - if (! xdr_osa_princ_ent_rec(&xdrs, &adb)) { + if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) { xdr_destroy(&xdrs); - return(KADM5_XDR_FAILURE); + return KADM5_XDR_FAILURE; } xdr_destroy(&xdrs); - krb5_unparse_name(context, kdb->princ, &princstr); + krb5_unparse_name(context, entry->princ, &princstr); fprintf(fp, "princ\t%s\t", princstr); - if(adb.policy == NULL) + if (adb.policy == NULL) fputc('\t', fp); else fprintf(fp, "%s\t", adb.policy); - fprintf(fp, "%lx\t%d\t%d\t%d", adb.aux_attributes, - adb.old_key_len,adb.old_key_next, adb.admin_history_kvno); + fprintf(fp, "%lx\t%d\t%d\t%d", adb.aux_attributes, adb.old_key_len, + adb.old_key_next, adb.admin_history_kvno); for (x = 0; x < adb.old_key_len; x++) { foundcrc = 0; for (y = 0; y < adb.old_keys[x].n_key_data; y++) { - krb5_key_data *key_data = &adb.old_keys[x].key_data[y]; - + key_data = &adb.old_keys[x].key_data[y]; if (key_data->key_data_type[0] != ENCTYPE_DES_CBC_CRC) continue; if (foundcrc) { @@ -755,7 +545,7 @@ dump_iterator(void *ptr, krb5_db_entry *entry) struct dump_args *args = ptr; char *name; - ret = krb5_unparse_name(args->kcontext, entry->princ, &name); + ret = krb5_unparse_name(args->context, entry->princ, &name); if (ret) { com_err(progname, ret, _("while unparsing principal name")); return ret; @@ -763,7 +553,7 @@ dump_iterator(void *ptr, krb5_db_entry *entry) /* Re-encode the keys in the new master key, if necessary. */ if (mkey_convert) { - ret = master_key_convert(args->kcontext, entry); + ret = master_key_convert(args->context, entry); if (ret) { com_err(progname, ret, _("while converting %s to new master key"), name); @@ -775,7 +565,7 @@ dump_iterator(void *ptr, krb5_db_entry *entry) if (args->nnames > 0 && !name_matches(name, args)) goto cleanup; - ret = args->dump->dump_princ(args->kcontext, entry, name, args->ofile, + ret = args->dump->dump_princ(args->context, entry, name, args->ofile, args->flags); cleanup: @@ -783,70 +573,54 @@ cleanup: return ret; } -/* - * Read a string of bytes while counting the number of lines passed. - */ +static inline void +load_err(const char *fname, int lineno, const char *msg) +{ + fprintf(stderr, _("%s(%d): %s\n"), fname, lineno, msg); +} + +/* Read a string of bytes. Increment *lp for each newline. Return 0 on + * success, 1 on failure. */ static int -read_string(f, buf, len, lp) - FILE *f; - char *buf; - int len; - int *lp; +read_string(FILE *f, char *buf, int len, int *lp) { - int c; - int i, retval; + int c, i; - retval = 0; - for (i=0; i<len; i++) { + for (i = 0; i < len; i++) { c = fgetc(f); - if (c < 0) { - retval = 1; - break; - } + if (c < 0) + return 1; if (c == '\n') (*lp)++; - buf[i] = (char) c; + buf[i] = c; } buf[len] = '\0'; - return(retval); + return 0; } -/* - * Read a string of two character representations of bytes. - */ +/* Read a string of two-character representations of bytes. */ static int -read_octet_string(f, buf, len) - FILE *f; - krb5_octet *buf; - int len; +read_octet_string(FILE *f, unsigned char *buf, int len) { - int c; - int i, retval; + int c, i; - retval = 0; - for (i=0; i<len; i++) { - if (fscanf(f, "%02x", &c) != 1) { - retval = 1; - break; - } - buf[i] = (krb5_octet) c; + for (i = 0; i < len; i++) { + if (fscanf(f, "%02x", &c) != 1) + return 1; + buf[i] = c; } - return(retval); + return 0; } -/* - * Find the end of an old format record. - */ +/* Read the end of a dumpfile record. */ static void -find_record_end(f, fn, lineno) - FILE *f; - char *fn; - int lineno; +read_record_end(FILE *f, const char *fn, int lineno) { int ch; - if (((ch = fgetc(f)) != ';') || ((ch = fgetc(f)) != '\n')) { - fprintf(stderr, trash_end_fmt, fn, lineno); + if ((ch = fgetc(f)) != ';' || (ch = fgetc(f)) != '\n') { + fprintf(stderr, _("%s(%d): ignoring trash at end of line: "), fn, + lineno); while (ch != '\n') { putc(ch, stderr); ch = fgetc(f); @@ -855,93 +629,6 @@ find_record_end(f, fn, lineno) } } -#if 0 -/* - * update_tl_data() - Generate the tl_data entries. - */ -static krb5_error_code -update_tl_data(kcontext, dbentp, mod_name, mod_date, last_pwd_change) - krb5_context kcontext; - krb5_db_entry *dbentp; - krb5_principal mod_name; - krb5_timestamp mod_date; - krb5_timestamp last_pwd_change; -{ - krb5_error_code kret; - - kret = 0 ; - - /* - * Handle modification principal. - */ - if (mod_name) { - krb5_tl_mod_princ mprinc; - - memset(&mprinc, 0, sizeof(mprinc)); - if (!(kret = krb5_copy_principal(kcontext, - mod_name, - &mprinc.mod_princ))) { - mprinc.mod_date = mod_date; - kret = krb5_dbe_encode_mod_princ_data(kcontext, - &mprinc, - dbentp); - } - if (mprinc.mod_princ) - krb5_free_principal(kcontext, mprinc.mod_princ); - } - - /* - * Handle last password change. - */ - if (!kret) { - krb5_tl_data *pwchg; - krb5_boolean linked; - - /* Find a previously existing entry */ - for (pwchg = dbentp->tl_data; - (pwchg) && (pwchg->tl_data_type != KRB5_TL_LAST_PWD_CHANGE); - pwchg = pwchg->tl_data_next); - - /* Check to see if we found one. */ - linked = 0; - if (!pwchg) { - /* No, allocate a new one */ - if ((pwchg = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) { - memset(pwchg, 0, sizeof(krb5_tl_data)); - if (!(pwchg->tl_data_contents = - (krb5_octet *) malloc(sizeof(krb5_timestamp)))) { - free(pwchg); - pwchg = (krb5_tl_data *) NULL; - } - else { - pwchg->tl_data_type = KRB5_TL_LAST_PWD_CHANGE; - pwchg->tl_data_length = - (krb5_int16) sizeof(krb5_timestamp); - } - } - } - else - linked = 1; - - /* Do we have an entry? */ - if (pwchg && pwchg->tl_data_contents) { - /* Encode it */ - krb5_kdb_encode_int32(last_pwd_change, pwchg->tl_data_contents); - /* Link it in if necessary */ - if (!linked) { - pwchg->tl_data_next = dbentp->tl_data; - dbentp->tl_data = pwchg; - dbentp->n_tl_data++; - } - } - else - kret = ENOMEM; - } - - return(kret); -} -#endif - /* Allocate and form a TL data list of a desired size. */ static int alloc_tl_data(krb5_int16 n_tl_data, krb5_tl_data **tldp) @@ -981,30 +668,28 @@ read_octets_or_minus1(FILE *fp, size_t len, unsigned char **out) return 0; } -/* Read TL data; common to principals and policies */ +/* Read TL data for a principal or policy. Print an error and return -1 on + * failure. */ static int -process_tl_data(const char *fname, FILE *filep, krb5_tl_data *tl_data, - const char **errstr) +process_tl_data(const char *fname, FILE *filep, int lineno, + krb5_tl_data *tl_data) { - krb5_tl_data *tl; - int nread; - krb5_int32 t1, t2; + krb5_tl_data *tl; + int nread, i1; + unsigned int u1; for (tl = tl_data; tl; tl = tl->tl_data_next) { - nread = fscanf(filep, "%d\t%d\t", &t1, &t2); + nread = fscanf(filep, "%d\t%u\t", &i1, &u1); if (nread != 2) { - *errstr = read_ttypelen; - return EINVAL; - } - if (t2 < 0) { - *errstr = read_negint; + load_err(fname, lineno, + _("cannot read tagged data type and length")); return EINVAL; } - tl->tl_data_type = (krb5_int16) t1; - tl->tl_data_length = (krb5_int16) t2; + tl->tl_data_type = i1; + tl->tl_data_length = u1; if (read_octets_or_minus1(filep, tl->tl_data_length, &tl->tl_data_contents)) { - *errstr = read_tcontents; + load_err(fname, lineno, _("cannot read tagged data contents")); return EINVAL; } } @@ -1012,123 +697,94 @@ process_tl_data(const char *fname, FILE *filep, krb5_tl_data *tl_data, return 0; } -/* - * process_k5beta6_record() - Handle a dump record in krb5b6 format. - * - * Returns -1 for end of file, 0 for success and 1 for failure. - */ +/* Read a beta 7 entry and add it to the database. Return -1 for end of file, + * 0 for success and 1 for failure. */ static int -process_k5beta6_record(char *fname, krb5_context kcontext, FILE *filep, - int flags, int *linenop) +process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, + int flags, int *linenop) { - int retval = 1; - krb5_db_entry *dbentry; - krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9; - int nread; - int i, j; - char *name; - krb5_key_data *kp, *kdatap; - krb5_tl_data *tl; - krb5_octet *op; - krb5_error_code kret; - const char *try2read = read_header; - - dbentry = krb5_db_alloc(kcontext, NULL, sizeof(*dbentry)); + int retval, nread, i, j; + krb5_db_entry *dbentry; + int t1, t2, t3, t4, t5, t6, t7; + unsigned int u1, u2, u3, u4, u5; + char *name = NULL; + krb5_key_data *kp = NULL, *kd; + krb5_tl_data *tl; + krb5_error_code ret; + + dbentry = krb5_db_alloc(context, NULL, sizeof(*dbentry)); if (dbentry == NULL) return 1; memset(dbentry, 0, sizeof(*dbentry)); (*linenop)++; - name = NULL; - kp = NULL; - op = NULL; - nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t", &t1, &t2, &t3, &t4, &t5); + nread = fscanf(filep, "%u\t%u\t%u\t%u\t%u\t", &u1, &u2, &u3, &u4, &u5); if (nread == EOF) { retval = -1; goto cleanup; } - if (nread != 5) - goto cleanup; - if (t1 < 0 || t2 < 0 || t3 < 0 || t4 < 0 || t5 < 0) { - try2read = read_negint; - goto cleanup; + if (nread != 5) { + load_err(fname, *linenop, _("cannot match size tokens")); + goto fail; } /* Get memory for flattened principal name */ - if ((name = malloc(t2 + 1)) == NULL) - goto cleanup; + name = malloc(u2 + 1); + if (name == NULL) + goto fail; /* Get memory for and form tagged data linked list */ - if (alloc_tl_data(t3, &dbentry->tl_data)) - goto cleanup; - dbentry->n_tl_data = t3; + if (alloc_tl_data(u3, &dbentry->tl_data)) + goto fail; + dbentry->n_tl_data = u3; /* Get memory for key list */ - if (t4 && (kp = calloc(t4, sizeof(krb5_key_data))) == NULL) - goto cleanup; + if (u4 && (kp = calloc(u4, sizeof(krb5_key_data))) == NULL) + goto fail; - /* Get memory for extra data */ - if (t5 && !(op = malloc(t5))) - goto cleanup; - - dbentry->len = t1; - dbentry->n_key_data = t4; - dbentry->e_length = t5; + dbentry->len = u1; + dbentry->n_key_data = u4; + dbentry->e_length = u5; if (kp != NULL) { dbentry->key_data = kp; kp = NULL; } - if (op != NULL) { - memset(op, 0, t5); - dbentry->e_data = op; - op = NULL; - } /* Read in and parse the principal name */ - if (read_string(filep, name, t2, linenop)) { - try2read = no_mem_fmt; - goto cleanup; + if (read_string(filep, name, u2, linenop)) { + load_err(fname, *linenop, _("cannot read name string")); + goto fail; } - if ((kret = krb5_parse_name(kcontext, name, &dbentry->princ))) { - fprintf(stderr, parse_err_fmt, - fname, *linenop, name, error_message(kret)); - try2read = read_name_string; - goto cleanup; + ret = krb5_parse_name(context, name, &dbentry->princ); + if (ret) { + com_err(progname, ret, _("while parsing name %s"), name); + goto fail; } /* Get the fixed principal attributes */ nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t", - &t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9); + &t1, &t2, &t3, &t4, &t5, &t6, &t7, &u1); if (nread != 8) { - try2read = read_nint_data; - goto cleanup; - } - dbentry->attributes = (krb5_flags) t2; - dbentry->max_life = (krb5_deltat) t3; - dbentry->max_renewable_life = (krb5_deltat) t4; - dbentry->expiration = (krb5_timestamp) t5; - dbentry->pw_expiration = (krb5_timestamp) t6; - dbentry->last_success = (krb5_timestamp) t7; - dbentry->last_failed = (krb5_timestamp) t8; - dbentry->fail_auth_count = (krb5_kvno) t9; + load_err(fname, *linenop, _("cannot read principal attributes")); + goto fail; + } + dbentry->attributes = t1; + dbentry->max_life = t2; + dbentry->max_renewable_life = t3; + dbentry->expiration = t4; + dbentry->pw_expiration = t5; + dbentry->last_success = t6; + dbentry->last_failed = t7; + dbentry->fail_auth_count = u1; dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS | KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT; - /* - * Get the tagged data. - * - * Really, this code ought to discard tl data types - * that it knows are special to the current version - * and were not supported in the previous version. - * But it's a pain to implement that here, and doing - * it at dump time has almost as good an effect, so - * that's what I did. [krb5-admin/89] - */ + /* Read tagged data. */ if (dbentry->n_tl_data) { - if (process_tl_data(fname, filep, dbentry->tl_data, &try2read)) - goto cleanup; + if (process_tl_data(fname, filep, *linenop, dbentry->tl_data)) + goto fail; for (tl = dbentry->tl_data; tl; tl = tl->tl_data_next) { /* test to set mask fields */ if (tl->tl_data_type == KRB5_TL_KADM_DATA) { @@ -1145,11 +801,10 @@ process_k5beta6_record(char *fname, krb5_context kcontext, FILE *filep, memset(&osa_princ_ent, 0, sizeof(osa_princ_ent)); xdrmem_create(&xdrs, (char *)tl->tl_data_contents, tl->tl_data_length, XDR_DECODE); - if (xdr_osa_princ_ent_rec(&xdrs, &osa_princ_ent) && - (osa_princ_ent.aux_attributes & KADM5_POLICY) && - osa_princ_ent.policy != NULL) { - - dbentry->mask |= KADM5_POLICY; + if (xdr_osa_princ_ent_rec(&xdrs, &osa_princ_ent)) { + if ((osa_princ_ent.aux_attributes & KADM5_POLICY) && + osa_princ_ent.policy != NULL) + dbentry->mask |= KADM5_POLICY; kdb_free_entry(NULL, NULL, &osa_princ_ent); } xdr_destroy(&xdrs); @@ -1158,108 +813,96 @@ process_k5beta6_record(char *fname, krb5_context kcontext, FILE *filep, dbentry->mask |= KADM5_TL_DATA; } - /* Get the key data */ - if (dbentry->n_key_data) { - for (i = 0; i < dbentry->n_key_data; i++) { - kdatap = &dbentry->key_data[i]; - nread = fscanf(filep, "%d\t%d\t", &t1, &t2); - if (nread != 2) { - try2read = read_kcontents; - goto cleanup; - } + /* Get the key data. */ + for (i = 0; i < dbentry->n_key_data; i++) { + kd = &dbentry->key_data[i]; + nread = fscanf(filep, "%d\t%d\t", &t1, &t2); + if (nread != 2) { + load_err(fname, *linenop, _("cannot read key size and version")); + goto fail; + } - kdatap->key_data_ver = (krb5_int16) t1; - kdatap->key_data_kvno = (krb5_int16) t2; + kd->key_data_ver = t1; + kd->key_data_kvno = t2; - for (j = 0; j < t1; j++) { - nread = fscanf(filep, "%d\t%d\t", &t3, &t4); - if (nread != 2) { - try2read = read_ktypelen; - goto cleanup; - } - if (t4 < 0) { - try2read = read_negint; - goto cleanup; - } - kdatap->key_data_type[j] = t3; - kdatap->key_data_length[j] = t4; - if (read_octets_or_minus1(filep, t4, - &kdatap->key_data_contents[j])) { - try2read = read_kcontents; - goto cleanup; - } + for (j = 0; j < t1; j++) { + nread = fscanf(filep, "%d\t%d\t", &t3, &t4); + if (nread != 2) { + load_err(fname, *linenop, + _("cannot read key type and length")); + goto fail; + } + kd->key_data_type[j] = t3; + kd->key_data_length[j] = t4; + if (read_octets_or_minus1(filep, t4, &kd->key_data_contents[j])) { + load_err(fname, *linenop, _("cannot read key data")); + goto fail; } } - dbentry->mask |= KADM5_KEY_DATA; } + if (dbentry->n_key_data) + dbentry->mask |= KADM5_KEY_DATA; /* Get the extra data */ if (read_octets_or_minus1(filep, dbentry->e_length, &dbentry->e_data)) { - try2read = read_econtents; - goto cleanup; + load_err(fname, *linenop, _("cannot read extra data")); + goto fail; } /* Finally, find the end of the record. */ - find_record_end(filep, fname, *linenop); + read_record_end(filep, fname, *linenop); - if ((kret = krb5_db_put_principal(kcontext, dbentry))) { - fprintf(stderr, store_err_fmt, fname, *linenop, name, - error_message(kret)); - goto cleanup; + ret = krb5_db_put_principal(context, dbentry); + if (ret) { + com_err(progname, ret, _("while storing %s"), name); + goto fail; } if (flags & FLAG_VERBOSE) - fprintf(stderr, add_princ_fmt, name); + fprintf(stderr, "%s\n", name); retval = 0; cleanup: - if (retval > 0) - fprintf(stderr, read_err_fmt, fname, *linenop, try2read); - - free(op); free(kp); free(name); - krb5_db_free_principal(kcontext, dbentry); - + krb5_db_free_principal(context, dbentry); return retval; + +fail: + retval = 1; + goto cleanup; } static int -process_k5beta7_policy(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; +process_k5beta7_policy(krb5_context context, const char *fname, FILE *filep, + int flags, int *linenop) { osa_policy_ent_rec rec; char namebuf[1024]; - int nread, refcnt, ret; + unsigned int refcnt; + int nread, ret; memset(&rec, 0, sizeof(rec)); (*linenop)++; rec.name = namebuf; - nread = fscanf(filep, "%1023s\t%d\t%d\t%d\t%d\t%d\t%d", rec.name, - &rec.pw_min_life, &rec.pw_max_life, - &rec.pw_min_length, &rec.pw_min_classes, - &rec.pw_history_num, &refcnt); + nread = fscanf(filep, "%1023s\t%u\t%u\t%u\t%u\t%u\t%u", rec.name, + &rec.pw_min_life, &rec.pw_max_life, &rec.pw_min_length, + &rec.pw_min_classes, &rec.pw_history_num, &refcnt); if (nread == EOF) return -1; - else if (nread != 7) { - fprintf(stderr, _("cannot parse policy on line %d (%d read)\n"), - *linenop, nread); + if (nread != 7) { + fprintf(stderr, _("cannot parse policy (%d read)\n"), nread); return 1; } - if ((ret = krb5_db_create_policy(kcontext, &rec))) { - if (ret && - ((ret = krb5_db_put_policy(kcontext, &rec)))) { - fprintf(stderr, _("cannot create policy on line %d: %s\n"), - *linenop, error_message(ret)); - return 1; - } + ret = krb5_db_create_policy(context, &rec); + if (ret) + ret = krb5_db_put_policy(context, &rec); + if (ret) { + com_err(progname, ret, _("while creating policy")); + return 1; } if (flags & FLAG_VERBOSE) fprintf(stderr, _("created policy %s\n"), rec.name); @@ -1268,44 +911,37 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop) } static int -process_r1_8_policy(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; +process_r1_8_policy(krb5_context context, const char *fname, FILE *filep, + int flags, int *linenop) { osa_policy_ent_rec rec; char namebuf[1024]; - int nread, refcnt, ret; + unsigned int refcnt; + int nread, ret; memset(&rec, 0, sizeof(rec)); (*linenop)++; rec.name = namebuf; - nread = fscanf(filep, "%1023s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", - rec.name, - &rec.pw_min_life, &rec.pw_max_life, + nread = fscanf(filep, "%1023s\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u", + rec.name, &rec.pw_min_life, &rec.pw_max_life, &rec.pw_min_length, &rec.pw_min_classes, - &rec.pw_history_num, &refcnt, - &rec.pw_max_fail, &rec.pw_failcnt_interval, - &rec.pw_lockout_duration); + &rec.pw_history_num, &refcnt, &rec.pw_max_fail, + &rec.pw_failcnt_interval, &rec.pw_lockout_duration); if (nread == EOF) return -1; - else if (nread != 10) { - fprintf(stderr, "cannot parse policy on line %d (%d read)\n", - *linenop, nread); + if (nread != 10) { + fprintf(stderr, _("cannot parse policy (%d read)\n"), nread); return 1; } - if ((ret = krb5_db_create_policy(kcontext, &rec))) { - if (ret && - ((ret = krb5_db_put_policy(kcontext, &rec)))) { - fprintf(stderr, "cannot create policy on line %d: %s\n", - *linenop, error_message(ret)); - return 1; - } + ret = krb5_db_create_policy(context, &rec); + if (ret) + ret = krb5_db_put_policy(context, &rec); + if (ret) { + com_err(progname, ret, _("while creating policy")); + return 1; } if (flags & FLAG_VERBOSE) fprintf(stderr, "created policy %s\n", rec.name); @@ -1314,16 +950,15 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop) } static int -process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep, +process_r1_11_policy(krb5_context context, const char *fname, FILE *filep, int flags, int *linenop) { - osa_policy_ent_rec rec; - krb5_tl_data *tl, *tl_next; - char namebuf[1024]; - char keysaltbuf[KRB5_KDB_MAX_ALLOWED_KS_LEN + 1]; - int nread, refcnt; - int ret = 0; - const char *try2read = NULL; + osa_policy_ent_rec rec; + krb5_tl_data *tl, *tl_next; + char namebuf[1024]; + char keysaltbuf[KRB5_KDB_MAX_ALLOWED_KS_LEN + 1]; + unsigned int refcnt; + int nread, ret = 0; memset(&rec, 0, sizeof(rec)); @@ -1331,24 +966,19 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep, rec.name = namebuf; rec.allowed_keysalts = keysaltbuf; - nread = fscanf(filep, - "%1023s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t" - "%d\t%d\t%d\t" + nread = fscanf(filep, "%1023s\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t" + "%u\t%u\t%u\t" K5CONST_WIDTH_SCANF_STR(KRB5_KDB_MAX_ALLOWED_KS_LEN) - "\t%hd", - rec.name, - &rec.pw_min_life, &rec.pw_max_life, + "\t%hd", rec.name, &rec.pw_min_life, &rec.pw_max_life, &rec.pw_min_length, &rec.pw_min_classes, - &rec.pw_history_num, &refcnt, - &rec.pw_max_fail, &rec.pw_failcnt_interval, - &rec.pw_lockout_duration, + &rec.pw_history_num, &refcnt, &rec.pw_max_fail, + &rec.pw_failcnt_interval, &rec.pw_lockout_duration, &rec.attributes, &rec.max_life, &rec.max_renewable_life, rec.allowed_keysalts, &rec.n_tl_data); if (nread == EOF) return -1; - else if (nread != 15) { - fprintf(stderr, "cannot parse policy on line %d (%d read)\n", - *linenop, nread); + if (nread != 15) { + fprintf(stderr, _("cannot parse policy (%d read)\n"), nread); return 1; } @@ -1360,15 +990,15 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep, if (ret) goto cleanup; - ret = process_tl_data(fname, filep, rec.tl_data, &try2read); + ret = process_tl_data(fname, filep, *linenop, rec.tl_data); if (ret) goto cleanup; - if ((ret = krb5_db_create_policy(kcontext, &rec)) && - (ret = krb5_db_put_policy(kcontext, &rec))) { - fprintf(stderr, "cannot create policy on line %d: %s\n", - *linenop, error_message(ret)); - try2read = NULL; + ret = krb5_db_create_policy(context, &rec); + if (ret) + ret = krb5_db_put_policy(context, &rec); + if (ret) { + com_err(progname, ret, _("while creating policy")); goto cleanup; } if (flags & FLAG_VERBOSE) @@ -1380,28 +1010,14 @@ cleanup: free(tl->tl_data_contents); free(tl); } - if (ret == ENOMEM) - try2read = no_mem_fmt; - if (ret) { - if (try2read) - fprintf(stderr, read_err_fmt, fname, *linenop, try2read); - return 1; - } - return 0; + return ret ? 1 : 0; } -/* - * process_k5beta7_record() - Handle a dump record in krb5b7 format. - * - * Returns -1 for end of file, 0 for success and 1 for failure. - */ +/* Read a record which is tagged with "princ" or "policy", calling princfn + * or policyfn as appropriate. */ static int -process_k5beta7_record(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; +process_tagged(krb5_context context, const char *fname, FILE *filep, int flags, + int *linenop, load_func princfn, load_func policyfn) { int nread; char rectype[100]; @@ -1409,125 +1025,49 @@ process_k5beta7_record(fname, kcontext, filep, flags, linenop) nread = fscanf(filep, "%99s\t", rectype); if (nread == EOF) return -1; - else if (nread != 1) + if (nread != 1) return 1; if (strcmp(rectype, "princ") == 0) - process_k5beta6_record(fname, kcontext, filep, flags, - linenop); - else if (strcmp(rectype, "policy") == 0) - process_k5beta7_policy(fname, kcontext, filep, flags, - linenop); - else { - fprintf(stderr, _("unknown record type \"%s\" on line %d\n"), - rectype, *linenop); - return 1; - } + return (*princfn)(context, fname, filep, flags, linenop); + if (strcmp(rectype, "policy") == 0) + return (*policyfn)(context, fname, filep, flags, linenop); + if (strcmp(rectype, "End") == 0) /* Only expected for OV format */ + return -1; - return 0; + fprintf(stderr, _("unknown record type \"%s\"\n"), rectype); + return 1; } -/* - * process_ov_record() - Handle a dump record in OpenV*Secure 1.0 format. - * - * Returns -1 for end of file, 0 for success and 1 for failure. - */ static int -process_ov_record(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; +process_k5beta7_record(krb5_context context, const char *fname, FILE *filep, + int flags, int *linenop) { - int nread; - char rectype[100]; - - nread = fscanf(filep, "%99s\t", rectype); - if (nread == EOF) - return -1; - else if (nread != 1) - return 1; - if (strcmp(rectype, "princ") == 0) - process_ov_principal(fname, kcontext, filep, flags, - linenop); - else if (strcmp(rectype, "policy") == 0) - process_k5beta7_policy(fname, kcontext, filep, flags, - linenop); - else if (strcmp(rectype, "End") == 0) - return -1; - else { - fprintf(stderr, _("unknown record type \"%s\" on line %d\n"), - rectype, *linenop); - return 1; - } - - return 0; + return process_tagged(context, fname, filep, flags, linenop, + process_k5beta7_princ, process_k5beta7_policy); } -/* - * process_r1_8_record() - Handle a dump record in krb5 1.8 format. - * - * Returns -1 for end of file, 0 for success and 1 for failure. - */ static int -process_r1_8_record(fname, kcontext, filep, flags, linenop) - char *fname; - krb5_context kcontext; - FILE *filep; - int flags; - int *linenop; +process_ov_record(krb5_context context, const char *fname, FILE *filep, + int flags, int *linenop) { - int nread; - char rectype[100]; - - nread = fscanf(filep, "%99s\t", rectype); - if (nread == EOF) - return -1; - else if (nread != 1) - return 1; - if (strcmp(rectype, "princ") == 0) - process_k5beta6_record(fname, kcontext, filep, flags, - linenop); - else if (strcmp(rectype, "policy") == 0) - process_r1_8_policy(fname, kcontext, filep, flags, - linenop); - else { - fprintf(stderr, _("unknown record type \"%s\" on line %d\n"), - rectype, *linenop); - return 1; - } + return process_tagged(context, fname, filep, flags, linenop, + process_ov_principal, process_k5beta7_policy); +} - return 0; +static int +process_r1_8_record(krb5_context context, const char *fname, FILE *filep, + int flags, int *linenop) +{ + return process_tagged(context, fname, filep, flags, linenop, + process_k5beta7_princ, process_r1_8_policy); } -/* - * process_r1_11_record() - Handle a dump record in krb5 1.11 format. - * - * Returns -1 for end of file, 0 for success and 1 for failure. - */ static int -process_r1_11_record(char *fname, krb5_context kcontext, FILE *filep, +process_r1_11_record(krb5_context context, const char *fname, FILE *filep, int flags, int *linenop) { - int nread; - char rectype[100]; - - nread = fscanf(filep, "%99s\t", rectype); - if (nread == EOF) - return -1; - else if (nread != 1) - return 1; - if (!strcmp(rectype, "princ")) - process_k5beta6_record(fname, kcontext, filep, flags, linenop); - else if (!strcmp(rectype, "policy")) - process_r1_11_policy(fname, kcontext, filep, flags, linenop); - else { - fprintf(stderr, _("unknown record type \"%s\" on line %d\n"), - rectype, *linenop); - return 1; - } - - return 0; + return process_tagged(context, fname, filep, flags, linenop, + process_k5beta7_princ, process_r1_11_policy); } dump_version beta7_version = { @@ -1601,10 +1141,8 @@ dump_version ipropx_1_version = { process_r1_11_record, }; -/* - * Read the dump header. Returns 1 on success, 0 if the file is not a - * recognized iprop dump format. - */ +/* Read the dump header. Return 1 on success, 0 if the file is not a + * recognized iprop dump format. */ static int parse_iprop_header(char *buf, dump_version **dv, uint32_t *last_sno, uint32_t *last_seconds, uint32_t *last_useconds) @@ -1621,13 +1159,13 @@ parse_iprop_header(char *buf, dump_version **dv, uint32_t *last_sno, if (!strcmp(head, ipropx_1_version.header)) { if (nread != 5) return 0; - if (u[0] == IPROPX_VERSION_0) + if (u[0] == IPROPX_VERSION_0) { *dv = &iprop_version; - else if (u[0] == IPROPX_VERSION_1) + } else if (u[0] == IPROPX_VERSION_1) { *dv = &ipropx_1_version; - else { - fprintf(stderr, _("%s: Unknown iprop dump version %d\n"), - progname, u[0]); + } else { + fprintf(stderr, _("%s: Unknown iprop dump version %d\n"), progname, + u[0]); return 0; } up = &u[1]; @@ -1640,16 +1178,14 @@ parse_iprop_header(char *buf, dump_version **dv, uint32_t *last_sno, return 0; } - *last_sno = *(up++); - *last_seconds = *(up++); - *last_useconds = *(up++); + *last_sno = *up++; + *last_seconds = *up++; + *last_useconds = *up++; return 1; } -/* - * Return 1 if the {sno, timestamp} in an existing dump file is in the - * ulog, else return 0. - */ +/* Return 1 if the {sno, timestamp} in an existing dump file is in the + * ulog, else return 0. */ static int current_dump_sno_in_ulog(char *ifile, kdb_hlog_t *ulog) { @@ -1689,101 +1225,86 @@ current_dump_sno_in_ulog(char *ifile, kdb_hlog_t *ulog) * [filename [principals...]] */ void -dump_db(argc, argv) - int argc; - char **argv; +dump_db(int argc, char **argv) { - FILE *f; - struct dump_args arglist; - char *ofile; - char *tmpofile = NULL; - krb5_error_code kret, retval; - dump_version *dump; - int aindex; - int conditional = 0; - int ok_fd = -1; - char *new_mkey_file = 0; - bool_t dump_sno = FALSE; - kdb_log_context *log_ctx; - unsigned int ipropx_version = IPROPX_VERSION_0; - - /* - * Parse the arguments. - */ - ofile = (char *) NULL; + FILE *f; + struct dump_args args; + char *ofile = NULL, *tmpofile = NULL, *new_mkey_file = NULL; + krb5_error_code ret, retval; + dump_version *dump; + int aindex, conditional = 0, ok_fd = -1; + bool_t dump_sno = FALSE; + kdb_log_context *log_ctx; + unsigned int ipropx_version = IPROPX_VERSION_0; + krb5_kvno kt_kvno; + + /* Parse the arguments. */ dump = &r1_11_version; - arglist.flags = 0; - new_mkey_file = 0; + args.flags = 0; mkey_convert = 0; - backwards = 0; - recursive = 0; log_ctx = util_context->kdblog_context; /* * Parse the qualifiers. */ for (aindex = 1; aindex < argc; aindex++) { - if (!strcmp(argv[aindex], b7option)) + if (!strcmp(argv[aindex], "-b7")) { dump = &beta7_version; - else if (!strcmp(argv[aindex], ovoption)) + } else if (!strcmp(argv[aindex], "-ov")) { dump = &ov_version; - else if (!strcmp(argv[aindex], r13option)) + } else if (!strcmp(argv[aindex], "-r13")) { dump = &r1_3_version; - else if (!strcmp(argv[aindex], r18option)) + } else if (!strcmp(argv[aindex], "-r18")) { dump = &r1_8_version; - else if (!strncmp(argv[aindex], ipropoption, sizeof(ipropoption) - 1)) { + } else if (!strncmp(argv[aindex], "-i", 2)) { if (log_ctx && log_ctx->iproprole) { - /* Note: ipropx_version is the maximum version acceptable */ - ipropx_version = atoi(argv[aindex] + sizeof(ipropoption) - 1); + /* ipropx_version is the maximum version acceptable. */ + ipropx_version = atoi(argv[aindex] + 2); dump = ipropx_version ? &ipropx_1_version : &iprop_version; /* - * dump_sno is used to indicate if the serial - * # should be populated in the output - * file to be used later by iprop for updating - * the slave's update log when loading + * dump_sno is used to indicate if the serial number should be + * populated in the output file to be used later by iprop for + * updating the slave's update log when loading. */ dump_sno = TRUE; - /* - * FLAG_OMIT_NRA is set to indicate that non-replicated - * attributes should be omitted. - */ - arglist.flags |= FLAG_OMIT_NRA; + /* FLAG_OMIT_NRA is set to indicate that non-replicated + * attributes should be omitted. */ + args.flags |= FLAG_OMIT_NRA; } else { fprintf(stderr, _("Iprop not enabled\n")); goto error; } - } else if (!strcmp(argv[aindex], conditionaloption)) + } else if (!strcmp(argv[aindex], "-c")) { conditional = 1; - else if (!strcmp(argv[aindex], verboseoption)) - arglist.flags |= FLAG_VERBOSE; - else if (!strcmp(argv[aindex], "-mkey_convert")) + } else if (!strcmp(argv[aindex], "-verbose")) { + args.flags |= FLAG_VERBOSE; + } else if (!strcmp(argv[aindex], "-mkey_convert")) { mkey_convert = 1; - else if (!strcmp(argv[aindex], "-new_mkey_file")) { + } else if (!strcmp(argv[aindex], "-new_mkey_file")) { new_mkey_file = argv[++aindex]; mkey_convert = 1; - } else if (!strcmp(argv[aindex], "-rev")) - backwards = 1; - else if (!strcmp(argv[aindex], "-recurse")) - recursive = 1; - else + } else if (!strcmp(argv[aindex], "-rev") || + !strcmp(argv[aindex], "-recurse")) { + /* Accept these for compatibility, but do nothing since + * krb5_db_iterate doesn't support them. */ + } else { break; + } } - arglist.names = (char **) NULL; - arglist.nnames = 0; + args.names = NULL; + args.nnames = 0; if (aindex < argc) { ofile = argv[aindex]; aindex++; if (aindex < argc) { - arglist.names = &argv[aindex]; - arglist.nnames = argc - aindex; + args.names = &argv[aindex]; + args.nnames = argc - aindex; } } - /* - * If a conditional ipropx dump we check if the existing dump is - * good enough. - */ + /* If a conditional ipropx dump we check if the existing dump is + * good enough. */ if (ofile != NULL && conditional) { if (!dump->iprop) { com_err(progname, 0, @@ -1810,13 +1331,9 @@ dump_db(argc, argv) if (mkey_convert) { if (!valid_master_key) { /* TRUE here means read the keyboard, but only once */ - retval = krb5_db_fetch_mkey(util_context, - master_princ, - master_keyblock.enctype, - TRUE, FALSE, - (char *) NULL, - NULL, NULL, - &master_keyblock); + retval = krb5_db_fetch_mkey(util_context, master_princ, + master_keyblock.enctype, TRUE, FALSE, + NULL, NULL, NULL, &master_keyblock); if (retval) { com_err(progname, retval, _("while reading master key")); exit(1); @@ -1833,114 +1350,96 @@ dump_db(argc, argv) new_master_keyblock.enctype = DEFAULT_KDC_ENCTYPE; if (new_mkey_file) { - krb5_kvno kt_kvno; - if (global_params.mask & KADM5_CONFIG_KVNO) kt_kvno = global_params.kvno; else kt_kvno = IGNORE_VNO; - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, - new_master_keyblock.enctype, - FALSE, - FALSE, - new_mkey_file, - &kt_kvno, - NULL, - &new_master_keyblock))) { + retval = krb5_db_fetch_mkey(util_context, master_princ, + new_master_keyblock.enctype, FALSE, + FALSE, new_mkey_file, &kt_kvno, NULL, + &new_master_keyblock); + if (retval) { com_err(progname, retval, _("while reading new master key")); exit(1); } } else { printf(_("Please enter new master key....\n")); - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, - new_master_keyblock.enctype, - TRUE, - TRUE, - NULL, NULL, NULL, - &new_master_keyblock))) { + retval = krb5_db_fetch_mkey(util_context, master_princ, + new_master_keyblock.enctype, TRUE, + TRUE, NULL, NULL, NULL, + &new_master_keyblock); + if (retval) { com_err(progname, retval, _("while reading new master key")); exit(1); } } - /* - * get new master key vno that will be used to protect princs, used - * later on. - */ + /* Get new master key vno that will be used to protect princs. */ new_mkvno = get_next_kvno(util_context, master_entry); } - kret = 0; + ret = 0; - if (ofile && strcmp(ofile, "-")) { - /* - * Discourage accidental dumping to filenames beginning with '-'. - */ + if (ofile != NULL && strcmp(ofile, "-")) { + /* Discourage accidental dumping to filenames beginning with '-'. */ if (ofile[0] == '-') usage(); if (!prep_ok_file(util_context, ofile, &ok_fd)) - return; /* prep_ok_file() bumps exit_status */ + return; /* prep_ok_file() bumps exit_status */ f = create_ofile(ofile, &tmpofile); if (f == NULL) { - fprintf(stderr, ofopen_error, - progname, ofile, error_message(errno)); + com_err(progname, errno, _("while opening %s for writing"), ofile); goto error; } } else { f = stdout; } - if (f && !(kret)) { - arglist.programname = progname; - arglist.ofile = f; - arglist.kcontext = util_context; - arglist.dump = dump; - fprintf(arglist.ofile, "%s", dump->header); - /* - * We grab the lock twice (once again in the iterator call), - * but that's ok since the lock func handles incr locks held. - */ - kret = krb5_db_lock(util_context, KRB5_LOCKMODE_SHARED); - if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, - _("%s: Couldn't grab lock\n"), progname); - goto error; - } + args.ofile = f; + args.context = util_context; + args.dump = dump; + fprintf(args.ofile, "%s", dump->header); - if (dump_sno) { - if (ipropx_version) - fprintf(f, " %u", IPROPX_VERSION); - fprintf(f, " %u", log_ctx->ulog->kdb_last_sno); - fprintf(f, " %u", log_ctx->ulog->kdb_last_time.seconds); - fprintf(f, " %u", log_ctx->ulog->kdb_last_time.useconds); - } + /* We grab the lock twice (once again in the iterator call), but that's ok + * since krb5_db_lock handles recursive locks. */ + ret = krb5_db_lock(util_context, KRB5_LOCKMODE_SHARED); + if (ret != 0 && ret != KRB5_PLUGIN_OP_NOTSUPP) { + fprintf(stderr, _("%s: Couldn't grab lock\n"), progname); + goto error; + } - if (dump->header[strlen(dump->header)-1] != '\n') - fputc('\n', arglist.ofile); + if (dump_sno) { + if (ipropx_version) + fprintf(f, " %u", IPROPX_VERSION); + fprintf(f, " %u", log_ctx->ulog->kdb_last_sno); + fprintf(f, " %u", log_ctx->ulog->kdb_last_time.seconds); + fprintf(f, " %u", log_ctx->ulog->kdb_last_time.useconds); + } - if ((kret = krb5_db_iterate(util_context, - NULL, - dump_iterator, - (krb5_pointer) &arglist))) { /* TBD: backwards and recursive not supported */ - fprintf(stderr, dumprec_err, - progname, dump->name, error_message(kret)); - goto error; - } - if (dump->dump_policy && - (kret = krb5_db_iter_policy( util_context, "*", dump->dump_policy, - &arglist))) { - fprintf(stderr, dumprec_err, progname, dump->name, - error_message(kret)); + if (dump->header[strlen(dump->header)-1] != '\n') + fputc('\n', args.ofile); + + ret = krb5_db_iterate(util_context, NULL, dump_iterator, &args); + if (ret) { + com_err(progname, ret, _("performing %s dump"), dump->name); + goto error; + } + + if (dump->dump_policy != NULL) { + ret = krb5_db_iter_policy(util_context, "*", dump->dump_policy, &args); + if (ret) { + com_err(progname, ret, _("performing %s dump"), dump->name); goto error; } - if (ofile && f != stdout) { - fclose(f); - finish_ofile(ofile, &tmpofile); - update_ok_file(util_context, ok_fd); - } - return; } + if (f != stdout) { + fclose(f); + finish_ofile(ofile, &tmpofile); + update_ok_file(util_context, ok_fd); + } + return; + error: krb5_db_unlock(util_context); if (tmpofile != NULL) @@ -1949,39 +1448,22 @@ error: exit_status++; } -/* - * restore_dump() - Restore the database from any version dump file. - */ +/* Restore the database from any version dump file. */ static int -restore_dump(programname, kcontext, dumpfile, f, flags, dump) - char *programname; - krb5_context kcontext; - char *dumpfile; - FILE *f; - int flags; - dump_version *dump; +restore_dump(krb5_context context, char *dumpfile, FILE *f, int flags, + dump_version *dump) { - int error; - int lineno; + int error = 0; + int lineno = 1; - error = 0; - lineno = 1; - - /* - * Process the records. - */ - while (!(error = (*dump->load_record)(dumpfile, - kcontext, - f, - flags, - &lineno))) - ; - if (error != -1) - fprintf(stderr, err_line_fmt, programname, lineno, dumpfile); - else - error = 0; - - return(error); + /* Process the records. */ + while (!(error = dump->load_record(context, dumpfile, f, flags, &lineno))); + if (error != -1) { + fprintf(stderr, _("%s: error processing line %d of %s\n"), progname, + lineno, dumpfile); + return error; + } + return 0; } /* @@ -1989,163 +1471,114 @@ restore_dump(programname, kcontext, dumpfile, f, flags, dump) * filename */ void -load_db(argc, argv) - int argc; - char **argv; +load_db(int argc, char **argv) { - krb5_error_code kret; - krb5_context kcontext; - FILE *f; - extern char *optarg; - extern int optind; - char *dumpfile; - char *dbname; - char buf[BUFSIZ]; - dump_version *load; - int flags; - krb5_int32 crflags; - int aindex; - int db_locked = 0; - kdb_log_context *log_ctx; - krb5_boolean add_update = TRUE; - uint32_t caller = FKCOMMAND; - uint32_t last_sno, last_seconds, last_useconds; - - /* - * Parse the arguments. - */ - dumpfile = (char *) NULL; + krb5_error_code ret; + FILE *f = NULL; + extern char *optarg; + extern int optind; + char *dumpfile = NULL, *dbname, buf[BUFSIZ]; + dump_version *load = NULL; + int flags = 0, aindex; + kdb_log_context *log_ctx; + krb5_boolean add_update = TRUE, db_locked = FALSE, temp_db_created = FALSE; + uint32_t caller = FKCOMMAND, last_sno, last_seconds, last_useconds; + + /* Parse the arguments. */ dbname = global_params.dbname; - load = NULL; - flags = 0; - crflags = KRB5_KDB_CREATE_BTREE; exit_status = 0; log_ctx = util_context->kdblog_context; for (aindex = 1; aindex < argc; aindex++) { - if (!strcmp(argv[aindex], b7option)) + if (!strcmp(argv[aindex], "-b7")){ load = &beta7_version; - else if (!strcmp(argv[aindex], ovoption)) + } else if (!strcmp(argv[aindex], "-ov")) { load = &ov_version; - else if (!strcmp(argv[aindex], r13option)) + } else if (!strcmp(argv[aindex], "-r13")) { load = &r1_3_version; - else if (!strcmp(argv[aindex], r18option)) + } else if (!strcmp(argv[aindex], "-r18")){ load = &r1_8_version; - else if (!strcmp(argv[aindex], ipropoption)) { + } else if (!strcmp(argv[aindex], "-i")) { if (log_ctx && log_ctx->iproprole) { load = &iprop_version; add_update = FALSE; caller = FKLOAD; } else { fprintf(stderr, _("Iprop not enabled\n")); - exit_status++; - return; + goto error; } - } else if (!strcmp(argv[aindex], verboseoption)) + } else if (!strcmp(argv[aindex], "-verbose")) { flags |= FLAG_VERBOSE; - else if (!strcmp(argv[aindex], updateoption)) + } else if (!strcmp(argv[aindex], "-update")){ flags |= FLAG_UPDATE; - else if (!strcmp(argv[aindex], hashoption)) { + } else if (!strcmp(argv[aindex], "-hash")) { if (!add_db_arg("hash=true")) { - com_err(progname, ENOMEM, - _("while parsing command arguments\n")); - exit(1); + com_err(progname, ENOMEM, _("while parsing options")); + goto error; } - } else + } else { break; + } } - if ((argc - aindex) != 1) { + if (argc - aindex != 1) usage(); - return; - } dumpfile = argv[aindex]; - /* - * Initialize the Kerberos context and error tables. - */ - if ((kret = kadm5_init_krb5_context(&kcontext))) { - fprintf(stderr, ctx_err_fmt, progname); - exit_status++; - return; - } - - if( (kret = krb5_set_default_realm(kcontext, util_context->default_realm)) ) - { - fprintf(stderr, _("%s: Unable to set the default realm\n"), progname); - exit_status++; - return; - } - - if (log_ctx && log_ctx->iproprole) - kcontext->kdblog_context = log_ctx; - - /* - * Open the dumpfile - */ - if (dumpfile) { - if ((f = fopen(dumpfile, "r")) == NULL) { - fprintf(stderr, dfile_err_fmt, progname, dumpfile, - error_message(errno)); - exit_status++; - return; + /* Open the dumpfile. */ + if (dumpfile != NULL) { + f = fopen(dumpfile, "r"); + if (f == NULL) { + com_err(progname, errno, _("while opening %s"), dumpfile); + goto error; } - } else + } else { f = stdin; + dumpfile = _("standard input"); + } - /* - * Auto-detect dump version if we weren't told, verify if we - * were told. - */ + /* Auto-detect dump version if we weren't told, or verify if we were. */ if (fgets(buf, sizeof(buf), f) == NULL) { - exit_status++; - if (dumpfile) - fclose(f); - return; + fprintf(stderr, _("%s: can't read dump header in %s\n"), progname, + dumpfile); + goto error; } if (load) { - /* only check what we know; some headers only contain a prefix */ - /* NB: this should work for ipropx even though load is iprop */ + /* Only check what we know; some headers only contain a prefix. + * NB: this should work for ipropx even though load is iprop */ if (strncmp(buf, load->header, strlen(load->header)) != 0) { - fprintf(stderr, head_bad_fmt, progname, dumpfile); - exit_status++; - if (dumpfile) fclose(f); - return; + fprintf(stderr, _("%s: dump header bad in %s\n"), progname, + dumpfile); + goto error; } } else { - /* perhaps this should be in an array, but so what? */ - if (strcmp(buf, beta7_version.header) == 0) + if (strcmp(buf, beta7_version.header) == 0) { load = &beta7_version; - else if (strcmp(buf, r1_3_version.header) == 0) + } else if (strcmp(buf, r1_3_version.header) == 0) { load = &r1_3_version; - else if (strcmp(buf, r1_8_version.header) == 0) + } else if (strcmp(buf, r1_8_version.header) == 0) { load = &r1_8_version; - else if (strcmp(buf, r1_11_version.header) == 0) + } else if (strcmp(buf, r1_11_version.header) == 0) { load = &r1_11_version; - else if (strncmp(buf, ov_version.header, - strlen(ov_version.header)) == 0) + } else if (strncmp(buf, ov_version.header, + strlen(ov_version.header)) == 0) { load = &ov_version; - else { - fprintf(stderr, head_bad_fmt, progname, dumpfile); - exit_status++; - if (dumpfile) fclose(f); - return; + } else { + fprintf(stderr, _("%s: dump header bad in %s\n"), progname, + dumpfile); + goto error; } } /* - * Fail if the dump is not in iprop format and iprop is enabled and - * we have a ulog -- we don't want an accidental stepping on our - * toes by a sysadmin or wayward cronjob left over from before - * enabling iprop. + * Fail if the dump is not in iprop format and iprop is enabled and we have + * a ulog -- we don't want an accidental stepping on our toes by a sysadmin + * or wayward cronjob left over from before enabling iprop. */ if (global_params.iprop_enabled && - ulog_map(kcontext, global_params.iprop_logfile, + ulog_map(util_context, global_params.iprop_logfile, global_params.iprop_ulogsize, caller, db5util_db_args)) { - fprintf(stderr, "Could not open iprop ulog\n"); - exit_status++; - if (dumpfile) - fclose(f); - return; + fprintf(stderr, _("Could not open iprop ulog\n")); + goto error; } if (global_params.iprop_enabled && !load->iprop) { if (log_ctx->ulog != NULL && log_ctx->ulog->kdb_first_time.seconds && @@ -2153,77 +1586,62 @@ load_db(argc, argv) fprintf(stderr, _("%s: Loads disallowed when iprop is enabled " "and a ulog is present\n"), progname); - exit_status++; - if (dumpfile) - fclose(f); - return; + goto error; } } if (load->updateonly && !(flags & FLAG_UPDATE)) { fprintf(stderr, _("%s: dump version %s can only be loaded with the " "-update flag\n"), progname, load->name); - exit_status++; - return; + goto error; } - /* - * Cons up params for the new databases. If we are not in update - * mode, we create an alternate database and then promote it to - * be the live db. - */ - if (! (flags & FLAG_UPDATE)) { + /* If we are not in update mode, we create an alternate database and then + * promote it to be the live db. */ + if (!(flags & FLAG_UPDATE)) { if (!add_db_arg("temporary")) { com_err(progname, ENOMEM, _("computing parameters for database")); - exit(1); + goto error; } if (!add_update && !add_db_arg("merge_nra")) { com_err(progname, ENOMEM, _("computing parameters for database")); - exit(1); + goto error; } - if((kret = krb5_db_create(kcontext, db5util_db_args))) { - const char *emsg = krb5_get_error_message(kcontext, kret); - fprintf(stderr, "%s: %s\n", progname, emsg); - krb5_free_error_message (kcontext, emsg); - exit_status++; - if (dumpfile) fclose(f); - return; + ret = krb5_db_create(util_context, db5util_db_args); + if (ret) { + com_err(progname, ret, _("while creating database")); + goto error; } - } - else { + temp_db_created = TRUE; + } else { /* Initialize the database. */ - kret = krb5_db_open(kcontext, db5util_db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN); - if (kret) { - const char *emsg = krb5_get_error_message(kcontext, kret); - fprintf(stderr, "%s: %s\n", progname, emsg); - krb5_free_error_message (kcontext, emsg); - exit_status++; + ret = krb5_db_open(util_context, db5util_db_args, + KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN); + if (ret) { + com_err(progname, ret, _("while opening database")); goto error; } /* Make sure the db is left unusable if the update fails, if the db * supports locking. */ - kret = krb5_db_lock(kcontext, KRB5_DB_LOCKMODE_PERMANENT); - if (kret == 0) - db_locked = 1; - else if (kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, _("%s: %s while permanently locking database\n"), - progname, error_message(kret)); - exit_status++; + ret = krb5_db_lock(util_context, KRB5_DB_LOCKMODE_PERMANENT); + if (ret == 0) { + db_locked = TRUE; + } else if (ret != KRB5_PLUGIN_OP_NOTSUPP) { + com_err(progname, ret, _("while permanently locking database")); goto error; } } - if (log_ctx && log_ctx->iproprole) { + if (log_ctx != NULL && log_ctx->iproprole) { /* - * We don't want to take out the ulog out from underneath - * kadmind so we reinit the header log. + * We don't want to take out the ulog out from underneath kadmind so we + * reinit the header log. * - * We also don't want to add to the update log since we - * are doing a whole sale replace of the db, because: + * We also don't want to add to the update log since we are doing a + * whole sale replace of the db, because: * we could easily exceed # of update entries * we could implicity delete db entries during a replace * no advantage in incr updates when entire db is replaced @@ -2233,95 +1651,61 @@ load_db(argc, argv) log_ctx->iproprole = IPROP_NULL; if (!add_update) { - if (!parse_iprop_header(buf, &load, &last_sno, - &last_seconds, - &last_useconds)) { - exit_status++; + if (!parse_iprop_header(buf, &load, &last_sno, &last_seconds, + &last_useconds)) goto error; - } log_ctx->ulog->kdb_last_sno = last_sno; - log_ctx->ulog->kdb_last_time.seconds = - last_seconds; - log_ctx->ulog->kdb_last_time.useconds = - last_useconds; + log_ctx->ulog->kdb_last_time.seconds = last_seconds; + log_ctx->ulog->kdb_last_time.useconds = last_useconds; - /* - * Sync'ing the header is not necessary on any OS and - * filesystem where the filesystem and virtual memory block - * cache are unified, which is pretty much all cases that we - * care about. However, technically speaking we must msync() - * in order for our writes here to be visible to a running - * kpropd. - */ + /* Technically we must msync() in order for our writes here to + * be visible to a running kpropd. */ ulog_sync_header(log_ctx->ulog); } } } - if (restore_dump(progname, kcontext, (dumpfile) ? dumpfile : stdin_name, + if (restore_dump(util_context, dumpfile ? dumpfile : _("standard input"), f, flags, load)) { - fprintf(stderr, restfail_fmt, - progname, load->name); - exit_status++; - } - - if (db_locked && (kret = krb5_db_unlock(kcontext))) { - /* change this error? */ - fprintf(stderr, dbunlockerr_fmt, - progname, dbname, error_message(kret)); - exit_status++; + fprintf(stderr, _("%s: %s restore failed\n"), progname, load->name); + goto error; } -#if 0 - if ((kret = krb5_db_fini(kcontext))) { - fprintf(stderr, close_err_fmt, - progname, error_message(kret)); - exit_status++; + if (db_locked && (ret = krb5_db_unlock(util_context))) { + com_err(progname, ret, _("while unlocking database")); + goto error; } -#endif - /* close policy db below */ - - if (exit_status == 0 && !(flags & FLAG_UPDATE)) { - kret = krb5_db_promote(kcontext, db5util_db_args); - /* - * Ignore a not supported error since there is nothing to do about it - * anyway. - */ - if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, _("%s: cannot make newly loaded database live " - "(%s)\n"), progname, error_message(kret)); - exit_status++; + if (!(flags & FLAG_UPDATE)) { + ret = krb5_db_promote(util_context, db5util_db_args); + /* Ignore a not supported error since there is nothing to do about it + * anyway. */ + if (ret != 0 && ret != KRB5_PLUGIN_OP_NOTSUPP) { + com_err(progname, ret, + _("while making newly loaded database live")); + goto error; } } -error: - /* - * If not an update: if there was an error, destroy the temp database, - * otherwise rename it into place. - * - * If an update: if there was no error, unlock the database. - */ - if (!(flags & FLAG_UPDATE)) { - if (exit_status) { - kret = krb5_db_destroy(kcontext, db5util_db_args); - /* - * Ignore a not supported error since there is nothing to do about - * it anyway. - */ - if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, dbdelerr_fmt, - progname, dbname, error_message(kret)); - exit_status++; - } +cleanup: + /* If we created a temporary DB but didn't succeed, destroy it. */ + if (exit_status && temp_db_created) { + ret = krb5_db_destroy(util_context, db5util_db_args); + /* Ignore a not supported error since there is nothing to do about + * it anyway. */ + if (ret != 0 && ret != KRB5_PLUGIN_OP_NOTSUPP) { + com_err(progname, ret, _("while deleting bad database %s"), + dbname); } } - if (dumpfile) { - (void) krb5_lock_file(kcontext, fileno(f), KRB5_LOCKMODE_UNLOCK); + if (f != NULL && f != stdin) fclose(f); - } - krb5_free_context(kcontext); + return; + +error: + exit_status++; + goto cleanup; } diff --git a/src/kadmin/dbutil/kdb5_util.h b/src/kadmin/dbutil/kdb5_util.h index 9517ea7ea5..b6c2a48fca 100644 --- a/src/kadmin/dbutil/kdb5_util.h +++ b/src/kadmin/dbutil/kdb5_util.h @@ -70,7 +70,7 @@ extern int create_db_entry (krb5_principal, krb5_db_entry *); extern int kadm5_create_magic_princs (kadm5_config_params *params, krb5_context context); -extern int process_ov_principal (char *fname, krb5_context kcontext, +extern int process_ov_principal (krb5_context kcontext, const char *fname, FILE *filep, int verbose, int *linenop); diff --git a/src/kadmin/dbutil/ovload.c b/src/kadmin/dbutil/ovload.c index de677a25b8..d514f8c7d8 100644 --- a/src/kadmin/dbutil/ovload.c +++ b/src/kadmin/dbutil/ovload.c @@ -96,9 +96,9 @@ done: * [modifies] * */ -int process_ov_principal(fname, kcontext, filep, verbose, linenop) - char *fname; +int process_ov_principal(kcontext, fname, filep, verbose, linenop) krb5_context kcontext; + const char *fname; FILE *filep; int verbose; int *linenop; |