authorSam Hartman <hartmans@mit.edu>2009-01-03 23:19:42 +0000
committerSam Hartman <hartmans@mit.edu>2009-01-03 23:19:42 +0000
commit0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d (patch)
tree2049c9c2cb135fe36b14c0a171711259258d18ec /src/lib/kdb
parentff0a6514c9f4230938c29922d69cbd4e83691adf (diff)
Merge mskrb-integ onto trunk
The mskrb-integ branch includes support for the following projects: Projects/Aliases * Projects/PAC and principal APIs * Projects/AEAD encryption API * Projects/GSSAPI DCE * Projects/RFC 3244 In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch onto the trunk. Additional review and testing are required. Merge commit 'mskrb-integ' into trunk ticket: new status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kdb')
-rw-r--r--src/lib/kdb/Makefile.in17
-rw-r--r--src/lib/kdb/decrypt_key.c10
-rw-r--r--src/lib/kdb/encrypt_key.c12
-rw-r--r--src/lib/kdb/kdb5.c168
-rw-r--r--src/lib/kdb/kdb5.h168
-rw-r--r--src/lib/kdb/libkdb5.exports4
6 files changed, 192 insertions, 187 deletions
diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in
index 1a13ade094..6336f157bd 100644
--- a/src/lib/kdb/Makefile.in
+++ b/src/lib/kdb/Makefile.in
@@ -83,10 +83,11 @@ kdb5.so kdb5.po $(OUTPRE)kdb5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- adb_err.h kdb5.c kdb5.h kdb5int.h
+ $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/kdb_log.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h adb_err.h kdb5.c kdb5.h \
+ kdb5int.h
encrypt_key.so encrypt_key.po $(OUTPRE)encrypt_key.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -169,10 +170,10 @@ kdb_log.so kdb_log.po $(OUTPRE)kdb_log.$(OBJEXT): $(BUILDTOP)/include/autoconf.h
$(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
- $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- kdb5.h kdb5int.h kdb_log.c
+ $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/kdb_log.h \
+ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+ $(SRCTOP)/include/socket-utils.h kdb5.h kdb5int.h kdb_log.c
keytab.so keytab.po $(OUTPRE)keytab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
diff --git a/src/lib/kdb/decrypt_key.c b/src/lib/kdb/decrypt_key.c
index c2ddbfd2c8..9ab66dfbf5 100644
--- a/src/lib/kdb/decrypt_key.c
+++ b/src/lib/kdb/decrypt_key.c
@@ -63,11 +63,11 @@
*/
krb5_error_code
-krb5_dbekd_decrypt_key_data( krb5_context context,
- const krb5_keyblock * mkey,
- const krb5_key_data * key_data,
- krb5_keyblock * dbkey,
- krb5_keysalt * keysalt)
+krb5_dbekd_def_decrypt_key_data( krb5_context context,
+ const krb5_keyblock * mkey,
+ const krb5_key_data * key_data,
+ krb5_keyblock * dbkey,
+ krb5_keysalt * keysalt)
{
krb5_error_code retval = 0;
krb5_int16 tmplen;
diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
index ed35e6969f..bf778ea858 100644
--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
@@ -63,12 +63,12 @@
*/
krb5_error_code
-krb5_dbekd_encrypt_key_data( krb5_context context,
- const krb5_keyblock * mkey,
- const krb5_keyblock * dbkey,
- const krb5_keysalt * keysalt,
- int keyver,
- krb5_key_data * key_data)
+krb5_dbekd_def_encrypt_key_data( krb5_context context,
+ const krb5_keyblock * mkey,
+ const krb5_keyblock * dbkey,
+ const krb5_keysalt * keysalt,
+ int keyver,
+ krb5_key_data * key_data)
{
krb5_error_code retval;
krb5_octet * ptr;
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index d6c91676ea..e76ebe921f 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -223,6 +223,14 @@ kdb_setup_opt_functions(db_library lib)
if (lib->vftabl.promote_db == NULL) {
lib->vftabl.promote_db = krb5_def_promote_db;
}
+
+ if (lib->vftabl.dbekd_decrypt_key_data == NULL) {
+ lib->vftabl.dbekd_decrypt_key_data = krb5_dbekd_def_decrypt_key_data;
+ }
+
+ if (lib->vftabl.dbekd_encrypt_key_data == NULL) {
+ lib->vftabl.dbekd_encrypt_key_data = krb5_dbekd_def_encrypt_key_data;
+ }
}
static int kdb_db2_pol_err_loaded = 0;
@@ -898,7 +906,7 @@ krb5_db_get_principal(krb5_context kcontext,
}
status =
- dal_handle->lib_handle->vftabl.db_get_principal(kcontext, search_for,
+ dal_handle->lib_handle->vftabl.db_get_principal(kcontext, search_for, 0,
entries, nentries,
more);
get_errmsg(kcontext, status);
@@ -909,6 +917,40 @@ krb5_db_get_principal(krb5_context kcontext,
}
krb5_error_code
+krb5_db_get_principal_ext(krb5_context kcontext,
+ krb5_const_principal search_for,
+ unsigned int flags,
+ krb5_db_entry * entries,
+ int *nentries, krb5_boolean * more)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status =
+ dal_handle->lib_handle->vftabl.db_get_principal(kcontext, search_for,
+ flags,
+ entries, nentries,
+ more);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
+krb5_error_code
krb5_db_free_principal(krb5_context kcontext, krb5_db_entry * entry, int count)
{
krb5_error_code status = 0;
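Review bot: krb5_db_get_principal_ext repeats the body of krb5_db_get_principal verbatim apart from the `flags` argument, and the previous hunk changes krb5_db_get_principal to pass a literal 0, so the old entry point could simply forward: `return krb5_db_get_principal_ext(kcontext, search_for, 0, entries, nentries, more);`, keeping the setup/lock/call/unlock sequence in one place. The new function also carries no comment saying what `flags` may contain or that it is passed through unchanged to the backend's db_get_principal; the valid values are not defined anywhere in this diff, so a header such as `/* As krb5_db_get_principal, but passes flags through unchanged to the backend's db_get_principal. */` would at least state the contract. The body of krb5_db_free_principal continues past the end of the hunk.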
@@ -1110,7 +1152,7 @@ krb5_db_put_principal(krb5_context kcontext,
upd->kdb_princ_name.utf8str_t_val = princ_name;
upd->kdb_princ_name.utf8str_t_len = strlen(princ_name);
- if ((status = ulog_add_update(kcontext, upd)))
+ if ((status = ulog_add_update(kcontext, upd)) != 0)
goto err_lock;
upd++;
}
@@ -2164,3 +2206,125 @@ krb5_db_promote(krb5_context kcontext, char **db_args)
return status;
}
+krb5_error_code
+krb5_dbekd_decrypt_key_data( krb5_context kcontext,
+ const krb5_keyblock * mkey,
+ const krb5_key_data * key_data,
+ krb5_keyblock * dbkey,
+ krb5_keysalt * keysalt)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status =
+ dal_handle->lib_handle->vftabl.dbekd_decrypt_key_data(kcontext,
+ mkey, key_data, dbkey, keysalt);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
+krb5_error_code
+krb5_dbekd_encrypt_key_data( krb5_context kcontext,
+ const krb5_keyblock * mkey,
+ const krb5_keyblock * dbkey,
+ const krb5_keysalt * keysalt,
+ int keyver,
+ krb5_key_data * key_data)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status =
+ dal_handle->lib_handle->vftabl.dbekd_encrypt_key_data(kcontext,
+ mkey, dbkey, keysalt, keyver, key_data);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
+krb5_error_code
+krb5_db_get_context(krb5_context context, void **db_context)
+{
+ *db_context = KRB5_DB_GET_DB_CONTEXT(context);
+ if (*db_context == NULL) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+
+ return 0;
+}
+
+krb5_error_code
+krb5_db_set_context(krb5_context context, void *db_context)
+{
+ KRB5_DB_GET_DB_CONTEXT(context) = db_context;
+
+ return 0;
+}
+
+krb5_error_code
+krb5_db_invoke(krb5_context kcontext,
+ unsigned int method,
+ const krb5_data *req,
+ krb5_data *rep)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ if (dal_handle->lib_handle->vftabl.db_invoke == NULL) {
+ status = KRB5_KDB_DBTYPE_NOSUP;
+ goto clean_n_exit;
+ }
+
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status =
+ dal_handle->lib_handle->vftabl.db_invoke(kcontext,
+ method,
+ req,
+ rep);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
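Review bot: krb5_db_get_context and krb5_db_set_context dereference `context->dal_handle` through KRB5_DB_GET_DB_CONTEXT without checking it is non-NULL, whereas every other wrapper in this hunk first tests `kcontext->dal_handle == NULL` and calls kdb_setup_lib_handle; a caller that reaches these before any other db call gets a NULL dereference instead of an error. The minimal guard is `if (context->dal_handle == NULL) return KRB5_KDB_DBNOTINITED;` at the top of both functions, reusing the error get_context already returns for a NULL db_context. Whether they should instead call kdb_setup_lib_handle like the other wrappers depends on who is expected to call set_context, which this diff does not show. Each new wrapper would also benefit from a one-line header noting that it takes the library lock for the duration of the backend call, and the two dbekd wrappers that they rely on kdb_setup_opt_functions (earlier hunk) having installed a default for dbekd_decrypt_key_data/dbekd_encrypt_key_data, since unlike krb5_db_invoke they do not test the pointer for NULL.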
diff --git a/src/lib/kdb/kdb5.h b/src/lib/kdb/kdb5.h
index f9f4494422..e3a1f2633a 100644
--- a/src/lib/kdb/kdb5.h
+++ b/src/lib/kdb/kdb5.h
@@ -10,176 +10,12 @@
#include <utime.h>
#include <k5-int.h>
#include "kdb.h"
+#include "kdb_ext.h"
-#define KDB_MAX_DB_NAME 128
-#define KDB_REALM_SECTION "realms"
-#define KDB_MODULE_POINTER "database_module"
-#define KDB_MODULE_DEF_SECTION "dbdefaults"
-#define KDB_MODULE_SECTION "dbmodules"
-#define KDB_LIB_POINTER "db_library"
-#define KDB_DATABASE_CONF_FILE DEFAULT_SECURE_PROFILE_PATH
-#define KDB_DATABASE_ENV_PROF KDC_PROFILE_ENV
-
-#define KRB5_DB_GET_DB_CONTEXT(kcontext) (((kdb5_dal_handle*) (kcontext)->db_context)->db_context)
+#define KRB5_DB_GET_DB_CONTEXT(kcontext) (((kdb5_dal_handle*) (kcontext)->dal_handle)->db_context)
#define KRB5_DB_GET_PROFILE(kcontext) ((kcontext)->profile)
#define KRB5_DB_GET_REALM(kcontext) ((kcontext)->default_realm)
-typedef struct _kdb_vftabl{
- short int maj_ver;
- short int min_ver;
-
- krb5_error_code (*init_library)();
- krb5_error_code (*fini_library)();
- krb5_error_code (*init_module) (krb5_context kcontext,
- char * conf_section,
- char ** db_args,
- int mode);
-
- krb5_error_code (*fini_module) (krb5_context kcontext);
-
- krb5_error_code (*db_create) (krb5_context kcontext,
- char * conf_section,
- char ** db_args);
-
- krb5_error_code (*db_destroy) (krb5_context kcontext,
- char *conf_section,
- char ** db_args);
-
- krb5_error_code (*db_get_age) (krb5_context kcontext,
- char *db_name,
- time_t *age);
-
- krb5_error_code (*db_set_option) (krb5_context kcontext,
- int option,
- void *value);
-
- krb5_error_code (*db_lock) (krb5_context kcontext,
- int mode);
-
- krb5_error_code (*db_unlock) (krb5_context kcontext);
-
- krb5_error_code (*db_get_principal) (krb5_context kcontext,
- krb5_const_principal search_for,
- krb5_db_entry *entries,
- int *nentries,
- krb5_boolean *more);
-
- krb5_error_code (*db_free_principal) (krb5_context kcontext,
- krb5_db_entry *entry,
- int count);
-
- krb5_error_code (*db_put_principal) (krb5_context kcontext,
- krb5_db_entry *entries,
- int *nentries,
- char **db_args);
-
- krb5_error_code (*db_delete_principal) (krb5_context kcontext,
- krb5_const_principal search_for,
- int *nentries);
-
- krb5_error_code (*db_iterate) (krb5_context kcontext,
- char *match_entry,
- int (*func) (krb5_pointer, krb5_db_entry *),
- krb5_pointer func_arg);
-
- krb5_error_code (*db_create_policy) (krb5_context kcontext,
- osa_policy_ent_t policy);
-
- krb5_error_code (*db_get_policy) (krb5_context kcontext,
- char *name,
- osa_policy_ent_t *policy,
- int *cnt);
-
- krb5_error_code (*db_put_policy) (krb5_context kcontext,
- osa_policy_ent_t policy);
-
- krb5_error_code (*db_iter_policy) (krb5_context kcontext,
- char *match_entry,
- osa_adb_iter_policy_func func,
- void *data);
-
-
- krb5_error_code (*db_delete_policy) (krb5_context kcontext,
- char *policy);
-
- void (*db_free_policy) (krb5_context kcontext,
- osa_policy_ent_t val);
-
- krb5_error_code (*db_supported_realms) (krb5_context kcontext,
- char **realms);
-
- krb5_error_code (*db_free_supported_realms) (krb5_context kcontext,
- char **realms);
-
-
- const char * (*errcode_2_string) (krb5_context kcontext,
- long err_code);
- void (*release_errcode_string) (krb5_context kcontext, const char *msg);
-
- void * (*db_alloc) (krb5_context kcontext, void *ptr, size_t size);
- void (*db_free) (krb5_context kcontext, void *ptr);
-
-
-
- /* optional functions */
- krb5_error_code (*set_master_key) (krb5_context kcontext,
- char *pwd,
- krb5_keyblock *key);
-
- krb5_error_code (*get_master_key) (krb5_context kcontext,
- krb5_keyblock **key);
-
-
- krb5_error_code (*setup_master_key_name) (krb5_context kcontext,
- char *keyname,
- char *realm,
- char **fullname,
- krb5_principal *principal);
-
- krb5_error_code (*store_master_key) (krb5_context kcontext,
- char *db_arg,
- krb5_principal mname,
- krb5_kvno kvno,
- krb5_keyblock *key,
- char *master_pwd);
-
- krb5_error_code (*fetch_master_key) (krb5_context kcontext,
- krb5_principal mname,
- krb5_keyblock *key,
- krb5_kvno *kvno,
- char *db_args);
-
- krb5_error_code (*verify_master_key) (krb5_context kcontext,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock *mkey);
-
- krb5_error_code (*dbe_search_enctype) (krb5_context kcontext,
- krb5_db_entry *dbentp,
- krb5_int32 *start,
- krb5_int32 ktype,
- krb5_int32 stype,
- krb5_int32 kvno,
- krb5_key_data **kdatap);
-
-
- krb5_error_code
- (*db_change_pwd) (krb5_context context,
- krb5_keyblock * master_key,
- krb5_key_salt_tuple * ks_tuple,
- int ks_tuple_count,
- char * passwd,
- int new_kvno,
- krb5_boolean keepold,
- krb5_db_entry * db_entry);
-
- /* Promote a temporary database to be the live one. */
- krb5_error_code (*promote_db) (krb5_context context,
- char *conf_section,
- char **db_args);
-
-} kdb_vftabl;
-
typedef struct _db_library {
char name[KDB_MAX_DB_NAME];
int reference_cnt;
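Review bot: KDB_MAX_DB_NAME is still used two lines below its removed `#define` (`char name[KDB_MAX_DB_NAME];`), so it, the other removed KDB_* constants and the kdb_vftabl typedef presumably now live in the newly included kdb_ext.h, which is outside this diff (the diffstat is limited to src/lib/kdb); a comment on the include would spare the next reader the search: `#include "kdb_ext.h"  /* kdb_vftabl and the KDB_* configuration constants now live here */`. The corrected KRB5_DB_GET_DB_CONTEXT dereferences `(kcontext)->dal_handle`, which the kdb5.c wrappers in this commit test for NULL before calling kdb_setup_lib_handle, so the macro has an unstated precondition; a note such as `/* Requires kcontext->dal_handle to be set up (see kdb_setup_lib_handle). */` on the `#define` line would document it. The struct _db_library definition continues past the end of the hunk.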
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index 6157ec3571..cbd8711811 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -10,10 +10,14 @@ krb5_db_fini
krb5_db_free_principal
krb5_db_get_age
krb5_db_get_mkey
+krb5_db_get_context
krb5_db_get_principal
+krb5_db_get_principal_ext
+krb5_db_invoke
krb5_db_iterate
krb5_db_lock
krb5_db_put_principal
+krb5_db_set_context
krb5_db_set_mkey
krb5_db_setup_mkey_name
krb5_db_unlock