Diffstat (limited to 'src/lib/kadm5/srv')
-rw-r--r--src/lib/kadm5/srv/adb_xdr.c74
-rw-r--r--src/lib/kadm5/srv/server_acl.c1055
-rw-r--r--src/lib/kadm5/srv/server_acl.h129
-rw-r--r--src/lib/kadm5/srv/server_dict.c159
-rw-r--r--src/lib/kadm5/srv/server_handle.c5
-rw-r--r--src/lib/kadm5/srv/server_init.c405
-rw-r--r--src/lib/kadm5/srv/server_kdb.c314
-rw-r--r--src/lib/kadm5/srv/server_misc.c222
-rw-r--r--src/lib/kadm5/srv/svr_chpass_util.c19
-rw-r--r--src/lib/kadm5/srv/svr_iters.c332
-rw-r--r--src/lib/kadm5/srv/svr_policy.c299
-rw-r--r--src/lib/kadm5/srv/svr_principal.c2261
12 files changed, 2641 insertions, 2633 deletions
diff --git a/src/lib/kadm5/srv/adb_xdr.c b/src/lib/kadm5/srv/adb_xdr.c
index d5d17062a8..87ed27a431 100644
--- a/src/lib/kadm5/srv/adb_xdr.c
+++ b/src/lib/kadm5/srv/adb_xdr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -11,7 +12,7 @@ static char *rcsid = "$Header$";
#include <sys/types.h>
#include <krb5.h>
#include <gssrpc/rpc.h>
-#include "server_internal.h"
+#include "server_internal.h"
#include "admin_xdr.h"
#ifdef HAVE_MEMORY_H
#include <memory.h>
@@ -23,27 +24,27 @@ xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp)
unsigned int tmp;
if (!xdr_krb5_int16(xdrs, &objp->key_data_ver))
- return(FALSE);
+ return(FALSE);
if (!xdr_krb5_int16(xdrs, &objp->key_data_kvno))
- return(FALSE);
+ return(FALSE);
if (!xdr_krb5_int16(xdrs, &objp->key_data_type[0]))
- return(FALSE);
+ return(FALSE);
if (!xdr_krb5_int16(xdrs, &objp->key_data_type[1]))
- return(FALSE);
+ return(FALSE);
if (!xdr_krb5_ui_2(xdrs, &objp->key_data_length[0]))
- return(FALSE);
+ return(FALSE);
if (!xdr_krb5_ui_2(xdrs, &objp->key_data_length[1]))
- return(FALSE);
+ return(FALSE);
tmp = (unsigned int) objp->key_data_length[0];
if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0],
- &tmp, ~0))
- return FALSE;
+ &tmp, ~0))
+ return FALSE;
tmp = (unsigned int) objp->key_data_length[1];
if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1],
- &tmp, ~0))
- return FALSE;
+ &tmp, ~0))
+ return FALSE;
/* don't need to copy tmp out, since key_data_length will be set
by the above encoding. */
@@ -55,10 +56,10 @@ bool_t
xdr_osa_pw_hist_ent(XDR *xdrs, osa_pw_hist_ent *objp)
{
if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
- (u_int *) &objp->n_key_data, ~0,
- sizeof(krb5_key_data),
- xdr_krb5_key_data))
- return (FALSE);
+ (u_int *) &objp->n_key_data, ~0,
+ sizeof(krb5_key_data),
+ xdr_krb5_key_data))
+ return (FALSE);
return (TRUE);
}
@@ -67,33 +68,33 @@ xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp)
{
switch (xdrs->x_op) {
case XDR_ENCODE:
- objp->version = OSA_ADB_PRINC_VERSION_1;
- /* fall through */
+ objp->version = OSA_ADB_PRINC_VERSION_1;
+ /* fall through */
case XDR_FREE:
- if (!xdr_int(xdrs, &objp->version))
- return FALSE;
- break;
+ if (!xdr_int(xdrs, &objp->version))
+ return FALSE;
+ break;
case XDR_DECODE:
- if (!xdr_int(xdrs, &objp->version))
- return FALSE;
- if (objp->version != OSA_ADB_PRINC_VERSION_1)
- return FALSE;
- break;
+ if (!xdr_int(xdrs, &objp->version))
+ return FALSE;
+ if (objp->version != OSA_ADB_PRINC_VERSION_1)
+ return FALSE;
+ break;
}
-
+
if (!xdr_nullstring(xdrs, &objp->policy))
- return (FALSE);
+ return (FALSE);
if (!xdr_long(xdrs, &objp->aux_attributes))
- return (FALSE);
+ return (FALSE);
if (!xdr_u_int(xdrs, &objp->old_key_next))
- return (FALSE);
+ return (FALSE);
if (!xdr_krb5_kvno(xdrs, &objp->admin_history_kvno))
- return (FALSE);
+ return (FALSE);
if (!xdr_array(xdrs, (caddr_t *) &objp->old_keys,
- (unsigned int *) &objp->old_key_len, ~0,
- sizeof(osa_pw_hist_ent),
- xdr_osa_pw_hist_ent))
- return (FALSE);
+ (unsigned int *) &objp->old_key_len, ~0,
+ sizeof(osa_pw_hist_ent),
+ xdr_osa_pw_hist_ent))
+ return (FALSE);
return (TRUE);
}
@@ -101,10 +102,9 @@ void
osa_free_princ_ent(osa_princ_ent_t val)
{
XDR xdrs;
-
+
xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
-
+
xdr_osa_princ_ent_rec(&xdrs, val);
free(val);
}
-
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index 45f3879b89..b8abe8afd8 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kadm5/srv/server_acl.c
*
@@ -40,46 +41,46 @@
#include <ctype.h>
typedef struct _acl_op_table {
- char ao_op;
- krb5_int32 ao_mask;
+ char ao_op;
+ krb5_int32 ao_mask;
} aop_t;
typedef struct _acl_entry {
- struct _acl_entry *ae_next;
- char *ae_name;
- krb5_boolean ae_name_bad;
- krb5_principal ae_principal;
- krb5_int32 ae_op_allowed;
- char *ae_target;
- krb5_boolean ae_target_bad;
- krb5_principal ae_target_princ;
- char *ae_restriction_string;
- /* eg: "-maxlife 3h -service +proxiable" */
- krb5_boolean ae_restriction_bad;
- restriction_t *ae_restrictions;
+ struct _acl_entry *ae_next;
+ char *ae_name;
+ krb5_boolean ae_name_bad;
+ krb5_principal ae_principal;
+ krb5_int32 ae_op_allowed;
+ char *ae_target;
+ krb5_boolean ae_target_bad;
+ krb5_principal ae_target_princ;
+ char *ae_restriction_string;
+ /* eg: "-maxlife 3h -service +proxiable" */
+ krb5_boolean ae_restriction_bad;
+ restriction_t *ae_restrictions;
} aent_t;
static const aop_t acl_op_table[] = {
- { 'a', ACL_ADD },
- { 'd', ACL_DELETE },
- { 'm', ACL_MODIFY },
- { 'c', ACL_CHANGEPW },
- { 'i', ACL_INQUIRE },
- { 'l', ACL_LIST },
- { 'p', ACL_IPROP },
- { 's', ACL_SETKEY },
- { 'x', ACL_ALL_MASK },
- { '*', ACL_ALL_MASK },
- { '\0', 0 }
+ { 'a', ACL_ADD },
+ { 'd', ACL_DELETE },
+ { 'm', ACL_MODIFY },
+ { 'c', ACL_CHANGEPW },
+ { 'i', ACL_INQUIRE },
+ { 'l', ACL_LIST },
+ { 'p', ACL_IPROP },
+ { 's', ACL_SETKEY },
+ { 'x', ACL_ALL_MASK },
+ { '*', ACL_ALL_MASK },
+ { '\0', 0 }
};
typedef struct _wildstate {
- int nwild;
- krb5_data *backref[9];
+ int nwild;
+ krb5_data *backref[9];
} wildstate_t;
-static aent_t *acl_list_head = (aent_t *) NULL;
-static aent_t *acl_list_tail = (aent_t *) NULL;
+static aent_t *acl_list_head = (aent_t *) NULL;
+static aent_t *acl_list_tail = (aent_t *) NULL;
static const char *acl_acl_file = (char *) NULL;
static int acl_inited = 0;
@@ -99,65 +100,65 @@ static const char *acl_cantopen_msg = "%s while opening ACL file %s";
/*
* kadm5int_acl_get_line() - Get a line from the ACL file.
- * Lines ending with \ are continued on the next line
+ * Lines ending with \ are continued on the next line
*/
static char *
kadm5int_acl_get_line(fp, lnp)
- FILE *fp;
- int *lnp; /* caller should set to 1 before first call */
+ FILE *fp;
+ int *lnp; /* caller should set to 1 before first call */
{
- int i, domore;
- static int line_incr = 0;
+ int i, domore;
+ static int line_incr = 0;
static char acl_buf[BUFSIZ];
*lnp += line_incr;
line_incr = 0;
for (domore = 1; domore && !feof(fp); ) {
- /* Copy in the line, with continuations */
- for (i=0; ((i < sizeof acl_buf) && !feof(fp)); i++ ) {
- int byte;
- byte = fgetc(fp);
- acl_buf[i] = byte;
- if (byte == (char)EOF) {
- if (i > 0 && acl_buf[i-1] == '\\')
- i--;
- break; /* it gets nulled-out below */
- }
- else if (acl_buf[i] == '\n') {
- if (i == 0 || acl_buf[i-1] != '\\')
- break; /* empty line or normal end of line */
- else {
- i -= 2; /* back up over "\\\n" and continue */
- line_incr++;
- }
- }
- }
- /* Check if we exceeded our buffer size */
- if (i == sizeof acl_buf && (i--, !feof(fp))) {
- int c1 = acl_buf[i], c2;
-
- krb5_klog_syslog(LOG_ERR, acl_line2long_msg, acl_acl_file, *lnp);
- while ((c2 = fgetc(fp)) != EOF) {
- if (c2 == '\n') {
- if (c1 != '\\')
- break;
- line_incr++;
- }
- c1 = c2;
- }
- }
- acl_buf[i] = '\0';
- if (acl_buf[0] == (char) EOF) /* ptooey */
- acl_buf[0] = '\0';
- else
- line_incr++;
- if ((acl_buf[0] != '#') && (acl_buf[0] != '\0'))
- domore = 0;
+ /* Copy in the line, with continuations */
+ for (i=0; ((i < sizeof acl_buf) && !feof(fp)); i++ ) {
+ int byte;
+ byte = fgetc(fp);
+ acl_buf[i] = byte;
+ if (byte == (char)EOF) {
+ if (i > 0 && acl_buf[i-1] == '\\')
+ i--;
+ break; /* it gets nulled-out below */
+ }
+ else if (acl_buf[i] == '\n') {
+ if (i == 0 || acl_buf[i-1] != '\\')
+ break; /* empty line or normal end of line */
+ else {
+ i -= 2; /* back up over "\\\n" and continue */
+ line_incr++;
+ }
+ }
+ }
+ /* Check if we exceeded our buffer size */
+ if (i == sizeof acl_buf && (i--, !feof(fp))) {
+ int c1 = acl_buf[i], c2;
+
+ krb5_klog_syslog(LOG_ERR, acl_line2long_msg, acl_acl_file, *lnp);
+ while ((c2 = fgetc(fp)) != EOF) {
+ if (c2 == '\n') {
+ if (c1 != '\\')
+ break;
+ line_incr++;
+ }
+ c1 = c2;
+ }
+ }
+ acl_buf[i] = '\0';
+ if (acl_buf[0] == (char) EOF) /* ptooey */
+ acl_buf[0] = '\0';
+ else
+ line_incr++;
+ if ((acl_buf[0] != '#') && (acl_buf[0] != '\0'))
+ domore = 0;
}
if (domore || (strlen(acl_buf) == 0))
- return((char *) NULL);
+ return((char *) NULL);
else
- return(acl_buf);
+ return(acl_buf);
}
/*
@@ -171,95 +172,95 @@ kadm5int_acl_parse_line(lp)
static char acle_ops[BUFSIZ];
static char acle_object[BUFSIZ];
static char acle_restrictions[BUFSIZ];
- aent_t *acle;
- char *op;
- int t, found, opok, nmatch;
+ aent_t *acle;
+ char *op;
+ int t, found, opok, nmatch;
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_parse_line(line=%20s)\n", lp));
+ ("* kadm5int_acl_parse_line(line=%20s)\n", lp));
/*
* Format is still simple:
* entry ::= [<whitespace>] <principal> <whitespace> <opstring>
- * [<whitespace> <target> [<whitespace> <restrictions>
- * [<whitespace>]]]
+ * [<whitespace> <target> [<whitespace> <restrictions>
+ * [<whitespace>]]]
*/
acle = (aent_t *) NULL;
acle_object[0] = '\0';
nmatch = sscanf(lp, "%s %s %s %[^\n]", acle_principal, acle_ops,
- acle_object, acle_restrictions);
+ acle_object, acle_restrictions);
if (nmatch >= 2) {
- acle = (aent_t *) malloc(sizeof(aent_t));
- if (acle) {
- acle->ae_next = (aent_t *) NULL;
- acle->ae_op_allowed = (krb5_int32) 0;
- acle->ae_target =
- (nmatch >= 3) ? strdup(acle_object) : (char *) NULL;
- acle->ae_target_bad = 0;
- acle->ae_target_princ = (krb5_principal) NULL;
- opok = 1;
- for (op=acle_ops; *op; op++) {
- char rop;
-
- rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op;
- found = 0;
- for (t=0; acl_op_table[t].ao_op; t++) {
- if (rop == acl_op_table[t].ao_op) {
- found = 1;
- if (rop == *op)
- acle->ae_op_allowed |= acl_op_table[t].ao_mask;
- else
- acle->ae_op_allowed &= ~acl_op_table[t].ao_mask;
- }
- }
- if (!found) {
- krb5_klog_syslog(LOG_ERR, acl_op_bad_msg, *op, lp);
- opok = 0;
- }
- }
- if (opok) {
- acle->ae_name = strdup(acle_principal);
- if (acle->ae_name) {
- acle->ae_principal = (krb5_principal) NULL;
- acle->ae_name_bad = 0;
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("A ACL entry %s -> opmask %x\n",
- acle->ae_name, acle->ae_op_allowed));
- }
- else {
- if (acle->ae_target)
- free(acle->ae_target);
- free(acle);
- acle = (aent_t *) NULL;
- }
- }
- else {
- if (acle->ae_target)
- free(acle->ae_target);
- free(acle);
- acle = (aent_t *) NULL;
- }
-
- if (acle) {
- if ( nmatch >= 4 ) {
- char *trailing;
-
- trailing = &acle_restrictions[strlen(acle_restrictions)-1];
- while ( isspace((int) *trailing) )
- trailing--;
- trailing[1] = '\0';
- acle->ae_restriction_string =
- strdup(acle_restrictions);
- }
- else {
- acle->ae_restriction_string = (char *) NULL;
- }
- acle->ae_restriction_bad = 0;
- acle->ae_restrictions = (restriction_t *) NULL;
- }
- }
+ acle = (aent_t *) malloc(sizeof(aent_t));
+ if (acle) {
+ acle->ae_next = (aent_t *) NULL;
+ acle->ae_op_allowed = (krb5_int32) 0;
+ acle->ae_target =
+ (nmatch >= 3) ? strdup(acle_object) : (char *) NULL;
+ acle->ae_target_bad = 0;
+ acle->ae_target_princ = (krb5_principal) NULL;
+ opok = 1;
+ for (op=acle_ops; *op; op++) {
+ char rop;
+
+ rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op;
+ found = 0;
+ for (t=0; acl_op_table[t].ao_op; t++) {
+ if (rop == acl_op_table[t].ao_op) {
+ found = 1;
+ if (rop == *op)
+ acle->ae_op_allowed |= acl_op_table[t].ao_mask;
+ else
+ acle->ae_op_allowed &= ~acl_op_table[t].ao_mask;
+ }
+ }
+ if (!found) {
+ krb5_klog_syslog(LOG_ERR, acl_op_bad_msg, *op, lp);
+ opok = 0;
+ }
+ }
+ if (opok) {
+ acle->ae_name = strdup(acle_principal);
+ if (acle->ae_name) {
+ acle->ae_principal = (krb5_principal) NULL;
+ acle->ae_name_bad = 0;
+ DPRINT(DEBUG_ACL, acl_debug_level,
+ ("A ACL entry %s -> opmask %x\n",
+ acle->ae_name, acle->ae_op_allowed));
+ }
+ else {
+ if (acle->ae_target)
+ free(acle->ae_target);
+ free(acle);
+ acle = (aent_t *) NULL;
+ }
+ }
+ else {
+ if (acle->ae_target)
+ free(acle->ae_target);
+ free(acle);
+ acle = (aent_t *) NULL;
+ }
+
+ if (acle) {
+ if ( nmatch >= 4 ) {
+ char *trailing;
+
+ trailing = &acle_restrictions[strlen(acle_restrictions)-1];
+ while ( isspace((int) *trailing) )
+ trailing--;
+ trailing[1] = '\0';
+ acle->ae_restriction_string =
+ strdup(acle_restrictions);
+ }
+ else {
+ acle->ae_restriction_string = (char *) NULL;
+ }
+ acle->ae_restriction_bad = 0;
+ acle->ae_restrictions = (restriction_t *) NULL;
+ }
+ }
}
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X kadm5int_acl_parse_line() = %x\n", (long) acle));
+ ("X kadm5int_acl_parse_line() = %x\n", (long) acle));
return(acle);
}
@@ -267,177 +268,177 @@ kadm5int_acl_parse_line(lp)
* kadm5int_acl_parse_restrictions() - Parse optional restrictions field
*
* Allowed restrictions are:
- * [+-]flagname (recognized by krb5_string_to_flags)
- * flag is forced to indicated value
- * -clearpolicy policy is forced clear
- * -policy pol policy is forced to be "pol"
- * -{expire,pwexpire,maxlife,maxrenewlife} deltat
- * associated value will be forced to
- * MIN(deltat, requested value)
+ * [+-]flagname (recognized by krb5_string_to_flags)
+ * flag is forced to indicated value
+ * -clearpolicy policy is forced clear
+ * -policy pol policy is forced to be "pol"
+ * -{expire,pwexpire,maxlife,maxrenewlife} deltat
+ * associated value will be forced to
+ * MIN(deltat, requested value)
*
* Returns: 0 on success, or system errors
*/
static krb5_error_code
kadm5int_acl_parse_restrictions(s, rpp)
- char *s;
- restriction_t **rpp;
+ char *s;
+ restriction_t **rpp;
{
- char *sp = NULL, *tp, *ap, *save;
- static const char *delims = "\t\n\f\v\r ,";
- krb5_deltat dt;
- krb5_flags flag;
- krb5_error_code code;
+ char *sp = NULL, *tp, *ap, *save;
+ static const char *delims = "\t\n\f\v\r ,";
+ krb5_deltat dt;
+ krb5_flags flag;
+ krb5_error_code code;
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
+ DPRINT(DEBUG_CALLS, acl_debug_level,
+ ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
*rpp = (restriction_t *) NULL;
code = 0;
if (s) {
- if (!(sp = strdup(s)) /* Don't munge the original */
- || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) {
- code = ENOMEM;
- } else {
- memset(*rpp, 0, sizeof(**rpp));
- for (tp = strtok_r(sp, delims, &save); tp;
- tp = strtok_r(NULL, delims, &save)) {
- flag = 0;
- if (!krb5_string_to_flags(tp, "+", "-", &flag)) {
- /* OK, but was it in the positive or negative sense? */
- if (flag) {
- (*rpp)->require_attrs |= flag;
- } else {
- flag = ~0;
- (void) krb5_string_to_flags(tp, "+", "-", &flag);
- (*rpp)->forbid_attrs |= ~flag;
- }
- (*rpp)->mask |= KADM5_ATTRIBUTES;
- } else if (!strcmp(tp, "-clearpolicy")) {
- (*rpp)->mask |= KADM5_POLICY_CLR;
- } else {
- /* everything else needs an argument ... */
- if (!(ap = strtok_r(NULL, delims, &save))) {
- code = EINVAL;
- break;
- }
- if (!strcmp(tp, "-policy")) {
- if (!((*rpp)->policy = strdup(ap))) {
- code = ENOMEM;
- break;
- }
- (*rpp)->mask |= KADM5_POLICY;
- } else {
- /* all other arguments must be a deltat ... */
- if (krb5_string_to_deltat(ap, &dt)) {
- code = EINVAL;
- break;
- }
- if (!strcmp(tp, "-expire")) {
- (*rpp)->princ_lifetime = dt;
- (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME;
- } else if (!strcmp(tp, "-pwexpire")) {
- (*rpp)->pw_lifetime = dt;
- (*rpp)->mask |= KADM5_PW_EXPIRATION;
- } else if (!strcmp(tp, "-maxlife")) {
- (*rpp)->max_life = dt;
- (*rpp)->mask |= KADM5_MAX_LIFE;
- } else if (!strcmp(tp, "-maxrenewlife")) {
- (*rpp)->max_renewable_life = dt;
- (*rpp)->mask |= KADM5_MAX_RLIFE;
- } else {
- code = EINVAL;
- break;
- }
- }
- }
- }
- }
+ if (!(sp = strdup(s)) /* Don't munge the original */
+ || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) {
+ code = ENOMEM;
+ } else {
+ memset(*rpp, 0, sizeof(**rpp));
+ for (tp = strtok_r(sp, delims, &save); tp;
+ tp = strtok_r(NULL, delims, &save)) {
+ flag = 0;
+ if (!krb5_string_to_flags(tp, "+", "-", &flag)) {
+ /* OK, but was it in the positive or negative sense? */
+ if (flag) {
+ (*rpp)->require_attrs |= flag;
+ } else {
+ flag = ~0;
+ (void) krb5_string_to_flags(tp, "+", "-", &flag);
+ (*rpp)->forbid_attrs |= ~flag;
+ }
+ (*rpp)->mask |= KADM5_ATTRIBUTES;
+ } else if (!strcmp(tp, "-clearpolicy")) {
+ (*rpp)->mask |= KADM5_POLICY_CLR;
+ } else {
+ /* everything else needs an argument ... */
+ if (!(ap = strtok_r(NULL, delims, &save))) {
+ code = EINVAL;
+ break;
+ }
+ if (!strcmp(tp, "-policy")) {
+ if (!((*rpp)->policy = strdup(ap))) {
+ code = ENOMEM;
+ break;
+ }
+ (*rpp)->mask |= KADM5_POLICY;
+ } else {
+ /* all other arguments must be a deltat ... */
+ if (krb5_string_to_deltat(ap, &dt)) {
+ code = EINVAL;
+ break;
+ }
+ if (!strcmp(tp, "-expire")) {
+ (*rpp)->princ_lifetime = dt;
+ (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME;
+ } else if (!strcmp(tp, "-pwexpire")) {
+ (*rpp)->pw_lifetime = dt;
+ (*rpp)->mask |= KADM5_PW_EXPIRATION;
+ } else if (!strcmp(tp, "-maxlife")) {
+ (*rpp)->max_life = dt;
+ (*rpp)->mask |= KADM5_MAX_LIFE;
+ } else if (!strcmp(tp, "-maxrenewlife")) {
+ (*rpp)->max_renewable_life = dt;
+ (*rpp)->mask |= KADM5_MAX_RLIFE;
+ } else {
+ code = EINVAL;
+ break;
+ }
+ }
+ }
+ }
+ }
}
if (sp)
- free(sp);
+ free(sp);
if (*rpp && code) {
- if ((*rpp)->policy)
- free((*rpp)->policy);
- free(*rpp);
- *rpp = (restriction_t *) NULL;
+ if ((*rpp)->policy)
+ free((*rpp)->policy);
+ free(*rpp);
+ *rpp = (restriction_t *) NULL;
}
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n",
- code, (*rpp) ? (*rpp)->mask : 0));
+ ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n",
+ code, (*rpp) ? (*rpp)->mask : 0));
return code;
}
/*
- * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp
+ * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp
*
* Returns: 0 on success;
- * malloc or timeofday errors
+ * malloc or timeofday errors
*/
krb5_error_code
kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
- krb5_context kcontext;
- kadm5_principal_ent_rec *recp;
- long *maskp;
- restriction_t *rp;
+ krb5_context kcontext;
+ kadm5_principal_ent_rec *recp;
+ long *maskp;
+ restriction_t *rp;
{
- krb5_error_code code;
- krb5_int32 now;
+ krb5_error_code code;
+ krb5_int32 now;
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
- *maskp, (long)rp));
+ ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
+ *maskp, (long)rp));
if (!rp)
- return 0;
+ return 0;
if (rp->mask & (KADM5_PRINC_EXPIRE_TIME|KADM5_PW_EXPIRATION))
- if ((code = krb5_timeofday(kcontext, &now)))
- return code;
+ if ((code = krb5_timeofday(kcontext, &now)))
+ return code;
if (rp->mask & KADM5_ATTRIBUTES) {
- recp->attributes |= rp->require_attrs;
- recp->attributes &= ~(rp->forbid_attrs);
- *maskp |= KADM5_ATTRIBUTES;
+ recp->attributes |= rp->require_attrs;
+ recp->attributes &= ~(rp->forbid_attrs);
+ *maskp |= KADM5_ATTRIBUTES;
}
if (rp->mask & KADM5_POLICY_CLR) {
- *maskp &= ~KADM5_POLICY;
- *maskp |= KADM5_POLICY_CLR;
+ *maskp &= ~KADM5_POLICY;
+ *maskp |= KADM5_POLICY_CLR;
} else if (rp->mask & KADM5_POLICY) {
- if (recp->policy && strcmp(recp->policy, rp->policy)) {
- free(recp->policy);
- recp->policy = (char *) NULL;
- }
- if (!recp->policy) {
- recp->policy = strdup(rp->policy); /* XDR will free it */
- if (!recp->policy)
- return ENOMEM;
- }
- *maskp |= KADM5_POLICY;
+ if (recp->policy && strcmp(recp->policy, rp->policy)) {
+ free(recp->policy);
+ recp->policy = (char *) NULL;
+ }
+ if (!recp->policy) {
+ recp->policy = strdup(rp->policy); /* XDR will free it */
+ if (!recp->policy)
+ return ENOMEM;
+ }
+ *maskp |= KADM5_POLICY;
}
if (rp->mask & KADM5_PRINC_EXPIRE_TIME) {
- if (!(*maskp & KADM5_PRINC_EXPIRE_TIME)
- || (recp->princ_expire_time > (now + rp->princ_lifetime)))
- recp->princ_expire_time = now + rp->princ_lifetime;
- *maskp |= KADM5_PRINC_EXPIRE_TIME;
+ if (!(*maskp & KADM5_PRINC_EXPIRE_TIME)
+ || (recp->princ_expire_time > (now + rp->princ_lifetime)))
+ recp->princ_expire_time = now + rp->princ_lifetime;
+ *maskp |= KADM5_PRINC_EXPIRE_TIME;
}
if (rp->mask & KADM5_PW_EXPIRATION) {
- if (!(*maskp & KADM5_PW_EXPIRATION)
- || (recp->pw_expiration > (now + rp->pw_lifetime)))
- recp->pw_expiration = now + rp->pw_lifetime;
- *maskp |= KADM5_PW_EXPIRATION;
+ if (!(*maskp & KADM5_PW_EXPIRATION)
+ || (recp->pw_expiration > (now + rp->pw_lifetime)))
+ recp->pw_expiration = now + rp->pw_lifetime;
+ *maskp |= KADM5_PW_EXPIRATION;
}
if (rp->mask & KADM5_MAX_LIFE) {
- if (!(*maskp & KADM5_MAX_LIFE)
- || (recp->max_life > rp->max_life))
- recp->max_life = rp->max_life;
- *maskp |= KADM5_MAX_LIFE;
+ if (!(*maskp & KADM5_MAX_LIFE)
+ || (recp->max_life > rp->max_life))
+ recp->max_life = rp->max_life;
+ *maskp |= KADM5_MAX_LIFE;
}
if (rp->mask & KADM5_MAX_RLIFE) {
- if (!(*maskp & KADM5_MAX_RLIFE)
- || (recp->max_renewable_life > rp->max_renewable_life))
- recp->max_renewable_life = rp->max_renewable_life;
- *maskp |= KADM5_MAX_RLIFE;
+ if (!(*maskp & KADM5_MAX_RLIFE)
+ || (recp->max_renewable_life > rp->max_renewable_life))
+ recp->max_renewable_life = rp->max_renewable_life;
+ *maskp |= KADM5_MAX_RLIFE;
}
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
+ ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
return 0;
}
@@ -447,28 +448,28 @@ kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
static void
kadm5int_acl_free_entries()
{
- aent_t *ap;
- aent_t *np;
+ aent_t *ap;
+ aent_t *np;
DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n"));
for (ap=acl_list_head; ap; ap = np) {
- if (ap->ae_name)
- free(ap->ae_name);
- if (ap->ae_principal)
- krb5_free_principal((krb5_context) NULL, ap->ae_principal);
- if (ap->ae_target)
- free(ap->ae_target);
- if (ap->ae_target_princ)
- krb5_free_principal((krb5_context) NULL, ap->ae_target_princ);
- if (ap->ae_restriction_string)
- free(ap->ae_restriction_string);
- if (ap->ae_restrictions) {
- if (ap->ae_restrictions->policy)
- free(ap->ae_restrictions->policy);
- free(ap->ae_restrictions);
- }
- np = ap->ae_next;
- free(ap);
+ if (ap->ae_name)
+ free(ap->ae_name);
+ if (ap->ae_principal)
+ krb5_free_principal((krb5_context) NULL, ap->ae_principal);
+ if (ap->ae_target)
+ free(ap->ae_target);
+ if (ap->ae_target_princ)
+ krb5_free_principal((krb5_context) NULL, ap->ae_target_princ);
+ if (ap->ae_restriction_string)
+ free(ap->ae_restriction_string);
+ if (ap->ae_restrictions) {
+ if (ap->ae_restrictions->policy)
+ free(ap->ae_restrictions->policy);
+ free(ap->ae_restrictions);
+ }
+ np = ap->ae_next;
+ free(ap);
}
acl_list_head = acl_list_tail = (aent_t *) NULL;
acl_inited = 0;
@@ -476,250 +477,250 @@ kadm5int_acl_free_entries()
}
/*
- * kadm5int_acl_load_acl_file() - Open and parse the ACL file.
+ * kadm5int_acl_load_acl_file() - Open and parse the ACL file.
*/
static int
kadm5int_acl_load_acl_file()
{
- FILE *afp;
- char *alinep;
- aent_t **aentpp;
- int alineno;
- int retval = 1;
+ FILE *afp;
+ char *alinep;
+ aent_t **aentpp;
+ int alineno;
+ int retval = 1;
DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n"));
/* Open the ACL file for read */
afp = fopen(acl_acl_file, "r");
if (afp) {
- set_cloexec_file(afp);
- alineno = 1;
- aentpp = &acl_list_head;
-
- /* Get a non-comment line */
- while ((alinep = kadm5int_acl_get_line(afp, &alineno))) {
- /* Parse it */
- *aentpp = kadm5int_acl_parse_line(alinep);
- /* If syntax error, then fall out */
- if (!*aentpp) {
- krb5_klog_syslog(LOG_ERR, acl_syn_err_msg,
- acl_acl_file, alineno, alinep);
- retval = 0;
- break;
- }
- acl_list_tail = *aentpp;
- aentpp = &(*aentpp)->ae_next;
- }
-
- fclose(afp);
-
- if (acl_catchall_entry) {
- *aentpp = kadm5int_acl_parse_line(acl_catchall_entry);
- if (*aentpp) {
- acl_list_tail = *aentpp;
- }
- else {
- retval = 0;
- DPRINT(DEBUG_OPERATION, acl_debug_level,
- ("> catchall acl entry (%s) load failed\n",
- acl_catchall_entry));
- }
- }
+ set_cloexec_file(afp);
+ alineno = 1;
+ aentpp = &acl_list_head;
+
+ /* Get a non-comment line */
+ while ((alinep = kadm5int_acl_get_line(afp, &alineno))) {
+ /* Parse it */
+ *aentpp = kadm5int_acl_parse_line(alinep);
+ /* If syntax error, then fall out */
+ if (!*aentpp) {
+ krb5_klog_syslog(LOG_ERR, acl_syn_err_msg,
+ acl_acl_file, alineno, alinep);
+ retval = 0;
+ break;
+ }
+ acl_list_tail = *aentpp;
+ aentpp = &(*aentpp)->ae_next;
+ }
+
+ fclose(afp);
+
+ if (acl_catchall_entry) {
+ *aentpp = kadm5int_acl_parse_line(acl_catchall_entry);
+ if (*aentpp) {
+ acl_list_tail = *aentpp;
+ }
+ else {
+ retval = 0;
+ DPRINT(DEBUG_OPERATION, acl_debug_level,
+ ("> catchall acl entry (%s) load failed\n",
+ acl_catchall_entry));
+ }
+ }
}
else {
- krb5_klog_syslog(LOG_ERR, acl_cantopen_msg,
- error_message(errno), acl_acl_file);
- if (acl_catchall_entry &&
- (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) {
- acl_list_tail = acl_list_head;
- }
- else {
- retval = 0;
- DPRINT(DEBUG_OPERATION, acl_debug_level,
- ("> catchall acl entry (%s) load failed\n",
- acl_catchall_entry));
- }
+ krb5_klog_syslog(LOG_ERR, acl_cantopen_msg,
+ error_message(errno), acl_acl_file);
+ if (acl_catchall_entry &&
+ (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) {
+ acl_list_tail = acl_list_head;
+ }
+ else {
+ retval = 0;
+ DPRINT(DEBUG_OPERATION, acl_debug_level,
+ ("> catchall acl entry (%s) load failed\n",
+ acl_catchall_entry));
+ }
}
if (!retval) {
- kadm5int_acl_free_entries();
+ kadm5int_acl_free_entries();
}
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X kadm5int_acl_load_acl_file() = %d\n", retval));
+ ("X kadm5int_acl_load_acl_file() = %d\n", retval));
return(retval);
}
/*
- * kadm5int_acl_match_data() - See if two data entries match.
+ * kadm5int_acl_match_data() - See if two data entries match.
*
* Wildcarding is only supported for a whole component.
*/
static krb5_boolean
kadm5int_acl_match_data(e1, e2, targetflag, ws)
- krb5_data *e1, *e2;
- int targetflag;
- wildstate_t *ws;
+ krb5_data *e1, *e2;
+ int targetflag;
+ wildstate_t *ws;
{
- krb5_boolean retval;
+ krb5_boolean retval;
- DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
+ DPRINT(DEBUG_CALLS, acl_debug_level,
+ ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
retval = 0;
if (!strncmp(e1->data, "*", e1->length)) {
- retval = 1;
- if (ws && !targetflag) {
- if (ws->nwild >= 9) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Too many wildcards in ACL entry %s\n", entry->ae_name));
- }
- else
- ws->backref[ws->nwild++] = e2;
- }
+ retval = 1;
+ if (ws && !targetflag) {
+ if (ws->nwild >= 9) {
+ DPRINT(DEBUG_ACL, acl_debug_level,
+ ("Too many wildcards in ACL entry %s\n", entry->ae_name));
+ }
+ else
+ ws->backref[ws->nwild++] = e2;
+ }
}
else if (ws && targetflag && (e1->length == 2) && (e1->data[0] == '*') &&
- (e1->data[1] >= '1') && (e1->data[1] <= '9')) {
- int n = e1->data[1] - '1';
- if (n >= ws->nwild) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Too many backrefs in ACL entry %s\n", entry->ae_name));
- }
- else if ((ws->backref[n]->length == e2->length) &&
- (!strncmp(ws->backref[n]->data, e2->data, e2->length)))
- retval = 1;
-
+ (e1->data[1] >= '1') && (e1->data[1] <= '9')) {
+ int n = e1->data[1] - '1';
+ if (n >= ws->nwild) {
+ DPRINT(DEBUG_ACL, acl_debug_level,
+ ("Too many backrefs in ACL entry %s\n", entry->ae_name));
+ }
+ else if ((ws->backref[n]->length == e2->length) &&
+ (!strncmp(ws->backref[n]->data, e2->data, e2->length)))
+ retval = 1;
+
}
else {
- if ((e1->length == e2->length) &&
- (!strncmp(e1->data, e2->data, e1->length)))
- retval = 1;
+ if ((e1->length == e2->length) &&
+ (!strncmp(e1->data, e2->data, e1->length)))
+ retval = 1;
}
DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_match_entry()=%d\n",retval));
return(retval);
}
/*
- * kadm5int_acl_find_entry() - Find a matching entry.
+ * kadm5int_acl_find_entry() - Find a matching entry.
*/
static aent_t *
kadm5int_acl_find_entry(kcontext, principal, dest_princ)
- krb5_context kcontext;
- krb5_principal principal;
- krb5_principal dest_princ;
+ krb5_context kcontext;
+ krb5_principal principal;
+ krb5_principal dest_princ;
{
- aent_t *entry;
- krb5_error_code kret;
- int i;
- int matchgood;
- wildstate_t state;
+ aent_t *entry;
+ krb5_error_code kret;
+ int i;
+ int matchgood;
+ wildstate_t state;
DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
memset(&state, 0, sizeof state);
for (entry=acl_list_head; entry; entry = entry->ae_next) {
- if (entry->ae_name_bad)
- continue;
- if (!strcmp(entry->ae_name, "*")) {
- DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n"));
- matchgood = 1;
- }
- else {
- if (!entry->ae_principal && !entry->ae_name_bad) {
- kret = krb5_parse_name(kcontext,
- entry->ae_name,
- &entry->ae_principal);
- if (kret)
- entry->ae_name_bad = 1;
- }
- if (entry->ae_name_bad) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Bad ACL entry %s\n", entry->ae_name));
- continue;
- }
- matchgood = 0;
- if (kadm5int_acl_match_data(&entry->ae_principal->realm,
- &principal->realm, 0, (wildstate_t *)0) &&
- (entry->ae_principal->length == principal->length)) {
- matchgood = 1;
- for (i=0; i<principal->length; i++) {
- if (!kadm5int_acl_match_data(&entry->ae_principal->data[i],
- &principal->data[i], 0, &state)) {
- matchgood = 0;
- break;
- }
- }
- }
- }
- if (!matchgood)
- continue;
-
- /* We've matched the principal. If we have a target, then try it */
- if (entry->ae_target && strcmp(entry->ae_target, "*")) {
- if (!entry->ae_target_princ && !entry->ae_target_bad) {
- kret = krb5_parse_name(kcontext, entry->ae_target,
- &entry->ae_target_princ);
- if (kret)
- entry->ae_target_bad = 1;
- }
- if (entry->ae_target_bad) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Bad target in ACL entry for %s\n", entry->ae_name));
- entry->ae_name_bad = 1;
- continue;
- }
- if (!dest_princ)
- matchgood = 0;
- else if (entry->ae_target_princ && dest_princ) {
- if (kadm5int_acl_match_data(&entry->ae_target_princ->realm,
- &dest_princ->realm, 1, (wildstate_t *)0) &&
- (entry->ae_target_princ->length == dest_princ->length)) {
- for (i=0; i<dest_princ->length; i++) {
- if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i],
- &dest_princ->data[i], 1, &state)) {
- matchgood = 0;
- break;
- }
- }
- }
- else
- matchgood = 0;
- }
+ if (entry->ae_name_bad)
+ continue;
+ if (!strcmp(entry->ae_name, "*")) {
+ DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n"));
+ matchgood = 1;
}
- if (!matchgood)
- continue;
-
- if (entry->ae_restriction_string
- && !entry->ae_restriction_bad
- && !entry->ae_restrictions
- && kadm5int_acl_parse_restrictions(entry->ae_restriction_string,
- &entry->ae_restrictions)) {
- DPRINT(DEBUG_ACL, acl_debug_level,
- ("Bad restrictions in ACL entry for %s\n", entry->ae_name));
- entry->ae_restriction_bad = 1;
- }
- if (entry->ae_restriction_bad) {
- entry->ae_name_bad = 1;
- continue;
- }
- break;
+ else {
+ if (!entry->ae_principal && !entry->ae_name_bad) {
+ kret = krb5_parse_name(kcontext,
+ entry->ae_name,
+ &entry->ae_principal);
+ if (kret)
+ entry->ae_name_bad = 1;
+ }
+ if (entry->ae_name_bad) {
+ DPRINT(DEBUG_ACL, acl_debug_level,
+ ("Bad ACL entry %s\n", entry->ae_name));
+ continue;
+ }
+ matchgood = 0;
+ if (kadm5int_acl_match_data(&entry->ae_principal->realm,
+ &principal->realm, 0, (wildstate_t *)0) &&
+ (entry->ae_principal->length == principal->length)) {
+ matchgood = 1;
+ for (i=0; i<principal->length; i++) {
+ if (!kadm5int_acl_match_data(&entry->ae_principal->data[i],
+ &principal->data[i], 0, &state)) {
+ matchgood = 0;
+ break;
+ }
+ }
+ }
+ }
+ if (!matchgood)
+ continue;
+
+ /* We've matched the principal. If we have a target, then try it */
+ if (entry->ae_target && strcmp(entry->ae_target, "*")) {
+ if (!entry->ae_target_princ && !entry->ae_target_bad) {
+ kret = krb5_parse_name(kcontext, entry->ae_target,
+ &entry->ae_target_princ);
+ if (kret)
+ entry->ae_target_bad = 1;
+ }
+ if (entry->ae_target_bad) {
+ DPRINT(DEBUG_ACL, acl_debug_level,
+ ("Bad target in ACL entry for %s\n", entry->ae_name));
+ entry->ae_name_bad = 1;
+ continue;
+ }
+ if (!dest_princ)
+ matchgood = 0;
+ else if (entry->ae_target_princ && dest_princ) {
+ if (kadm5int_acl_match_data(&entry->ae_target_princ->realm,
+ &dest_princ->realm, 1, (wildstate_t *)0) &&
+ (entry->ae_target_princ->length == dest_princ->length)) {
+ for (i=0; i<dest_princ->length; i++) {
+ if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i],
+ &dest_princ->data[i], 1, &state)) {
+ matchgood = 0;
+ break;
+ }
+ }
+ }
+ else
+ matchgood = 0;
+ }
+ }
+ if (!matchgood)
+ continue;
+
+ if (entry->ae_restriction_string
+ && !entry->ae_restriction_bad
+ && !entry->ae_restrictions
+ && kadm5int_acl_parse_restrictions(entry->ae_restriction_string,
+ &entry->ae_restrictions)) {
+ DPRINT(DEBUG_ACL, acl_debug_level,
+ ("Bad restrictions in ACL entry for %s\n", entry->ae_name));
+ entry->ae_restriction_bad = 1;
+ }
+ if (entry->ae_restriction_bad) {
+ entry->ae_name_bad = 1;
+ continue;
+ }
+ break;
}
DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry));
return(entry);
}
/*
- * kadm5int_acl_init() - Initialize ACL context.
+ * kadm5int_acl_init() - Initialize ACL context.
*/
krb5_error_code
kadm5int_acl_init(kcontext, debug_level, acl_file)
- krb5_context kcontext;
- int debug_level;
- char *acl_file;
+ krb5_context kcontext;
+ int debug_level;
+ char *acl_file;
{
- krb5_error_code kret;
+ krb5_error_code kret;
kret = 0;
acl_debug_level = debug_level;
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* kadm5int_acl_init(afile=%s)\n",
- ((acl_file) ? acl_file : "(null)")));
+ ("* kadm5int_acl_init(afile=%s)\n",
+ ((acl_file) ? acl_file : "(null)")));
acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL;
acl_inited = kadm5int_acl_load_acl_file();
@@ -728,12 +729,12 @@ kadm5int_acl_init(kcontext, debug_level, acl_file)
}
/*
- * kadm5int_acl_finish - Terminate ACL context.
+ * kadm5int_acl_finish - Terminate ACL context.
*/
void
kadm5int_acl_finish(kcontext, debug_level)
- krb5_context kcontext;
- int debug_level;
+ krb5_context kcontext;
+ int debug_level;
{
DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n"));
kadm5int_acl_free_entries();
@@ -741,18 +742,18 @@ kadm5int_acl_finish(kcontext, debug_level)
}
/*
- * kadm5int_acl_check_krb() - Is this operation permitted for this principal?
+ * kadm5int_acl_check_krb() - Is this operation permitted for this principal?
*/
krb5_boolean
kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions)
- krb5_context kcontext;
+ krb5_context kcontext;
krb5_const_principal caller_princ;
- krb5_int32 opmask;
+ krb5_int32 opmask;
krb5_const_principal principal;
- restriction_t **restrictions;
+ restriction_t **restrictions;
{
- krb5_boolean retval;
- aent_t *aentry;
+ krb5_boolean retval;
+ aent_t *aentry;
DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
@@ -760,59 +761,59 @@ kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions)
aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
if (aentry) {
- if ((aentry->ae_op_allowed & opmask) == opmask) {
- retval = TRUE;
- if (restrictions) {
- *restrictions =
- (aentry->ae_restrictions && aentry->ae_restrictions->mask)
- ? aentry->ae_restrictions
- : (restriction_t *) NULL;
- }
- }
+ if ((aentry->ae_op_allowed & opmask) == opmask) {
+ retval = TRUE;
+ if (restrictions) {
+ *restrictions =
+ (aentry->ae_restrictions && aentry->ae_restrictions->mask)
+ ? aentry->ae_restrictions
+ : (restriction_t *) NULL;
+ }
+ }
}
DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
- retval));
+ retval));
return retval;
}
/*
- * kadm5int_acl_check() - Is this operation permitted for this principal?
- * this code used not to be based on gssapi. In order
- * to minimize porting hassles, I've put all the
- * gssapi hair in this function. This might not be
- * the best medium-term solution. (The best long-term
- * solution is, of course, a real authorization service.)
+ * kadm5int_acl_check() - Is this operation permitted for this principal?
+ * this code used not to be based on gssapi. In order
+ * to minimize porting hassles, I've put all the
+ * gssapi hair in this function. This might not be
+ * the best medium-term solution. (The best long-term
+ * solution is, of course, a real authorization service.)
*/
krb5_boolean
kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
- krb5_context kcontext;
- gss_name_t caller;
- krb5_int32 opmask;
- krb5_principal principal;
- restriction_t **restrictions;
+ krb5_context kcontext;
+ gss_name_t caller;
+ krb5_int32 opmask;
+ krb5_principal principal;
+ restriction_t **restrictions;
{
- krb5_boolean retval;
- gss_buffer_desc caller_buf;
- gss_OID caller_oid;
- OM_uint32 emaj, emin;
- krb5_error_code code;
- krb5_principal caller_princ;
+ krb5_boolean retval;
+ gss_buffer_desc caller_buf;
+ gss_OID caller_oid;
+ OM_uint32 emaj, emin;
+ krb5_error_code code;
+ krb5_principal caller_princ;
if (GSS_ERROR(emaj = gss_display_name(&emin, caller, &caller_buf,
- &caller_oid)))
- return FALSE;
+ &caller_oid)))
+ return FALSE;
code = krb5_parse_name(kcontext, (char *) caller_buf.value,
- &caller_princ);
+ &caller_princ);
gss_release_buffer(&emin, &caller_buf);
if (code != 0)
- return FALSE;
+ return FALSE;
retval = kadm5int_acl_check_krb(kcontext, caller_princ,
- opmask, principal, restrictions);
+ opmask, principal, restrictions);
krb5_free_principal(kcontext, caller_princ);
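Review bot: In kadm5int_acl_check the caller_oid returned by gss_display_name is never examined within the hunk, and caller_buf.length is ignored when `(char *) caller_buf.value` is handed to krb5_parse_name, so the authorization decision relies on the displayed name being a NUL-terminated Kerberos principal string. That presumably holds for the krb5 mechanism this server is built around, but it is an assumption worth recording, since a name in any other form would be parsed as a principal in the default realm. A comment above the krb5_parse_name call such as `/* Assumes the krb5 mechanism: the display form is a NUL-terminated principal string */` would make it explicit; alternatively copy caller_buf.length bytes into a terminated buffer before parsing. kadm5int_acl_check's final return lies outside the hunk.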
@@ -822,13 +823,13 @@ kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
kadm5_ret_t
kadm5_get_privs(void *server_handle, long *privs)
{
- CHECK_HANDLE(server_handle);
+ CHECK_HANDLE(server_handle);
- /* this is impossible to do with the current interface. For now,
- return all privs, which will confuse some clients, but not
- deny any access to users of "smart" clients which try to cache */
+ /* this is impossible to do with the current interface. For now,
+ return all privs, which will confuse some clients, but not
+ deny any access to users of "smart" clients which try to cache */
- *privs = ~0;
+ *privs = ~0;
- return KADM5_OK;
+ return KADM5_OK;
}
diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h
index c4c478993f..b76fbb52a4 100644
--- a/src/lib/kadm5/srv/server_acl.h
+++ b/src/lib/kadm5/srv/server_acl.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kadm5/srv/server_acl.h
*
@@ -25,85 +26,85 @@
*
*/
-#ifndef SERVER_ACL_H__
-#define SERVER_ACL_H__
+#ifndef SERVER_ACL_H__
+#define SERVER_ACL_H__
/*
* Debug definitions.
*/
-#define DEBUG_SPROC 1
-#define DEBUG_OPERATION 2
-#define DEBUG_HOST 4
-#define DEBUG_REALM 8
-#define DEBUG_REQUESTS 16
-#define DEBUG_ACL 32
-#define DEBUG_PROTO 64
-#define DEBUG_CALLS 128
-#define DEBUG_NOSLAVES 256
-#ifdef DEBUG
-#define DPRINT(l1, cl, al) if ((cl & l1) != 0) xprintf al
-#else /* DEBUG */
-#define DPRINT(l1, cl, al)
-#endif /* DEBUG */
+#define DEBUG_SPROC 1
+#define DEBUG_OPERATION 2
+#define DEBUG_HOST 4
+#define DEBUG_REALM 8
+#define DEBUG_REQUESTS 16
+#define DEBUG_ACL 32
+#define DEBUG_PROTO 64
+#define DEBUG_CALLS 128
+#define DEBUG_NOSLAVES 256
+#ifdef DEBUG
+#define DPRINT(l1, cl, al) if ((cl & l1) != 0) xprintf al
+#else /* DEBUG */
+#define DPRINT(l1, cl, al)
+#endif /* DEBUG */
/*
* Access control bits.
*/
-#define ACL_ADD 1
-#define ACL_DELETE 2
-#define ACL_MODIFY 4
-#define ACL_CHANGEPW 8
-/* #define ACL_CHANGE_OWN_PW 16 */
-#define ACL_INQUIRE 32
-/* #define ACL_EXTRACT 64 */
-#define ACL_LIST 128
-#define ACL_SETKEY 256
-#define ACL_IPROP 512
-#define ACL_RENAME (ACL_ADD+ACL_DELETE)
+#define ACL_ADD 1
+#define ACL_DELETE 2
+#define ACL_MODIFY 4
+#define ACL_CHANGEPW 8
+/* #define ACL_CHANGE_OWN_PW 16 */
+#define ACL_INQUIRE 32
+/* #define ACL_EXTRACT 64 */
+#define ACL_LIST 128
+#define ACL_SETKEY 256
+#define ACL_IPROP 512
+#define ACL_RENAME (ACL_ADD+ACL_DELETE)
-#define ACL_ALL_MASK (ACL_ADD | \
- ACL_DELETE | \
- ACL_MODIFY | \
- ACL_CHANGEPW | \
- ACL_INQUIRE | \
- ACL_LIST | \
- ACL_IPROP | \
- ACL_SETKEY)
+#define ACL_ALL_MASK (ACL_ADD | \
+ ACL_DELETE | \
+ ACL_MODIFY | \
+ ACL_CHANGEPW | \
+ ACL_INQUIRE | \
+ ACL_LIST | \
+ ACL_IPROP | \
+ ACL_SETKEY)
typedef struct _restriction {
- long mask;
- krb5_flags require_attrs;
- krb5_flags forbid_attrs;
- krb5_deltat princ_lifetime;
- krb5_deltat pw_lifetime;
- krb5_deltat max_life;
- krb5_deltat max_renewable_life;
- long aux_attributes;
- char *policy;
+ long mask;
+ krb5_flags require_attrs;
+ krb5_flags forbid_attrs;
+ krb5_deltat princ_lifetime;
+ krb5_deltat pw_lifetime;
+ krb5_deltat max_life;
+ krb5_deltat max_renewable_life;
+ long aux_attributes;
+ char *policy;
} restriction_t;
krb5_error_code kadm5int_acl_init
- (krb5_context,
- int,
- char *);
+(krb5_context,
+ int,
+ char *);
void kadm5int_acl_finish
- (krb5_context,
- int);
+(krb5_context,
+ int);
krb5_boolean kadm5int_acl_check
- (krb5_context,
- gss_name_t,
- krb5_int32,
- krb5_principal,
- restriction_t **);
+(krb5_context,
+ gss_name_t,
+ krb5_int32,
+ krb5_principal,
+ restriction_t **);
krb5_boolean kadm5int_acl_check_krb
- (krb5_context,
- krb5_const_principal,
- krb5_int32,
- krb5_const_principal,
- restriction_t **);
+(krb5_context,
+ krb5_const_principal,
+ krb5_int32,
+ krb5_const_principal,
+ restriction_t **);
krb5_error_code kadm5int_acl_impose_restrictions
- (krb5_context,
- kadm5_principal_ent_rec *,
- long *,
- restriction_t *);
-#endif /* SERVER_ACL_H__ */
+(krb5_context,
+ kadm5_principal_ent_rec *,
+ long *,
+ restriction_t *);
+#endif /* SERVER_ACL_H__ */
diff --git a/src/lib/kadm5/srv/server_dict.c b/src/lib/kadm5/srv/server_dict.c
index 8129994f35..81cc5f9970 100644
--- a/src/lib/kadm5/srv/server_dict.c
+++ b/src/lib/kadm5/srv/server_dict.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -26,24 +27,24 @@ static char *rcsid = "$Header$";
#include "server_internal.h"
#include "k5-platform.h"
-static char **word_list = NULL; /* list of word pointers */
-static char *word_block = NULL; /* actual word data */
-static unsigned int word_count = 0; /* number of words */
+static char **word_list = NULL; /* list of word pointers */
+static char *word_block = NULL; /* actual word data */
+static unsigned int word_count = 0; /* number of words */
/*
* Function: word_compare
- *
+ *
* Purpose: compare two words in the dictionary.
*
* Arguments:
- * w1 (input) pointer to first word
- * w2 (input) pointer to second word
- * <return value> result of strcmp
+ * w1 (input) pointer to first word
+ * w2 (input) pointer to second word
+ * <return value> result of strcmp
*
* Requires:
- * w1 and w2 to point to valid memory
- *
+ * w1 and w2 to point to valid memory
+ *
*/
static int
@@ -54,81 +55,81 @@ word_compare(const void *s1, const void *s2)
/*
* Function: init-dict
- *
+ *
* Purpose: Initialize in memory word dictionary
*
* Arguments:
- * none
- * <return value> KADM5_OK on success errno on failure;
- * (but success on ENOENT)
+ * none
+ * <return value> KADM5_OK on success errno on failure;
+ * (but success on ENOENT)
*
* Requires:
- * If WORDFILE exists, it must contain a list of words,
- * one word per-line.
- *
+ * If WORDFILE exists, it must contain a list of words,
+ * one word per-line.
+ *
* Effects:
- * If WORDFILE exists, it is read into memory sorted for future
+ * If WORDFILE exists, it is read into memory sorted for future
* use. If it does not exist, it syslogs an error message and returns
* success.
*
* Modifies:
- * word_list to point to a chunck of allocated memory containing
- * pointers to words
- * word_block to contain the dictionary.
- *
+ * word_list to point to a chunck of allocated memory containing
+ * pointers to words
+ * word_block to contain the dictionary.
+ *
*/
int init_dict(kadm5_config_params *params)
{
- int fd,
- len,
- i;
- char *p,
- *t;
+ int fd,
+ len,
+ i;
+ char *p,
+ *t;
struct stat sb;
-
+
if(word_list != NULL && word_block != NULL)
- return KADM5_OK;
+ return KADM5_OK;
if (! (params->mask & KADM5_CONFIG_DICT_FILE)) {
- krb5_klog_syslog(LOG_INFO, "No dictionary file specified, continuing "
- "without one.");
- return KADM5_OK;
+ krb5_klog_syslog(LOG_INFO, "No dictionary file specified, continuing "
+ "without one.");
+ return KADM5_OK;
}
if ((fd = open(params->dict_file, O_RDONLY)) == -1) {
- if (errno == ENOENT) {
- krb5_klog_syslog(LOG_ERR,
- "WARNING! Cannot find dictionary file %s, "
- "continuing without one.", params->dict_file);
- return KADM5_OK;
- } else
- return errno;
+ if (errno == ENOENT) {
+ krb5_klog_syslog(LOG_ERR,
+ "WARNING! Cannot find dictionary file %s, "
+ "continuing without one.", params->dict_file);
+ return KADM5_OK;
+ } else
+ return errno;
}
set_cloexec_fd(fd);
if (fstat(fd, &sb) == -1) {
- close(fd);
- return errno;
+ close(fd);
+ return errno;
}
if ((word_block = (char *) malloc(sb.st_size + 1)) == NULL)
- return ENOMEM;
+ return ENOMEM;
if (read(fd, word_block, sb.st_size) != sb.st_size)
- return errno;
+ return errno;
(void) close(fd);
word_block[sb.st_size] = '\0';
p = word_block;
len = sb.st_size;
while(len > 0 && (t = memchr(p, '\n', len)) != NULL) {
- *t = '\0';
- len -= t - p + 1;
- p = t + 1;
- word_count++;
+ *t = '\0';
+ len -= t - p + 1;
+ p = t + 1;
+ word_count++;
}
if ((word_list = (char **) malloc(word_count * sizeof(char *))) == NULL)
- return ENOMEM;
+ return ENOMEM;
p = word_block;
for (i = 0; i < word_count; i++) {
- word_list[i] = p;
- p += strlen(p) + 1;
+ word_list[i] = p;
+ p += strlen(p) + 1;
}
qsort(word_list, word_count, sizeof(char *), word_compare);
return KADM5_OK;
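Review bot: init_dict leaks the open descriptor when the word_block malloc fails, and on a failed or short read it leaks both the descriptor and word_block while leaving word_block non-NULL, so the early `word_list != NULL && word_block != NULL` check no longer protects a retry and a later call re-allocates over the old block. A short read that sets no errno also returns whatever errno happened to hold before. The later word_list malloc failure likewise leaves word_block allocated and word_count nonzero. The fix below closes and frees on each path and saves errno before close() can clobber it; init_dict's closing brace is outside the hunk.
```c
    if ((word_block = (char *) malloc(sb.st_size + 1)) == NULL) {
        close(fd);
        return ENOMEM;
    }
    if (read(fd, word_block, sb.st_size) != sb.st_size) {
        int save_errno = errno;

        close(fd);
        free(word_block);
        word_block = NULL;
        return save_errno ? save_errno : EIO;
    }
    (void) close(fd);
    /* … unchanged: NUL-terminate the block, count and split the lines … */
    if ((word_list = (char **) malloc(word_count * sizeof(char *))) == NULL) {
        free(word_block);
        word_block = NULL;
        word_count = 0;
        return ENOMEM;
    }
```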
@@ -136,25 +137,25 @@ int init_dict(kadm5_config_params *params)
/*
* Function: find_word
- *
+ *
* Purpose: See if the specified word exists in the in-core dictionary
*
* Arguments:
- * word (input) word to search for.
- * <return value> WORD_NOT_FOUND if not in dictionary,
- * KADM5_OK if if found word
- * errno if init needs to be called and returns an
- * error
+ * word (input) word to search for.
+ * <return value> WORD_NOT_FOUND if not in dictionary,
+ * KADM5_OK if if found word
+ * errno if init needs to be called and returns an
+ * error
*
* Requires:
- * word to be a null terminated string.
- * That word_list and word_block besetup
- *
+ * word to be a null terminated string.
+ * That word_list and word_block besetup
+ *
* Effects:
- * finds word in dictionary.
+ * finds word in dictionary.
* Modifies:
- * nothing.
- *
+ * nothing.
+ *
*/
int
@@ -162,46 +163,46 @@ find_word(const char *word)
{
char **value;
- if(word_list == NULL || word_block == NULL)
- return WORD_NOT_FOUND;
+ if(word_list == NULL || word_block == NULL)
+ return WORD_NOT_FOUND;
if ((value = (char **) bsearch(&word, word_list, word_count, sizeof(char *),
- word_compare)) == NULL)
- return WORD_NOT_FOUND;
+ word_compare)) == NULL)
+ return WORD_NOT_FOUND;
else
- return KADM5_OK;
+ return KADM5_OK;
}
/*
* Function: destroy_dict
- *
+ *
* Purpose: destroy in-core copy of dictionary.
*
* Arguments:
- * none
- * <return value> none
+ * none
+ * <return value> none
* Requires:
- * nothing
+ * nothing
* Effects:
- * frees up memory occupied by word_list and word_block
- * sets count back to 0, and resets the pointers to NULL
+ * frees up memory occupied by word_list and word_block
+ * sets count back to 0, and resets the pointers to NULL
*
* Modifies:
- * word_list, word_block, and word_count.
- *
+ * word_list, word_block, and word_count.
+ *
*/
void
destroy_dict(void)
{
if(word_list) {
- free(word_list);
- word_list = NULL;
+ free(word_list);
+ word_list = NULL;
}
if(word_block) {
- free(word_block);
- word_block = NULL;
+ free(word_block);
+ word_block = NULL;
}
if(word_count)
- word_count = 0;
+ word_count = 0;
return;
}
diff --git a/src/lib/kadm5/srv/server_handle.c b/src/lib/kadm5/srv/server_handle.c
index 53abe94dd2..37425c8ba7 100644
--- a/src/lib/kadm5/srv/server_handle.c
+++ b/src/lib/kadm5/srv/server_handle.c
@@ -1,9 +1,10 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include <krb5.h>
#include <kadm5/admin.h>
#include "server_internal.h"
int _kadm5_check_handle(void *handle)
{
- CHECK_HANDLE(handle);
- return 0;
+ CHECK_HANDLE(handle);
+ return 0;
}
diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
index d5426f8101..ed71cbf96b 100644
--- a/src/lib/kadm5/srv/server_init.c
+++ b/src/lib/kadm5/srv/server_init.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
*
@@ -17,7 +18,7 @@ static char *rcsid = "$Header$";
#include <stdlib.h>
#include <errno.h>
#include <com_err.h>
-#include "k5-int.h" /* needed for gssapiP_krb5.h */
+#include "k5-int.h" /* needed for gssapiP_krb5.h */
#include <kadm5/admin.h>
#include <krb5.h>
#include <kdb_log.h>
@@ -33,13 +34,13 @@ static char *rcsid = "$Header$";
*
* Arguments:
*
- * handle The server handle.
+ * handle The server handle.
*/
static int check_handle(void *handle)
{
- CHECK_HANDLE(handle);
- return 0;
+ CHECK_HANDLE(handle);
+ return 0;
}
static int dup_db_args(kadm5_server_handle_t handle, char **db_args)
@@ -49,30 +50,30 @@ static int dup_db_args(kadm5_server_handle_t handle, char **db_args)
for (count=0; db_args && db_args[count]; count++);
if (count == 0) {
- handle->db_args = NULL;
- goto clean_n_exit;
+ handle->db_args = NULL;
+ goto clean_n_exit;
}
handle->db_args = calloc(sizeof(char*), count+1);
if (handle->db_args == NULL) {
- ret=ENOMEM;
- goto clean_n_exit;
+ ret=ENOMEM;
+ goto clean_n_exit;
}
for (count=0; db_args[count]; count++) {
- handle->db_args[count] = strdup(db_args[count]);
- if (handle->db_args[count] == NULL) {
- ret = ENOMEM;
- goto clean_n_exit;
- }
+ handle->db_args[count] = strdup(db_args[count]);
+ if (handle->db_args[count] == NULL) {
+ ret = ENOMEM;
+ goto clean_n_exit;
+ }
}
- clean_n_exit:
+clean_n_exit:
if (ret && handle->db_args) {
- for (count=0; handle->db_args[count]; count++)
- free(handle->db_args[count]);
+ for (count=0; handle->db_args[count]; count++)
+ free(handle->db_args[count]);
- free(handle->db_args), handle->db_args = NULL;
+ free(handle->db_args), handle->db_args = NULL;
}
return ret;
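Review bot: `handle->db_args = calloc(sizeof(char*), count+1);` passes the element size as the member count and the count as the element size; the product is the same, but the conventional `handle->db_args = calloc(count + 1, sizeof(char *));` reads as intended and matches the `sizeof *ptr` idiom used elsewhere in the file. The cleanup's comma expression `free(handle->db_args), handle->db_args = NULL;` would also be clearer as two statements. dup_db_args begins before this hunk.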
@@ -83,97 +84,97 @@ static void free_db_args(kadm5_server_handle_t handle)
int count;
if (handle->db_args) {
- for (count=0; handle->db_args[count]; count++)
- free(handle->db_args[count]);
+ for (count=0; handle->db_args[count]; count++)
+ free(handle->db_args[count]);
- free(handle->db_args), handle->db_args = NULL;
+ free(handle->db_args), handle->db_args = NULL;
}
}
kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name,
- char *pass, char *service_name,
- kadm5_config_params *params,
- krb5_ui_4 struct_version,
- krb5_ui_4 api_version,
- char **db_args,
- void **server_handle)
+ char *pass, char *service_name,
+ kadm5_config_params *params,
+ krb5_ui_4 struct_version,
+ krb5_ui_4 api_version,
+ char **db_args,
+ void **server_handle)
{
return kadm5_init(context, client_name, pass, service_name, params,
- struct_version, api_version, db_args,
- server_handle);
+ struct_version, api_version, db_args,
+ server_handle);
}
kadm5_ret_t kadm5_init_with_creds(krb5_context context,
- char *client_name,
- krb5_ccache ccache,
- char *service_name,
- kadm5_config_params *params,
- krb5_ui_4 struct_version,
- krb5_ui_4 api_version,
- char **db_args,
- void **server_handle)
+ char *client_name,
+ krb5_ccache ccache,
+ char *service_name,
+ kadm5_config_params *params,
+ krb5_ui_4 struct_version,
+ krb5_ui_4 api_version,
+ char **db_args,
+ void **server_handle)
{
- /*
- * A program calling init_with_creds *never* expects to prompt
- * the user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is
- * non-zero, return an error.
- */
- if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
- params->mkey_from_kbd)
- return KADM5_BAD_SERVER_PARAMS;
- return kadm5_init(context, client_name, NULL, service_name, params,
- struct_version, api_version, db_args,
- server_handle);
+ /*
+ * A program calling init_with_creds *never* expects to prompt
+ * the user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is
+ * non-zero, return an error.
+ */
+ if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
+ params->mkey_from_kbd)
+ return KADM5_BAD_SERVER_PARAMS;
+ return kadm5_init(context, client_name, NULL, service_name, params,
+ struct_version, api_version, db_args,
+ server_handle);
}
kadm5_ret_t kadm5_init_with_skey(krb5_context context, char *client_name,
- char *keytab, char *service_name,
- kadm5_config_params *params,
- krb5_ui_4 struct_version,
- krb5_ui_4 api_version,
- char **db_args,
- void **server_handle)
+ char *keytab, char *service_name,
+ kadm5_config_params *params,
+ krb5_ui_4 struct_version,
+ krb5_ui_4 api_version,
+ char **db_args,
+ void **server_handle)
{
- /*
- * A program calling init_with_skey *never* expects to prompt the
- * user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is
- * non-zero, return an error.
- */
- if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
- params->mkey_from_kbd)
- return KADM5_BAD_SERVER_PARAMS;
- return kadm5_init(context, client_name, NULL, service_name, params,
- struct_version, api_version, db_args,
- server_handle);
+ /*
+ * A program calling init_with_skey *never* expects to prompt the
+ * user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is
+ * non-zero, return an error.
+ */
+ if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
+ params->mkey_from_kbd)
+ return KADM5_BAD_SERVER_PARAMS;
+ return kadm5_init(context, client_name, NULL, service_name, params,
+ struct_version, api_version, db_args,
+ server_handle);
}
kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
- char *service_name,
- kadm5_config_params *params_in,
- krb5_ui_4 struct_version,
- krb5_ui_4 api_version,
- char **db_args,
- void **server_handle)
+ char *service_name,
+ kadm5_config_params *params_in,
+ krb5_ui_4 struct_version,
+ krb5_ui_4 api_version,
+ char **db_args,
+ void **server_handle)
{
- int ret;
- kadm5_server_handle_t handle;
- kadm5_config_params params_local; /* for v1 compat */
+ int ret;
+ kadm5_server_handle_t handle;
+ kadm5_config_params params_local; /* for v1 compat */
if (! server_handle)
- return EINVAL;
+ return EINVAL;
if (! client_name)
- return EINVAL;
+ return EINVAL;
if (! (handle = (kadm5_server_handle_t) malloc(sizeof *handle)))
- return ENOMEM;
+ return ENOMEM;
memset(handle, 0, sizeof(*handle));
ret = dup_db_args(handle, db_args);
if (ret) {
- free(handle);
- return ret;
+ free(handle);
+ return ret;
}
handle->context = context;
@@ -186,91 +187,91 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
handle->struct_version = struct_version;
handle->api_version = api_version;
- /*
- * Verify the version numbers before proceeding; we can't use
- * CHECK_HANDLE because not all fields are set yet.
- */
- GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION,
- KADM5_NEW_SERVER_API_VERSION);
+ /*
+ * Verify the version numbers before proceeding; we can't use
+ * CHECK_HANDLE because not all fields are set yet.
+ */
+ GENERIC_CHECK_HANDLE(handle, KADM5_OLD_SERVER_API_VERSION,
+ KADM5_NEW_SERVER_API_VERSION);
- /*
- * Acquire relevant profile entries. Merge values
- * in params_in with values from profile, based on
- * params_in->mask.
- */
- memset(&params_local, 0, sizeof(params_local));
+ /*
+ * Acquire relevant profile entries. Merge values
+ * in params_in with values from profile, based on
+ * params_in->mask.
+ */
+ memset(&params_local, 0, sizeof(params_local));
#if 0 /* Now that we look at krb5.conf as well as kdc.conf, we can
- expect to see admin_server being set sometimes. */
+ expect to see admin_server being set sometimes. */
#define ILLEGAL_PARAMS (KADM5_CONFIG_ADMIN_SERVER)
- if (params_in && (params_in->mask & ILLEGAL_PARAMS)) {
- free_db_args(handle);
- free(handle);
- return KADM5_BAD_SERVER_PARAMS;
- }
+ if (params_in && (params_in->mask & ILLEGAL_PARAMS)) {
+ free_db_args(handle);
+ free(handle);
+ return KADM5_BAD_SERVER_PARAMS;
+ }
#endif
- ret = kadm5_get_config_params(handle->context, 1, params_in,
- &handle->params);
- if (ret) {
- free_db_args(handle);
- free(handle);
- return(ret);
- }
-
-#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_DBNAME | \
- KADM5_CONFIG_ENCTYPE | \
- KADM5_CONFIG_FLAGS | \
- KADM5_CONFIG_MAX_LIFE | KADM5_CONFIG_MAX_RLIFE | \
- KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_ENCTYPES)
-
-#define IPROP_REQUIRED_PARAMS \
- (KADM5_CONFIG_IPROP_ENABLED | \
- KADM5_CONFIG_IPROP_LOGFILE | \
- KADM5_CONFIG_IPROP_PORT)
-
- if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
- free_db_args(handle);
- free(handle);
- return KADM5_MISSING_CONF_PARAMS;
- }
- if ((handle->params.mask & KADM5_CONFIG_IPROP_ENABLED) == KADM5_CONFIG_IPROP_ENABLED
- && handle->params.iprop_enabled) {
- if ((handle->params.mask & IPROP_REQUIRED_PARAMS) != IPROP_REQUIRED_PARAMS) {
- free_db_args(handle);
- free(handle);
- return KADM5_MISSING_CONF_PARAMS;
- }
- }
-
- ret = krb5_set_default_realm(handle->context, handle->params.realm);
- if (ret) {
- free_db_args(handle);
- free(handle);
- return ret;
- }
+ ret = kadm5_get_config_params(handle->context, 1, params_in,
+ &handle->params);
+ if (ret) {
+ free_db_args(handle);
+ free(handle);
+ return(ret);
+ }
+
+#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_DBNAME | \
+ KADM5_CONFIG_ENCTYPE | \
+ KADM5_CONFIG_FLAGS | \
+ KADM5_CONFIG_MAX_LIFE | KADM5_CONFIG_MAX_RLIFE | \
+ KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_ENCTYPES)
+
+#define IPROP_REQUIRED_PARAMS \
+ (KADM5_CONFIG_IPROP_ENABLED | \
+ KADM5_CONFIG_IPROP_LOGFILE | \
+ KADM5_CONFIG_IPROP_PORT)
+
+ if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
+ free_db_args(handle);
+ free(handle);
+ return KADM5_MISSING_CONF_PARAMS;
+ }
+ if ((handle->params.mask & KADM5_CONFIG_IPROP_ENABLED) == KADM5_CONFIG_IPROP_ENABLED
+ && handle->params.iprop_enabled) {
+ if ((handle->params.mask & IPROP_REQUIRED_PARAMS) != IPROP_REQUIRED_PARAMS) {
+ free_db_args(handle);
+ free(handle);
+ return KADM5_MISSING_CONF_PARAMS;
+ }
+ }
+
+ ret = krb5_set_default_realm(handle->context, handle->params.realm);
+ if (ret) {
+ free_db_args(handle);
+ free(handle);
+ return ret;
+ }
ret = krb5_db_open(handle->context, db_args,
- KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN);
+ KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN);
if (ret) {
- free_db_args(handle);
- free(handle);
- return(ret);
+ free_db_args(handle);
+ free(handle);
+ return(ret);
}
if ((ret = krb5_parse_name(handle->context, client_name,
- &handle->current_caller))) {
- krb5_db_fini(handle->context);
- free_db_args(handle);
- free(handle);
- return ret;
+ &handle->current_caller))) {
+ krb5_db_fini(handle->context);
+ free_db_args(handle);
+ free(handle);
+ return ret;
}
if (! (handle->lhandle = malloc(sizeof(*handle)))) {
- krb5_db_fini(handle->context);
- free_db_args(handle);
- free(handle);
- return ENOMEM;
+ krb5_db_fini(handle->context);
+ free_db_args(handle);
+ free(handle);
+ return ENOMEM;
}
*handle->lhandle = *handle;
handle->lhandle->api_version = KADM5_API_VERSION_3;
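Review bot: The lhandle allocation failure branch (`if (! (handle->lhandle = malloc(sizeof(*handle))))`) tears down the database and db_args but never releases handle->current_caller, which the krb5_parse_name call just above has populated; add `krb5_free_principal(handle->context, handle->current_caller);` before `free(handle);`. The kdb_init_master and kdb_init_hist failure branches in the following hunk have the same omission, and no error branch after this point frees handle->lhandle either; only the init_dict branch releases current_caller. kadm5_init begins and ends outside this hunk.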
@@ -280,36 +281,36 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
/* can't check the handle until current_caller is set */
ret = check_handle((void *) handle);
if (ret) {
- free_db_args(handle);
- free(handle);
- return ret;
+ free_db_args(handle);
+ free(handle);
+ return ret;
}
ret = kdb_init_master(handle, handle->params.realm,
- (handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD)
- && handle->params.mkey_from_kbd);
+ (handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD)
+ && handle->params.mkey_from_kbd);
if (ret) {
- krb5_db_fini(handle->context);
- free_db_args(handle);
- free(handle);
- return ret;
+ krb5_db_fini(handle->context);
+ free_db_args(handle);
+ free(handle);
+ return ret;
}
ret = kdb_init_hist(handle, handle->params.realm);
if (ret) {
- krb5_db_fini(handle->context);
- free_db_args(handle);
- free(handle);
- return ret;
+ krb5_db_fini(handle->context);
+ free_db_args(handle);
+ free(handle);
+ return ret;
}
ret = init_dict(&handle->params);
if (ret) {
- krb5_db_fini(handle->context);
- krb5_free_principal(handle->context, handle->current_caller);
- free_db_args(handle);
- free(handle);
- return ret;
+ krb5_db_fini(handle->context);
+ krb5_free_principal(handle->context, handle->current_caller);
+ free_db_args(handle);
+ free(handle);
+ return ret;
}
*server_handle = (void *) handle;
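Review bot: The check_handle failure branch at the top of this hunk frees db_args and the handle but does not call krb5_db_fini, although krb5_db_open has already succeeded by this point (visible in the preceding hunk) and every sibling error branch below it does call it; add `krb5_db_fini(handle->context);` as the first line of that branch so the database is closed on this path too. kadm5_init's body continues beyond the hunk.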
@@ -345,7 +346,7 @@ kadm5_ret_t kadm5_lock(void *server_handle)
CHECK_HANDLE(server_handle);
ret = krb5_db_lock(handle->context, KRB5_DB_LOCKMODE_EXCLUSIVE);
if (ret)
- return ret;
+ return ret;
return KADM5_OK;
}
@@ -358,33 +359,33 @@ kadm5_ret_t kadm5_unlock(void *server_handle)
CHECK_HANDLE(server_handle);
ret = krb5_db_unlock(handle->context);
if (ret)
- return ret;
+ return ret;
return KADM5_OK;
}
kadm5_ret_t kadm5_flush(void *server_handle)
{
- kadm5_server_handle_t handle = server_handle;
- kadm5_ret_t ret;
-
- CHECK_HANDLE(server_handle);
-
- if ((ret = krb5_db_fini(handle->context)) ||
- (ret = krb5_db_open(handle->context, handle->db_args,
- KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN)) ||
- (ret = adb_policy_close(handle)) ||
- (ret = adb_policy_init(handle))) {
- (void) kadm5_destroy(server_handle);
- return ret;
- }
- return KADM5_OK;
+ kadm5_server_handle_t handle = server_handle;
+ kadm5_ret_t ret;
+
+ CHECK_HANDLE(server_handle);
+
+ if ((ret = krb5_db_fini(handle->context)) ||
+ (ret = krb5_db_open(handle->context, handle->db_args,
+ KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN)) ||
+ (ret = adb_policy_close(handle)) ||
+ (ret = adb_policy_init(handle))) {
+ (void) kadm5_destroy(server_handle);
+ return ret;
+ }
+ return KADM5_OK;
}
int _kadm5_check_handle(void *handle)
{
- CHECK_HANDLE(handle);
- return 0;
+ CHECK_HANDLE(handle);
+ return 0;
}
#include "gssapiP_krb5.h"
@@ -392,11 +393,11 @@ krb5_error_code kadm5_init_krb5_context (krb5_context *ctx)
{
static int first_time = 1;
if (first_time) {
- krb5_error_code err;
- err = krb5_gss_use_kdc_context();
- if (err)
- return err;
- first_time = 0;
+ krb5_error_code err;
+ err = krb5_gss_use_kdc_context();
+ if (err)
+ return err;
+ first_time = 0;
}
return krb5int_init_context_kdc(ctx);
}
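Review bot: kadm5_flush destroys the caller's server handle on any failure (`(void) kadm5_destroy(server_handle);`) before returning the error, so the caller must neither use nor destroy the handle again, and nothing in the hunk documents that contract. A comment above the function such as `/* On failure the server handle is destroyed and must not be used again by the caller. */` would make it explicit. That kadm5_destroy frees the handle is inferred from its name here rather than from visible code.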
@@ -404,17 +405,17 @@ krb5_error_code kadm5_init_krb5_context (krb5_context *ctx)
krb5_error_code
kadm5_init_iprop(void *handle, char **db_args)
{
- kadm5_server_handle_t iprop_h;
- krb5_error_code retval;
-
- iprop_h = handle;
- if (iprop_h->params.iprop_enabled) {
- ulog_set_role(iprop_h->context, IPROP_MASTER);
- if ((retval = ulog_map(iprop_h->context,
- iprop_h->params.iprop_logfile,
- iprop_h->params.iprop_ulogsize,
- FKCOMMAND, db_args)) != 0)
- return (retval);
- }
- return (0);
+ kadm5_server_handle_t iprop_h;
+ krb5_error_code retval;
+
+ iprop_h = handle;
+ if (iprop_h->params.iprop_enabled) {
+ ulog_set_role(iprop_h->context, IPROP_MASTER);
+ if ((retval = ulog_map(iprop_h->context,
+ iprop_h->params.iprop_logfile,
+ iprop_h->params.iprop_ulogsize,
+ FKCOMMAND, db_args)) != 0)
+ return (retval);
+ }
+ return (0);
}
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index fe2020db1d..4b1d05dbbc 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -19,88 +20,88 @@ static char *rcsid = "$Header$";
#include <kadm5/admin.h>
#include "server_internal.h"
-krb5_principal master_princ;
-krb5_keyblock master_keyblock; /* local mkey */
+krb5_principal master_princ;
+krb5_keyblock master_keyblock; /* local mkey */
krb5_keylist_node *master_keylist = NULL;
krb5_actkvno_node *active_mkey_list = NULL;
-krb5_db_entry master_db;
+krb5_db_entry master_db;
-krb5_principal hist_princ;
-krb5_keyblock hist_key;
-krb5_db_entry hist_db;
-krb5_kvno hist_kvno;
+krb5_principal hist_princ;
+krb5_keyblock hist_key;
+krb5_db_entry hist_db;
+krb5_kvno hist_kvno;
/* much of this code is stolen from the kdc. there should be some
library code to deal with this. */
krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
- char *r, int from_keyboard)
+ char *r, int from_keyboard)
{
- int ret = 0;
- char *realm;
+ int ret = 0;
+ char *realm;
krb5_boolean from_kbd = FALSE;
krb5_kvno mkvno = IGNORE_VNO;
if (from_keyboard)
- from_kbd = TRUE;
+ from_kbd = TRUE;
if (r == NULL) {
- if ((ret = krb5_get_default_realm(handle->context, &realm)))
- return ret;
+ if ((ret = krb5_get_default_realm(handle->context, &realm)))
+ return ret;
} else {
- realm = r;
+ realm = r;
}
if ((ret = krb5_db_setup_mkey_name(handle->context,
- handle->params.mkey_name,
- realm, NULL, &master_princ)))
- goto done;
+ handle->params.mkey_name,
+ realm, NULL, &master_princ)))
+ goto done;
master_keyblock.enctype = handle->params.enctype;
- /*
+ /*
* Fetch the local mkey, may not be the latest but that's okay because we
* really want the list of all mkeys and those can be retrieved with any
* valid mkey.
*/
ret = krb5_db_fetch_mkey(handle->context, master_princ,
- master_keyblock.enctype, from_kbd,
- FALSE /* only prompt once */,
- handle->params.stash_file,
- &mkvno /* get the kvno of the returned mkey */,
- NULL /* I'm not sure about this,
- but it's what the kdc does --marc */,
- &master_keyblock);
+ master_keyblock.enctype, from_kbd,
+ FALSE /* only prompt once */,
+ handle->params.stash_file,
+ &mkvno /* get the kvno of the returned mkey */,
+ NULL /* I'm not sure about this,
+ but it's what the kdc does --marc */,
+ &master_keyblock);
if (ret)
- goto done;
-
+ goto done;
+
#if 0 /************** Begin IFDEF'ed OUT *******************************/
/*
* krb5_db_fetch_mkey_list will verify mkey so don't call
* krb5_db_verify_master_key()
*/
if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
- IGNORE_VNO, &master_keyblock))) {
- krb5_db_fini(handle->context);
- return ret;
+ IGNORE_VNO, &master_keyblock))) {
+ krb5_db_fini(handle->context);
+ return ret;
}
#endif /**************** END IFDEF'ed OUT *******************************/
if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
- &master_keyblock, mkvno, &master_keylist))) {
- krb5_db_fini(handle->context);
- return (ret);
+ &master_keyblock, mkvno, &master_keylist))) {
+ krb5_db_fini(handle->context);
+ return (ret);
}
if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
- &active_mkey_list))) {
- krb5_db_fini(handle->context);
- return (ret);
+ &active_mkey_list))) {
+ krb5_db_fini(handle->context);
+ return (ret);
}
done:
if (r == NULL)
- free(realm);
+ free(realm);
return(ret);
}
@@ -112,17 +113,17 @@ done:
*
* Arguments:
*
- * handle (r) kadm5 api server handle
- * r (r) realm of history principal to use, or NULL
+ * handle (r) kadm5 api server handle
+ * r (r) realm of history principal to use, or NULL
*
* Effects: This function sets the value of the following global
* variables:
*
- * hist_princ krb5_principal holding the history principal
- * hist_db krb5_db_entry of the history principal
- * hist_key krb5_keyblock holding the history principal's key
- * hist_encblock krb5_encrypt_block holding the procssed hist_key
- * hist_kvno the version number of the history key
+ * hist_princ krb5_principal holding the history principal
+ * hist_db krb5_db_entry of the history principal
+ * hist_key krb5_keyblock holding the history principal's key
+ * hist_encblock krb5_encrypt_block holding the procssed hist_key
+ * hist_kvno the version number of the history key
*
* If the history principal does not already exist, this function
* attempts to create it with kadm5_create_principal. WARNING!
@@ -133,98 +134,98 @@ done:
*/
krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r)
{
- int ret = 0;
+ int ret = 0;
char *realm, *hist_name;
krb5_key_data *key_data;
krb5_key_salt_tuple ks[1];
krb5_keyblock *tmp_mkey;
if (r == NULL) {
- if ((ret = krb5_get_default_realm(handle->context, &realm)))
- return ret;
+ if ((ret = krb5_get_default_realm(handle->context, &realm)))
+ return ret;
} else {
- realm = r;
+ realm = r;
}
if (asprintf(&hist_name, "%s@%s", KADM5_HIST_PRINCIPAL, realm) < 0) {
- hist_name = NULL;
- goto done;
+ hist_name = NULL;
+ goto done;
}
if ((ret = krb5_parse_name(handle->context, hist_name, &hist_princ)))
- goto done;
+ goto done;
if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL))) {
- kadm5_principal_ent_rec ent;
+ kadm5_principal_ent_rec ent;
- if (ret != KADM5_UNK_PRINC)
- goto done;
+ if (ret != KADM5_UNK_PRINC)
+ goto done;
- /* try to create the principal */
+ /* try to create the principal */
- memset(&ent, 0, sizeof(ent));
+ memset(&ent, 0, sizeof(ent));
- ent.principal = hist_princ;
- ent.max_life = KRB5_KDB_DISALLOW_ALL_TIX;
- ent.attributes = 0;
+ ent.principal = hist_princ;
+ ent.max_life = KRB5_KDB_DISALLOW_ALL_TIX;
+ ent.attributes = 0;
- /* this uses hist_kvno. So we set it to 2, which will be the
- correct value once the principal is created and randomized.
- Of course, it doesn't make sense to keep a history for the
- history principal, anyway. */
+ /* this uses hist_kvno. So we set it to 2, which will be the
+ correct value once the principal is created and randomized.
+ Of course, it doesn't make sense to keep a history for the
+ history principal, anyway. */
- hist_kvno = 2;
- ks[0].ks_enctype = handle->params.enctype;
- ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
- ret = kadm5_create_principal_3(handle, &ent,
- (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
- KADM5_ATTRIBUTES),
- 1, ks,
- "to-be-random");
- if (ret)
- goto done;
+ hist_kvno = 2;
+ ks[0].ks_enctype = handle->params.enctype;
+ ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
+ ret = kadm5_create_principal_3(handle, &ent,
+ (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
+ KADM5_ATTRIBUTES),
+ 1, ks,
+ "to-be-random");
+ if (ret)
+ goto done;
- /* this won't let us randomize the hist_princ. So we cheat. */
+ /* this won't let us randomize the hist_princ. So we cheat. */
- hist_princ = NULL;
+ hist_princ = NULL;
- ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks,
- NULL, NULL);
+ ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks,
+ NULL, NULL);
- hist_princ = ent.principal;
+ hist_princ = ent.principal;
- if (ret)
- goto done;
+ if (ret)
+ goto done;
- /* now read the newly-created kdb record out of the
- database. */
+ /* now read the newly-created kdb record out of the
+ database. */
- if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL)))
- goto done;
+ if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL)))
+ goto done;
}
ret = krb5_dbe_find_enctype(handle->context, &hist_db,
- handle->params.enctype, -1, -1, &key_data);
+ handle->params.enctype, -1, -1, &key_data);
if (ret)
- goto done;
+ goto done;
ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db,
&tmp_mkey);
if (ret)
- goto done;
+ goto done;
ret = krb5_dbekd_decrypt_key_data(handle->context, tmp_mkey,
- key_data, &hist_key, NULL);
+ key_data, &hist_key, NULL);
if (ret)
- goto done;
+ goto done;
hist_kvno = key_data->key_data_kvno;
done:
free(hist_name);
if (r == NULL)
- free(realm);
+ free(realm);
return ret;
}
@@ -236,10 +237,10 @@ done:
*
* Arguments:
*
- * handle (r) the server_handle
- * principal (r) the principal to get
- * kdb (w) krb5_db_entry to fill in
- * adb (w) osa_princ_ent_rec to fill in
+ * handle (r) the server_handle
+ * principal (r) the principal to get
+ * kdb (w) krb5_db_entry to fill in
+ * adb (w) osa_princ_ent_rec to fill in
*
* when the caller is done with kdb and adb, kdb_free_entry must be
* called to release them. The adb record is filled in with the
@@ -248,8 +249,8 @@ done:
*/
krb5_error_code
kdb_get_entry(kadm5_server_handle_t handle,
- krb5_principal principal, krb5_db_entry *kdb,
- osa_princ_ent_rec *adb)
+ krb5_principal principal, krb5_db_entry *kdb,
+ osa_princ_ent_rec *adb)
{
krb5_error_code ret;
int nprincs;
@@ -258,49 +259,49 @@ kdb_get_entry(kadm5_server_handle_t handle,
XDR xdrs;
ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs,
- &more);
+ &more);
if (ret)
- return(ret);
+ return(ret);
if (more) {
- krb5_db_free_principal(handle->context, kdb, nprincs);
- return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
+ krb5_db_free_principal(handle->context, kdb, nprincs);
+ return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
} else if (nprincs != 1) {
- krb5_db_free_principal(handle->context, kdb, nprincs);
- return(KADM5_UNK_PRINC);
+ krb5_db_free_principal(handle->context, kdb, nprincs);
+ return(KADM5_UNK_PRINC);
}
if (adb) {
- memset(adb, 0, sizeof(*adb));
-
- tl_data.tl_data_type = KRB5_TL_KADM_DATA;
- /*
- * XXX Currently, lookup_tl_data always returns zero; it sets
- * tl_data->tl_data_length to zero if the type isn't found.
- * This should be fixed...
- */
- if ((ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data))
- || (tl_data.tl_data_length == 0)) {
- /* there's no admin data. this can happen, if the admin
- server is put into production after some principals
- are created. In this case, return valid admin
- data (which is all zeros with the hist_kvno filled
- in), and when the entry is written, the admin
- data will get stored correctly. */
-
- adb->admin_history_kvno = hist_kvno;
-
- return(ret);
- }
-
- xdrmem_create(&xdrs, tl_data.tl_data_contents,
- tl_data.tl_data_length, XDR_DECODE);
- if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
- xdr_destroy(&xdrs);
- krb5_db_free_principal(handle->context, kdb, 1);
- return(KADM5_XDR_FAILURE);
- }
- xdr_destroy(&xdrs);
+ memset(adb, 0, sizeof(*adb));
+
+ tl_data.tl_data_type = KRB5_TL_KADM_DATA;
+ /*
+ * XXX Currently, lookup_tl_data always returns zero; it sets
+ * tl_data->tl_data_length to zero if the type isn't found.
+ * This should be fixed...
+ */
+ if ((ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data))
+ || (tl_data.tl_data_length == 0)) {
+ /* there's no admin data. this can happen, if the admin
+ server is put into production after some principals
+ are created. In this case, return valid admin
+ data (which is all zeros with the hist_kvno filled
+ in), and when the entry is written, the admin
+ data will get stored correctly. */
+
+ adb->admin_history_kvno = hist_kvno;
+
+ return(ret);
+ }
+
+ xdrmem_create(&xdrs, tl_data.tl_data_contents,
+ tl_data.tl_data_length, XDR_DECODE);
+ if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
+ xdr_destroy(&xdrs);
+ krb5_db_free_principal(handle->context, kdb, 1);
+ return(KADM5_XDR_FAILURE);
+ }
+ xdr_destroy(&xdrs);
}
return(0);
@@ -313,9 +314,9 @@ kdb_get_entry(kadm5_server_handle_t handle,
*
* Arguments:
*
- * handle (r) the server_handle
- * kdb (w) krb5_db_entry to fill in
- * adb (w) osa_princ_ent_rec to fill in
+ * handle (r) the server_handle
+ * kdb (w) krb5_db_entry to fill in
+ * adb (w) osa_princ_ent_rec to fill in
*
* when the caller is done with kdb and adb, kdb_free_entry must be
* called to release them.
@@ -323,18 +324,18 @@ kdb_get_entry(kadm5_server_handle_t handle,
krb5_error_code
kdb_free_entry(kadm5_server_handle_t handle,
- krb5_db_entry *kdb, osa_princ_ent_rec *adb)
+ krb5_db_entry *kdb, osa_princ_ent_rec *adb)
{
XDR xdrs;
if (kdb)
- krb5_db_free_principal(handle->context, kdb, 1);
+ krb5_db_free_principal(handle->context, kdb, 1);
if (adb) {
- xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
- xdr_osa_princ_ent_rec(&xdrs, adb);
- xdr_destroy(&xdrs);
+ xdrmem_create(&xdrs, NULL, 0, XDR_FREE);
+ xdr_osa_princ_ent_rec(&xdrs, adb);
+ xdr_destroy(&xdrs);
}
return(0);
@@ -348,9 +349,9 @@ kdb_free_entry(kadm5_server_handle_t handle,
*
* Arguments:
*
- * handle (r) the server_handle
- * kdb (r/w) the krb5_db_entry to store
- * adb (r) the osa_princ_db_ent to store
+ * handle (r) the server_handle
+ * kdb (r/w) the krb5_db_entry to store
+ * adb (r) the osa_princ_db_ent to store
*
* Effects:
*
@@ -360,7 +361,7 @@ kdb_free_entry(kadm5_server_handle_t handle,
*/
krb5_error_code
kdb_put_entry(kadm5_server_handle_t handle,
- krb5_db_entry *kdb, osa_princ_ent_rec *adb)
+ krb5_db_entry *kdb, osa_princ_ent_rec *adb)
{
krb5_error_code ret;
krb5_int32 now;
@@ -370,17 +371,17 @@ kdb_put_entry(kadm5_server_handle_t handle,
ret = krb5_timeofday(handle->context, &now);
if (ret)
- return(ret);
+ return(ret);
ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now,
- handle->current_caller);
+ handle->current_caller);
if (ret)
- return(ret);
-
- xdralloc_create(&xdrs, XDR_ENCODE);
+ return(ret);
+
+ xdralloc_create(&xdrs, XDR_ENCODE);
if(! xdr_osa_princ_ent_rec(&xdrs, adb)) {
- xdr_destroy(&xdrs);
- return(KADM5_XDR_FAILURE);
+ xdr_destroy(&xdrs);
+ return(KADM5_XDR_FAILURE);
}
tl_data.tl_data_type = KRB5_TL_KADM_DATA;
tl_data.tl_data_length = xdr_getpos(&xdrs);
@@ -391,7 +392,7 @@ kdb_put_entry(kadm5_server_handle_t handle,
xdr_destroy(&xdrs);
if (ret)
- return(ret);
+ return(ret);
one = 1;
@@ -400,7 +401,7 @@ kdb_put_entry(kadm5_server_handle_t handle,
ret = krb5_db_put_principal(handle->context, kdb, &one);
if (ret)
- return(ret);
+ return(ret);
return(0);
}
@@ -410,7 +411,7 @@ kdb_delete_entry(kadm5_server_handle_t handle, krb5_principal name)
{
int one = 1;
krb5_error_code ret;
-
+
ret = krb5_db_delete_principal(handle->context, name, &one);
return ret;
@@ -433,7 +434,7 @@ kdb_iter_func(krb5_pointer data, krb5_db_entry *kdb)
krb5_error_code
kdb_iter_entry(kadm5_server_handle_t handle, char *match_entry,
- void (*iter_fct)(void *, krb5_principal), void *data)
+ void (*iter_fct)(void *, krb5_principal), void *data)
{
iter_data id;
krb5_error_code ret;
@@ -443,8 +444,7 @@ kdb_iter_entry(kadm5_server_handle_t handle, char *match_entry,
ret = krb5_db_iterate(handle->context, match_entry, kdb_iter_func, &id);
if (ret)
- return(ret);
+ return(ret);
return(0);
}
-
diff --git a/src/lib/kadm5/srv/server_misc.c b/src/lib/kadm5/srv/server_misc.c
index cd65371c9c..1faeb86b16 100644
--- a/src/lib/kadm5/srv/server_misc.c
+++ b/src/lib/kadm5/srv/server_misc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -23,10 +24,10 @@ adb_policy_init(kadm5_server_handle_t handle)
{
/* now policy is initialized as part of database. No seperate call needed */
if( krb5_db_inited( handle->context ) )
- return KADM5_OK;
+ return KADM5_OK;
- return krb5_db_open( handle->context, NULL,
- KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN );
+ return krb5_db_open( handle->context, NULL,
+ KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN );
}
kadm5_ret_t
@@ -40,144 +41,143 @@ adb_policy_close(kadm5_server_handle_t handle)
/* stolen from v4sever/kadm_funcs.c */
static char *
reverse(str)
- char *str;
+ char *str;
{
- static char newstr[80];
- char *p, *q;
- int i;
-
- i = strlen(str);
- if (i >= sizeof(newstr))
- i = sizeof(newstr)-1;
- p = str+i-1;
- q = newstr;
- q[i]='\0';
- for(; i > 0; i--)
- *q++ = *p--;
-
- return(newstr);
+ static char newstr[80];
+ char *p, *q;
+ int i;
+
+ i = strlen(str);
+ if (i >= sizeof(newstr))
+ i = sizeof(newstr)-1;
+ p = str+i-1;
+ q = newstr;
+ q[i]='\0';
+ for(; i > 0; i--)
+ *q++ = *p--;
+
+ return(newstr);
}
#endif /* HESIOD */
#if 0
static int
lower(str)
- char *str;
+ char *str;
{
- register char *cp;
- int effect=0;
-
- for (cp = str; *cp; cp++) {
- if (isupper(*cp)) {
- *cp = tolower(*cp);
- effect++;
- }
- }
- return(effect);
+ register char *cp;
+ int effect=0;
+
+ for (cp = str; *cp; cp++) {
+ if (isupper(*cp)) {
+ *cp = tolower(*cp);
+ effect++;
+ }
+ }
+ return(effect);
}
#endif
#ifdef HESIOD
static int
str_check_gecos(gecos, pwstr)
- char *gecos;
- char *pwstr;
+ char *gecos;
+ char *pwstr;
{
- char *cp, *ncp, *tcp;
-
- for (cp = gecos; *cp; ) {
- /* Skip past punctuation */
- for (; *cp; cp++)
- if (isalnum(*cp))
- break;
- /* Skip to the end of the word */
- for (ncp = cp; *ncp; ncp++)
- if (!isalnum(*ncp) && *ncp != '\'')
- break;
- /* Delimit end of word */
- if (*ncp)
- *ncp++ = '\0';
- /* Check word to see if it's the password */
- if (*cp) {
- if (!strcasecmp(pwstr, cp))
- return 1;
- tcp = reverse(cp);
- if (!strcasecmp(pwstr, tcp))
- return 1;
- cp = ncp;
- } else
- break;
- }
- return 0;
+ char *cp, *ncp, *tcp;
+
+ for (cp = gecos; *cp; ) {
+ /* Skip past punctuation */
+ for (; *cp; cp++)
+ if (isalnum(*cp))
+ break;
+ /* Skip to the end of the word */
+ for (ncp = cp; *ncp; ncp++)
+ if (!isalnum(*ncp) && *ncp != '\'')
+ break;
+ /* Delimit end of word */
+ if (*ncp)
+ *ncp++ = '\0';
+ /* Check word to see if it's the password */
+ if (*cp) {
+ if (!strcasecmp(pwstr, cp))
+ return 1;
+ tcp = reverse(cp);
+ if (!strcasecmp(pwstr, tcp))
+ return 1;
+ cp = ncp;
+ } else
+ break;
+ }
+ return 0;
}
#endif /* HESIOD */
/* some of this is stolen from gatekeeper ... */
kadm5_ret_t
passwd_check(kadm5_server_handle_t handle,
- char *password, int use_policy, kadm5_policy_ent_t pol,
- krb5_principal principal)
+ char *password, int use_policy, kadm5_policy_ent_t pol,
+ krb5_principal principal)
{
- int nupper = 0,
- nlower = 0,
- ndigit = 0,
- npunct = 0,
- nspec = 0;
+ int nupper = 0,
+ nlower = 0,
+ ndigit = 0,
+ npunct = 0,
+ nspec = 0;
char c, *s, *cp;
#ifdef HESIOD
extern struct passwd *hes_getpwnam();
struct passwd *ent;
#endif
-
+
if(use_policy) {
- if(strlen(password) < pol->pw_min_length)
- return KADM5_PASS_Q_TOOSHORT;
- s = password;
- while ((c = *s++)) {
- if (islower((unsigned char) c)) {
- nlower = 1;
- continue;
- }
- else if (isupper((unsigned char) c)) {
- nupper = 1;
- continue;
- } else if (isdigit((unsigned char) c)) {
- ndigit = 1;
- continue;
- } else if (ispunct((unsigned char) c)) {
- npunct = 1;
- continue;
- } else {
- nspec = 1;
- continue;
- }
- }
- if ((nupper + nlower + ndigit + npunct + nspec) < pol->pw_min_classes)
- return KADM5_PASS_Q_CLASS;
- if((find_word(password) == KADM5_OK))
- return KADM5_PASS_Q_DICT;
- else {
- int i, n = krb5_princ_size(handle->context, principal);
- cp = krb5_princ_realm(handle->context, principal)->data;
- if (strcasecmp(cp, password) == 0)
- return KADM5_PASS_Q_DICT;
- for (i = 0; i < n ; i++) {
- cp = krb5_princ_component(handle->context, principal, i)->data;
- if (strcasecmp(cp, password) == 0)
- return KADM5_PASS_Q_DICT;
+ if(strlen(password) < pol->pw_min_length)
+ return KADM5_PASS_Q_TOOSHORT;
+ s = password;
+ while ((c = *s++)) {
+ if (islower((unsigned char) c)) {
+ nlower = 1;
+ continue;
+ }
+ else if (isupper((unsigned char) c)) {
+ nupper = 1;
+ continue;
+ } else if (isdigit((unsigned char) c)) {
+ ndigit = 1;
+ continue;
+ } else if (ispunct((unsigned char) c)) {
+ npunct = 1;
+ continue;
+ } else {
+ nspec = 1;
+ continue;
+ }
+ }
+ if ((nupper + nlower + ndigit + npunct + nspec) < pol->pw_min_classes)
+ return KADM5_PASS_Q_CLASS;
+ if((find_word(password) == KADM5_OK))
+ return KADM5_PASS_Q_DICT;
+ else {
+ int i, n = krb5_princ_size(handle->context, principal);
+ cp = krb5_princ_realm(handle->context, principal)->data;
+ if (strcasecmp(cp, password) == 0)
+ return KADM5_PASS_Q_DICT;
+ for (i = 0; i < n ; i++) {
+ cp = krb5_princ_component(handle->context, principal, i)->data;
+ if (strcasecmp(cp, password) == 0)
+ return KADM5_PASS_Q_DICT;
#ifdef HESIOD
- ent = hes_getpwnam(cp);
- if (ent && ent->pw_gecos)
- if (str_check_gecos(ent->pw_gecos, password))
- return KADM5_PASS_Q_DICT; /* XXX new error code? */
+ ent = hes_getpwnam(cp);
+ if (ent && ent->pw_gecos)
+ if (str_check_gecos(ent->pw_gecos, password))
+ return KADM5_PASS_Q_DICT; /* XXX new error code? */
#endif
- }
- return KADM5_OK;
- }
+ }
+ return KADM5_OK;
+ }
} else {
- if (strlen(password) < 1)
- return KADM5_PASS_Q_TOOSHORT;
+ if (strlen(password) < 1)
+ return KADM5_PASS_Q_TOOSHORT;
}
- return KADM5_OK;
+ return KADM5_OK;
}
-
diff --git a/src/lib/kadm5/srv/svr_chpass_util.c b/src/lib/kadm5/srv/svr_chpass_util.c
index c8b63100a9..bfb66466a1 100644
--- a/src/lib/kadm5/srv/svr_chpass_util.c
+++ b/src/lib/kadm5/srv/svr_chpass_util.c
@@ -1,16 +1,17 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include <kadm5/admin.h>
#include "server_internal.h"
kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
- krb5_principal princ,
- char *new_pw,
- char **ret_pw,
- char *msg_ret,
- unsigned int msg_len)
+ krb5_principal princ,
+ char *new_pw,
+ char **ret_pw,
+ char *msg_ret,
+ unsigned int msg_len)
{
- kadm5_server_handle_t handle = server_handle;
+ kadm5_server_handle_t handle = server_handle;
- CHECK_HANDLE(server_handle);
- return _kadm5_chpass_principal_util(handle, handle->lhandle, princ,
- new_pw, ret_pw, msg_ret, msg_len);
+ CHECK_HANDLE(server_handle);
+ return _kadm5_chpass_principal_util(handle, handle->lhandle, princ,
+ new_pw, ret_pw, msg_ret, msg_len);
}
diff --git a/src/lib/kadm5/srv/svr_iters.c b/src/lib/kadm5/srv/svr_iters.c
index 757d3ab0e6..77ef05aea0 100644
--- a/src/lib/kadm5/srv/svr_iters.c
+++ b/src/lib/kadm5/srv/svr_iters.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -19,30 +20,30 @@ static char *rcsid = "$Header$";
#error I cannot find any regexp functions
#endif
-#include <sys/types.h>
-#include <string.h>
-#include <kadm5/admin.h>
+#include <sys/types.h>
+#include <string.h>
+#include <kadm5/admin.h>
#ifdef SOLARIS_REGEXPS
-#include <regexpr.h>
+#include <regexpr.h>
#endif
#ifdef POSIX_REGEXPS
-#include <regex.h>
+#include <regex.h>
#endif
#include <stdlib.h>
-#include "server_internal.h"
+#include "server_internal.h"
struct iter_data {
- krb5_context context;
- char **names;
- int n_names, sz_names;
- unsigned int malloc_failed;
- char *exp;
+ krb5_context context;
+ char **names;
+ int n_names, sz_names;
+ unsigned int malloc_failed;
+ char *exp;
#ifdef SOLARIS_REGEXPS
- char *expbuf;
+ char *expbuf;
#endif
#ifdef POSIX_REGEXPS
- regex_t preg;
+ regex_t preg;
#endif
};
@@ -52,9 +53,9 @@ struct iter_data {
*
* Arguments:
*
- * glob (r) the shell-style glob (?*[]) to convert
- * realm (r) the default realm to append, or NULL
- * regexp (w) the ed-style regexp created from glob
+ * glob (r) the shell-style glob (?*[]) to convert
+ * realm (r) the default realm to append, or NULL
+ * regexp (w) the ed-style regexp created from glob
*
* Effects:
*
@@ -65,210 +66,209 @@ struct iter_data {
*
* Conversion algorithm:
*
- * quoted characters are copied quoted
- * ? is converted to .
- * * is converted to .*
- * active characters are quoted: ^, $, .
- * [ and ] are active but supported and have the same meaning, so
- * they are copied
- * other characters are copied
- * regexp is anchored with ^ and $
+ * quoted characters are copied quoted
+ * ? is converted to .
+ * * is converted to .*
+ * active characters are quoted: ^, $, .
+ * [ and ] are active but supported and have the same meaning, so
+ * they are copied
+ * other characters are copied
+ * regexp is anchored with ^ and $
*/
static kadm5_ret_t glob_to_regexp(char *glob, char *realm, char **regexp)
{
- int append_realm;
- char *p;
+ int append_realm;
+ char *p;
- /* validate the glob */
- if (glob[strlen(glob)-1] == '\\')
- return EINVAL;
+ /* validate the glob */
+ if (glob[strlen(glob)-1] == '\\')
+ return EINVAL;
- /* A character of glob can turn into two in regexp, plus ^ and $ */
- /* and trailing null. If glob has no @, also allocate space for */
- /* the realm. */
- append_realm = (realm != NULL) && (strchr(glob, '@') == NULL);
- p = (char *) malloc(strlen(glob)*2+ 3 + (append_realm ? 3 : 0));
- if (p == NULL)
- return ENOMEM;
- *regexp = p;
+ /* A character of glob can turn into two in regexp, plus ^ and $ */
+ /* and trailing null. If glob has no @, also allocate space for */
+ /* the realm. */
+ append_realm = (realm != NULL) && (strchr(glob, '@') == NULL);
+ p = (char *) malloc(strlen(glob)*2+ 3 + (append_realm ? 3 : 0));
+ if (p == NULL)
+ return ENOMEM;
+ *regexp = p;
- *p++ = '^';
- while (*glob) {
- switch (*glob) {
- case '?':
- *p++ = '.';
- break;
- case '*':
- *p++ = '.';
- *p++ = '*';
- break;
- case '.':
- case '^':
- case '$':
- *p++ = '\\';
- *p++ = *glob;
- break;
- case '\\':
- *p++ = '\\';
- *p++ = *++glob;
- break;
- default:
- *p++ = *glob;
- break;
- }
- glob++;
- }
+ *p++ = '^';
+ while (*glob) {
+ switch (*glob) {
+ case '?':
+ *p++ = '.';
+ break;
+ case '*':
+ *p++ = '.';
+ *p++ = '*';
+ break;
+ case '.':
+ case '^':
+ case '$':
+ *p++ = '\\';
+ *p++ = *glob;
+ break;
+ case '\\':
+ *p++ = '\\';
+ *p++ = *++glob;
+ break;
+ default:
+ *p++ = *glob;
+ break;
+ }
+ glob++;
+ }
- if (append_realm) {
- *p++ = '@';
- *p++ = '.';
- *p++ = '*';
- }
+ if (append_realm) {
+ *p++ = '@';
+ *p++ = '.';
+ *p++ = '*';
+ }
- *p++ = '$';
- *p++ = '\0';
- return KADM5_OK;
+ *p++ = '$';
+ *p++ = '\0';
+ return KADM5_OK;
}
static void get_either_iter(struct iter_data *data, char *name)
{
- int match;
+ int match;
#ifdef SOLARIS_REGEXPS
- match = (step(name, data->expbuf) != 0);
+ match = (step(name, data->expbuf) != 0);
#endif
#ifdef POSIX_REGEXPS
- match = (regexec(&data->preg, name, 0, NULL, 0) == 0);
+ match = (regexec(&data->preg, name, 0, NULL, 0) == 0);
#endif
#ifdef BSD_REGEXPS
- match = (re_exec(name) != 0);
+ match = (re_exec(name) != 0);
#endif
- if (match) {
- if (data->n_names == data->sz_names) {
- int new_sz = data->sz_names * 2;
- char **new_names = realloc(data->names,
- new_sz * sizeof(char *));
- if (new_names) {
- data->names = new_names;
- data->sz_names = new_sz;
- } else {
- data->malloc_failed = 1;
- free(name);
- return;
- }
- }
- data->names[data->n_names++] = name;
- } else
- free(name);
+ if (match) {
+ if (data->n_names == data->sz_names) {
+ int new_sz = data->sz_names * 2;
+ char **new_names = realloc(data->names,
+ new_sz * sizeof(char *));
+ if (new_names) {
+ data->names = new_names;
+ data->sz_names = new_sz;
+ } else {
+ data->malloc_failed = 1;
+ free(name);
+ return;
+ }
+ }
+ data->names[data->n_names++] = name;
+ } else
+ free(name);
}
static void get_pols_iter(void *data, osa_policy_ent_t entry)
{
- char *name;
+ char *name;
- if ((name = strdup(entry->name)) == NULL)
- return;
- get_either_iter(data, name);
+ if ((name = strdup(entry->name)) == NULL)
+ return;
+ get_either_iter(data, name);
}
static void get_princs_iter(void *data, krb5_principal princ)
{
- struct iter_data *id = (struct iter_data *) data;
- char *name;
-
- if (krb5_unparse_name(id->context, princ, &name) != 0)
- return;
- get_either_iter(data, name);
+ struct iter_data *id = (struct iter_data *) data;
+ char *name;
+
+ if (krb5_unparse_name(id->context, princ, &name) != 0)
+ return;
+ get_either_iter(data, name);
}
static kadm5_ret_t kadm5_get_either(int princ,
- void *server_handle,
- char *exp,
- char ***princs,
- int *count)
+ void *server_handle,
+ char *exp,
+ char ***princs,
+ int *count)
{
- struct iter_data data;
+ struct iter_data data;
#ifdef BSD_REGEXPS
- char *msg;
+ char *msg;
#endif
- char *regexp;
- int i, ret;
- kadm5_server_handle_t handle = server_handle;
+ char *regexp;
+ int i, ret;
+ kadm5_server_handle_t handle = server_handle;
- *princs = NULL;
- *count = 0;
- if (exp == NULL)
- exp = "*";
+ *princs = NULL;
+ *count = 0;
+ if (exp == NULL)
+ exp = "*";
- CHECK_HANDLE(server_handle);
+ CHECK_HANDLE(server_handle);
- if ((ret = glob_to_regexp(exp, princ ? handle->params.realm : NULL,
- &regexp)) != KADM5_OK)
- return ret;
+ if ((ret = glob_to_regexp(exp, princ ? handle->params.realm : NULL,
+ &regexp)) != KADM5_OK)
+ return ret;
- if (
+ if (
#ifdef SOLARIS_REGEXPS
- ((data.expbuf = compile(regexp, NULL, NULL)) == NULL)
+ ((data.expbuf = compile(regexp, NULL, NULL)) == NULL)
#endif
#ifdef POSIX_REGEXPS
- ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0)
+ ((regcomp(&data.preg, regexp, REG_NOSUB)) != 0)
#endif
#ifdef BSD_REGEXPS
- ((msg = (char *) re_comp(regexp)) != NULL)
+ ((msg = (char *) re_comp(regexp)) != NULL)
#endif
- )
- {
- /* XXX syslog msg or regerr(regerrno) */
- free(regexp);
- return EINVAL;
- }
+ )
+ {
+ /* XXX syslog msg or regerr(regerrno) */
+ free(regexp);
+ return EINVAL;
+ }
+
+ data.n_names = 0;
+ data.sz_names = 10;
+ data.malloc_failed = 0;
+ data.names = malloc(sizeof(char *) * data.sz_names);
+ if (data.names == NULL) {
+ free(regexp);
+ return ENOMEM;
+ }
- data.n_names = 0;
- data.sz_names = 10;
- data.malloc_failed = 0;
- data.names = malloc(sizeof(char *) * data.sz_names);
- if (data.names == NULL) {
- free(regexp);
- return ENOMEM;
- }
+ if (princ) {
+ data.context = handle->context;
+ ret = kdb_iter_entry(handle, exp, get_princs_iter, (void *) &data);
+ } else {
+ ret = krb5_db_iter_policy(handle->context, exp, get_pols_iter, (void *)&data);
+ }
- if (princ) {
- data.context = handle->context;
- ret = kdb_iter_entry(handle, exp, get_princs_iter, (void *) &data);
- } else {
- ret = krb5_db_iter_policy(handle->context, exp, get_pols_iter, (void *)&data);
- }
-
- free(regexp);
+ free(regexp);
#ifdef POSIX_REGEXPS
- regfree(&data.preg);
+ regfree(&data.preg);
#endif
- if ( !ret && data.malloc_failed)
- ret = ENOMEM;
- if ( ret ) {
- for (i = 0; i < data.n_names; i++)
- free(data.names[i]);
- free(data.names);
- return ret;
- }
+ if ( !ret && data.malloc_failed)
+ ret = ENOMEM;
+ if ( ret ) {
+ for (i = 0; i < data.n_names; i++)
+ free(data.names[i]);
+ free(data.names);
+ return ret;
+ }
- *princs = data.names;
- *count = data.n_names;
- return KADM5_OK;
+ *princs = data.names;
+ *count = data.n_names;
+ return KADM5_OK;
}
kadm5_ret_t kadm5_get_principals(void *server_handle,
- char *exp,
- char ***princs,
- int *count)
+ char *exp,
+ char ***princs,
+ int *count)
{
- return kadm5_get_either(1, server_handle, exp, princs, count);
+ return kadm5_get_either(1, server_handle, exp, princs, count);
}
kadm5_ret_t kadm5_get_policies(void *server_handle,
- char *exp,
- char ***pols,
- int *count)
+ char *exp,
+ char ***pols,
+ int *count)
{
- return kadm5_get_either(0, server_handle, exp, pols, count);
+ return kadm5_get_either(0, server_handle, exp, pols, count);
}
-
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index 0d8c5ced63..1d3ccbc666 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -8,170 +9,170 @@
static char *rcsid = "$Header$";
#endif
-#include <sys/types.h>
-#include <kadm5/admin.h>
-#include "server_internal.h"
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
+#include <sys/types.h>
+#include <kadm5/admin.h>
+#include "server_internal.h"
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
-#define MIN_PW_HISTORY 1
-#define MIN_PW_CLASSES 1
-#define MAX_PW_CLASSES 5
-#define MIN_PW_LENGTH 1
+#define MIN_PW_HISTORY 1
+#define MIN_PW_CLASSES 1
+#define MAX_PW_CLASSES 5
+#define MIN_PW_LENGTH 1
/*
* Function: kadm5_create_policy
- *
+ *
* Purpose: Create Policies in the policy DB.
*
* Arguments:
- * entry (input) The policy entry to be written out to the DB.
- * mask (input) Specifies which fields in entry are to ge written out
- * and which get default values.
- * <return value> 0 if successful otherwise an error code is returned.
+ * entry (input) The policy entry to be written out to the DB.
+ * mask (input) Specifies which fields in entry are to ge written out
+ * and which get default values.
+ * <return value> 0 if successful otherwise an error code is returned.
*
* Requires:
- * Entry must be a valid principal entry, and mask have a valid value.
- *
+ * Entry must be a valid principal entry, and mask have a valid value.
+ *
* Effects:
- * Verifies that mask does not specify that the refcount should
- * be set as part of the creation, and calls
- * kadm5_create_policy_internal. If the refcount *is*
- * specified, returns KADM5_BAD_MASK.
+ * Verifies that mask does not specify that the refcount should
+ * be set as part of the creation, and calls
+ * kadm5_create_policy_internal. If the refcount *is*
+ * specified, returns KADM5_BAD_MASK.
*/
kadm5_ret_t
kadm5_create_policy(void *server_handle,
- kadm5_policy_ent_t entry, long mask)
+ kadm5_policy_ent_t entry, long mask)
{
CHECK_HANDLE(server_handle);
krb5_clear_error_message(((kadm5_server_handle_t)server_handle)->context);
if (mask & KADM5_REF_COUNT)
- return KADM5_BAD_MASK;
+ return KADM5_BAD_MASK;
else
- return kadm5_create_policy_internal(server_handle, entry, mask);
+ return kadm5_create_policy_internal(server_handle, entry, mask);
}
/*
* Function: kadm5_create_policy_internal
- *
+ *
* Purpose: Create Policies in the policy DB.
*
* Arguments:
- * entry (input) The policy entry to be written out to the DB.
- * mask (input) Specifies which fields in entry are to ge written out
- * and which get default values.
- * <return value> 0 if successful otherwise an error code is returned.
+ * entry (input) The policy entry to be written out to the DB.
+ * mask (input) Specifies which fields in entry are to ge written out
+ * and which get default values.
+ * <return value> 0 if successful otherwise an error code is returned.
*
* Requires:
- * Entry must be a valid principal entry, and mask have a valid value.
- *
+ * Entry must be a valid principal entry, and mask have a valid value.
+ *
* Effects:
- * Writes the data to the database, and does a database sync if
- * successful.
+ * Writes the data to the database, and does a database sync if
+ * successful.
*
*/
kadm5_ret_t
kadm5_create_policy_internal(void *server_handle,
- kadm5_policy_ent_t entry, long mask)
+ kadm5_policy_ent_t entry, long mask)
{
kadm5_server_handle_t handle = server_handle;
- osa_policy_ent_rec pent;
- int ret;
- char *p;
+ osa_policy_ent_rec pent;
+ int ret;
+ char *p;
CHECK_HANDLE(server_handle);
if ((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL))
- return EINVAL;
+ return EINVAL;
if(strlen(entry->policy) == 0)
- return KADM5_BAD_POLICY;
+ return KADM5_BAD_POLICY;
if (!(mask & KADM5_POLICY))
- return KADM5_BAD_MASK;
-
+ return KADM5_BAD_MASK;
+
pent.name = entry->policy;
p = entry->policy;
while(*p != '\0') {
- if(*p < ' ' || *p > '~')
- return KADM5_BAD_POLICY;
- else
- p++;
+ if(*p < ' ' || *p > '~')
+ return KADM5_BAD_POLICY;
+ else
+ p++;
}
if (!(mask & KADM5_PW_MAX_LIFE))
- pent.pw_max_life = 0;
+ pent.pw_max_life = 0;
else
- pent.pw_max_life = entry->pw_max_life;
+ pent.pw_max_life = entry->pw_max_life;
if (!(mask & KADM5_PW_MIN_LIFE))
- pent.pw_min_life = 0;
+ pent.pw_min_life = 0;
else {
- if((mask & KADM5_PW_MAX_LIFE)) {
- if(entry->pw_min_life > entry->pw_max_life && entry->pw_max_life != 0)
- return KADM5_BAD_MIN_PASS_LIFE;
- }
- pent.pw_min_life = entry->pw_min_life;
+ if((mask & KADM5_PW_MAX_LIFE)) {
+ if(entry->pw_min_life > entry->pw_max_life && entry->pw_max_life != 0)
+ return KADM5_BAD_MIN_PASS_LIFE;
+ }
+ pent.pw_min_life = entry->pw_min_life;
}
if (!(mask & KADM5_PW_MIN_LENGTH))
- pent.pw_min_length = MIN_PW_LENGTH;
+ pent.pw_min_length = MIN_PW_LENGTH;
else {
- if(entry->pw_min_length < MIN_PW_LENGTH)
- return KADM5_BAD_LENGTH;
- pent.pw_min_length = entry->pw_min_length;
+ if(entry->pw_min_length < MIN_PW_LENGTH)
+ return KADM5_BAD_LENGTH;
+ pent.pw_min_length = entry->pw_min_length;
}
if (!(mask & KADM5_PW_MIN_CLASSES))
- pent.pw_min_classes = MIN_PW_CLASSES;
+ pent.pw_min_classes = MIN_PW_CLASSES;
else {
- if(entry->pw_min_classes > MAX_PW_CLASSES || entry->pw_min_classes < MIN_PW_CLASSES)
- return KADM5_BAD_CLASS;
- pent.pw_min_classes = entry->pw_min_classes;
+ if(entry->pw_min_classes > MAX_PW_CLASSES || entry->pw_min_classes < MIN_PW_CLASSES)
+ return KADM5_BAD_CLASS;
+ pent.pw_min_classes = entry->pw_min_classes;
}
if (!(mask & KADM5_PW_HISTORY_NUM))
- pent.pw_history_num = MIN_PW_HISTORY;
+ pent.pw_history_num = MIN_PW_HISTORY;
else {
- if(entry->pw_history_num < MIN_PW_HISTORY)
- return KADM5_BAD_HISTORY;
- else
- pent.pw_history_num = entry->pw_history_num;
+ if(entry->pw_history_num < MIN_PW_HISTORY)
+ return KADM5_BAD_HISTORY;
+ else
+ pent.pw_history_num = entry->pw_history_num;
}
if (!(mask & KADM5_REF_COUNT))
- pent.policy_refcnt = 0;
+ pent.policy_refcnt = 0;
else
- pent.policy_refcnt = entry->policy_refcnt;
+ pent.policy_refcnt = entry->policy_refcnt;
if (handle->api_version == KADM5_API_VERSION_3) {
- if (!(mask & KADM5_PW_MAX_FAILURE))
- pent.pw_max_fail = 0;
- else
- pent.pw_max_fail = entry->pw_max_fail;
- if (!(mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
- pent.pw_failcnt_interval = 0;
- else
- pent.pw_failcnt_interval = entry->pw_failcnt_interval;
- if (!(mask & KADM5_PW_LOCKOUT_DURATION))
- pent.pw_lockout_duration = 0;
- else
- pent.pw_lockout_duration = entry->pw_lockout_duration;
+ if (!(mask & KADM5_PW_MAX_FAILURE))
+ pent.pw_max_fail = 0;
+ else
+ pent.pw_max_fail = entry->pw_max_fail;
+ if (!(mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
+ pent.pw_failcnt_interval = 0;
+ else
+ pent.pw_failcnt_interval = entry->pw_failcnt_interval;
+ if (!(mask & KADM5_PW_LOCKOUT_DURATION))
+ pent.pw_lockout_duration = 0;
+ else
+ pent.pw_lockout_duration = entry->pw_lockout_duration;
} else {
- pent.pw_max_fail = 0;
- pent.pw_failcnt_interval = 0;
- pent.pw_lockout_duration = 0;
+ pent.pw_max_fail = 0;
+ pent.pw_failcnt_interval = 0;
+ pent.pw_lockout_duration = 0;
}
if ((ret = krb5_db_create_policy(handle->context, &pent)))
- return ret;
+ return ret;
else
- return KADM5_OK;
+ return KADM5_OK;
}
-
+
kadm5_ret_t
kadm5_delete_policy(void *server_handle, kadm5_policy_t name)
{
kadm5_server_handle_t handle = server_handle;
- osa_policy_ent_t entry;
- int ret;
+ osa_policy_ent_t entry;
+ int ret;
int cnt=1;
CHECK_HANDLE(server_handle);
@@ -179,102 +180,102 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name)
krb5_clear_error_message(handle->context);
if(name == (kadm5_policy_t) NULL)
- return EINVAL;
+ return EINVAL;
if(strlen(name) == 0)
- return KADM5_BAD_POLICY;
+ return KADM5_BAD_POLICY;
if((ret = krb5_db_get_policy(handle->context, name, &entry,&cnt)))
- return ret;
+ return ret;
if( cnt != 1 )
- return KADM5_UNK_POLICY;
+ return KADM5_UNK_POLICY;
if(entry->policy_refcnt != 0) {
- krb5_db_free_policy(handle->context, entry);
- return KADM5_POLICY_REF;
+ krb5_db_free_policy(handle->context, entry);
+ return KADM5_POLICY_REF;
}
krb5_db_free_policy(handle->context, entry);
if ((ret = krb5_db_delete_policy(handle->context, name)))
- return ret;
+ return ret;
else
- return KADM5_OK;
+ return KADM5_OK;
}
kadm5_ret_t
kadm5_modify_policy(void *server_handle,
- kadm5_policy_ent_t entry, long mask)
+ kadm5_policy_ent_t entry, long mask)
{
CHECK_HANDLE(server_handle);
krb5_clear_error_message(((kadm5_server_handle_t)server_handle)->context);
if (mask & KADM5_REF_COUNT)
- return KADM5_BAD_MASK;
+ return KADM5_BAD_MASK;
else
- return kadm5_modify_policy_internal(server_handle, entry, mask);
+ return kadm5_modify_policy_internal(server_handle, entry, mask);
}
kadm5_ret_t
kadm5_modify_policy_internal(void *server_handle,
- kadm5_policy_ent_t entry, long mask)
+ kadm5_policy_ent_t entry, long mask)
{
kadm5_server_handle_t handle = server_handle;
- osa_policy_ent_t p;
- int ret;
+ osa_policy_ent_t p;
+ int ret;
int cnt=1;
CHECK_HANDLE(server_handle);
if((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL))
- return EINVAL;
+ return EINVAL;
if(strlen(entry->policy) == 0)
- return KADM5_BAD_POLICY;
+ return KADM5_BAD_POLICY;
if((mask & KADM5_POLICY))
- return KADM5_BAD_MASK;
-
+ return KADM5_BAD_MASK;
+
if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
- return ret;
+ return ret;
if (cnt != 1)
- return KADM5_UNK_POLICY;
+ return KADM5_UNK_POLICY;
if ((mask & KADM5_PW_MAX_LIFE))
- p->pw_max_life = entry->pw_max_life;
+ p->pw_max_life = entry->pw_max_life;
if ((mask & KADM5_PW_MIN_LIFE)) {
- if(entry->pw_min_life > p->pw_max_life && p->pw_max_life != 0) {
- krb5_db_free_policy(handle->context, p);
- return KADM5_BAD_MIN_PASS_LIFE;
- }
- p->pw_min_life = entry->pw_min_life;
+ if(entry->pw_min_life > p->pw_max_life && p->pw_max_life != 0) {
+ krb5_db_free_policy(handle->context, p);
+ return KADM5_BAD_MIN_PASS_LIFE;
+ }
+ p->pw_min_life = entry->pw_min_life;
}
if ((mask & KADM5_PW_MIN_LENGTH)) {
- if(entry->pw_min_length < MIN_PW_LENGTH) {
- krb5_db_free_policy(handle->context, p);
- return KADM5_BAD_LENGTH;
- }
- p->pw_min_length = entry->pw_min_length;
+ if(entry->pw_min_length < MIN_PW_LENGTH) {
+ krb5_db_free_policy(handle->context, p);
+ return KADM5_BAD_LENGTH;
+ }
+ p->pw_min_length = entry->pw_min_length;
}
if ((mask & KADM5_PW_MIN_CLASSES)) {
- if(entry->pw_min_classes > MAX_PW_CLASSES ||
- entry->pw_min_classes < MIN_PW_CLASSES) {
- krb5_db_free_policy(handle->context, p);
- return KADM5_BAD_CLASS;
- }
- p->pw_min_classes = entry->pw_min_classes;
+ if(entry->pw_min_classes > MAX_PW_CLASSES ||
+ entry->pw_min_classes < MIN_PW_CLASSES) {
+ krb5_db_free_policy(handle->context, p);
+ return KADM5_BAD_CLASS;
+ }
+ p->pw_min_classes = entry->pw_min_classes;
}
if ((mask & KADM5_PW_HISTORY_NUM)) {
- if(entry->pw_history_num < MIN_PW_HISTORY) {
- krb5_db_free_policy(handle->context, p);
- return KADM5_BAD_HISTORY;
- }
- p->pw_history_num = entry->pw_history_num;
+ if(entry->pw_history_num < MIN_PW_HISTORY) {
+ krb5_db_free_policy(handle->context, p);
+ return KADM5_BAD_HISTORY;
+ }
+ p->pw_history_num = entry->pw_history_num;
}
if ((mask & KADM5_REF_COUNT))
- p->policy_refcnt = entry->policy_refcnt;
+ p->policy_refcnt = entry->policy_refcnt;
if (handle->api_version == KADM5_API_VERSION_3) {
- if ((mask & KADM5_PW_MAX_FAILURE))
- p->pw_max_fail = entry->pw_max_fail;
- if ((mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
- p->pw_failcnt_interval = entry->pw_failcnt_interval;
- if ((mask & KADM5_PW_LOCKOUT_DURATION))
- p->pw_lockout_duration = entry->pw_lockout_duration;
+ if ((mask & KADM5_PW_MAX_FAILURE))
+ p->pw_max_fail = entry->pw_max_fail;
+ if ((mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
+ p->pw_failcnt_interval = entry->pw_failcnt_interval;
+ if ((mask & KADM5_PW_LOCKOUT_DURATION))
+ p->pw_lockout_duration = entry->pw_lockout_duration;
}
ret = krb5_db_put_policy(handle->context, p);
krb5_db_free_policy(handle->context, p);
@@ -283,10 +284,10 @@ kadm5_modify_policy_internal(void *server_handle,
kadm5_ret_t
kadm5_get_policy(void *server_handle, kadm5_policy_t name,
- kadm5_policy_ent_t entry)
+ kadm5_policy_ent_t entry)
{
- osa_policy_ent_t t;
- int ret;
+ osa_policy_ent_t t;
+ int ret;
kadm5_server_handle_t handle = server_handle;
int cnt=1;
@@ -295,18 +296,18 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
krb5_clear_error_message(handle->context);
if (name == (kadm5_policy_t) NULL)
- return EINVAL;
+ return EINVAL;
if(strlen(name) == 0)
- return KADM5_BAD_POLICY;
+ return KADM5_BAD_POLICY;
if((ret = krb5_db_get_policy(handle->context, name, &t, &cnt)))
- return ret;
+ return ret;
if( cnt != 1 )
- return KADM5_UNK_POLICY;
+ return KADM5_UNK_POLICY;
if ((entry->policy = strdup(t->name)) == NULL) {
- krb5_db_free_policy(handle->context, t);
- return ENOMEM;
+ krb5_db_free_policy(handle->context, t);
+ return ENOMEM;
}
entry->pw_min_life = t->pw_min_life;
entry->pw_max_life = t->pw_max_life;
@@ -315,9 +316,9 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
entry->pw_history_num = t->pw_history_num;
entry->policy_refcnt = t->policy_refcnt;
if (handle->api_version == KADM5_API_VERSION_3) {
- entry->pw_max_fail = t->pw_max_fail;
- entry->pw_failcnt_interval = t->pw_failcnt_interval;
- entry->pw_lockout_duration = t->pw_lockout_duration;
+ entry->pw_max_fail = t->pw_max_fail;
+ entry->pw_failcnt_interval = t->pw_failcnt_interval;
+ entry->pw_lockout_duration = t->pw_lockout_duration;
}
krb5_db_free_policy(handle->context, t);
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 40eea875bc..a58c798acb 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -8,19 +9,19 @@
static char *rcsid = "$Header$";
#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <errno.h>
-#include <kadm5/admin.h>
-#include <kdb.h>
-#include <stdio.h>
-#include <string.h>
-#include "server_internal.h"
-#include <stdarg.h>
-#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <errno.h>
+#include <kadm5/admin.h>
+#include <kdb.h>
+#include <stdio.h>
+#include <string.h>
+#include "server_internal.h"
+#include <stdarg.h>
+#include <stdlib.h>
#ifdef USE_PASSWORD_SERVER
-#include <sys/wait.h>
-#include <signal.h>
+#include <sys/wait.h>
+#include <signal.h>
#endif
@@ -30,19 +31,19 @@ static char *rcsid = "$Header$";
#define VALGRIND_CHECK_DEFINED(LVALUE) ((void)0)
#endif
-extern krb5_principal master_princ;
-extern krb5_principal hist_princ;
-extern krb5_keyblock master_keyblock;
+extern krb5_principal master_princ;
+extern krb5_principal hist_princ;
+extern krb5_keyblock master_keyblock;
extern krb5_keylist_node *master_keylist;
extern krb5_actkvno_node *active_mkey_list;
-extern krb5_keyblock hist_key;
-extern krb5_db_entry master_db;
-extern krb5_db_entry hist_db;
-extern krb5_kvno hist_kvno;
+extern krb5_keyblock hist_key;
+extern krb5_db_entry master_db;
+extern krb5_db_entry hist_db;
+extern krb5_kvno hist_kvno;
static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey,
- int n_key_data, krb5_key_data *key_data,
- krb5_keyblock **keyblocks, int *n_keys);
+ int n_key_data, krb5_key_data *key_data,
+ krb5_keyblock **keyblocks, int *n_keys);
static krb5_error_code
kadm5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal *outprinc)
@@ -61,7 +62,7 @@ kadm5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pr
nelems = (int) krb5_princ_size(context, inprinc);
tempprinc->data = krb5_db_alloc(context, NULL, nelems * sizeof(krb5_data));
if (tempprinc->data == 0) {
- krb5_db_free(context, (char *)tempprinc);
+ krb5_db_free(context, (char *)tempprinc);
return ENOMEM;
}
@@ -79,17 +80,17 @@ kadm5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pr
if (len)
memcpy(krb5_princ_component(context, tempprinc, i)->data,
krb5_princ_component(context, inprinc, i)->data, len);
- krb5_princ_component(context, tempprinc, i)->magic = KV5M_DATA;
+ krb5_princ_component(context, tempprinc, i)->magic = KV5M_DATA;
}
tempprinc->realm.data =
- krb5_db_alloc(context, NULL, tempprinc->realm.length = inprinc->realm.length);
+ krb5_db_alloc(context, NULL, tempprinc->realm.length = inprinc->realm.length);
if (!tempprinc->realm.data && tempprinc->realm.length) {
- for (i = 0; i < nelems; i++)
- krb5_db_free(context, krb5_princ_component(context, tempprinc, i)->data);
- krb5_db_free(context, tempprinc->data);
- krb5_db_free(context, tempprinc);
- return ENOMEM;
+ for (i = 0; i < nelems; i++)
+ krb5_db_free(context, krb5_princ_component(context, tempprinc, i)->data);
+ krb5_db_free(context, tempprinc->data);
+ krb5_db_free(context, tempprinc);
+ return ENOMEM;
}
if (tempprinc->realm.length)
memcpy(tempprinc->realm.data, inprinc->realm.data,
@@ -122,90 +123,90 @@ kadm5_free_principal(krb5_context context, krb5_principal val)
* XXX Functions that ought to be in libkrb5.a, but aren't.
*/
kadm5_ret_t krb5_copy_key_data_contents(context, from, to)
- krb5_context context;
- krb5_key_data *from, *to;
+ krb5_context context;
+ krb5_key_data *from, *to;
{
- int i, idx;
-
- *to = *from;
-
- idx = (from->key_data_ver == 1 ? 1 : 2);
-
- for (i = 0; i < idx; i++) {
- if ( from->key_data_length[i] ) {
- to->key_data_contents[i] = malloc(from->key_data_length[i]);
- if (to->key_data_contents[i] == NULL) {
- for (i = 0; i < idx; i++) {
- if (to->key_data_contents[i]) {
- memset(to->key_data_contents[i], 0,
- to->key_data_length[i]);
- free(to->key_data_contents[i]);
- }
- }
- return ENOMEM;
- }
- memcpy(to->key_data_contents[i], from->key_data_contents[i],
- from->key_data_length[i]);
- }
- }
- return 0;
+ int i, idx;
+
+ *to = *from;
+
+ idx = (from->key_data_ver == 1 ? 1 : 2);
+
+ for (i = 0; i < idx; i++) {
+ if ( from->key_data_length[i] ) {
+ to->key_data_contents[i] = malloc(from->key_data_length[i]);
+ if (to->key_data_contents[i] == NULL) {
+ for (i = 0; i < idx; i++) {
+ if (to->key_data_contents[i]) {
+ memset(to->key_data_contents[i], 0,
+ to->key_data_length[i]);
+ free(to->key_data_contents[i]);
+ }
+ }
+ return ENOMEM;
+ }
+ memcpy(to->key_data_contents[i], from->key_data_contents[i],
+ from->key_data_length[i]);
+ }
+ }
+ return 0;
}
static krb5_tl_data *dup_tl_data(krb5_tl_data *tl)
{
- krb5_tl_data *n;
-
- n = (krb5_tl_data *) malloc(sizeof(krb5_tl_data));
- if (n == NULL)
- return NULL;
- n->tl_data_contents = malloc(tl->tl_data_length);
- if (n->tl_data_contents == NULL) {
- free(n);
- return NULL;
- }
- memcpy(n->tl_data_contents, tl->tl_data_contents, tl->tl_data_length);
- n->tl_data_type = tl->tl_data_type;
- n->tl_data_length = tl->tl_data_length;
- n->tl_data_next = NULL;
- return n;
+ krb5_tl_data *n;
+
+ n = (krb5_tl_data *) malloc(sizeof(krb5_tl_data));
+ if (n == NULL)
+ return NULL;
+ n->tl_data_contents = malloc(tl->tl_data_length);
+ if (n->tl_data_contents == NULL) {
+ free(n);
+ return NULL;
+ }
+ memcpy(n->tl_data_contents, tl->tl_data_contents, tl->tl_data_length);
+ n->tl_data_type = tl->tl_data_type;
+ n->tl_data_length = tl->tl_data_length;
+ n->tl_data_next = NULL;
+ return n;
}
/* This is in lib/kdb/kdb_cpw.c, but is static */
static void cleanup_key_data(context, count, data)
- krb5_context context;
- int count;
- krb5_key_data * data;
+ krb5_context context;
+ int count;
+ krb5_key_data * data;
{
- int i, j;
+ int i, j;
- for (i = 0; i < count; i++)
- for (j = 0; j < data[i].key_data_ver; j++)
- if (data[i].key_data_length[j])
- krb5_db_free(context, data[i].key_data_contents[j]);
- krb5_db_free(context, data);
+ for (i = 0; i < count; i++)
+ for (j = 0; j < data[i].key_data_ver; j++)
+ if (data[i].key_data_length[j])
+ krb5_db_free(context, data[i].key_data_contents[j]);
+ krb5_db_free(context, data);
}
kadm5_ret_t
kadm5_create_principal(void *server_handle,
- kadm5_principal_ent_t entry, long mask,
- char *password)
+ kadm5_principal_ent_t entry, long mask,
+ char *password)
{
return
- kadm5_create_principal_3(server_handle, entry, mask,
- 0, NULL, password);
+ kadm5_create_principal_3(server_handle, entry, mask,
+ 0, NULL, password);
}
kadm5_ret_t
kadm5_create_principal_3(void *server_handle,
- kadm5_principal_ent_t entry, long mask,
- int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
- char *password)
+ kadm5_principal_ent_t entry, long mask,
+ int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
+ char *password)
{
- krb5_db_entry kdb;
- osa_princ_ent_rec adb;
- kadm5_policy_ent_rec polent;
- krb5_int32 now;
- krb5_tl_data *tl_data_orig, *tl_data_tail;
- unsigned int ret;
+ krb5_db_entry kdb;
+ osa_princ_ent_rec adb;
+ kadm5_policy_ent_rec polent;
+ krb5_int32 now;
+ krb5_tl_data *tl_data_orig, *tl_data_tail;
+ unsigned int ret;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
krb5_kvno act_kvno;
@@ -223,11 +224,11 @@ kadm5_create_principal_3(void *server_handle,
(mask & KADM5_AUX_ATTRIBUTES) || (mask & KADM5_KEY_DATA) ||
(mask & KADM5_LAST_SUCCESS) || (mask & KADM5_LAST_FAILED) ||
(mask & KADM5_FAIL_AUTH_COUNT))
- return KADM5_BAD_MASK;
+ return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
- return KADM5_BAD_MASK;
+ return KADM5_BAD_MASK;
if (entry == NULL)
- return EINVAL;
+ return EINVAL;
/*
* Check to see if the principal exists
@@ -236,12 +237,12 @@ kadm5_create_principal_3(void *server_handle,
switch(ret) {
case KADM5_UNK_PRINC:
- break;
+ break;
case 0:
- kdb_free_entry(handle, &kdb, &adb);
- return KADM5_DUP;
+ kdb_free_entry(handle, &kdb, &adb);
+ return KADM5_DUP;
default:
- return ret;
+ return ret;
}
memset(&kdb, 0, sizeof(krb5_db_entry));
@@ -252,22 +253,22 @@ kadm5_create_principal_3(void *server_handle,
* If we can not find the one specified return an error
*/
if ((mask & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, entry->policy,
- &polent)) != KADM5_OK) {
- if(ret == EINVAL)
- return KADM5_BAD_POLICY;
- else
- return ret;
- }
+ if ((ret = kadm5_get_policy(handle->lhandle, entry->policy,
+ &polent)) != KADM5_OK) {
+ if(ret == EINVAL)
+ return KADM5_BAD_POLICY;
+ else
+ return ret;
+ }
}
if (password) {
- ret = passwd_check(handle, password, (mask & KADM5_POLICY),
- &polent, entry->principal);
- if (ret) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
+ ret = passwd_check(handle, password, (mask & KADM5_POLICY),
+ &polent, entry->principal);
+ if (ret) {
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return ret;
+ }
}
/*
* Start populating the various DB fields, using the
@@ -275,43 +276,43 @@ kadm5_create_principal_3(void *server_handle,
* mask.
*/
if ((ret = krb5_timeofday(handle->context, &now))) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return ret;
}
kdb.magic = KRB5_KDB_MAGIC_NUMBER;
kdb.len = KRB5_KDB_V1_BASE_LENGTH; /* gag me with a chainsaw */
if ((mask & KADM5_ATTRIBUTES))
- kdb.attributes = entry->attributes;
+ kdb.attributes = entry->attributes;
else
- kdb.attributes = handle->params.flags;
+ kdb.attributes = handle->params.flags;
if ((mask & KADM5_MAX_LIFE))
- kdb.max_life = entry->max_life;
+ kdb.max_life = entry->max_life;
else
- kdb.max_life = handle->params.max_life;
+ kdb.max_life = handle->params.max_life;
if (mask & KADM5_MAX_RLIFE)
- kdb.max_renewable_life = entry->max_renewable_life;
+ kdb.max_renewable_life = entry->max_renewable_life;
else
- kdb.max_renewable_life = handle->params.max_rlife;
+ kdb.max_renewable_life = handle->params.max_rlife;
if ((mask & KADM5_PRINC_EXPIRE_TIME))
- kdb.expiration = entry->princ_expire_time;
+ kdb.expiration = entry->princ_expire_time;
else
- kdb.expiration = handle->params.expiration;
+ kdb.expiration = handle->params.expiration;
kdb.pw_expiration = 0;
if ((mask & KADM5_POLICY)) {
- if(polent.pw_max_life)
- kdb.pw_expiration = now + polent.pw_max_life;
- else
- kdb.pw_expiration = 0;
+ if(polent.pw_max_life)
+ kdb.pw_expiration = now + polent.pw_max_life;
+ else
+ kdb.pw_expiration = 0;
}
if ((mask & KADM5_PW_EXPIRATION))
- kdb.pw_expiration = entry->pw_expiration;
+ kdb.pw_expiration = entry->pw_expiration;
kdb.last_success = 0;
kdb.last_failed = 0;
@@ -322,40 +323,40 @@ kadm5_create_principal_3(void *server_handle,
principal. */
if ((ret = kadm5_copy_principal(handle->context,
- entry->principal, &(kdb.princ)))) {
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
+ entry->principal, &(kdb.princ)))) {
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return(ret);
}
if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
+ krb5_db_free_principal(handle->context, &kdb, 1);
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return(ret);
}
if (mask & KADM5_TL_DATA) {
- /* splice entry->tl_data onto the front of kdb.tl_data */
- tl_data_orig = kdb.tl_data;
- for (tl_data_tail = entry->tl_data; tl_data_tail;
- tl_data_tail = tl_data_tail->tl_data_next)
- {
- ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl_data_tail);
- if( ret )
- {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
- }
- }
+ /* splice entry->tl_data onto the front of kdb.tl_data */
+ tl_data_orig = kdb.tl_data;
+ for (tl_data_tail = entry->tl_data; tl_data_tail;
+ tl_data_tail = tl_data_tail->tl_data_next)
+ {
+ ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl_data_tail);
+ if( ret )
+ {
+ krb5_db_free_principal(handle->context, &kdb, 1);
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return ret;
+ }
+ }
}
/* initialize the keys */
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_kvno, &act_mkey);
+ active_mkey_list, &act_kvno, &act_mkey);
if (ret) {
krb5_db_free_principal(handle->context, &kdb, 1);
if (mask & KADM5_POLICY)
@@ -364,33 +365,33 @@ kadm5_create_principal_3(void *server_handle,
}
if (password) {
- ret = krb5_dbe_cpw(handle->context, act_mkey,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- password, (mask & KADM5_KVNO)?entry->kvno:1,
- FALSE, &kdb);
+ ret = krb5_dbe_cpw(handle->context, act_mkey,
+ n_ks_tuple?ks_tuple:handle->params.keysalts,
+ n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+ password, (mask & KADM5_KVNO)?entry->kvno:1,
+ FALSE, &kdb);
} else {
- /* Null password means create with random key (new in 1.8). */
- ret = krb5_dbe_crk(handle->context, &master_keyblock,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- FALSE, &kdb);
+ /* Null password means create with random key (new in 1.8). */
+ ret = krb5_dbe_crk(handle->context, &master_keyblock,
+ n_ks_tuple?ks_tuple:handle->params.keysalts,
+ n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+ FALSE, &kdb);
}
if (ret) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
+ krb5_db_free_principal(handle->context, &kdb, 1);
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return(ret);
}
/* Record the master key VNO used to encrypt this entry's keys */
ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
if (ret)
{
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return ret;
+ krb5_db_free_principal(handle->context, &kdb, 1);
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return ret;
}
/* populate the admin-server-specific fields. In the OV server,
@@ -401,26 +402,26 @@ kadm5_create_principal_3(void *server_handle,
adb.admin_history_kvno = hist_kvno;
if ((mask & KADM5_POLICY)) {
- adb.aux_attributes = KADM5_POLICY;
+ adb.aux_attributes = KADM5_POLICY;
- /* this does *not* need to be strdup'ed, because adb is xdr */
- /* encoded in osa_adb_create_princ, and not ever freed */
+ /* this does *not* need to be strdup'ed, because adb is xdr */
+ /* encoded in osa_adb_create_princ, and not ever freed */
- adb.policy = entry->policy;
+ adb.policy = entry->policy;
}
/* increment the policy ref count, if any */
if ((mask & KADM5_POLICY)) {
- polent.policy_refcnt++;
- if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
- KADM5_REF_COUNT))
- != KADM5_OK) {
- krb5_db_free_principal(handle->context, &kdb, 1);
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
- }
+ polent.policy_refcnt++;
+ if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
+ KADM5_REF_COUNT))
+ != KADM5_OK) {
+ krb5_db_free_principal(handle->context, &kdb, 1);
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return(ret);
+ }
}
/* In all cases key and the principal data is set, let the database provider know */
@@ -432,25 +433,25 @@ kadm5_create_principal_3(void *server_handle,
krb5_db_free_principal(handle->context, &kdb, 1);
if (ret) {
- if ((mask & KADM5_POLICY)) {
- /* decrement the policy ref count */
-
- polent.policy_refcnt--;
- /*
- * if this fails, there's nothing we can do anyway. the
- * policy refcount wil be too high.
- */
- (void) kadm5_modify_policy_internal(handle->lhandle, &polent,
- KADM5_REF_COUNT);
- }
-
- if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- return(ret);
+ if ((mask & KADM5_POLICY)) {
+ /* decrement the policy ref count */
+
+ polent.policy_refcnt--;
+ /*
+ * if this fails, there's nothing we can do anyway. the
+ * policy refcount wil be too high.
+ */
+ (void) kadm5_modify_policy_internal(handle->lhandle, &polent,
+ KADM5_REF_COUNT);
+ }
+
+ if (mask & KADM5_POLICY)
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ return(ret);
}
if (mask & KADM5_POLICY)
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
return KADM5_OK;
}
@@ -459,10 +460,10 @@ kadm5_create_principal_3(void *server_handle,
kadm5_ret_t
kadm5_delete_principal(void *server_handle, krb5_principal principal)
{
- unsigned int ret;
- kadm5_policy_ent_rec polent;
- krb5_db_entry kdb;
- osa_princ_ent_rec adb;
+ unsigned int ret;
+ kadm5_policy_ent_rec polent;
+ krb5_db_entry kdb;
+ osa_princ_ent_rec adb;
kadm5_server_handle_t handle = server_handle;
CHECK_HANDLE(server_handle);
@@ -470,28 +471,28 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
krb5_clear_error_message(handle->context);
if (principal == NULL)
- return EINVAL;
+ return EINVAL;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return(ret);
+ return(ret);
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle,
- adb.policy, &polent))
- == KADM5_OK) {
- polent.policy_refcnt--;
- if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
- KADM5_REF_COUNT))
- != KADM5_OK) {
- (void) kadm5_free_policy_ent(handle->lhandle, &polent);
- kdb_free_entry(handle, &kdb, &adb);
- return(ret);
- }
- }
- if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) {
- kdb_free_entry(handle, &kdb, &adb);
- return ret;
- }
+ if ((ret = kadm5_get_policy(handle->lhandle,
+ adb.policy, &polent))
+ == KADM5_OK) {
+ polent.policy_refcnt--;
+ if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
+ KADM5_REF_COUNT))
+ != KADM5_OK) {
+ (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+ kdb_free_entry(handle, &kdb, &adb);
+ return(ret);
+ }
+ }
+ if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) {
+ kdb_free_entry(handle, &kdb, &adb);
+ return ret;
+ }
}
ret = kdb_delete_entry(handle, principal);
@@ -503,14 +504,14 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
kadm5_ret_t
kadm5_modify_principal(void *server_handle,
- kadm5_principal_ent_t entry, long mask)
+ kadm5_principal_ent_t entry, long mask)
{
- int ret, ret2, i;
+ int ret, ret2, i;
kadm5_policy_ent_rec npol, opol;
- int have_npol = 0, have_opol = 0;
- krb5_db_entry kdb;
- krb5_tl_data *tl_data_orig;
- osa_princ_ent_rec adb;
+ int have_npol = 0, have_opol = 0;
+ krb5_db_entry kdb;
+ krb5_tl_data *tl_data_orig;
+ osa_princ_ent_rec adb;
kadm5_server_handle_t handle = server_handle;
CHECK_HANDLE(server_handle);
@@ -522,154 +523,154 @@ kadm5_modify_principal(void *server_handle,
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
(mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) ||
(mask & KADM5_LAST_FAILED))
- return KADM5_BAD_MASK;
+ return KADM5_BAD_MASK;
if((mask & ~ALL_PRINC_MASK))
- return KADM5_BAD_MASK;
+ return KADM5_BAD_MASK;
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
- return KADM5_BAD_MASK;
+ return KADM5_BAD_MASK;
if(entry == (kadm5_principal_ent_t) NULL)
- return EINVAL;
+ return EINVAL;
if (mask & KADM5_TL_DATA) {
- tl_data_orig = entry->tl_data;
- while (tl_data_orig) {
- if (tl_data_orig->tl_data_type < 256)
- return KADM5_BAD_TL_TYPE;
- tl_data_orig = tl_data_orig->tl_data_next;
- }
+ tl_data_orig = entry->tl_data;
+ while (tl_data_orig) {
+ if (tl_data_orig->tl_data_type < 256)
+ return KADM5_BAD_TL_TYPE;
+ tl_data_orig = tl_data_orig->tl_data_next;
+ }
}
ret = kdb_get_entry(handle, entry->principal, &kdb, &adb);
if (ret)
- return(ret);
+ return(ret);
/*
* This is pretty much the same as create ...
*/
if ((mask & KADM5_POLICY)) {
- /* get the new policy */
- ret = kadm5_get_policy(handle->lhandle, entry->policy, &npol);
- if (ret) {
- switch (ret) {
- case EINVAL:
- ret = KADM5_BAD_POLICY;
- break;
- case KADM5_UNK_POLICY:
- case KADM5_BAD_POLICY:
- ret = KADM5_UNK_POLICY;
- break;
- }
- goto done;
- }
- have_npol = 1;
-
- /* if we already have a policy, get it to decrement the refcnt */
- if(adb.aux_attributes & KADM5_POLICY) {
- /* ... but not if the old and new are the same */
- if(strcmp(adb.policy, entry->policy)) {
- ret = kadm5_get_policy(handle->lhandle,
- adb.policy, &opol);
- switch(ret) {
- case EINVAL:
- case KADM5_BAD_POLICY:
- case KADM5_UNK_POLICY:
- break;
- case KADM5_OK:
- have_opol = 1;
- opol.policy_refcnt--;
- break;
- default:
- goto done;
- break;
- }
- npol.policy_refcnt++;
- }
- } else npol.policy_refcnt++;
-
- /* set us up to use the new policy */
- adb.aux_attributes |= KADM5_POLICY;
- if (adb.policy)
- free(adb.policy);
- adb.policy = strdup(entry->policy);
-
- /* set pw_max_life based on new policy */
- if (npol.pw_max_life) {
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
- &(kdb.pw_expiration));
- if (ret)
- goto done;
- kdb.pw_expiration += npol.pw_max_life;
- } else {
- kdb.pw_expiration = 0;
- }
+ /* get the new policy */
+ ret = kadm5_get_policy(handle->lhandle, entry->policy, &npol);
+ if (ret) {
+ switch (ret) {
+ case EINVAL:
+ ret = KADM5_BAD_POLICY;
+ break;
+ case KADM5_UNK_POLICY:
+ case KADM5_BAD_POLICY:
+ ret = KADM5_UNK_POLICY;
+ break;
+ }
+ goto done;
+ }
+ have_npol = 1;
+
+ /* if we already have a policy, get it to decrement the refcnt */
+ if(adb.aux_attributes & KADM5_POLICY) {
+ /* ... but not if the old and new are the same */
+ if(strcmp(adb.policy, entry->policy)) {
+ ret = kadm5_get_policy(handle->lhandle,
+ adb.policy, &opol);
+ switch(ret) {
+ case EINVAL:
+ case KADM5_BAD_POLICY:
+ case KADM5_UNK_POLICY:
+ break;
+ case KADM5_OK:
+ have_opol = 1;
+ opol.policy_refcnt--;
+ break;
+ default:
+ goto done;
+ break;
+ }
+ npol.policy_refcnt++;
+ }
+ } else npol.policy_refcnt++;
+
+ /* set us up to use the new policy */
+ adb.aux_attributes |= KADM5_POLICY;
+ if (adb.policy)
+ free(adb.policy);
+ adb.policy = strdup(entry->policy);
+
+ /* set pw_max_life based on new policy */
+ if (npol.pw_max_life) {
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
+ &(kdb.pw_expiration));
+ if (ret)
+ goto done;
+ kdb.pw_expiration += npol.pw_max_life;
+ } else {
+ kdb.pw_expiration = 0;
+ }
}
if ((mask & KADM5_POLICY_CLR) &&
- (adb.aux_attributes & KADM5_POLICY)) {
- ret = kadm5_get_policy(handle->lhandle, adb.policy, &opol);
- switch(ret) {
- case EINVAL:
- case KADM5_BAD_POLICY:
- case KADM5_UNK_POLICY:
- ret = KADM5_BAD_DB;
- goto done;
- break;
- case KADM5_OK:
- have_opol = 1;
- if (adb.policy)
- free(adb.policy);
- adb.policy = NULL;
- adb.aux_attributes &= ~KADM5_POLICY;
- kdb.pw_expiration = 0;
- opol.policy_refcnt--;
- break;
- default:
- goto done;
- break;
- }
+ (adb.aux_attributes & KADM5_POLICY)) {
+ ret = kadm5_get_policy(handle->lhandle, adb.policy, &opol);
+ switch(ret) {
+ case EINVAL:
+ case KADM5_BAD_POLICY:
+ case KADM5_UNK_POLICY:
+ ret = KADM5_BAD_DB;
+ goto done;
+ break;
+ case KADM5_OK:
+ have_opol = 1;
+ if (adb.policy)
+ free(adb.policy);
+ adb.policy = NULL;
+ adb.aux_attributes &= ~KADM5_POLICY;
+ kdb.pw_expiration = 0;
+ opol.policy_refcnt--;
+ break;
+ default:
+ goto done;
+ break;
+ }
}
if (((mask & KADM5_POLICY) || (mask & KADM5_POLICY_CLR)) &&
- (((have_opol) &&
- (ret =
- kadm5_modify_policy_internal(handle->lhandle, &opol,
- KADM5_REF_COUNT))) ||
- ((have_npol) &&
- (ret =
- kadm5_modify_policy_internal(handle->lhandle, &npol,
- KADM5_REF_COUNT)))))
- goto done;
+ (((have_opol) &&
+ (ret =
+ kadm5_modify_policy_internal(handle->lhandle, &opol,
+ KADM5_REF_COUNT))) ||
+ ((have_npol) &&
+ (ret =
+ kadm5_modify_policy_internal(handle->lhandle, &npol,
+ KADM5_REF_COUNT)))))
+ goto done;
if ((mask & KADM5_ATTRIBUTES))
- kdb.attributes = entry->attributes;
+ kdb.attributes = entry->attributes;
if ((mask & KADM5_MAX_LIFE))
- kdb.max_life = entry->max_life;
+ kdb.max_life = entry->max_life;
if ((mask & KADM5_PRINC_EXPIRE_TIME))
- kdb.expiration = entry->princ_expire_time;
+ kdb.expiration = entry->princ_expire_time;
if (mask & KADM5_PW_EXPIRATION)
- kdb.pw_expiration = entry->pw_expiration;
+ kdb.pw_expiration = entry->pw_expiration;
if (mask & KADM5_MAX_RLIFE)
- kdb.max_renewable_life = entry->max_renewable_life;
+ kdb.max_renewable_life = entry->max_renewable_life;
if((mask & KADM5_KVNO)) {
- for (i = 0; i < kdb.n_key_data; i++)
- kdb.key_data[i].key_data_kvno = entry->kvno;
+ for (i = 0; i < kdb.n_key_data; i++)
+ kdb.key_data[i].key_data_kvno = entry->kvno;
}
if (mask & KADM5_TL_DATA) {
- krb5_tl_data *tl;
-
- /* may have to change the version number of the API. Updates the list with the given tl_data rather than over-writting */
-
- for (tl = entry->tl_data; tl;
- tl = tl->tl_data_next)
- {
- ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl);
- if( ret )
- {
- goto done;
- }
- }
+ krb5_tl_data *tl;
+
+ /* may have to change the version number of the API. Updates the list with the given tl_data rather than over-writting */
+
+ for (tl = entry->tl_data; tl;
+ tl = tl->tl_data_next)
+ {
+ ret = krb5_dbe_update_tl_data(handle->context, &kdb, tl);
+ if( ret )
+ {
+ goto done;
+ }
+ }
}
/*
@@ -678,12 +679,12 @@ kadm5_modify_principal(void *server_handle,
* value using kadmin.
*/
if (mask & KADM5_FAIL_AUTH_COUNT) {
- if (entry->fail_auth_count != 0) {
- ret = KADM5_BAD_SERVER_PARAMS;
- goto done;
- }
+ if (entry->fail_auth_count != 0) {
+ ret = KADM5_BAD_SERVER_PARAMS;
+ goto done;
+ }
- kdb.fail_auth_count = 0;
+ kdb.fail_auth_count = 0;
}
/* let the mask propagate to the database provider */
@@ -695,12 +696,12 @@ kadm5_modify_principal(void *server_handle,
ret = KADM5_OK;
done:
if (have_opol) {
- ret2 = kadm5_free_policy_ent(handle->lhandle, &opol);
- ret = ret ? ret : ret2;
+ ret2 = kadm5_free_policy_ent(handle->lhandle, &opol);
+ ret = ret ? ret : ret2;
}
if (have_npol) {
- ret2 = kadm5_free_policy_ent(handle->lhandle, &npol);
- ret = ret ? ret : ret2;
+ ret2 = kadm5_free_policy_ent(handle->lhandle, &npol);
+ ret = ret ? ret : ret2;
}
kdb_free_entry(handle, &kdb, &adb);
return ret;
@@ -708,11 +709,11 @@ done:
kadm5_ret_t
kadm5_rename_principal(void *server_handle,
- krb5_principal source, krb5_principal target)
+ krb5_principal source, krb5_principal target)
{
- krb5_db_entry kdb;
- osa_princ_ent_rec adb;
- int ret, i;
+ krb5_db_entry kdb;
+ osa_princ_ent_rec adb;
+ int ret, i;
kadm5_server_handle_t handle = server_handle;
CHECK_HANDLE(server_handle);
@@ -720,35 +721,35 @@ kadm5_rename_principal(void *server_handle,
krb5_clear_error_message(handle->context);
if (source == NULL || target == NULL)
- return EINVAL;
+ return EINVAL;
if ((ret = kdb_get_entry(handle, target, &kdb, &adb)) == 0) {
- kdb_free_entry(handle, &kdb, &adb);
- return(KADM5_DUP);
+ kdb_free_entry(handle, &kdb, &adb);
+ return(KADM5_DUP);
}
if ((ret = kdb_get_entry(handle, source, &kdb, &adb)))
- return ret;
+ return ret;
/* this is kinda gross, but unavoidable */
for (i=0; i<kdb.n_key_data; i++) {
- if ((kdb.key_data[i].key_data_ver == 1) ||
- (kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
- ret = KADM5_NO_RENAME_SALT;
- goto done;
- }
+ if ((kdb.key_data[i].key_data_ver == 1) ||
+ (kdb.key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)) {
+ ret = KADM5_NO_RENAME_SALT;
+ goto done;
+ }
}
kadm5_free_principal(handle->context, kdb.princ);
ret = kadm5_copy_principal(handle->context, target, &kdb.princ);
if (ret) {
- kdb.princ = NULL; /* so freeing the dbe doesn't lose */
- goto done;
+ kdb.princ = NULL; /* so freeing the dbe doesn't lose */
+ goto done;
}
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
- goto done;
+ goto done;
ret = kdb_delete_entry(handle, source);
@@ -759,13 +760,13 @@ done:
kadm5_ret_t
kadm5_get_principal(void *server_handle, krb5_principal principal,
- kadm5_principal_ent_t entry,
- long in_mask)
+ kadm5_principal_ent_t entry,
+ long in_mask)
{
- krb5_db_entry kdb;
- osa_princ_ent_rec adb;
- krb5_error_code ret = 0;
- long mask;
+ krb5_db_entry kdb;
+ osa_princ_ent_rec adb;
+ krb5_error_code ret = 0;
+ long mask;
int i;
kadm5_server_handle_t handle = server_handle;
@@ -783,125 +784,125 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
memset(entry, 0, sizeof(*entry));
if (principal == NULL)
- return EINVAL;
+ return EINVAL;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return ret;
+ return ret;
if ((mask & KADM5_POLICY) &&
- adb.policy && (adb.aux_attributes & KADM5_POLICY)) {
- if ((entry->policy = strdup(adb.policy)) == NULL) {
- ret = ENOMEM;
- goto done;
- }
+ adb.policy && (adb.aux_attributes & KADM5_POLICY)) {
+ if ((entry->policy = strdup(adb.policy)) == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
}
if (mask & KADM5_AUX_ATTRIBUTES)
- entry->aux_attributes = adb.aux_attributes;
+ entry->aux_attributes = adb.aux_attributes;
if ((mask & KADM5_PRINCIPAL) &&
- (ret = krb5_copy_principal(handle->context, kdb.princ,
- &entry->principal))) {
- goto done;
+ (ret = krb5_copy_principal(handle->context, kdb.princ,
+ &entry->principal))) {
+ goto done;
}
if (mask & KADM5_PRINC_EXPIRE_TIME)
- entry->princ_expire_time = kdb.expiration;
+ entry->princ_expire_time = kdb.expiration;
if ((mask & KADM5_LAST_PWD_CHANGE) &&
- (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
- &(entry->last_pwd_change)))) {
- goto done;
+ (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
+ &(entry->last_pwd_change)))) {
+ goto done;
}
if (mask & KADM5_PW_EXPIRATION)
- entry->pw_expiration = kdb.pw_expiration;
+ entry->pw_expiration = kdb.pw_expiration;
if (mask & KADM5_MAX_LIFE)
- entry->max_life = kdb.max_life;
+ entry->max_life = kdb.max_life;
/* this is a little non-sensical because the function returns two */
/* values that must be checked separately against the mask */
if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) {
- ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb,
- &(entry->mod_date),
- &(entry->mod_name));
- if (ret) {
- goto done;
- }
-
- if (! (mask & KADM5_MOD_TIME))
- entry->mod_date = 0;
- if (! (mask & KADM5_MOD_NAME)) {
- krb5_free_principal(handle->context, entry->principal);
- entry->principal = NULL;
- }
+ ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb,
+ &(entry->mod_date),
+ &(entry->mod_name));
+ if (ret) {
+ goto done;
+ }
+
+ if (! (mask & KADM5_MOD_TIME))
+ entry->mod_date = 0;
+ if (! (mask & KADM5_MOD_NAME)) {
+ krb5_free_principal(handle->context, entry->principal);
+ entry->principal = NULL;
+ }
}
if (mask & KADM5_ATTRIBUTES)
- entry->attributes = kdb.attributes;
+ entry->attributes = kdb.attributes;
if (mask & KADM5_KVNO)
- for (entry->kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > entry->kvno)
- entry->kvno = kdb.key_data[i].key_data_kvno;
+ for (entry->kvno = 0, i=0; i<kdb.n_key_data; i++)
+ if (kdb.key_data[i].key_data_kvno > entry->kvno)
+ entry->kvno = kdb.key_data[i].key_data_kvno;
ret = krb5_dbe_lookup_mkvno(handle->context, &kdb, &entry->mkvno);
if (ret)
- goto done;
+ goto done;
if (mask & KADM5_MAX_RLIFE)
- entry->max_renewable_life = kdb.max_renewable_life;
+ entry->max_renewable_life = kdb.max_renewable_life;
if (mask & KADM5_LAST_SUCCESS)
- entry->last_success = kdb.last_success;
+ entry->last_success = kdb.last_success;
if (mask & KADM5_LAST_FAILED)
- entry->last_failed = kdb.last_failed;
+ entry->last_failed = kdb.last_failed;
if (mask & KADM5_FAIL_AUTH_COUNT)
- entry->fail_auth_count = kdb.fail_auth_count;
+ entry->fail_auth_count = kdb.fail_auth_count;
if (mask & KADM5_TL_DATA) {
- krb5_tl_data *tl, *tl2;
-
- entry->tl_data = NULL;
-
- tl = kdb.tl_data;
- while (tl) {
- if (tl->tl_data_type > 255) {
- if ((tl2 = dup_tl_data(tl)) == NULL) {
- ret = ENOMEM;
- goto done;
- }
- tl2->tl_data_next = entry->tl_data;
- entry->tl_data = tl2;
- entry->n_tl_data++;
- }
-
- tl = tl->tl_data_next;
- }
+ krb5_tl_data *tl, *tl2;
+
+ entry->tl_data = NULL;
+
+ tl = kdb.tl_data;
+ while (tl) {
+ if (tl->tl_data_type > 255) {
+ if ((tl2 = dup_tl_data(tl)) == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ tl2->tl_data_next = entry->tl_data;
+ entry->tl_data = tl2;
+ entry->n_tl_data++;
+ }
+
+ tl = tl->tl_data_next;
+ }
}
if (mask & KADM5_KEY_DATA) {
- entry->n_key_data = kdb.n_key_data;
- if(entry->n_key_data) {
- entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data));
- if (entry->key_data == NULL) {
- ret = ENOMEM;
- goto done;
- }
- } else
- entry->key_data = NULL;
-
- for (i = 0; i < entry->n_key_data; i++)
- ret = krb5_copy_key_data_contents(handle->context,
- &kdb.key_data[i],
- &entry->key_data[i]);
- if (ret)
- goto done;
+ entry->n_key_data = kdb.n_key_data;
+ if(entry->n_key_data) {
+ entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data));
+ if (entry->key_data == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ } else
+ entry->key_data = NULL;
+
+ for (i = 0; i < entry->n_key_data; i++)
+ ret = krb5_copy_key_data_contents(handle->context,
+ &kdb.key_data[i],
+ &entry->key_data[i]);
+ if (ret)
+ goto done;
}
ret = KADM5_OK;
done:
if (ret && entry->principal) {
- krb5_free_principal(handle->context, entry->principal);
- entry->principal = NULL;
+ krb5_free_principal(handle->context, entry->principal);
+ entry->principal = NULL;
}
kdb_free_entry(handle, &kdb, &adb);
@@ -916,66 +917,66 @@ done:
*
* Arguments:
*
- * context (r) the krb5 context
- * hist_keyblock (r) the key that hist_key_data is
- * encrypted in
- * n_new_key_data (r) length of new_key_data
- * new_key_data (r) keys to check against
- * pw_hist_data, encrypted in hist_keyblock
- * n_pw_hist_data (r) length of pw_hist_data
- * pw_hist_data (r) passwords to check new_key_data against
+ * context (r) the krb5 context
+ * hist_keyblock (r) the key that hist_key_data is
+ * encrypted in
+ * n_new_key_data (r) length of new_key_data
+ * new_key_data (r) keys to check against
+ * pw_hist_data, encrypted in hist_keyblock
+ * n_pw_hist_data (r) length of pw_hist_data
+ * pw_hist_data (r) passwords to check new_key_data against
*
* Effects:
* For each new_key in new_key_data:
- * decrypt new_key with the master_keyblock
- * for each password in pw_hist_data:
- * for each hist_key in password:
- * decrypt hist_key with hist_keyblock
- * compare the new_key and hist_key
+ * decrypt new_key with the master_keyblock
+ * for each password in pw_hist_data:
+ * for each hist_key in password:
+ * decrypt hist_key with hist_keyblock
+ * compare the new_key and hist_key
*
* Returns krb5 errors, KADM5_PASS_RESUSE if a key in
* new_key_data is the same as a key in pw_hist_data, or 0.
*/
static kadm5_ret_t
check_pw_reuse(krb5_context context,
- krb5_keyblock *mkey,
- krb5_keyblock *hist_keyblock,
- int n_new_key_data, krb5_key_data *new_key_data,
- unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data)
+ krb5_keyblock *mkey,
+ krb5_keyblock *hist_keyblock,
+ int n_new_key_data, krb5_key_data *new_key_data,
+ unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data)
{
int x, y, z;
krb5_keyblock newkey, histkey;
krb5_error_code ret;
for (x = 0; x < n_new_key_data; x++) {
- ret = krb5_dbekd_decrypt_key_data(context,
- mkey,
- &(new_key_data[x]),
- &newkey, NULL);
- if (ret)
- return(ret);
- for (y = 0; y < n_pw_hist_data; y++) {
- for (z = 0; z < pw_hist_data[y].n_key_data; z++) {
- ret = krb5_dbekd_decrypt_key_data(context,
- hist_keyblock,
- &pw_hist_data[y].key_data[z],
- &histkey, NULL);
- if (ret)
- return(ret);
-
- if ((newkey.length == histkey.length) &&
- (newkey.enctype == histkey.enctype) &&
- (memcmp(newkey.contents, histkey.contents,
- histkey.length) == 0)) {
- krb5_free_keyblock_contents(context, &histkey);
- krb5_free_keyblock_contents(context, &newkey);
-
- return(KADM5_PASS_REUSE);
- }
- krb5_free_keyblock_contents(context, &histkey);
- }
- }
- krb5_free_keyblock_contents(context, &newkey);
+ ret = krb5_dbekd_decrypt_key_data(context,
+ mkey,
+ &(new_key_data[x]),
+ &newkey, NULL);
+ if (ret)
+ return(ret);
+ for (y = 0; y < n_pw_hist_data; y++) {
+ for (z = 0; z < pw_hist_data[y].n_key_data; z++) {
+ ret = krb5_dbekd_decrypt_key_data(context,
+ hist_keyblock,
+ &pw_hist_data[y].key_data[z],
+ &histkey, NULL);
+ if (ret)
+ return(ret);
+
+ if ((newkey.length == histkey.length) &&
+ (newkey.enctype == histkey.enctype) &&
+ (memcmp(newkey.contents, histkey.contents,
+ histkey.length) == 0)) {
+ krb5_free_keyblock_contents(context, &histkey);
+ krb5_free_keyblock_contents(context, &newkey);
+
+ return(KADM5_PASS_REUSE);
+ }
+ krb5_free_keyblock_contents(context, &histkey);
+ }
+ }
+ krb5_free_keyblock_contents(context, &newkey);
}
return(0);
@@ -989,10 +990,10 @@ check_pw_reuse(krb5_context context,
*
* Arguments:
*
- * context (r) krb5_context to use
- * n_key_data (r) number of elements in key_data
- * key_data (r) keys to add to the history entry
- * hist (w) history entry to fill in
+ * context (r) krb5_context to use
+ * n_key_data (r) number of elements in key_data
+ * key_data (r) keys to add to the history entry
+ * hist (w) history entry to fill in
*
* Effects:
*
@@ -1003,48 +1004,48 @@ check_pw_reuse(krb5_context context,
*/
static
int create_history_entry(krb5_context context, krb5_keyblock *mkey, int n_key_data,
- krb5_key_data *key_data, osa_pw_hist_ent *hist)
+ krb5_key_data *key_data, osa_pw_hist_ent *hist)
{
- int i, ret;
- krb5_keyblock key;
- krb5_keysalt salt;
-
- hist->key_data = (krb5_key_data*)malloc(n_key_data*sizeof(krb5_key_data));
- if (hist->key_data == NULL)
- return ENOMEM;
- memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data));
-
- for (i = 0; i < n_key_data; i++) {
- ret = krb5_dbekd_decrypt_key_data(context,
- mkey,
- &key_data[i],
- &key, &salt);
- if (ret)
- return ret;
-
- ret = krb5_dbekd_encrypt_key_data(context, &hist_key,
- &key, &salt,
- key_data[i].key_data_kvno,
- &hist->key_data[i]);
- if (ret)
- return ret;
-
- krb5_free_keyblock_contents(context, &key);
- /* krb5_free_keysalt(context, &salt); */
- }
-
- hist->n_key_data = n_key_data;
- return 0;
+ int i, ret;
+ krb5_keyblock key;
+ krb5_keysalt salt;
+
+ hist->key_data = (krb5_key_data*)malloc(n_key_data*sizeof(krb5_key_data));
+ if (hist->key_data == NULL)
+ return ENOMEM;
+ memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data));
+
+ for (i = 0; i < n_key_data; i++) {
+ ret = krb5_dbekd_decrypt_key_data(context,
+ mkey,
+ &key_data[i],
+ &key, &salt);
+ if (ret)
+ return ret;
+
+ ret = krb5_dbekd_encrypt_key_data(context, &hist_key,
+ &key, &salt,
+ key_data[i].key_data_kvno,
+ &hist->key_data[i]);
+ if (ret)
+ return ret;
+
+ krb5_free_keyblock_contents(context, &key);
+ /* krb5_free_keysalt(context, &salt); */
+ }
+
+ hist->n_key_data = n_key_data;
+ return 0;
}
static
void free_history_entry(krb5_context context, osa_pw_hist_ent *hist)
{
- int i;
+ int i;
- for (i = 0; i < hist->n_key_data; i++)
- krb5_free_key_data_contents(context, &hist->key_data[i]);
- free(hist->key_data);
+ for (i = 0; i < hist->n_key_data; i++)
+ krb5_free_key_data_contents(context, &hist->key_data[i]);
+ free(hist->key_data);
}
/*
@@ -1054,10 +1055,10 @@ void free_history_entry(krb5_context context, osa_pw_hist_ent *hist)
*
* Arguments:
*
- * context (r) krb5_context to use
- * adb (r/w) admin principal entry to add keys to
- * pol (r) adb's policy
- * pw (r) keys for the password to add to adb's key history
+ * context (r) krb5_context to use
+ * adb (r/w) admin principal entry to add keys to
+ * pol (r) adb's policy
+ * pw (r) keys for the password to add to adb's key history
*
* Effects:
*
@@ -1074,111 +1075,111 @@ void free_history_entry(krb5_context context, osa_pw_hist_ent *hist)
* adb->old_key_len).
*/
static kadm5_ret_t add_to_history(krb5_context context,
- osa_princ_ent_t adb,
- kadm5_policy_ent_t pol,
- osa_pw_hist_ent *pw)
+ osa_princ_ent_t adb,
+ kadm5_policy_ent_t pol,
+ osa_pw_hist_ent *pw)
{
- osa_pw_hist_ent *histp;
- uint32_t nhist;
- unsigned int i, knext, nkeys;
-
- nhist = pol->pw_history_num;
- /* A history of 1 means just check the current password */
- if (nhist <= 1)
- return 0;
-
- nkeys = adb->old_key_len;
- knext = adb->old_key_next;
- /* resize the adb->old_keys array if necessary */
- if (nkeys + 1 < nhist) {
- if (adb->old_keys == NULL) {
- adb->old_keys = (osa_pw_hist_ent *)
- malloc((nkeys + 1) * sizeof (osa_pw_hist_ent));
- } else {
- adb->old_keys = (osa_pw_hist_ent *)
- realloc(adb->old_keys,
- (nkeys + 1) * sizeof (osa_pw_hist_ent));
- }
- if (adb->old_keys == NULL)
- return(ENOMEM);
-
- memset(&adb->old_keys[nkeys], 0, sizeof(osa_pw_hist_ent));
- nkeys = ++adb->old_key_len;
- /*
- * To avoid losing old keys, shift forward each entry after
- * knext.
- */
- for (i = nkeys - 1; i > knext; i--) {
- adb->old_keys[i] = adb->old_keys[i - 1];
- }
- memset(&adb->old_keys[knext], 0, sizeof(osa_pw_hist_ent));
- } else if (nkeys + 1 > nhist) {
- /*
- * The policy must have changed! Shrink the array.
- * Can't simply realloc() down, since it might be wrapped.
- * To understand the arithmetic below, note that we are
- * copying into new positions 0 .. N-1 from old positions
- * old_key_next-N .. old_key_next-1, modulo old_key_len,
- * where N = pw_history_num - 1 is the length of the
- * shortened list. Matt Crawford, FNAL
- */
- /*
- * M = adb->old_key_len, N = pol->pw_history_num - 1
- *
- * tmp[0] .. tmp[N-1] = old[(knext-N)%M] .. old[(knext-1)%M]
- */
- int j;
- osa_pw_hist_t tmp;
-
- tmp = (osa_pw_hist_ent *)
- malloc((nhist - 1) * sizeof (osa_pw_hist_ent));
- if (tmp == NULL)
- return ENOMEM;
- for (i = 0; i < nhist - 1; i++) {
- /*
- * Add nkeys once before taking remainder to avoid
- * negative values.
- */
- j = (i + nkeys + knext - (nhist - 1)) % nkeys;
- tmp[i] = adb->old_keys[j];
- }
- /* Now free the ones we don't keep (the oldest ones) */
- for (i = 0; i < nkeys - (nhist - 1); i++) {
- j = (i + nkeys + knext) % nkeys;
- histp = &adb->old_keys[j];
- for (j = 0; j < histp->n_key_data; j++) {
- krb5_free_key_data_contents(context, &histp->key_data[j]);
- }
- free(histp->key_data);
- }
- free(adb->old_keys);
- adb->old_keys = tmp;
- nkeys = adb->old_key_len = nhist - 1;
- knext = adb->old_key_next = 0;
- }
-
- /*
- * If nhist decreased since the last password change, and nkeys+1
- * is less than the previous nhist, it is possible for knext to
- * index into unallocated space. This condition would not be
- * caught by the resizing code above.
- */
- if (knext + 1 > nkeys)
- knext = adb->old_key_next = 0;
- /* free the old pw history entry if it contains data */
- histp = &adb->old_keys[knext];
- for (i = 0; i < histp->n_key_data; i++)
- krb5_free_key_data_contents(context, &histp->key_data[i]);
- free(histp->key_data);
-
- /* store the new entry */
- adb->old_keys[knext] = *pw;
-
- /* update the next pointer */
- if (++adb->old_key_next == nhist - 1)
- adb->old_key_next = 0;
-
- return(0);
+ osa_pw_hist_ent *histp;
+ uint32_t nhist;
+ unsigned int i, knext, nkeys;
+
+ nhist = pol->pw_history_num;
+ /* A history of 1 means just check the current password */
+ if (nhist <= 1)
+ return 0;
+
+ nkeys = adb->old_key_len;
+ knext = adb->old_key_next;
+ /* resize the adb->old_keys array if necessary */
+ if (nkeys + 1 < nhist) {
+ if (adb->old_keys == NULL) {
+ adb->old_keys = (osa_pw_hist_ent *)
+ malloc((nkeys + 1) * sizeof (osa_pw_hist_ent));
+ } else {
+ adb->old_keys = (osa_pw_hist_ent *)
+ realloc(adb->old_keys,
+ (nkeys + 1) * sizeof (osa_pw_hist_ent));
+ }
+ if (adb->old_keys == NULL)
+ return(ENOMEM);
+
+ memset(&adb->old_keys[nkeys], 0, sizeof(osa_pw_hist_ent));
+ nkeys = ++adb->old_key_len;
+ /*
+ * To avoid losing old keys, shift forward each entry after
+ * knext.
+ */
+ for (i = nkeys - 1; i > knext; i--) {
+ adb->old_keys[i] = adb->old_keys[i - 1];
+ }
+ memset(&adb->old_keys[knext], 0, sizeof(osa_pw_hist_ent));
+ } else if (nkeys + 1 > nhist) {
+ /*
+ * The policy must have changed! Shrink the array.
+ * Can't simply realloc() down, since it might be wrapped.
+ * To understand the arithmetic below, note that we are
+ * copying into new positions 0 .. N-1 from old positions
+ * old_key_next-N .. old_key_next-1, modulo old_key_len,
+ * where N = pw_history_num - 1 is the length of the
+ * shortened list. Matt Crawford, FNAL
+ */
+ /*
+ * M = adb->old_key_len, N = pol->pw_history_num - 1
+ *
+ * tmp[0] .. tmp[N-1] = old[(knext-N)%M] .. old[(knext-1)%M]
+ */
+ int j;
+ osa_pw_hist_t tmp;
+
+ tmp = (osa_pw_hist_ent *)
+ malloc((nhist - 1) * sizeof (osa_pw_hist_ent));
+ if (tmp == NULL)
+ return ENOMEM;
+ for (i = 0; i < nhist - 1; i++) {
+ /*
+ * Add nkeys once before taking remainder to avoid
+ * negative values.
+ */
+ j = (i + nkeys + knext - (nhist - 1)) % nkeys;
+ tmp[i] = adb->old_keys[j];
+ }
+ /* Now free the ones we don't keep (the oldest ones) */
+ for (i = 0; i < nkeys - (nhist - 1); i++) {
+ j = (i + nkeys + knext) % nkeys;
+ histp = &adb->old_keys[j];
+ for (j = 0; j < histp->n_key_data; j++) {
+ krb5_free_key_data_contents(context, &histp->key_data[j]);
+ }
+ free(histp->key_data);
+ }
+ free(adb->old_keys);
+ adb->old_keys = tmp;
+ nkeys = adb->old_key_len = nhist - 1;
+ knext = adb->old_key_next = 0;
+ }
+
+ /*
+ * If nhist decreased since the last password change, and nkeys+1
+ * is less than the previous nhist, it is possible for knext to
+ * index into unallocated space. This condition would not be
+ * caught by the resizing code above.
+ */
+ if (knext + 1 > nkeys)
+ knext = adb->old_key_next = 0;
+ /* free the old pw history entry if it contains data */
+ histp = &adb->old_keys[knext];
+ for (i = 0; i < histp->n_key_data; i++)
+ krb5_free_key_data_contents(context, &histp->key_data[i]);
+ free(histp->key_data);
+
+ /* store the new entry */
+ adb->old_keys[knext] = *pw;
+
+ /* update the next pointer */
+ if (++adb->old_key_next == nhist - 1)
+ adb->old_key_next = 0;
+
+ return(0);
}
/* FIXME: don't use global variable for this */
@@ -1221,22 +1222,22 @@ kadm5_launch_task (krb5_context context,
ret = pipe (data_pipe);
if (ret)
- ret = errno;
+ ret = errno;
if (!ret) {
pid_t pid = fork ();
if (pid == -1) {
ret = errno;
- close (data_pipe[0]);
- close (data_pipe[1]);
+ close (data_pipe[0]);
+ close (data_pipe[1]);
} else if (pid == 0) {
/* The child: */
if (dup2 (data_pipe[0], STDIN_FILENO) == -1)
- _exit (1);
+ _exit (1);
- close (data_pipe[0]);
- close (data_pipe[1]);
+ close (data_pipe[0]);
+ close (data_pipe[1]);
execv (task_path, task_argv);
@@ -1245,21 +1246,21 @@ kadm5_launch_task (krb5_context context,
/* The parent: */
int status;
- ret = 0;
+ ret = 0;
- close (data_pipe[0]);
+ close (data_pipe[0]);
- /* Write out the buffer to the child, add \n */
- if (buffer) {
- if (krb5_net_write (context, data_pipe[1], buffer, strlen (buffer)) < 0
- || krb5_net_write (context, data_pipe[1], "\n", 1) < 0)
- {
- /* kill the child to make sure waitpid() won't hang later */
- ret = errno;
- kill (pid, SIGKILL);
- }
- }
- close (data_pipe[1]);
+ /* Write out the buffer to the child, add \n */
+ if (buffer) {
+ if (krb5_net_write (context, data_pipe[1], buffer, strlen (buffer)) < 0
+ || krb5_net_write (context, data_pipe[1], "\n", 1) < 0)
+ {
+ /* kill the child to make sure waitpid() won't hang later */
+ ret = errno;
+ kill (pid, SIGKILL);
+ }
+ }
+ close (data_pipe[1]);
waitpid (pid, &status, 0);
@@ -1267,7 +1268,7 @@ kadm5_launch_task (krb5_context context,
if (WIFEXITED (status)) {
/* child read password and exited. Check the return value. */
if ((WEXITSTATUS (status) != 0) && (WEXITSTATUS (status) != 252)) {
- ret = KRB5KDC_ERR_POLICY; /* password change rejected */
+ ret = KRB5KDC_ERR_POLICY; /* password change rejected */
}
} else {
/* child read password but crashed or was killed */
@@ -1284,27 +1285,27 @@ kadm5_launch_task (krb5_context context,
kadm5_ret_t
kadm5_chpass_principal(void *server_handle,
- krb5_principal principal, char *password)
+ krb5_principal principal, char *password)
{
return
- kadm5_chpass_principal_3(server_handle, principal, FALSE,
- 0, NULL, password);
+ kadm5_chpass_principal_3(server_handle, principal, FALSE,
+ 0, NULL, password);
}
kadm5_ret_t
kadm5_chpass_principal_3(void *server_handle,
- krb5_principal principal, krb5_boolean keepold,
- int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
- char *password)
+ krb5_principal principal, krb5_boolean keepold,
+ int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
+ char *password)
{
- krb5_int32 now;
- kadm5_policy_ent_rec pol;
- osa_princ_ent_rec adb;
- krb5_db_entry kdb, kdb_save;
- int ret, ret2, last_pwd, hist_added;
- int have_pol = 0;
- kadm5_server_handle_t handle = server_handle;
- osa_pw_hist_ent hist;
+ krb5_int32 now;
+ kadm5_policy_ent_rec pol;
+ osa_princ_ent_rec adb;
+ krb5_db_entry kdb, kdb_save;
+ int ret, ret2, last_pwd, hist_added;
+ int have_pol = 0;
+ kadm5_server_handle_t handle = server_handle;
+ osa_pw_hist_ent hist;
krb5_keyblock *act_mkey;
krb5_kvno act_kvno;
@@ -1316,112 +1317,112 @@ kadm5_chpass_principal_3(void *server_handle,
memset(&hist, 0, sizeof(hist));
if (principal == NULL || password == NULL)
- return EINVAL;
+ return EINVAL;
if ((krb5_principal_compare(handle->context,
- principal, hist_princ)) == TRUE)
- return KADM5_PROTECT_PRINCIPAL;
+ principal, hist_princ)) == TRUE)
+ return KADM5_PROTECT_PRINCIPAL;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return(ret);
+ return(ret);
/* we are going to need the current keys after the new keys are set */
if ((ret = kdb_get_entry(handle, principal, &kdb_save, NULL))) {
- kdb_free_entry(handle, &kdb, &adb);
- return(ret);
+ kdb_free_entry(handle, &kdb, &adb);
+ return(ret);
}
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol)))
- goto done;
- have_pol = 1;
+ if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol)))
+ goto done;
+ have_pol = 1;
}
if ((ret = passwd_check(handle, password, adb.aux_attributes &
- KADM5_POLICY, &pol, principal)))
- goto done;
+ KADM5_POLICY, &pol, principal)))
+ goto done;
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_kvno, &act_mkey);
+ active_mkey_list, &act_kvno, &act_mkey);
if (ret)
- goto done;
+ goto done;
ret = krb5_dbe_cpw(handle->context, act_mkey,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- password, 0 /* increment kvno */,
- keepold, &kdb);
+ n_ks_tuple?ks_tuple:handle->params.keysalts,
+ n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+ password, 0 /* increment kvno */,
+ keepold, &kdb);
if (ret)
- goto done;
+ goto done;
ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
if (ret)
- goto done;
+ goto done;
kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(handle->context, &now);
if (ret)
- goto done;
+ goto done;
if ((adb.aux_attributes & KADM5_POLICY)) {
- /* the policy was loaded before */
+ /* the policy was loaded before */
- ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd);
- if (ret)
- goto done;
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context,
+ &kdb, &last_pwd);
+ if (ret)
+ goto done;
#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if ((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
+ /*
+ * The spec says this check is overridden if the caller has
+ * modify privilege. The admin server therefore makes this
+ * check itself (in chpass_principal_wrapper, misc.c). A
+ * local caller implicitly has all authorization bits.
+ */
+ if ((now - last_pwd) < pol.pw_min_life &&
+ !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ ret = KADM5_PASS_TOOSOON;
+ goto done;
+ }
#endif
- ret = create_history_entry(handle->context,
- act_mkey,
- kdb_save.n_key_data,
- kdb_save.key_data, &hist);
- if (ret)
- goto done;
-
- ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
- kdb.n_key_data, kdb.key_data,
- 1, &hist);
- if (ret)
- goto done;
-
- if (pol.pw_history_num > 1) {
- if (adb.admin_history_kvno != hist_kvno) {
- ret = KADM5_BAD_HIST_KEY;
- goto done;
- }
-
- ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
- kdb.n_key_data, kdb.key_data,
- adb.old_key_len, adb.old_keys);
- if (ret)
- goto done;
-
- ret = add_to_history(handle->context, &adb, &pol, &hist);
- if (ret)
- goto done;
- hist_added = 1;
- }
-
- if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
- else
- kdb.pw_expiration = 0;
+ ret = create_history_entry(handle->context,
+ act_mkey,
+ kdb_save.n_key_data,
+ kdb_save.key_data, &hist);
+ if (ret)
+ goto done;
+
+ ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
+ kdb.n_key_data, kdb.key_data,
+ 1, &hist);
+ if (ret)
+ goto done;
+
+ if (pol.pw_history_num > 1) {
+ if (adb.admin_history_kvno != hist_kvno) {
+ ret = KADM5_BAD_HIST_KEY;
+ goto done;
+ }
+
+ ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
+ kdb.n_key_data, kdb.key_data,
+ adb.old_key_len, adb.old_keys);
+ if (ret)
+ goto done;
+
+ ret = add_to_history(handle->context, &adb, &pol, &hist);
+ if (ret)
+ goto done;
+ hist_added = 1;
+ }
+
+ if (pol.pw_max_life)
+ kdb.pw_expiration = now + pol.pw_max_life;
+ else
+ kdb.pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb.pw_expiration = 0;
}
#ifdef USE_PASSWORD_SERVER
@@ -1455,169 +1456,169 @@ kadm5_chpass_principal_3(void *server_handle,
ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
if (ret)
- goto done;
+ goto done;
/* unlock principal on this KDC */
kdb.fail_auth_count = 0;
/* key data and attributes changed, let the database provider know */
kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
- KADM5_FAIL_AUTH_COUNT;
- /* | KADM5_CPW_FUNCTION */
+ KADM5_FAIL_AUTH_COUNT;
+ /* | KADM5_CPW_FUNCTION */
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
- goto done;
+ goto done;
ret = KADM5_OK;
done:
if (!hist_added && hist.key_data)
- free_history_entry(handle->context, &hist);
+ free_history_entry(handle->context, &hist);
kdb_free_entry(handle, &kdb, &adb);
kdb_free_entry(handle, &kdb_save, NULL);
krb5_db_free_principal(handle->context, &kdb, 1);
if (have_pol && (ret2 = kadm5_free_policy_ent(handle->lhandle, &pol))
- && !ret)
- ret = ret2;
+ && !ret)
+ ret = ret2;
return ret;
}
kadm5_ret_t
kadm5_randkey_principal(void *server_handle,
- krb5_principal principal,
- krb5_keyblock **keyblocks,
- int *n_keys)
+ krb5_principal principal,
+ krb5_keyblock **keyblocks,
+ int *n_keys)
{
return
- kadm5_randkey_principal_3(server_handle, principal,
- FALSE, 0, NULL,
- keyblocks, n_keys);
+ kadm5_randkey_principal_3(server_handle, principal,
+ FALSE, 0, NULL,
+ keyblocks, n_keys);
}
kadm5_ret_t
kadm5_randkey_principal_3(void *server_handle,
- krb5_principal principal,
- krb5_boolean keepold,
- int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
- krb5_keyblock **keyblocks,
- int *n_keys)
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
+ krb5_keyblock **keyblocks,
+ int *n_keys)
{
- krb5_db_entry kdb;
- osa_princ_ent_rec adb;
- krb5_int32 now;
- kadm5_policy_ent_rec pol;
- int ret, last_pwd, have_pol = 0;
- kadm5_server_handle_t handle = server_handle;
+ krb5_db_entry kdb;
+ osa_princ_ent_rec adb;
+ krb5_int32 now;
+ kadm5_policy_ent_rec pol;
+ int ret, last_pwd, have_pol = 0;
+ kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
if (keyblocks)
- *keyblocks = NULL;
+ *keyblocks = NULL;
CHECK_HANDLE(server_handle);
krb5_clear_error_message(handle->context);
if (principal == NULL)
- return EINVAL;
+ return EINVAL;
if (hist_princ && /* this will be NULL when initializing the databse */
- ((krb5_principal_compare(handle->context,
- principal, hist_princ)) == TRUE))
- return KADM5_PROTECT_PRINCIPAL;
+ ((krb5_principal_compare(handle->context,
+ principal, hist_princ)) == TRUE))
+ return KADM5_PROTECT_PRINCIPAL;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return(ret);
+ return(ret);
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
+ active_mkey_list, NULL, &act_mkey);
if (ret)
- goto done;
+ goto done;
ret = krb5_dbe_crk(handle->context, act_mkey,
- n_ks_tuple?ks_tuple:handle->params.keysalts,
- n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
- keepold,
- &kdb);
+ n_ks_tuple?ks_tuple:handle->params.keysalts,
+ n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+ keepold,
+ &kdb);
if (ret)
- goto done;
+ goto done;
kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
ret = krb5_timeofday(handle->context, &now);
if (ret)
- goto done;
+ goto done;
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
- &pol)) != KADM5_OK)
- goto done;
- have_pol = 1;
+ if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
+ &pol)) != KADM5_OK)
+ goto done;
+ have_pol = 1;
- ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd);
- if (ret)
- goto done;
+ ret = krb5_dbe_lookup_last_pwd_change(handle->context,
+ &kdb, &last_pwd);
+ if (ret)
+ goto done;
#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
+ /*
+ * The spec says this check is overridden if the caller has
+ * modify privilege. The admin server therefore makes this
+ * check itself (in chpass_principal_wrapper, misc.c). A
+ * local caller implicitly has all authorization bits.
+ */
+ if((now - last_pwd) < pol.pw_min_life &&
+ !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ ret = KADM5_PASS_TOOSOON;
+ goto done;
+ }
#endif
- if(pol.pw_history_num > 1) {
- if(adb.admin_history_kvno != hist_kvno) {
- ret = KADM5_BAD_HIST_KEY;
- goto done;
- }
-
- ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
- kdb.n_key_data, kdb.key_data,
- adb.old_key_len, adb.old_keys);
- if (ret)
- goto done;
- }
- if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
- else
- kdb.pw_expiration = 0;
+ if(pol.pw_history_num > 1) {
+ if(adb.admin_history_kvno != hist_kvno) {
+ ret = KADM5_BAD_HIST_KEY;
+ goto done;
+ }
+
+ ret = check_pw_reuse(handle->context, act_mkey, &hist_key,
+ kdb.n_key_data, kdb.key_data,
+ adb.old_key_len, adb.old_keys);
+ if (ret)
+ goto done;
+ }
+ if (pol.pw_max_life)
+ kdb.pw_expiration = now + pol.pw_max_life;
+ else
+ kdb.pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb.pw_expiration = 0;
}
ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
if (ret)
- goto done;
+ goto done;
/* unlock principal on this KDC */
kdb.fail_auth_count = 0;
- if (keyblocks) {
- ret = decrypt_key_data(handle->context, act_mkey,
- kdb.n_key_data, kdb.key_data,
- keyblocks, n_keys);
- if (ret)
- goto done;
+ if (keyblocks) {
+ ret = decrypt_key_data(handle->context, act_mkey,
+ kdb.n_key_data, kdb.key_data,
+ keyblocks, n_keys);
+ if (ret)
+ goto done;
}
/* key data changed, let the database provider know */
kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
- /* | KADM5_RANDKEY_USED */;
+ /* | KADM5_RANDKEY_USED */;
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
- goto done;
+ goto done;
ret = KADM5_OK;
done:
kdb_free_entry(handle, &kdb, &adb);
if (have_pol)
- kadm5_free_policy_ent(handle->lhandle, &pol);
+ kadm5_free_policy_ent(handle->lhandle, &pol);
return ret;
}
@@ -1631,19 +1632,19 @@ done:
*/
kadm5_ret_t
kadm5_setv4key_principal(void *server_handle,
- krb5_principal principal,
- krb5_keyblock *keyblock)
+ krb5_principal principal,
+ krb5_keyblock *keyblock)
{
- krb5_db_entry kdb;
- osa_princ_ent_rec adb;
- krb5_int32 now;
- kadm5_policy_ent_rec pol;
- krb5_keysalt keysalt;
- int i, k, kvno, ret, have_pol = 0;
+ krb5_db_entry kdb;
+ osa_princ_ent_rec adb;
+ krb5_int32 now;
+ kadm5_policy_ent_rec pol;
+ krb5_keysalt keysalt;
+ int i, k, kvno, ret, have_pol = 0;
#if 0
int last_pwd;
#endif
- kadm5_server_handle_t handle = server_handle;
+ kadm5_server_handle_t handle = server_handle;
krb5_key_data tmp_key_data;
krb5_keyblock *act_mkey;
@@ -1654,28 +1655,28 @@ kadm5_setv4key_principal(void *server_handle,
krb5_clear_error_message(handle->context);
if (principal == NULL || keyblock == NULL)
- return EINVAL;
+ return EINVAL;
if (hist_princ && /* this will be NULL when initializing the databse */
- ((krb5_principal_compare(handle->context,
- principal, hist_princ)) == TRUE))
- return KADM5_PROTECT_PRINCIPAL;
+ ((krb5_principal_compare(handle->context,
+ principal, hist_princ)) == TRUE))
+ return KADM5_PROTECT_PRINCIPAL;
if (keyblock->enctype != ENCTYPE_DES_CBC_CRC)
- return KADM5_SETV4KEY_INVAL_ENCTYPE;
+ return KADM5_SETV4KEY_INVAL_ENCTYPE;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return(ret);
+ return(ret);
for (kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > kvno)
- kvno = kdb.key_data[i].key_data_kvno;
+ if (kdb.key_data[i].key_data_kvno > kvno)
+ kvno = kdb.key_data[i].key_data_kvno;
if (kdb.key_data != NULL)
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+ cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, sizeof(krb5_key_data));
if (kdb.key_data == NULL)
- return ENOMEM;
+ return ENOMEM;
memset(kdb.key_data, 0, sizeof(krb5_key_data));
kdb.n_key_data = 1;
keysalt.type = KRB5_KDB_SALTTYPE_V4;
@@ -1684,36 +1685,36 @@ kadm5_setv4key_principal(void *server_handle,
keysalt.data.data = NULL;
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
+ active_mkey_list, NULL, &act_mkey);
if (ret)
- goto done;
+ goto done;
/* use tmp_key_data as temporary location and reallocate later */
ret = krb5_dbekd_encrypt_key_data(handle->context, act_mkey,
- keyblock, &keysalt, kvno + 1,
- &tmp_key_data);
+ keyblock, &keysalt, kvno + 1,
+ &tmp_key_data);
if (ret) {
- goto done;
+ goto done;
}
for (k = 0; k < tmp_key_data.key_data_ver; k++) {
- kdb.key_data->key_data_type[k] = tmp_key_data.key_data_type[k];
- kdb.key_data->key_data_length[k] = tmp_key_data.key_data_length[k];
- if (tmp_key_data.key_data_contents[k]) {
- kdb.key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
- if (kdb.key_data->key_data_contents[k] == NULL) {
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
- kdb.key_data = NULL;
- kdb.n_key_data = 0;
- ret = ENOMEM;
- goto done;
- }
- memcpy (kdb.key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
-
- memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
- free (tmp_key_data.key_data_contents[k]);
- tmp_key_data.key_data_contents[k] = NULL;
- }
+ kdb.key_data->key_data_type[k] = tmp_key_data.key_data_type[k];
+ kdb.key_data->key_data_length[k] = tmp_key_data.key_data_length[k];
+ if (tmp_key_data.key_data_contents[k]) {
+ kdb.key_data->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
+ if (kdb.key_data->key_data_contents[k] == NULL) {
+ cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+ kdb.key_data = NULL;
+ kdb.n_key_data = 0;
+ ret = ENOMEM;
+ goto done;
+ }
+ memcpy (kdb.key_data->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
+
+ memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
+ free (tmp_key_data.key_data_contents[k]);
+ tmp_key_data.key_data_contents[k] = NULL;
+ }
}
@@ -1722,115 +1723,115 @@ kadm5_setv4key_principal(void *server_handle,
ret = krb5_timeofday(handle->context, &now);
if (ret)
- goto done;
+ goto done;
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
- &pol)) != KADM5_OK)
- goto done;
- have_pol = 1;
+ if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
+ &pol)) != KADM5_OK)
+ goto done;
+ have_pol = 1;
#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd))
- goto done;
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
+ /*
+ * The spec says this check is overridden if the caller has
+ * modify privilege. The admin server therefore makes this
+ * check itself (in chpass_principal_wrapper, misc.c). A
+ * local caller implicitly has all authorization bits.
+ */
+ if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
+ &kdb, &last_pwd))
+ goto done;
+ if((now - last_pwd) < pol.pw_min_life &&
+ !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ ret = KADM5_PASS_TOOSOON;
+ goto done;
+ }
#endif
#if 0
- /*
- * Should we be checking/updating pw history here?
- */
- if(pol.pw_history_num > 1) {
- if(adb.admin_history_kvno != hist_kvno) {
- ret = KADM5_BAD_HIST_KEY;
- goto done;
- }
-
- if (ret = check_pw_reuse(handle->context,
- &hist_key,
- kdb.n_key_data, kdb.key_data,
- adb.old_key_len, adb.old_keys))
- goto done;
- }
+ /*
+ * Should we be checking/updating pw history here?
+ */
+ if(pol.pw_history_num > 1) {
+ if(adb.admin_history_kvno != hist_kvno) {
+ ret = KADM5_BAD_HIST_KEY;
+ goto done;
+ }
+
+ if (ret = check_pw_reuse(handle->context,
+ &hist_key,
+ kdb.n_key_data, kdb.key_data,
+ adb.old_key_len, adb.old_keys))
+ goto done;
+ }
#endif
- if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
- else
- kdb.pw_expiration = 0;
+ if (pol.pw_max_life)
+ kdb.pw_expiration = now + pol.pw_max_life;
+ else
+ kdb.pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb.pw_expiration = 0;
}
ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
if (ret)
- goto done;
+ goto done;
/* unlock principal on this KDC */
kdb.fail_auth_count = 0;
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
- goto done;
+ goto done;
ret = KADM5_OK;
done:
for (i = 0; i < tmp_key_data.key_data_ver; i++) {
- if (tmp_key_data.key_data_contents[i]) {
- memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]);
- free (tmp_key_data.key_data_contents[i]);
- }
+ if (tmp_key_data.key_data_contents[i]) {
+ memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]);
+ free (tmp_key_data.key_data_contents[i]);
+ }
}
kdb_free_entry(handle, &kdb, &adb);
if (have_pol)
- kadm5_free_policy_ent(handle->lhandle, &pol);
+ kadm5_free_policy_ent(handle->lhandle, &pol);
return ret;
}
kadm5_ret_t
kadm5_setkey_principal(void *server_handle,
- krb5_principal principal,
- krb5_keyblock *keyblocks,
- int n_keys)
+ krb5_principal principal,
+ krb5_keyblock *keyblocks,
+ int n_keys)
{
return
- kadm5_setkey_principal_3(server_handle, principal,
- FALSE, 0, NULL,
- keyblocks, n_keys);
+ kadm5_setkey_principal_3(server_handle, principal,
+ FALSE, 0, NULL,
+ keyblocks, n_keys);
}
kadm5_ret_t
kadm5_setkey_principal_3(void *server_handle,
- krb5_principal principal,
- krb5_boolean keepold,
- int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
- krb5_keyblock *keyblocks,
- int n_keys)
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
+ krb5_keyblock *keyblocks,
+ int n_keys)
{
- krb5_db_entry kdb;
- osa_princ_ent_rec adb;
- krb5_int32 now;
- kadm5_policy_ent_rec pol;
- krb5_key_data *old_key_data;
- int n_old_keys;
- int i, j, k, kvno, ret, have_pol = 0;
+ krb5_db_entry kdb;
+ osa_princ_ent_rec adb;
+ krb5_int32 now;
+ kadm5_policy_ent_rec pol;
+ krb5_key_data *old_key_data;
+ int n_old_keys;
+ int i, j, k, kvno, ret, have_pol = 0;
#if 0
int last_pwd;
#endif
- kadm5_server_handle_t handle = server_handle;
- krb5_boolean similar;
- krb5_keysalt keysalt;
+ kadm5_server_handle_t handle = server_handle;
+ krb5_boolean similar;
+ krb5_keysalt keysalt;
krb5_key_data tmp_key_data;
krb5_key_data *tptr;
krb5_keyblock *act_mkey;
@@ -1840,177 +1841,177 @@ kadm5_setkey_principal_3(void *server_handle,
krb5_clear_error_message(handle->context);
if (principal == NULL || keyblocks == NULL)
- return EINVAL;
+ return EINVAL;
if (hist_princ && /* this will be NULL when initializing the databse */
- ((krb5_principal_compare(handle->context,
- principal, hist_princ)) == TRUE))
- return KADM5_PROTECT_PRINCIPAL;
+ ((krb5_principal_compare(handle->context,
+ principal, hist_princ)) == TRUE))
+ return KADM5_PROTECT_PRINCIPAL;
for (i = 0; i < n_keys; i++) {
- for (j = i+1; j < n_keys; j++) {
- if ((ret = krb5_c_enctype_compare(handle->context,
- keyblocks[i].enctype,
- keyblocks[j].enctype,
- &similar)))
- return(ret);
- if (similar) {
- if (n_ks_tuple) {
- if (ks_tuple[i].ks_salttype == ks_tuple[j].ks_salttype)
- return KADM5_SETKEY_DUP_ENCTYPES;
- } else
- return KADM5_SETKEY_DUP_ENCTYPES;
- }
- }
+ for (j = i+1; j < n_keys; j++) {
+ if ((ret = krb5_c_enctype_compare(handle->context,
+ keyblocks[i].enctype,
+ keyblocks[j].enctype,
+ &similar)))
+ return(ret);
+ if (similar) {
+ if (n_ks_tuple) {
+ if (ks_tuple[i].ks_salttype == ks_tuple[j].ks_salttype)
+ return KADM5_SETKEY_DUP_ENCTYPES;
+ } else
+ return KADM5_SETKEY_DUP_ENCTYPES;
+ }
+ }
}
if (n_ks_tuple && n_ks_tuple != n_keys)
- return KADM5_SETKEY3_ETYPE_MISMATCH;
+ return KADM5_SETKEY3_ETYPE_MISMATCH;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return(ret);
+ return(ret);
for (kvno = 0, i=0; i<kdb.n_key_data; i++)
- if (kdb.key_data[i].key_data_kvno > kvno)
- kvno = kdb.key_data[i].key_data_kvno;
+ if (kdb.key_data[i].key_data_kvno > kvno)
+ kvno = kdb.key_data[i].key_data_kvno;
if (keepold) {
- old_key_data = kdb.key_data;
- n_old_keys = kdb.n_key_data;
+ old_key_data = kdb.key_data;
+ n_old_keys = kdb.n_key_data;
} else {
- if (kdb.key_data != NULL)
- cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
- n_old_keys = 0;
- old_key_data = NULL;
+ if (kdb.key_data != NULL)
+ cleanup_key_data(handle->context, kdb.n_key_data, kdb.key_data);
+ n_old_keys = 0;
+ old_key_data = NULL;
}
kdb.key_data = (krb5_key_data*)krb5_db_alloc(handle->context, NULL, (n_keys+n_old_keys)
- *sizeof(krb5_key_data));
+ *sizeof(krb5_key_data));
if (kdb.key_data == NULL) {
- ret = ENOMEM;
- goto done;
+ ret = ENOMEM;
+ goto done;
}
memset(kdb.key_data, 0, (n_keys+n_old_keys)*sizeof(krb5_key_data));
kdb.n_key_data = 0;
for (i = 0; i < n_keys; i++) {
- if (n_ks_tuple) {
- keysalt.type = ks_tuple[i].ks_salttype;
- keysalt.data.length = 0;
- keysalt.data.data = NULL;
- if (ks_tuple[i].ks_enctype != keyblocks[i].enctype) {
- ret = KADM5_SETKEY3_ETYPE_MISMATCH;
- goto done;
- }
- }
- memset (&tmp_key_data, 0, sizeof(tmp_key_data));
-
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
- if (ret)
- goto done;
-
- ret = krb5_dbekd_encrypt_key_data(handle->context,
- act_mkey,
- &keyblocks[i],
- n_ks_tuple ? &keysalt : NULL,
- kvno + 1,
- &tmp_key_data);
- if (ret)
- goto done;
-
- tptr = &kdb.key_data[i];
- tptr->key_data_ver = tmp_key_data.key_data_ver;
- tptr->key_data_kvno = tmp_key_data.key_data_kvno;
- for (k = 0; k < tmp_key_data.key_data_ver; k++) {
- tptr->key_data_type[k] = tmp_key_data.key_data_type[k];
- tptr->key_data_length[k] = tmp_key_data.key_data_length[k];
- if (tmp_key_data.key_data_contents[k]) {
- tptr->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
- if (tptr->key_data_contents[k] == NULL) {
- int i1;
- for (i1 = k; i1 < tmp_key_data.key_data_ver; i1++) {
- if (tmp_key_data.key_data_contents[i1]) {
- memset (tmp_key_data.key_data_contents[i1], 0, tmp_key_data.key_data_length[i1]);
- free (tmp_key_data.key_data_contents[i1]);
- }
- }
-
- ret = ENOMEM;
- goto done;
- }
- memcpy (tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
-
- memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
- free (tmp_key_data.key_data_contents[k]);
- tmp_key_data.key_data_contents[k] = NULL;
- }
- }
- kdb.n_key_data++;
+ if (n_ks_tuple) {
+ keysalt.type = ks_tuple[i].ks_salttype;
+ keysalt.data.length = 0;
+ keysalt.data.data = NULL;
+ if (ks_tuple[i].ks_enctype != keyblocks[i].enctype) {
+ ret = KADM5_SETKEY3_ETYPE_MISMATCH;
+ goto done;
+ }
+ }
+ memset (&tmp_key_data, 0, sizeof(tmp_key_data));
+
+ ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
+ active_mkey_list, NULL, &act_mkey);
+ if (ret)
+ goto done;
+
+ ret = krb5_dbekd_encrypt_key_data(handle->context,
+ act_mkey,
+ &keyblocks[i],
+ n_ks_tuple ? &keysalt : NULL,
+ kvno + 1,
+ &tmp_key_data);
+ if (ret)
+ goto done;
+
+ tptr = &kdb.key_data[i];
+ tptr->key_data_ver = tmp_key_data.key_data_ver;
+ tptr->key_data_kvno = tmp_key_data.key_data_kvno;
+ for (k = 0; k < tmp_key_data.key_data_ver; k++) {
+ tptr->key_data_type[k] = tmp_key_data.key_data_type[k];
+ tptr->key_data_length[k] = tmp_key_data.key_data_length[k];
+ if (tmp_key_data.key_data_contents[k]) {
+ tptr->key_data_contents[k] = krb5_db_alloc(handle->context, NULL, tmp_key_data.key_data_length[k]);
+ if (tptr->key_data_contents[k] == NULL) {
+ int i1;
+ for (i1 = k; i1 < tmp_key_data.key_data_ver; i1++) {
+ if (tmp_key_data.key_data_contents[i1]) {
+ memset (tmp_key_data.key_data_contents[i1], 0, tmp_key_data.key_data_length[i1]);
+ free (tmp_key_data.key_data_contents[i1]);
+ }
+ }
+
+ ret = ENOMEM;
+ goto done;
+ }
+ memcpy (tptr->key_data_contents[k], tmp_key_data.key_data_contents[k], tmp_key_data.key_data_length[k]);
+
+ memset (tmp_key_data.key_data_contents[k], 0, tmp_key_data.key_data_length[k]);
+ free (tmp_key_data.key_data_contents[k]);
+ tmp_key_data.key_data_contents[k] = NULL;
+ }
+ }
+ kdb.n_key_data++;
}
/* copy old key data if necessary */
for (i = 0; i < n_old_keys; i++) {
- kdb.key_data[i+n_keys] = old_key_data[i];
- memset(&old_key_data[i], 0, sizeof (krb5_key_data));
- kdb.n_key_data++;
+ kdb.key_data[i+n_keys] = old_key_data[i];
+ memset(&old_key_data[i], 0, sizeof (krb5_key_data));
+ kdb.n_key_data++;
}
if (old_key_data)
- krb5_db_free(handle->context, old_key_data);
+ krb5_db_free(handle->context, old_key_data);
/* assert(kdb.n_key_data == n_keys + n_old_keys) */
kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
if ((ret = krb5_timeofday(handle->context, &now)))
- goto done;
+ goto done;
if ((adb.aux_attributes & KADM5_POLICY)) {
- if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
- &pol)) != KADM5_OK)
- goto done;
- have_pol = 1;
+ if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
+ &pol)) != KADM5_OK)
+ goto done;
+ have_pol = 1;
#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- &kdb, &last_pwd))
- goto done;
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
+ /*
+ * The spec says this check is overridden if the caller has
+ * modify privilege. The admin server therefore makes this
+ * check itself (in chpass_principal_wrapper, misc.c). A
+ * local caller implicitly has all authorization bits.
+ */
+ if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
+ &kdb, &last_pwd))
+ goto done;
+ if((now - last_pwd) < pol.pw_min_life &&
+ !(kdb.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ ret = KADM5_PASS_TOOSOON;
+ goto done;
+ }
#endif
#if 0
- /*
- * Should we be checking/updating pw history here?
- */
- if (pol.pw_history_num > 1) {
- if(adb.admin_history_kvno != hist_kvno) {
- ret = KADM5_BAD_HIST_KEY;
- goto done;
- }
-
- if (ret = check_pw_reuse(handle->context,
- &hist_key,
- kdb.n_key_data, kdb.key_data,
- adb.old_key_len, adb.old_keys))
- goto done;
- }
+ /*
+ * Should we be checking/updating pw history here?
+ */
+ if (pol.pw_history_num > 1) {
+ if(adb.admin_history_kvno != hist_kvno) {
+ ret = KADM5_BAD_HIST_KEY;
+ goto done;
+ }
+
+ if (ret = check_pw_reuse(handle->context,
+ &hist_key,
+ kdb.n_key_data, kdb.key_data,
+ adb.old_key_len, adb.old_keys))
+ goto done;
+ }
#endif
- if (pol.pw_max_life)
- kdb.pw_expiration = now + pol.pw_max_life;
- else
- kdb.pw_expiration = 0;
+ if (pol.pw_max_life)
+ kdb.pw_expiration = now + pol.pw_max_life;
+ else
+ kdb.pw_expiration = 0;
} else {
- kdb.pw_expiration = 0;
+ kdb.pw_expiration = 0;
}
if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)))
@@ -2020,13 +2021,13 @@ kadm5_setkey_principal_3(void *server_handle,
kdb.fail_auth_count = 0;
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
- goto done;
+ goto done;
ret = KADM5_OK;
done:
kdb_free_entry(handle, &kdb, &adb);
if (have_pol)
- kadm5_free_policy_ent(handle->lhandle, &pol);
+ kadm5_free_policy_ent(handle->lhandle, &pol);
return ret;
}
@@ -2048,7 +2049,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
krb5_keyblock *mkey_ptr;
if (keyblocks)
- *keyblocks = NULL;
+ *keyblocks = NULL;
CHECK_HANDLE(server_handle);
@@ -2056,10 +2057,10 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
return EINVAL;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return(ret);
+ return(ret);
if (keyblocks) {
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb,
+ if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb,
&mkey_ptr))) {
krb5_keylist_node *tmp_mkey_list;
/* try refreshing master key list */
@@ -2078,11 +2079,11 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
}
}
- ret = decrypt_key_data(handle->context, mkey_ptr,
- kdb.n_key_data, kdb.key_data,
- keyblocks, n_keys);
- if (ret)
- goto done;
+ ret = decrypt_key_data(handle->context, mkey_ptr,
+ kdb.n_key_data, kdb.key_data,
+ keyblocks, n_keys);
+ if (ret)
+ goto done;
}
ret = KADM5_OK;
@@ -2100,40 +2101,40 @@ done:
* number of keys decrypted.
*/
static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey,
- int n_key_data, krb5_key_data *key_data,
- krb5_keyblock **keyblocks, int *n_keys)
+ int n_key_data, krb5_key_data *key_data,
+ krb5_keyblock **keyblocks, int *n_keys)
{
- krb5_keyblock *keys;
- int ret, i;
-
- keys = (krb5_keyblock *) malloc(n_key_data*sizeof(krb5_keyblock));
- if (keys == NULL)
- return ENOMEM;
- memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
-
- for (i = 0; i < n_key_data; i++) {
- ret = krb5_dbekd_decrypt_key_data(context, mkey,
- &key_data[i],
- &keys[i], NULL);
- if (ret) {
- for (; i >= 0; i--) {
- if (keys[i].contents) {
- memset (keys[i].contents, 0, keys[i].length);
- free( keys[i].contents );
- }
- }
-
- memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
- free(keys);
- return ret;
- }
- }
-
- *keyblocks = keys;
- if (n_keys)
- *n_keys = n_key_data;
-
- return 0;
+ krb5_keyblock *keys;
+ int ret, i;
+
+ keys = (krb5_keyblock *) malloc(n_key_data*sizeof(krb5_keyblock));
+ if (keys == NULL)
+ return ENOMEM;
+ memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
+
+ for (i = 0; i < n_key_data; i++) {
+ ret = krb5_dbekd_decrypt_key_data(context, mkey,
+ &key_data[i],
+ &keys[i], NULL);
+ if (ret) {
+ for (; i >= 0; i--) {
+ if (keys[i].contents) {
+ memset (keys[i].contents, 0, keys[i].length);
+ free( keys[i].contents );
+ }
+ }
+
+ memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
+ free(keys);
+ return ret;
+ }
+ }
+
+ *keyblocks = keys;
+ if (n_keys)
+ *n_keys = n_key_data;
+
+ return 0;
}
/*
@@ -2143,15 +2144,15 @@ static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey,
*
* Arguments:
*
- * server_handle (r) kadm5 handle
- * entry (r) principal retrieved with kadm5_get_principal
- * ktype (r) enctype to search for, or -1 to ignore
- * stype (r) salt type to search for, or -1 to ignore
- * kvno (r) kvno to search for, -1 for max, 0 for max
- * only if it also matches ktype and stype
- * keyblock (w) keyblock to fill in
- * keysalt (w) keysalt to fill in, or NULL
- * kvnop (w) kvno to fill in, or NULL
+ * server_handle (r) kadm5 handle
+ * entry (r) principal retrieved with kadm5_get_principal
+ * ktype (r) enctype to search for, or -1 to ignore
+ * stype (r) salt type to search for, or -1 to ignore
+ * kvno (r) kvno to search for, -1 for max, 0 for max
+ * only if it also matches ktype and stype
+ * keyblock (w) keyblock to fill in
+ * keysalt (w) keysalt to fill in, or NULL
+ * kvnop (w) kvno to fill in, or NULL
*
* Effects: Searches the key_data array of entry, which must have been
* retrived with kadm5_get_principal with the KADM5_KEY_DATA mask, to
@@ -2167,10 +2168,10 @@ static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey,
* returned.
*/
kadm5_ret_t kadm5_decrypt_key(void *server_handle,
- kadm5_principal_ent_t entry, krb5_int32
- ktype, krb5_int32 stype, krb5_int32
- kvno, krb5_keyblock *keyblock,
- krb5_keysalt *keysalt, int *kvnop)
+ kadm5_principal_ent_t entry, krb5_int32
+ ktype, krb5_int32 stype, krb5_int32
+ kvno, krb5_keyblock *keyblock,
+ krb5_keysalt *keysalt, int *kvnop)
{
kadm5_server_handle_t handle = server_handle;
krb5_db_entry dbent;
@@ -2181,14 +2182,14 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle,
CHECK_HANDLE(server_handle);
if (entry->n_key_data == 0 || entry->key_data == NULL)
- return EINVAL;
+ return EINVAL;
/* find_enctype only uses these two fields */
dbent.n_key_data = entry->n_key_data;
dbent.key_data = entry->key_data;
if ((ret = krb5_dbe_find_enctype(handle->context, &dbent, ktype,
- stype, kvno, &key_data)))
- return ret;
+ stype, kvno, &key_data)))
+ return ret;
/* find_mkey only uses this field */
dbent.tl_data = entry->tl_data;
@@ -2211,9 +2212,9 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle,
}
if ((ret = krb5_dbekd_decrypt_key_data(handle->context,
- mkey_ptr, key_data,
- keyblock, keysalt)))
- return ret;
+ mkey_ptr, key_data,
+ keyblock, keysalt)))
+ return ret;
/*
* Coerce the enctype of the output keyblock in case we got an
@@ -2224,7 +2225,7 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle,
keyblock->enctype = ktype;
if (kvnop)
- *kvnop = key_data->key_data_kvno;
+ *kvnop = key_data->key_data_kvno;
return KADM5_OK;
}