Diffstat (limited to 'src/plugins/kdb')
| -rw-r--r-- | src/plugins/kdb/db2/db2_exp.c | 28 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_db2.c | 42 | ||||
| -rw-r--r-- | src/plugins/kdb/db2/kdb_db2.h | 13 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_exp.c | 4 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 27 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 6 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c | 45 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c | 42 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 9 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h | 2 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 18 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h | 1 |
12 files changed, 206 insertions, 31 deletions
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index 123d20afb..5c8162468 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c @@ -59,7 +59,7 @@ static char *_csrc = "@(#) %filespec: db2_exp.c~5 % (%full_filespec: db2_exp.c~ locking code into the top and bottom of each referenced function won't do. (We aren't doing recursive locks, currently.) */ -static k5_mutex_t *krb5_db2_mutex; +k5_mutex_t *krb5_db2_mutex; #define WRAP(NAME,TYPE,ARGLIST,ARGNAMES,ERROR_RESULT) \ static TYPE wrap_##NAME ARGLIST \ @@ -178,21 +178,21 @@ WRAP_VOID (krb5_db2_free_policy, ( krb5_context kcontext, osa_policy_ent_t entry ), (kcontext, entry)); -WRAP (krb5_db2_alloc, void *, - ( krb5_context kcontext, - void *ptr, - size_t size ), - (kcontext, ptr, size), NULL); -WRAP_VOID (krb5_db2_free, - ( krb5_context kcontext, void *ptr ), - (kcontext, ptr)); - WRAP_K (krb5_db2_set_master_key_ext, ( krb5_context kcontext, char *pwd, krb5_keyblock *key), (kcontext, pwd, key)); WRAP_K (krb5_db2_db_get_mkey, ( krb5_context context, krb5_keyblock **key), (context, key)); + +WRAP_K (krb5_db2_db_set_mkey_list, + ( krb5_context kcontext, krb5_keylist_node *keylist), + (kcontext, keylist)); + +WRAP_K (krb5_db2_db_get_mkey_list, + ( krb5_context context, krb5_keylist_node **keylist), + (context, keylist)); + WRAP_K (krb5_db2_promote_db, ( krb5_context kcontext, char *conf_section, char **db_args ), (kcontext, conf_section, db_args)); 
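Review bot: Dropping `static` from `k5_mutex_t *krb5_db2_mutex;` in the first hunk turns a file-private lock into a cross-file locking protocol, yet nothing at the definition (or at the `extern k5_mutex_t *krb5_db2_mutex;` added at the end of kdb_db2.h) says what that protocol is; the only statement of it is the note inside kdb_db2.c's iterate loop. A comment at the definition would carry it: `/* Taken by every wrap_* entry point below and held throughout krb5_db2_* code; kdb_db2.c may release it only around the iterate callback (see krb5_db2_db_iterate_ext). */`. The second hunk removes the wrappers for `krb5_db2_alloc` and `krb5_db2_free`, so per the table change in the following hunk those two now run with no lock held; that is fine only if they never touch the db2 context, which this diff does not show, so a one-line comment at their table slots stating that assumption would help the next reader.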
@@ -248,11 +248,13 @@ kdb_vftabl kdb_function_table = { /* db_free_supported_realms */ NULL, /* errcode_2_string */ NULL, /* release_errcode_string */ NULL, - /* db_alloc */ wrap_krb5_db2_alloc, - /* db_free */ wrap_krb5_db2_free, + /* db_alloc */ krb5_db2_alloc, + /* db_free */ krb5_db2_free, /* set_master_key */ wrap_krb5_db2_set_master_key_ext, /* get_master_key */ wrap_krb5_db2_db_get_mkey, - /* blah blah blah */ 0,0,0,0,0,0, + /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list, + /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list, + /* blah blah blah */ 0,0,0,0,0,0,0,0, /* promote_db */ wrap_krb5_db2_promote_db, 0,0,0, }; diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c index 704e47d6b..90c893305 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -431,6 +431,37 @@ krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key) return 0; } +krb5_error_code +krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *key_list) +{ + krb5_db2_context *db_ctx; + kdb5_dal_handle *dal_handle; + + if (!k5db2_inited(context)) + return (KRB5_KDB_DBNOTINITED); + + dal_handle = context->dal_handle; + db_ctx = dal_handle->db_context; + db_ctx->db_master_key_list = key_list; + return 0; +} + +krb5_error_code +krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **key_list) +{ + krb5_db2_context *db_ctx; + kdb5_dal_handle *dal_handle; + + if (!k5db2_inited(context)) + return (KRB5_KDB_DBNOTINITED); + + dal_handle = context->dal_handle; + db_ctx = dal_handle->db_context; + *key_list = db_ctx->db_master_key_list; + + return 0; +} + /* * Set the "name" of the current database to some alternate value. * 
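Review bot: The db2 function table is still filled positionally, and the edit relies on counting the `/* blah blah blah */ 0,0,0,0,0,0,0,0,` padding to land `promote_db` in the right slot; a miscount here is not a compile error but a silent call of the wrong function through the vtable. The ldap table in ldap_exp.c labels every slot it skips (`/* fetch_master_key_list */ NULL,`), and this one should do the same, or better use designated initializers for the named slots (e.g. `.promote_db = wrap_krb5_db2_promote_db,`); the kdb_vftabl member names are not in this diff, so check them against the struct definition before doing so.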
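Review bot: `krb5_db2_db_set_mkey_list` stores the caller's `key_list` pointer in `db_ctx->db_master_key_list` without copying it, so the list's lifetime is now tied to the db context, and neither this hunk, the kdb_db2.h field comment `/* Master key list of database */`, nor the ldap counterpart says who frees it. A contract comment on the setter would settle it: `/* Retains key_list by reference; the caller keeps ownership and must keep it alive while the database is open. */` — and confirm against the close path, which is outside this diff, that the list is not freed there as well. `krb5_db2_db_get_mkey_list` writes through `key_list` unconditionally; if `krb5_db2_db_get_mkey` just above validates its out-pointer, mirror that form here.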
@@ -1171,8 +1202,19 @@ krb5_db2_db_iterate_ext(krb5_context context, retval = krb5_decode_princ_contents(context, &contdata, &entries); if (retval) break; + retval = k5_mutex_unlock(krb5_db2_mutex); + if (retval) + break; retval = (*func) (func_arg, &entries); krb5_dbe_free_contents(context, &entries); + /* Note: If re-locking fails, the wrapper in db2_exp.c will + still try to unlock it again. That would be a bug. Fix + when integrating the locking better. */ + if (retval) { + (void) k5_mutex_lock(krb5_db2_mutex); + break; + } + retval = k5_mutex_lock(krb5_db2_mutex); if (retval) break; if (!recursive) { diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index d6cb1e881..640c4d62d 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -42,7 +42,8 @@ typedef struct _krb5_db2_context { int db_locks_held; /* Number of times locked */ int db_lock_mode; /* Last lock mode, e.g. greatest*/ krb5_boolean db_nb_locks; /* [Non]Blocking lock modes */ - krb5_keyblock *db_master_key; /* Master key of database */ + krb5_keyblock *db_master_key; /* Master key of database */ + krb5_keylist_node *db_master_key_list; /* Master key list of database */ osa_adb_policy_t policy_db; krb5_boolean tempdb; } krb5_db2_context; @@ -121,6 +122,13 @@ krb5_db2_db_set_mkey( krb5_context context, krb5_error_code krb5_db2_db_get_mkey( krb5_context context, krb5_keyblock **key); +krb5_error_code +krb5_db2_db_set_mkey_list( krb5_context context, + krb5_keylist_node *keylist); + +krb5_error_code +krb5_db2_db_get_mkey_list( krb5_context context, + krb5_keylist_node **keylist); krb5_error_code krb5_db2_db_put_principal( krb5_context context, @@ -208,4 +216,7 @@ krb5_error_code krb5_db2_delete_policy ( krb5_context kcontext, void krb5_db2_free_policy( krb5_context kcontext, osa_policy_ent_t entry ); +/* Thread-safety wrapper slapped on top of original implementation. */ +extern k5_mutex_t *krb5_db2_mutex; + #endif /* KRB5_KDB_DB2_H */ 
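Review bot: The relock error paths leave the mutex state and the return value out of step: when the callback fails, `(void) k5_mutex_lock(krb5_db2_mutex);` discards a relock failure, and when the callback succeeds but the relock fails the loop breaks with the mutex unlocked, and in both cases the `wrap_*` caller in db2_exp.c will unlock again, as the added comment admits. Until the locking is reworked, the callback-error path should at least not hide the relock failure; replacing the `(void)` call with `krb5_error_code lret = k5_mutex_lock(krb5_db2_mutex); if (lret) retval = lret;` makes the unbalanced state visible instead of masking it behind an ordinary callback error. Note also that the lock is dropped while the db cursor is mid-iteration, so a callback that re-enters this plugin on the same context, or another thread calling the new `krb5_db2_db_set_mkey_list`, can change `db_ctx` under this loop; that is a pre-existing limit the hunk widens rather than a new bug, but it belongs in the comment. The enclosing `krb5_db2_db_iterate_ext` starts and ends outside the hunk.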
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c index eaeef2a8c..dcfe93cf9 100644 --- a/src/plugins/kdb/ldap/ldap_exp.c +++ b/src/plugins/kdb/ldap/ldap_exp.c @@ -78,10 +78,14 @@ kdb_vftabl kdb_function_table = { /* optional functions */ /* set_master_key */ krb5_ldap_set_mkey, /* get_master_key */ krb5_ldap_get_mkey, + /* set_master_key_list */ krb5_ldap_set_mkey_list, + /* get_master_key_list */ krb5_ldap_get_mkey_list, /* setup_master_key_name */ NULL, /* store_master_key */ NULL, /* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */, /* verify_master_key */ NULL /* krb5_ldap_verify_master_key */, + /* fetch_master_key_list */ NULL, + /* store_master_key_list */ NULL, /* Search enc type */ NULL, /* Change pwd */ NULL diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c index c13d96710..60d9e25f7 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -2379,6 +2379,8 @@ kdb_ldap_create_principal (context, princ, op, pblock) krb5_ldap_context *ldap_context=NULL; struct iterate_args iargs; krb5_data *pdata; + krb5_timestamp now; + krb5_actkvno_node actkvno; if ((pblock == NULL) || (context == NULL)) { retval = EINVAL; @@ -2425,14 +2427,12 @@ kdb_ldap_create_principal (context, princ, op, pblock) entry.tl_data = tl_data; entry.n_tl_data += 1; /* Set the creator's name */ - { - krb5_timestamp now; - if ((retval = krb5_timeofday(context, &now))) - goto cleanup; - if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry, - now, &db_create_princ))) - goto cleanup; - } + if ((retval = krb5_timeofday(context, &now))) + goto cleanup; + if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry, + now, &db_create_princ))) + goto cleanup; + entry.attributes = pblock->flags; entry.max_life = pblock->max_life; entry.max_renewable_life = pblock->max_rlife; 
@@ -2507,6 +2507,17 @@ kdb_ldap_create_principal (context, princ, op, pblock) if (retval) { goto cleanup; } + /* + * There should always be at least one "active" mkey so creating the + * KRB5_TL_ACTKVNO entry now so the initial mkey is active. + */ + actkvno.next = NULL; + actkvno.act_kvno = kvno; + actkvno.act_time = now; + retval = krb5_dbe_update_actkvno(context, &entry, &actkvno); + if (retval) + goto cleanup; + break; case NULL_KEY: diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 74bf4b17e..802ab0fc3 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -267,6 +267,12 @@ krb5_error_code krb5_ldap_set_mkey(krb5_context, char *, krb5_keyblock *); krb5_error_code +krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list); + +krb5_error_code +krb5_ldap_set_mkey_list(krb5_context, krb5_keylist_node *); + +krb5_error_code krb5_ldap_create(krb5_context , char *, char **); krb5_error_code diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c index d4c6ac832..f8e1d4415 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c 
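Review bot: `actkvno.act_time = now;` depends on `now` having been assigned by the `krb5_timeofday` call hoisted to function scope in the earlier hunk (around line 2430), and `krb5_timestamp now;` is declared without an initializer, so any path into this `case` that bypasses that call would read an indeterminate value. If the flow is strictly sequential this is fine; otherwise initialize at declaration, `krb5_timestamp now = 0;`, or take the timestamp again here. `actkvno` is a stack object handed to `krb5_dbe_update_actkvno`, and the diff does not show whether that function copies the node or keeps the pointer, so confirm it copies before `kdb_ldap_create_principal` returns. `kvno` is assigned outside this hunk, and the enclosing function starts and ends outside it.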
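Review bot: The two new prototypes in kdb_ldap.h are written in different styles: `krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list);` names its parameters and has a space before the parenthesis, while `krb5_ldap_set_mkey_list(krb5_context, krb5_keylist_node *);` does neither. The surrounding declarations (`krb5_ldap_set_mkey(krb5_context, char *, krb5_keyblock *);`) use the compact unnamed form, but naming the parameters in both is the more useful choice since the header is the only documentation these functions get: `krb5_ldap_set_mkey_list(krb5_context context, krb5_keylist_node *key_list);`.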
@@ -148,6 +148,51 @@ krb5_dbe_lookup_last_pwd_change(context, entry, stamp) return(0); } +#if 0 /************** Begin IFDEF'ed OUT *******************************/ +krb5_error_code +krb5_dbe_lookup_mkvno(krb5_context context, + krb5_db_entry *entry, + krb5_kvno *mkvno) +{ + krb5_tl_data tl_data; + krb5_error_code code; + krb5_int16 tmp; + + tl_data.tl_data_type = KRB5_TL_MKVNO; + + if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) + return (code); + + /* XXX need to think about this */ + if (tl_data.tl_data_length != 2) { + *mkvno = 0; + return (0); + } + + /* XXX this needs to be the inverse of how this is encoded */ + krb5_kdb_decode_int16(tl_data.tl_data_contents, tmp); + + *mkvno = (krb5_kvno) tmp; + + return (0); +} + +krb5_error_code +krb5_dbe_update_mkvno(krb5_context context, + krb5_db_entry * entry, + krb5_kvno mkvno) +{ + krb5_tl_data tl_data; + krb5_octet buf[2]; /* this is the encoded size of an int16 */ + + tl_data.tl_data_type = KRB5_TL_MKVNO; + tl_data.tl_data_length = sizeof(buf); + krb5_kdb_encode_int16((krb5_int16) mkvno, buf); + tl_data.tl_data_contents = buf; + + return (krb5_dbe_update_tl_data(context, entry, &tl_data)); +} +#endif /**************** END IFDEF'ed OUT *******************************/ /* it seems odd that there's no function to remove a tl_data, but if I need one, I'll add one */ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c index 9a364192a..6da080664 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c 
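Review bot: The `krb5_dbe_lookup_mkvno`/`krb5_dbe_update_mkvno` bodies added here sit inside `#if 0` and so compile to nothing, while ldap_misc.c and ldap_principal2.c in the same commit call functions of exactly those names, which must therefore live elsewhere (presumably libkdb5, not visible in this diff). Checking in a disabled copy invites the two to drift; either drop the block or replace it with a pointer to the live one, e.g. `/* krb5_dbe_lookup_mkvno / krb5_dbe_update_mkvno are provided by libkdb5; KRB5_TL_MKVNO is encoded as a 2-byte int16 via krb5_kdb_encode_int16. */`. The disabled copy also carries two `XXX` notes (the `tl_data_length != 2` check and the decode being the inverse of the encode) that need resolving in the live implementation, not preserving here.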
@@ -98,3 +98,45 @@ krb5_ldap_set_mkey (context, pwd, key) memcpy(r_params->mkey.contents, key->contents, key->length); return 0; } + +krb5_error_code +krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list) + +{ + kdb5_dal_handle *dal_handle=NULL; + krb5_ldap_context *ldap_context=NULL; + + /* Clear the global error string */ + krb5_clear_error_message(context); + + dal_handle = context->dal_handle; + ldap_context = (krb5_ldap_context *) dal_handle->db_context; + + if (ldap_context == NULL || ldap_context->lrparams == NULL) + return KRB5_KDB_DBNOTINITED; + + *key_list = ldap_context->lrparams->mkey_list; + return 0; +} + +krb5_error_code +krb5_ldap_set_mkey_list(krb5_context context, krb5_keylist_node *key_list) +{ + kdb5_dal_handle *dal_handle=NULL; + krb5_ldap_context *ldap_context=NULL; + krb5_ldap_realm_params *r_params = NULL; + + /* Clear the global error string */ + krb5_clear_error_message(context); + + dal_handle = context->dal_handle; + ldap_context = (krb5_ldap_context *) dal_handle->db_context; + + if (ldap_context == NULL || ldap_context->lrparams == NULL) + return KRB5_KDB_DBNOTINITED; + + r_params = ldap_context->lrparams; + r_params->mkey_list = key_list; + return 0; +} + diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 79ca63472..f0734deb2 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 
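Review bot: Both new functions dereference `context->dal_handle` before any check, so a context that was never opened (`dal_handle == NULL`) faults in `dal_handle->db_context` rather than returning `KRB5_KDB_DBNOTINITED`; the db2 counterparts in this commit guard with `k5db2_inited(context)` first, and the `ldap_context == NULL` test here only helps once the handle exists. A guard such as `if (dal_handle == NULL) return KRB5_KDB_DBNOTINITED;` before the `db_context` read keeps the two plugins consistent (if `krb5_ldap_get_mkey`, above this hunk, already checks this, mirror its form). Ownership also differs from the existing setter: `krb5_ldap_set_mkey` copies the key into `r_params->mkey` (the `memcpy` visible at the top of the hunk), whereas `krb5_ldap_set_mkey_list` stores the caller's pointer in `r_params->mkey_list`, so the realm-params free path (outside this diff) must not free it unless it owns it; record that with `/* mkey_list is held by reference; the caller retains ownership. */`. Minor: the stray blank line between the `krb5_ldap_get_mkey_list` signature and its `{`, and the trailing blank line added at end of file.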
@@ -2059,9 +2059,16 @@ populate_krb5_db_entry (krb5_context context, /* KRBSECRETKEY */ if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) { + krb5_kvno mkvno = 0; + mask |= KDB_SECRET_KEY_ATTR; - if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data)) != 0) + if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data, &mkvno)) != 0) goto cleanup; + if (mkvno != 0) { + /* don't add the tl data if mkvno == 0 */ + if ((st=krb5_dbe_update_mkvno(context, entry, mkvno)) != 0) + goto cleanup; + } } /* LAST PASSWORD CHANGE */ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h index 18e2acc06..502e71ccd 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h @@ -112,7 +112,7 @@ krb5_ldap_parse_principal_name(char *, char **); krb5_error_code krb5_decode_krbsecretkey(krb5_context, krb5_db_entry *, struct berval **, - krb5_tl_data *); + krb5_tl_data *, krb5_kvno *); krb5_error_code berval2tl_data(struct berval *in, krb5_tl_data **out); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 561a65d99..e52a61897 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -345,7 +345,7 @@ asn1_encode_sequence_of_keys (krb5_key_data *key_data, krb5_int16 n_key_data, static krb5_error_code asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out, - krb5_int16 *n_key_data, int *mkvno) + krb5_int16 *n_key_data, krb5_kvno *mkvno) { krb5_error_code err; ldap_seqof_key_data *p; 
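Review bot: `if (mkvno != 0)` treats a decoded master key version of 0 as "absent", so such an entry gets no `KRB5_TL_MKVNO` tl_data, and the comment `/* don't add the tl data if mkvno == 0 */` restates the code rather than the reason. If 0 is what entries written before this change carry (the encoder previously passed `0, /* For now, mkvno == 0*/`), say so where the decision is made: `/* mkvno 0 means the stored keys predate mkvno tracking; leave the entry without KRB5_TL_MKVNO so readers fall back to their default master key. */` — confirm how readers treat a missing KRB5_TL_MKVNO, which is outside this diff. Note also that `mkvno` receives only the last value `krb5_decode_krbsecretkey` writes when an entry has several krbprincipalkey values (see the ldap_principal2.c hunk below).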
@@ -371,7 +371,7 @@ asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out, /* Decoding ASN.1 encoded key */ static struct berval ** -krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) { +krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, krb5_kvno mkvno) { struct berval **ret = NULL; int currkvno; int num_versions = 1; @@ -396,7 +396,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) { if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) { asn1_encode_sequence_of_keys (key_data+last, (krb5_int16) i - last + 1, - 0, /* For now, mkvno == 0*/ + mkvno, &code); ret[j] = malloc (sizeof (struct berval)); if (ret[j] == NULL) { @@ -927,8 +927,12 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) } if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) { + krb5_kvno mkvno; + + if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0) + goto cleanup; bersecretkey = krb5_encode_krbsecretkey (entries->key_data, - entries->n_key_data); + entries->n_key_data, mkvno); if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) @@ -1220,11 +1224,12 @@ cleanup: } krb5_error_code -krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) +krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data, mkvno) krb5_context context; krb5_db_entry *entries; struct berval **bvalues; krb5_tl_data *userinfo_tl_data; + krb5_kvno *mkvno; { char *user=NULL; int i=0, j=0, noofkeys=0; @@ -1235,7 +1240,6 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) goto cleanup; for (i=0; bvalues[i] != NULL; ++i) { - int mkvno; /* Not used currently */ krb5_int16 n_kd; krb5_key_data *kd; krb5_data in; 
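Review bot: In `krb5_ldap_put_principal`, `krb5_kvno mkvno;` is declared without an initializer and then filled by `krb5_dbe_lookup_mkvno`; if that function returns 0 without writing `*mkvno` when the entry has no `KRB5_TL_MKVNO` (the disabled copy in kdb_xdr.c does write 0, but the live implementation is not in this diff), `krb5_encode_krbsecretkey` would encode an indeterminate master key version into LDAP. `krb5_kvno mkvno = 0;` costs nothing and removes that dependence. Separately, `krb5_encode_krbsecretkey` now stamps the one `mkvno` on every kvno group it emits, so an entry whose older key versions were encrypted under an earlier master key would be recorded as if all were under the current one; whether that state can arise depends on the rekey path, which is outside this commit and worth a comment at the call. The enclosing functions start and end outside these hunks.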
@@ -1248,7 +1252,7 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) st = asn1_decode_sequence_of_keys (&in, &kd, &n_kd, - &mkvno); + mkvno); if (st != 0) { const char *msg = error_message(st); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h index ffe6c3665..db17509ae 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h @@ -68,6 +68,7 @@ typedef struct _krb5_ldap_realm_params { char **passwdservers; krb5_tl_data *tl_data; krb5_keyblock mkey; + krb5_keylist_node *mkey_list; /* all master keys in use for the realm */ long mask; } krb5_ldap_realm_params; |
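Review bot: `asn1_decode_sequence_of_keys(&in, &kd, &n_kd, mkvno)` runs once per `bvalues[i]` and writes the caller's `*mkvno` on every iteration, so when an entry has several krbprincipalkey values the last one wins and any disagreement between them is lost silently; the removed `int mkvno; /* Not used currently */` was per-iteration, so this is new behaviour. If the values are expected to agree, decode into a local (`krb5_kvno cur;`), copy it to `*mkvno` on the first iteration, and fail or at least log when `i > 0 && cur != *mkvno`, so a mixed entry is noticed rather than mis-stamped. The `krb5_ldap_realm_params` field added in ldap_realm.h, `krb5_keylist_node *mkey_list; /* all master keys in use for the realm */`, has the same documentation gap as the db2 side: the comment should say the list is held by reference and who frees it. The enclosing `krb5_decode_krbsecretkey` loop starts and ends outside this hunk.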
