diff options
| author | Greg Hudson <ghudson@mit.edu> | 2009-08-13 21:25:54 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2009-08-13 21:25:54 +0000 |
| commit | 1ddf7efda0fa665d86431dfc2a57e90e892b81ab (patch) | |
| tree | 141ed4abf608f1143e4344aaae0f244dc62d578b /src/lib/kadm5/srv | |
| parent | 45eefd6a6fa51ccf67aaf073c0237bbbd142ae81 (diff) | |
| download | krb5-1ddf7efda0fa665d86431dfc2a57e90e892b81ab.zip krb5-1ddf7efda0fa665d86431dfc2a57e90e892b81ab.tar.gz krb5-1ddf7efda0fa665d86431dfc2a57e90e892b81ab.tar.bz2 | |
Remove kadmin v1 API support
The kadmin v1 API and the even older ovsec_kadm_* API were legacy when
kadmin was first incorporated in 1996, and compatibility with them is
no longer believed to be necessary.
The uninstalled kadmin/passwd has been removed (since it used the ovsec
API). The test suite has been updated to use the v2 API where
appropriate, and the parts specifically designed to test the old API
have been excised.
ticket: 6544
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22521 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5/srv')
| -rw-r--r-- | src/lib/kadm5/srv/libkadm5srv.exports | 24 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/server_init.c | 54 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/svr_misc_free.c | 3 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/svr_policy.c | 22 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 188 |
5 files changed, 62 insertions, 229 deletions
diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports index 545d43b..35745be 100644 --- a/src/lib/kadm5/srv/libkadm5srv.exports +++ b/src/lib/kadm5/srv/libkadm5srv.exports @@ -90,29 +90,6 @@ master_keyblock master_keylist master_princ osa_free_princ_ent -ovsec_kadm_chpass_principal -ovsec_kadm_chpass_principal_util -ovsec_kadm_create_policy -ovsec_kadm_create_principal -ovsec_kadm_delete_policy -ovsec_kadm_delete_principal -ovsec_kadm_destroy -ovsec_kadm_flush -ovsec_kadm_free_name_list -ovsec_kadm_free_policy_ent -ovsec_kadm_free_principal_ent -ovsec_kadm_get_policies -ovsec_kadm_get_policy -ovsec_kadm_get_principal -ovsec_kadm_get_principals -ovsec_kadm_get_privs -ovsec_kadm_init -ovsec_kadm_init_with_password -ovsec_kadm_init_with_skey -ovsec_kadm_modify_policy -ovsec_kadm_modify_principal -ovsec_kadm_randkey_principal -ovsec_kadm_rename_principal passwd_check xdr_chpass3_arg xdr_chpass_arg @@ -136,7 +113,6 @@ xdr_gprincs_arg xdr_gprincs_ret xdr_kadm5_policy_ent_rec xdr_kadm5_principal_ent_rec -xdr_kadm5_principal_ent_rec_v1 xdr_kadm5_ret_t xdr_krb5_deltat xdr_krb5_enctype diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c index 77a83ba..e41ecca 100644 --- a/src/lib/kadm5/srv/server_init.c +++ b/src/lib/kadm5/srv/server_init.c @@ -113,13 +113,11 @@ kadm5_ret_t kadm5_init_with_creds(char *client_name, void **server_handle) { /* - * A program calling init_with_creds *never* expects to prompt the - * user. Therefore, always pass a dummy password in case this is - * KADM5_API_VERSION_1. If this is KADM5_API_VERSION_2 and - * MKEY_FROM_KBD is non-zero, return an error. + * A program calling init_with_creds *never* expects to prompt + * the user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is + * non-zero, return an error. */ - if (api_version == KADM5_API_VERSION_2 && params && - (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && + if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && params->mkey_from_kbd) return KADM5_BAD_SERVER_PARAMS; return kadm5_init(client_name, NULL, service_name, params, @@ -138,12 +136,10 @@ kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, { /* * A program calling init_with_skey *never* expects to prompt the - * user. Therefore, always pass a dummy password in case this is - * KADM5_API_VERSION_1. If this is KADM5_API_VERSION_2 and - * MKEY_FROM_KBD is non-zero, return an error. + * user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is + * non-zero, return an error. */ - if (api_version == KADM5_API_VERSION_2 && params && - (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && + if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) && params->mkey_from_kbd) return KADM5_BAD_SERVER_PARAMS; return kadm5_init(client_name, NULL, service_name, params, @@ -202,21 +198,11 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, KADM5_NEW_SERVER_API_VERSION); /* - * Acquire relevant profile entries. In version 2, merge values + * Acquire relevant profile entries. Merge values * in params_in with values from profile, based on * params_in->mask. - * - * In version 1, we've given a realm (which may be NULL) instead - * of params_in. So use that realm, make params_in contain an - * empty mask, and behave like version 2. */ memset(¶ms_local, 0, sizeof(params_local)); - if (api_version == KADM5_API_VERSION_1) { - params_local.realm = (char *) params_in; - if (params_in) - params_local.mask = KADM5_CONFIG_REALM; - params_in = ¶ms_local; - } #if 0 /* Now that we look at krb5.conf as well as kdc.conf, we can expect to see admin_server being set sometimes. */ @@ -311,29 +297,9 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, return ret; } - /* - * The KADM5_API_VERSION_1 spec said "If pass (or keytab) is NULL - * or an empty string, reads the master password from [the stash - * file]. Otherwise, the non-NULL password is ignored and the - * user is prompted for it via the tty." However, the code was - * implemented the other way: when a non-NULL password was - * provided, the stash file was used. This is somewhat more - * sensible, as then a local or remote client that provides a - * password does not prompt the user. This code maintains the - * previous actual behavior, and not the old spec behavior, - * because that is how the unit tests are written. - * - * In KADM5_API_VERSION_2, this decision is controlled by - * params. - * - * kdb_init_master's third argument is "from_keyboard". - */ ret = kdb_init_master(handle, handle->params.realm, - (handle->api_version == KADM5_API_VERSION_1 ? - ((pass == NULL) || !(strlen(pass))) : - ((handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD) - && handle->params.mkey_from_kbd) - )); + (handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD) + && handle->params.mkey_from_kbd); if (ret) { krb5_db_fini(handle->context); krb5_free_context(handle->context); diff --git a/src/lib/kadm5/srv/svr_misc_free.c b/src/lib/kadm5/srv/svr_misc_free.c index d203397..1c87f06 100644 --- a/src/lib/kadm5/srv/svr_misc_free.c +++ b/src/lib/kadm5/srv/svr_misc_free.c @@ -29,9 +29,6 @@ kadm5_free_principal_ent(void *server_handle, free(val->policy); /* XXX free key_data and tl_data */ - - if (handle->api_version == KADM5_API_VERSION_1) - free(val); } return KADM5_OK; } diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c index 7add671..5b7828c 100644 --- a/src/lib/kadm5/srv/svr_policy.c +++ b/src/lib/kadm5/srv/svr_policy.c @@ -258,7 +258,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, kadm5_policy_ent_t entry) { osa_policy_ent_t t; - kadm5_policy_ent_rec entry_local, **entry_orig, *new; int ret; kadm5_server_handle_t handle = server_handle; int cnt=1; @@ -267,16 +266,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, krb5_clear_error_message(handle->context); - /* - * In version 1, entry is a pointer to a kadm5_policy_ent_t that - * should be filled with allocated memory. - */ - if (handle->api_version == KADM5_API_VERSION_1) { - entry_orig = (kadm5_policy_ent_rec **) entry; - *entry_orig = NULL; - entry = &entry_local; - } - if (name == (kadm5_policy_t) NULL) return EINVAL; if(strlen(name) == 0) @@ -299,16 +288,5 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, entry->policy_refcnt = t->policy_refcnt; krb5_db_free_policy(handle->context, t); - if (handle->api_version == KADM5_API_VERSION_1) { - new = (kadm5_policy_ent_t) malloc(sizeof(kadm5_policy_ent_rec)); - if (new == NULL) { - free(entry->policy); - krb5_db_free_policy(handle->context, t); - return ENOMEM; - } - *new = *entry; - *entry_orig = new; - } - return KADM5_OK; } diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 4ee842f..63f6aea 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -745,7 +745,6 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, long mask; int i; kadm5_server_handle_t handle = server_handle; - kadm5_principal_ent_rec entry_local, *entry_orig; CHECK_HANDLE(server_handle); @@ -756,13 +755,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, * entry is a pointer to a kadm5_principal_ent_t_v1 that should be * filled with allocated memory. */ - if (handle->api_version == KADM5_API_VERSION_1) { - mask = KADM5_PRINCIPAL_NORMAL_MASK; - entry_orig = entry; - entry = &entry_local; - } else { - mask = in_mask; - } + mask = in_mask; memset(entry, 0, sizeof(*entry)); @@ -833,102 +826,51 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, if (ret) goto done; - /* - * It's my understanding that KADM5_API_VERSION_1 is for OpenVision admin - * system compatiblity and is not required to maintain at this point so I'm - * commenting out this code. - * -- Will Fiveash - */ -#if 0 /************** Begin IFDEF'ed OUT *******************************/ - if (handle->api_version == KADM5_API_VERSION_2) - entry->mkvno = 0; - else { - /* XXX I'll be damned if I know how to deal with this one --marc */ - entry->mkvno = 1; - } -#endif /**************** END IFDEF'ed OUT *******************************/ - - /* - * The new fields that only exist in version 2 start here - */ - if (handle->api_version == KADM5_API_VERSION_2) { - if (mask & KADM5_MAX_RLIFE) - entry->max_renewable_life = kdb.max_renewable_life; - if (mask & KADM5_LAST_SUCCESS) - entry->last_success = kdb.last_success; - if (mask & KADM5_LAST_FAILED) - entry->last_failed = kdb.last_failed; - if (mask & KADM5_FAIL_AUTH_COUNT) - entry->fail_auth_count = kdb.fail_auth_count; - if (mask & KADM5_TL_DATA) { - krb5_tl_data *tl, *tl2; - - entry->tl_data = NULL; - - tl = kdb.tl_data; - while (tl) { - if (tl->tl_data_type > 255) { - if ((tl2 = dup_tl_data(tl)) == NULL) { - ret = ENOMEM; - goto done; - } - tl2->tl_data_next = entry->tl_data; - entry->tl_data = tl2; - entry->n_tl_data++; - } + if (mask & KADM5_MAX_RLIFE) + entry->max_renewable_life = kdb.max_renewable_life; + if (mask & KADM5_LAST_SUCCESS) + entry->last_success = kdb.last_success; + if (mask & KADM5_LAST_FAILED) + entry->last_failed = kdb.last_failed; + if (mask & KADM5_FAIL_AUTH_COUNT) + entry->fail_auth_count = kdb.fail_auth_count; + if (mask & KADM5_TL_DATA) { + krb5_tl_data *tl, *tl2; - tl = tl->tl_data_next; - } - } - if (mask & KADM5_KEY_DATA) { - entry->n_key_data = kdb.n_key_data; - if(entry->n_key_data) { - entry->key_data = (krb5_key_data *) - malloc(entry->n_key_data*sizeof(krb5_key_data)); - if (entry->key_data == NULL) { - ret = ENOMEM; - goto done; - } - } else - entry->key_data = NULL; - - for (i = 0; i < entry->n_key_data; i++) - ret = krb5_copy_key_data_contents(handle->context, - &kdb.key_data[i], - &entry->key_data[i]); - if (ret) - goto done; - } - } + entry->tl_data = NULL; - /* - * If KADM5_API_VERSION_1, we return an allocated structure, and - * we need to convert the new structure back into the format the - * caller is expecting. - */ - if (handle->api_version == KADM5_API_VERSION_1) { - kadm5_principal_ent_t_v1 newv1; + tl = kdb.tl_data; + while (tl) { + if (tl->tl_data_type > 255) { + if ((tl2 = dup_tl_data(tl)) == NULL) { + ret = ENOMEM; + goto done; + } + tl2->tl_data_next = entry->tl_data; + entry->tl_data = tl2; + entry->n_tl_data++; + } - newv1 = ((kadm5_principal_ent_t_v1) calloc(1, sizeof(*newv1))); - if (newv1 == NULL) { - ret = ENOMEM; - goto done; - } + tl = tl->tl_data_next; + } + } + if (mask & KADM5_KEY_DATA) { + entry->n_key_data = kdb.n_key_data; + if(entry->n_key_data) { + entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data)); + if (entry->key_data == NULL) { + ret = ENOMEM; + goto done; + } + } else + entry->key_data = NULL; - newv1->principal = entry->principal; - newv1->princ_expire_time = entry->princ_expire_time; - newv1->last_pwd_change = entry->last_pwd_change; - newv1->pw_expiration = entry->pw_expiration; - newv1->max_life = entry->max_life; - newv1->mod_name = entry->mod_name; - newv1->mod_date = entry->mod_date; - newv1->attributes = entry->attributes; - newv1->kvno = entry->kvno; - newv1->mkvno = entry->mkvno; - newv1->policy = entry->policy; - newv1->aux_attributes = entry->aux_attributes; - - *((kadm5_principal_ent_t_v1 *) entry_orig) = newv1; + for (i = 0; i < entry->n_key_data; i++) + ret = krb5_copy_key_data_contents(handle->context, + &kdb.key_data[i], + &entry->key_data[i]); + if (ret) + goto done; } ret = KADM5_OK; @@ -1625,25 +1567,11 @@ kadm5_randkey_principal_3(void *server_handle, goto done; if (keyblocks) { - if (handle->api_version == KADM5_API_VERSION_1) { - /* Version 1 clients will expect to see a DES_CRC enctype. */ - ret = krb5_dbe_find_enctype(handle->context, &kdb, - ENCTYPE_DES_CBC_CRC, - -1, -1, &key_data); - if (ret) - goto done; - - ret = decrypt_key_data(handle->context, act_mkey, 1, key_data, - keyblocks, NULL); - if (ret) - goto done; - } else { - ret = decrypt_key_data(handle->context, act_mkey, - kdb.n_key_data, kdb.key_data, - keyblocks, n_keys); - if (ret) - goto done; - } + ret = decrypt_key_data(handle->context, act_mkey, + kdb.n_key_data, kdb.key_data, + keyblocks, n_keys); + if (ret) + goto done; } /* key data changed, let the database provider know */ @@ -2112,23 +2040,11 @@ kadm5_get_principal_keys(void *server_handle /* IN */, } } - if (handle->api_version == KADM5_API_VERSION_1) { - /* Version 1 clients will expect to see a DES_CRC enctype. */ - if ((ret = krb5_dbe_find_enctype(handle->context, &kdb, - ENCTYPE_DES_CBC_CRC, - -1, -1, &key_data))) - goto done; - - if ((ret = decrypt_key_data(handle->context, mkey_ptr, 1, key_data, - keyblocks, NULL))) - goto done; - } else { - ret = decrypt_key_data(handle->context, mkey_ptr, - kdb.n_key_data, kdb.key_data, - keyblocks, n_keys); - if (ret) - goto done; - } + ret = decrypt_key_data(handle->context, mkey_ptr, + kdb.n_key_data, kdb.key_data, + keyblocks, n_keys); + if (ret) + goto done; } ret = KADM5_OK; |