Diffstat (limited to 'src/lib/kadm5/srv')
-rw-r--r-- | src/lib/kadm5/srv/libkadm5srv.exports | 24 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_init.c | 54 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_misc_free.c | 3 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_policy.c | 22 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 188 |
5 files changed, 62 insertions, 229 deletions
diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports
index 545d43b..35745be 100644
--- a/src/lib/kadm5/srv/libkadm5srv.exports
+++ b/src/lib/kadm5/srv/libkadm5srv.exports
@@ -90,29 +90,6 @@ master_keyblock
 master_keylist
 master_princ
 osa_free_princ_ent
-ovsec_kadm_chpass_principal
-ovsec_kadm_chpass_principal_util
-ovsec_kadm_create_policy
-ovsec_kadm_create_principal
-ovsec_kadm_delete_policy
-ovsec_kadm_delete_principal
-ovsec_kadm_destroy
-ovsec_kadm_flush
-ovsec_kadm_free_name_list
-ovsec_kadm_free_policy_ent
-ovsec_kadm_free_principal_ent
-ovsec_kadm_get_policies
-ovsec_kadm_get_policy
-ovsec_kadm_get_principal
-ovsec_kadm_get_principals
-ovsec_kadm_get_privs
-ovsec_kadm_init
-ovsec_kadm_init_with_password
-ovsec_kadm_init_with_skey
-ovsec_kadm_modify_policy
-ovsec_kadm_modify_principal
-ovsec_kadm_randkey_principal
-ovsec_kadm_rename_principal
 passwd_check
 xdr_chpass3_arg
 xdr_chpass_arg
@@ -136,7 +113,6 @@ xdr_gprincs_arg
 xdr_gprincs_ret
 xdr_kadm5_policy_ent_rec
 xdr_kadm5_principal_ent_rec
-xdr_kadm5_principal_ent_rec_v1
 xdr_kadm5_ret_t
 xdr_krb5_deltat
 xdr_krb5_enctype
diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
index 77a83ba..e41ecca 100644
--- a/src/lib/kadm5/srv/server_init.c
+++ b/src/lib/kadm5/srv/server_init.c
@@ -113,13 +113,11 @@ kadm5_ret_t kadm5_init_with_creds(char *client_name,
 void **server_handle)
 {
 /*
- * A program calling init_with_creds *never* expects to prompt the
- * user. Therefore, always pass a dummy password in case this is
- * KADM5_API_VERSION_1. If this is KADM5_API_VERSION_2 and
- * MKEY_FROM_KBD is non-zero, return an error.
+ * A program calling init_with_creds *never* expects to prompt
+ * the user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is
+ * non-zero, return an error.
 */
- if (api_version == KADM5_API_VERSION_2 && params &&
- (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
+ if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
 params->mkey_from_kbd)
 return KADM5_BAD_SERVER_PARAMS;
 return kadm5_init(client_name, NULL, service_name, params,
@@ -138,12 +136,10 @@ kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab,
 {
 /*
 * A program calling init_with_skey *never* expects to prompt the
- * user. Therefore, always pass a dummy password in case this is
- * KADM5_API_VERSION_1. If this is KADM5_API_VERSION_2 and
- * MKEY_FROM_KBD is non-zero, return an error.
+ * user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is
+ * non-zero, return an error.
 */
- if (api_version == KADM5_API_VERSION_2 && params &&
- (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
+ if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
 params->mkey_from_kbd)
 return KADM5_BAD_SERVER_PARAMS;
 return kadm5_init(client_name, NULL, service_name, params,
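Review bot: The rewritten comment in kadm5_init_with_creds still says `If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is non-zero`, but the new condition no longer tests api_version, so the rejection now applies to every caller regardless of the API version it negotiated; the same stale wording survives in the kadm5_init_with_skey hunk that follows. Suggest, in both places, `* the user.  If params requests MKEY_FROM_KBD (mask bit set and mkey_from_kbd non-zero), return KADM5_BAD_SERVER_PARAMS.` so the comment matches the code it sits on. Both functions' bodies continue past their hunks.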
@@ -202,21 +198,11 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, KADM5_NEW_SERVER_API_VERSION); /* - * Acquire relevant profile entries. In version 2, merge values + * Acquire relevant profile entries. Merge values * in params_in with values from profile, based on * params_in->mask. - * - * In version 1, we've given a realm (which may be NULL) instead - * of params_in. So use that realm, make params_in contain an - * empty mask, and behave like version 2. */ memset(¶ms_local, 0, sizeof(params_local)); - if (api_version == KADM5_API_VERSION_1) { - params_local.realm = (char *) params_in; - if (params_in) - params_local.mask = KADM5_CONFIG_REALM; - params_in = ¶ms_local; - } #if 0 /* Now that we look at krb5.conf as well as kdc.conf, we can expect to see admin_server being set sometimes. */ 
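Review bot: With the KADM5_API_VERSION_1 shim removed, `params_local` seems to have lost its only writer and its only alias: the new side keeps `memset(&params_local, 0, sizeof(params_local));` but every line that stored into it or pointed params_in at it is gone. If nothing later in kadm5_init reads params_local, drop the memset and the declaration (which lives outside the hunk) rather than leave a zeroed-but-unused struct behind; if it is still read, a one-line comment saying by whom would help, since the removed comment was the only explanation of its purpose. kadm5_init's body starts before and runs past this hunk.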
@@ -311,29 +297,9 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, return ret; } - /* - * The KADM5_API_VERSION_1 spec said "If pass (or keytab) is NULL - * or an empty string, reads the master password from [the stash - * file]. Otherwise, the non-NULL password is ignored and the - * user is prompted for it via the tty." However, the code was - * implemented the other way: when a non-NULL password was - * provided, the stash file was used. This is somewhat more - * sensible, as then a local or remote client that provides a - * password does not prompt the user. This code maintains the - * previous actual behavior, and not the old spec behavior, - * because that is how the unit tests are written. - * - * In KADM5_API_VERSION_2, this decision is controlled by - * params. - * - * kdb_init_master's third argument is "from_keyboard". - */ ret = kdb_init_master(handle, handle->params.realm, - (handle->api_version == KADM5_API_VERSION_1 ? - ((pass == NULL) || !(strlen(pass))) : - ((handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD) - && handle->params.mkey_from_kbd) - )); + (handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD) + && handle->params.mkey_from_kbd); if (ret) { krb5_db_fini(handle->context); krb5_free_context(handle->context); diff --git a/src/lib/kadm5/srv/svr_misc_free.c b/src/lib/kadm5/srv/svr_misc_free.c index d203397..1c87f06 100644 --- a/src/lib/kadm5/srv/svr_misc_free.c +++ b/src/lib/kadm5/srv/svr_misc_free.c @@ -29,9 +29,6 @@ kadm5_free_principal_ent(void *server_handle, free(val->policy); /* XXX free key_data and tl_data */ - - if (handle->api_version == KADM5_API_VERSION_1) - free(val); } return KADM5_OK; } diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c index 7add671..5b7828c 100644 --- a/src/lib/kadm5/srv/svr_policy.c +++ b/src/lib/kadm5/srv/svr_policy.c 
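Review bot: The deleted comment block carried the one sentence that still matters for the new call, namely that kdb_init_master's third argument is "from_keyboard"; without it a reader has to already know why a mask test on handle->params is being passed positionally. Keep a one-line version above the call, `/* kdb_init_master's third argument is "from_keyboard". */`. kadm5_init's body continues outside the hunk.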
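Review bot: kadm5_free_principal_ent still ends on `/* XXX free key_data and tl_data */` and frees neither, while the kadm5_get_principal hunk in svr_principal.c now allocates entry->key_data with malloc and entry->tl_data via dup_tl_data for every caller, so each get/free pair leaks the copied key data unless something outside this file releases it. Since key_data holds the principal's (encrypted) key material, leaving it resident is a lifetime problem as well as a memory one. The fix is a loop over val->n_key_data releasing each element with krb5_free_key_data_contents before freeing the array, then walking the tl_data list freeing contents and nodes; the function ends at the closing brace visible in the hunk.
```c
    if (val) {
        /* … unchanged: principal, mod_name, policy frees … */
        for (i = 0; i < val->n_key_data; i++)
            krb5_free_key_data_contents(handle->context, &val->key_data[i]);
        free(val->key_data);
        while (val->tl_data) {
            krb5_tl_data *tl = val->tl_data;
            val->tl_data = tl->tl_data_next;
            free(tl->tl_data_contents);
            free(tl);
        }
    }
```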
@@ -258,7 +258,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, kadm5_policy_ent_t entry) { osa_policy_ent_t t; - kadm5_policy_ent_rec entry_local, **entry_orig, *new; int ret; kadm5_server_handle_t handle = server_handle; int cnt=1; @@ -267,16 +266,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, krb5_clear_error_message(handle->context); - /* - * In version 1, entry is a pointer to a kadm5_policy_ent_t that - * should be filled with allocated memory. - */ - if (handle->api_version == KADM5_API_VERSION_1) { - entry_orig = (kadm5_policy_ent_rec **) entry; - *entry_orig = NULL; - entry = &entry_local; - } - if (name == (kadm5_policy_t) NULL) return EINVAL; if(strlen(name) == 0) @@ -299,16 +288,5 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, entry->policy_refcnt = t->policy_refcnt; krb5_db_free_policy(handle->context, t); - if (handle->api_version == KADM5_API_VERSION_1) { - new = (kadm5_policy_ent_t) malloc(sizeof(kadm5_policy_ent_rec)); - if (new == NULL) { - free(entry->policy); - krb5_db_free_policy(handle->context, t); - return ENOMEM; - } - *new = *entry; - *entry_orig = new; - } - return KADM5_OK; } diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 4ee842f..63f6aea 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -745,7 +745,6 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, long mask; int i; kadm5_server_handle_t handle = server_handle; - kadm5_principal_ent_rec entry_local, *entry_orig; CHECK_HANDLE(server_handle); 
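Review bot: In the second and third kadm5_get_policy hunks `entry` is now written through unconditionally (`entry->policy_refcnt = t->policy_refcnt;` and the assignments above it), but the argument validation that follows the removed block still checks only `name`. If the API contract does not already forbid a NULL entry, add `if (entry == NULL) return EINVAL;` next to the name check so a bad caller gets an error instead of a fault. The function's body runs past the first two hunks; the third ends at its closing brace.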
@@ -756,13 +755,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, * entry is a pointer to a kadm5_principal_ent_t_v1 that should be * filled with allocated memory. */ - if (handle->api_version == KADM5_API_VERSION_1) { - mask = KADM5_PRINCIPAL_NORMAL_MASK; - entry_orig = entry; - entry = &entry_local; - } else { - mask = in_mask; - } + mask = in_mask; memset(entry, 0, sizeof(*entry)); 
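Review bot: The context lines kept above `mask = in_mask;` still describe the deleted behaviour: `entry is a pointer to a kadm5_principal_ent_t_v1 that should be filled with allocated memory`. Nothing allocates a v1 structure any more, so the comment now misleads; replace it with `/* entry is the caller's kadm5_principal_ent_rec; fill it in place. */` or delete it (its opening lines sit just above the hunk). With the branch gone, the local `mask` is a plain copy of `in_mask`; folding the two together would tidy this further. kadm5_get_principal continues past the hunk.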
@@ -833,102 +826,51 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, if (ret) goto done; - /* - * It's my understanding that KADM5_API_VERSION_1 is for OpenVision admin - * system compatiblity and is not required to maintain at this point so I'm - * commenting out this code. - * -- Will Fiveash - */ -#if 0 /************** Begin IFDEF'ed OUT *******************************/ - if (handle->api_version == KADM5_API_VERSION_2) - entry->mkvno = 0; - else { - /* XXX I'll be damned if I know how to deal with this one --marc */ - entry->mkvno = 1; - } -#endif /**************** END IFDEF'ed OUT *******************************/ - - /* - * The new fields that only exist in version 2 start here - */ - if (handle->api_version == KADM5_API_VERSION_2) { - if (mask & KADM5_MAX_RLIFE) - entry->max_renewable_life = kdb.max_renewable_life; - if (mask & KADM5_LAST_SUCCESS) - entry->last_success = kdb.last_success; - if (mask & KADM5_LAST_FAILED) - entry->last_failed = kdb.last_failed; - if (mask & KADM5_FAIL_AUTH_COUNT) - entry->fail_auth_count = kdb.fail_auth_count; - if (mask & KADM5_TL_DATA) { - krb5_tl_data *tl, *tl2; - - entry->tl_data = NULL; - - tl = kdb.tl_data; - while (tl) { - if (tl->tl_data_type > 255) { - if ((tl2 = dup_tl_data(tl)) == NULL) { - ret = ENOMEM; - goto done; - } - tl2->tl_data_next = entry->tl_data; - entry->tl_data = tl2; - entry->n_tl_data++; - } + if (mask & KADM5_MAX_RLIFE) + entry->max_renewable_life = kdb.max_renewable_life; + if (mask & KADM5_LAST_SUCCESS) + entry->last_success = kdb.last_success; + if (mask & KADM5_LAST_FAILED) + entry->last_failed = kdb.last_failed; + if (mask & KADM5_FAIL_AUTH_COUNT) + entry->fail_auth_count = kdb.fail_auth_count; + if (mask & KADM5_TL_DATA) { + krb5_tl_data *tl, *tl2; - tl = tl->tl_data_next; - } - } - if (mask & KADM5_KEY_DATA) { - entry->n_key_data = kdb.n_key_data; - if(entry->n_key_data) { - entry->key_data = (krb5_key_data *) - malloc(entry->n_key_data*sizeof(krb5_key_data)); - if 
(entry->key_data == NULL) { - ret = ENOMEM; - goto done; - } - } else - entry->key_data = NULL; - - for (i = 0; i < entry->n_key_data; i++) - ret = krb5_copy_key_data_contents(handle->context, - &kdb.key_data[i], - &entry->key_data[i]); - if (ret) - goto done; - } - } + entry->tl_data = NULL; - /* - * If KADM5_API_VERSION_1, we return an allocated structure, and - * we need to convert the new structure back into the format the - * caller is expecting. - */ - if (handle->api_version == KADM5_API_VERSION_1) { - kadm5_principal_ent_t_v1 newv1; + tl = kdb.tl_data; + while (tl) { + if (tl->tl_data_type > 255) { + if ((tl2 = dup_tl_data(tl)) == NULL) { + ret = ENOMEM; + goto done; + } + tl2->tl_data_next = entry->tl_data; + entry->tl_data = tl2; + entry->n_tl_data++; + } - newv1 = ((kadm5_principal_ent_t_v1) calloc(1, sizeof(*newv1))); - if (newv1 == NULL) { - ret = ENOMEM; - goto done; - } + tl = tl->tl_data_next; + } + } + if (mask & KADM5_KEY_DATA) { + entry->n_key_data = kdb.n_key_data; + if(entry->n_key_data) { + entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data)); + if (entry->key_data == NULL) { + ret = ENOMEM; + goto done; + } + } else + entry->key_data = NULL; - newv1->principal = entry->principal; - newv1->princ_expire_time = entry->princ_expire_time; - newv1->last_pwd_change = entry->last_pwd_change; - newv1->pw_expiration = entry->pw_expiration; - newv1->max_life = entry->max_life; - newv1->mod_name = entry->mod_name; - newv1->mod_date = entry->mod_date; - newv1->attributes = entry->attributes; - newv1->kvno = entry->kvno; - newv1->mkvno = entry->mkvno; - newv1->policy = entry->policy; - newv1->aux_attributes = entry->aux_attributes; - - *((kadm5_principal_ent_t_v1 *) entry_orig) = newv1; + for (i = 0; i < entry->n_key_data; i++) + ret = krb5_copy_key_data_contents(handle->context, + &kdb.key_data[i], + &entry->key_data[i]); + if (ret) + goto done; } ret = KADM5_OK; 
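Review bot: In the re-indented KADM5_KEY_DATA block `ret` from krb5_copy_key_data_contents is only examined after the loop completes, so a failure on an early element is overwritten by later iterations and, if the last copy succeeds, is lost entirely while entry->key_data holds a partially valid array. Make the check part of the loop body: `ret = krb5_copy_key_data_contents(handle->context, &kdb.key_data[i], &entry->key_data[i]); if (ret) goto done;`. The array is also obtained with `malloc(entry->n_key_data*sizeof(krb5_key_data))` and never zeroed, so whatever the `done:` path (outside the hunk) does with key_data after a mid-loop failure sees indeterminate contents in the untouched elements; `calloc(entry->n_key_data, sizeof(krb5_key_data))` gives zeroed elements and an overflow-checked size at no cost. This code pre-dates the commit and is only moved here, and kadm5_get_principal's body continues past `ret = KADM5_OK;`.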
@@ -1625,25 +1567,11 @@ kadm5_randkey_principal_3(void *server_handle, goto done; if (keyblocks) { - if (handle->api_version == KADM5_API_VERSION_1) { - /* Version 1 clients will expect to see a DES_CRC enctype. */ - ret = krb5_dbe_find_enctype(handle->context, &kdb, - ENCTYPE_DES_CBC_CRC, - -1, -1, &key_data); - if (ret) - goto done; - - ret = decrypt_key_data(handle->context, act_mkey, 1, key_data, - keyblocks, NULL); - if (ret) - goto done; - } else { - ret = decrypt_key_data(handle->context, act_mkey, - kdb.n_key_data, kdb.key_data, - keyblocks, n_keys); - if (ret) - goto done; - } + ret = decrypt_key_data(handle->context, act_mkey, + kdb.n_key_data, kdb.key_data, + keyblocks, n_keys); + if (ret) + goto done; } /* key data changed, let the database provider know */ @@ -2112,23 +2040,11 @@ kadm5_get_principal_keys(void *server_handle /* IN */, } } - if (handle->api_version == KADM5_API_VERSION_1) { - /* Version 1 clients will expect to see a DES_CRC enctype. */ - if ((ret = krb5_dbe_find_enctype(handle->context, &kdb, - ENCTYPE_DES_CBC_CRC, - -1, -1, &key_data))) - goto done; - - if ((ret = decrypt_key_data(handle->context, mkey_ptr, 1, key_data, - keyblocks, NULL))) - goto done; - } else { - ret = decrypt_key_data(handle->context, mkey_ptr, - kdb.n_key_data, kdb.key_data, - keyblocks, n_keys); - if (ret) - goto done; - } + ret = decrypt_key_data(handle->context, mkey_ptr, + kdb.n_key_data, kdb.key_data, + keyblocks, n_keys); + if (ret) + goto done; } ret = KADM5_OK; |
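Review bot: Both hunks delete the only visible user of the local `key_data` (the krb5_dbe_find_enctype result in the removed V1 branch), so unless kadm5_randkey_principal_3 and kadm5_get_principal_keys still use it elsewhere those declarations are now unused variables that will warn; remove them along with the branch. The new calls also pass `n_keys` unconditionally where the V1 path used to pass NULL for the count; if either entry point still accepts a NULL n_keys alongside a non-NULL keyblocks, decrypt_key_data must tolerate that or a check such as `if (n_keys == NULL) { ret = EINVAL; goto done; }` belongs before the call. Both functions' bodies begin and end outside their hunks.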