Diffstat (limited to 'src/lib/kadm5/srv')
-rw-r--r--src/lib/kadm5/srv/libkadm5srv.exports24
-rw-r--r--src/lib/kadm5/srv/server_init.c54
-rw-r--r--src/lib/kadm5/srv/svr_misc_free.c3
-rw-r--r--src/lib/kadm5/srv/svr_policy.c22
-rw-r--r--src/lib/kadm5/srv/svr_principal.c188
5 files changed, 62 insertions, 229 deletions
diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports
index 545d43b..35745be 100644
--- a/src/lib/kadm5/srv/libkadm5srv.exports
+++ b/src/lib/kadm5/srv/libkadm5srv.exports
@@ -90,29 +90,6 @@ master_keyblock
master_keylist
master_princ
osa_free_princ_ent
-ovsec_kadm_chpass_principal
-ovsec_kadm_chpass_principal_util
-ovsec_kadm_create_policy
-ovsec_kadm_create_principal
-ovsec_kadm_delete_policy
-ovsec_kadm_delete_principal
-ovsec_kadm_destroy
-ovsec_kadm_flush
-ovsec_kadm_free_name_list
-ovsec_kadm_free_policy_ent
-ovsec_kadm_free_principal_ent
-ovsec_kadm_get_policies
-ovsec_kadm_get_policy
-ovsec_kadm_get_principal
-ovsec_kadm_get_principals
-ovsec_kadm_get_privs
-ovsec_kadm_init
-ovsec_kadm_init_with_password
-ovsec_kadm_init_with_skey
-ovsec_kadm_modify_policy
-ovsec_kadm_modify_principal
-ovsec_kadm_randkey_principal
-ovsec_kadm_rename_principal
passwd_check
xdr_chpass3_arg
xdr_chpass_arg
@@ -136,7 +113,6 @@ xdr_gprincs_arg
xdr_gprincs_ret
xdr_kadm5_policy_ent_rec
xdr_kadm5_principal_ent_rec
-xdr_kadm5_principal_ent_rec_v1
xdr_kadm5_ret_t
xdr_krb5_deltat
xdr_krb5_enctype
diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
index 77a83ba..e41ecca 100644
--- a/src/lib/kadm5/srv/server_init.c
+++ b/src/lib/kadm5/srv/server_init.c
@@ -113,13 +113,11 @@ kadm5_ret_t kadm5_init_with_creds(char *client_name,
void **server_handle)
{
/*
- * A program calling init_with_creds *never* expects to prompt the
- * user. Therefore, always pass a dummy password in case this is
- * KADM5_API_VERSION_1. If this is KADM5_API_VERSION_2 and
- * MKEY_FROM_KBD is non-zero, return an error.
+ * A program calling init_with_creds *never* expects to prompt
+ * the user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is
+ * non-zero, return an error.
*/
- if (api_version == KADM5_API_VERSION_2 && params &&
- (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
+ if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
params->mkey_from_kbd)
return KADM5_BAD_SERVER_PARAMS;
return kadm5_init(client_name, NULL, service_name, params,
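Review bot: The comment above the check still says "If this is KADM5_API_VERSION_2", but the new condition no longer tests `api_version`, so the wording describes a version gate that is gone. Suggest ending the comment with `If MKEY_FROM_KBD is non-zero, return an error.` and dropping the version clause. The same stale phrase is left in the kadm5_init_with_skey hunk that follows. Both function bodies continue outside their hunks.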
@@ -138,12 +136,10 @@ kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab,
{
/*
* A program calling init_with_skey *never* expects to prompt the
- * user. Therefore, always pass a dummy password in case this is
- * KADM5_API_VERSION_1. If this is KADM5_API_VERSION_2 and
- * MKEY_FROM_KBD is non-zero, return an error.
+ * user. If this is KADM5_API_VERSION_2 and MKEY_FROM_KBD is
+ * non-zero, return an error.
*/
- if (api_version == KADM5_API_VERSION_2 && params &&
- (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
+ if (params && (params->mask & KADM5_CONFIG_MKEY_FROM_KBD) &&
params->mkey_from_kbd)
return KADM5_BAD_SERVER_PARAMS;
return kadm5_init(client_name, NULL, service_name, params,
@@ -202,21 +198,11 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass,
KADM5_NEW_SERVER_API_VERSION);
/*
- * Acquire relevant profile entries. In version 2, merge values
+ * Acquire relevant profile entries. Merge values
* in params_in with values from profile, based on
* params_in->mask.
- *
- * In version 1, we've given a realm (which may be NULL) instead
- * of params_in. So use that realm, make params_in contain an
- * empty mask, and behave like version 2.
*/
memset(&params_local, 0, sizeof(params_local));
- if (api_version == KADM5_API_VERSION_1) {
- params_local.realm = (char *) params_in;
- if (params_in)
- params_local.mask = KADM5_CONFIG_REALM;
- params_in = &params_local;
- }
#if 0 /* Now that we look at krb5.conf as well as kdc.conf, we can
expect to see admin_server being set sometimes. */
@@ -311,29 +297,9 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass,
return ret;
}
- /*
- * The KADM5_API_VERSION_1 spec said "If pass (or keytab) is NULL
- * or an empty string, reads the master password from [the stash
- * file]. Otherwise, the non-NULL password is ignored and the
- * user is prompted for it via the tty." However, the code was
- * implemented the other way: when a non-NULL password was
- * provided, the stash file was used. This is somewhat more
- * sensible, as then a local or remote client that provides a
- * password does not prompt the user. This code maintains the
- * previous actual behavior, and not the old spec behavior,
- * because that is how the unit tests are written.
- *
- * In KADM5_API_VERSION_2, this decision is controlled by
- * params.
- *
- * kdb_init_master's third argument is "from_keyboard".
- */
ret = kdb_init_master(handle, handle->params.realm,
- (handle->api_version == KADM5_API_VERSION_1 ?
- ((pass == NULL) || !(strlen(pass))) :
- ((handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD)
- && handle->params.mkey_from_kbd)
- ));
+ (handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD)
+ && handle->params.mkey_from_kbd);
if (ret) {
krb5_db_fini(handle->context);
krb5_free_context(handle->context);
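Review bot: The kdb_init_master call loses the only explanation of its third argument; the removed comment recorded that it is "from_keyboard", which decides whether the master key is prompted for on the tty. A one-line replacement would keep that visible at the call site: `/* Third argument is from_keyboard; set only when params request it. */`. In the visible lines `pass` no longer takes part in this decision, so it is worth confirming outside the hunk whether the parameter is still used, and documenting it as ignored if it is not. kadm5_init starts and ends outside the hunk.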
diff --git a/src/lib/kadm5/srv/svr_misc_free.c b/src/lib/kadm5/srv/svr_misc_free.c
index d203397..1c87f06 100644
--- a/src/lib/kadm5/srv/svr_misc_free.c
+++ b/src/lib/kadm5/srv/svr_misc_free.c
@@ -29,9 +29,6 @@ kadm5_free_principal_ent(void *server_handle,
free(val->policy);
/* XXX free key_data and tl_data */
-
- if (handle->api_version == KADM5_API_VERSION_1)
- free(val);
}
return KADM5_OK;
}
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index 7add671..5b7828c 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -258,7 +258,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
kadm5_policy_ent_t entry)
{
osa_policy_ent_t t;
- kadm5_policy_ent_rec entry_local, **entry_orig, *new;
int ret;
kadm5_server_handle_t handle = server_handle;
int cnt=1;
@@ -267,16 +266,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
krb5_clear_error_message(handle->context);
- /*
- * In version 1, entry is a pointer to a kadm5_policy_ent_t that
- * should be filled with allocated memory.
- */
- if (handle->api_version == KADM5_API_VERSION_1) {
- entry_orig = (kadm5_policy_ent_rec **) entry;
- *entry_orig = NULL;
- entry = &entry_local;
- }
-
if (name == (kadm5_policy_t) NULL)
return EINVAL;
if(strlen(name) == 0)
@@ -299,16 +288,5 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
entry->policy_refcnt = t->policy_refcnt;
krb5_db_free_policy(handle->context, t);
- if (handle->api_version == KADM5_API_VERSION_1) {
- new = (kadm5_policy_ent_t) malloc(sizeof(kadm5_policy_ent_rec));
- if (new == NULL) {
- free(entry->policy);
- krb5_db_free_policy(handle->context, t);
- return ENOMEM;
- }
- *new = *entry;
- *entry_orig = new;
- }
-
return KADM5_OK;
}
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 4ee842f..63f6aea 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -745,7 +745,6 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
long mask;
int i;
kadm5_server_handle_t handle = server_handle;
- kadm5_principal_ent_rec entry_local, *entry_orig;
CHECK_HANDLE(server_handle);
@@ -756,13 +755,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
* entry is a pointer to a kadm5_principal_ent_t_v1 that should be
* filled with allocated memory.
*/
- if (handle->api_version == KADM5_API_VERSION_1) {
- mask = KADM5_PRINCIPAL_NORMAL_MASK;
- entry_orig = entry;
- entry = &entry_local;
- } else {
- mask = in_mask;
- }
+ mask = in_mask;
memset(entry, 0, sizeof(*entry));
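Review bot: The context comment ending "entry is a pointer to a kadm5_principal_ent_t_v1 that should be filled with allocated memory" is now stale, because the branch it described is removed and only `mask = in_mask;` remains beneath it. The comment begins outside the hunk, so the full text is not visible here, but what is shown should be deleted or reworded to say that `entry` is the caller's record and is zeroed before being filled. With the version switch gone, the local `mask` is only an alias for `in_mask` in these lines and could be dropped in a follow-up.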
@@ -833,102 +826,51 @@ kadm5_get_principal(void *server_handle, krb5_principal principal,
if (ret)
goto done;
- /*
- * It's my understanding that KADM5_API_VERSION_1 is for OpenVision admin
- * system compatiblity and is not required to maintain at this point so I'm
- * commenting out this code.
- * -- Will Fiveash
- */
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
- if (handle->api_version == KADM5_API_VERSION_2)
- entry->mkvno = 0;
- else {
- /* XXX I'll be damned if I know how to deal with this one --marc */
- entry->mkvno = 1;
- }
-#endif /**************** END IFDEF'ed OUT *******************************/
-
- /*
- * The new fields that only exist in version 2 start here
- */
- if (handle->api_version == KADM5_API_VERSION_2) {
- if (mask & KADM5_MAX_RLIFE)
- entry->max_renewable_life = kdb.max_renewable_life;
- if (mask & KADM5_LAST_SUCCESS)
- entry->last_success = kdb.last_success;
- if (mask & KADM5_LAST_FAILED)
- entry->last_failed = kdb.last_failed;
- if (mask & KADM5_FAIL_AUTH_COUNT)
- entry->fail_auth_count = kdb.fail_auth_count;
- if (mask & KADM5_TL_DATA) {
- krb5_tl_data *tl, *tl2;
-
- entry->tl_data = NULL;
-
- tl = kdb.tl_data;
- while (tl) {
- if (tl->tl_data_type > 255) {
- if ((tl2 = dup_tl_data(tl)) == NULL) {
- ret = ENOMEM;
- goto done;
- }
- tl2->tl_data_next = entry->tl_data;
- entry->tl_data = tl2;
- entry->n_tl_data++;
- }
+ if (mask & KADM5_MAX_RLIFE)
+ entry->max_renewable_life = kdb.max_renewable_life;
+ if (mask & KADM5_LAST_SUCCESS)
+ entry->last_success = kdb.last_success;
+ if (mask & KADM5_LAST_FAILED)
+ entry->last_failed = kdb.last_failed;
+ if (mask & KADM5_FAIL_AUTH_COUNT)
+ entry->fail_auth_count = kdb.fail_auth_count;
+ if (mask & KADM5_TL_DATA) {
+ krb5_tl_data *tl, *tl2;
- tl = tl->tl_data_next;
- }
- }
- if (mask & KADM5_KEY_DATA) {
- entry->n_key_data = kdb.n_key_data;
- if(entry->n_key_data) {
- entry->key_data = (krb5_key_data *)
- malloc(entry->n_key_data*sizeof(krb5_key_data));
- if (entry->key_data == NULL) {
- ret = ENOMEM;
- goto done;
- }
- } else
- entry->key_data = NULL;
-
- for (i = 0; i < entry->n_key_data; i++)
- ret = krb5_copy_key_data_contents(handle->context,
- &kdb.key_data[i],
- &entry->key_data[i]);
- if (ret)
- goto done;
- }
- }
+ entry->tl_data = NULL;
- /*
- * If KADM5_API_VERSION_1, we return an allocated structure, and
- * we need to convert the new structure back into the format the
- * caller is expecting.
- */
- if (handle->api_version == KADM5_API_VERSION_1) {
- kadm5_principal_ent_t_v1 newv1;
+ tl = kdb.tl_data;
+ while (tl) {
+ if (tl->tl_data_type > 255) {
+ if ((tl2 = dup_tl_data(tl)) == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ tl2->tl_data_next = entry->tl_data;
+ entry->tl_data = tl2;
+ entry->n_tl_data++;
+ }
- newv1 = ((kadm5_principal_ent_t_v1) calloc(1, sizeof(*newv1)));
- if (newv1 == NULL) {
- ret = ENOMEM;
- goto done;
- }
+ tl = tl->tl_data_next;
+ }
+ }
+ if (mask & KADM5_KEY_DATA) {
+ entry->n_key_data = kdb.n_key_data;
+ if(entry->n_key_data) {
+ entry->key_data = malloc(entry->n_key_data*sizeof(krb5_key_data));
+ if (entry->key_data == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ } else
+ entry->key_data = NULL;
- newv1->principal = entry->principal;
- newv1->princ_expire_time = entry->princ_expire_time;
- newv1->last_pwd_change = entry->last_pwd_change;
- newv1->pw_expiration = entry->pw_expiration;
- newv1->max_life = entry->max_life;
- newv1->mod_name = entry->mod_name;
- newv1->mod_date = entry->mod_date;
- newv1->attributes = entry->attributes;
- newv1->kvno = entry->kvno;
- newv1->mkvno = entry->mkvno;
- newv1->policy = entry->policy;
- newv1->aux_attributes = entry->aux_attributes;
-
- *((kadm5_principal_ent_t_v1 *) entry_orig) = newv1;
+ for (i = 0; i < entry->n_key_data; i++)
+ ret = krb5_copy_key_data_contents(handle->context,
+ &kdb.key_data[i],
+ &entry->key_data[i]);
+ if (ret)
+ goto done;
}
ret = KADM5_OK;
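Review bot: The re-indented key-data loop keeps an unbraced `for`, so only the `ret = krb5_copy_key_data_contents(...)` assignment is the loop body and `if (ret) goto done;` runs once after the last iteration. A failure copying an earlier key is overwritten by a later success, and the function can then return KADM5_OK with an `entry->key_data` array that is only partly filled, the rest being uninitialised `malloc` memory. Wrap both statements in the loop: `for (i = 0; i < entry->n_key_data; i++) {` … `if (ret) goto done;` `}`. Whether the `done` path releases a partly filled `entry->key_data` is outside the hunk and worth checking at the same time.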
@@ -1625,25 +1567,11 @@ kadm5_randkey_principal_3(void *server_handle,
goto done;
if (keyblocks) {
- if (handle->api_version == KADM5_API_VERSION_1) {
- /* Version 1 clients will expect to see a DES_CRC enctype. */
- ret = krb5_dbe_find_enctype(handle->context, &kdb,
- ENCTYPE_DES_CBC_CRC,
- -1, -1, &key_data);
- if (ret)
- goto done;
-
- ret = decrypt_key_data(handle->context, act_mkey, 1, key_data,
- keyblocks, NULL);
- if (ret)
- goto done;
- } else {
- ret = decrypt_key_data(handle->context, act_mkey,
- kdb.n_key_data, kdb.key_data,
- keyblocks, n_keys);
- if (ret)
- goto done;
- }
+ ret = decrypt_key_data(handle->context, act_mkey,
+ kdb.n_key_data, kdb.key_data,
+ keyblocks, n_keys);
+ if (ret)
+ goto done;
}
/* key data changed, let the database provider know */
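Review bot: The local `key_data` looks to be left declared but unused in kadm5_randkey_principal_3, because the removed KADM5_API_VERSION_1 branch was its only use in this hunk. The hunk offsets show no other change earlier in the function, so the declaration is presumably still there; this is inferred, as the declaration itself is outside the hunk. The kadm5_get_principal_keys hunk below has the same pattern. If nothing else in either function uses it, remove the declaration to avoid an unused-variable warning.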
@@ -2112,23 +2040,11 @@ kadm5_get_principal_keys(void *server_handle /* IN */,
}
}
- if (handle->api_version == KADM5_API_VERSION_1) {
- /* Version 1 clients will expect to see a DES_CRC enctype. */
- if ((ret = krb5_dbe_find_enctype(handle->context, &kdb,
- ENCTYPE_DES_CBC_CRC,
- -1, -1, &key_data)))
- goto done;
-
- if ((ret = decrypt_key_data(handle->context, mkey_ptr, 1, key_data,
- keyblocks, NULL)))
- goto done;
- } else {
- ret = decrypt_key_data(handle->context, mkey_ptr,
- kdb.n_key_data, kdb.key_data,
- keyblocks, n_keys);
- if (ret)
- goto done;
- }
+ ret = decrypt_key_data(handle->context, mkey_ptr,
+ kdb.n_key_data, kdb.key_data,
+ keyblocks, n_keys);
+ if (ret)
+ goto done;
}
ret = KADM5_OK;