kadm5_ret_t kadm5_log_replay_modify (kadm5_server_context *context, u_int32_t ver, u_int32_t len, krb5_storage *sp) { krb5_error_code ret; int32_t mask; krb5_data value; hdb_entry ent, log_ent; krb5_ret_int32 (sp, &mask); len -= 4; ret = krb5_data_alloc (&value, len); if (ret) return ret; krb5_storage_read (sp, value.data, len); ret = hdb_value2entry (context->context, &value, &log_ent); krb5_data_free(&value); if (ret) return ret; ent.principal = log_ent.principal; log_ent.principal = NULL; ret = context->db->hdb_fetch(context->context, context->db, HDB_F_DECRYPT, &ent); if (ret) return ret; if (mask & KADM5_PRINC_EXPIRE_TIME) { if (log_ent.valid_end == NULL) { ent.valid_end = NULL; } else { if (ent.valid_end == NULL) ent.valid_end = malloc(sizeof(*ent.valid_end)); *ent.valid_end = *log_ent.valid_end; } } if (mask & KADM5_PW_EXPIRATION) { if (log_ent.pw_end == NULL) { ent.pw_end = NULL; } else { if (ent.pw_end == NULL) ent.pw_end = malloc(sizeof(*ent.pw_end)); *ent.pw_end = *log_ent.pw_end; } } if (mask & KADM5_LAST_PWD_CHANGE) { abort (); /* XXX */ } if (mask & KADM5_ATTRIBUTES) { ent.flags = log_ent.flags; } if (mask & KADM5_MAX_LIFE) { if (log_ent.max_life == NULL) { ent.max_life = NULL; } else { if (ent.max_life == NULL) ent.max_life = malloc (sizeof(*ent.max_life)); *ent.max_life = *log_ent.max_life; } } if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) { if (ent.modified_by == NULL) { ent.modified_by = malloc(sizeof(*ent.modified_by)); } else free_Event(ent.modified_by); copy_Event(log_ent.modified_by, ent.modified_by); } if (mask & KADM5_KVNO) { ent.kvno = log_ent.kvno; } if (mask & KADM5_MKVNO) { abort (); /* XXX */ } if (mask & KADM5_AUX_ATTRIBUTES) { abort (); /* XXX */ } if (mask & KADM5_POLICY) { abort (); /* XXX */ } if (mask & KADM5_POLICY_CLR) { abort (); /* XXX */ } if (mask & KADM5_MAX_RLIFE) { if (log_ent.max_renew == NULL) { ent.max_renew = NULL; } else { if (ent.max_renew == NULL) ent.max_renew = malloc (sizeof(*ent.max_renew)); *ent.max_renew = *log_ent.max_renew; } } if (mask & KADM5_LAST_SUCCESS) { abort (); /* XXX */ } if (mask & KADM5_LAST_FAILED) { abort (); /* XXX */ } if (mask & KADM5_FAIL_AUTH_COUNT) { abort (); /* XXX */ } if (mask & KADM5_KEY_DATA) { size_t len; int i; for (i = 0; i < ent.keys.len; ++i) free_Key(&ent.keys.val[i]); free (ent.keys.val); len = log_ent.keys.len; ent.keys.len = len; ent.keys.val = malloc(len * sizeof(*ent.keys.val)); for (i = 0; i < ent.keys.len; ++i) copy_Key(&log_ent.keys.val[i], &ent.keys.val[i]); } ret = context->db->hdb_store(context->context, context->db, HDB_F_REPLACE, &ent); hdb_free_entry (context->context, &ent); hdb_free_entry (context->context, &log_ent); return ret; }
static kadm5_ret_t kadm5_log_replay_modify (kadm5_server_context *context, uint32_t ver, uint32_t len, krb5_storage *sp) { krb5_error_code ret; int32_t mask; krb5_data value; hdb_entry_ex ent, log_ent; memset(&log_ent, 0, sizeof(log_ent)); krb5_ret_int32 (sp, &mask); len -= 4; ret = krb5_data_alloc (&value, len); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); return ret; } krb5_storage_read (sp, value.data, len); ret = hdb_value2entry (context->context, &value, &log_ent.entry); krb5_data_free(&value); if (ret) return ret; memset(&ent, 0, sizeof(ent)); ret = context->db->hdb_fetch_kvno(context->context, context->db, log_ent.entry.principal, HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent); if (ret) goto out; if (mask & KADM5_PRINC_EXPIRE_TIME) { if (log_ent.entry.valid_end == NULL) { ent.entry.valid_end = NULL; } else { if (ent.entry.valid_end == NULL) { ent.entry.valid_end = malloc(sizeof(*ent.entry.valid_end)); if (ent.entry.valid_end == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } *ent.entry.valid_end = *log_ent.entry.valid_end; } } if (mask & KADM5_PW_EXPIRATION) { if (log_ent.entry.pw_end == NULL) { ent.entry.pw_end = NULL; } else { if (ent.entry.pw_end == NULL) { ent.entry.pw_end = malloc(sizeof(*ent.entry.pw_end)); if (ent.entry.pw_end == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } *ent.entry.pw_end = *log_ent.entry.pw_end; } } if (mask & KADM5_LAST_PWD_CHANGE) { abort (); /* XXX */ } if (mask & KADM5_ATTRIBUTES) { ent.entry.flags = log_ent.entry.flags; } if (mask & KADM5_MAX_LIFE) { if (log_ent.entry.max_life == NULL) { ent.entry.max_life = NULL; } else { if (ent.entry.max_life == NULL) { ent.entry.max_life = malloc (sizeof(*ent.entry.max_life)); if (ent.entry.max_life == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } *ent.entry.max_life = *log_ent.entry.max_life; } } if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) { if (ent.entry.modified_by == NULL) { ent.entry.modified_by = malloc(sizeof(*ent.entry.modified_by)); if (ent.entry.modified_by == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } else free_Event(ent.entry.modified_by); ret = copy_Event(log_ent.entry.modified_by, ent.entry.modified_by); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } if (mask & KADM5_KVNO) { ent.entry.kvno = log_ent.entry.kvno; } if (mask & KADM5_MKVNO) { abort (); /* XXX */ } if (mask & KADM5_AUX_ATTRIBUTES) { abort (); /* XXX */ } if (mask & KADM5_POLICY) { abort (); /* XXX */ } if (mask & KADM5_POLICY_CLR) { abort (); /* XXX */ } if (mask & KADM5_MAX_RLIFE) { if (log_ent.entry.max_renew == NULL) { ent.entry.max_renew = NULL; } else { if (ent.entry.max_renew == NULL) { ent.entry.max_renew = malloc (sizeof(*ent.entry.max_renew)); if (ent.entry.max_renew == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } *ent.entry.max_renew = *log_ent.entry.max_renew; } } if (mask & KADM5_LAST_SUCCESS) { abort (); /* XXX */ } if (mask & KADM5_LAST_FAILED) { abort (); /* XXX */ } if (mask & KADM5_FAIL_AUTH_COUNT) { abort (); /* XXX */ } if (mask & KADM5_KEY_DATA) { size_t num; int i; for (i = 0; i < ent.entry.keys.len; ++i) free_Key(&ent.entry.keys.val[i]); free (ent.entry.keys.val); num = log_ent.entry.keys.len; ent.entry.keys.len = num; ent.entry.keys.val = malloc(len * sizeof(*ent.entry.keys.val)); if (ent.entry.keys.val == NULL) { krb5_set_error_message(context->context, ENOMEM, "out of memory"); return ENOMEM; } for (i = 0; i < ent.entry.keys.len; ++i) { ret = copy_Key(&log_ent.entry.keys.val[i], &ent.entry.keys.val[i]); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } } if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) { HDB_extensions *es = ent.entry.extensions; ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions)); if (ent.entry.extensions == NULL) goto out; ret = copy_HDB_extensions(log_ent.entry.extensions, ent.entry.extensions); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); free(ent.entry.extensions); ent.entry.extensions = es; goto out; } if (es) { free_HDB_extensions(es); free(es); } } ret = context->db->hdb_store(context->context, context->db, HDB_F_REPLACE, &ent); out: hdb_free_entry (context->context, &ent); hdb_free_entry (context->context, &log_ent); return ret; }
static int ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent) { int32_t flags = ntohl(ent->flags); krb5_error_code ret; hdb_entry_ex hdb; if(!kaspecials_flag && (flags & KAFNORMAL) == 0) /* remove special entries */ return 0; memset(&hdb, 0, sizeof(hdb)); ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance, v4_realm, &hdb.entry.principal); if(ret) { krb5_warn(pd->context, ret, "krb5_425_conv_principal (%s.%s@%s)", ent->name, ent->instance, v4_realm); return 0; } hdb.entry.kvno = ntohl(ent->kvno); hdb.entry.keys.len = 3; hdb.entry.keys.val = malloc(hdb.entry.keys.len * sizeof(*hdb.entry.keys.val)); if (hdb.entry.keys.val == NULL) krb5_errx(pd->context, ENOMEM, "malloc"); hdb.entry.keys.val[0].mkvno = NULL; hdb.entry.keys.val[0].salt = calloc(1, sizeof(*hdb.entry.keys.val[0].salt)); if (hdb.entry.keys.val[0].salt == NULL) krb5_errx(pd->context, ENOMEM, "calloc"); if (ka_use_null_salt) { hdb.entry.keys.val[0].salt->type = hdb_pw_salt; hdb.entry.keys.val[0].salt->salt.data = NULL; hdb.entry.keys.val[0].salt->salt.length = 0; } else { hdb.entry.keys.val[0].salt->type = hdb_afs3_salt; hdb.entry.keys.val[0].salt->salt.data = strdup(afs_cell); if (hdb.entry.keys.val[0].salt->salt.data == NULL) krb5_errx(pd->context, ENOMEM, "strdup"); hdb.entry.keys.val[0].salt->salt.length = strlen(afs_cell); } hdb.entry.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5; krb5_data_copy(&hdb.entry.keys.val[0].key.keyvalue, ent->key, sizeof(ent->key)); copy_Key(&hdb.entry.keys.val[0], &hdb.entry.keys.val[1]); hdb.entry.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4; copy_Key(&hdb.entry.keys.val[0], &hdb.entry.keys.val[2]); hdb.entry.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC; ALLOC(hdb.entry.max_life); *hdb.entry.max_life = ntohl(ent->max_life); if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != 0xffffffff) { ALLOC(hdb.entry.valid_end); *hdb.entry.valid_end = ntohl(ent->valid_end); } if (ntohl(ent->pw_change) != NEVERDATE && ent->pw_expire != 255 && ent->pw_expire != 0) { ALLOC(hdb.entry.pw_end); *hdb.entry.pw_end = ntohl(ent->pw_change) + 24 * 60 * 60 * ent->pw_expire; } ret = krb5_make_principal(pd->context, &hdb.entry.created_by.principal, v4_realm, "kadmin", "hprop", NULL); hdb.entry.created_by.time = time(NULL); if(ent->mod_ptr){ struct ka_entry mod; ALLOC(hdb.entry.modified_by); read_block(pd->context, fd, ntohl(ent->mod_ptr), &mod, sizeof(mod)); krb5_425_conv_principal(pd->context, mod.name, mod.instance, v4_realm, &hdb.entry.modified_by->principal); hdb.entry.modified_by->time = ntohl(ent->mod_time); memset(&mod, 0, sizeof(mod)); } hdb.entry.flags.forwardable = 1; hdb.entry.flags.renewable = 1; hdb.entry.flags.proxiable = 1; hdb.entry.flags.postdate = 1; /* XXX - AFS 3.4a creates krbtgt.REALMOFCELL as NOTGS+NOSEAL */ if (strcmp(ent->name, "krbtgt") == 0 && (flags & (KAFNOTGS|KAFNOSEAL)) == (KAFNOTGS|KAFNOSEAL)) flags &= ~(KAFNOTGS|KAFNOSEAL); hdb.entry.flags.client = (flags & KAFNOTGS) == 0; hdb.entry.flags.server = (flags & KAFNOSEAL) == 0; ret = v5_prop(pd->context, NULL, &hdb, pd); hdb_free_entry(pd->context, &hdb); return ret; }
static kadm5_ret_t kadm5_log_replay_modify (kadm5_server_context *context, uint32_t ver, uint32_t len, krb5_storage *sp) { krb5_error_code ret; int32_t mask; krb5_data value; hdb_entry_ex ent, log_ent; memset(&log_ent, 0, sizeof(log_ent)); krb5_ret_int32 (sp, &mask); len -= 4; ret = krb5_data_alloc (&value, len); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); return ret; } krb5_storage_read (sp, value.data, len); ret = hdb_value2entry (context->context, &value, &log_ent.entry); krb5_data_free(&value); if (ret) return ret; memset(&ent, 0, sizeof(ent)); ret = context->db->hdb_fetch_kvno(context->context, context->db, log_ent.entry.principal, HDB_F_DECRYPT|HDB_F_ALL_KVNOS| HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent); if (ret) goto out; if (mask & KADM5_PRINC_EXPIRE_TIME) { if (log_ent.entry.valid_end == NULL) { ent.entry.valid_end = NULL; } else { if (ent.entry.valid_end == NULL) { ent.entry.valid_end = malloc(sizeof(*ent.entry.valid_end)); if (ent.entry.valid_end == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } *ent.entry.valid_end = *log_ent.entry.valid_end; } } if (mask & KADM5_PW_EXPIRATION) { if (log_ent.entry.pw_end == NULL) { ent.entry.pw_end = NULL; } else { if (ent.entry.pw_end == NULL) { ent.entry.pw_end = malloc(sizeof(*ent.entry.pw_end)); if (ent.entry.pw_end == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } *ent.entry.pw_end = *log_ent.entry.pw_end; } } if (mask & KADM5_LAST_PWD_CHANGE) { abort (); /* XXX */ } if (mask & KADM5_ATTRIBUTES) { ent.entry.flags = log_ent.entry.flags; } if (mask & KADM5_MAX_LIFE) { if (log_ent.entry.max_life == NULL) { ent.entry.max_life = NULL; } else { if (ent.entry.max_life == NULL) { ent.entry.max_life = malloc (sizeof(*ent.entry.max_life)); if (ent.entry.max_life == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } *ent.entry.max_life = *log_ent.entry.max_life; } } if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) { if (ent.entry.modified_by == NULL) { ent.entry.modified_by = malloc(sizeof(*ent.entry.modified_by)); if (ent.entry.modified_by == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } else free_Event(ent.entry.modified_by); ret = copy_Event(log_ent.entry.modified_by, ent.entry.modified_by); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } if (mask & KADM5_KVNO) { ent.entry.kvno = log_ent.entry.kvno; } if (mask & KADM5_MKVNO) { abort (); /* XXX */ } if (mask & KADM5_AUX_ATTRIBUTES) { abort (); /* XXX */ } if (mask & KADM5_POLICY) { abort (); /* XXX */ } if (mask & KADM5_POLICY_CLR) { abort (); /* XXX */ } if (mask & KADM5_MAX_RLIFE) { if (log_ent.entry.max_renew == NULL) { ent.entry.max_renew = NULL; } else { if (ent.entry.max_renew == NULL) { ent.entry.max_renew = malloc (sizeof(*ent.entry.max_renew)); if (ent.entry.max_renew == NULL) { ret = ENOMEM; krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } *ent.entry.max_renew = *log_ent.entry.max_renew; } } if (mask & KADM5_LAST_SUCCESS) { abort (); /* XXX */ } if (mask & KADM5_LAST_FAILED) { abort (); /* XXX */ } if (mask & KADM5_FAIL_AUTH_COUNT) { abort (); /* XXX */ } if (mask & KADM5_KEY_DATA) { size_t num; size_t i; /* * We don't need to do anything about key history here because * we always log KADM5_TL_DATA when we change keys/passwords, so * the code below this will handle key history implicitly. * However, if we had to, the code to handle key history here * would look like this: * * HDB_extension *ext; * ... * ext = hdb_find_extension(&log_ent.entry, * choice_HDB_extension_data_hist_keys); * if (ext); * ret = hdb_replace_extension(context->context, &ent.entry, ext); * else * ret = hdb_clear_extension(context->context, &ent.entry, * choice_HDB_extension_data_hist_keys); * * Maybe we should do this here anyways, wasteful as it would * be, as a defensive programming measure? For now we heim_assert(). */ heim_assert((mask & KADM5_TL_DATA), "Wouldn't log and replay key history"); for (i = 0; i < ent.entry.keys.len; ++i) free_Key(&ent.entry.keys.val[i]); free (ent.entry.keys.val); num = log_ent.entry.keys.len; ent.entry.keys.len = num; ent.entry.keys.val = malloc(len * sizeof(*ent.entry.keys.val)); if (ent.entry.keys.val == NULL) { krb5_set_error_message(context->context, ENOMEM, "out of memory"); return ENOMEM; } for (i = 0; i < ent.entry.keys.len; ++i) { ret = copy_Key(&log_ent.entry.keys.val[i], &ent.entry.keys.val[i]); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); goto out; } } } if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) { HDB_extensions *es = ent.entry.extensions; ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions)); if (ent.entry.extensions == NULL) goto out; ret = copy_HDB_extensions(log_ent.entry.extensions, ent.entry.extensions); if (ret) { krb5_set_error_message(context->context, ret, "out of memory"); free(ent.entry.extensions); ent.entry.extensions = es; goto out; } if (es) { free_HDB_extensions(es); free(es); } } ret = context->db->hdb_store(context->context, context->db, HDB_F_REPLACE, &ent); out: hdb_free_entry (context->context, &ent); hdb_free_entry (context->context, &log_ent); return ret; }
int v4_prop(void *arg, struct v4_principal *p) { struct prop_data *pd = arg; hdb_entry_ex ent; krb5_error_code ret; memset(&ent, 0, sizeof(ent)); ret = krb5_425_conv_principal(pd->context, p->name, p->instance, v4_realm, &ent.entry.principal); if(ret) { krb5_warn(pd->context, ret, "krb5_425_conv_principal %s.%s@%s", p->name, p->instance, v4_realm); return 0; } if(verbose_flag) { char *s; krb5_unparse_name_short(pd->context, ent.entry.principal, &s); krb5_warnx(pd->context, "%s.%s -> %s", p->name, p->instance, s); free(s); } ent.entry.kvno = p->kvno; ent.entry.keys.len = 3; ent.entry.keys.val = malloc(ent.entry.keys.len * sizeof(*ent.entry.keys.val)); if (ent.entry.keys.val == NULL) krb5_errx(pd->context, ENOMEM, "malloc"); if(p->mkvno != -1) { ent.entry.keys.val[0].mkvno = malloc (sizeof(*ent.entry.keys.val[0].mkvno)); if (ent.entry.keys.val[0].mkvno == NULL) krb5_errx(pd->context, ENOMEM, "malloc"); *(ent.entry.keys.val[0].mkvno) = p->mkvno; } else ent.entry.keys.val[0].mkvno = NULL; ent.entry.keys.val[0].salt = calloc(1, sizeof(*ent.entry.keys.val[0].salt)); if (ent.entry.keys.val[0].salt == NULL) krb5_errx(pd->context, ENOMEM, "calloc"); ent.entry.keys.val[0].salt->type = KRB5_PADATA_PW_SALT; ent.entry.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5; krb5_data_alloc(&ent.entry.keys.val[0].key.keyvalue, DES_KEY_SZ); memcpy(ent.entry.keys.val[0].key.keyvalue.data, p->key, 8); copy_Key(&ent.entry.keys.val[0], &ent.entry.keys.val[1]); ent.entry.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4; copy_Key(&ent.entry.keys.val[0], &ent.entry.keys.val[2]); ent.entry.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC; { int life = _krb5_krb_life_to_time(0, p->max_life); if(life == NEVERDATE){ ent.entry.max_life = NULL; } else { /* clean up lifetime a bit */ if(life > 86400) life = (life + 86399) / 86400 * 86400; else if(life > 3600) life = (life + 3599) / 3600 * 3600; ALLOC(ent.entry.max_life); *ent.entry.max_life = life; } } ALLOC(ent.entry.valid_end); *ent.entry.valid_end = p->exp_date; ret = krb5_make_principal(pd->context, &ent.entry.created_by.principal, v4_realm, "kadmin", "hprop", NULL); if(ret){ krb5_warn(pd->context, ret, "krb5_make_principal"); ret = 0; goto out; } ent.entry.created_by.time = time(NULL); ALLOC(ent.entry.modified_by); ret = krb5_425_conv_principal(pd->context, p->mod_name, p->mod_instance, v4_realm, &ent.entry.modified_by->principal); if(ret){ krb5_warn(pd->context, ret, "%s.%s@%s", p->name, p->instance, v4_realm); ent.entry.modified_by->principal = NULL; ret = 0; goto out; } ent.entry.modified_by->time = p->mod_date; ent.entry.flags.forwardable = 1; ent.entry.flags.renewable = 1; ent.entry.flags.proxiable = 1; ent.entry.flags.postdate = 1; ent.entry.flags.client = 1; ent.entry.flags.server = 1; /* special case password changing service */ if(strcmp(p->name, "changepw") == 0 && strcmp(p->instance, "kerberos") == 0) { ent.entry.flags.forwardable = 0; ent.entry.flags.renewable = 0; ent.entry.flags.proxiable = 0; ent.entry.flags.postdate = 0; ent.entry.flags.initial = 1; ent.entry.flags.change_pw = 1; } ret = v5_prop(pd->context, NULL, &ent, pd); if (strcmp (p->name, "krbtgt") == 0 && strcmp (v4_realm, p->instance) != 0) { krb5_free_principal (pd->context, ent.entry.principal); ret = krb5_425_conv_principal (pd->context, p->name, v4_realm, p->instance, &ent.entry.principal); if (ret == 0) ret = v5_prop (pd->context, NULL, &ent, pd); } out: hdb_free_entry(pd->context, &ent); return ret; }