Exemple #1
0
/*
 * Fetch the current history key(s), creating the history principal if
 * necessary.  Database created since krb5 1.3 will have only one key, but
 * databases created before that may have multiple keys (of the same kvno)
 * and we need to try them all.  History keys will be returned in a list
 * terminated by an entry with enctype 0.
 */
krb5_error_code
kdb_get_hist_key(kadm5_server_handle_t handle, krb5_keyblock **keyblocks_out,
                 krb5_kvno *kvno_out)
{
    krb5_error_code ret;
    krb5_db_entry *kdb;
    krb5_keyblock *mkey, *kblist = NULL;
    krb5_int16 i;

    /* Fetch the history principal, creating it if necessary. */
    ret = kdb_get_entry(handle, hist_princ, &kdb, NULL);
    if (ret == KADM5_UNK_PRINC) {
        ret = create_hist(handle);
        if (ret)
            return ret;
        ret = kdb_get_entry(handle, hist_princ, &kdb, NULL);
    }
    if (ret)
        return ret;

    if (kdb->n_key_data <= 0) {
        ret = KRB5_KDB_NO_MATCHING_KEY;
        k5_setmsg(handle->context, ret,
                  _("History entry contains no key data"));
        goto done;
    }

    ret = krb5_dbe_find_mkey(handle->context, kdb, &mkey);
    if (ret)
        goto done;

    kblist = k5calloc(kdb->n_key_data + 1, sizeof(*kblist), &ret);
    if (kblist == NULL)
        goto done;
    for (i = 0; i < kdb->n_key_data; i++) {
        ret = krb5_dbe_decrypt_key_data(handle->context, mkey,
                                        &kdb->key_data[i], &kblist[i],
                                        NULL);
        if (ret)
            goto done;
    }

    *keyblocks_out = kblist;
    kblist = NULL;
    *kvno_out = kdb->key_data[0].key_data_kvno;

done:
    kdb_free_entry(handle, kdb, NULL);
    kdb_free_keyblocks(handle, kblist);
    return ret;
}
Exemple #2
0
/* Write a principal's metadata. */
static krb5_error_code
princ_meta(struct rec_args *args, const char *name, krb5_db_entry *dbe)
{
    int got_adb = 0;
    char *modby;
    krb5_kvno mkvno;
    const char *policy;
    krb5_principal mod_princ = NULL;
    krb5_timestamp mod_time, last_pwd;
    krb5_error_code ret;
    osa_princ_ent_rec adb;
    struct rechandle *h = args->rh;

    memset(&adb, 0, sizeof(adb));
    if (startrec(h) < 0)
        return errno;
    if (writefield(h, "%s", name) < 0)
        return errno;

    ret = krb5_dbe_lookup_last_pwd_change(util_context, dbe, &last_pwd);
    if (ret)
        return ret;
    ret = krb5_dbe_get_mkvno(util_context, dbe, &mkvno);
    if (ret)
        return ret;

    ret = krb5_dbe_lookup_mod_princ_data(util_context, dbe, &mod_time,
                                         &mod_princ);
    if (ret)
        return ret;
    ret = krb5_unparse_name(util_context, mod_princ, &modby);
    krb5_free_principal(util_context, mod_princ);
    if (ret)
        return ret;
    ret = writefield(h, "%s", modby);
    krb5_free_unparsed_name(util_context, modby);
    if (ret < 0)
        return errno;

    if (write_date(args, mod_time) < 0)
        return errno;
    if (write_date(args, last_pwd) < 0)
        return errno;

    got_adb = get_adb(dbe, &adb);
    if (got_adb && adb.policy != NULL)
        policy = adb.policy;
    else
        policy = "";
    ret = writefield(h, "%s", policy);
    if (ret < 0) {
        ret = errno;
        goto cleanup;
    }
    if (writefield(h, "%d", mkvno) < 0) {
        ret = errno;
        goto cleanup;
    }
    if (writefield(h, "%d", adb.admin_history_kvno) < 0) {
        ret = errno;
        goto cleanup;
    }
    if (endrec(h) < 0)
        ret = errno;
    else
        ret = 0;

cleanup:
    kdb_free_entry(NULL, NULL, &adb);
    return ret;
}