static kadm5_ret_t
kadm5_log_replay_modify (kadm5_server_context *context,
uint32_t ver,
uint32_t len,
krb5_storage *sp)
{
krb5_error_code ret;
int32_t mask;
krb5_data value;
hdb_entry_ex ent, log_ent;
memset(&log_ent, 0, sizeof(log_ent));
krb5_ret_int32 (sp, &mask);
len -= 4;
ret = krb5_data_alloc (&value, len);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
return ret;
}
krb5_storage_read (sp, value.data, len);
ret = hdb_value2entry (context->context, &value, &log_ent.entry);
krb5_data_free(&value);
if (ret)
return ret;
memset(&ent, 0, sizeof(ent));
ret = context->db->hdb_fetch_kvno(context->context, context->db,
log_ent.entry.principal,
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
if (ret)
goto out;
if (mask & KADM5_PRINC_EXPIRE_TIME) {
if (log_ent.entry.valid_end == NULL) {
ent.entry.valid_end = NULL;
} else {
if (ent.entry.valid_end == NULL) {
ent.entry.valid_end = malloc(sizeof(*ent.entry.valid_end));
if (ent.entry.valid_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
*ent.entry.valid_end = *log_ent.entry.valid_end;
}
}
if (mask & KADM5_PW_EXPIRATION) {
if (log_ent.entry.pw_end == NULL) {
ent.entry.pw_end = NULL;
} else {
if (ent.entry.pw_end == NULL) {
ent.entry.pw_end = malloc(sizeof(*ent.entry.pw_end));
if (ent.entry.pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
*ent.entry.pw_end = *log_ent.entry.pw_end;
}
}
if (mask & KADM5_LAST_PWD_CHANGE) {
abort (); /* XXX */
}
if (mask & KADM5_ATTRIBUTES) {
ent.entry.flags = log_ent.entry.flags;
}
if (mask & KADM5_MAX_LIFE) {
if (log_ent.entry.max_life == NULL) {
ent.entry.max_life = NULL;
} else {
if (ent.entry.max_life == NULL) {
ent.entry.max_life = malloc (sizeof(*ent.entry.max_life));
if (ent.entry.max_life == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
*ent.entry.max_life = *log_ent.entry.max_life;
}
}
if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) {
if (ent.entry.modified_by == NULL) {
ent.entry.modified_by = malloc(sizeof(*ent.entry.modified_by));
if (ent.entry.modified_by == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
} else
free_Event(ent.entry.modified_by);
ret = copy_Event(log_ent.entry.modified_by, ent.entry.modified_by);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
if (mask & KADM5_KVNO) {
ent.entry.kvno = log_ent.entry.kvno;
}
if (mask & KADM5_MKVNO) {
abort (); /* XXX */
}
if (mask & KADM5_AUX_ATTRIBUTES) {
abort (); /* XXX */
}
if (mask & KADM5_POLICY) {
abort (); /* XXX */
}
if (mask & KADM5_POLICY_CLR) {
abort (); /* XXX */
}
if (mask & KADM5_MAX_RLIFE) {
if (log_ent.entry.max_renew == NULL) {
ent.entry.max_renew = NULL;
} else {
if (ent.entry.max_renew == NULL) {
ent.entry.max_renew = malloc (sizeof(*ent.entry.max_renew));
if (ent.entry.max_renew == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
*ent.entry.max_renew = *log_ent.entry.max_renew;
}
}
if (mask & KADM5_LAST_SUCCESS) {
abort (); /* XXX */
}
if (mask & KADM5_LAST_FAILED) {
abort (); /* XXX */
}
if (mask & KADM5_FAIL_AUTH_COUNT) {
abort (); /* XXX */
}
if (mask & KADM5_KEY_DATA) {
size_t num;
int i;
for (i = 0; i < ent.entry.keys.len; ++i)
free_Key(&ent.entry.keys.val[i]);
free (ent.entry.keys.val);
num = log_ent.entry.keys.len;
ent.entry.keys.len = num;
ent.entry.keys.val = malloc(len * sizeof(*ent.entry.keys.val));
if (ent.entry.keys.val == NULL) {
krb5_set_error_message(context->context, ENOMEM, "out of memory");
return ENOMEM;
}
for (i = 0; i < ent.entry.keys.len; ++i) {
ret = copy_Key(&log_ent.entry.keys.val[i],
&ent.entry.keys.val[i]);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
}
if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) {
HDB_extensions *es = ent.entry.extensions;
ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions));
if (ent.entry.extensions == NULL)
goto out;
ret = copy_HDB_extensions(log_ent.entry.extensions,
ent.entry.extensions);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
free(ent.entry.extensions);
ent.entry.extensions = es;
goto out;
}
if (es) {
free_HDB_extensions(es);
free(es);
}
}
ret = context->db->hdb_store(context->context, context->db,
HDB_F_REPLACE, &ent);
out:
hdb_free_entry (context->context, &ent);
hdb_free_entry (context->context, &log_ent);
return ret;
}
static kadm5_ret_t
kadm5_log_replay_modify (kadm5_server_context *context,
uint32_t ver,
uint32_t len,
krb5_storage *sp)
{
krb5_error_code ret;
int32_t mask;
krb5_data value;
hdb_entry_ex ent, log_ent;
memset(&log_ent, 0, sizeof(log_ent));
krb5_ret_int32 (sp, &mask);
len -= 4;
ret = krb5_data_alloc (&value, len);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
return ret;
}
krb5_storage_read (sp, value.data, len);
ret = hdb_value2entry (context->context, &value, &log_ent.entry);
krb5_data_free(&value);
if (ret)
return ret;
memset(&ent, 0, sizeof(ent));
ret = context->db->hdb_fetch_kvno(context->context, context->db,
log_ent.entry.principal,
HDB_F_DECRYPT|HDB_F_ALL_KVNOS|
HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
if (ret)
goto out;
if (mask & KADM5_PRINC_EXPIRE_TIME) {
if (log_ent.entry.valid_end == NULL) {
ent.entry.valid_end = NULL;
} else {
if (ent.entry.valid_end == NULL) {
ent.entry.valid_end = malloc(sizeof(*ent.entry.valid_end));
if (ent.entry.valid_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
*ent.entry.valid_end = *log_ent.entry.valid_end;
}
}
if (mask & KADM5_PW_EXPIRATION) {
if (log_ent.entry.pw_end == NULL) {
ent.entry.pw_end = NULL;
} else {
if (ent.entry.pw_end == NULL) {
ent.entry.pw_end = malloc(sizeof(*ent.entry.pw_end));
if (ent.entry.pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
*ent.entry.pw_end = *log_ent.entry.pw_end;
}
}
if (mask & KADM5_LAST_PWD_CHANGE) {
abort (); /* XXX */
}
if (mask & KADM5_ATTRIBUTES) {
ent.entry.flags = log_ent.entry.flags;
}
if (mask & KADM5_MAX_LIFE) {
if (log_ent.entry.max_life == NULL) {
ent.entry.max_life = NULL;
} else {
if (ent.entry.max_life == NULL) {
ent.entry.max_life = malloc (sizeof(*ent.entry.max_life));
if (ent.entry.max_life == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
*ent.entry.max_life = *log_ent.entry.max_life;
}
}
if ((mask & KADM5_MOD_TIME) && (mask & KADM5_MOD_NAME)) {
if (ent.entry.modified_by == NULL) {
ent.entry.modified_by = malloc(sizeof(*ent.entry.modified_by));
if (ent.entry.modified_by == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
} else
free_Event(ent.entry.modified_by);
ret = copy_Event(log_ent.entry.modified_by, ent.entry.modified_by);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
if (mask & KADM5_KVNO) {
ent.entry.kvno = log_ent.entry.kvno;
}
if (mask & KADM5_MKVNO) {
abort (); /* XXX */
}
if (mask & KADM5_AUX_ATTRIBUTES) {
abort (); /* XXX */
}
if (mask & KADM5_POLICY) {
abort (); /* XXX */
}
if (mask & KADM5_POLICY_CLR) {
abort (); /* XXX */
}
if (mask & KADM5_MAX_RLIFE) {
if (log_ent.entry.max_renew == NULL) {
ent.entry.max_renew = NULL;
} else {
if (ent.entry.max_renew == NULL) {
ent.entry.max_renew = malloc (sizeof(*ent.entry.max_renew));
if (ent.entry.max_renew == NULL) {
ret = ENOMEM;
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
*ent.entry.max_renew = *log_ent.entry.max_renew;
}
}
if (mask & KADM5_LAST_SUCCESS) {
abort (); /* XXX */
}
if (mask & KADM5_LAST_FAILED) {
abort (); /* XXX */
}
if (mask & KADM5_FAIL_AUTH_COUNT) {
abort (); /* XXX */
}
if (mask & KADM5_KEY_DATA) {
size_t num;
size_t i;
/*
* We don't need to do anything about key history here because
* we always log KADM5_TL_DATA when we change keys/passwords, so
* the code below this will handle key history implicitly.
* However, if we had to, the code to handle key history here
* would look like this:
*
* HDB_extension *ext;
* ...
* ext = hdb_find_extension(&log_ent.entry,
* choice_HDB_extension_data_hist_keys);
* if (ext);
* ret = hdb_replace_extension(context->context, &ent.entry, ext);
* else
* ret = hdb_clear_extension(context->context, &ent.entry,
* choice_HDB_extension_data_hist_keys);
*
* Maybe we should do this here anyways, wasteful as it would
* be, as a defensive programming measure? For now we heim_assert().
*/
heim_assert((mask & KADM5_TL_DATA),
"Wouldn't log and replay key history");
for (i = 0; i < ent.entry.keys.len; ++i)
free_Key(&ent.entry.keys.val[i]);
free (ent.entry.keys.val);
num = log_ent.entry.keys.len;
ent.entry.keys.len = num;
ent.entry.keys.val = malloc(len * sizeof(*ent.entry.keys.val));
if (ent.entry.keys.val == NULL) {
krb5_set_error_message(context->context, ENOMEM, "out of memory");
return ENOMEM;
}
for (i = 0; i < ent.entry.keys.len; ++i) {
ret = copy_Key(&log_ent.entry.keys.val[i],
&ent.entry.keys.val[i]);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
goto out;
}
}
}
if ((mask & KADM5_TL_DATA) && log_ent.entry.extensions) {
HDB_extensions *es = ent.entry.extensions;
ent.entry.extensions = calloc(1, sizeof(*ent.entry.extensions));
if (ent.entry.extensions == NULL)
goto out;
ret = copy_HDB_extensions(log_ent.entry.extensions,
ent.entry.extensions);
if (ret) {
krb5_set_error_message(context->context, ret, "out of memory");
free(ent.entry.extensions);
ent.entry.extensions = es;
goto out;
}
if (es) {
free_HDB_extensions(es);
free(es);
}
}
ret = context->db->hdb_store(context->context, context->db,
HDB_F_REPLACE, &ent);
out:
hdb_free_entry (context->context, &ent);
hdb_free_entry (context->context, &log_ent);
return ret;
}