diff options
author | dfr <dfr@FreeBSD.org> | 2008-05-07 13:39:42 +0000 |
---|---|---|
committer | dfr <dfr@FreeBSD.org> | 2008-05-07 13:39:42 +0000 |
commit | 51b6601db456e699ea5d4843cbc7239ee92d9c13 (patch) | |
tree | 4dbb862199a916e3ffe75f1cb08703ec0e662ffc /crypto/heimdal/lib/kadm5/get_s.c | |
parent | 2565fa13487d5bfc858144e431e3dfd7ffa5200e (diff) | |
download | FreeBSD-src-51b6601db456e699ea5d4843cbc7239ee92d9c13.zip FreeBSD-src-51b6601db456e699ea5d4843cbc7239ee92d9c13.tar.gz |
Vendor import of Heimdal 1.1
Diffstat (limited to 'crypto/heimdal/lib/kadm5/get_s.c')
-rw-r--r-- | crypto/heimdal/lib/kadm5/get_s.c | 187 |
1 files changed, 140 insertions, 47 deletions
diff --git a/crypto/heimdal/lib/kadm5/get_s.c b/crypto/heimdal/lib/kadm5/get_s.c index 0851900..5d0db9b 100644 --- a/crypto/heimdal/lib/kadm5/get_s.c +++ b/crypto/heimdal/lib/kadm5/get_s.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,72 +33,105 @@ #include "kadm5_locl.h" -RCSID("$Id: get_s.c,v 1.13 2000/06/19 16:11:31 joda Exp $"); +RCSID("$Id: get_s.c 21745 2007-07-31 16:11:25Z lha $"); + +static kadm5_ret_t +add_tl_data(kadm5_principal_ent_t ent, int16_t type, + const void *data, size_t size) +{ + krb5_tl_data *tl; + + tl = calloc(1, sizeof(*tl)); + if (tl == NULL) + return _kadm5_error_code(ENOMEM); + + tl->tl_data_type = type; + tl->tl_data_length = size; + tl->tl_data_contents = malloc(size); + if (tl->tl_data_contents == NULL) { + free(tl); + return _kadm5_error_code(ENOMEM); + } + memcpy(tl->tl_data_contents, data, size); + + tl->tl_data_next = ent->tl_data; + ent->tl_data = tl; + ent->n_tl_data++; + + return 0; +} + +krb5_ssize_t KRB5_LIB_FUNCTION +_krb5_put_int(void *buffer, unsigned long value, size_t size); /* XXX */ kadm5_ret_t kadm5_s_get_principal(void *server_handle, krb5_principal princ, kadm5_principal_ent_t out, - u_int32_t mask) + uint32_t mask) { kadm5_server_context *context = server_handle; kadm5_ret_t ret; - hdb_entry ent; + hdb_entry_ex ent; - ent.principal = princ; - ret = context->db->open(context->context, context->db, O_RDONLY, 0); + memset(&ent, 0, sizeof(ent)); + ret = context->db->hdb_open(context->context, context->db, O_RDONLY, 0); if(ret) return ret; - ret = context->db->fetch(context->context, context->db, - HDB_F_DECRYPT, &ent); - context->db->close(context->context, context->db); + ret = context->db->hdb_fetch(context->context, context->db, princ, + HDB_F_DECRYPT|HDB_F_GET_ANY, &ent); + context->db->hdb_close(context->context, context->db); if(ret) return _kadm5_error_code(ret); memset(out, 0, sizeof(*out)); if(mask & KADM5_PRINCIPAL) - ret = krb5_copy_principal(context->context, ent.principal, + ret = krb5_copy_principal(context->context, ent.entry.principal, &out->principal); if(ret) goto out; - if(mask & KADM5_PRINC_EXPIRE_TIME && ent.valid_end) - out->princ_expire_time = *ent.valid_end; - if(mask & KADM5_PW_EXPIRATION && ent.pw_end) - out->pw_expiration = *ent.pw_end; + if(mask & KADM5_PRINC_EXPIRE_TIME && ent.entry.valid_end) + out->princ_expire_time = *ent.entry.valid_end; + if(mask & KADM5_PW_EXPIRATION && ent.entry.pw_end) + out->pw_expiration = *ent.entry.pw_end; if(mask & KADM5_LAST_PWD_CHANGE) - /* XXX implement */; + hdb_entry_get_pw_change_time(&ent.entry, &out->last_pwd_change); if(mask & KADM5_ATTRIBUTES){ - out->attributes |= ent.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED; - out->attributes |= ent.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE; - out->attributes |= ent.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0; - out->attributes |= ent.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE; - out->attributes |= ent.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE; - out->attributes |= ent.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0; - out->attributes |= ent.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0; - out->attributes |= ent.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR; - out->attributes |= ent.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0; + out->attributes |= ent.entry.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED; + out->attributes |= ent.entry.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE; + out->attributes |= ent.entry.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0; + out->attributes |= ent.entry.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE; + out->attributes |= ent.entry.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE; + out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0; + out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0; + out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR; + out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0; + out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0; + out->attributes |= ent.entry.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0; + out->attributes |= ent.entry.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0; + out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0; } if(mask & KADM5_MAX_LIFE) { - if(ent.max_life) - out->max_life = *ent.max_life; + if(ent.entry.max_life) + out->max_life = *ent.entry.max_life; else out->max_life = INT_MAX; } if(mask & KADM5_MOD_TIME) { - if(ent.modified_by) - out->mod_date = ent.modified_by->time; + if(ent.entry.modified_by) + out->mod_date = ent.entry.modified_by->time; else - out->mod_date = ent.created_by.time; + out->mod_date = ent.entry.created_by.time; } if(mask & KADM5_MOD_NAME) { - if(ent.modified_by) { - if (ent.modified_by->principal != NULL) + if(ent.entry.modified_by) { + if (ent.entry.modified_by->principal != NULL) ret = krb5_copy_principal(context->context, - ent.modified_by->principal, + ent.entry.modified_by->principal, &out->mod_name); - } else if(ent.created_by.principal != NULL) + } else if(ent.entry.created_by.principal != NULL) ret = krb5_copy_principal(context->context, - ent.created_by.principal, + ent.entry.created_by.principal, &out->mod_name); else out->mod_name = NULL; @@ -107,13 +140,13 @@ kadm5_s_get_principal(void *server_handle, goto out; if(mask & KADM5_KVNO) - out->kvno = ent.kvno; + out->kvno = ent.entry.kvno; if(mask & KADM5_MKVNO) { int n; out->mkvno = 0; /* XXX */ - for(n = 0; n < ent.keys.len; n++) - if(ent.keys.val[n].mkvno) { - out->mkvno = *ent.keys.val[n].mkvno; /* XXX this isn't right */ + for(n = 0; n < ent.entry.keys.len; n++) + if(ent.entry.keys.val[n].mkvno) { + out->mkvno = *ent.entry.keys.val[n].mkvno; /* XXX this isn't right */ break; } } @@ -122,8 +155,8 @@ kadm5_s_get_principal(void *server_handle, if(mask & KADM5_POLICY) out->policy = NULL; if(mask & KADM5_MAX_RLIFE) { - if(ent.max_renew) - out->max_renewable_life = *ent.max_renew; + if(ent.entry.max_renew) + out->max_renewable_life = *ent.entry.max_renew; else out->max_renewable_life = INT_MAX; } @@ -139,13 +172,17 @@ kadm5_s_get_principal(void *server_handle, krb5_key_data *kd; krb5_salt salt; krb5_data *sp; - krb5_get_pw_salt(context->context, ent.principal, &salt); - out->key_data = malloc(ent.keys.len * sizeof(*out->key_data)); - for(i = 0; i < ent.keys.len; i++){ - key = &ent.keys.val[i]; + krb5_get_pw_salt(context->context, ent.entry.principal, &salt); + out->key_data = malloc(ent.entry.keys.len * sizeof(*out->key_data)); + if (out->key_data == NULL) { + ret = ENOMEM; + goto out; + } + for(i = 0; i < ent.entry.keys.len; i++){ + key = &ent.entry.keys.val[i]; kd = &out->key_data[i]; kd->key_data_ver = 2; - kd->key_data_kvno = ent.kvno; + kd->key_data_kvno = ent.entry.kvno; kd->key_data_type[0] = key->key.keytype; if(key->salt) kd->key_data_type[1] = key->salt->type; @@ -182,8 +219,64 @@ kadm5_s_get_principal(void *server_handle, kadm5_free_principal_ent(context, out); goto out; } - if(mask & KADM5_TL_DATA) - /* XXX implement */; + if(mask & KADM5_TL_DATA) { + time_t last_pw_expire; + const HDB_Ext_Aliases *aliases; + + ret = hdb_entry_get_pw_change_time(&ent.entry, &last_pw_expire); + if (ret == 0 && last_pw_expire) { + unsigned char buf[4]; + _krb5_put_int(buf, last_pw_expire, sizeof(buf)); + ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf)); + } + if(ret){ + kadm5_free_principal_ent(context, out); + goto out; + } + /* + * If the client was allowed to get key data, let it have the + * password too. + */ + if(mask & KADM5_KEY_DATA) { + heim_utf8_string pw; + + ret = hdb_entry_get_password(context->context, + context->db, &ent.entry, &pw); + if (ret == 0) { + ret = add_tl_data(out, KRB5_TL_PASSWORD, pw, strlen(pw) + 1); + free(pw); + } + krb5_clear_error_string(context->context); + ret = 0; + } + + ret = hdb_entry_get_aliases(&ent.entry, &aliases); + if (ret == 0 && aliases) { + krb5_data buf; + size_t len; + + ASN1_MALLOC_ENCODE(HDB_Ext_Aliases, buf.data, buf.length, + aliases, &len, ret); + if (ret) { + kadm5_free_principal_ent(context, out); + goto out; + } + if (len != buf.length) + krb5_abortx(context->context, + "internal ASN.1 encoder error"); + ret = add_tl_data(out, KRB5_TL_ALIASES, buf.data, buf.length); + free(buf.data); + if (ret) { + kadm5_free_principal_ent(context, out); + goto out; + } + } + if(ret){ + kadm5_free_principal_ent(context, out); + goto out; + } + + } out: hdb_free_entry(context->context, &ent); |