changeset 2881:ea6360e7e1c5

PSARC 2006/424 Kerberos 1.4 KDC Resync 6406993 kdc and client resync with MIT 1.4
author mp153739
date Sat, 07 Oct 2006 13:37:05 -0700
parents fd078b935454
children 5f4abbf1f03e
files usr/src/cmd/krb5/kadmin/cli/Makefile usr/src/cmd/krb5/kadmin/cli/getdate.y usr/src/cmd/krb5/kadmin/cli/k5srvutil.sh usr/src/cmd/krb5/kadmin/cli/kadmin.c usr/src/cmd/krb5/kadmin/cli/kadmin.h usr/src/cmd/krb5/kadmin/cli/kadmin_ct.c usr/src/cmd/krb5/kadmin/cli/kadmin_rmt.c usr/src/cmd/krb5/kadmin/cli/keytab.c usr/src/cmd/krb5/kadmin/cli/ss_wrapper.c usr/src/cmd/krb5/kadmin/dbutil/Makefile usr/src/cmd/krb5/kadmin/dbutil/dump.c usr/src/cmd/krb5/kadmin/dbutil/import_err.h usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c usr/src/cmd/krb5/kadmin/dbutil/kdb5_destroy.c usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h usr/src/cmd/krb5/kadmin/dbutil/nstrtok.h usr/src/cmd/krb5/kadmin/dbutil/ovload.c usr/src/cmd/krb5/kadmin/dbutil/string_table.c usr/src/cmd/krb5/kadmin/dbutil/string_table.h usr/src/cmd/krb5/kadmin/dbutil/strtok.c usr/src/cmd/krb5/kadmin/dbutil/util.c usr/src/cmd/krb5/kadmin/kpasswd/Makefile usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.c usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.h usr/src/cmd/krb5/kadmin/kpasswd/kpasswd_strings.h usr/src/cmd/krb5/kadmin/kpasswd/tty_kpasswd.c usr/src/cmd/krb5/kadmin/ktutil/ktutil.c usr/src/cmd/krb5/kadmin/ktutil/ktutil.h usr/src/cmd/krb5/kadmin/ktutil/ktutil_ct.c usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c usr/src/cmd/krb5/kadmin/server/ipropd_svc.c usr/src/cmd/krb5/kadmin/server/kadm_rpc_svc.c usr/src/cmd/krb5/kadmin/server/misc.c usr/src/cmd/krb5/kadmin/server/misc.h usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c usr/src/cmd/krb5/kadmin/server/server_glue_v1.c usr/src/cmd/krb5/kadmin/server/server_stubs.c usr/src/cmd/krb5/kdestroy/kdestroy.c usr/src/cmd/krb5/kinit/kinit.c usr/src/cmd/krb5/klist/klist.c usr/src/cmd/krb5/krb5kdc/dispatch.c usr/src/cmd/krb5/krb5kdc/do_as_req.c usr/src/cmd/krb5/krb5kdc/do_tgs_req.c usr/src/cmd/krb5/krb5kdc/extern.h usr/src/cmd/krb5/krb5kdc/kdc_preauth.c 
usr/src/cmd/krb5/krb5kdc/kdc_util.c usr/src/cmd/krb5/krb5kdc/kdc_util.h usr/src/cmd/krb5/krb5kdc/main.c usr/src/cmd/krb5/krb5kdc/network.c usr/src/cmd/krb5/krb5kdc/policy.c usr/src/cmd/krb5/krb5kdc/replay.c usr/src/cmd/krb5/slave/kprop.c usr/src/cmd/krb5/slave/kprop.h usr/src/cmd/krb5/slave/kpropd.c usr/src/lib/gss_mechs/mech_krb5/include/db.h usr/src/lib/gss_mechs/mech_krb5/include/krb5/adm.h usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktbase.c usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_pwd.c usr/src/lib/gss_mechs/mech_krb5/krb5/os/sendto_kdc.c usr/src/lib/gss_mechs/mech_krb5/mapfile-vers usr/src/lib/krb5/db2/btree/bt_debug.c usr/src/lib/krb5/db2/btree/bt_delete.c usr/src/lib/krb5/db2/btree/bt_open.c usr/src/lib/krb5/db2/btree/bt_overflow.c usr/src/lib/krb5/db2/btree/bt_put.c usr/src/lib/krb5/db2/btree/bt_search.c usr/src/lib/krb5/db2/btree/bt_seq.c usr/src/lib/krb5/db2/btree/extern.h usr/src/lib/krb5/db2/db/db.c usr/src/lib/krb5/db2/hash/dbm.c usr/src/lib/krb5/db2/hash/hash.c usr/src/lib/krb5/db2/hash/hash.h usr/src/lib/krb5/db2/hash/hash_bigkey.c usr/src/lib/krb5/db2/hash/hash_func.c usr/src/lib/krb5/db2/hash/hash_log2.c usr/src/lib/krb5/db2/hash/hash_page.c usr/src/lib/krb5/db2/hash/hsearch.c usr/src/lib/krb5/db2/hash/search.h usr/src/lib/krb5/db2/include/db-int.h usr/src/lib/krb5/db2/include/db-queue.h usr/src/lib/krb5/db2/mapfile-vers usr/src/lib/krb5/db2/mpool/mpool.c usr/src/lib/krb5/db2/mpool/mpool.h usr/src/lib/krb5/db2/recno/extern.h usr/src/lib/krb5/db2/recno/rec_close.c usr/src/lib/krb5/db2/recno/rec_delete.c usr/src/lib/krb5/db2/recno/rec_open.c usr/src/lib/krb5/db2/recno/rec_put.c usr/src/lib/krb5/db2/recno/rec_search.c usr/src/lib/krb5/db2/recno/rec_seq.c usr/src/lib/krb5/kadm5/adb.h usr/src/lib/krb5/kadm5/adb_err.h usr/src/lib/krb5/kadm5/admin.h usr/src/lib/krb5/kadm5/admin_internal.h usr/src/lib/krb5/kadm5/admin_xdr.h usr/src/lib/krb5/kadm5/alt_prof.c usr/src/lib/krb5/kadm5/chpass_util.c usr/src/lib/krb5/kadm5/chpass_util_strings.h 
usr/src/lib/krb5/kadm5/clnt/Makefile.com usr/src/lib/krb5/kadm5/clnt/client_init.c usr/src/lib/krb5/kadm5/clnt/client_internal.h usr/src/lib/krb5/kadm5/clnt/client_principal.c usr/src/lib/krb5/kadm5/clnt/client_rpc.c usr/src/lib/krb5/kadm5/clnt/clnt_chpass_util.c usr/src/lib/krb5/kadm5/clnt/clnt_policy.c usr/src/lib/krb5/kadm5/clnt/mapfile-vers usr/src/lib/krb5/kadm5/kadm_err.h usr/src/lib/krb5/kadm5/kadm_rpc.h usr/src/lib/krb5/kadm5/kadm_rpc_xdr.c usr/src/lib/krb5/kadm5/server_internal.h usr/src/lib/krb5/kadm5/srv/Makefile.com usr/src/lib/krb5/kadm5/srv/adb_free.c usr/src/lib/krb5/kadm5/srv/adb_openclose.c usr/src/lib/krb5/kadm5/srv/adb_policy.c usr/src/lib/krb5/kadm5/srv/adb_xdr.c usr/src/lib/krb5/kadm5/srv/mapfile-vers usr/src/lib/krb5/kadm5/srv/server_acl.c usr/src/lib/krb5/kadm5/srv/server_acl.h usr/src/lib/krb5/kadm5/srv/server_dict.c usr/src/lib/krb5/kadm5/srv/server_init.c usr/src/lib/krb5/kadm5/srv/server_kdb.c usr/src/lib/krb5/kadm5/srv/server_misc.c usr/src/lib/krb5/kadm5/srv/svr_chpass_util.c usr/src/lib/krb5/kadm5/srv/svr_iters.c usr/src/lib/krb5/kadm5/srv/svr_misc_free.c usr/src/lib/krb5/kadm5/srv/svr_policy.c usr/src/lib/krb5/kadm5/srv/svr_principal.c usr/src/lib/krb5/kadm5/str_conv.c usr/src/lib/krb5/kdb/Makefile.com usr/src/lib/krb5/kdb/encrypt_key.c usr/src/lib/krb5/kdb/fetch_mkey.c usr/src/lib/krb5/kdb/kdb_cpw.c usr/src/lib/krb5/kdb/kdb_db2.c usr/src/lib/krb5/kdb/kdb_db2.h usr/src/lib/krb5/kdb/kdb_dbm.c usr/src/lib/krb5/kdb/kdb_kt.h usr/src/lib/krb5/kdb/kdb_xdr.c usr/src/lib/krb5/kdb/keytab.c usr/src/lib/krb5/kdb/mapfile-vers usr/src/lib/krb5/kdb/setup_mkey.c usr/src/lib/krb5/kdb/store_mkey.c usr/src/lib/krb5/ss/copyright.h usr/src/lib/krb5/ss/error.c usr/src/lib/krb5/ss/execute_cmd.c usr/src/lib/krb5/ss/help.c usr/src/lib/krb5/ss/invocation.c usr/src/lib/krb5/ss/list_rqs.c usr/src/lib/krb5/ss/listen.c usr/src/lib/krb5/ss/mapfile-vers usr/src/lib/krb5/ss/mit-sipb-copyright.h usr/src/lib/krb5/ss/mk_cmds.c usr/src/lib/krb5/ss/pager.c 
usr/src/lib/krb5/ss/parse.c usr/src/lib/krb5/ss/request_tbl.c usr/src/lib/krb5/ss/requests.c usr/src/lib/krb5/ss/ss.h usr/src/lib/krb5/ss/ss_internal.h usr/src/lib/krb5/ss/utils.c usr/src/pkgdefs/SUNWkdcu/prototype_com usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c
diffstat 163 files changed, 8759 insertions(+), 7345 deletions(-) [+]
--- a/usr/src/cmd/krb5/kadmin/cli/Makefile	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/cli/Makefile	Sat Oct 07 13:37:05 2006 -0700
@@ -1,11 +1,15 @@
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
 #
 
 PROG= kadmin kadmin.local
+SHFILES= k5srvutil
+CLOBBERFILES= $(SHFILES) 
+
+KRB5SBINSHFILES= $(SHFILES:%=$(KRB5SBIN)/%)
 
 COMMON_OBJS   = kadmin.o kadmin_ct.o ss_wrapper.o getdate.o keytab.o
 RMT_OBJS= $(COMMON_OBJS) kadmin_rmt.o
@@ -16,8 +20,8 @@
 include ../../../Makefile.cmd
 include $(SRC)/lib/gss_mechs/mech_krb5/Makefile.mech_krb5
 
-POFILE = kadmin.po
-POFILES = generic.po
+POFILE = generic.po
+POFILES = kadmin.po k5srvutil.po
 
 DEFS = -DHAVE_LIBSOCKET=1 -DHAVE_LIBNSL=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TIMEB_H=1 \
 	-DHAVE_ALLOCA_H=1 -DHAVE_FTIME=1 -DHAVE_TIMEZONE
@@ -43,7 +47,7 @@
 
 .KEEP_STATE:
 
-all: $(PROG)
+all: $(PROG) $(SHFILES)
 
 kadmin:	$(RMT_OBJS)
 	$(LINK.c) $(RMT_OBJS) -o $@ $(CLLIBS)
@@ -53,7 +57,11 @@
 	$(LINK.c) $(LOC_OBJS) -o $@ $(SRVLIBS)
 	$(POST_PROCESS)
 
-install: $(KRB5SBINPROG)
+$(SHFILES): $(SHFILES).sh
+	$(RM) $(SHFILES)
+	$(CP) $(SHFILES).sh $(SHFILES)
+
+install: $(KRB5SBINPROG) $(KRB5SBINSHFILES)
 
 clean:
 	$(RM) $(OBJS)
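Review bot: The new `$(SHFILES): $(SHFILES).sh` rule and its recipe expand the whole SHFILES list, so they are only correct while the list holds exactly one name. With a second script the prerequisite would expand to `a b.sh` and `$(CP) $(SHFILES).sh $(SHFILES)` would no longer copy one file to one target. Writing the recipe against the target keeps it per-file: `$(RM) $@` and `$(CP) $@.sh $@`.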
@@ -66,7 +74,7 @@
 	$(RM) $@
 	$(CAT) $(POFILES) > $@
 
-generic.po: FRC
+kadmin.po: FRC
 	$(RM) messages.po
 	$(XGETTEXT) $(XGETFLAGS) `$(GREP) -l gettext *.[ch]`
 	$(SED) "/^domain/d" messages.po > $@
--- a/usr/src/cmd/krb5/kadmin/cli/getdate.y	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/cli/getdate.y	Sat Oct 07 13:37:05 2006 -0700
@@ -18,30 +18,28 @@
 
 %{
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
 
 /*
- *  Originally written by Steven M. Bellovin <smb@research.att.com> while
- *  at the University of North Carolina at Chapel Hill.  Later tweaked by
- *  a couple of people on Usenet.  Completely overhauled by Rich $alz
- *  <rsalz@bbn.com> and Jim Berets <jberets@bbn.com> in August, 1990;
- *  send any email to Rich.
- *
- *  This grammar has nine shift/reduce conflicts.
- *
- *  This code is in the public domain and has no copyright.
- */
-
-/* SUPPRESS 287 on yaccpar_sccsid */ /* Unusd static variable */
-
-/* SUPPRESS 288 on yyerrlab */ /* Label unused */
+**  Originally written by Steven M. Bellovin <smb@research.att.com> while
+**  at the University of North Carolina at Chapel Hill.  Later tweaked by
+**  a couple of people on Usenet.  Completely overhauled by Rich $alz
+**  <rsalz@bbn.com> and Jim Berets <jberets@bbn.com> in August, 1990;
+**  send any email to Rich.
+**
+**  This grammar has nine shift/reduce conflicts.
+**
+**  This code is in the public domain and has no copyright.
+*/
+/* SUPPRESS 287 on yaccpar_sccsid *//* Unusd static variable */
+/* SUPPRESS 288 on yyerrlab *//* Label unused */
 
 #ifdef HAVE_CONFIG_H
-#if defined(emacs) || defined(CONFIG_BROKETS)
+#if defined (emacs) || defined (CONFIG_BROKETS)
 #include <config.h>
 #else
 #include "config.h"
@@ -49,37 +47,32 @@
 #endif
 #include <string.h>
 
-/*
- * Since the code of getdate.y is not included in the Emacs executable
- * itself, there is no need to #define static in this file.  Even if
- * the code were included in the Emacs executable, it probably
- * wouldn't do any harm to #undef it here; this will only cause
- * problems if we try to write to a static variable, which I don't
- * think this code needs to do.
- */
-
+/* Since the code of getdate.y is not included in the Emacs executable
+   itself, there is no need to #define static in this file.  Even if
+   the code were included in the Emacs executable, it probably
+   wouldn't do any harm to #undef it here; this will only cause
+   problems if we try to write to a static variable, which I don't
+   think this code needs to do.  */
 #ifdef emacs
 #undef static
 #endif
 
-/*
- * The following block of alloca-related preprocessor directives is here
- * solely to allow compilation by non GNU-C compilers of the C parser
- * produced from this file by old versions of bison.  Newer versions of
- * bison include a block similar to this one in bison.simple.
- */
+/* The following block of alloca-related preprocessor directives is here
+   solely to allow compilation by non GNU-C compilers of the C parser
+   produced from this file by old versions of bison.  Newer versions of
+   bison include a block similar to this one in bison.simple.  */
 
 #ifdef __GNUC__
 #undef alloca
-#define	alloca __builtin_alloca
+#define alloca __builtin_alloca
 #else
 #ifdef HAVE_ALLOCA_H
 #include <alloca.h>
 #else
 #ifdef _AIX /* for Bison */
-#pragma alloca
+ #pragma alloca
 #else
-void *alloca();
+void *alloca ();
 #endif
 #endif
 #endif
@@ -87,12 +80,14 @@
 #include <stdio.h>
 #include <ctype.h>
 
-/*
- * The code at the top of get_date which figures out the offset of the
- * current time zone checks various CPP symbols to see if special
- * tricks are need, but defaults to using the gettimeofday system call.
- * Include <sys/time.h> if that will be used.
- */
+#if defined(HAVE_STDLIB_H)
+#include <stdlib.h>
+#endif
+
+/* The code at the top of get_date which figures out the offset of the
+   current time zone checks various CPP symbols to see if special
+   tricks are need, but defaults to using the gettimeofday system call.
+   Include <sys/time.h> if that will be used.  */
 
 #if	defined(vms)
 
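Review bot: The added `#include <stdlib.h>` is compiled only when `HAVE_STDLIB_H` is defined, and the DEFS line shown in this changeset's kadmin/cli Makefile section does not set that symbol. Unless config.h or another flag outside this view supplies it, the header is skipped, and the `abort ()` call in ToSeconds later in the file is then used without a declaration. Either make the include unconditional, `#include <stdlib.h>`, or add `-DHAVE_STDLIB_H=1` to DEFS.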
@@ -119,10 +114,10 @@
 #endif
 
 /*
- * We use the obsolete `struct my_timeb' as part of our interface!
- * Since the system doesn't have it, we define it here;
- * our callers must do likewise.
- */
+** We use the obsolete `struct my_timeb' as part of our interface!
+** Since the system doesn't have it, we define it here;
+** our callers must do likewise.
+*/
 struct my_timeb {
     time_t		time;		/* Seconds since the epoch	*/
     unsigned short	millitm;	/* Field not used		*/
@@ -131,18 +126,15 @@
 };
 #endif	/* defined(vms) */
 
-#if defined(STDC_HEADERS) || defined(USG)
+#if defined (STDC_HEADERS) || defined (USG)
 #include <string.h>
 #endif
 
-/*
- * Some old versions of bison generate parsers that use bcopy.
- * That loses on systems that don't provide the function, so we have
- * to redefine it here.
- */
-
-#if !defined(HAVE_BCOPY) && defined(HAVE_MEMCPY) && !defined(bcopy)
-#define	bcopy(from, to, len) memcpy((to), (from), (len))
+/* Some old versions of bison generate parsers that use bcopy.
+   That loses on systems that don't provide the function, so we have
+   to redefine it here.  */
+#ifndef bcopy
+#define bcopy(from, to, len) memcpy ((to), (from), (len))
 #endif
 
 /*
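Review bot: The new `#define bcopy(from, to, len) memcpy ((to), (from), (len))` maps an overlap-tolerant call onto one whose behaviour is undefined when the two regions overlap. With the `HAVE_BCOPY` test removed it now also shadows a native bcopy wherever that is a function rather than a macro. The comment says the only user is parser code generated by old bison versions; whether that code ever copies overlapping regions is not visible here, so the conservative mapping is `#define bcopy(from, to, len) memmove ((to), (from), (len))`. Keeping the `!defined(HAVE_BCOPY)` condition would also leave the system bcopy in place where one exists.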
@@ -179,28 +171,23 @@
 extern struct tm	*gmtime();
 extern struct tm	*localtime();
 
-#define	yyparse getdate_yyparse
-#define	yylex getdate_yylex
-#define	yyerror getdate_yyerror
+#define yyparse getdate_yyparse
+#define yylex getdate_yylex
+#define yyerror getdate_yyerror
 
-static int yylex();
-static int yyerror();
-
-#if	!defined(lint) && !defined(SABER)
-static char RCS[] =
-	"$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/kadmin/cli/getdate.y,v 1.9 1996/10/18 17:48:04 bjaspan Exp $";
-#endif	/* !defined(lint) && !defined(SABER) */
+static int getdate_yylex (void);
+static int getdate_yyerror (char *);
 
 
-#define	EPOCH		1970
+#define EPOCH		1970
 #define EPOCH_END	2099  /* Solaris 64 bit can support this at this point */
-#define	HOUR(x)		((time_t)(x) * 60)
-#define	SECSPERDAY	(24L * 60L * 60L)
+#define HOUR(x)		((time_t)(x) * 60)
+#define SECSPERDAY	(24L * 60L * 60L)
 
 
 /*
- *  An entry in the lexical lookup table.
- */
+**  An entry in the lexical lookup table.
+*/
 typedef struct _TABLE {
     char	*name;
     int		type;
@@ -209,26 +196,26 @@
 
 
 /*
- *  Daylight-savings mode:  on, off, or not yet known.
- */
+**  Daylight-savings mode:  on, off, or not yet known.
+*/
 typedef enum _DSTMODE {
     DSTon, DSToff, DSTmaybe
 } DSTMODE;
 
 /*
- *  Meridian:  am, pm, or 24-hour style.
- */
+**  Meridian:  am, pm, or 24-hour style.
+*/
 typedef enum _MERIDIAN {
     MERam, MERpm, MER24
 } MERIDIAN;
 
 
 /*
- *  Global variables.  We could get rid of most of these by using a good
- *  union as the yacc stack.  (This routine was originally written before
- *  yacc had the %union construct.)  Maybe someday; right now we only use
- *  the %union very rarely.
- */
+**  Global variables.  We could get rid of most of these by using a good
+**  union as the yacc stack.  (This routine was originally written before
+**  yacc had the %union construct.)  Maybe someday; right now we only use
+**  the %union very rarely.
+*/
 static char	*yyInput;
 static DSTMODE	yyDSTmode;
 static time_t	yyDayOrdinal;
@@ -267,7 +254,7 @@
 
 spec	: /* NULL */
 	| spec item
-	| tNEVER {
+        | tNEVER {
 	    yyYear = 1970;
 	    yyMonth = 1;
 	    yyDay = 1;
@@ -275,7 +262,7 @@
 	    yyDSTmode = DSToff;
 	    yyTimezone = 0; /* gmt */
 	    yyHaveDate++;
-	}
+        }
 	;
 
 item	: time {
@@ -339,7 +326,7 @@
 	    yyDSTmode = DSTon;
 	}
 	|
-	tZONE tDST {
+	  tZONE tDST {
 	    yyTimezone = $1;
 	    yyDSTmode = DSTon;
 	}
@@ -519,20 +506,18 @@
 /* The timezone table. */
 /* Some of these are commented out because a time_t can't store a float. */
 static TABLE const TimezoneTable[] = {
-	{ gettext("gmt"),	tZONE,	   HOUR(0) },	/* Greenwich Mean */
-	{ gettext("ut"),	tZONE,	   HOUR(0) },	/* Universal (Coordinated) */
-	{ gettext("utc"),	tZONE,	   HOUR(0) },
-	{ gettext("wet"),	tZONE,	   HOUR(0) },	/* Western European */
-	{ gettext("bst"),	tDAYZONE,  HOUR(0) },	/* British Summer */
-	{ gettext("wat"),	tZONE,     HOUR(1) },	/* West Africa */
-	{ gettext("at"),	tZONE,     HOUR(2) },	/* Azores */
+	{ gettext("gmt"),	tZONE,     HOUR( 0) },	/* Greenwich Mean */
+	{ gettext("ut"),	tZONE,     HOUR( 0) },	/* Universal (Coordinated) */
+	{ gettext("utc"),	tZONE,     HOUR( 0) },
+	{ gettext("wet"),	tZONE,     HOUR( 0) },	/* Western European */
+	{ gettext("bst"),	tDAYZONE,  HOUR( 0) },	/* British Summer */
+	{ gettext("wat"),	tZONE,     HOUR( 1) },	/* West Africa */
+	{ gettext("at"),	tZONE,     HOUR( 2) },	/* Azores */
 #if	0
-	/*
-	 * For completeness.  BST is also British Summer, and GST is
-	 * also Guam Standard.
-	 */
-	{ gettext("bst"),	tZONE,     HOUR( 3) },	/* Brazil Standard */
-	{ gettext("gst"),	tZONE,     HOUR( 3) },	/* Greenland Standard */
+    /* For completeness.  BST is also British Summer, and GST is
+     * also Guam Standard. */
+    { gettext("bst"),	tZONE,     HOUR( 3) },	/* Brazil Standard */
+    { gettext("gst"),	tZONE,     HOUR( 3) },	/* Greenland Standard */
 #endif
 #if 0
 	{ gettext("nft"),	tZONE,     HOUR(3.5) },	/* Newfoundland */
@@ -577,12 +562,10 @@
 #endif
 	{ gettext("zp6"),	tZONE,     -HOUR(6) },	/* USSR Zone 5 */
 #if	0
-	/*
-	 * For completeness.  NST is also Newfoundland Stanard, and SST is
-	 * also Swedish Summer.
-	 */
-	{ gettext("nst"),	tZONE,     -HOUR(6.5) },/* North Sumatra */
-	{ gettext("sst"),	tZONE,     -HOUR(7) },	/* South Sumatra, USSR Zone 6 */
+    /* For completeness.  NST is also Newfoundland Stanard, and SST is
+     * also Swedish Summer. */
+    { gettext("nst"),	tZONE,     -HOUR(6.5) },/* North Sumatra */
+    { gettext("sst"),	tZONE,     -HOUR(7) },	/* South Sumatra, USSR Zone 6 */
 #endif	/* 0 */
 	{ gettext("wast"),	tZONE,     -HOUR(7) },	/* West Australian Standard */
 	{ gettext("wadt"),	tDAYZONE,  -HOUR(7) },	/* West Australian Daylight */
@@ -610,34 +593,38 @@
 /* ARGSUSED */
 static int
 yyerror(s)
-char *s;
+    char	*s;
 {
-	return (0);
+  return 0;
 }
 
 
 static time_t
-ToSeconds(time_t Hours, time_t Minutes, time_t Seconds, MERIDIAN Meridian)
+ToSeconds(Hours, Minutes, Seconds, Meridian)
+    time_t	Hours;
+    time_t	Minutes;
+    time_t	Seconds;
+    MERIDIAN	Meridian;
 {
-	if (Minutes < 0 || Minutes > 59 || Seconds < 0 || Seconds > 59)
-		return (-1);
-	switch (Meridian) {
-	case MER24:
-		if (Hours < 0 || Hours > 23)
-			return (-1);
-		return (Hours * 60L + Minutes) * 60L + Seconds;
-	case MERam:
-		if (Hours < 1 || Hours > 12)
-			return (-1);
-		return (Hours * 60L + Minutes) * 60L + Seconds;
-	case MERpm:
-		if (Hours < 1 || Hours > 12)
-			return (-1);
-		return ((Hours + 12) * 60L + Minutes) * 60L + Seconds;
-	default:
-		abort ();
-	}
-	/* NO	TREACHED */
+    if (Minutes < 0 || Minutes > 59 || Seconds < 0 || Seconds > 59)
+	return -1;
+    switch (Meridian) {
+    case MER24:
+	if (Hours < 0 || Hours > 23)
+	    return -1;
+	return (Hours * 60L + Minutes) * 60L + Seconds;
+    case MERam:
+	if (Hours < 1 || Hours > 12)
+	    return -1;
+	return (Hours * 60L + Minutes) * 60L + Seconds;
+    case MERpm:
+	if (Hours < 1 || Hours > 12)
+	    return -1;
+	return ((Hours + 12) * 60L + Minutes) * 60L + Seconds;
+    default:
+	abort ();
+    }
+    /* NOTREACHED */
 }
 
 /*
@@ -645,452 +632,460 @@
  * of seconds since 00:00:00 1/1/70 GMT.
  */
 static time_t
-Convert(time_t Month, time_t Day, time_t Year, time_t Hours,
-	time_t Minutes, time_t Seconds, MERIDIAN Meridian, DSTMODE DSTmode)
+Convert(Month, Day, Year, Hours, Minutes, Seconds, Meridian, DSTmode)
+    time_t	Month;
+    time_t	Day;
+    time_t	Year;
+    time_t	Hours;
+    time_t	Minutes;
+    time_t	Seconds;
+    MERIDIAN	Meridian;
+    DSTMODE	DSTmode;
 {
-	static int DaysInMonth[12] = {
-		31, 0, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
-	};
-	time_t	tod;
-	time_t	Julian;
-	int	i;
+    static int DaysInMonth[12] = {
+	31, 0, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
+    };
+    time_t	tod;
+    time_t	Julian;
+    int		i;
 
-	if (Year < 0)
-		Year = -Year;
-	if (Year < 1900)
-		Year += 1900;
-	DaysInMonth[1] = Year % 4 == 0 && (Year % 100 != 0 || Year % 400 == 0)
-		? 29 : 28;
-	if (Year < EPOCH || Year > EPOCH_END || Month < 1 || Month > 12
-	    /* Lint fluff:  "	conversion from long may lose accuracy" */
-	    || Day < 1 || Day > DaysInMonth[(int)--Month])
-		return (-1);
+    if (Year < 0)
+	Year = -Year;
+    if (Year < 1900)
+	Year += 1900;
+    DaysInMonth[1] = Year % 4 == 0 && (Year % 100 != 0 || Year % 400 == 0)
+		    ? 29 : 28;
+    if (Year < EPOCH
+	|| Year > EPOCH_END
+	|| Month < 1 || Month > 12
+	/* Lint fluff:  "conversion from long may lose accuracy" */
+	|| Day < 1 || Day > DaysInMonth[(int)--Month])
+	 return -1;
 
-	for (Julian = Day - 1, i = 0; i < Month; i++)
-		Julian += DaysInMonth[i];
-	for (i = EPOCH; i < Year; i++)
-		Julian += 365 + ((i % 4 == 0) && ((Year % 100 != 0) ||
-						(Year % 400 == 0)));
-	Julian *= SECSPERDAY;
-	Julian += yyTimezone * 60L;
-	if ((tod = ToSeconds(Hours, Minutes, Seconds, Meridian)) < 0)
-		return (-1);
-	Julian += tod;
-
-	if (DSTmode == DSTon
-	    || (DSTmode == DSTmaybe && localtime(&Julian)->tm_isdst))
-		Julian -= 60 * 60;
-
-	return (Julian);
+    for (Julian = Day - 1, i = 0; i < Month; i++)
+	Julian += DaysInMonth[i];
+    for (i = EPOCH; i < Year; i++)
+	 Julian += 365 + ((i % 4 == 0) && ((Year % 100 != 0) ||
+					   (Year % 400 == 0)));
+    Julian *= SECSPERDAY;
+    Julian += yyTimezone * 60L;
+    if ((tod = ToSeconds(Hours, Minutes, Seconds, Meridian)) < 0)
+	return -1;
+    Julian += tod;
+    if (DSTmode == DSTon
+     || (DSTmode == DSTmaybe && localtime(&Julian)->tm_isdst))
+	Julian -= 60 * 60;
+    return Julian;
 }
 
 
 static time_t
 DSTcorrect(Start, Future)
-time_t	Start;
-time_t	Future;
+    time_t	Start;
+    time_t	Future;
 {
-	time_t	StartDay;
-	time_t	FutureDay;
+    time_t	StartDay;
+    time_t	FutureDay;
 
-	StartDay = (localtime(&Start)->tm_hour + 1) % 24;
-	FutureDay = (localtime(&Future)->tm_hour + 1) % 24;
-	return (Future - Start) + (StartDay - FutureDay) * 60L * 60L;
+    StartDay = (localtime(&Start)->tm_hour + 1) % 24;
+    FutureDay = (localtime(&Future)->tm_hour + 1) % 24;
+    return (Future - Start) + (StartDay - FutureDay) * 60L * 60L;
 }
 
 
 static time_t
 RelativeDate(Start, DayOrdinal, DayNumber)
-time_t	Start;
-time_t	DayOrdinal;
-time_t	DayNumber;
+    time_t	Start;
+    time_t	DayOrdinal;
+    time_t	DayNumber;
 {
-	struct tm *tm;
-	time_t	now;
+    struct tm	*tm;
+    time_t	now;
 
-	now = Start;
-	tm = localtime(&now);
-	now += SECSPERDAY * ((DayNumber - tm->tm_wday + 7) % 7);
-	now += 7 * SECSPERDAY * (DayOrdinal <= 0 ? DayOrdinal : DayOrdinal - 1);
-
-	return (DSTcorrect(Start, now));
+    now = Start;
+    tm = localtime(&now);
+    now += SECSPERDAY * ((DayNumber - tm->tm_wday + 7) % 7);
+    now += 7 * SECSPERDAY * (DayOrdinal <= 0 ? DayOrdinal : DayOrdinal - 1);
+    return DSTcorrect(Start, now);
 }
 
 
 static time_t
-RelativeMonth(time_t Start, time_t RelMonth)
+RelativeMonth(Start, RelMonth)
+    time_t	Start;
+    time_t	RelMonth;
 {
-	struct tm	*tm;
-	time_t	Month;
-	time_t	Year;
-	time_t	ret;
+    struct tm	*tm;
+    time_t	Month;
+    time_t	Year;
+    time_t	ret;
 
-	if (RelMonth == 0)
-		return (0);
-	tm = localtime(&Start);
-	Month = 12 * tm->tm_year + tm->tm_mon + RelMonth;
-	Year = Month / 12;
-	Month = Month % 12 + 1;
+    if (RelMonth == 0)
+	return 0;
+    tm = localtime(&Start);
+    Month = 12 * tm->tm_year + tm->tm_mon + RelMonth;
+    Year = Month / 12;
+    Month = Month % 12 + 1;
     ret = Convert(Month, (time_t)tm->tm_mday, Year,
-            (time_t)tm->tm_hour, (time_t)tm->tm_min, (time_t)tm->tm_sec,
-            MER24, DSTmaybe);
+		  (time_t)tm->tm_hour, (time_t)tm->tm_min, (time_t)tm->tm_sec,
+		  MER24, DSTmaybe);
     if (ret == -1)
-        return ret;
+      return ret;
     return DSTcorrect(Start, ret);
 }
 
 
 static int
-LookupWord(char *buff)
+LookupWord(buff)
+    char		*buff;
 {
-	register char *p;
-	register char *q;
-	register const TABLE *tp;
-	int i;
-	int	abbrev;
+    register char	*p;
+    register char	*q;
+    register const TABLE	*tp;
+    int			i;
+    int			abbrev;
+
+    /* Make it lowercase. */
+    for (p = buff; *p; p++)
+	if (isupper((int) *p))
+	    *p = tolower((int) *p);
 
-	/* Make it lowercase. */
-	for (p = buff; *p; p++)
-		if (isupper(*p))
-			*p = tolower(*p);
+    if (strcmp(buff, gettext("am")) == 0 || strcmp(buff, gettext("a.m.")) == 0) {
+	yylval.Meridian = MERam;
+	return tMERIDIAN;
+    }
+    if (strcmp(buff, gettext("pm")) == 0 ||
+	    strcmp(buff, gettext("p.m.")) == 0) {
+	yylval.Meridian = MERpm;
+	return tMERIDIAN;
+    }
 
-	if (strcmp(buff, gettext("am")) == 0 ||
-	    strcmp(buff, gettext("a.m.")) == 0) {
-		yylval.Meridian = MERam;
-		return (tMERIDIAN);
-	}
-	if (strcmp(buff, gettext("pm")) == 0 ||
-	    strcmp(buff, gettext("p.m.")) == 0) {
-		yylval.Meridian = MERpm;
-		return (tMERIDIAN);
+    /* See if we have an abbreviation for a month. */
+    if (strlen(buff) == 3)
+	abbrev = 1;
+    else if (strlen(buff) == 4 && buff[3] == '.') {
+	abbrev = 1;
+	buff[3] = '\0';
+    }
+    else
+	abbrev = 0;
+
+    for (tp = MonthDayTable; tp->name; tp++) {
+	if (abbrev) {
+	    if (strncmp(buff, GETTEXT(tp->name), 3) == 0) {
+		yylval.Number = tp->value;
+		return tp->type;
+	    }
 	}
-
-	/* See if we have an abbreviation for a month. */
-	if (strlen(buff) == 3)
-		abbrev = 1;
-	else if (strlen(buff) == 4 && buff[3] == '.') {
-		abbrev = 1;
-		buff[3] = '\0';
+	else if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+	    yylval.Number = tp->value;
+	    return tp->type;
 	}
-	else
-		abbrev = 0;
+    }
 
-	for (tp = MonthDayTable; tp->name; tp++) {
-		if (abbrev) {
-			if (strncmp(buff, GETTEXT(tp->name), 3) == 0) {
-				yylval.Number = tp->value;
-				return (tp->type);
-			}
-		}
-		else if (strcmp(buff, GETTEXT(tp->name)) == 0) {
-			yylval.Number = tp->value;
-			return (tp->type);
-		}
+    for (tp = TimezoneTable; tp->name; tp++)
+	if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+	    yylval.Number = tp->value;
+	    return tp->type;
 	}
 
-	for (tp = TimezoneTable; tp->name; tp++)
-		if (strcmp(buff, GETTEXT(tp->name)) == 0) {
-			yylval.Number = tp->value;
-			return (tp->type);
-		}
+    if (strcmp(buff, gettext("dst")) == 0)
+	return tDST;
 
-	if (strcmp(buff, gettext("dst")) == 0)
-		return (tDST);
-
-	for (tp = UnitsTable; tp->name; tp++)
-		if (strcmp(buff, GETTEXT(tp->name)) == 0) {
-			yylval.Number = tp->value;
-			return (tp->type);
-		}
+    for (tp = UnitsTable; tp->name; tp++)
+	if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+	    yylval.Number = tp->value;
+	    return tp->type;
+	}
 
     /* Strip off any plural and try the units table again. */
-	i = strlen(buff) - 1;
-	if (buff[i] == 's') {
-		buff[i] = '\0';
-		for (tp = UnitsTable; tp->name; tp++)
-			if (strcmp(buff, GETTEXT(tp->name)) == 0) {
-				yylval.Number = tp->value;
-				return (tp->type);
-			}
-		buff[i] = 's';	/* Put back for "this" in OtherTable. */
+    i = strlen(buff) - 1;
+    if (buff[i] == 's') {
+	buff[i] = '\0';
+	for (tp = UnitsTable; tp->name; tp++)
+	    if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+		yylval.Number = tp->value;
+		return tp->type;
+	    }
+	buff[i] = 's';		/* Put back for "this" in OtherTable. */
+    }
+
+    for (tp = OtherTable; tp->name; tp++)
+	if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+	    yylval.Number = tp->value;
+	    return tp->type;
 	}
 
-	for (tp = OtherTable; tp->name; tp++)
-		if (strcmp(buff, GETTEXT(tp->name)) == 0) {
-			yylval.Number = tp->value;
-			return (tp->type);
-		}
+    /* Drop out any periods and try the timezone table again. */
+    for (i = 0, p = q = buff; *q; q++)
+	if (*q != '.')
+	    *p++ = *q;
+	else
+	    i++;
+    *p = '\0';
+    if (i)
+	for (tp = TimezoneTable; tp->name; tp++)
+	    if (strcmp(buff, GETTEXT(tp->name)) == 0) {
+		yylval.Number = tp->value;
+		return tp->type;
+	    }
 
-	/* Drop out any periods and try the timezone table again. */
-	for (i = 0, p = q = buff; *q; q++)
-		if (*q != '.')
-			*p++ = *q;
-		else
-			i++;
-	*p = '\0';
-	if (i)
-		for (tp = TimezoneTable; tp->name; tp++)
-			if (strcmp(buff, GETTEXT(tp->name)) == 0) {
-				yylval.Number = tp->value;
-				return (tp->type);
-			}
-
-	return (tID);
+    return tID;
 }
 
 
 static int
 yylex()
 {
-	register char	c;
-	register char	*p;
-	char		buff[20];
-	int		Count;
-	int		sign;
+    register char	c;
+    register char	*p;
+    char		buff[20];
+    int			Count;
+    int			sign;
 
-	for ( ; ; ) {
-		while (isspace(*yyInput))
-			yyInput++;
+    for ( ; ; ) {
+	while (isspace((int) *yyInput))
+	    yyInput++;
 
-		if (isdigit(c = *yyInput) || c == '-' || c == '+') {
-			if (c == '-' || c == '+') {
-				sign = c == '-' ? -1 : 1;
-				if (!isdigit(*++yyInput))
-					/* skip the '-' sign */
-					continue;
-			}
-			else
-				sign = 0;
-			for (yylval.Number = 0; isdigit(c = *yyInput++); )
-				yylval.Number = 10 * yylval.Number + c - '0';
-			yyInput--;
-			if (sign < 0)
-				yylval.Number = -yylval.Number;
-			return (sign ? tSNUMBER : tUNUMBER);
-		}
-		if (isalpha(c)) {
-			for (p = buff; isalpha(c = *yyInput++) || c == '.'; )
-				if (p < &buff[sizeof buff - 1])
-					*p++ = c;
-			*p = '\0';
-			yyInput--;
-			return (LookupWord(buff));
-		}
-		if (c != '(')
-			return (*yyInput++);
-		Count = 0;
-		do {
-			c = *yyInput++;
-			if (c == '\0')
-				return (c);
-			if (c == '(')
-				Count++;
-			else if (c == ')')
-				Count--;
-		} while (Count > 0);
+	c = *yyInput;
+	if (isdigit((int) c) || c == '-' || c == '+') {
+	    if (c == '-' || c == '+') {
+		sign = c == '-' ? -1 : 1;
+		if (!isdigit((int) (*++yyInput)))
+		    /* skip the '-' sign */
+		    continue;
+	    }
+	    else
+		sign = 0;
+	    for (yylval.Number = 0; isdigit((int) (c = *yyInput++)); )
+		yylval.Number = 10 * yylval.Number + c - '0';
+	    yyInput--;
+	    if (sign < 0)
+		yylval.Number = -yylval.Number;
+	    return sign ? tSNUMBER : tUNUMBER;
 	}
+	if (isalpha((int) c)) {
+	    for (p = buff; isalpha((int) (c = *yyInput++)) || c == '.'; )
+		if (p < &buff[sizeof buff - 1])
+		    *p++ = c;
+	    *p = '\0';
+	    yyInput--;
+	    return LookupWord(buff);
+	}
+	if (c != '(')
+	    return *yyInput++;
+	Count = 0;
+	do {
+	    c = *yyInput++;
+	    if (c == '\0')
+		return c;
+	    if (c == '(')
+		Count++;
+	    else if (c == ')')
+		Count--;
+	} while (Count > 0);
+    }
 }
 
 
-#define	TM_YEAR_ORIGIN 1900
+#define TM_YEAR_ORIGIN 1900
 
 /* Yield A - B, measured in seconds.  */
 static time_t
-difftm(struct tm *a, struct tm *b)
+difftm(a, b)
+     struct tm *a, *b;
 {
-	int ay = a->tm_year + (TM_YEAR_ORIGIN - 1);
-	int by = b->tm_year + (TM_YEAR_ORIGIN - 1);
-	return ((((
-		/* difference in day of year */
-		a->tm_yday - b->tm_yday
-		/* + intervening leap days */
-		+  ((ay >> 2) - (by >> 2))
-		-  (ay/100 - by/100)
-		+  ((ay/100 >> 2) - (by/100 >> 2))
-		/* + difference in years * 365 */
-		+  (time_t)(ay-by) * 365
-		)*24 + (a->tm_hour - b->tm_hour)
-		)*60 + (a->tm_min - b->tm_min)
-		)*60 + (a->tm_sec - b->tm_sec));
+  int ay = a->tm_year + (TM_YEAR_ORIGIN - 1);
+  int by = b->tm_year + (TM_YEAR_ORIGIN - 1);
+  return
+    (
+     (
+      (
+       /* difference in day of year */
+       a->tm_yday - b->tm_yday
+       /* + intervening leap days */
+       +  ((ay >> 2) - (by >> 2))
+       -  (ay/100 - by/100)
+       +  ((ay/100 >> 2) - (by/100 >> 2))
+       /* + difference in years * 365 */
+       +  (time_t)(ay-by) * 365
+       )*24 + (a->tm_hour - b->tm_hour)
+      )*60 + (a->tm_min - b->tm_min)
+     )*60 + (a->tm_sec - b->tm_sec);
 }
 
+/* For get_date extern declaration compatibility check... yuck.  */
+#include <krb5.h>
+#include "kadmin.h"
+
 time_t
-get_date(char *p, struct my_timeb *now)
+get_date(p)
+    char		*p;
 {
-	struct tm	*tm, gmt;
-	struct my_timeb	ftz;
-	time_t		Start;
-	time_t		tod;
+    struct my_timeb	*now = NULL;
+    struct tm		*tm, gmt;
+    struct my_timeb	ftz;
+    time_t		Start;
+    time_t		tod;
     time_t		delta;
 
-	yyInput = p;
-	if (now == NULL) {
-		now = &ftz;
+    yyInput = p;
+    if (now == NULL) {
+        now = &ftz;
 
-		ftz.time = time((time_t *) 0);
+	ftz.time = time((time_t *) 0);
 
-		if (! (tm = gmtime (&ftz.time)))
-			return (-1);
-		gmt = *tm;   /* Make a copy, in case localtime modifies *tm. */
-		ftz.timezone = difftm (&gmt, localtime (&ftz.time)) / 60;
-	}
-
-	tm = localtime(&now->time);
-	yyYear = tm->tm_year;
-	yyMonth = tm->tm_mon + 1;
-	yyDay = tm->tm_mday;
-	yyTimezone = now->timezone;
+	if (! (tm = gmtime (&ftz.time)))
+	    return -1;
+	gmt = *tm;	/* Make a copy, in case localtime modifies *tm.  */
+	ftz.timezone = difftm (&gmt, localtime (&ftz.time)) / 60;
+    }
 
-	/*
-	 * Since the logic later depends on the yyTimezone being the difference
-	 * between gmt and local time, non daylight savings time, we need to
-	 * correct the difference if local time is daylight savings time.
-	 */
-
-	if ((tm->tm_isdst > 0) && (yyTimezone > 0))
-		yyTimezone += 60;
-	else if ((tm->tm_isdst > 0) && (yyTimezone < 0))
-		yyTimezone -= 60;
-	yyDSTmode = DSTmaybe;
-	yyHour = 0;
-	yyMinutes = 0;
-	yySeconds = 0;
-	yyMeridian = MER24;
-	yyRelSeconds = 0;
-	yyRelMonth = 0;
-	yyHaveDate = 0;
-	yyHaveDay = 0;
-	yyHaveRel = 0;
-	yyHaveTime = 0;
-	yyHaveZone = 0;
+    tm = localtime(&now->time);
+    yyYear = tm->tm_year;
+    yyMonth = tm->tm_mon + 1;
+    yyDay = tm->tm_mday;
+    yyTimezone = now->timezone;
+    yyDSTmode = DSTmaybe;
+    yyHour = 0;
+    yyMinutes = 0;
+    yySeconds = 0;
+    yyMeridian = MER24;
+    yyRelSeconds = 0;
+    yyRelMonth = 0;
+    yyHaveDate = 0;
+    yyHaveDay = 0;
+    yyHaveRel = 0;
+    yyHaveTime = 0;
+    yyHaveZone = 0;
 
-	/*
-	 * When yyparse returns, zero or more of yyHave{Time,Zone,Date,Day,Rel}
-	 * will have been incremented.  The value is number of items of
-	 * that type that were found; for all but Rel, more than one is
-	 * illegal.
-	 *
-	 * For each yyHave indicator, the following values are set:
-	 *
-	 * yyHaveTime:
-	 *	yyHour, yyMinutes, yySeconds: hh:mm:ss specified, initialized
-	 *				      to zeros above
-	 *	yyMeridian: MERam, MERpm, or MER24
-	 *	yyTimeZone: time zone specified in minutes
-	 *      yyDSTmode: DSToff if yyTimeZone is set, otherwise unchanged
-	 *		   (initialized above to DSTmaybe)
-	 *
-	 * yyHaveZone:
-	 * yyTimezone: as above
-	 * yyDSTmode: DSToff if a non-DST zone is specified, otherwise DSTon
-	 * XXX don't understand interaction with yyHaveTime zone info
-	 *
-	 * yyHaveDay:
-	 *	yyDayNumber: 0-6 for Sunday-Saturday
-	 *  yyDayOrdinal: val specified with day ("second monday",
-	 *		      Ordinal=2), otherwise 1
-	 *
-	 * yyHaveDate:
-	 *	yyMonth, yyDay, yyYear: mm/dd/yy specified, initialized to
-	 *				today above
-	 *
-	 * yyHaveRel:
-	 *	yyRelSeconds: seconds specified with MINUTE_UNITs ("3 hours") or
-	 *		      SEC_UNITs ("30 seconds")
-	 *  yyRelMonth: months specified with MONTH_UNITs ("3 months", "1
-	 *		     year")
-	 *
-	 * The code following yyparse turns these values into a single
-	 * date stamp.
-	 */
-	if (yyparse() || yyHaveTime > 1 || yyHaveZone > 1 ||
-	    yyHaveDate > 1 || yyHaveDay > 1)
-		return (-1);
+    /*
+     * When yyparse returns, zero or more of yyHave{Time,Zone,Date,Day,Rel} 
+     * will have been incremented.  The value is number of items of
+     * that type that were found; for all but Rel, more than one is
+     * illegal.
+     *
+     * For each yyHave indicator, the following values are set:
+     *
+     * yyHaveTime:
+     *	yyHour, yyMinutes, yySeconds: hh:mm:ss specified, initialized
+     *				      to zeros above
+     *	yyMeridian: MERam, MERpm, or MER24
+     *	yyTimeZone: time zone specified in minutes
+     *  yyDSTmode: DSToff if yyTimeZone is set, otherwise unchanged
+     *		   (initialized above to DSTmaybe)
+     *
+     * yyHaveZone:
+     *  yyTimezone: as above
+     *  yyDSTmode: DSToff if a non-DST zone is specified, otherwise DSTon
+     *	XXX don't understand interaction with yyHaveTime zone info
+     *
+     * yyHaveDay:
+     *	yyDayNumber: 0-6 for Sunday-Saturday
+     *  yyDayOrdinal: val specified with day ("second monday",
+     *		      Ordinal=2), otherwise 1
+     *
+     * yyHaveDate:
+     *	yyMonth, yyDay, yyYear: mm/dd/yy specified, initialized to
+     *				today above
+     *
+     * yyHaveRel:
+     *	yyRelSeconds: seconds specified with MINUTE_UNITs ("3 hours") or
+     *		      SEC_UNITs ("30 seconds")
+     *  yyRelMonth: months specified with MONTH_UNITs ("3 months", "1
+     *		     year")
+     *
+     * The code following yyparse turns these values into a single
+     * date stamp.
+     */
+    if (yyparse()
+     || yyHaveTime > 1 || yyHaveZone > 1 || yyHaveDate > 1 || yyHaveDay > 1)
+	return -1;
 
-	/*
-	 * If an absolute time specified, set Start to the equivalent Unix
-	 * timestamp.  Otherwise, set Start to now, and if we do not have
-	 * a relatime time (ie: only yyHaveZone), decrement Start to the
-	 * beginning of today.
-	 *
-	 * By having yyHaveDay in the "absolute" list, "next Monday" means
-	 * midnight next Monday.  Otherwise, "next Monday" would mean the
-	 * time right now, next Monday.  It's not clear to me why the
-	 * current behavior is preferred.
-	 */
-	if (yyHaveDate || yyHaveTime || yyHaveDay) {
-		Start = Convert(yyMonth, yyDay, yyYear,
-				yyHour, yyMinutes, yySeconds,
-				yyMeridian, yyDSTmode);
-		if (Start < 0)
-			return (-1);
-	}
-	else {
-		Start = now->time;
-		if (!yyHaveRel)
-			Start -= ((tm->tm_hour * 60L + tm->tm_min) * 60L)
-				+ tm->tm_sec;
-	}
+    /*
+     * If an absolute time specified, set Start to the equivalent Unix
+     * timestamp.  Otherwise, set Start to now, and if we do not have
+     * a relatime time (ie: only yyHaveZone), decrement Start to the
+     * beginning of today.
+     *
+     * By having yyHaveDay in the "absolute" list, "next Monday" means
+     * midnight next Monday.  Otherwise, "next Monday" would mean the
+     * time right now, next Monday.  It's not clear to me why the
+     * current behavior is preferred.
+     */
+    if (yyHaveDate || yyHaveTime || yyHaveDay) {
+	Start = Convert(yyMonth, yyDay, yyYear, yyHour, yyMinutes, yySeconds,
+		    yyMeridian, yyDSTmode);
+	if (Start < 0)
+	    return -1;
+    }
+    else {
+	Start = now->time;
+	if (!yyHaveRel)
+	    Start -= ((tm->tm_hour * 60L + tm->tm_min) * 60L) + tm->tm_sec;
+    }
 
-	/*
-	 * Add in the relative time specified.  RelativeMonth adds in the
-	 * months, accounting for the fact that the actual length of "3
-	 * months" depends on where you start counting.
-	 *
-	 * XXX By having this separate from the previous block, we are
-	 * allowing dates like "10:00am 3 months", which means 3 months
-	 * from 10:00am today, or even "1/1/99 two days" which means two
-	 * days after 1/1/99.
-	 *
-	 * XXX Shouldn't this only be done if yyHaveRel, just for
-	 * thoroughness?
-	 */
-	Start += yyRelSeconds;
+    /*
+     * Add in the relative time specified.  RelativeMonth adds in the
+     * months, accounting for the fact that the actual length of "3
+     * months" depends on where you start counting.
+     *
+     * XXX By having this separate from the previous block, we are
+     * allowing dates like "10:00am 3 months", which means 3 months
+     * from 10:00am today, or even "1/1/99 two days" which means two
+     * days after 1/1/99.
+     *
+     * XXX Shouldn't this only be done if yyHaveRel, just for
+     * thoroughness?
+     */
+    Start += yyRelSeconds;
     delta = RelativeMonth(Start, yyRelMonth);
     if (delta == (time_t) -1)
-        return -1;
+      return -1;
     Start += delta;
 
-	/*
-	 * Now, if you specified a day of week and counter, add it in.  By
-	 * disallowing Date but allowing Time, you can say "5pm next
-	 * monday".
-	 *
-	 * XXX The yyHaveDay && !yyHaveDate restriction should be enforced
-	 * above and be able to cause failure.
-	 */
-	if (yyHaveDay && !yyHaveDate) {
-		tod = RelativeDate(Start, yyDayOrdinal, yyDayNumber);
-		Start += tod;
-	}
+    /*
+     * Now, if you specified a day of week and counter, add it in.  By
+     * disallowing Date but allowing Time, you can say "5pm next
+     * monday".
+     *
+     * XXX The yyHaveDay && !yyHaveDate restriction should be enforced
+     * above and be able to cause failure.
+     */
+    if (yyHaveDay && !yyHaveDate) {
+	tod = RelativeDate(Start, yyDayOrdinal, yyDayNumber);
+	Start += tod;
+    }
 
-	/* Have to do *something* with a legitimate -1 so it's distinguishable
-	 * from the error return value.  (Alternately could set errno on error.) */
-	return (Start == -1 ? 0 : Start);
+    /* Have to do *something* with a legitimate -1 so it's distinguishable
+     * from the error return value.  (Alternately could set errno on error.) */
+    return Start == -1 ? 0 : Start;
 }
 
 
 #if	defined(TEST)
 
 /* ARGSUSED */
-main(int ac, char *av[])
+main(ac, av)
+    int		ac;
+    char	*av[];
 {
-	char	buff[128];
-	time_t	d;
+    char	buff[128];
+    time_t	d;
 
-	(void)printf(gettext("Enter date, or blank line to exit.\n\t> "));
+    (void)printf(gettext("Enter date, or blank line to exit.\n\t> "));
+    (void)fflush(stdout);
+    while (gets(buff) && buff[0]) {
+	d = get_date(buff, (struct my_timeb *)NULL);
+	if (d == -1)
+	    (void)printf(
+				gettext("Bad format - couldn't convert.\n"));
+	else
+	    (void)printf("%s", ctime(&d));
+	(void)printf("\t> ");
 	(void)fflush(stdout);
-	while (gets(buff) && buff[0]) {
-		d = get_date(buff, (struct my_timeb *)NULL);
-		if (d == -1)
-			(void)printf(
-				gettext("Bad format - couldn't convert.\n"));
-		else
-			(void)printf("%s", ctime(&d));
-		(void)printf("\t> ");
-		(void)fflush(stdout);
-	}
-	exit(0);
-	/* NOTREA	CHED */
+    }
+    exit(0);
+    /* NOTREACHED */
 }
 #endif	/* defined(TEST) */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/krb5/kadmin/cli/k5srvutil.sh	Sat Oct 07 13:37:05 2006 -0700
@@ -0,0 +1,147 @@
+#!/bin/sh
+#
+#
+# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+#
+#
+#
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+TEXTDOMAIN=SUNW_OST_OSCMD
+export TEXTDOMAIN
+
+# list_princs keytab
+# returns a list of principals in the keytab
+# sorted and uniquified
+list_princs() {
+    klist -k $keytab | tail +4 | awk '{print $2}' | sort | uniq
+}
+
+set_command() {
+    if [ x$command != x ] ; then
+	cmd_error `gettext  "Only one command can be specified"`
+	usage
+	exit 1
+    fi
+    command=$1
+}
+
+#interactive_prompt prompt princ
+# If in interactive mode  return true if the principal  should be acted on
+# otherwise return true all the time
+#
+# SUNW14resync: If in interactive mode the default is now to return false
+#               i.e. if in interactive mode unless the user types "Yes" or
+#               "yes" false will be returned.
+#
+interactive_prompt() {
+    if [ $interactive = 0 ] ; then
+	return 0
+    fi
+    PROMPT=`gettext  "%s for %s? [yes no] "`
+    Y1=`gettext  "yes"`
+    Y2=`gettext  "Yes"`
+    printf "$PROMPT" "$1" "$2"
+    read ans
+    case $ans in
+    ${Y1}|${Y2})
+	return 0
+	;;
+    esac
+    return 1
+    }
+    
+cmd_error() {
+    echo $@ 2>&1
+    }
+
+usage() {
+    USAGE=`gettext "Usage: $0 [-i] [-f file] list|change|delete|delold"`
+    echo $USAGE
+}
+
+
+
+change_key() {
+    princs=`list_princs `
+    for princ in $princs; do
+	ACTION=`gettext  "Change key"`
+	if interactive_prompt "$ACTION" $princ; then
+	    kadmin -k -t $keytab -p $princ -q "ktadd -k $keytab $princ"
+	fi
+    done
+    }
+
+delete_old_keys() {
+    princs=`list_princs `
+    for princ in $princs; do
+	ACTION=`gettext  "Delete old keys"`
+	if interactive_prompt "$ACTION" $princ; then
+	    kadmin -k -t $keytab -p $princ -q "ktrem -k $keytab $princ old"
+	fi
+    done
+    }
+
+delete_keys() {
+    interactive=1
+    princs=`list_princs `
+    for princ in $princs; do
+	ACTION=`gettext  "Delete all keys"`
+	if interactive_prompt "$ACTION" $princ; then
+	    kadmin -p $princ -k -t $keytab -q "ktrem -k $keytab $princ all"
+	fi
+    done
+    }
+
+
+keytab=/etc/krb5/krb5.keytab
+interactive=0
+
+CHANGE=`gettext  "change"`
+DELOLD=`gettext  "delold"`
+DELETE=`gettext  "delete"`
+LIST=`gettext  "list"`
+
+while [ $# -gt 0 ] ; do
+    opt=$1
+    shift
+        case $opt in
+	"-f")
+	keytab=$1
+	shift
+	;;
+	"-i")
+	interactive=1
+	;;
+	${CHANGE}|${DELOLD}|${DELETE}|${LIST})
+	set_command $opt
+	;;
+	*)
+	ILLEGAL=`gettext  "Illegal option: "`
+	cmd_error $ILLEGAL $opt
+	usage
+	exit 1
+	;;
+	esac
+done
+	
+
+case $command in
+    $CHANGE)
+    change_key
+    ;;
+    $DELOLD)
+    delete_old_keys
+    ;;
+    $DELETE)
+    delete_keys
+    ;;
+    $LIST)
+    klist -k $keytab
+    ;;
+    *)
+        usage
+	;;
+    esac
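Review bot: `cmd_error` prints its message on stdout, because `echo $@ 2>&1` redirects stderr into stdout rather than the other way round; it should read `echo "$@" 1>&2`. The expansions of `$keytab` and `$princ` are unquoted throughout (`klist -k $keytab`, the `kadmin -k -t $keytab -p $princ` calls, `[ x$command != x ]`), so a keytab path given with `-f` that contains whitespace or glob characters is split before klist or kadmin sees it; quoting them, e.g. `klist -k "$keytab"`, avoids that. The `-f` branch also shifts without checking that an argument follows. The comment above `list_princs` describes a keytab parameter the function does not take, since it reads the global `keytab`.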
--- a/usr/src/cmd/krb5/kadmin/cli/kadmin.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/cli/kadmin.c	Sat Oct 07 13:37:05 2006 -0700
@@ -33,8 +33,8 @@
  */
 
 #include <krb5.h>
-#include <k5-int.h>
 #include <kadm5/admin.h>
+#include <krb5/adm_proto.h>
 #include <stdio.h>
 #include <string.h>
 #include <sys/types.h>
@@ -56,17 +56,9 @@
 
 /* functions defined in remote/local specific files */
 extern void usage(const char *);
-extern void debugEnable(int);
 
-/* local principal helpers */
-static char *find_component(const char *, char);
-static char *trim_principal(char *);
-static char *build_admin_princ(const char *, const char *);
-
-/*
- * special struct to convert flag names for principals
- * to actual krb5_flags for a principal
- */
+/* special struct to convert flag names for principals
+   to actual krb5_flags for a principal */
 struct pflag {
     char *flagname;		/* name of flag as typed to CLI */
     int flaglen;		/* length of string (not counting -,+) */
@@ -113,19 +105,23 @@
 int exit_status = 0;
 char *def_realm = NULL;
 char *whoami = NULL;
-time_t get_date();
 
 void *handle = NULL;
 krb5_context context;
 char *ccache_name = NULL;
 
-char *
-strdur(duration)
+int locked = 0;
+static char *strdur(duration)
     time_t duration;
 {
-	static char out[100];
-    int days, hours, minutes, seconds;
-    
+    static char out[50];
+    int neg, days, hours, minutes, seconds;
+
+    if (duration < 0) {
+	duration *= -1;
+	neg = 1;
+    } else
+	neg = 0;
     days = duration / (24 * 3600);
     duration %= 24 * 3600;
     hours = duration / 3600;
@@ -133,35 +129,27 @@
     minutes = duration / 60;
     duration %= 60;
     seconds = duration;
-	if (days == 1) {
-		snprintf(out, sizeof (out), gettext("%d day %02d:%02d:%02d"),
-			days, hours, minutes, seconds);
-	} else {
-		snprintf(out, sizeof (out), gettext("%d days %02d:%02d:%02d"),
-			days, hours, minutes, seconds);
-}
-	return (out);
+    snprintf(out, sizeof (out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
+	    days, days == 1 ? gettext("day") : gettext("days"),
+	    hours, minutes, seconds);
+    return out;
 }
 
-char *
-strdate(when)
+static char *strdate(when)
     krb5_timestamp when;
 {
     struct tm *tm;
-    static char out[30];
+    static char out[40];
     
     time_t lcltim = when;
-
     tm = localtime(&lcltim);
-	strftime(out, 30, gettext("%a %b %d %H:%M:%S %Z %Y"), tm);
-	return (out);
+    strftime(out, sizeof(out), gettext("%a %b %d %H:%M:%S %Z %Y"), tm);
+    return out;
 }
 
-/*
- * this is a wrapper to go around krb5_parse_principal so we can set
- * the default realm up properly
- */
-krb5_error_code
+/* this is a wrapper to go around krb5_parse_principal so we can set
+   the default realm up properly */
+static krb5_error_code 
 kadmin_parse_name(name, principal)
     char *name;
     krb5_principal *principal;
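Review bot: strdate ignores the return value of `strftime`, which returns 0 and leaves the buffer contents unspecified when the formatted text does not fit in `out[40]`. The format string goes through gettext and includes `%Z`, so the output length depends on the translation and locale rather than on this file. `localtime` is not checked for NULL either. A guard such as `if (tm == NULL || strftime(out, sizeof(out), gettext("%a %b %d %H:%M:%S %Z %Y"), tm) == 0) out[0] = '\0';` keeps the returned static buffer well defined.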
@@ -175,14 +163,14 @@
     /* assumes def_realm is initialized! */
     fullname = (char *)malloc(strlen(name) + 1 + strlen(def_realm) + 1);
     if (fullname == NULL)
-		return (ENOMEM);
+	return ENOMEM;
     strcpy(fullname, name);
     cp = strchr(fullname, '@');
     while (cp) {
 	if (cp - fullname && *(cp - 1) != '\\')
 	    break;
 	else
-	    cp = strchr((cp + 1), '@');
+	    cp = strchr(cp + 1, '@');
     }
     if (cp == NULL) {
 	strcat(fullname, "@");
@@ -190,120 +178,114 @@
     }
     retval = krb5_parse_name(context, fullname, principal);
     free(fullname);
-    return (retval);
+    return retval;
 }
 
-char *
-kadmin_startup(argc, argv)
+char *kadmin_startup(argc, argv)
     int argc;
     char *argv[];
 {
-    extern krb5_kt_ops krb5_ktf_writable_ops;
     extern char *optarg;
     char *princstr = NULL, *keytab_name = NULL, *query = NULL;
     char *password = NULL;
-	char *kadmin_princ = NULL;
     char *luser, *canon, *cp;
-	int optchar, use_keytab = 0, debug = 0;
+    int optchar, freeprinc = 0, use_keytab = 0;
     struct passwd *pw;
     kadm5_ret_t retval;
     krb5_ccache cc;
     krb5_principal princ;
     kadm5_config_params params;
+    char *svcname = NULL;
 
     memset((char *) &params, 0, sizeof(params));
     
-    if (retval = krb5_init_context(&context)) {
-	com_err(whoami, retval,
+    retval = krb5_init_context(&context);
+    if (retval) {
+	 com_err(whoami, retval,
 		gettext("while initializing krb5 library"));
 	 exit(1);
     }
-    while ((optchar = getopt(argc, argv, "Dr:p:kq:w:d:s:mc:t:e:O")) != EOF) {
+		     
+    while ((optchar = getopt(argc, argv, "r:p:kq:w:d:s:mc:t:e:O")) != EOF) {
 	switch (optchar) {
-	case 'O':	/* Undocumented option for testing only */
-		kadmin_princ = KADM5_ADMIN_SERVICE_P;
-		break;
-	case 'D':
-		debug++;
-		break;
 	case 'r':
 	    def_realm = optarg;
 	    break;
 	case 'p':
-		princstr = strdup(optarg);
-		if (princstr == NULL) {
-			fprintf(stderr, gettext("Out of memory in %s\n"),
-				whoami);
-			exit(1);
-		}
-		break;
-	case 'c':
+	    princstr = optarg;
+	    break;
+        case 'c':
 	    ccache_name = optarg;
 	    break;
-	case 'k':
+        case 'k':
 	    use_keytab++;
 	    break;
        case 't':
 	    keytab_name = optarg;
 	    break;
-	case 'w':
+        case 'w':
 	    password = optarg;
 	    break;
 	case 'q':
 	    query = optarg;
 	    break;
-	case 'd':
+        case 'd':
 	    params.dbname = optarg;
 	    params.mask |= KADM5_CONFIG_DBNAME;
 	    break;
-	case 's':
+        case 's':
 	    params.admin_server = optarg;
 	    params.mask |= KADM5_CONFIG_ADMIN_SERVER;
 	    break;
-	case 'm':
+        case 'm':
 	    params.mkey_from_kbd = 1;
 	    params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
 	    break;
-	case 'e':
+        case 'e':
 	    retval = krb5_string_to_keysalts(optarg,
-				     ", \t", ":.-", 0,
-				     &params.keysalts,
-				     &params.num_keysalts);
+					     ", \t",
+					     ":.-",
+					     0,
+					     &params.keysalts,
+					     &params.num_keysalts);
 	    if (retval) {
-		com_err(whoami, retval,
+		 com_err(whoami, retval,
 			gettext("while parsing keysalts %s"), optarg);
-		exit(1);
+		 exit(1);
 	    }
 	    params.mask |= KADM5_CONFIG_ENCTYPES;
 	    break;
+	case 'O':	/* Undocumented option for testing only */
+		svcname = KADM5_ADMIN_SERVICE_P;
+	    break;
 	default:
 	    usage(whoami);
 	}
     }
-
-    debugEnable(debug);
-
     if ((ccache_name && use_keytab) ||
 	(keytab_name && !use_keytab))
-	usage(whoami);
+	 usage(whoami);
 
     if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) {
-	free(princstr);
+	if (freeprinc)
+	    free(princstr);
 	fprintf(stderr,
 		gettext("%s: unable to get default realm\n"), whoami);
 	exit(1);
     }
+
     params.mask |= KADM5_CONFIG_REALM;
     params.realm = def_realm;
 
-    if (kadmin_princ == NULL) {
+    if (svcname == NULL) {
 	if (kadm5_get_adm_host_srv_name(context,
-			       def_realm, &kadmin_princ)) {
+			       def_realm, &svcname)) {
 		fprintf(stderr,
 			gettext("%s: unable to get host based "
 				"service name for realm %s\n"),
 			whoami, def_realm);
-		free(princstr);
+		if (freeprinc)
+			free(princstr);
 		exit(1);
 	}
     }
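Review bot: The two `if (freeprinc) free(princstr);` guards on the early-exit paths (default realm lookup and `kadm5_get_adm_host_srv_name` failure) can never fire, because `freeprinc` is initialised to 0 and is only incremented further down in the principal-name block. Both paths call `exit(1)` straight away, so the guards could simply be dropped. If they stay, a comment such as `/* princstr is still optarg or NULL here */` would make the ownership rule explicit. kadmin_startup continues outside this hunk.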
@@ -313,14 +295,14 @@
      * argument or the default.
      */
     if (ccache_name == NULL) {
-	 if (retval = krb5_cc_default(context, &cc)) {
+	 if ((retval = krb5_cc_default(context, &cc))) {
 	      com_err(whoami, retval,
 				gettext("while opening default "
 					"credentials cache"));
 	      exit(1);
 	 }
     } else {
-	 if (retval = krb5_cc_resolve(context, ccache_name, &cc)) {
+	 if ((retval = krb5_cc_resolve(context, ccache_name, &cc))) {
 	      com_err(whoami, retval,
 			gettext("while opening credentials cache %s"),
 			ccache_name);
@@ -329,47 +311,47 @@
     }
 
     /*
-     * If no principal name is specified: If a ccache was specified and
-     * its primary principal name can be read, it is used, else if a
-     * keytab was specified, the principal name is host/hostname,
+     * If no principal name is specified: If a ccache was specified
+     * and its primary principal name can be read, it is used, else if
+     * a keytab was specified, the principal name is host/hostname,
      * otherwise append "/admin" to the primary name of the default
      * ccache, $USER, or pw_name.
      *
      * Gee, 100+ lines to figure out the client principal name.  This
      * should be compressed...
      */
-	    
+    
     if (princstr == NULL) {
 	if (ccache_name != NULL &&
 	    !krb5_cc_get_principal(context, cc, &princ)) {
-		if (retval = krb5_unparse_name(context, princ,
-				    &princstr)) {
+	     if ((retval = krb5_unparse_name(context, princ, &princstr))) {
 		  com_err(whoami, retval,
 			gettext("while canonicalizing principal name"));
-			krb5_free_principal(context, princ);
+		  krb5_free_principal(context, princ);
 		  exit(1);
-	        }
-		krb5_free_principal(context, princ);
-     } else if (use_keytab != 0) {
-	    if (retval = krb5_sname_to_principal(context, NULL,
-					  "host", KRB5_NT_SRV_HST,
-					  &princ)) {
-		com_err(whoami, retval,
+	     }
+	     krb5_free_principal(context, princ);
+	     freeprinc++;
+	} else if (use_keytab != 0) {
+	     if ((retval = krb5_sname_to_principal(context, NULL,
+						   "host",
+						   KRB5_NT_SRV_HST,
+						   &princ))) {
+		  com_err(whoami, retval,
 			gettext("creating host service principal"));
-		exit(1);
-	    }
-	    if (retval = krb5_unparse_name(context, princ,
-					    &princstr)) {
-		  com_err(whoami, retval,
+		  exit(1);
+	     }
+	     if ((retval = krb5_unparse_name(context, princ, &princstr))) {
+	          com_err(whoami, retval,
 			gettext("while canonicalizing "
 				"principal name"));
 		  krb5_free_principal(context, princ);
 		  exit(1);
 	     }
 	     krb5_free_principal(context, princ);
+	     freeprinc++;
 	} else if (!krb5_cc_get_principal(context, cc, &princ)) {
 	    char *realm = NULL;
-
 	    if (krb5_unparse_name(context, princ, &canon)) {
 		fprintf(stderr,
 			gettext("%s: unable to canonicalize "
@@ -377,53 +359,98 @@
 		krb5_free_principal(context, princ);
 		exit(1);
 	    }
-	    krb5_free_principal(context, princ);
-			(void) trim_principal(canon);
-			princstr = build_admin_princ(canon, def_realm);
+	    /* strip out realm of principal if it's there */
+	    realm = strchr(canon, '@');
+	    while (realm) {
+		if (realm - canon && *(realm - 1) != '\\')
+		    break;
+		else
+		    realm = strchr(realm, '@');
+	    }
+	    if (realm)
+		*realm++ = '\0';
+	    cp = strchr(canon, '/');
+	    while (cp) {
+		if (cp - canon && *(cp - 1) != '\\')
+		    break;
+		else
+		    cp = strchr(cp, '/');
+	    }
+	    if (cp != NULL)
+		*cp = '\0';
+	    princstr = (char*)malloc(strlen(canon) + 6 /* "/admin" */ +
+				     (realm ? 1 + strlen(realm) : 0) + 1);
+	    if (princstr == NULL) {
+		fprintf(stderr,
+			gettext("%s: out of memory\n"),
+			whoami);
+		exit(1);
+	    }
+	    strcpy(princstr, canon);
+	    strcat(princstr, "/admin");
+	    if (realm) {
+		strcat(princstr, "@");
+		strcat(princstr, realm);
+	    }
 	    free(canon);
-	} else if (luser = getenv("USER")) {
-		princstr = build_admin_princ(luser, def_realm);
-	} else if (pw = getpwuid(getuid())) {
-		princstr = build_admin_princ(pw->pw_name, def_realm);
+	    krb5_free_principal(context, princ);
+	    freeprinc++;
+	} else if ((luser = getenv("USER"))) {
+	    princstr = (char *) malloc(strlen(luser) + 7 /* "/admin@" */
+			      + strlen(def_realm) + 1);
+	    if (princstr == NULL) {
+		fprintf(stderr,
+			gettext("%s: out of memory\n"),
+			whoami);
+		exit(1);
+	    }
+	    strcpy(princstr, luser);
+	    strcat(princstr, "/admin");
+	    strcat(princstr, "@");
+	    strcat(princstr, def_realm);
+	    freeprinc++;
+	} else if ((pw = getpwuid(getuid()))) {
+	    princstr = (char *) malloc(strlen(pw->pw_name) + 7 /* "/admin@" */
+			      + strlen(def_realm) + 1);
+	    if (princstr == NULL) {
+		fprintf(stderr,
+			gettext("%s: out of memory\n"),
+			whoami);
+		exit(1);
+	    }
+	    strcpy(princstr, pw->pw_name);
+	    strcat(princstr, "/admin@");
+	    strcat(princstr, def_realm);
+	    freeprinc++;
 	} else {
-		fprintf(stderr,
+	    fprintf(stderr,
 			gettext("%s: unable to figure out "
 				"a principal name\n"),
-				whoami);
-		exit(1);
-	}
-    } else { /* (princstr != NULL) */
-	/* See if we need to add the default realm */
-	if (find_component(princstr, '@') == NULL) {
-		size_t len;
-
-		/*         principal     @        realm       NULL */
-		len = strlen(princstr) + 1 + strlen(def_realm) + 1;
-		princstr = realloc(princstr, len);
-		if (princstr == NULL) {
-			fprintf(stderr,
-				gettext("%s: out of memory\n"), whoami);
-			exit(1);
-	    	}
-		strcat(princstr, "@");
-		strcat(princstr, def_realm);
+		    whoami);
+	    exit(1);
 	}
     }
 
+    retval = krb5_klog_init(context, "admin_server", whoami, 0);
+    if (retval) {
+	com_err(whoami, retval, "while setting up logging");
+	exit(1);
+    }
+
     /*
-     * Initialize the kadm5 connection.  If we were given a ccache, use
-     * it.  Otherwise, use/prompt for the password.
+     * Initialize the kadm5 connection.  If we were given a ccache,
+     * use it.  Otherwise, use/prompt for the password.
      */
     if (ccache_name) {
 	 printf(gettext(
 		"Authenticating as principal %s with existing credentials.\n"),
 		princstr);
 	 retval = kadm5_init_with_creds(princstr, cc,
-			kadmin_princ,
-			&params,
-			KADM5_STRUCT_VERSION,
-			KADM5_API_VERSION_2,
-			&handle);
+					svcname, 
+					&params,
+					KADM5_STRUCT_VERSION,
+					KADM5_API_VERSION_2,
+					&handle);
     } else if (use_keytab) {
 	 if (keytab_name)
 	     printf(gettext("Authenticating as principal %s with keytab %s.\n"),
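Review bot: The two escape-skipping loops added in the `krb5_cc_get_principal` branch never advance: `realm = strchr(realm, '@')` and `cp = strchr(cp, '/')` restart the search at the character just found, so they return the same pointer and the loop spins forever when the first `@` or `/` is preceded by a backslash or is the first character of `canon`. kadmin_parse_name earlier in this file steps past the match with `strchr(cp + 1, '@')`; the same form is needed here, `realm = strchr(realm + 1, '@');` and `cp = strchr(cp + 1, '/');`. The name being scanned comes from the credentials cache, so the hang depends on cache contents rather than on typed input. kadmin_startup starts and ends outside this hunk.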
@@ -433,19 +460,20 @@
 		    "Authenticating as principal %s with default keytab.\n"),
 		    princstr);
 	 retval = kadm5_init_with_skey(princstr, keytab_name,
-			kadmin_princ,
-			&params,
-			KADM5_STRUCT_VERSION,
-			KADM5_API_VERSION_2,
-			&handle);
+				       svcname, 
+				       &params,
+				       KADM5_STRUCT_VERSION,
+				       KADM5_API_VERSION_2,
+				       &handle);
     } else {
 	 printf(gettext("Authenticating as principal %s with password.\n"),
 		princstr);
 	 retval = kadm5_init_with_password(princstr, password,
-			kadmin_princ, &params,
-			KADM5_STRUCT_VERSION,
-			KADM5_API_VERSION_2,
-			&handle);
+					   svcname, 
+					   &params,
+					   KADM5_STRUCT_VERSION,
+					   KADM5_API_VERSION_2,
+					   &handle);
     }
     if (retval) {
 	    if (retval == KADM5_RPC_ERROR_CANTENCODEARGS ||
@@ -464,89 +492,47 @@
 	}
 	exit(1);
     }
-    free(princstr);
+    if (freeprinc)
+	free(princstr);
 
-    if (retval = krb5_cc_close(context, cc)) {
-	com_err(whoami, retval, gettext("while closing ccache %s"),
-		ccache_name);
-	exit(1);
-    }
-    /* register the WRFILE keytab type and set it as the default */
-    if (retval = krb5_kt_register(context, &krb5_ktf_writable_ops)) {
-	 com_err(whoami, retval,
-	    gettext("while registering writable key table functions"));
+    if ((retval = krb5_cc_close(context, cc))) {
+	 com_err(whoami, retval, gettext("while closing ccache %s"),
+		 ccache_name);
 	 exit(1);
     }
+
+    /* register the WRFILE keytab type and set it as the default */
     {
-	/*
-	 * XXX krb5_defkeyname is an internal library global and
-	 * should go away
-	 */
+	 /* XXX krb5_defkeyname is an internal library global and
+            should go away */
 	 extern char *krb5_defkeyname;
-
 	 krb5_defkeyname = DEFAULT_KEYTAB;
     }
-
+    
     if ((retval = kadm5_init_iprop(handle)) != 0) {
 	com_err(whoami, retval, gettext("while mapping update log"));
 	exit(1);
     }
 
     /* Solaris kerberos: fix memory leak */
-    if (kadmin_princ)
-	free(kadmin_princ);
-
-    return (query);
-}
+    if (svcname)
+	free(svcname);
 
-static char *
-find_component(const char *principal, char sep)
-{
-	char *p = strchr(principal, sep);
-
-	for(p = strchr(principal, sep); p; p = strchr(p, sep))
-		if (p != principal && *(p - 1) != '\\')
-			break;
-	return (p);
+    return query;
 }
 
-static char *
-trim_principal(char *principal)
+int quit()
 {
-	char *p = find_component(principal, '/');
-
-	if (p == NULL) 
-		p = find_component(principal, '@');
-
-	if (p)
-		*p = '\0';
-
-	return (principal);
-}
-
-static char *
-build_admin_princ(const char *user, const char *realm)
-{
-	char *princstr;
+    kadm5_ret_t retval;
 
-	/* Add 7 to the length for "/admin@" */
-	princstr = (char *) malloc(strlen(user) + 7 + strlen(realm) + 1);
-	if (princstr == NULL) {
-		fprintf(stderr,
-			gettext("%s: out of memory\n"),
-			whoami);
-		exit(1);
+    if (locked) {
+	retval = kadm5_unlock(handle);
+	if (retval) {
+	    com_err("quit", retval, gettext("while unlocking locked database"));
+	    return 1;
 	}
-	sprintf(princstr, "%s/admin@%s", user, realm);
-	
-	return (princstr);
-}
-
-int
-quit()
-{
-     krb5_ccache cc;
-     int retval;
+	locked = 0;
+    }
 
      kadm5_destroy(handle);
      if (ccache_name != NULL) {
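Review bot: `free(svcname)` at the end of kadmin_startup is also reached when `-O` was given, and in that case `svcname` was assigned `KADM5_ADMIN_SERVICE_P` in the option switch (an earlier hunk) instead of a value filled in by `kadm5_get_adm_host_srv_name`. If that macro expands to a string literal, as its use there suggests, this passes a non-heap pointer to free(). Giving the `-O` case its own copy, `svcname = strdup(KADM5_ADMIN_SERVICE_P);` with a NULL check, keeps the single free valid. The comment `/* register the WRFILE keytab type and set it as the default */` is now stale too, since the `krb5_kt_register` call it described is removed and only the `krb5_defkeyname` assignment remains.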
@@ -554,31 +540,64 @@
 			gettext("\n\a\a\aAdministration credentials "
 				"NOT DESTROYED.\n"));
      }
+
      /* insert more random cleanup here */
+     krb5_klog_close(context);
      krb5_free_context(context);
      context = NULL;
-     return (0);
+     return 0;
 }
 
-void
-kadmin_delprinc(argc, argv)
+void kadmin_lock(argc, argv)
+    int argc;
+    char *argv[];
+{
+    kadm5_ret_t retval;
+
+    if (locked)
+	return;
+    retval = kadm5_lock(handle);
+    if (retval) {
+	com_err("lock", retval, "");
+	return;
+    }
+    locked = 1;
+}
+
+void kadmin_unlock(argc, argv)
+    int argc;
+    char *argv[];
+{
+    kadm5_ret_t retval;
+
+    if (!locked)
+	return;
+    retval = kadm5_unlock(handle);
+    if (retval) {
+	com_err("unlock", retval, "");
+	return;
+    }
+    locked = 0;
+}
+
+void kadmin_delprinc(argc, argv)
     int argc;
     char *argv[];
 {
     kadm5_ret_t retval;
     krb5_principal princ;
     char *canon;
-	char reply[32];
+    char reply[32];
     
     if (! (argc == 2 ||
-		(argc == 3 && strcmp("-force", argv[1]) == 0))) {
-		fprintf(stderr, "%s: delete_principal [-force] %s\n",
+	   (argc == 3 && !strcmp("-force", argv[1])))) {
+	fprintf(stderr, "%s: delete_principal [-force] %s\n",
 			gettext("usage"), gettext("principal"));
 	return;
     }
     retval = kadmin_parse_name(argv[argc - 1], &princ);
     if (retval) {
-		com_err("delete_principal", retval,
+	com_err("delete_principal", retval,
 			gettext("while parsing principal name"));
 	return;
     }
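Review bot: kadmin_lock and kadmin_unlock are added without any comment, and the `locked` flag they share with quit() is explained only by quit()'s error message. A header such as `/* Take the kadm5 lock for this session; no-op if already held. quit() releases it. */` on kadmin_lock, with the matching one on kadmin_unlock, would record that contract. Both pass an empty string as the com_err message, so a failure prints no context; `gettext("while locking database")` and `gettext("while unlocking database")` would match the other callers in this file. kadmin_delprinc, at the end of the hunk, continues outside it.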
@@ -590,7 +609,7 @@
 	return;
     }
     if (argc == 2) {
-		printf(gettext("Are you sure you want to delete "
+	printf(gettext("Are you sure you want to delete "
 			    "the principal \"%s\"? (yes/no): "), canon);
 	fgets(reply, sizeof (reply), stdin);
 		if (strncmp(gettext("yes\n"), reply, sizeof (reply)) &&
@@ -612,14 +631,14 @@
 	free(canon);
 	return;
     }
-	printf(gettext("Principal \"%s\" deleted.\n"), canon);
+    printf(gettext("Principal \"%s\" deleted.\n"), canon);
 	printf(gettext("Make sure that you have removed this principal "
 			"from all ACLs before reusing.\n"));
     free(canon);
+    return;
 }
 
-void
-kadmin_cpw(argc, argv)
+void kadmin_cpw(argc, argv)
     int argc;
     char *argv[];
 {
@@ -628,7 +647,8 @@
     static char prompt1[1024], prompt2[1024];
     char *canon;
     char *pwarg = NULL;
-    int n_ks_tuple = 0, keepold = 0, randkey = 0;
+    int n_ks_tuple = 0, randkey = 0;
+    krb5_boolean keepold = FALSE;
     krb5_key_salt_tuple *ks_tuple = NULL;
     krb5_principal princ;
     int local_kadmin = 0;
@@ -654,7 +674,7 @@
 	    continue;
 	}
 	if (!strcmp("-keepold", *argv)) {
-	    keepold++;
+	    keepold = TRUE;
 	    continue;
 	}
 	if (!strcmp("-e", *argv)) {
@@ -779,6 +799,8 @@
 	free(canon);
 	krb5_free_principal(context, princ);
    usage:
+	if (ks_tuple != NULL)
+	    free(ks_tuple);
 		fprintf(stderr, "%s: change_password [-randkey] [-keepold] "
 			"[-e keysaltlist] [-pw password] %s\n",
 			gettext("usage"), gettext("principal"));
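Review bot: The new cleanup at the `usage:` label runs on two kinds of path, the fall-through from the branch above it and every `goto usage` elsewhere in kadmin_cpw, so it is only safe if no path frees `ks_tuple` before arriving here; those paths are outside this hunk and should be checked. The NULL guard itself is unnecessary, since `free(NULL)` is a no-op, so `free(ks_tuple);` is enough. A comment on the label, for example `/* shared exit: releases ks_tuple for every goto usage */`, would make the ownership explicit.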
@@ -786,8 +808,9 @@
    }
 }
 
-int kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
-			    ks_tuple, n_ks_tuple, caller)
+static int 
+kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
+			ks_tuple, n_ks_tuple, caller)
     int argc;
     char *argv[];
     kadm5_principal_ent_t oprinc;
@@ -814,16 +837,16 @@
 	if (strlen(argv[i]) == 7 &&
 		    strcmp("-expire", argv[i]) == 0) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
-		date = get_date(argv[i], NULL);
+		date = get_date(argv[i]);
  		if (date == (time_t)-1) {
-					fprintf(stderr,
+		     fprintf(stderr,
 						gettext("Invalid date "
 							"specification "
 							"\"%s\".\n"),
 			     argv[i]);
-					return (-1);
+		     return -1;
  		}
 		oprinc->princ_expire_time = date;
 		*mask |= KADM5_PRINC_EXPIRE_TIME;
@@ -831,18 +854,18 @@
 	    }
 	}
 	if (strlen(argv[i]) == 9 &&
-		    strcmp("-pwexpire", argv[i]) == 0) {
+	    !strcmp("-pwexpire", argv[i])) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
-		date = get_date(argv[i], NULL);
+		date = get_date(argv[i]);
  		if (date == (time_t)-1) {
-					fprintf(stderr,
+		     fprintf(stderr,
 						gettext("Invalid date "
 							"specification "
 							"\"%s\".\n"),
 			     argv[i]);
-					return (-1);
+		     return -1;
  		}
 		oprinc->pw_expiration = date;
 		*mask |= KADM5_PW_EXPIRATION;
@@ -850,18 +873,18 @@
 	    }
 	}
 	if (strlen(argv[i]) == 8 &&
-		    strcmp("-maxlife", argv[i]) == 0) {
+	    !strcmp("-maxlife", argv[i])) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
-		date = get_date(argv[i], NULL);
+		date = get_date(argv[i]);
  		if (date == (time_t)-1) {
 					fprintf(stderr,
 						gettext("Invalid date "
 							"specification "
 							"\"%s\".\n"),
 			     argv[i]);
-					return (-1);
+		     return -1;
  		}
 				if (date <= now) {
 					fprintf(stderr,
@@ -877,18 +900,18 @@
 	    }
 	}
 	if (strlen(argv[i]) == 13 &&
-		    strcmp("-maxrenewlife", argv[i]) == 0) {
+	    !strcmp("-maxrenewlife", argv[i])) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
-		date = get_date(argv[i], NULL);
+		date = get_date(argv[i]);
  		if (date == (time_t)-1) {
 					fprintf(stderr,
 						gettext("Invalid date "
 							"specification "
 							"\"%s\".\n"),
 			     argv[i]);
-					return (-1);
+		     return -1;
  		}
 				if (date <= now) {
 					fprintf(stderr,
@@ -904,9 +927,9 @@
 	    }
 	}
 	if (strlen(argv[i]) == 5 &&
-		    strcmp("-kvno", argv[i]) == 0) {
+	    !strcmp("-kvno", argv[i])) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
 		oprinc->kvno = atoi(argv[i]);
 		*mask |= KADM5_KVNO;
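Review bot: `oprinc->kvno = atoi(argv[i]);` accepts any string: `atoi` yields 0 for non-numeric input and has undefined behaviour when the value does not fit, so a mistyped `-kvno` silently sets key version 0 or a wrapped value instead of failing. The same pattern is kept for `-minlength`, `-minclasses` and `-history` in the kadmin_parse_policy_args hunk further down. Parsing with `strtol` and returning -1 on an empty, trailing-garbage, negative or out-of-range value makes this fail like the other parse errors here; the upper bound depends on the kvno field's type, which is declared outside this diff, and `errno` needs `<errno.h>` in scope. kadmin_parse_princ_args starts and ends outside this hunk.

```c
	    else {
		char *end;
		long v;

		errno = 0;
		v = strtol(argv[i], &end, 10);
		/* reject "", "12abc", negatives and overflow */
		if (end == argv[i] || *end != '\0' || errno == ERANGE || v < 0)
		    return -1;
		/* TODO: also bound v by the maximum of the kvno field's type */
		oprinc->kvno = v;
		/* ... unchanged: mask update and continue ... */
```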
@@ -914,9 +937,9 @@
 	    }
 	}
 	if (strlen(argv[i]) == 7 &&
-		    strcmp("-policy", argv[i]) == 0) {
+	    !strcmp("-policy", argv[i])) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
 		oprinc->policy = argv[i];
 		*mask |= KADM5_POLICY;
@@ -924,22 +947,22 @@
 	    }
 	}
 	if (strlen(argv[i]) == 12 &&
-		    strcmp("-clearpolicy", argv[i]) == 0) {
+	    !strcmp("-clearpolicy", argv[i])) {
 	    oprinc->policy = NULL;
 	    *mask |= KADM5_POLICY_CLR;
 	    continue;
 	}
 	if (strlen(argv[i]) == 3 &&
-		    strcmp("-pw", argv[i]) == 0) {
+	    !strcmp("-pw", argv[i])) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
 		*pass = argv[i];
 		continue;
 	    }
 	}
 	if (strlen(argv[i]) == 8 &&
-		    strcmp("-randkey", argv[i]) == 0) {
+	    !strcmp("-randkey", argv[i])) {
 	    ++*randkey;
 	    continue;
 	}
@@ -959,41 +982,40 @@
 	}
 	for (j = 0; j < sizeof (flags) / sizeof (struct pflag); j++) {
 	    if (strlen(argv[i]) == flags[j].flaglen + 1 &&
-			    strcmp(flags[j].flagname,
-				    /* strip off leading + or - */
-				    &argv[i][1]) == 0) {
-		if (flags[j].set && argv[i][0] == '-' ||
-		    !flags[j].set && argv[i][0] == '+') {
+		!strcmp(flags[j].flagname,
+			&argv[i][1] /* strip off leading + or - */)) {
+		if ((flags[j].set && argv[i][0] == '-') ||
+		    (!flags[j].set && argv[i][0] == '+')) {
 		    oprinc->attributes |= flags[j].theflag;
 		    *mask |= KADM5_ATTRIBUTES;
 		    attrib_set++;
 		    break;
-		} else if (flags[j].set && argv[i][0] == '+' ||
-			   !flags[j].set && argv[i][0] == '-') {
+		} else if ((flags[j].set && argv[i][0] == '+') ||
+			   (!flags[j].set && argv[i][0] == '-')) {
 		    oprinc->attributes &= ~flags[j].theflag;
 		    *mask |= KADM5_ATTRIBUTES;
 		    attrib_set++;
 		    break;
 		} else {
-					return (-1);
+		    return -1;
 		}
 	    }
 	}
 	if (!attrib_set)
-			return (-1);	/* nothing was parsed */
+	    return -1;		/* nothing was parsed */
     }
     if (i != argc - 1) {
-		return (-1);
+	return -1;
     }
     retval = kadmin_parse_name(argv[i], &oprinc->principal);
     if (retval) {
-		com_err(caller, retval, gettext("while parsing principal"));
-		return (-1);
+	com_err(caller, retval, gettext("while parsing principal"));
+	return -1;
     }
-	return (0);
+    return 0;
 }
 
-void
+static void 
 kadmin_addprinc_usage(func)
    char *func;
 {
@@ -1014,7 +1036,7 @@
 		"password_changing_service\n");
 }
 
-void
+static void 
 kadmin_modprinc_usage(func)
    char *func;
 {
@@ -1035,8 +1057,7 @@
 		"password_changing_service\n");
 }
 
-void
-kadmin_addprinc(argc, argv)
+void kadmin_addprinc(argc, argv)
     int argc;
     char *argv[];
 {
@@ -1100,7 +1121,8 @@
 	      (void) kadm5_free_policy_ent(handle, &defpol);
 	 } else
 	      fprintf(stderr, gettext("WARNING: no policy specified "
-			"for %s; defaulting to no policy\n"), canon);
+			"for %s; defaulting to no policy\n"),
+		      canon);
     }
     mask &= ~KADM5_POLICY_CLR;
     
@@ -1115,11 +1137,11 @@
     if (randkey || (mask & KADM5_ATTRIBUTES))
 	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
 
-    if (randkey) {
-	pass = dummybuf;
+    if (randkey) {		
 	mask |= KADM5_ATTRIBUTES;
+	pass = dummybuf;
     } else if (pass == NULL) {
-	unsigned int i = sizeof (newpw) - 1;
+	unsigned int sz = sizeof (newpw) - 1;
 	snprintf(prompt1, sizeof (prompt1),
 		gettext("Enter password for principal \"%.900s\""),
 		canon);
@@ -1127,7 +1149,7 @@
 		gettext("Re-enter password for principal \"%.900s\""),
 		canon);
 	retval = krb5_read_password(context, prompt1, prompt2,
-		    newpw, &i);
+				    newpw, &sz);
 	if (retval) {
 	    com_err("add_principal", retval,
 		gettext("while reading password for \"%s\"."), canon);
@@ -1158,8 +1180,7 @@
 	    free(ks_tuple);
 	return;
     }
-
-    if (randkey) { /* more special stuff for -randkey */
+    if (randkey) {		/* more special stuff for -randkey */
 	if (ks_tuple != NULL || local_kadmin) {
 	    retval = kadm5_randkey_principal_3(handle, princ.principal,
 					       FALSE,
@@ -1219,7 +1240,6 @@
 	    return;
 	}
     }
-
     krb5_free_principal(context, princ.principal);
 	printf(gettext("Principal \"%s\" created.\n"), canon);
     if (ks_tuple != NULL)
@@ -1227,8 +1247,7 @@
     free(canon);
 }
 
-void
-kadmin_modprinc(argc, argv)
+void kadmin_modprinc(argc, argv)
     int argc;
     char *argv[];
 {
@@ -1251,7 +1270,7 @@
 
     retval = kadmin_parse_name(argv[argc - 1], &kprinc);
     if (retval) {
-		com_err("modify_principal", retval,
+	com_err("modify_principal", retval,
 			gettext("while parsing principal"));
 	return;
     }
@@ -1266,7 +1285,7 @@
 				 KADM5_PRINCIPAL_NORMAL_MASK);
     krb5_free_principal(context, kprinc);
     if (retval) {
-		com_err("modify_principal", retval,
+	com_err("modify_principal", retval,
 			gettext("while getting \"%s\"."), canon);
 	free(canon);
 	return;
@@ -1316,8 +1335,7 @@
     free(canon);
 }
 
-void
-kadmin_getprinc(argc, argv)
+void kadmin_getprinc(argc, argv)
     int argc;
     char *argv[];
 {
@@ -1328,23 +1346,25 @@
     int i;
     
     if (! (argc == 2 ||
-		(argc == 3 && strcmp("-terse", argv[1]) == 0))) {
+	   (argc == 3 && !strcmp("-terse", argv[1])))) {
 		fprintf(stderr, "%s: get_principal [-terse] %s\n",
 			gettext("usage"), gettext("principal"));
 	return;
     }
+
+
     memset(&dprinc, 0, sizeof(dprinc));
     memset(&princ, 0, sizeof(princ));
 
     retval = kadmin_parse_name(argv[argc - 1], &princ);
     if (retval) {
-		com_err("get_principal", retval,
+	com_err("get_principal", retval,
 			gettext("while parsing principal"));
 	return;
     }
     retval = krb5_unparse_name(context, princ, &canon);
     if (retval) {
-		com_err("get_principal", retval,
+	com_err("get_principal", retval,
 			gettext("while canonicalizing principal"));
 	krb5_free_principal(context, princ);
 	return;
@@ -1353,14 +1373,14 @@
 				 KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA);
     krb5_free_principal(context, princ);
     if (retval) {
-		com_err("get_principal", retval,
+	com_err("get_principal", retval,
 			gettext("while retrieving \"%s\"."), canon);
 	free(canon);
 	return;
     }
     retval = krb5_unparse_name(context, dprinc.mod_name, &modcanon);
     if (retval) {
-		com_err("get_principal", retval,
+	com_err("get_principal", retval,
 			gettext("while unparsing modname"));
 	kadm5_free_principal_ent(handle, &dprinc);
 	free(canon);
@@ -1431,7 +1451,7 @@
 	       canon, dprinc.princ_expire_time, dprinc.last_pwd_change,
 	       dprinc.pw_expiration, dprinc.max_life, modcanon,
 	       dprinc.mod_date, dprinc.attributes, dprinc.kvno,
-		    dprinc.mkvno, dprinc.policy ?
+	       dprinc.mkvno, dprinc.policy ?
 		    dprinc.policy : gettext("[none]"),
 	       dprinc.max_renewable_life, dprinc.last_success,
 	       dprinc.last_failed, dprinc.fail_auth_count,
@@ -1449,13 +1469,12 @@
     free(canon);
 }
 
-void
-kadmin_getprincs(argc, argv)
+void kadmin_getprincs(argc, argv)
     int argc;
     char *argv[];
 {
     krb5_error_code retval;
-    char *exp, **names;
+    char *expr, **names;
     int i, count;
 
 	FILE *output;
@@ -1464,15 +1483,15 @@
 	sigset_t nmask, omask;
 	int waitb;
 
-    exp = NULL;
-    if (! (argc == 1 || (argc == 2 && (exp = argv[1])))) {
+    expr = NULL;
+    if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
 		fprintf(stderr, "%s: get_principals %s\n",
 			gettext("usage"), gettext("[expression]"));
 	return;
     }
-    retval = kadm5_get_principals(handle, exp, &names, &count);
+    retval = kadm5_get_principals(handle, expr, &names, &count);
     if (retval) {
-		com_err("get_principals", retval,
+	com_err("get_principals", retval,
 			gettext("while retrieving list."));
 	return;
     }
@@ -1496,7 +1515,7 @@
 	sigprocmask(SIG_SETMASK, &omask, (sigset_t *)0);
 
     for (i = 0; i < count; i++)
-		fprintf(output, "%s\n", names[i]);
+	 fprintf(output, "%s\n", names[i]);
 
 	fclose(output);
 
@@ -1505,7 +1524,7 @@
     kadm5_free_name_list(handle, names, count);
 }
 
-int
+static int 
 kadmin_parse_policy_args(argc, argv, policy, mask, caller)
     int argc;
     char *argv[];
@@ -1516,24 +1535,23 @@
     int i;
     time_t now;
     time_t date;
-    krb5_error_code retval;
 
     time(&now);
     *mask = 0;
     for (i = 1; i < argc - 1; i++) {
 	if (strlen(argv[i]) == 8 &&
-		    strcmp(argv[i], "-maxlife") == 0) {
+	    !strcmp(argv[i], "-maxlife")) {
 	    if (++i > argc -2)
-				return (-1);
+		return -1;
 	    else {
-		date = get_date(argv[i], NULL);
+		date = get_date(argv[i]);
  		if (date == (time_t)-1) {
 					fprintf(stderr,
 						gettext("Invalid date "
 							"specification "
 							"\"%s\".\n"),
 			     argv[i]);
-					return (-1);
+		     return -1;
  		}
 				if (date <= now) {
 					fprintf(stderr,
@@ -1548,18 +1566,18 @@
 		continue;
 	    }
 	} else if (strlen(argv[i]) == 8 &&
-			strcmp(argv[i], "-minlife") == 0) {
+		   !strcmp(argv[i], "-minlife")) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
-		date = get_date(argv[i], NULL);
+		date = get_date(argv[i]);
  		if (date == (time_t)-1) {
 					fprintf(stderr,
 						gettext("Invalid date "
 							"specification "
 							"\"%s\".\n"),
 			     argv[i]);
-					return (-1);
+		     return -1;
  		}
 				if (date <= now) {
 					fprintf(stderr,
@@ -1574,43 +1592,43 @@
 		continue;
 	    }
 	} else if (strlen(argv[i]) == 10 &&
-			strcmp(argv[i], "-minlength") == 0) {
+	    !strcmp(argv[i], "-minlength")) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
 		policy->pw_min_length = atoi(argv[i]);
 		*mask |= KADM5_PW_MIN_LENGTH;
 		continue;
 	    }
 	} else if (strlen(argv[i]) == 11 &&
-			strcmp(argv[i], "-minclasses") == 0) {
+		   !strcmp(argv[i], "-minclasses")) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
 		policy->pw_min_classes = atoi(argv[i]);
 		*mask |= KADM5_PW_MIN_CLASSES;
 		continue;
 	    }
 	} else if (strlen(argv[i]) == 8 &&
-			strcmp(argv[i], "-history") == 0) {
+		   !strcmp(argv[i], "-history")) {
 	    if (++i > argc - 2)
-				return (-1);
+		return -1;
 	    else {
 		policy->pw_history_num = atoi(argv[i]);
 		*mask |= KADM5_PW_HISTORY_NUM;
 		continue;
 	    }
 	} else
-			return (-1);
+	    return -1;
     }
     if (i != argc -1) {
-		fprintf(stderr, gettext("%s: parser lost count!\n"), caller);
-		return (-1);
+	fprintf(stderr, gettext("%s: parser lost count!\n"), caller);
+	return -1;
     } else
-		return (0);
+	return 0;
 }
 
-void
+static void 
 kadmin_addmodpol_usage(func)
    char *func;
 {
@@ -1622,8 +1640,7 @@
 		"[-history number]\n");
 }
 
-void
-kadmin_addpol(argc, argv)
+void kadmin_addpol(argc, argv)
     int argc;
     char *argv[];
 {
@@ -1632,8 +1649,7 @@
     kadm5_policy_ent_rec policy;
 
     memset(&policy, 0, sizeof(policy));
-	if (kadmin_parse_policy_args(argc, argv,
-				    &policy, &mask, "add_policy")) {
+    if (kadmin_parse_policy_args(argc, argv, &policy, &mask, "add_policy")) {
 	 kadmin_addmodpol_usage("add_policy");
 	 return;
     } else {
@@ -1647,10 +1663,10 @@
 	    return;
 	}
     }
+    return;
 }
 
-void
-kadmin_modpol(argc, argv)
+void kadmin_modpol(argc, argv)
     int argc;
     char *argv[];
 {
@@ -1673,19 +1689,19 @@
 	    return;
 	}
     }
+    return;
 }
 
-void
-kadmin_delpol(argc, argv)
+void kadmin_delpol(argc, argv)
     int argc;
     char *argv[];
 {
     krb5_error_code retval;
-	char reply[32];
+    char reply[32];
     
     if (! (argc == 2 ||
-		(argc == 3 && strcmp("-force", argv[1]) == 0))) {
-		fprintf(stderr, "%s: delete_policy [-force] %s\n",
+	   (argc == 3 && !strcmp("-force", argv[1])))) {
+	fprintf(stderr, "%s: delete_policy [-force] %s\n",
 			gettext("usage"), gettext("policy"));
 	return;
     }
@@ -1710,10 +1726,10 @@
 		argv[argc - 1]);
 	return;
     }
+    return;
 }
 
-void
-kadmin_getpol(argc, argv)
+void kadmin_getpol(argc, argv)
     int argc;
     char *argv[];
 {
@@ -1721,7 +1737,7 @@
     kadm5_policy_ent_rec policy;
     
     if (! (argc == 2 ||
-		(argc == 3 && strcmp("-terse", argv[1]) == 0))) {
+	   (argc == 3 && !strcmp("-terse", argv[1])))) {
 		fprintf(stderr, "%s: get_policy [-terse] %s\n",
 			gettext("usage"), gettext("policy"));
 	return;
@@ -1735,45 +1751,45 @@
     }
     if (argc == 2) {
 		printf(gettext("Policy: %s\n"), policy.policy);
-		printf(gettext("Maximum password life: %d\n"),
+		printf(gettext("Maximum password life: %ld\n"),
 		    policy.pw_max_life);
-		printf(gettext("Minimum password life: %d\n"),
+		printf(gettext("Minimum password life: %ld\n"),
 		    policy.pw_min_life);
-		printf(gettext("Minimum password length: %d\n"),
+		printf(gettext("Minimum password length: %ld\n"),
 		    policy.pw_min_length);
 		printf(gettext("Minimum number of password "
-			    "character classes: %d\n"),
+			    "character classes: %ld\n"),
 	       policy.pw_min_classes);
-		printf(gettext("Number of old keys kept: %d\n"),
+		printf(gettext("Number of old keys kept: %ld\n"),
 		    policy.pw_history_num);
-		printf(gettext("Reference count: %d\n"), policy.policy_refcnt);
+		printf(gettext("Reference count: %ld\n"), policy.policy_refcnt);
     } else {
-	printf("\"%s\"\t%d\t%d\t%d\t%d\t%d\t%d\n",
+	printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
 	       policy.policy, policy.pw_max_life, policy.pw_min_life,
 	       policy.pw_min_length, policy.pw_min_classes,
 	       policy.pw_history_num, policy.policy_refcnt);
     }
     kadm5_free_policy_ent(handle, &policy);
+    return;
 }
 
-void
-kadmin_getpols(argc, argv)
+void kadmin_getpols(argc, argv)
     int argc;
     char *argv[];
 {
     krb5_error_code retval;
-    char *exp, **names;
+    char *expr, **names;
     int i, count;
 
-    exp = NULL;
-    if (! (argc == 1 || (argc == 2 && (exp = argv[1])))) {
-		fprintf(stderr, "%s: get_policies %s\n",
+    expr = NULL;
+    if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
+	fprintf(stderr, "%s: get_policies %s\n",
 			gettext("usage"), gettext("[expression]\n"));
 	return;
     }
-    retval = kadm5_get_policies(handle, exp, &names, &count);
+    retval = kadm5_get_policies(handle, expr, &names, &count);
     if (retval) {
-		com_err("get_policies", retval,
+	com_err("get_policies", retval,
 			gettext("while retrieving list."));
 	return;
     }
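Review bot: The get_policies usage line passes `gettext("[expression]\n")` to a format that already ends in `\n`, so the message is followed by a blank line and needs its own catalogue entry, separate from the `gettext("[expression]")` used by get_principals. Use `gettext("usage"), gettext("[expression]"));` here as well. kadmin_getpol starts above this hunk and kadmin_getpols ends below it.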
@@ -1781,3 +1797,4 @@
 	 printf("%s\n", names[i]);
     kadm5_free_name_list(handle, names, count);
 }
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/krb5/kadmin/cli/kadmin.h	Sat Oct 07 13:37:05 2006 -0700
@@ -0,0 +1,75 @@
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+/*
+ * kadmin/cli/kadmin.h
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ *
+ * Prototypes for kadmin functions called from SS library.
+ */
+
+#ifndef __KADMIN_H__
+#define __KADMIN_H__
+
+/* It would be nice if ss produced a header file we could reference */
+extern char *kadmin_startup(int argc, char *argv[]);
+extern int quit (void);
+extern void kadmin_lock(int argc, char *argv[]);
+extern void kadmin_unlock(int argc, char *argv[]);
+extern void kadmin_delprinc(int argc, char *argv[]);
+extern void kadmin_cpw(int argc, char *argv[]);
+extern void kadmin_addprinc(int argc, char *argv[]);
+extern void kadmin_modprinc(int argc, char *argv[]);
+extern void kadmin_getprinc(int argc, char *argv[]);
+extern void kadmin_getprincs(int argc, char *argv[]);
+extern void kadmin_addpol(int argc, char *argv[]);
+extern void kadmin_modpol(int argc, char *argv[]);
+extern void kadmin_delpol(int argc, char *argv[]);
+extern void kadmin_getpol(int argc, char *argv[]);
+extern void kadmin_getpols(int argc, char *argv[]);
+extern void kadmin_getprivs(int argc, char *argv[]);
+extern void kadmin_keytab_add(int argc, char *argv[]);
+extern void kadmin_keytab_remove(int argc, char *argv[]);
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#else
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif
+
+extern time_t get_date(char *);
+
+/* Yucky global variables */
+extern krb5_context context;
+extern char *krb5_defkeyname;	 
+extern char *whoami;
+extern void *handle;
+
+#endif /* __KADMIN_H__ */
+
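Review bot: kadmin.h is not self-contained: it declares `extern krb5_context context;` without including the header that defines `krb5_context`, so it compiles only when every includer pulls in `<krb5.h>` first (keytab.c does, per its include list later in this changeset). Adding `#include <krb5.h>` right after the guard removes that ordering dependency. The guard name `__KADMIN_H__` contains a double underscore, which C reserves for the implementation; `KADMIN_H` avoids the clash.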
--- a/usr/src/cmd/krb5/kadmin/cli/kadmin_ct.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/cli/kadmin_ct.c	Sat Oct 07 13:37:05 2006 -0700
@@ -32,180 +32,201 @@
 #include <ss/ss.h>
 
 #ifndef __STDC__
-#define	const
+#define const
 #endif
 
-static char const *const ssu00001[] = {
-	"add_principal",
-	"addprinc",
-	"ank",
-	(char const *) 0
+static char const * const ssu00001[] = {
+"add_principal",
+    "addprinc",
+    "ank",
+    (char const *)0
 };
 extern void kadmin_addprinc __SS_PROTO;
-static char const *const ssu00002[] = {
-	"delete_principal",
-	"delprinc",
-	(char const *) 0
+static char const * const ssu00002[] = {
+"delete_principal",
+    "delprinc",
+    (char const *)0
 };
 extern void kadmin_delprinc __SS_PROTO;
-static char const *const ssu00003[] = {
-	"modify_principal",
-	"modprinc",
-	(char const *) 0
+static char const * const ssu00003[] = {
+"modify_principal",
+    "modprinc",
+    (char const *)0
 };
 extern void kadmin_modprinc __SS_PROTO;
-static char const *const ssu00004[] = {
-	"change_password",
-	"cpw",
-	(char const *) 0
+static char const * const ssu00004[] = {
+"change_password",
+    "cpw",
+    (char const *)0
 };
 extern void kadmin_cpw __SS_PROTO;
-static char const *const ssu00005[] = {
-	"get_principal",
-	"getprinc",
-	(char const *) 0
+static char const * const ssu00005[] = {
+"get_principal",
+    "getprinc",
+    (char const *)0
 };
 extern void kadmin_getprinc __SS_PROTO;
-static char const *const ssu00006[] = {
-	"list_principals",
-	"listprincs",
-	"get_principals",
-	"getprincs",
-	(char const *) 0
+static char const * const ssu00006[] = {
+"list_principals",
+    "listprincs",
+    "get_principals",
+    "getprincs",
+    (char const *)0
 };
 extern void kadmin_getprincs __SS_PROTO;
-static char const *const ssu00007[] = {
-	"add_policy",
-	"addpol",
-	(char const *) 0
+static char const * const ssu00007[] = {
+"add_policy",
+    "addpol",
+    (char const *)0
 };
 extern void kadmin_addpol __SS_PROTO;
-static char const *const ssu00008[] = {
-	"modify_policy",
-	"modpol",
-	(char const *) 0
+static char const * const ssu00008[] = {
+"modify_policy",
+    "modpol",
+    (char const *)0
 };
 extern void kadmin_modpol __SS_PROTO;
-static char const *const ssu00009[] = {
-	"delete_policy",
-	"delpol",
-	(char const *) 0
+static char const * const ssu00009[] = {
+"delete_policy",
+    "delpol",
+    (char const *)0
 };
 extern void kadmin_delpol __SS_PROTO;
-static char const *const ssu00010[] = {
-	"get_policy",
-	"getpol",
-	(char const *) 0
+static char const * const ssu00010[] = {
+"get_policy",
+    "getpol",
+    (char const *)0
 };
 extern void kadmin_getpol __SS_PROTO;
-static char const *const ssu00011[] = {
-	"list_policies",
-	"listpols",
-	"get_policies",
-	"getpols",
-	(char const *) 0
+static char const * const ssu00011[] = {
+"list_policies",
+    "listpols",
+    "get_policies",
+    "getpols",
+    (char const *)0
 };
 extern void kadmin_getpols __SS_PROTO;
-static char const *const ssu00012[] = {
-	"get_privs",
-	"getprivs",
-	(char const *) 0
+static char const * const ssu00012[] = {
+"get_privs",
+    "getprivs",
+    (char const *)0
 };
 extern void kadmin_getprivs __SS_PROTO;
-static char const *const ssu00013[] = {
-	"ktadd",
-	"xst",
-	(char const *) 0
+static char const * const ssu00013[] = {
+"ktadd",
+    "xst",
+    (char const *)0
 };
 extern void kadmin_keytab_add __SS_PROTO;
-static char const *const ssu00014[] = {
-	"ktremove",
-	"ktrem",
-	(char const *) 0
+static char const * const ssu00014[] = {
+"ktremove",
+    "ktrem",
+    (char const *)0
 };
 extern void kadmin_keytab_remove __SS_PROTO;
-static char const *const ssu00015[] = {
-	"list_requests",
-	"lr",
-	"?",
-	(char const *) 0
+
+static char const * const ssu00015[] = {
+"lock",
+    (char const *)0
+};
+extern void kadmin_lock __SS_PROTO;
+static char const * const ssu00016[] = {
+"unlock",
+    (char const *)0
 };
+extern void kadmin_unlock __SS_PROTO;
+
+static char const * const ssu00017[] = {
+"list_requests",
+    "lr",
+    "?",
+    (char const *)0
+};
+
 extern void ss_list_requests __SS_PROTO;
-static char const *const ssu00016[] = {
-	"quit",
-	"exit",
-	"q",
-	(char const *) 0
+static char const * const ssu00018[] = {
+"quit",
+    "exit",
+    "q",
+    (char const *)0
 };
 extern void ss_quit __SS_PROTO;
-static ss_request_entry ssu00017[] = {
-	{ssu00001,
-		kadmin_addprinc,
-		gettext("Add principal"),
-	0},
-	{ssu00002,
-		kadmin_delprinc,
-		gettext("Delete principal"),
-	0},
-	{ssu00003,
-		kadmin_modprinc,
-		gettext("Modify principal"),
-	0},
-	{ssu00004,
-		kadmin_cpw,
-		gettext("Change password"),
-	0},
-	{ssu00005,
-		kadmin_getprinc,
-		gettext("Get principal"),
-	0},
-	{ssu00006,
-		kadmin_getprincs,
-		gettext("List principals"),
-	0},
-	{ssu00007,
-		kadmin_addpol,
-		gettext("Add policy"),
-	0},
-	{ssu00008,
-		kadmin_modpol,
-		gettext("Modify policy"),
-	0},
-	{ssu00009,
-		kadmin_delpol,
-		gettext("Delete policy"),
-	0},
-	{ssu00010,
-		kadmin_getpol,
-		gettext("Get policy"),
-	0},
-	{ssu00011,
-		kadmin_getpols,
-		gettext("List policies"),
-	0},
-	{ssu00012,
-		kadmin_getprivs,
-		gettext("Get privileges"),
-	0},
-	{ssu00013,
-		kadmin_keytab_add,
-		gettext("Add entry(s) to a keytab"),
-	0},
-	{ssu00014,
-		kadmin_keytab_remove,
-		gettext("Remove entry(s) from a keytab"),
-	0},
-	{ssu00015,
-		ss_list_requests,
-		gettext("List available requests."),
-	0},
-	{ssu00016,
-		ss_quit,
-		gettext("Exit program."),
-	0},
-	{0, 0, 0, 0}
+static ss_request_entry ssu00019[] = {
+    { ssu00001,
+      kadmin_addprinc,
+      gettext("Add principal"),
+      0 },
+    { ssu00002,
+      kadmin_delprinc,
+      gettext("Delete principal"),
+      0 },
+    { ssu00003,
+      kadmin_modprinc,
+      gettext("Modify principal"),
+      0 },
+    { ssu00004,
+      kadmin_cpw,
+      gettext("Change password"),
+      0 },
+    { ssu00005,
+      kadmin_getprinc,
+      gettext("Get principal"),
+      0 },
+    { ssu00006,
+      kadmin_getprincs,
+      gettext("List principals"),
+      0 },
+    { ssu00007,
+      kadmin_addpol,
+      gettext("Add policy"),
+      0 },
+    { ssu00008,
+      kadmin_modpol,
+      gettext("Modify policy"),
+      0 },
+    { ssu00009,
+      kadmin_delpol,
+      gettext("Delete policy"),
+      0 },
+    { ssu00010,
+      kadmin_getpol,
+      gettext("Get policy"),
+      0 },
+    { ssu00011,
+      kadmin_getpols,
+      gettext("List policies"),
+      0 },
+    { ssu00012,
+      kadmin_getprivs,
+      gettext("Get privileges"),
+      0 },
+    { ssu00013,
+      kadmin_keytab_add,
+      gettext("Add entry(s) to a keytab"),
+      0 },
+    { ssu00014,
+      kadmin_keytab_remove,
+      gettext("Remove entry(s) from a keytab"),
+      0 },
+    { ssu00015,
+      kadmin_lock,
+      gettext("Lock database exclusively (use with extreme caution!)"),
+      0 },
+    { ssu00016,
+      kadmin_unlock,
+      gettext("Release exclusive database lock"),
+      0 },
+    { ssu00017,
+      ss_list_requests,
+      gettext("List available requests."),
+      0 },
+    { ssu00018,
+      ss_quit,
+      gettext("Exit program."),
+      0 },
+    { 0, 0, 0, 0 }
 };
 
-ss_request_table kadmin_cmds = {2, ssu00017};
+ss_request_table kadmin_cmds = { 2, ssu00019 };
 
 #undef gettext
--- a/usr/src/cmd/krb5/kadmin/cli/kadmin_rmt.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/cli/kadmin_rmt.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 1998-1999 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -41,31 +41,30 @@
 #endif
 }
 
-void
-kadmin_getprivs(argc, argv)
-int argc;
-char *argv[];
+void kadmin_getprivs(argc, argv)
+    int argc;
+    char *argv[];
 {
-    static char *privs[] = {"GET", "ADD", "MODIFY", "DELETE", "LIST",
-				"CHANGE"};
-	krb5_error_code retval;
-	int i;
-	long plist;
+    static char *privs[] = {"GET", "ADD", "MODIFY", "DELETE", "LIST", "CHANGE"};
+    krb5_error_code retval;
+    int i;
+    long plist;
 
-	if (argc != 1) {
-		fprintf(stderr, "%s: get_privs\n", gettext("usage"));
-		return;
-	}
-	retval = kadm5_get_privs(handle, &plist);
-	if (retval) {
-		com_err("get_privs", retval,
+    if (argc != 1) {
+	fprintf(stderr, "%s: get_privs\n", gettext("usage"));
+	return;
+    }
+    retval = kadm5_get_privs(handle, &plist);
+    if (retval) {
+	com_err("get_privs", retval,
 		    gettext("while retrieving privileges"));
-		return;
-	}
-	printf(gettext("current privileges:"));
-	for (i = 0; i < sizeof (privs) / sizeof (char *); i++) {
-		if (plist & 1 << i)
-			printf(" %s", gettext(privs[i]));
-	}
-	printf("\n");
+	return;
+    }
+    printf(gettext("current privileges:"));
+    for (i = 0; i < sizeof (privs) / sizeof (char *); i++) {
+	if (plist & 1 << i)
+	    printf(" %s", gettext(privs[i]));
+    }
+    printf("\n");
+    return;
 }
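Review bot: `printf(gettext("current privileges:"));` passes the translated catalogue string as the format itself, so any `%` that ends up in a translation is interpreted as a conversion with no matching argument. The message has no conversions, so `fputs(gettext("current privileges:"), stdout);` or `printf("%s", gettext("current privileges:"));` prints the same text without that exposure. In the loop, `plist & 1 << i` would read more clearly as `plist & (1L << i)`, which also matches the `long` type of `plist`.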
--- a/usr/src/cmd/krb5/kadmin/cli/keytab.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/cli/keytab.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -8,7 +8,7 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
  *
- * $Id: keytab.c,v 1.26 2000/02/19 01:57:07 tlyu Exp $
+ * $Id: keytab.c,v 1.28 2004/05/31 12:39:16 epeisach Exp $
  * $Source: /cvs/krbdev/krb5/src/kadmin/cli/keytab.c,v $
  */
 
@@ -39,7 +39,7 @@
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/cli/keytab.c,v 1.26 2000/02/19 01:57:07 tlyu Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/cli/keytab.c,v 1.28 2004/05/31 12:39:16 epeisach Exp $";
 #endif
 
 #include <stdio.h>
@@ -48,33 +48,28 @@
 #include <libintl.h>
 
 #include <krb5.h>
-#include <k5-int.h>
 #include <kadm5/admin.h>
+#include <krb5/adm_proto.h>
+#include "kadmin.h"
 
-static int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
-			 int keepold,
+static int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
+			 krb5_boolean keepold,
 			 int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
 			 char *princ_str);
 static int remove_principal(char *keytab_str, krb5_keytab keytab, char
 			    *princ_str, char *kvno_str);
 static char *etype_string(krb5_enctype enctype);
 
-extern char *krb5_defkeyname;	 
-extern char *whoami;
-extern krb5_context context;
-extern void *handle;
 static int quiet;
 
-void
-add_usage()
+static void add_usage()
 {
      fprintf(stderr, "%s: %s\n", gettext("Usage"),
 	"ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] "
 	"[principal | -glob princ-exp] [...]\n");
 }
      
-void
-rem_usage()
+static void rem_usage()
 {
 	fprintf(stderr, "%s: %s\n",
 	    gettext("Usage"),
@@ -82,25 +77,24 @@
 	    "[kvno|\"all\"|\"old\"]\n");
 }
 
-int
-process_keytab(krb5_context context, char **keytab_str,
+static int process_keytab(krb5_context my_context, char **keytab_str,
 		   krb5_keytab *keytab) 
 {
      int code;
      char buf[BUFSIZ];
      
      if (*keytab_str == NULL) {
-	if (code = krb5_kt_default(context, keytab)) {
+	if (code = krb5_kt_default(my_context, keytab)) {
 		com_err(whoami, code, gettext("while opening default keytab"));
-		return (1);
+		return 1;
 	}
-	if (code = krb5_kt_get_name(context, *keytab, buf, BUFSIZ)) {
+	if (code = krb5_kt_get_name(my_context, *keytab, buf, BUFSIZ)) {
 		com_err(whoami, code, gettext("while retrieving keytab name"));
-		return (1);
+		return 1;
 	}
 	if (!(*keytab_str = strdup(buf))) {
 		com_err(whoami, ENOMEM, gettext("while creating keytab name"));
-		return(1);
+		return 1;
 	}
      } else {
 	  if (strchr(*keytab_str, ':') != NULL) {
@@ -108,7 +102,7 @@
 	       if (*keytab_str == NULL) {
 				com_err(whoami, ENOMEM,
 				    gettext("while creating keytab name"));
-				return (1);
+		    return 1;
 	       }
 	  } else {
 	       char *tmp = *keytab_str;
@@ -118,41 +112,39 @@
 	       if (*keytab_str == NULL) {
 				com_err(whoami, ENOMEM,
 				    gettext("while creating keytab name"));
-				return (1);
+		    return 1;
 	       }
 	       sprintf(*keytab_str, "WRFILE:%s", tmp);
 	  }
 	  
-	  code = krb5_kt_resolve(context, *keytab_str, keytab);
+	  code = krb5_kt_resolve(my_context, *keytab_str, keytab);
 	  if (code != 0) {
 			com_err(whoami, code,
 			    gettext("while resolving keytab %s"), *keytab_str);
 	       free(keytab_str);
-			return (1);
+	       return 1;
 	  }
      }
      
-	return (0);
+     return 0;
 }
 
      
-void
-kadmin_keytab_add(int argc, char **argv)
+void kadmin_keytab_add(int argc, char **argv)
 {
      krb5_keytab keytab = 0;
-     char *princ_str, *keytab_str = NULL, **princs;
+     char *keytab_str = NULL, **princs;
      int code, num, i;
      krb5_error_code retval;
-     int keepold = 0, n_ks_tuple = 0;
+     int n_ks_tuple = 0;
+     krb5_boolean keepold = FALSE;
      krb5_key_salt_tuple *ks_tuple = NULL;
 
-	argc--;
-	argv++;
+     argc--; argv++;
      quiet = 0;
      while (argc) {
 	  if (strncmp(*argv, "-k", 2) == 0) {
-			argc--;
-			argv++;
+	       argc--; argv++;
 	       if (!argc || keytab_str) {
 		    add_usage();
 		    return;
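Review bot: On the krb5_kt_resolve() failure path, `free(keytab_str)` hands free() the `char **` argument itself rather than the string the earlier branches stored in `*keytab_str`, so the allocated name is leaked and free() is called on a pointer this function never allocated. The line should read `free(*keytab_str); *keytab_str = NULL;`, where the NULL store protects the callers, both of which end with `free(keytab_str)` on their own local; how they react to a failed process_keytab is outside this hunk. process_keytab begins in the previous hunk, and the size of the buffer that `sprintf(*keytab_str, "WRFILE:%s", tmp)` writes into is not visible here, so that bound should be confirmed as well.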
@@ -177,8 +169,7 @@
 	       }
 	  } else
 	       break;
-		argc--;
-		argv++;
+	  argc--; argv++;
      }
 
      if (argc == 0) {
@@ -195,8 +186,9 @@
 		    add_usage();
 		    break;
 	       }
-			if (code = kadm5_get_principals(handle, *argv,
-							&princs, &num)) {
+	       
+	       code = kadm5_get_principals(handle, *argv, &princs, &num);
+	       if (code) {
 				com_err(whoami, code,
 					gettext("while expanding expression "
 						"\"%s\"."),
@@ -224,20 +216,17 @@
      free(keytab_str);
 }
 
-void
-kadmin_keytab_remove(int argc, char **argv)
+void kadmin_keytab_remove(int argc, char **argv)
 {
      krb5_keytab keytab = 0;
-     char *princ_str, *keytab_str = NULL;
+     char *keytab_str = NULL;
      int code;
 
-	argc--;
-	argv++;
+     argc--; argv++;
      quiet = 0;
      while (argc) {
 	  if (strncmp(*argv, "-k", 2) == 0) {
-			argc--;
-			argv++;
+	       argc--; argv++;
 	       if (!argc || keytab_str) {
 		    rem_usage();
 		    return;
@@ -247,8 +236,7 @@
 	       quiet++;
 	  } else
 	       break;
-		argc--;
-		argv++;
+	  argc--; argv++;
      }
 
      if (argc != 1 && argc != 2) {
@@ -267,8 +255,9 @@
      free(keytab_str);
 }
 
-int add_principal(void *handle, char *keytab_str, krb5_keytab keytab,
-		  int keepold, int n_ks_tuple,
+static 
+int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
+		  krb5_boolean keepold, int n_ks_tuple,
 		  krb5_key_salt_tuple *ks_tuple,
 		  char *princ_str) 
 {
@@ -276,7 +265,7 @@
      krb5_principal princ;
      krb5_keytab_entry new_entry;
      krb5_keyblock *keys;
-     int code, code2, mask, nkeys, i;
+     int code, nkeys, i;
      int nktypes = 0;
      krb5_key_salt_tuple *permitted_etypes = NULL;
 
@@ -336,9 +325,9 @@
 	nktypes = n_ks_tuple;
      }
 
-     code = kadm5_randkey_principal_3(handle, princ,
-				  keepold, nktypes, permitted_etypes,
-				  &keys, &nkeys);
+	 code = kadm5_randkey_principal_3(lhandle, princ,
+					  keepold, nktypes, permitted_etypes,
+					  &keys, &nkeys);
 
 #ifndef _KADMIN_LOCAL_
 	/* this block is not needed in the kadmin.local client */
@@ -351,20 +340,19 @@
 		code = kadm5_randkey_principal_old(handle, princ, &keys, &nkeys);
 	}
 #endif /* !KADMIN_LOCAL */
-	if (code != 0) {
-		if (code == KADM5_UNK_PRINC) {
+     if (code != 0) {
+	  if (code == KADM5_UNK_PRINC) {
 			fprintf(stderr,
 			    gettext("%s: Principal %s does not exist.\n"),
 		       whoami, princ_str);
-		} else {
+	  } else
 			com_err(whoami, code,
 				gettext("while changing %s's key"),
 				princ_str);
-		}
-		goto cleanup;
-	}
+	  goto cleanup;
+     }
 
-     code = kadm5_get_principal(handle, princ, &princ_rec,
+     code = kadm5_get_principal(lhandle, princ, &princ_rec,
 				KADM5_PRINCIPAL_NORMAL_MASK);
      if (code != 0) {
 		com_err(whoami, code, gettext("while retrieving principal"));
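Review bot: The rename of the parameter to `lhandle` is incomplete: inside the `#ifndef _KADMIN_LOCAL_` block the fallback still calls `kadm5_randkey_principal_old(handle, princ, &keys, &nkeys)`, while kadm5_randkey_principal_3, kadm5_get_principal and kadm5_free_principal_ent now receive `lhandle`. With the old parameter name gone, `handle` there resolves to a file-scope declaration (the `extern void *handle` was removed from this file, so presumably one from kadmin.h), and the retry uses the same server handle as the first attempt only as long as every caller passes that global. It should be `kadm5_randkey_principal_old(lhandle, princ, &keys, &nkeys);`. add_principal starts and ends outside this hunk.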
@@ -381,7 +369,7 @@
 	  if (code != 0) {
 			com_err(whoami, code,
 				gettext("while adding key to keytab"));
-	       (void) kadm5_free_principal_ent(handle, &princ_rec);
+	       (void) kadm5_free_principal_ent(lhandle, &princ_rec);
 	       goto cleanup;
 	  }
 
@@ -392,7 +380,7 @@
 		      etype_string(keys[i].enctype), keytab_str);
      }
 
-     code = kadm5_free_principal_ent(handle, &princ_rec);
+     code = kadm5_free_principal_ent(lhandle, &princ_rec);
      if (code != 0) {
 		com_err(whoami, code, gettext("while freeing principal entry"));
 	  goto cleanup;
@@ -410,28 +398,27 @@
      if (permitted_etypes != NULL && ks_tuple == NULL)
 	free(permitted_etypes);
 
-     return (code);
+     return code;
 }
 
-int
-remove_principal(char *keytab_str, krb5_keytab keytab, char
+int remove_principal(char *keytab_str, krb5_keytab keytab, char
 		     *princ_str, char *kvno_str) 
 {
      krb5_principal princ;
      krb5_keytab_entry entry;
      krb5_kt_cursor cursor;
-	enum {
-		UNDEF, SPEC, HIGH, ALL, OLD
-	}    mode;
-     int code, kvno, did_something;
+     enum { UNDEF, SPEC, HIGH, ALL, OLD } mode;
+     int code, did_something;
+     krb5_kvno kvno;
 
      code = krb5_parse_name(context, princ_str, &princ);
      if (code != 0) {
 		com_err(whoami, code,
 			gettext("while parsing principal name %s"),
 		  princ_str);
-		return (code);
+	  return code;
      }
+
      mode = UNDEF;
      if (kvno_str == NULL) {
 	  mode = HIGH;
@@ -471,8 +458,9 @@
 				gettext("while retrieving highest "
 					"kvno from keytab"));
 	  }
-		return (code);
+	  return code;
      }
+
      /* set kvno to spec'ed value for SPEC, highest kvno otherwise */
      kvno = entry.vno;
      krb5_kt_free_entry(context, &entry);
@@ -480,11 +468,11 @@
      code = krb5_kt_start_seq_get(context, keytab, &cursor);
      if (code != 0) {
 		com_err(whoami, code, gettext("while starting keytab scan"));
-		return (code);
+	  return code;
      }
+
      did_something = 0;
-	while ((code = krb5_kt_next_entry(context,
-		    keytab, &entry, &cursor)) == 0) {
+     while ((code = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
 	  if (krb5_principal_compare(context, princ, entry.principal) &&
 	      ((mode == ALL) ||
 	       (mode == SPEC && entry.vno == kvno) ||
@@ -492,30 +480,31 @@
 	       (mode == HIGH && entry.vno == kvno))) {
 
 	       /*
-			 * Ack!  What a kludge... the scanning functions
-			 * lock the keytab so entries cannot be removed
-			 * while they are operating.
+		* Ack!  What a kludge... the scanning functions lock
+		* the keytab so entries cannot be removed while they
+		* are operating.
 		*/
 	       code = krb5_kt_end_seq_get(context, keytab, &cursor);
 	       if (code != 0) {
 				com_err(whoami, code,
 					gettext("while temporarily "
 						"ending keytab scan"));
-				return (code);
+		    return code;
 	       }
 	       code = krb5_kt_remove_entry(context, keytab, &entry);
 	       if (code != 0) {
 				com_err(whoami, code,
 					gettext("while deleting entry "
 						"from keytab"));
-				return (code);
+		    return code;
 	       }
 	       code = krb5_kt_start_seq_get(context, keytab, &cursor);
 	       if (code != 0) {
 				com_err(whoami, code,
 				    gettext("while restarting keytab scan"));
-				return (code);
+		    return code;
 	       }
+
 	       did_something++;
 	       if (!quiet)
 				printf(gettext("Entry for principal "
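Review bot: The three early returns inside the scan loop (after krb5_kt_end_seq_get, krb5_kt_remove_entry and krb5_kt_start_seq_get fail) leave without releasing `entry`, which krb5_kt_next_entry filled and which holds the key being removed; no krb5_kt_free_entry call appears between the failure and `return code`. `princ` from krb5_parse_name is in the same position on these paths, and the returns in the last hunk of the function (-527,25) show no krb5_free_principal either. When kadmin runs as a request loop (ss_listen in ss_wrapper.c) the process survives a failed ktremove, so that key material stays on the heap; I would route the failures through one exit label that calls `krb5_kt_free_entry(context, &entry);` where an entry is held and `krb5_free_principal(context, princ);` always. The remainder of the loop body is outside this hunk, so the free on the normal path is assumed to be there.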
@@ -527,25 +516,27 @@
      }
      if (code && code != KRB5_KT_END) {
 		com_err(whoami, code, gettext("while scanning keytab"));
-		return (code);
+	  return code;
      }
-     if (code = krb5_kt_end_seq_get(context, keytab, &cursor)) {
+     if ((code = krb5_kt_end_seq_get(context, keytab, &cursor))) {
 		com_err(whoami, code, gettext("while ending keytab scan"));
-		return (code);
+	  return code;
      }
+
      /*
-	 * If !did_someting then mode must be OLD or we would have already
-	 * returned with an error.  But check it anyway just to prevent
-	 * unexpected error messages...
+      * If !did_someting then mode must be OLD or we would have
+      * already returned with an error.  But check it anyway just to
+      * prevent unexpected error messages...
       */
      if (!did_something && mode == OLD) {
 		fprintf(stderr,
 		    gettext("%s: There is only one entry for principal "
 			"%s in keytab %s\n"),
 		    whoami, princ_str, keytab_str);
-		return (1);
+	  return 1;
      }
-	return (0);
+     
+     return 0;
 }
 
 /*
@@ -553,15 +544,14 @@
  * encryption type.  XXX copied from klist.c; this should be a
  * library function, or perhaps just #defines
  */
-static char *
-etype_string(enctype)
+static char *etype_string(enctype)
     krb5_enctype enctype;
 {
     static char buf[100];
     krb5_error_code ret;
 
-    if (ret = krb5_enctype_to_string(enctype, buf, sizeof(buf)))
+    if ((ret = krb5_enctype_to_string(enctype, buf, sizeof(buf))))
 	sprintf(buf, "etype %d", enctype);
 
-    return (buf);
+    return buf;
 }
--- a/usr/src/cmd/krb5/kadmin/cli/ss_wrapper.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/cli/ss_wrapper.c	Sat Oct 07 13:37:05 2006 -0700
@@ -26,7 +26,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- *
+ * 
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -40,7 +40,7 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
+ * 
  *
  * ss wrapper for kadmin
  */
@@ -51,22 +51,21 @@
 #include <string.h>
 #include <libintl.h>
 #include <locale.h>
+#include "kadmin.h"
 
 extern ss_request_table kadmin_cmds;
 extern int exit_status;
-extern char *kadmin_startup();
 extern char *whoami;
 
-int
-main(argc, argv)
-int argc;
-char *argv[];
+int main(argc, argv)
+    int argc;
+    char *argv[];
 {
-	char *request;
-	krb5_error_code retval;
-	int sci_idx, code = 0;
+    char *request;
+    krb5_error_code retval;
+    int sci_idx, code = 0;
 
-	whoami = ((whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0]);
+    whoami = ((whoami = strrchr(argv[0], '/')) ? whoami+1 : argv[0]);
 
 	(void) setlocale(LC_ALL, "");
 
@@ -76,24 +75,24 @@
 
 	(void) textdomain(TEXT_DOMAIN);
 
-	request = kadmin_startup(argc, argv);
-	sci_idx = ss_create_invocation(whoami, "5.0", (char *) NULL,
-	    &kadmin_cmds, &retval);
-	if (retval) {
-		ss_perror(sci_idx, retval, gettext("creating invocation"));
-		exit(1);
-	}
+    request = kadmin_startup(argc, argv);
+    sci_idx = ss_create_invocation(whoami, "5.0", (char *) NULL,
+				   &kadmin_cmds, &retval);
+    if (retval) {
+	ss_perror(sci_idx, retval, gettext("creating invocation"));
+	exit(1);
+    }
 
 	(void) setlocale(LC_ALL, "");
 	(void) textdomain(TEXT_DOMAIN);
 
-	if (request) {
-		code = ss_execute_line(sci_idx, request);
-		if (code != 0) {
-			ss_perror(sci_idx, code, request);
-			exit_status++;
-		}
-	} else
-		ss_listen(sci_idx, &retval);
-	return (quit() ? 1 : exit_status);
+    if (request) {
+	    code = ss_execute_line(sci_idx, request);
+	    if (code != 0) {
+		    ss_perror(sci_idx, code, request);
+		    exit_status++;
+	    }
+    } else
+            retval = ss_listen(sci_idx);
+    return quit() ? 1 : exit_status;
 }
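Review bot: The value now returned by `ss_listen(sci_idx)` is stored in `retval` and never read, so whatever the request loop reports does not reach the exit status; main goes straight to `return quit() ? 1 : exit_status;`. If a non-zero return signals failure, handle it like the ss_execute_line branch does, e.g. `if (retval) exit_status++;`, and otherwise write `(void) ss_listen(sci_idx);` so the intent is explicit. The new lines also mix four-space, tab and eight-space indentation within the same if/else, which makes the unbraced `else` harder to read.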
--- a/usr/src/cmd/krb5/kadmin/dbutil/Makefile	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/Makefile	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -9,7 +9,7 @@
 
 OBJS	= kdb5_util.o \
         kdb5_create.o kadm5_create.o string_table.o kdb5_stash.o \
-        kdb5_destroy.o ovload.o dump.o
+        kdb5_destroy.o ovload.o strtok.o dump.o
 
 SRCS	= $(OBJS:.o=.c)
 
--- a/usr/src/cmd/krb5/kadmin/dbutil/dump.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/dump.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -73,7 +73,7 @@
 #define krb5_dbm_db_set_lockmode krb5_db_set_lockmode
 #define krb5_dbm_db_close_database krb5_db_close_database
 #define krb5_dbm_db_open_database krb5_db_open_database
-#define krb5_dbm_db_iterate krb5_db_iterate
+#define krb5_dbm_db_iterate krb5_db_iterate_ext
 
 #include <stdio.h>
 #include <com_err.h>
@@ -82,8 +82,7 @@
 #include <libintl.h>
 
 #include "kdb5_util.h"
-
-#if	HAVE_REGEX_H
+#if defined(HAVE_REGEX_H) && defined(HAVE_REGCOMP)
 #include <regex.h>
 #endif	/* HAVE_REGEX_H */
 
@@ -92,11 +91,12 @@
  */
 extern krb5_keyblock master_key;
 extern krb5_principal master_princ;
-extern int valid_master_key;
-extern void usage();
 static int			mkey_convert;
 static krb5_keyblock		new_master_key;
 
+static int	backwards;
+static int	recursive;
+
 /*
  * Use compile(3) if no regcomp present.
  */
@@ -120,45 +120,41 @@
     int			verbose;
 };
 
-static krb5_error_code dump_k5beta_iterator
-(krb5_pointer,
-						       krb5_db_entry *);
-static krb5_error_code dump_k5beta6_iterator
-(krb5_pointer,
-							krb5_db_entry *);
-static krb5_error_code dump_iprop_iterator
-(krb5_pointer,
-							krb5_db_entry *);
-static krb5_error_code dump_k5beta7_princ
-(krb5_pointer,
-						     krb5_db_entry *);
-static krb5_error_code dump_iprop_princ
-(krb5_pointer,
-						     krb5_db_entry *);
-static krb5_error_code dump_ov_princ
-(krb5_pointer,
-						krb5_db_entry *);
+static krb5_error_code dump_k5beta_iterator (krb5_pointer,
+					     krb5_db_entry *);
+static krb5_error_code dump_k5beta6_iterator (krb5_pointer,
+					      krb5_db_entry *);
+static krb5_error_code dump_k5beta6_iterator_ext (krb5_pointer,
+						  krb5_db_entry *,
+						  int);
+static krb5_error_code dump_iprop_iterator (krb5_pointer,
+						  krb5_db_entry *);
+static krb5_error_code dump_k5beta7_princ (krb5_pointer,
+					   krb5_db_entry *);
+static krb5_error_code dump_k5beta7_princ_ext (krb5_pointer,
+					       krb5_db_entry *,
+					       int);
+static krb5_error_code dump_k5beta7_princ_withpolicy
+			(krb5_pointer, krb5_db_entry *);
+static krb5_error_code dump_iprop_princ (krb5_pointer,
+					       krb5_db_entry *);
+static krb5_error_code dump_ov_princ (krb5_pointer,
+				      krb5_db_entry *);
 static void dump_k5beta7_policy (void *, osa_policy_ent_t);
 
-typedef
-krb5_error_code(*dump_func) (krb5_pointer,
-					       krb5_db_entry *);
+typedef krb5_error_code (*dump_func)(krb5_pointer,
+				     krb5_db_entry *);
 
-static int process_k5beta_record
-(char *, krb5_context,
-					    FILE *, int, int *, void *);
-static int process_k5beta6_record
-(char *, krb5_context,
-					     FILE *, int, int *, void *);
-static int process_k5beta7_record
-(char *, krb5_context,
-					     FILE *, int, int *, void *);
-static int process_ov_record
-(char *, krb5_context,
-					FILE *, int, int *, void *);
-typedef
-krb5_error_code(*load_func) (char *, krb5_context,
-					       FILE *, int, int *, void *);
+static int process_k5beta_record (char *, krb5_context,
+				  FILE *, int, int *, void *);
+static int process_k5beta6_record (char *, krb5_context,
+				   FILE *, int, int *, void *);
+static int process_k5beta7_record (char *, krb5_context,
+				   FILE *, int, int *, void *);
+static int process_ov_record (char *, krb5_context,
+			      FILE *, int, int *, void *);
+typedef krb5_error_code (*load_func)(char *, krb5_context,
+				     FILE *, int, int *, void *);
 
 typedef struct _dump_version {
      char *name;
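Review bot: `load_func` is declared as returning `krb5_error_code`, but the four process_*_record functions it is meant to point at are prototyped just above as returning `int`. That is only compatible while krb5_error_code happens to be a typedef for int; the typedef should read `typedef int (*load_func)(char *, krb5_context, FILE *, int, int *, void *);` so the version-table initialisers have exactly the declared type. Since these prototypes were all rewritten here, adding parameter names would also document what the two int arguments and the `void *` carry.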
@@ -216,6 +212,16 @@
      process_ov_record,
 };
 
+dump_version r1_3_version = {
+     "Kerberos version 5 release 1.3",
+     "kdb5_util load_dump version 5\n",
+     0,
+     0,
+     dump_k5beta7_princ_withpolicy,
+     dump_k5beta7_policy,
+     process_k5beta7_record,
+};
+
 /* External data */
 extern char		*current_dbname;
 extern krb5_boolean	dbactive;
@@ -225,9 +231,7 @@
 
 /* Strings */
 
-static const char k5beta_dump_header[] = "kdb5_edit load_dump version 2.0\n";
-static const char k5beta6_dump_header[] = "kdb5_edit load_dump version 3.0\n";
-static const char k5beta7_dump_header[] = "kdb5_edit load_dump version 4\n";
+#define k5beta_dump_header	"kdb5_edit load_dump version 2.0\n"
 
 static const char null_mprinc_name[] = "kdb5_dump@MISSING";
 
@@ -369,6 +373,7 @@
 
 static const char oldoption[] = "-old";
 static const char b6option[] = "-b6";
+static const char b7option[] = "-b7";
 static const char ipropoption[] = "-i";
 static const char verboseoption[] = "-verbose";
 static const char updateoption[] = "-update";
@@ -379,14 +384,14 @@
 /*
  * Re-encrypt the key_data with the new master key...
  */
-krb5_error_code master_key_convert(context, db_entry)
+static krb5_error_code master_key_convert(context, db_entry)
     krb5_context	  context;
     krb5_db_entry	* db_entry;
 {
     krb5_error_code	retval;
     krb5_keyblock 	v5plainkey, *key_ptr;
     krb5_keysalt 	keysalt;
-    int	      i;
+    int	      i, j;
     krb5_key_data	new_key_data, *key_data;
     krb5_boolean	is_mkey;
 
@@ -416,7 +421,11 @@
 	if (retval)
 		return retval;
 	krb5_free_keyblock_contents(context, &v5plainkey);
-	free(key_data->key_data_contents);
+	for (j = 0; j < key_data->key_data_ver; j++) {
+	    if (key_data->key_data_length[j]) {
+		free(key_data->key_data_contents[j]);
+	    }
+	}
 	*key_data = new_key_data;
     }
     return 0;
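Review bot: The new free loop uses `key_data->key_data_ver` as the bound for indexing `key_data_length[j]` and `key_data_contents[j]`, and that version field comes from the database entry being converted. krb5_key_data, as far as I know, declares both members as two-element arrays (key and salt), so a record carrying a larger version value would read and free past them; `for (j = 0; j < key_data->key_data_ver && j < 2; j++)` bounds it, or use the array's element count instead of the literal. Separately, `if (retval) return retval;` sits above `krb5_free_keyblock_contents(context, &v5plainkey)`, so if the failing call is the re-encryption step (it is outside the hunk) the decrypted key stays allocated on that path. master_key_convert starts before this hunk.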
@@ -425,8 +434,7 @@
 /*
  * Update the "ok" file.
  */
-void
-update_ok_file(file_name)
+void update_ok_file (file_name)
      char *file_name;
 {
 	/* handle slave locking/failure stuff */
@@ -460,8 +468,10 @@
 	     free(file_ok);
 	     return;
 	}
+
 	free(file_ok);
 	close(fd);
+	return;
 }
 
 /*
@@ -479,20 +489,16 @@
     int		match_error;
     char	match_errmsg[BUFSIZ];
     size_t	errmsg_size;
-
 #elif	HAVE_REGEXP_H
     char	regexp_buffer[RE_BUF_SIZE];
-
 #elif	HAVE_RE_COMP
     extern char	*re_comp();
     char	*re_result;
-
 #endif	/* HAVE_RE_COMP */
     int		i, match;
 
     /*
-	 * Plow, brute force, through the list of names/regular
-	 * expressions.
+     * Plow, brute force, through the list of names/regular expressions.
      */
     match = (arglist->nnames) ? 0 : 1;
     for (i=0; i<arglist->nnames; i++) {
@@ -500,9 +506,8 @@
 	/*
 	 * Compile the regular expression.
 	 */
-	if (match_error = regcomp(&match_exp,
-				  arglist->names[i],
-				  REG_EXTENDED)) {
+	match_error = regcomp(&match_exp, arglist->names[i], REG_EXTENDED);
+	if (match_error) {
 	    errmsg_size = regerror(match_error,
 				   &match_exp,
 				   match_errmsg,
@@ -514,8 +519,8 @@
 	/*
 	 * See if we have a match.
 	 */
-		if (match_error = regexec(&match_exp,
-					name, 1, &match_match, 0)) {
+	match_error = regexec(&match_exp, name, 1, &match_match, 0);
+	if (match_error) {
 	    if (match_error != REG_NOMATCH) {
 		errmsg_size = regerror(match_error,
 				       &match_exp,
@@ -525,7 +530,8 @@
 			arglist->programname, match_errmsg);
 		break;
 	    }
-		} else {
+	}
+	else {
 	    /*
 	     * We have a match.  See if it matches the whole
 	     * name.
@@ -553,18 +559,16 @@
 	 * Compile the regular expression.
 	 */
 	if (re_result = re_comp(arglist->names[i])) {
-			fprintf(stderr, gettext(regex_err),
-			    arglist->programname, re_result);
+	    fprintf(stderr, gettext(regex_err), arglist->programname, re_result);
 	    break;
 	}
 	if (re_exec(name))
 	    match = 1;
 #else	/* HAVE_RE_COMP */
 	/*
-		 * If no regular expression support, then just compare the
-		 * strings.
+	 * If no regular expression support, then just compare the strings.
 	 */
-		if (strcmp(arglist->names[i], name) == 0)
+	if (!strcmp(arglist->names[i], name))
 	    match = 1;
 #endif	/* HAVE_REGCOMP */
 	if (match)
@@ -601,6 +605,7 @@
     return(ENOENT);    
 }
 
+#if 0
 /*
  * dump_k5beta_header()	- Make a dump header that is recognizable by Kerberos
  *			  Version 5 Beta 5 and previous releases.
@@ -613,6 +618,7 @@
     fprintf(arglist->ofile, k5beta_dump_header);
     return(0);
 }
+#endif
 
 /*
  * dump_k5beta_iterator()	- Dump an entry in a format that is usable
@@ -693,12 +699,11 @@
 	    mod_name = strdup(null_mprinc_name);
 
 	/*
-		 * Find the last password change record and set it
-		 * straight.
+	 * Find the last password change record and set it straight.
 	 */
 	if ((retval =
 	     krb5_dbe_lookup_last_pwd_change(arg->kcontext, entry,
-			&last_pwd_change))) {
+					     &last_pwd_change))) {
 			fprintf(stderr, gettext(nokeys_err),
 			    arg->programname, name);
 	    krb5_xfree(mod_name);
@@ -723,25 +728,22 @@
 	    krb5_xfree(name);
 	    return(retval);
 	}
-		/*
-		 * If we only have one type, then ship it out as the
-		 * primary.
-		 */
+
+	/* If we only have one type, then ship it out as the primary. */
 	if (!pkey && akey) {
 	    pkey = akey;
 	    akey = &nullkey;
-		} else {
+	}
+	else {
 	    if (!akey)
 		akey = &nullkey;
 	}
 
 	/*
-		 * First put out strings representing the length of the
-		 * variable length data in this record, then the name and
-		 * the primary key type.
+	 * First put out strings representing the length of the variable
+	 * length data in this record, then the name and the primary key type.
 	 */
-		fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%d\t%s\t%d\t",
-		    strlen(name),
+	fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%d\t%s\t%d\t", strlen(name),
 		strlen(mod_name),
 		(krb5_int32) pkey->key_data_length[0],
 		(krb5_int32) akey->key_data_length[0],
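Review bot: `strlen(name)` and `strlen(mod_name)` are passed for `%d` conversions in the record-header fprintf; strlen returns size_t, so on a 64-bit build the arguments do not match the format, which is undefined behaviour and can misalign every later field of the dump line. Cast at the call, `(int) strlen(name), (int) strlen(mod_name),`, which leaves the dump format unchanged. The fprintf in the next hunk (-750,40) has the mirror-image mismatch, printing `(krb5_int32)` values with `%u`. The argument list continues past the end of this hunk.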
@@ -750,40 +752,34 @@
 		name,
 		(krb5_int32) pkey->key_data_type[0]);
 	for (i=0; i<pkey->key_data_length[0]; i++) {
-			fprintf(arg->ofile, "%02x",
-				pkey->key_data_contents[0][i]);
+	    fprintf(arg->ofile, "%02x", pkey->key_data_contents[0][i]);
 	}
 	/*
-		 * Second, print out strings representing the standard
-		 * integer data in this record.
+	 * Second, print out strings representing the standard integer
+	 * data in this record.
 	 */
 	fprintf(arg->ofile,
-			"\t%u\t%u\t%u\t%u\t%u\t%u\t%u"
-			"\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t",
+		"\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t",
 		(krb5_int32) pkey->key_data_kvno,
 		entry->max_life, entry->max_renewable_life,
-			1 /* Fake mkvno */, entry->expiration,
-			entry->pw_expiration, last_pwd_change,
-			entry->last_success, entry->last_failed,
+		1 /* Fake mkvno */, entry->expiration, entry->pw_expiration,
+		last_pwd_change, entry->last_success, entry->last_failed,
 		entry->fail_auth_count, mod_name, mod_date,
 		entry->attributes, pkey->key_data_type[1]);
 
 	/* Pound out the salt data, if present. */
 	for (i=0; i<pkey->key_data_length[1]; i++) {
-			fprintf(arg->ofile, "%02x",
-				pkey->key_data_contents[1][i]);
+	    fprintf(arg->ofile, "%02x", pkey->key_data_contents[1][i]);
 	}
 	/* Pound out the alternate key type and contents */
 	fprintf(arg->ofile, "\t%u\t", akey->key_data_type[0]);
 	for (i=0; i<akey->key_data_length[0]; i++) {
-			fprintf(arg->ofile, "%02x",
-				akey->key_data_contents[0][i]);
+	    fprintf(arg->ofile, "%02x", akey->key_data_contents[0][i]);
 	}
 	/* Pound out the alternate salt type and contents */
 	fprintf(arg->ofile, "\t%u\t", akey->key_data_type[1]);
 	for (i=0; i<akey->key_data_length[1]; i++) {
-			fprintf(arg->ofile, "%02x",
-				akey->key_data_contents[1][i]);
+	    fprintf(arg->ofile, "%02x", akey->key_data_contents[1][i]);
 	}
 	/* Pound out the expansion data. (is null) */
 	for (i=0; i < 8; i++) {
@@ -807,6 +803,15 @@
     krb5_pointer	ptr;
     krb5_db_entry	*entry;
 {
+    return dump_k5beta6_iterator_ext(ptr, entry, 0);
+}
+
+static krb5_error_code
+dump_k5beta6_iterator_ext(ptr, entry, kadm)
+    krb5_pointer	ptr;
+    krb5_db_entry	*entry;
+    int			kadm;
+{
     krb5_error_code	retval;
     struct dump_args	*arg;
     char		*name;
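Review bot: The new `kadm` parameter of dump_k5beta6_iterator_ext is undocumented, and its effect only becomes visible in the following hunks, where it decides whether KRB5_TL_KADM_DATA records are counted and written. I would add a header comment such as `/* kadm != 0: also dump KRB5_TL_KADM_DATA tl_data, which earlier revisions do not understand [krb5-admin/89] */`. The same applies to dump_k5beta7_princ_ext in hunk -1136,6. Both new functions are K&R-style definitions although their prototypes are ANSI; as the lines are new, `dump_k5beta6_iterator_ext(krb5_pointer ptr, krb5_db_entry *entry, int kadm)` would let the compiler check the definition against the prototype. The function body continues outside this hunk.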
@@ -846,39 +851,45 @@
      */
     if (!arg->nnames || name_matches(name, arg)) {
 	/*
-	 * We'd like to just blast out the contents as they would
-	 * appear in the database so that we can just suck it back
-	 * in, but it doesn't lend itself to easy editing.
+	 * We'd like to just blast out the contents as they would appear in
+	 * the database so that we can just suck it back in, but it doesn't
+	 * lend itself to easy editing.
 	 */
 
 	/*
-	 * The dump format is as follows: len strlen(name)
-	 * n_tl_data n_key_data e_length name attributes max_life
-	 * max_renewable_life expiration pw_expiration last_success
-	 * last_failed fail_auth_count n_tl_data*[type length
-	 * <contents>] n_key_data*[ver kvno ver*(type length
-	 * <contents>)] <e_data> Fields which are not encapsulated
-	 * by angle-brackets are to appear verbatim.  Bracketed
-	 * fields absence is indicated by a -1 in its place
+	 * The dump format is as follows:
+	 *	len strlen(name) n_tl_data n_key_data e_length
+	 *	name
+	 *	attributes max_life max_renewable_life expiration
+	 *	pw_expiration last_success last_failed fail_auth_count
+	 *	n_tl_data*[type length <contents>]
+	 *	n_key_data*[ver kvno ver*(type length <contents>)]
+	 *	<e_data>
+	 * Fields which are not encapsulated by angle-brackets are to appear
+	 * verbatim.  A bracketed field's absence is indicated by a -1 in its
+	 * place
 	 */
 
-	/* 
+	/*
 	 * Make sure that the tagged list is reasonably correct.
 	 */
 	counter = skip = 0;
 	for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) {
-		/*
-		 * don't dump tl data types we know aren't
-		 * understood by earlier revisions [krb5-admin/89]
-		 */
-		switch (tlp->tl_data_type) {
-		case KRB5_TL_KADM_DATA:
-			skip++;
-			break;
-		default:
-			counter++;
-			break;
-		}
+	     /*
+	      * don't dump tl data types we know aren't understood by
+	      * earlier revisions [krb5-admin/89]
+	      */
+	     switch (tlp->tl_data_type) {
+	     case KRB5_TL_KADM_DATA:
+		  if (kadm)
+		      counter++;
+		  else
+		      skip++;
+		  break;
+	     default:
+		  counter++;
+		  break;
+	     }
 	}
 	
 	if (counter + skip == entry->n_tl_data) {
@@ -900,30 +911,23 @@
 		    entry->last_failed,
 		    entry->fail_auth_count);
 	    /* Pound out tagged data. */
-			for (tlp = entry->tl_data; tlp;
-			    tlp = tlp->tl_data_next) {
-				if (tlp->tl_data_type == KRB5_TL_KADM_DATA)
-					/* see above, [krb5-admin/89] */
-					continue;
+	    for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) {
+		if (tlp->tl_data_type == KRB5_TL_KADM_DATA && !kadm)
+		     continue; /* see above, [krb5-admin/89] */
 
 		fprintf(arg->ofile, "%d\t%d\t",
 			(int) tlp->tl_data_type,
 			(int) tlp->tl_data_length);
 		if (tlp->tl_data_length)
-					for (i = 0;
-					    i < tlp->tl_data_length;
-					    i++)
-						fprintf(arg->ofile, "%02x",
-							tlp->
-							tl_data_contents[i]);
+		    for (i=0; i<tlp->tl_data_length; i++)
+			fprintf(arg->ofile, "%02x", tlp->tl_data_contents[i]);
 		else
 		    fprintf(arg->ofile, "%d", -1);
 		fprintf(arg->ofile, "\t");
 	    }
 
 	    /* Pound out key data */
-			for (counter = 0;
-			    counter < entry->n_key_data; counter++) {
+	    for (counter=0; counter<entry->n_key_data; counter++) {
 		kdata = &entry->key_data[counter];
 		fprintf(arg->ofile, "%d\t%d\t",
 			(int) kdata->key_data_ver,
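Review bot: The tagged-data output is now written as `if (tlp->tl_data_length)` followed by an unbraced `for`, an unbraced `fprintf`, and then `else`, so the `else` pairs with the `if` only because the entire loop counts as one statement. That is easy to misread in code that serialises key database records, and any edit to the loop body has to preserve it exactly. I would brace both arms, `if (tlp->tl_data_length) { for (...) fprintf(...); } else { fprintf(arg->ofile, "%d", -1); }`. The key-data and e_data loops in hunks -933,15 and -951,8 have the same shape.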
@@ -933,15 +937,9 @@
 			    kdata->key_data_type[i],
 			    kdata->key_data_length[i]);
 		    if (kdata->key_data_length[i])
-						for (j = 0;
-						    j < kdata->
-							key_data_length[i];
-						    j++)
-							fprintf(arg->ofile,
-							    "%02x",
-							    kdata->
-							    key_data_contents
-								[i][j]);
+			for (j=0; j<kdata->key_data_length[i]; j++)
+			    fprintf(arg->ofile, "%02x",
+				    kdata->key_data_contents[i][j]);
 		    else
 			fprintf(arg->ofile, "%d", -1);
 		    fprintf(arg->ofile, "\t");
@@ -951,8 +949,7 @@
 	    /* Pound out extra data */
 	    if (entry->e_length)
 		for (i=0; i<entry->e_length; i++)
-					fprintf(arg->ofile, "%02x",
-						entry->e_data[i]);
+		    fprintf(arg->ofile, "%02x", entry->e_data[i]);
 	    else
 		fprintf(arg->ofile, "%d", -1);
 
@@ -961,9 +958,10 @@
 
 	    if (arg->verbose)
 		fprintf(stderr, "%s\n", name);
-		} else {
+	}
+	else {
 			fprintf(stderr, gettext(sdump_tl_inc_err),
-		    arg->programname, name, counter + skip,
+		    arg->programname, name, counter+skip,
 		    (int) entry->n_tl_data); 
 	    retval = EINVAL;
 	}
@@ -971,6 +969,7 @@
     krb5_xfree(name);
     return(retval);
 }
+
 /*
  * dump_iprop_iterator()	- Output a dump record in iprop format.
  */
@@ -1136,6 +1135,15 @@
     krb5_pointer	ptr;
     krb5_db_entry	*entry;
 {
+    return dump_k5beta7_princ_ext(ptr, entry, 0);
+}
+
+static krb5_error_code
+dump_k5beta7_princ_ext(ptr, entry, kadm)
+    krb5_pointer	ptr;
+    krb5_db_entry	*entry;
+    int			kadm;
+{
      krb5_error_code retval;
      struct dump_args *arg;
      char *name;
@@ -1165,11 +1173,12 @@
 	  /* save the callee from matching the name again */
 	  tmp_nnames = arg->nnames;
 	  arg->nnames = 0;
-	  retval = dump_k5beta6_iterator(ptr, entry);
+	  retval = dump_k5beta6_iterator_ext(ptr, entry, kadm);
 	  arg->nnames = tmp_nnames;
      }
+
      free(name);
-	return (retval);
+     return retval;
 }
 
 /*
@@ -1216,8 +1225,16 @@
      free(name);
 	return (retval);
 }
-void
-dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
+
+static krb5_error_code
+dump_k5beta7_princ_withpolicy(ptr, entry)
+    krb5_pointer	ptr;
+    krb5_db_entry	*entry;
+{
+    return dump_k5beta7_princ_ext(ptr, entry, 1);
+}
+
+void dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
 {
      struct dump_args *arg;
 
@@ -1228,8 +1245,7 @@
 	     entry->policy_refcnt);
 }
 
-void
-print_key_data(FILE * f, krb5_key_data * key_data)
+static void print_key_data(FILE *f, krb5_key_data *key_data)
 {
      int c;
      
@@ -1263,11 +1279,10 @@
  *	nuttin
  * 
  */
-static krb5_error_code
-dump_ov_princ(krb5_pointer ptr, krb5_db_entry * kdb)
+static krb5_error_code dump_ov_princ(krb5_pointer ptr, krb5_db_entry *kdb)
 {
     char *princstr;
-    int	x, y, foundcrc, ret;
+    int	x, y, foundcrc;
     struct dump_args *arg;
     krb5_tl_data tl_data;
     osa_princ_ent_rec adb;
@@ -1276,21 +1291,21 @@
     arg = (struct dump_args *) ptr;
     /*
      * XXX Currently, lookup_tl_data always returns zero; it sets
-	 * tl_data->tl_data_length to zero if the type isn't found. This
-	 * should be fixed...
+     * tl_data->tl_data_length to zero if the type isn't found.
+     * This should be fixed...
      */
     /*
      * XXX Should this function do nothing for a principal with no
-	 * admin data, or print a record of "default" values?   See comment
-	 * in server_kdb.c to help decide.
+     * admin data, or print a record of "default" values?   See
+     * comment in server_kdb.c to help decide.
      */
     tl_data.tl_data_type = KRB5_TL_KADM_DATA;
-	if ((ret = krb5_dbe_lookup_tl_data(arg->kcontext, kdb, &tl_data)) ||
-	    (tl_data.tl_data_length == 0))
-		return (0);
+    if (krb5_dbe_lookup_tl_data(arg->kcontext, kdb, &tl_data)
+	|| (tl_data.tl_data_length == 0))
+	 return 0;
 
     memset(&adb, 0, sizeof(adb));
-	xdrmem_create(&xdrs, (const caddr_t) tl_data.tl_data_contents,
+    xdrmem_create(&xdrs, (const caddr_t) tl_data.tl_data_contents,
 		  tl_data.tl_data_length, XDR_DECODE);
     if (! xdr_osa_princ_ent_rec(&xdrs, &adb)) {
 	 xdr_destroy(&xdrs);
@@ -1304,7 +1319,7 @@
 	fputc('\t', arg->ofile);
     else
 	fprintf(arg->ofile, "%s\t", adb.policy);
-    fprintf(arg->ofile, "%x\t%d\t%d\t%d", adb.aux_attributes,
+    fprintf(arg->ofile, "%lx\t%d\t%d\t%d", adb.aux_attributes,
 	    adb.old_key_len,adb.old_key_next, adb.admin_history_kvno);
 
     for (x = 0; x < adb.old_key_len; x++) {
@@ -1337,12 +1352,14 @@
 
     fputc('\n', arg->ofile);
     free(princstr);
-	return (0);
+    return 0;
 }
 
 /*
  * usage is:
- *	dump_db [-i] [-old] [-b6] [-ov] [-verbose] [filename [principals...]]
+ *	dump_db [-i] [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert]
+ *		[-new_mkey_file mkey_file] [-rev] [-recurse]
+ *		[filename [principals...]]
  */
 void
 dump_db(argc, argv)
@@ -1351,7 +1368,6 @@
 {
     FILE		*f;
     struct dump_args	arglist;
-    int			error;
     char		*programname;
     char		*ofile;
     krb5_error_code	kret, retval;
@@ -1370,24 +1386,27 @@
     if (strrchr(programname, (int) '/'))
 	programname = strrchr(argv[0], (int) '/') + 1;
     ofile = (char *) NULL;
-    error = 0;
-    dump = &beta7_version;
+    dump = &r1_3_version;
     arglist.verbose = 0;
     new_mkey_file = 0;
     mkey_convert = 0;
+    backwards = 0;
+    recursive = 0;
     log_ctx = util_context->kdblog_context;
 
     /*
      * Parse the qualifiers.
      */
     for (aindex = 1; aindex < argc; aindex++) {
-		if (strcmp(argv[aindex], oldoption) == 0)
+	if (!strcmp(argv[aindex], oldoption))
 	     dump = &old_version;
-		else if (strcmp(argv[aindex], b6option) == 0)
+	else if (!strcmp(argv[aindex], b6option))
 	     dump = &beta6_version;
-		else if (strcmp(argv[aindex], ovoption) == 0)
+	else if (!strcmp(argv[aindex], b7option))
+	     dump = &beta7_version;
+	else if (!strcmp(argv[aindex], ovoption))
 	     dump = &ov_version;
-        	else if (!strcmp(argv[aindex], ipropoption)) {
+	else if (!strcmp(argv[aindex], ipropoption)) {
 			if (log_ctx && log_ctx->iproprole) {
 				dump = &iprop_version;
 				/*
@@ -1403,14 +1422,18 @@
 				return;
 			}
 		}
-		else if (strcmp(argv[aindex], verboseoption) == 0)
+	else if (!strcmp(argv[aindex], verboseoption))
 	    arglist.verbose++;
 	else if (!strcmp(argv[aindex], "-mkey_convert"))
 	    mkey_convert = 1;
 	else if (!strcmp(argv[aindex], "-new_mkey_file")) {
 	    new_mkey_file = argv[++aindex];
 	    mkey_convert = 1;
-	} else
+        } else if (!strcmp(argv[aindex], "-rev"))
+	    backwards = 1;
+	else if (!strcmp(argv[aindex], "-recurse"))
+	    recursive = 1;
+	else
 	    break;
     }
 
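Review bot: `new_mkey_file = argv[++aindex];` consumes the next argument without checking that one exists. When `-new_mkey_file` is the last word on the command line, argv[argc] is NULL, so the variable stays null while `mkey_convert` is still set to 1. The later `if (!new_mkey_file)` path then prompts for a master key instead of reporting the missing file name. A guard before the assignment, `if (aindex + 1 >= argc) usage();`, makes the mistake explicit, assuming usage() does not return. The option loop starts outside this hunk.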
@@ -1463,10 +1486,11 @@
 	    }
 	    if (!new_mkey_file)
 		    printf(gettext("Please enter new master key....\n"));
-
 	    if ((retval = krb5_db_fetch_mkey(util_context, master_princ, 
 					     global_params.enctype,
-					     !new_mkey_file, TRUE, 
+					     (new_mkey_file == 0) ? 
+					        (krb5_boolean) 1 : 0, 
+					     TRUE, 
 					     new_mkey_file, 0,
 					     &new_master_key))) { 
 		    com_err(argv[0], retval,
@@ -1479,13 +1503,19 @@
     locked = 0;
     if (ofile && strcmp(ofile, "-")) {
 	/*
+	 * Discourage accidental dumping to filenames beginning with '-'.
+	 */
+	if (ofile[0] == '-')
+	    usage();
+	/*
 	 * Make sure that we don't open and truncate on the fopen,
 	 * since that may hose an on-going kprop process.
 	 * 
-	 * We could also control this by opening for read and write,
-	 * doing an flock with LOCK_EX, and then truncating the
-	 * file once we have gotten the lock, but that would
-	 * involve more OS dependencies than I want to get into.
+	 * We could also control this by opening for read and
+	 * write, doing an flock with LOCK_EX, and then
+	 * truncating the file once we have gotten the lock,
+	 * but that would involve more OS dependencies than I
+	 * want to get into.
 	 */
 	unlink(ofile);
 	if (!(f = fopen(ofile, "w"))) {
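Review bot: `unlink(ofile)` followed by `fopen(ofile, "w")` leaves a window in which another process with write access to the directory can re-create the path, for example as a symbolic link, and fopen() will follow it; the file is also created with whatever mode the umask allows, although it holds the principal database's key data. Creating it exclusively with an explicit mode closes both gaps: `fd = open(ofile, O_WRONLY|O_CREAT|O_EXCL, 0600);` then `f = (fd < 0) ? NULL : fdopen(fd, "w");`, keeping the existing `!f` error branch. That needs an `int fd` local and <fcntl.h>, neither of which is visible here. The new `ofile[0] == '-'` check relies on usage() not returning; if it can return, control falls through to the unlink. dump_db continues outside the hunk.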
@@ -1500,7 +1530,8 @@
 			fprintf(stderr, gettext(oflock_error),
 		    programname, ofile, error_message(kret));
 	    exit_status++;
-		} else
+	}
+	else
 	    locked = 1;
     } else {
 	f = stdout;
@@ -1538,9 +1569,10 @@
 	if (dump->header[strlen(dump->header)-1] != '\n')
 	     fputc('\n', arglist.ofile);
 	
-		if ((kret = krb5_dbm_db_iterate(util_context,
-				    dump->dump_princ,
-				    (krb5_pointer) &arglist))) {
+	if ((kret = krb5_dbm_db_iterate(util_context,
+					dump->dump_princ,
+					(krb5_pointer) &arglist,
+					backwards, recursive))) {
 			fprintf(stderr, gettext(dumprec_err),
 		     programname, dump->name, error_message(kret));
 	     exit_status++;
@@ -1563,8 +1595,7 @@
 	}
     }
     if (locked)
-		(void) krb5_lock_file(util_context,
-				    fileno(f), KRB5_LOCKMODE_UNLOCK);
+	(void) krb5_lock_file(util_context, fileno(f), KRB5_LOCKMODE_UNLOCK);
 }
 
 /*
@@ -1673,6 +1704,7 @@
 	if (mprinc.mod_princ)
 	    krb5_free_principal(kcontext, mprinc.mod_princ);
     }
+
     /*
      * Handle last password change.
      */
@@ -1689,119 +1721,42 @@
 	linked = 0;
 	if (!pwchg) {
 	    /* No, allocate a new one */
-	    if ((pwchg = (krb5_tl_data *)
-		malloc(sizeof (krb5_tl_data)))) {
-		    memset(pwchg, 0, sizeof(krb5_tl_data));
-		    if (!(pwchg->tl_data_contents =
-			(krb5_octet *) malloc(sizeof (krb5_timestamp)))) {
-			    free(pwchg);
-			    pwchg = (krb5_tl_data *) NULL;
-		    } else {
-			pwchg->tl_data_type = KRB5_TL_LAST_PWD_CHANGE;
-			pwchg->tl_data_length =
-			    (krb5_int16) sizeof (krb5_timestamp);
-		    }
+	    if ((pwchg = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) {
+		memset(pwchg, 0, sizeof(krb5_tl_data));
+		if (!(pwchg->tl_data_contents =
+		      (krb5_octet *) malloc(sizeof(krb5_timestamp)))) {
+		    free(pwchg);
+		    pwchg = (krb5_tl_data *) NULL;
+		}
+		else {
+		    pwchg->tl_data_type = KRB5_TL_LAST_PWD_CHANGE;
+		    pwchg->tl_data_length =
+			(krb5_int16) sizeof(krb5_timestamp);
+		}
 	    }
-	} else
-	   linked = 1;
+	}
+	else
+	    linked = 1;
 
 	/* Do we have an entry? */
 	if (pwchg && pwchg->tl_data_contents) {
 	    /* Encode it */
-	    krb5_kdb_encode_int32(last_pwd_change,
-				pwchg->tl_data_contents);
+	    krb5_kdb_encode_int32(last_pwd_change, pwchg->tl_data_contents);
 	    /* Link it in if necessary */
 	    if (!linked) {
 		pwchg->tl_data_next = dbentp->tl_data;
 		dbentp->tl_data = pwchg;
 		dbentp->n_tl_data++;
 	    }
-	} else
+	}
+	else
 	    kret = ENOMEM;
     }
+
     return(kret);
 }
-
 #endif
 
-static int
-k5beta_parse_and_store(char *fname, krb5_context kcontext, int verbose,
-		    int *linenop, krb5_db_entry *dbent,
-		    char *name, char *mod_name,
-		    krb5_timestamp last_pwd_change,
-		    krb5_timestamp mod_date
-)
-{
-	int error;
-	int retval = 1;
-	krb5_error_code kret;
-	krb5_principal mod_princ;
-	krb5_key_data *pkey, *akey;
-
-	pkey = &dbent->key_data[0];
-	akey = &dbent->key_data[1];
-
-	if (!(kret = krb5_parse_name(kcontext, name, &dbent->princ))) {
-		if (!(kret =
-			krb5_parse_name(kcontext, mod_name, &mod_princ))) {
-			if (!(kret = krb5_dbe_update_mod_princ_data(
-					kcontext, dbent,
-					mod_date, mod_princ)) &&
-			    !(kret = krb5_dbe_update_last_pwd_change(
-					kcontext, dbent, last_pwd_change))) {
-				int one = 1;
-
-				dbent->len = KRB5_KDB_V1_BASE_LENGTH;
-				pkey->key_data_ver =
-					(pkey->key_data_type[1] ||
-					pkey->key_data_length[1]) ? 2 : 1;
-				akey->key_data_ver =
-					(akey->key_data_type[1] ||
-					akey->key_data_length[1]) ? 2 : 1;
-				if ((pkey->key_data_type[0] ==
-				    akey->key_data_type[0]) &&
-				    (pkey->key_data_type[1] ==
-				    akey->key_data_type[1]))
-					dbent->n_key_data--;
-				else if ((akey->key_data_type[0] == 0) &&
-					(akey->key_data_length[0] == 0) &&
-					(akey->key_data_type[1] == 0) &&
-					(akey->key_data_length[1] == 0))
-					dbent->n_key_data--;
-				if ((kret = krb5_db_put_principal(
-					kcontext, dbent, &one)) ||
-							(one != 1)) {
-					fprintf(stderr, gettext(store_err_fmt),
-						fname, *linenop, name,
-						error_message(kret));
-					error++;
-				} else {
-					if (verbose)
-						fprintf(stderr,
-							gettext(add_princ_fmt),
-							name);
-					retval = 0;
-				}
-				dbent->n_key_data = 2;
-			}
-			krb5_free_principal(kcontext, mod_princ);
-		} else {
-			fprintf(stderr,
-				gettext(parse_err_fmt),
-				fname, *linenop, mod_name,
-				error_message(kret));
-			error++;
-		}
-	} else {
-		fprintf(stderr, gettext(parse_err_fmt),
-			fname, *linenop, name,
-			error_message(kret));
-		error++;
-	}
-
-	return (retval);
-}
-
 /*
  * process_k5beta_record()	- Handle a dump record in old format.
  *
@@ -1871,15 +1826,14 @@
 	      (krb5_octet *) malloc((size_t) (key_len + 1)))) &&
 	    (!alt_key_len ||
 	     (akey->key_data_contents[0] = 
-			    (krb5_octet *)
-			    malloc((size_t) (alt_key_len + 1)))) &&
+	      (krb5_octet *) malloc((size_t) (alt_key_len + 1)))) &&
 	    (!salt_len ||
 	     (pkey->key_data_contents[1] = 
 	      (krb5_octet *) malloc((size_t) (salt_len + 1)))) &&
 	    (!alt_salt_len ||
 	     (akey->key_data_contents[1] = 
-			    (krb5_octet *)
-			    malloc((size_t) (alt_salt_len + 1))))) {
+	      (krb5_octet *) malloc((size_t) (alt_salt_len + 1))))
+	    ) {
 	    error = 0;
 
 	    /* Read the principal name */
@@ -1888,10 +1842,9 @@
 		error++;
 	    }
 	    /* Read the key type */
-	    if (!error &&
-		(fscanf(filep, "\t%d\t", &tmpint1) != 1)) {
-		    try2read = read_key_type;
-		    error++;
+	    if (!error && (fscanf(filep, "\t%d\t", &tmpint1) != 1)) {
+		try2read = read_key_type;
+		error++;
 	    }
 	    pkey->key_data_type[0] = tmpint1;
 	    /* Read the old format key */
@@ -1902,24 +1855,15 @@
 		error++;
 	    }
 	    /* convert to a new format key */
-	    /*
-	     * the encrypted version is stored as the
-	     * unencrypted key length (4 bytes, MSB first)
-	     * followed by the encrypted key.
-	     */
-	    if ((pkey->key_data_length[0] > 4) &&
-		(pkey->key_data_contents[0][0] == 0) &&
-		(pkey->key_data_contents[0][1] == 0)) {
-		    /*
-		     * this really does look like an old key,
-		     * so drop and swap
-		     */
-		    /*
-		     * the *new* length is 2 bytes, LSB first,
-		     * sigh.
-		     */
-		    size_t shortlen = pkey->key_data_length[0] - 4 + 2;
-		    krb5_octet *origdata = pkey->key_data_contents[0];
+	    /* the encrypted version is stored as the unencrypted key length
+	       (4 bytes, MSB first) followed by the encrypted key. */
+	    if ((pkey->key_data_length[0] > 4)
+		&& (pkey->key_data_contents[0][0] == 0)
+		&& (pkey->key_data_contents[0][1] == 0)) {
+	      /* this really does look like an old key, so drop and swap */
+	      /* the *new* length is 2 bytes, LSB first, sigh. */
+	      size_t shortlen = pkey->key_data_length[0]-4+2;
+	      krb5_octet *origdata = pkey->key_data_contents[0];
 
 		    shortcopy1 = (krb5_octet *) malloc(shortlen);
 		    if (shortcopy1) {
@@ -1934,18 +1878,18 @@
 			error++;
 		    }
 	    }
+	      
 	    /* Read principal attributes */
-	    if (!error &&
-		(fscanf(filep, "\t%u\t%u\t%u\t%u\t%u\t%u"
-		    "\t%u\t%u\t%u\t%u\t",
-			&tmpint1, &dbent.max_life,
-			&dbent.max_renewable_life,
-			&tmpint2, &dbent.expiration,
-			&dbent.pw_expiration, &last_pwd_change,
-			&dbent.last_success, &dbent.last_failed,
-			&tmpint3) != 10)) {
-		    try2read = read_pr_data1;
-		    error++;
+	    if (!error && (fscanf(filep,
+				  "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t",
+				  &tmpint1, &dbent.max_life,
+				  &dbent.max_renewable_life,
+				  &tmpint2, &dbent.expiration,
+				  &dbent.pw_expiration, &last_pwd_change,
+				  &dbent.last_success, &dbent.last_failed,
+				  &tmpint3) != 10)) {
+		try2read = read_pr_data1;
+		error++;
 	    }
 	    pkey->key_data_kvno = tmpint1;
 	    dbent.fail_auth_count = tmpint3;
@@ -1973,37 +1917,28 @@
 		error++;
 	    }
 	    /* Read alternate key type */
-	    if (!error &&
-		(fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
-		    try2read = read_akey_type;
-		    error++;
+	    if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
+		try2read = read_akey_type;
+		error++;
 	    }
 	    akey->key_data_type[0] = tmpint1;
 	    /* Read alternate key */
 	    if (!error && read_octet_string(filep,
 					    akey->key_data_contents[0],
 					    akey->key_data_length[0])) {
-		    try2read = read_akey_data;
-		    error++;
+		try2read = read_akey_data;
+		error++;
 	    }
+
 	    /* convert to a new format key */
-	    /*
-	     * the encrypted version is stored as the
-	     * unencrypted key length (4 bytes, MSB first)
-	     * followed by the encrypted key.
-	     */
-	    if ((akey->key_data_length[0] > 4) &&
-		(akey->key_data_contents[0][0] == 0) &&
-		(akey->key_data_contents[0][1] == 0)) {
-		    /*
-		     * this really does look like an old key,
-		     * so drop and swap
-		     */
-		    /*
-		     * the *new* length is 2 bytes, LSB first,
-		     * sigh.
-		     */
-		    size_t shortlen = akey->key_data_length[0] - 4 + 2;
+	    /* the encrypted version is stored as the unencrypted key length
+	       (4 bytes, MSB first) followed by the encrypted key. */
+	    if ((akey->key_data_length[0] > 4)
+		&& (akey->key_data_contents[0][0] == 0)
+		&& (akey->key_data_contents[0][1] == 0)) {
+	      /* this really does look like an old key, so drop and swap */
+	      /* the *new* length is 2 bytes, LSB first, sigh. */
+	      size_t shortlen = akey->key_data_length[0]-4+2;
 
 		    krb5_octet *origdata = akey->key_data_contents[0];
 
@@ -2021,11 +1956,11 @@
 			error++;
 		    }
 	    }
+	      
 	    /* Read alternate salt type */
-	    if (!error &&
-		(fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
-		    try2read = read_asalt_type;
-		    error++;
+	    if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
+		try2read = read_asalt_type;
+		error++;
 	    }
 	    akey->key_data_type[1] = tmpint1;
 	    /* Read alternate salt data */
@@ -2038,31 +1973,93 @@
 	    /* Read expansion data - discard it */
 	    if (!error) {
 		for (i=0; i<8; i++) {
-		   if (fscanf(filep,
-			    "\t%u", &tmpint1) != 1) {
+		    if (fscanf(filep, "\t%u", &tmpint1) != 1) {
 			try2read = read_exp_data;
 			error++;
 			break;
-		   }
+		    }
 		}
 		if (!error)
 		    find_record_end(filep, fname, *linenop);
 	    }
+	
 	    /*
-	     * If no error, then we're done reading.  Now parse
-	     * the names and store the database dbent.
+	     * If no error, then we're done reading.  Now parse the names
+	     * and store the database dbent.
 	     */
 	    if (!error) {
-		retval = k5beta_parse_and_store(
-			fname, kcontext, verbose,
-			linenop, &dbent, name, mod_name,
-			last_pwd_change, mod_date);
-	    } else {
-		fprintf(stderr, gettext(read_err_fmt),
-			fname, *linenop, try2read);
+		if (!(kret = krb5_parse_name(kcontext,
+					     name,
+					     &dbent.princ))) {
+		    if (!(kret = krb5_parse_name(kcontext,
+						 mod_name,
+						 &mod_princ))) {
+			if (!(kret =
+			      krb5_dbe_update_mod_princ_data(kcontext,
+							     &dbent,
+							     mod_date,
+							     mod_princ)) &&
+			    !(kret =
+			      krb5_dbe_update_last_pwd_change(kcontext,
+							      &dbent,
+							      last_pwd_change))) {
+			    int one = 1;
+
+			    dbent.len = KRB5_KDB_V1_BASE_LENGTH;
+			    pkey->key_data_ver = (pkey->key_data_type[1] || pkey->key_data_length[1]) ?
+				2 : 1;
+			    akey->key_data_ver = (akey->key_data_type[1] || akey->key_data_length[1]) ?
+				2 : 1;
+			    if ((pkey->key_data_type[0] ==
+				 akey->key_data_type[0]) &&
+				(pkey->key_data_type[1] ==
+				 akey->key_data_type[1]))
+				dbent.n_key_data--;
+			    else if ((akey->key_data_type[0] == 0)
+				     && (akey->key_data_length[0] == 0)
+				     && (akey->key_data_type[1] == 0)
+				     && (akey->key_data_length[1] == 0))
+			        dbent.n_key_data--;
+			    if ((kret = krb5_db_put_principal(kcontext,
+							      &dbent,
+							      &one)) ||
+				(one != 1)) {
+				fprintf(stderr, gettext(store_err_fmt),
+					fname, *linenop, name,
+					error_message(kret));
+				error++;
+			    }
+			    else {
+				if (verbose)
+				    fprintf(stderr,
+							gettext(add_princ_fmt),
+							name);
+				retval = 0;
+			    }
+			    dbent.n_key_data = 2;
+			}
+			krb5_free_principal(kcontext, mod_princ);
+		    }
+		    else {
+			fprintf(stderr,
+				gettext(parse_err_fmt),
+				fname, *linenop, mod_name,
+				error_message(kret));
+			error++;
+		    }
+		}
+		else {
+		    fprintf(stderr, gettext(parse_err_fmt),
+			    fname, *linenop, name, error_message(kret));
+		    error++;
+		}
 	    }
-	} else {
-	    fprintf(stderr, gettext(no_mem_fmt), fname, *linenop);
+	    else {
+	    fprintf(stderr, gettext(no_mem_fmt), fname, *linenop, try2read);
+	    }
+	}
+	else {
+		fprintf(stderr, gettext(read_err_fmt), fname, *linenop);
 	}
 
 	krb5_db_free_principal(kcontext, &dbent, 1);
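Review bot: The two error branches at the end of this block have their format strings swapped. The `else` of `if (!error)` (a read failure) now prints `no_mem_fmt` with a surplus `try2read`, and the `else` of the malloc chain prints `read_err_fmt` with only `fname, *linenop`. Elsewhere on this page `read_err_fmt` is always given a third `try2read` argument, so this call most likely leaves a conversion without an argument, which is undefined behaviour in fprintf. The inner branch should be `fprintf(stderr, gettext(read_err_fmt), fname, *linenop, try2read);` and the outer one `fprintf(stderr, gettext(no_mem_fmt), fname, *linenop);`. process_k5beta_record starts outside the hunk.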
@@ -2070,12 +2067,13 @@
 	    free(mod_name);
 	if (name)
 	    free(name);
-    } else {
+    }
+    else {
 	if (nmatched != EOF)
 	   fprintf(stderr, gettext(rhead_err_fmt),
 		fname, *linenop);
 	else
-	   retval = -1;
+	    retval = -1;
     }
 
     if (shortcopy1)
@@ -2083,111 +2081,7 @@
     if (shortcopy2)
 	free(shortcopy2);
 
-    return (retval);
-}
-
-static int
-get_k5beta6_tag_data(FILE *filep, krb5_db_entry dbentry, const char **try2read)
-{
-	int error = 0;
-	int i;
-
-	krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9;
-	int nread;
-	krb5_tl_data *tl;
-
-	for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
-		nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
-		if (nread == 2) {
-			tl->tl_data_type = (krb5_int16) t1;
-			tl->tl_data_length = (krb5_int16) t2;
-			if (tl->tl_data_length) {
-				if (!(tl->tl_data_contents =
-					(krb5_octet *)
-					malloc((size_t) t2 + 1)) ||
-				    read_octet_string(filep,
-						    tl->tl_data_contents, t2)) {
-					*try2read = read_tcontents;
-				error++;
-					break;
-			    }
-			} else {
-				/* Should be a null field */
-				nread = fscanf(filep, "%d", &t9);
-				if ((nread != 1) || (t9 != -1)) {
-					error++;
-					*try2read = read_tcontents;
-					break;
-			    }
-			}
-		} else {
-			*try2read = read_ttypelen;
-			error++;
-			break;
-		    }
-		}
-
-	return (error);
-}
-
-static int
-get_k5beta6_key_data(FILE *filep, krb5_db_entry dbentry, const char **try2read)
-{
-	int error = 0;
-	int i, j;
-
-	krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9;
-	int nread;
-	krb5_key_data *kdatap;
-
-	for (i = 0; !error && (i < dbentry.n_key_data); i++) {
-		kdatap = &dbentry.key_data[i];
-		nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
-		if (nread == 2) {
-			kdatap->key_data_ver = (krb5_int16) t1;
-			kdatap->key_data_kvno = (krb5_int16) t2;
-
-			for (j = 0; j < t1; j++) {
-				nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
-				if (nread == 2) {
-					kdatap->key_data_type[j] = t3;
-					kdatap->key_data_length[j] = t4;
-					if (t4) {
-						if (!(kdatap->
-						    key_data_contents[j] =
-						    (krb5_octet *)
-						    malloc((size_t) t4
-							    + 1)) ||
-						    read_octet_string(filep,
-								    kdatap->
-							key_data_contents[j],
-								    t4)) {
-							*try2read =
-								read_kcontents;
-		    error++;
-							break;
-		}
-					} else {
-						/* Should be a null field */
-						nread = fscanf(filep,
-								"%d", &t9);
-						if ((nread != 1) ||
-						    (t9 != -1)) {
-							error++;
-							*try2read =
-								read_kcontents;
-							break;
-	    }
-	    }
-				} else {
-					*try2read = read_ktypelen;
-					error++;
-					break;
-	}
-	}
-    }
-    }
-	return (error);
+    return(retval);
 }
 
 /*
@@ -2235,12 +2129,12 @@
 	/* Get memory for and form tagged data linked list */
 	tlp = &dbentry.tl_data;
 	for (i=0; i<t3; i++) {
-			if ((*tlp = (krb5_tl_data *)
-			    malloc(sizeof (krb5_tl_data)))) {
+	    if ((*tlp = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) {
 		memset(*tlp, 0, sizeof(krb5_tl_data));
 		tlp = &((*tlp)->tl_data_next);
 		dbentry.n_tl_data++;
-			} else {
+	    }
+	    else {
 		error++;
 		break;
 	    }
@@ -2260,8 +2154,7 @@
 	    dbentry.n_key_data = t4;
 	    dbentry.e_length = t5;
 	    if (kp) {
-				memset(kp, 0,
-				    (size_t) (t4 * sizeof (krb5_key_data)));
+		memset(kp, 0, (size_t) (t4*sizeof(krb5_key_data)));
 		dbentry.key_data = kp;
 		kp = (krb5_key_data *) NULL;
 	    }
@@ -2270,31 +2163,23 @@
 		dbentry.e_data = op;
 		op = (krb5_octet *) NULL;
 	    }
+
 	    /* Read in and parse the principal name */
 	    if (!read_string(filep, name, t2, linenop) &&
-			    !(kret = krb5_parse_name(kcontext,
-						    name, &dbentry.princ))) {
+		!(kret = krb5_parse_name(kcontext, name, &dbentry.princ))) {
 
 		/* Get the fixed principal attributes */
-				nread = fscanf(filep, "%d\t%d\t%d\t%d"
-					    "\t%d\t%d\t%d\t%d\t",
-					    &t2, &t3, &t4, &t5,
-					    &t6, &t7, &t8, &t9);
+		nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
+			       &t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9);
 		if (nread == 8) {
 		    dbentry.attributes = (krb5_flags) t2;
 		    dbentry.max_life = (krb5_deltat) t3;
-					dbentry.max_renewable_life =
-						(krb5_deltat) t4;
-					dbentry.expiration =
-						(krb5_timestamp) t5;
-					dbentry.pw_expiration =
-						(krb5_timestamp) t6;
-					dbentry.last_success =
-						(krb5_timestamp) t7;
-					dbentry.last_failed =
-						(krb5_timestamp) t8;
-					dbentry.fail_auth_count =
-						(krb5_kvno) t9;
+		    dbentry.max_renewable_life = (krb5_deltat) t4;
+		    dbentry.expiration = (krb5_timestamp) t5;
+		    dbentry.pw_expiration = (krb5_timestamp) t6;
+		    dbentry.last_success = (krb5_timestamp) t7;
+		    dbentry.last_failed = (krb5_timestamp) t8;
+		    dbentry.fail_auth_count = (krb5_kvno) t9;
 		} else {
 		    try2read = read_nint_data;
 		    error++;
@@ -2303,27 +2188,94 @@
 		/*
 		 * Get the tagged data.
 		 *
-				 * Really, this code ought to discard tl data
-				 * types that it knows are special to the
-				 * current version and were not supported
-				 * in the previous version. But it's a pain
-				 * to implement that here, and doing it at
-				 * dump time has almost as good an effect,
-				 * so that's what I did.  [krb5-admin/89/
+		 * Really, this code ought to discard tl data types
+		 * that it knows are special to the current version
+		 * and were not supported in the previous version.
+		 * But it's a pain to implement that here, and doing
+		 * it at dump time has almost as good an effect, so
+		 * that's what I did.  [krb5-admin/89]
 		 */
 		if (!error && dbentry.n_tl_data) {
-					error = get_k5beta6_tag_data(
-						filep,
-						dbentry,
-						&try2read);
+		    for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
+			nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
+			if (nread == 2) {
+			    tl->tl_data_type = (krb5_int16) t1;
+			    tl->tl_data_length = (krb5_int16) t2;
+			    if (tl->tl_data_length) {
+				if (!(tl->tl_data_contents =
+				      (krb5_octet *) malloc((size_t) t2+1)) ||
+				    read_octet_string(filep,
+						      tl->tl_data_contents,
+						      t2)) {
+				    try2read = read_tcontents;
+				    error++;
+				    break;
 				}
+			    }
+			    else {
+				/* Should be a null field */
+				nread = fscanf(filep, "%d", &t9);
+				if ((nread != 1) || (t9 != -1)) {
+				    error++;
+				    try2read = read_tcontents;
+				    break;
+				}
+			    }
+			}
+			else {
+			    try2read = read_ttypelen;
+			    error++;
+			    break;
+			}
+		    }
+		}
+
 		/* Get the key data */
 		if (!error && dbentry.n_key_data) {
-					error = get_k5beta6_key_data(
-						filep,
-						dbentry,
-						&try2read);
+		    for (i=0; !error && (i<dbentry.n_key_data); i++) {
+			kdatap = &dbentry.key_data[i];
+			nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
+			if (nread == 2) {
+			    kdatap->key_data_ver = (krb5_int16) t1;
+			    kdatap->key_data_kvno = (krb5_int16) t2;
+
+			    for (j=0; j<t1; j++) {
+				nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
+				if (nread == 2) {
+				    kdatap->key_data_type[j] = t3;
+				    kdatap->key_data_length[j] = t4;
+				    if (t4) {
+					if (!(kdatap->key_data_contents[j] =
+					      (krb5_octet *)
+					      malloc((size_t) t4+1)) ||
+					    read_octet_string(filep,
+							      kdatap->key_data_contents[j],
+							      t4)) {
+					    try2read = read_kcontents;
+					    error++;
+					    break;
 					}
+				    }
+				    else {
+					/* Should be a null field */
+					nread = fscanf(filep, "%d", &t9);
+					if ((nread != 1) || (t9 != -1)) {
+					    error++;
+					    try2read = read_kcontents;
+					    break;
+					}
+				    }
+				}
+				else {
+				    try2read = read_ktypelen;
+				    error++;
+				    break;
+				}
+			    }
+			}
+		    }
+		}
+
 		/* Get the extra data */
 		if (!error && dbentry.e_length) {
 		    if (read_octet_string(filep,
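Review bot: The inlined key-data loop `for (j=0; j<t1; j++)` uses `t1`, the key_data_ver value just read from the dump file, as the bound for writes to `kdatap->key_data_type[j]`, `key_data_length[j]` and `key_data_contents[j]` without range-checking it. Those are fixed-size arrays (KRB5_KDB_V1_KEY_DATA_ARRAY entries in MIT's kdb.h; the declaration is not visible here), so a malformed or tampered dump can write past them. Reject the record before the loop, e.g. `if (t1 < 0 || t1 > KRB5_KDB_V1_KEY_DATA_ARRAY) { try2read = read_ktypelen; error++; break; }`. The lengths have a related gap: `t2` is stored through a `(krb5_int16)` cast but allocated and read with the full int, and `t4` is likewise unchecked, so negative or over-range values should be refused before the malloc. The outer `if (nread == 2)` in the key loop has no `else`, so a short read there is not counted as an error; the function starts and ends outside the hunk.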
@@ -2332,7 +2284,8 @@
 			try2read = read_econtents;
 			error++;
 		    }
-				} else {
+		}
+		else {
 		    nread = fscanf(filep, "%d", &t9);
 		    if ((nread != 1) || (t9 != -1)) {
 			error++;
@@ -2345,20 +2298,19 @@
 		    find_record_end(filep, fname, *linenop);
 
 		/*
-				 * We have either read in all the data or
-				 * choked.
+		 * We have either read in all the data or choked.
 		 */
 		if (!error) {
 		    one = 1;
-					if ((kret = krb5_db_put_principal(
-						    kcontext,
+		    if ((kret = krb5_db_put_principal(kcontext,
 						      &dbentry,
 						      &one))) {
 						fprintf(stderr,
 						    gettext(store_err_fmt),
 				fname, *linenop,
 				name, error_message(kret));
-					} else {
+		    }
+		    else {
 			if (verbose)
 							fprintf(stderr,
 							    gettext(
@@ -2366,21 +2318,23 @@
 							    name);
 			retval = 0;
 		    }
-				} else {
+		}
+		else {
 					fprintf(stderr, gettext(read_err_fmt),
 					    fname, *linenop, try2read);
 		}
-			} else {
+	    }
+	    else {
 		if (kret)
 					fprintf(stderr, gettext(parse_err_fmt),
-						fname, *linenop, name,
-						error_message(kret));
+			    fname, *linenop, name, error_message(kret));
 		else
-					fprintf(stderr, gettext(no_mem_fmt),
+		    fprintf(stderr, gettext(no_mem_fmt),
 						fname, *linenop);
 	    }
-		} else {
-			fprintf(stderr,
+	}
+	else {
+	    fprintf(stderr,
 				gettext(rhead_err_fmt), fname, *linenop);
 	}
 
@@ -2391,14 +2345,15 @@
 	if (name)
 	    free(name);
 	krb5_db_free_principal(kcontext, &dbentry, 1);
-	} else {
+    }
+    else {
 	if (nread == EOF)
 	    retval = -1;
     }
     return(retval);
 }
 
-int
+static int 
 process_k5beta7_policy(fname, kcontext, filep, verbose, linenop, pol_db)
     char		*fname;
     krb5_context	kcontext;
@@ -2419,12 +2374,12 @@
 		   &rec.pw_min_length, &rec.pw_min_classes,
 		   &rec.pw_history_num, &rec.policy_refcnt);
     if (nread == EOF)
-		return (-1);
+	 return -1;
     else if (nread != 7) {
 		fprintf(stderr,
 		    gettext("cannot parse policy on line %d (%d read)\n"),
 		 *linenop, nread);
-		return (1);
+	 return 1;
     }
 
     if ((ret = osa_adb_create_policy(pol_db, &rec))) {
@@ -2432,17 +2387,17 @@
 	     ((ret = osa_adb_put_policy(pol_db, &rec)))) {
 	      fprintf(stderr, gettext("cannot create policy on line %d: %s\n"),
 		      *linenop, error_message(ret));
-			return (1);
+	      return 1;
 	 }
     }
     if (verbose)
 		fprintf(stderr, gettext("created policy %s\n"), rec.name);
     
-	return (0);
+    return 0;
 }
 
 /*
- * process_k5beta7_record()	- Handle a dump record in krb5b6 format.
+ * process_k5beta7_record()	- Handle a dump record in krb5b7 format.
  *
  * Returns -1 for end of file, 0 for success and 1 for failure.
  */
@@ -2460,9 +2415,9 @@
 
      nread = fscanf(filep, "%100s\t", rectype);
      if (nread == EOF)
-		return (-1);
+	  return -1;
      else if (nread != 1)
-		return (1);
+	  return 1;
      if (strcmp(rectype, "princ") == 0)
 	  process_k5beta6_record(fname, kcontext, filep, verbose,
 				 linenop, pol_db);
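Review bot: The return value of `process_k5beta6_record(...)` is discarded, so this function falls through to `return 0` even when the principal record failed to parse or store, and the restore loop never sees the failure. Capturing the result and returning it when non-zero would surface the error. The same applies to the `process_k5beta7_policy` branch, and to the `process_ov_principal` and `process_k5beta7_policy` calls in the hunks at @@ -2498 and @@ -2508. Separately, `%100s` stores up to 100 characters plus the terminator, so `rectype` must be at least 101 bytes; its declaration is outside this hunk and worth checking. The function body starts and ends outside the hunk.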
@@ -2473,10 +2428,10 @@
 		fprintf(stderr,
 		    gettext("unknown record type \"%s\" on line %d\n"),
 		  rectype, *linenop);
-		return (1);
+	  return 1;
      }
 
-	return (0);
+     return 0;
 }
 
 /*
@@ -2498,9 +2453,9 @@
 
      nread = fscanf(filep, "%100s\t", rectype);
      if (nread == EOF)
-		return (-1);
+	  return -1;
      else if (nread != 1)
-		return (1);
+	  return 1;
      if (strcmp(rectype, "princ") == 0)
 	  process_ov_principal(fname, kcontext, filep, verbose,
 			       linenop, pol_db);
@@ -2508,15 +2463,15 @@
 	  process_k5beta7_policy(fname, kcontext, filep, verbose,
 				 linenop, pol_db);
      else if (strcmp(rectype, "End") == 0)
-		return (-1);
+	  return -1;
      else {
 		fprintf(stderr,
 		    gettext("unknown record type \"%s\" on line %d\n"),
 		  rectype, *linenop);
-		return (1);
+	  return 1;
      }
 
-	return (0);
+     return 0;
 }
 
 /*
@@ -2546,7 +2501,8 @@
 					  f,
 					  verbose,
 					  &lineno,
-		    pol_db)));
+					  pol_db)))
+	 ;
     if (error != -1)
 		fprintf(stderr, gettext(err_line_fmt),
 		    programname, lineno, dumpfile);
@@ -2557,7 +2513,8 @@
 }
 
 /*
- * Usage: load_db [-i] [-old] [-ov] [-b6] [-verbose] [-update] [-hash] filename
+ * Usage: load_db [-i] [-old] [-ov] [-b6] [-b7] [-verbose] [-update] [-hash]
+ *		filename
  */
 void
 load_db(argc, argv)
@@ -2603,13 +2560,15 @@
     log_ctx = util_context->kdblog_context;
 
     for (aindex = 1; aindex < argc; aindex++) {
-		if (strcmp(argv[aindex], oldoption) == 0)
+	if (!strcmp(argv[aindex], oldoption))
 	     load = &old_version;
-		else if (strcmp(argv[aindex], b6option) == 0)
+	else if (!strcmp(argv[aindex], b6option))
 	     load = &beta6_version;
-		else if (strcmp(argv[aindex], ovoption) == 0)
+	else if (!strcmp(argv[aindex], b7option))
+	     load = &beta7_version;
+	else if (!strcmp(argv[aindex], ovoption))
 	     load = &ov_version;
-		else if (!strcmp(argv[aindex], ipropoption)) {
+	else if (!strcmp(argv[aindex], ipropoption)) {
 			if (log_ctx && log_ctx->iproprole) {
 				load = &iprop_version;
 				add_update = FALSE;
@@ -2618,9 +2577,10 @@
 				exit_status++;
 				return;
 			}
-		} else if (strcmp(argv[aindex], verboseoption) == 0)
+		}
+	else if (!strcmp(argv[aindex], verboseoption))
 	    verbose = 1;
-		else if (strcmp(argv[aindex], updateoption) == 0)
+	else if (!strcmp(argv[aindex], updateoption))
 	    update = 1;
 	else if (!strcmp(argv[aindex], hashoption))
 	    crflags = KRB5_KDB_CREATE_HASH;
@@ -2677,21 +2637,16 @@
 	f = stdin;
 
     /*
-	 * Auto-detect dump version if we weren't told, verify if we were
-	 * told.
+     * Auto-detect dump version if we weren't told, verify if we
+     * were told.
      */
     fgets(buf, sizeof(buf), f);
     if (load) {
-		/*
-		 * only check what we know; some headers only contain a
-		 * prefix
-		 */
+	 /* only check what we know; some headers only contain a prefix */
 	 if (strncmp(buf, load->header, strlen(load->header)) != 0) {
-			fprintf(stderr, gettext(head_bad_fmt),
-			    programname, dumpfile);
+			fprintf(stderr, gettext(head_bad_fmt), programname, dumpfile);
 	      exit_status++;
-			if (dumpfile)
-				fclose(f);
+	      if (dumpfile) fclose(f);
 	      return;
 	 }
     } else {
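Review bot: `fgets(buf, sizeof(buf), f);` is used without checking its result, so for an empty or unreadable dump file `buf` is compared against the version headers with whatever it held before, possibly uninitialised (its declaration is outside the hunk). Writing `if (fgets(buf, sizeof(buf), f) == NULL) buf[0] = '\0';` makes both the verify path and the auto-detect path end in the existing head_bad_fmt error. The `if (dumpfile) fclose(f);` lines suggest `dumpfile` can be NULL when reading stdin, yet it is passed to `fprintf(stderr, gettext(head_bad_fmt), programname, dumpfile)`. If that format prints it with `%s`, a placeholder name should be substituted. load_db continues outside the hunk.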
@@ -2702,15 +2657,16 @@
 	      load = &beta6_version;
 	 else if (strcmp(buf, beta7_version.header) == 0)
 	      load = &beta7_version;
+	 else if (strcmp(buf, r1_3_version.header) == 0)
+	      load = &r1_3_version;
 	 else if (strncmp(buf, ov_version.header,
 			  strlen(ov_version.header)) == 0)
 	      load = &ov_version;
-	else {
+	 else {
 			fprintf(stderr, gettext(head_bad_fmt),
 				programname, dumpfile);
 	      exit_status++;
-			if (dumpfile)
-				fclose(f);
+	      if (dumpfile) fclose(f);
 	      return;
 	 }
     }
@@ -2722,6 +2678,7 @@
 	 exit_status++;
 	 return;
     }
+
     /*
      * Cons up params for the new databases.  If we are not in update
      * mode use a temp name that we'll rename later.
@@ -2740,6 +2697,7 @@
 	      return;
 	 }
     }
+    
     /*
      * If not an update restoration, create the temp database.  Always
      * create a temp policy db, even if we are not loading a dump file
@@ -2760,22 +2718,22 @@
 		 programname, error_message(kret));
 	 exit_status++;
 	 kadm5_free_config_params(kcontext, &newparams);
-		if (dumpfile)
-			fclose(f);
+	 if (dumpfile) fclose(f);
 	 return;
     }
+
     /*
      * Point ourselves at the new databases.
      */
-	if ((kret = krb5_db_set_name(kcontext,
-		(update) ? dbname : dbname_tmp))) {
+    if ((kret = krb5_db_set_name(kcontext,
+				(update) ? dbname : dbname_tmp))) {
 		fprintf(stderr, gettext(dbname_err_fmt),
 		 programname, 
 		 (update) ? dbname : dbname_tmp, error_message(kret));
 	 exit_status++;
 	 goto error;
     }
-	if ((kret = osa_adb_open_policy(&tmppol_db, &newparams))) {
+    if ((kret = osa_adb_open_policy(&tmppol_db, &newparams))) {
 		fprintf(stderr,
 			gettext("%s: %s while opening policy database\n"),
 		 programname, error_message(kret));
@@ -2787,7 +2745,7 @@
      * the update fails.
      */
     if (update) {
-		if ((kret = osa_adb_get_lock(tmppol_db, OSA_ADB_PERMANENT))) {
+	 if ((kret = osa_adb_get_lock(tmppol_db, OSA_ADB_PERMANENT))) {
 			fprintf(stderr,
 			    gettext("%s: %s while "
 				    "permanently locking database\n"),
@@ -2800,8 +2758,8 @@
     /*
      * Initialize the database.
      */
-	if ((kret = krb5_db_init(kcontext))) {
-		fprintf(stderr, gettext(dbinit_err_fmt),
+    if ((kret = krb5_db_init(kcontext))) {
+	 fprintf(stderr, gettext(dbinit_err_fmt),
 		 programname, error_message(kret));
 	 exit_status++;
 	 goto error;
@@ -2812,13 +2770,13 @@
     if (!update) {
 	 kret = krb5_db_lock(kcontext, KRB5_LOCKMODE_EXCLUSIVE);
 	 if (kret) {
-			fprintf(stderr, gettext(dblock_err_fmt),
+		 fprintf(stderr, gettext(dblock_err_fmt),
 			 programname, error_message(kret));
 		 exit_status++;
 		 goto error;
 	 }
     }
-
+    
 	if (log_ctx && log_ctx->iproprole) {
 		if (add_update)
 			caller = FKCOMMAND;
@@ -2866,27 +2824,27 @@
 		}
 	}
 
-	if (restore_dump(programname, kcontext,
-			(dumpfile) ? dumpfile : stdin_name,
+    if (restore_dump(programname, kcontext, (dumpfile) ? dumpfile : stdin_name,
 		     f, verbose, load, tmppol_db)) {
 		fprintf(stderr, gettext(restfail_fmt),
 		 programname, load->name);
 	 exit_status++;
     }
+
     if (!update && (kret = krb5_db_unlock(kcontext))) {
 	 /* change this error? */
 		fprintf(stderr, gettext(dbunlockerr_fmt),
 		 programname, dbname_tmp, error_message(kret));
 	 exit_status++;
     }
-	if ((kret = krb5_db_fini(kcontext))) {
+    if ((kret = krb5_db_fini(kcontext))) {
 		fprintf(stderr, gettext(close_err_fmt),
 		 programname, error_message(kret));
 	 exit_status++;
     }
 
     if (!update && load->create_kadm5 &&
-	    ((kret = kadm5_create_magic_princs(&newparams, kcontext)))) {
+	((kret = kadm5_create_magic_princs(&newparams, kcontext)))) {
 	 /* error message printed by create_magic_princs */
 	 exit_status++;
     }
@@ -2895,28 +2853,27 @@
 
 error:
     /*
-	 * If not an update: if there was an error, destroy the temp
-	 * database, otherwise rename it into place.
+     * If not an update: if there was an error, destroy the temp database,
+     * otherwise rename it into place.
      *
      * If an update: if there was no error, unlock the database.
      */
     if (!update) {
 	 if (exit_status) {
-			if ((kret =
-				krb5_db_destroy(kcontext, dbname_tmp))) {
+	      if ((kret = krb5_db_destroy(kcontext, dbname_tmp))) {
 				fprintf(stderr, gettext(dbdelerr_fmt),
-					programname, dbname_tmp,
-					error_message(kret));
+			   programname, dbname_tmp, error_message(kret));
 		   exit_status++;
 	      }
-			if ((kret = osa_adb_destroy_policy_db(&newparams))) {
+	      if ((kret = osa_adb_destroy_policy_db(&newparams))) {
 				fprintf(stderr,
 					gettext("%s: %s while destroying "
 						"policy database\n"),
 			   programname, error_message(kret));
 		   exit_status++;
 	      }
-		} else {
+	 }
+	 else {
 	      if ((kret = krb5_db_rename(kcontext,
 					 dbname_tmp,
 					 dbname))) {
@@ -2925,13 +2882,15 @@
 			   error_message(kret));
 		   exit_status++;
 	      } 
-			if ((kret = osa_adb_close_policy(tmppol_db))) {
-				fprintf(stderr, gettext(close_err_fmt),
+
+	      if ((kret = osa_adb_close_policy(tmppol_db))) {
+		   fprintf(stderr, gettext(close_err_fmt),
 			   programname, error_message(kret));
 		   exit_status++;
 	      }
-			if ((kret = osa_adb_rename_policy_db(&newparams,
-				&global_params))) {
+
+	      if ((kret = osa_adb_rename_policy_db(&newparams,
+						   &global_params))) {
 		   fprintf(stderr,
 				    gettext("%s: %s while renaming "
 					"policy db %s to %s\n"),
@@ -2941,25 +2900,26 @@
 		   exit_status++;
 	      }
 	 }
-	} else {	   /* update */
-		if (!exit_status && ((kret = osa_adb_release_lock(tmppol_db)))) {
-			fprintf(stderr,
+    } else /* update */ {
+	 if (! exit_status && ((kret = osa_adb_release_lock(tmppol_db)))) {
+	      fprintf(stderr,
 			    gettext("%s: %s while releasing permanent lock\n"),
 		      programname, error_message(kret));
 	      exit_status++;
 	 }
-		if (tmppol_db && ((kret = osa_adb_close_policy(tmppol_db)))) {
-			fprintf(stderr, gettext(close_err_fmt),
+
+	 if (tmppol_db && ((kret = osa_adb_close_policy(tmppol_db)))) {
+	      fprintf(stderr, gettext(close_err_fmt),
 		      programname, error_message(kret));
 	      exit_status++;
 	 }
     }
 
     if (dumpfile) {
-		(void) krb5_lock_file(kcontext,
-				    fileno(f), KRB5_LOCKMODE_UNLOCK);
+	 (void) krb5_lock_file(kcontext, fileno(f), KRB5_LOCKMODE_UNLOCK);
 	 fclose(f);
     }
+
     if (dbname_tmp)
 	 free(dbname_tmp);
     krb5_free_context(kcontext);
--- a/usr/src/cmd/krb5/kadmin/dbutil/import_err.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/import_err.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,11 +1,8 @@
 /*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
-#ifndef _IMPORT_ERR_H
-#define	_IMPORT_ERR_H
-
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
 
 /*
@@ -25,45 +22,49 @@
  *
  */
 
-#ifdef	__cplusplus
-extern "C" {
-#endif
-
 /*
  * import_err.h:
  * This file is automatically generated; please do not edit it.
  */
-#define	IMPORT_NO_ERR				(37349888L)
-#define	IMPORT_BAD_FILE				(37349889L)
-#define	IMPORT_BAD_TOKEN			(37349890L)
-#define	IMPORT_BAD_VERSION			(37349891L)
-#define	IMPORT_BAD_RECORD			(37349892L)
-#define	IMPORT_BAD_FOOTER			(37349893L)
-#define	IMPORT_FAILED				(37349894L)
-#define	IMPORT_COUNT_MESSAGE			(37349895L)
-#define	IMPORT_MISMATCH_COUNT			(37349896L)
-#define	IMPORT_UNK_OPTION			(37349897L)
-#define	IMPORT_WARN_DB				(37349898L)
-#define	IMPORT_RENAME_FAILED			(37349899L)
-#define	IMPORT_EXTRA_DATA			(37349900L)
-#define	IMPORT_CONFIRM				(37349901L)
-#define	IMPORT_OPEN_DUMP			(37349902L)
-#define	IMPORT_IMPORT				(37349903L)
-#define	IMPORT_TTY				(37349904L)
-#define	IMPORT_RENAME_OPEN			(37349905L)
-#define	IMPORT_RENAME_LOCK			(37349906L)
-#define	IMPORT_RENAME_UNLOCK			(37349907L)
-#define	IMPORT_RENAME_CLOSE			(37349908L)
-#define	IMPORT_SINGLE_RECORD			(37349909L)
-#define	IMPORT_PLURAL_RECORDS			(37349910L)
-#define	IMPORT_GET_PARAMS			(37349911L)
-#define	ERROR_TABLE_BASE_imp (37349888L)
+
+#include <com_err.h>
 
-/* for compatibility with older versions... */
-#define	imp_err_base ERROR_TABLE_BASE_imp
+#define IMPORT_NO_ERR                            (37349888L)
+#define IMPORT_BAD_FILE                          (37349889L)
+#define IMPORT_BAD_TOKEN                         (37349890L)
+#define IMPORT_BAD_VERSION                       (37349891L)
+#define IMPORT_BAD_RECORD                        (37349892L)
+#define IMPORT_BAD_FOOTER                        (37349893L)
+#define IMPORT_FAILED                            (37349894L)
+#define IMPORT_COUNT_MESSAGE                     (37349895L)
+#define IMPORT_MISMATCH_COUNT                    (37349896L)
+#define IMPORT_UNK_OPTION                        (37349897L)
+#define IMPORT_WARN_DB                           (37349898L)
+#define IMPORT_RENAME_FAILED                     (37349899L)
+#define IMPORT_EXTRA_DATA                        (37349900L)
+#define IMPORT_CONFIRM                           (37349901L)
+#define IMPORT_OPEN_DUMP                         (37349902L)
+#define IMPORT_IMPORT                            (37349903L)
+#define IMPORT_TTY                               (37349904L)
+#define IMPORT_RENAME_OPEN                       (37349905L)
+#define IMPORT_RENAME_LOCK                       (37349906L)
+#define IMPORT_RENAME_UNLOCK                     (37349907L)
+#define IMPORT_RENAME_CLOSE                      (37349908L)
+#define IMPORT_SINGLE_RECORD                     (37349909L)
+#define IMPORT_PLURAL_RECORDS                    (37349910L)
+#define IMPORT_GET_PARAMS                        (37349911L)
+#define ERROR_TABLE_BASE_imp (37349888L)
 
-#ifdef	__cplusplus
-}
+extern const struct error_table et_imp_error_table;
+
+#if !defined(_WIN32)
+/* for compatibility with older versions... */
+extern void initialize_imp_error_table (void) /*@modifies internalState@*/;
+#else
+#define initialize_imp_error_table()
 #endif
 
-#endif	/* !_IMPORT_ERR_H */
+#if !defined(_WIN32)
+#define init_imp_err_tbl initialize_imp_error_table
+#define imp_err_base ERROR_TABLE_BASE_imp
+#endif
--- a/usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kadm5_create.c	Sat Oct 07 13:37:05 2006 -0700
@@ -37,10 +37,6 @@
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  */
 
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/kadmin/dbutil/kadm5_create.c,v 1.6 1998/10/30 02:52:37 marc Exp $";
-#endif
-
 #include "string_table.h"
 
 #include <stdio.h>
@@ -48,6 +44,8 @@
 #include <string.h>
 #include <kadm5/adb.h>
 #include <kadm5/admin.h>
+#include <krb5/adm_proto.h>
+
 
 #include <krb5.h>
 #include <krb5/kdb.h>
@@ -63,8 +61,10 @@
 add_admin_princ(void *handle, krb5_context context,
     krb5_principal principal, int attrs, int lifetime);
 
-#define	KADM5_ERR 1
-#define	KADM5_OK 0
+static int add_admin_princs(void *handle, krb5_context context, char *realm);
+
+#define ERR 1
+#define OK 0
 
 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
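Review bot: Renaming `KADM5_ERR`/`KADM5_OK` to the bare macros `ERR` and `OK` swaps namespaced names for two that other headers commonly define (curses, for one), so a later include could redefine them or trigger a redefinition warning. Keeping a file-specific prefix would avoid that at no cost. The neighbouring `ADMIN_LIFETIME 60*60*3` and `CHANGEPW_LIFETIME 60*5` would also be safer with parentheses, e.g. `#define ADMIN_LIFETIME (60*60*3)`, so they expand correctly inside larger expressions.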
@@ -82,18 +82,15 @@
  * principals in the KDC database and sets their attributes
  * appropriately.
  */
-int
-kadm5_create(kadm5_config_params * params)
+int kadm5_create(kadm5_config_params *params)
 {
      int retval;
-     void *handle;
      krb5_context context;
-     FILE *f;
 
      kadm5_config_params lparams;
 
-     if (retval = krb5_init_context(&context))
-	exit(KADM5_ERR);
+     if ((retval = krb5_init_context(&context)))
+	  exit(ERR);
 
      (void) memset(&lparams, 0, sizeof (kadm5_config_params));
 
@@ -101,14 +98,15 @@
       * The lock file has to exist before calling kadm5_init, but
       * params->admin_lockfile may not be set yet...
       */
-     if (retval = kadm5_get_config_params(context, NULL, NULL,
-		params, &lparams)) {
-	com_err(progname, retval, gettext(str_INITING_KCONTEXT));
-	return (1);
+     if ((retval = kadm5_get_config_params(context, NULL, NULL,
+					   params, &lparams))) {
+	com_err(progname, retval, gettext("while looking up the Kerberos configuration"));
+	  return 1;
      }
-     if (retval = osa_adb_create_policy_db(&lparams)) {
+
+     if ((retval = osa_adb_create_policy_db(&lparams))) {
 	com_err(progname, retval, gettext(str_CREATING_POLICY_DB));
-	return (1);
+	  return 1;
      }
 
      retval = kadm5_create_magic_princs(&lparams, context);
@@ -116,28 +114,33 @@
      kadm5_free_config_params(context, &lparams);
      krb5_free_context(context);
 
-     return (retval);
+     return retval;
 }
 
-int
-kadm5_create_magic_princs(kadm5_config_params * params,
-			      krb5_context *context)
+int kadm5_create_magic_princs(kadm5_config_params *params,
+			      krb5_context context)
 {
      int retval;
      void *handle;
      
+     retval = krb5_klog_init(context, "admin_server", progname, 0);
+     if (retval)
+	  return retval;
      if ((retval = kadm5_init(progname, NULL, NULL, params,
 			      KADM5_STRUCT_VERSION,
 			      KADM5_API_VERSION_2,
 			      &handle))) {
-	com_err(progname, retval, gettext(str_INITING_KCONTEXT));
-	return (retval);
+	com_err(progname, retval,  gettext("while initializing the Kerberos admin interface"));
+	  return retval;
      }
+
      retval = add_admin_princs(handle, context, params->realm);
 
      kadm5_destroy(handle);
 
-     return (retval);
+     krb5_klog_close(context);
+
+     return retval;
 }
 
 /*
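Review bot: The early `return retval;` after a failed `kadm5_init` leaves the logging set up by the new `krb5_klog_init` call open, because `krb5_klog_close(context)` is only reached on the path that goes through `kadm5_destroy`. Adding `krb5_klog_close(context);` before that `return retval;` keeps init and close paired on every exit.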
@@ -157,14 +160,13 @@
  *
  * Requires: both strings are null-terminated
  */
-char *
-build_name_with_realm(char *name, char *realm)
+static char *build_name_with_realm(char *name, char *realm)
 {
      char *n;
 
      n = (char *) malloc(strlen(name) + strlen(realm) + 2);
      sprintf(n, "%s@%s", name, realm);
-     return (n);
+     return n;
 }
 
 /*
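Review bot: `build_name_with_realm` passes the result of `malloc` to `sprintf` without a NULL check, so an allocation failure becomes a write through a null pointer instead of an error return. Adding `if (n == NULL) return NULL;` before the `sprintf`, with callers checking the result, would close that. The size arithmetic itself (`strlen(name) + strlen(realm) + 2`) does cover the `@` and the terminator. In the caller shown in a later hunk, `fullname` is handed to `krb5_parse_name` and no `free(fullname)` appears on either return path in the visible lines, which is worth confirming.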
@@ -187,8 +189,7 @@
  * printed.  If any of these existing principal do not have the proper
  * attributes, a warning message is printed.
  */
-int
-add_admin_princs(void *handle, krb5_context context, char *realm)
+static int add_admin_princs(void *handle, krb5_context context, char *realm)
 {
   krb5_error_code ret = 0;
 
@@ -236,7 +237,7 @@
 
 clean_and_exit:
 
-	return (ret);
+  return ret;
 }
 
 /*
@@ -255,8 +256,8 @@
  *
  * Returns:
  *
- * 	KADM5_OK on success
- * 	KADM5_ERR on serious errors
+ * 	OK on success
+ * 	ERR on serious errors
  *
  * Effects:
  * 
@@ -267,8 +268,7 @@
  * attributes attrs and max life of lifetime (if not zero).
  */
 
-int
-add_admin_princ(void *handle, krb5_context context,
+int add_admin_princ(void *handle, krb5_context context,
     krb5_principal principal, int attrs, int lifetime)
 {
      char *fullname;
@@ -278,23 +278,23 @@
      memset(&ent, 0, sizeof(ent));
 
 	if (krb5_unparse_name(context, principal, &fullname))
-		return (KADM5_ERR);
+		return ERR;
 
      ent.principal = principal;
      ent.max_life = lifetime;
      ent.attributes = attrs | KRB5_KDB_DISALLOW_ALL_TIX;
      
-     if (ret = kadm5_create_principal(handle, &ent,
-					   (KADM5_PRINCIPAL |
-					    KADM5_MAX_LIFE |
-					    KADM5_ATTRIBUTES),
-					   "to-be-random")) {
+     ret = kadm5_create_principal(handle, &ent,
+				  (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
+				   KADM5_ATTRIBUTES),
+				  "to-be-random");
+     if (ret) {
 	  if (ret != KADM5_DUP) {
 		com_err(progname, ret,
 			gettext(str_PUT_PRINC), fullname);
 	       krb5_free_principal(context, ent.principal);
 	       free(fullname);
-		return (KADM5_ERR);
+	       return ERR;
 	  }
      } else {
 	  /* only randomize key if we created the principal */
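Review bot: The literal `"to-be-random"` passed to `kadm5_create_principal` deserves a comment, since a reader auditing key handling will otherwise see admin principals created with a fixed, well-known password. What limits the exposure is visible only by reading on: `KRB5_KDB_DISALLOW_ALL_TIX` is OR-ed into `ent.attributes` before the create call, and the next hunk sets `ent.attributes = attrs` only after the key-randomizing step has reported success. A short comment above the `ent.attributes` assignment, stating that the placeholder password is never usable because tickets stay disallowed until the key has been randomized, would record that ordering dependency for whoever next reorders these calls. add_admin_princ continues past the end of this hunk, and the randomizing call itself is not shown.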
@@ -302,25 +302,26 @@
 	if (ret) {
 		com_err(progname, ret,
 			gettext(str_RANDOM_KEY), fullname);
-		krb5_free_principal(context, ent.principal);
-		free(fullname);
-		return (KADM5_ERR);
-	}
-	ent.attributes = attrs;
-	ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES);
-	if (ret) {
-		com_err(progname, ret,
-			gettext(str_PUT_PRINC), fullname);
-		krb5_free_principal(context, ent.principal);
-		free(fullname);
-		return (KADM5_ERR);
-	}
-    }
+	       krb5_free_principal(context, ent.principal);
+	       free(fullname);
+	       return ERR;
+	  }
+	  
+	  ent.attributes = attrs;
+	  ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES);
+	  if (ret) {
+	      com_err(progname, ret,
+	       gettext(str_PUT_PRINC), fullname);
+	       krb5_free_principal(context, ent.principal);
+	       free(fullname);
+	       return ERR;
+	  }
+     }
      
-    krb5_free_principal(context, ent.principal);
-    free(fullname);
+     krb5_free_principal(context, ent.principal);
+     free(fullname);
 
-    return (KADM5_OK);
+     return OK;
 }
 
 int
@@ -334,7 +335,7 @@
 	fullname = build_name_with_realm(name, realm);
 	if (ret = krb5_parse_name(context, fullname, &principal)) {
 		com_err(progname, ret, gettext(str_PARSE_NAME));
-		return (KADM5_ERR);
+		return (ERR);
 	}
 
 	return (add_admin_princ(handle, context, principal, attrs, lifetime));
@@ -352,7 +353,7 @@
 		com_err(progname, ret,
 			gettext("Could not get host based "
 				"service name for %s principal\n"), sname);
-		return (KADM5_ERR);
+		return (ERR);
 	}
 	return (add_admin_princ(handle, context, principal, attrs, lifetime));
 }
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_create.c	Sat Oct 07 13:37:05 2006 -0700
@@ -94,8 +94,7 @@
     TGT_KEY				/* special handling for tgt key */
 };
 
-krb5_key_salt_tuple def_kslist =
-	{ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
+krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL };
 
 struct realm_info {
     krb5_deltat max_life;
@@ -106,7 +105,6 @@
     krb5_int32 nkslist;
     krb5_key_salt_tuple *kslist;
 } rblock = { /* XXX */
-
     KRB5_KDB_MAX_LIFE,
     KRB5_KDB_MAX_RLIFE,
     KRB5_KDB_EXPIRATION,
@@ -122,10 +120,11 @@
     krb5_db_entry	*dbentp;
 };
 
-static krb5_error_code add_principal(krb5_context,
-		krb5_principal, 
-		enum ap_op,
-		struct realm_info *,
+static krb5_error_code add_principal 
+	(krb5_context,
+	 krb5_principal,
+	 enum ap_op,
+	 struct realm_info *,
 		krb5_keyblock *);
 
 /*
@@ -151,10 +150,8 @@
 krb5_data db_creator_entries[] = {
 	{0, sizeof("db_creation")-1, "db_creation"} };
 
-/*
- * XXX knows about contents of krb5_principal, and that tgt names
- * are of form TGT/REALM@REALM
- */
+/* XXX knows about contents of krb5_principal, and that tgt names
+ are of form TGT/REALM@REALM */
 krb5_principal_data tgt_princ = {
         0,					/* magic number */
 	{0, 0, 0},				/* krb5_data realm */
@@ -179,8 +176,7 @@
 extern kadm5_config_params global_params;
 extern krb5_context util_context;
 
-void
-kdb5_create(argc, argv)
+void kdb5_create(argc, argv)
    int argc;
    char *argv[];
 {
@@ -196,7 +192,7 @@
     kdb_log_context *log_ctx;
     krb5_keyblock mkey;
     krb5_data master_salt = { 0, NULL };
-
+	   
     if (strrchr(argv[0], '/'))
 	argv[0] = strrchr(argv[0], '/')+1;
 
@@ -224,41 +220,41 @@
     log_ctx = util_context->kdblog_context;
 
     retval = krb5_db_set_name(util_context, global_params.dbname);
-	if (!retval)
-		retval = EEXIST;
+    if (!retval) retval = EEXIST;
 
     if (retval == EEXIST || retval == EACCES || retval == EPERM) {
 	/* it exists ! */
 		com_err(argv[0], 0,
 			gettext("The database '%s' appears to already exist"),
 		global_params.dbname);
-		exit_status++;
-		return;
+	exit_status++; return;
     }
+/* SUNW14resync XXX */
+#if 0
+    printf ("Loading random data\n");
+    retval = krb5_c_random_os_entropy (util_context, 1, NULL);
+    if (retval) {
+      com_err (argv[0], retval, "Loading random data");
+      exit_status++; return;
+    }
+#endif    
     /* assemble & parse the master key name */
 
     if ((retval = krb5_db_setup_mkey_name(util_context,
 					  global_params.mkey_name,
 					  global_params.realm,  
 					  &mkey_fullname, &master_princ))) {
-		com_err(argv[0], retval,
+	com_err(argv[0], retval,
 			gettext("while setting up master key name"));
-		exit_status++;
-		return;
+	exit_status++; return;
     }
-	krb5_princ_set_realm_data(util_context,
-				&db_create_princ, global_params.realm);
-	krb5_princ_set_realm_length(util_context,
-				    &db_create_princ,
-				    strlen(global_params.realm));
-	krb5_princ_set_realm_data(util_context,
-				&tgt_princ, global_params.realm);
-	krb5_princ_set_realm_length(util_context,
-				    &tgt_princ, strlen(global_params.realm));
-	krb5_princ_component(util_context, &tgt_princ, 1)->data =
-	    global_params.realm;
-	krb5_princ_component(util_context, &tgt_princ, 1)->length =
-	    strlen(global_params.realm);
+
+    krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm);
+    krb5_princ_set_realm_length(util_context, &db_create_princ, strlen(global_params.realm));
+    krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
+    krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
+    krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
+    krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
 
 	printf(gettext("Initializing database '%s' for realm '%s',\n"
 			"master key name '%s'\n"),
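Review bot: The new `#if 0` block disables the `krb5_c_random_os_entropy` call with only `SUNW14resync XXX` as explanation, in the function that sets up the master key for a new database. The comment should say why the OS entropy load is skipped and where the PRNG is seeded instead. The only seeding visible elsewhere in this file's diff is `krb5_c_random_seed(context, &pwd)` with the master password in a later hunk. If the library seeds itself from the system on this platform, saying so in the comment would let a reviewer confirm that generated keys do not depend on the password alone. kdb5_create begins before and ends after this hunk.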
@@ -279,17 +275,15 @@
 				    "master key to verify"),
 			    pw_str, &pw_size);
 	if (retval) {
-		com_err(argv[0], retval,
+	    com_err(argv[0], retval,
 		    gettext("while reading master key from keyboard"));
-		exit_status++;
-		return;
+	    exit_status++; return;
 	}
 	mkey_password = pw_str;
     }
 
     pwd.data = mkey_password;
     pwd.length = strlen(mkey_password);
-
     retval = krb5_principal2salt(util_context, master_princ, &master_salt);
     if (retval) {
 	com_err(argv[0], retval,
@@ -298,8 +292,9 @@
 	goto cleanup;
     }
 
-    if (retval = krb5_c_string_to_key(util_context, global_params.enctype,
-			      &pwd, &master_salt, &mkey)) {
+    retval = krb5_c_string_to_key(util_context, global_params.enctype,
+				  &pwd, &master_salt, &mkey);
+    if (retval) {
 	com_err(argv[0], retval,
 	    gettext("while transforming master key from password"));
 	exit_status++;
@@ -393,10 +388,11 @@
      * it; delete the file below if it was not requested.  DO NOT EXIT
      * BEFORE DELETING THE KEYFILE if do_stash is not set.
      */
-    if (retval = krb5_db_store_mkey(util_context,
-				    global_params.stash_file,
-				    master_princ,
-				    &mkey)) {
+    retval = krb5_db_store_mkey(util_context,
+			    global_params.stash_file,
+			    master_princ,
+			    &mkey);
+    if (retval) {
 	com_err(argv[0], errno, gettext("while storing key"));
 	printf(gettext("Warning: couldn't stash master key.\n"));
     }
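Review bot: The failure branch reports `errno` rather than the `retval` just returned by `krb5_db_store_mkey`, so the message can name a stale or unrelated error. Now that the call has been split from the condition, the value is at hand: `com_err(argv[0], retval, gettext("while storing key"));`.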
@@ -405,13 +401,11 @@
 	memset(pw_str, 0, pw_size);
 
     if (kadm5_create(&global_params)) {
-	if (!do_stash)
-		unlink(global_params.stash_file);
-	exit_status++;
-	goto cleanup;
+	 if (!do_stash) unlink(global_params.stash_file);
+	 exit_status++;
+	 goto cleanup;
     }
-    if (!do_stash)
-	unlink(global_params.stash_file);
+    if (!do_stash) unlink(global_params.stash_file);
 
 cleanup:
     if (pw_str) {
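Review bot: Both `unlink(global_params.stash_file)` calls ignore their return value, while the comment in the previous hunk says the key file must be deleted when `do_stash` is not set. If the unlink fails, the stashed master key stays on disk with no warning to the operator. Checking the result and reporting it, for example `if (!do_stash && unlink(global_params.stash_file) != 0) com_err(argv[0], errno, gettext("while removing stash file"));`, would surface that; the message text is only a suggestion. The `memset(pw_str, 0, pw_size)` above is also worth confirming against the compiler's dead-store elimination, since the cleanup code that follows is outside this hunk.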
@@ -426,7 +420,6 @@
     (void) krb5_db_fini(util_context);
 
     return;
-
 }
 
 static krb5_error_code
@@ -439,7 +432,6 @@
     struct iterate_args	*iargs;
     krb5_keyblock	key;
     krb5_int32		ind;
-    krb5_pointer rseed;
     krb5_data	pwd;
 
     iargs = (struct iterate_args *) ptr;
@@ -453,7 +445,8 @@
      */
     pwd.data = mkey_password;
     pwd.length = strlen(mkey_password);
-    if (kret = krb5_c_random_seed(context, &pwd))
+    kret = krb5_c_random_seed(context, &pwd);
+    if (kret)
 	return kret;
 
     if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {
@@ -474,11 +467,12 @@
 }
 
 static krb5_error_code
-add_principal(krb5_context context,
-    krb5_principal princ,
-    enum ap_op op,
-    struct realm_info *pblock,
-    krb5_keyblock *mkey)
+add_principal(context, princ, op, pblock, mkey)
+    krb5_context context;
+    krb5_principal princ;
+    enum ap_op op;
+    struct realm_info *pblock;
+    krb5_keyblock *mkey;
 {
     krb5_error_code 	  retval;
     krb5_db_entry 	  entry;
@@ -508,17 +502,17 @@
 
     switch (op) {
     case MASTER_KEY:
-	entry.key_data = (krb5_key_data *) malloc(sizeof (krb5_key_data));
-	if (entry.key_data == NULL)
+	if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data)))
+	    == NULL)
 	    goto error_out;
-
 	memset((char *) entry.key_data, 0, sizeof(krb5_key_data));
 	entry.n_key_data = 1;
 
 	entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
 	if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
-				  mkey, NULL, 1, entry.key_data)))
-		goto error_out;
+						  mkey, NULL,
+						  1, entry.key_data)))
+	    goto error_out;
 	break;
     case TGT_KEY:
 	iargs.ctx = context;
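Review bot: When the `malloc` in the `MASTER_KEY` case fails, the code jumps to `error_out` without assigning `retval`, and `error_out` (in the last hunk of this file) returns `retval`. Unless code outside this hunk has left a nonzero value there, add_principal would report success without having stored the principal. Setting `retval = ENOMEM;` before the `goto error_out;` makes the failure explicit. The function starts above this hunk, so the value `retval` holds on entry to the `switch` is not visible here.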
@@ -532,10 +526,10 @@
 					   1,
 					   tgt_keysalt_iterate,
 					   (krb5_pointer) &iargs)))
-		return (retval);
+	    return retval;
 	break;
     case NULL_KEY:
-	return (EOPNOTSUPP);
+	return EOPNOTSUPP;
     default:
 	break;
     }
@@ -543,6 +537,6 @@
     retval = krb5_db_put_principal(context, &entry, &nentries);
 
 error_out:;
-	krb5_dbe_free_contents(context, &entry);
-	return (retval);
+    krb5_dbe_free_contents(context, &entry);
+    return retval;
 }
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_destroy.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_destroy.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -82,7 +82,6 @@
 #include <libintl.h>
 #include "kdb5_util.h"
 
-extern int errno;
 extern int exit_status;
 extern krb5_boolean dbactive;
 extern kadm5_config_params global_params;
@@ -98,9 +97,9 @@
     int optchar;
     char *dbname;
     char buf[5];
-    char dbfilename[MAXPATHLEN];
     krb5_error_code retval, retval1, retval2;
     krb5_context context;
+    int force = 0;
     char ufilename[MAX_FILENAME];
 
     krb5_init_context(&context);
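Review bot: `krb5_init_context(&context)` is called without checking its result, and `context` is then passed to `krb5_db_set_name` and `krb5_db_destroy` in the next hunk. `kadm5_create` in this same changeset does check the equivalent call. Doing so here, e.g. `if ((retval = krb5_init_context(&context))) { exit_status++; return; }`, avoids running a destructive operation on a context that was never set up. The function begins above this hunk and continues below it.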
@@ -110,29 +109,42 @@
 
     dbname = global_params.dbname;
 
-    printf(gettext("Deleting KDC database stored in '%s', "
+    optind = 1;
+    while ((optchar = getopt(argc, argv, "f")) != -1) {
+	switch(optchar) {
+	case 'f':
+	    force++;
+	    break;
+	case '?':
+	default:
+	    usage();
+	    return;
+	    /*NOTREACHED*/
+	}
+    }
+    if (!force) {
+	printf(gettext("Deleting KDC database stored in '%s', "
 		"are you sure?\n"), dbname);
-    printf(gettext("(type 'yes' or 'y' to confirm)? "));
-
-    if (fgets(buf, sizeof (buf), stdin) == NULL) {
-	exit_status++;
-	return;
-    }
-    if ((strncmp(buf, gettext("yes\n"),
+	printf(gettext("(type 'yes' or 'y' to confirm)? "));
+	if (fgets(buf, sizeof(buf), stdin) == NULL) {
+	    exit_status++; return;
+        }
+	if ((strncmp(buf, gettext("yes\n"),
 	 	strlen(gettext("yes\n"))) != 0) && 
 	(strncmp(buf, gettext("y\n"),
 		strlen(gettext("y\n"))) != 0)) {
 	printf(gettext("database not deleted !! '%s'...\n"),
 		dbname);
 
-	exit_status++;
-	return;
+	    exit_status++; return;
+        }
+	printf(gettext("OK, deleting database '%s'...\n"), dbname);
     }
-    printf(gettext("OK, deleting database '%s'...\n"), dbname);
-    if (retval = krb5_db_set_name(context, dbname)) {
+
+    retval = krb5_db_set_name(context, dbname);
+    if (retval) {
 	com_err(argv[0], retval, "'%s'",dbname);
-		exit_status++;
-		return;
+	exit_status++; return;
     }
     retval1 = krb5_db_destroy(context, dbname);
 
@@ -160,14 +172,12 @@
     if (retval1) {
 		com_err(argv[0], retval1,
 			gettext("deleting database '%s'"), dbname);
-		exit_status++;
-		return;
+	exit_status++; return;
     }
     if (retval2) {
 		com_err(argv[0], retval2,
 			gettext("destroying policy database"));
-		exit_status++;
-		return;
+	 exit_status++; return;
     }
 
     if (global_params.iprop_enabled) {
@@ -184,5 +194,6 @@
     }
 
     dbactive = FALSE;
-	printf(gettext("** Database '%s' destroyed.\n"), dbname);
+    printf(gettext("** Database '%s' destroyed.\n"), dbname);
+    return;
 }
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -52,6 +52,33 @@
  * Store the master database key in a file.
  */
 
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ * 
+ * All rights reserved.
+ * 
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government.  It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  FundsXpress makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+
 #define KDB5_DISPATCH
 #define KRB5_KDB5_DBM__
 #include <k5-int.h>
@@ -78,8 +105,7 @@
 #include <kadm5/admin.h>
 #include <stdio.h>
 #include <libintl.h>
-
-extern int errno;
+#include "kdb5_util.h"
 
 extern krb5_principal master_princ;
 extern kadm5_config_params global_params;
@@ -89,8 +115,8 @@
 
 void
 kdb5_stash(argc, argv)
-int argc;
-char *argv[];
+    int argc;
+    char *argv[];
 {
     extern char *optarg;
     extern int optind;
@@ -104,8 +130,6 @@
     krb5_context context;
     krb5_keyblock mkey;
 
-    int enctypedone = 0;
-
     if (strrchr(argv[0], '/'))
 	argv[0] = strrchr(argv[0], '/')+1;
 
@@ -142,67 +166,71 @@
 		global_params.enctype);
 	else
 	    com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp);
-	exit_status++;
-	return;
+	exit_status++; return; 
     }
 
-    if (retval = krb5_db_set_name(context, dbname)) {
+    retval = krb5_db_set_name(context, dbname);
+    if (retval) {
 	com_err(argv[0], retval,
 	    gettext("while setting active database to '%s'"),
 	dbname);
-	exit_status++;
-	return;
+	exit_status++; return; 
     }
 
     /* assemble & parse the master key name */
-    if (retval = krb5_db_setup_mkey_name(context, mkey_name, realm, 
-					 &mkey_fullname, &master_princ)) {
+    retval = krb5_db_setup_mkey_name(context, mkey_name, realm, 
+				     &mkey_fullname, &master_princ);
+    if (retval) {
 	com_err(argv[0], retval,
 		gettext("while setting up master key name"));
-	exit_status++;
-	return;
+	exit_status++; return; 
     }
-    if (retval = krb5_db_init(context)) {
+
+    retval = krb5_db_init(context);
+    if (retval) {
 	com_err(argv[0], retval,
 		gettext("while initializing the database '%s'"),
-	dbname);
-	exit_status++;
-	return;
+		dbname);
+	exit_status++; return; 
     }
 
     /* TRUE here means read the keyboard, but only once */
-    if (retval = krb5_db_fetch_mkey(context, master_princ,
-				    global_params.enctype,
-				    TRUE, FALSE, (char *) NULL,
-				    0, &mkey)) {
+    retval = krb5_db_fetch_mkey(context, master_princ,
+				global_params.enctype,
+				TRUE, FALSE, (char *) NULL,
+				0, &mkey);
+    if (retval) {
 	com_err(argv[0], retval, gettext("while reading master key"));
 	(void) krb5_db_fini(context);
-	exit_status++;
-	return;
+	exit_status++; return; 
     }
-    if (retval = krb5_db_verify_master_key(context, master_princ, &mkey)) {
+
+    retval = krb5_db_verify_master_key(context, master_princ, &mkey);
+    if (retval) {
 	com_err(argv[0], retval, gettext("while verifying master key"));
 	krb5_free_keyblock_contents(context, &mkey);
 	(void) krb5_db_fini(context);
-	exit_status++;
-	return;
+	exit_status++; return; 
     }	
-    if (retval = krb5_db_store_mkey(context, keyfile, master_princ, 
-				    &mkey)) {
+
+    retval = krb5_db_store_mkey(context, keyfile, master_princ, 
+				    &mkey);
+    if (retval) {
 	com_err(argv[0], errno, gettext("while storing key"));
 	krb5_free_keyblock_contents(context, &mkey);
 	(void) krb5_db_fini(context);
-	exit_status++;
-	return;
+	exit_status++; return; 
     }
     krb5_free_keyblock_contents(context, &mkey);
-    if (retval = krb5_db_fini(context)) {
+
+    retval = krb5_db_fini(context);
+    if (retval) {
 	com_err(argv[0], retval,
 		gettext("closing database '%s'"), dbname);
-	exit_status++;
-	return;
+	exit_status++; return; 
     }
 
     krb5_free_context(context);
     exit_status = 0;
+    return; 
 }
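Review bot: The `krb5_db_store_mkey` failure branch still passes `errno` to com_err while every other branch in this hunk passes `retval`, so the message printed when stashing the master key fails may describe a stale or unrelated errno rather than the code the call returned. I would change it to `com_err(argv[0], retval, gettext("while storing key"));`. kdb5_stash begins outside this hunk.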
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -53,6 +53,32 @@
  */
 
 /*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ * 
+ * All rights reserved.
+ * 
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government.  It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  FundsXpress makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/*
  *  Yes, I know this is a hack, but we need admin.h without including the
  *  rpc.h header. Additionally, our rpc.h header brings in
  *  a des.h header which causes other problems.
@@ -108,23 +134,24 @@
 osa_adb_policy_t policy_db;
 kadm5_config_params global_params;
 
-void
-usage()
+void usage()
 {
-	fprintf(stderr, "%s: "
-	   "kdb5_util cmd [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n"
-	    "\t         [-f] [stashfile] [-P password] [-m ] [cmd options]\n"
-	    "\tcreate	[-s]\n"
-	    "\tdestroy	\n"
-	    "\tstash	\n"
-	    "\tdump	[-old] [-ov] [-b6] [-verbose] [filename	[princs...]]\n"
-	    "\tload	[-old] [-ov] [-b6] [-verbose] [-update] filename\n"
+     fprintf(stderr, "%s: "
+	   "kdb5_util [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n"
+	     "\t         [-f | -sf stashfilename] [-P password] [-m] cmd [cmd_options]\n"
+	     "\tcreate	[-s]\n"
+	     "\tdestroy	[-f]\n"
+	     "\tstash	[-f keyfile]\n"
+	     "\tdump	[-old] [-ov] [-b6] [-verbose] [filename	[princs...]]\n"
+	     "\t	[-mkey_convert] [-new_mkey_file mkey_file]\n"
+	     "\t	[-rev] [-recurse] [filename [princs...]]\n"
+	     "\tload	[-old] [-ov] [-b6] [-verbose] [-update] filename\n"
 #ifdef SUNWOFF
-	    "\tload_v4	[-t] [-n] [-v] [-K] [-s stashfile] inputfile\n"
+	     "\tload_v4	[-t] [-n] [-v] [-K] [-s stashfile] inputfile\n"
 #endif
-	    "\tark	[-e etype_list] principal\n",
+	     "\tark	[-e etype_list] principal\n",
 	    gettext("Usage"));
-     exit(1);	    
+     exit(1);
 }
 
 krb5_keyblock master_key;
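Review bot: The new synopsis keeps advertising `[-P password]` without saying that the master key password then sits in the process arguments (main stores the argv pointer directly in `mkey_password`), where it can be read from process listings and shell history. A short comment above the format string, e.g. `/* -P exposes the master key password in argv; -m is the interactive alternative */`, would record the trade-off for maintainers; I am assuming `-m` prompts, since only `manual_mkey = TRUE` is visible in this diff. The dump synopsis also now lists `[filename [princs...]]` twice, once on the first `dump` line and again after `[-rev] [-recurse]`; the first occurrence should go.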
@@ -137,55 +164,48 @@
 krb5_boolean manual_mkey = FALSE;
 krb5_boolean dbactive = FALSE;
 
-int kdb5_create(int, char **);
-int kdb5_destroy(int, char **);
-int kdb5_stash(int, char **);
-int dump_db(int, char **);
-int load_db(int, char **);
-int open_db_and_mkey();
-int add_random_key(int, char **);
+static int open_db_and_mkey(void);
+
+static void add_random_key(int, char **);
    
-typedef int (*cmd_func)(int, char **);
+typedef void (*cmd_func)(int, char **);
 
 struct _cmd_table {
      char *name;
      cmd_func func;
      int opendb;
 } cmd_table[] = {
-     "create", kdb5_create, 0,
-     "destroy", kdb5_destroy, 1,
-     "stash", kdb5_stash, 1,
-     "dump", dump_db, 1,
-     "load", load_db, 0,
-     "ark", add_random_key, 1,
-     NULL, NULL, 0,
+     {"create", kdb5_create, 0},
+     {"destroy", kdb5_destroy, 1},
+     {"stash", kdb5_stash, 1},
+     {"dump", dump_db, 1},
+     {"load", load_db, 0},
+     {"ark", add_random_key, 1},
+     {NULL, NULL, 0},
 };
 
-struct _cmd_table *
-cmd_lookup(name)
+static struct _cmd_table *cmd_lookup(name)
    char *name;
 {
      struct _cmd_table *cmd = cmd_table;
-
      while (cmd->name) {
 	  if (strcmp(cmd->name, name) == 0)
-			return (cmd);
+	       return cmd;
 	  else
 	       cmd++;
      }
      
-	return (NULL);
+     return NULL;
 }
 
-#define ARG_VAL (--argc > 0 ? (optarg = *(++argv)) : (char *)(usage(), NULL))
+#define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(usage(), NULL))
      
-int
-main(argc, argv)
+int main(argc, argv)
     int argc;
     char *argv[];
 {
     struct _cmd_table *cmd = NULL;
-    char *optarg, **cmd_argv;
+    char *koptarg, **cmd_argv;	
     int cmd_argc;
     krb5_error_code retval;
 
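Review bot: `cmd_func` now returns void, so a command's only way to report failure is the global `exit_status`, and nothing in this hunk documents that contract or the meaning of the `opendb` field. I would add `/* Handlers return nothing; on failure they increment exit_status, which main() returns. */` above the typedef and `/* nonzero: main() calls open_db_and_mkey() first */` beside `opendb`. The contract matters because open_db_and_mkey's salt-failure path (the `@@ -431,13 +451,13 @@` hunk) returns 1 without touching `exit_status`, so main's `return exit_status` would presumably report success there; adding `exit_status++;` before that `return(1);` would close the gap. main continues past the end of this hunk.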
@@ -218,17 +238,16 @@
     memset(cmd_argv, 0, sizeof(char *)*argc);
     cmd_argc = 1;
 	 
-	argv++;
-	argc--;
+    argv++; argc--;
     while (*argv) {
        if (strcmp(*argv, "-P") == 0 && ARG_VAL) {
-	    mkey_password = optarg;
+	    mkey_password = koptarg;
 	    manual_mkey = TRUE;
        } else if (strcmp(*argv, "-d") == 0 && ARG_VAL) {
-	    global_params.dbname = optarg;
+	    global_params.dbname = koptarg;
 	    global_params.mask |= KADM5_CONFIG_DBNAME;
        } else if (strcmp(*argv, "-r") == 0 && ARG_VAL) {
-	    global_params.realm = optarg;
+	    global_params.realm = koptarg;
 	    global_params.mask |= KADM5_CONFIG_REALM;
 	    /* not sure this is really necessary */
 	    if ((retval = krb5_set_default_realm(util_context,
@@ -239,20 +258,20 @@
 		 exit(1);
 	    }
        } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) {
-			if (krb5_string_to_enctype(optarg,
+			if (krb5_string_to_enctype(koptarg,
 						    &global_params.enctype))
 				com_err(argv[0], 0,
 					gettext("%s is an invalid enctype"),
-					optarg);
+					koptarg);
 	    else
 		 global_params.mask |= KADM5_CONFIG_ENCTYPE;
        } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) {
-	    global_params.mkey_name = optarg;
+	    global_params.mkey_name = koptarg;
 	    global_params.mask |= KADM5_CONFIG_MKEY_NAME;
        } else if (((strcmp(*argv, "-sf") == 0)
 		/* SUNWresync121 - carry the old -f forward too */
 		|| (strcmp(*argv, "-f") == 0)) && ARG_VAL) {
-	    global_params.stash_file = optarg;
+	    global_params.stash_file = koptarg;
 	    global_params.mask |= KADM5_CONFIG_STASH_FILE;
        } else if (strcmp(*argv, "-m") == 0) {
 	    manual_mkey = TRUE;
@@ -266,19 +285,20 @@
        } else {
 	    cmd_argv[cmd_argc++] = *argv;
        }
-		argv++;
-		argc--;
+       argv++; argc--;
     }
 
     if (cmd_argv[0] == NULL)
 	 usage();
     
-    if (retval = kadm5_get_config_params(util_context, NULL, NULL,
-					 &global_params, &global_params)) {
+    retval = kadm5_get_config_params(util_context, NULL, NULL,
+				     &global_params, &global_params);
+    if (retval) {
 		com_err(argv[0], retval,
 		    gettext("while retreiving configuration parameters"));
 	 exit(1);
     }
+
     /*
      * Dump creates files which should not be world-readable.  It is
      * easiest to do a single umask call here.
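Review bot: `com_err(argv[0], retval, ...)` runs after the `while (*argv)` loop has advanced `argv` to its terminating NULL, so the program name is lost from the message; the `-k` branch in the previous hunk has the same slip, where `argv[0]` is by then the enctype string itself. Both should pass `progname`, as open_db_and_mkey does, assuming it is set before option parsing. The `-k` branch also only prints the error and carries on, so a mistyped master key enctype does not stop the run; adding `exit(1);` after its com_err (with braces around the two statements) keeps the tool from proceeding with an enctype the operator did not ask for. main starts and ends outside this hunk.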
@@ -295,7 +315,7 @@
 
     cmd = cmd_lookup(cmd_argv[0]);
     if (cmd->opendb && open_db_and_mkey())
-		return (exit_status);
+	 return exit_status;
 
 	if (global_params.iprop_enabled == TRUE)
 		ulog_set_role(util_context, IPROP_MASTER);
@@ -309,7 +329,7 @@
     }      
     kadm5_free_config_params(util_context, &global_params);
     krb5_free_context(util_context);
-    return (exit_status);
+    return exit_status;
 }
 
 #if 0
@@ -317,8 +337,7 @@
  * This function is no longer used in kdb5_util (and it would no
  * longer work, anyway).
  */
-void
-set_dbname(argc, argv)
+void set_dbname(argc, argv)
     int argc;
     char *argv[];
 {
@@ -348,8 +367,8 @@
     }
 
     (void) set_dbname_help(argv[0], argv[1]);
+    return;
 }
-
 #endif
 
 /*
@@ -361,8 +380,7 @@
  * cannot be fetched (the master key stash file may not exist when the
  * program is run).
  */
-int
-open_db_and_mkey()
+static int open_db_and_mkey()
 {
     krb5_error_code retval;
     int nentries;
@@ -385,12 +403,13 @@
 	exit_status++;
 	return(1);
     }
-    if (retval = osa_adb_open_policy(&policy_db, &global_params)) {
+    if ((retval = osa_adb_open_policy(&policy_db, &global_params))) {
 		com_err(progname, retval,
 		    gettext("opening policy database"));
 	 exit_status++;
-	 return (1);
+	return (1);
     }
+
    /* assemble & parse the master key name */
 
     if ((retval = krb5_db_setup_mkey_name(util_context,
@@ -423,6 +442,7 @@
 	(void) krb5_db_fini(util_context);
 	return(1);
     }
+
     krb5_db_free_principal(util_context, &master_entry, nentries);
 
     /* the databases are now open, and the master principal exists */
@@ -431,13 +451,13 @@
     if (mkey_password) {
 	pwd.data = mkey_password;
 	pwd.length = strlen(mkey_password);
-	retval = krb5_principal2salt(util_context,
-			    master_princ, &scratch);
+	retval = krb5_principal2salt(util_context, master_princ, &scratch);
 	if (retval) {
 		com_err(progname, retval,
 		    gettext("while calculated master key salt"));
-		return(1);
+	    return(1);
 	}
+
 	/* If no encryption type is set, use the default */
 	if (global_params.enctype == ENCTYPE_UNKNOWN) {
 	    global_params.enctype = DEFAULT_KDC_ENCTYPE;
@@ -491,7 +511,7 @@
 
     valid_master_key = 1;
     dbactive = TRUE;
-	return (0);
+    return 0;
 }
 
 #ifdef HAVE_GETCWD
@@ -505,7 +525,7 @@
     static krb5_boolean finished = 0;
 
     if (finished)
-		return (0);
+	return 0;
     retval = krb5_db_fini(util_context);
     krb5_free_keyblock_contents(util_context, &master_key);
     finished = TRUE;
@@ -513,12 +533,12 @@
     if (retval && retval != KRB5_KDB_DBNOTINITED) {
 		com_err(progname, retval, gettext("while closing database"));
 	exit_status++;
-	return (1);
+	return 1;
     }
-    return (0);
+    return 0;
 }
 
-int
+static void
 add_random_key(argc, argv)
     int argc;
     char **argv;
@@ -526,7 +546,7 @@
     krb5_error_code ret;
     krb5_principal princ;
     krb5_db_entry dbent;
-    int n, i;
+    int n;
     krb5_boolean more;
     krb5_timestamp now;
 
@@ -554,23 +574,27 @@
     ret = krb5_parse_name(util_context, pr_str, &princ);
     if (ret) {
 	com_err(me, ret, gettext("while parsing principal name %s"), pr_str);
-	return 1;
+	exit_status++;
+	return;
     }
     n = 1;
     ret = krb5_db_get_principal(util_context, princ, &dbent,
 				&n, &more);
     if (ret) {
 	com_err(me, ret, gettext("while fetching principal %s"), pr_str);
-	return 1;
+	exit_status++;
+	return;
     }
     if (n != 1) {
 	fprintf(stderr, gettext("principal %s not found\n"), pr_str);
-	return 1;
+	exit_status++;
+	return;
     }
     if (more) {
 	fprintf(stderr, gettext("principal %s not unique\n"), pr_str);
 	krb5_dbe_free_contents(util_context, &dbent);
-	return 1;
+	exit_status++;
+	return;
     }
     ret = krb5_string_to_keysalts(ks_str,
 				  ", \t", ":.-", 0,
@@ -578,7 +602,8 @@
 				  &num_keysalts);
     if (ret) {
 	com_err(me, ret, gettext("while parsing keysalts %s"), ks_str);
-	return 1;
+	exit_status++;
+	return;
     }
     if (!num_keysalts || keysalts == NULL) {
 	num_keysalts = global_params.num_keysalts;
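Review bot: The `krb5_string_to_keysalts` failure branch returns without `krb5_dbe_free_contents(util_context, &dbent)`, although `dbent` was fetched above and the neighbouring failure branches (`more`, randomizing, time, changetime) all release it. Add `krb5_dbe_free_contents(util_context, &dbent);` before `exit_status++;` so the fetched entry is released on every path. add_random_key starts and ends outside this hunk.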
@@ -594,27 +619,30 @@
     if (ret) {
 	com_err(me, ret, gettext("while randomizing principal %s"), pr_str);
 	krb5_dbe_free_contents(util_context, &dbent);
-	return 1;
+	exit_status++;
+	return;
     }
     dbent.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
     ret = krb5_timeofday(util_context, &now);
     if (ret) {
 	com_err(me, ret, gettext("while getting time"));
 	krb5_dbe_free_contents(util_context, &dbent);
-	return 1;
+	exit_status++;
+	return;
     }
     ret = krb5_dbe_update_last_pwd_change(util_context, &dbent, now);
     if (ret) {
 	com_err(me, ret, gettext("while setting changetime"));
 	krb5_dbe_free_contents(util_context, &dbent);
-	return 1;
+	exit_status++;
+	return;
     }
     ret = krb5_db_put_principal(util_context, &dbent, &n);
     krb5_dbe_free_contents(util_context, &dbent);
     if (ret) {
 	com_err(me, ret, gettext("while saving principal %s"), pr_str);
-	return 1;
+	exit_status++;
+	return;
     }
     printf("%s changed\n", pr_str);
-    return 0;
 }
--- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -39,7 +39,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- *
+ * 
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -47,40 +47,68 @@
  * this permission notice appear in supporting documentation, and that
  * the name of M.I.T. not be used in advertising or publicity pertaining
  * to distribution of the software without specific, written prior
- * permission.  M.I.T. makes no representations about the suitability of
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
+ * 
  */
-
 #include <kdb/kdb_log.h>
-
-#define	MAX_HEADER	1024
-#define	REALM_SEP	'@'
-#define	REALM_SEP_STR	"@"
+#define MAX_HEADER      1024
+#define REALM_SEP	'@'
+#define REALM_SEP_STR	"@"
 
 extern char *progname;
 extern char *Err_no_database;
+extern krb5_boolean dbactive;
+extern int exit_status;
+extern krb5_context util_context;
+extern kadm5_config_params global_params;
+extern int valid_master_key;
+extern krb5_db_entry master_db;
 
-void add_key
-(char const *, char const *,
-	krb5_const_principal, const krb5_keyblock *,
-	krb5_kvno, krb5_keysalt *);
-int set_dbname_help
-    (char *, char *);
+extern void usage(void);
 
-char *kdb5_util_Init (int, char **);
+extern void add_key 
+	(char const *, char const *, 
+		   krb5_const_principal, const krb5_keyblock *, 
+		   krb5_kvno, krb5_keysalt *);
+extern int set_dbname_help
+	(char *, char *);
+
+extern char *kdb5_util_Init (int, char **);
+
+extern int quit (void);
+
+extern int check_for_match
+	(char *, int, krb5_db_entry *, int, int);
 
-int quit();
+extern void parse_token
+	(char *, int *, int *, char *);
 
-int check_for_match
-    (char *, int, krb5_db_entry *, int, int);
+extern int create_db_entry (krb5_principal, krb5_db_entry *);
+
+extern int kadm5_create_magic_princs (kadm5_config_params *params,
+						krb5_context context);
 
-void parse_token
-    (char *, int *, int *, char *);
+extern int process_ov_principal (char *fname, krb5_context kcontext, 
+					   FILE *filep, int verbose, 
+					   int *linenop,
+					   void *pol_db);
 
-int create_db_entry
-    (krb5_principal, krb5_db_entry *);
+extern void load_db (int argc, char **argv);
+extern void dump_db (int argc, char **argv);
+extern void kdb5_create (int argc, char **argv);
+extern void kdb5_destroy (int argc, char **argv);
+extern void kdb5_stash (int argc, char **argv);
+
+extern void update_ok_file (char *file_name);
+
+extern int kadm5_create (kadm5_config_params *params);
+
+void usage (void);
 
 #ifdef	__cplusplus
 }
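Review bot: `usage` is declared twice in the new header, as `extern void usage(void);` near the top and again as `void usage (void);` at the end; one of them should go. The definition in kdb5_util.c is still the old-style `void usage()`, so I would write it as `void usage(void)` to match the prototype. The header now exports a good deal of global state (`exit_status`, `util_context`, `global_params`, `valid_master_key`, `master_db`); a one-line comment per variable naming the file that defines it would make the sharing easier to audit.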
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/krb5/kadmin/dbutil/nstrtok.h	Sat Oct 07 13:37:05 2006 -0700
@@ -0,0 +1,7 @@
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+
+/* Prototype for nstrtok */
+char *nstrtok(char *, const char *delim);
+
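Review bot: The new header has no include guard, and its one-line comment says nothing about the hidden state that strtok.c documents for nstrtok (`Modifies: last`), which makes the function non-reentrant in the same way as strtok. I would wrap the file in `#ifndef _NSTRTOK_H` / `#define _NSTRTOK_H` / `#endif`, following the `_STRING_TABLE_H` convention used in this directory. The comment should also say that a NULL first argument continues the previous scan and that callers must not interleave two scans. Naming the first parameter too, `char *nstrtok(char *s, const char *delim);`, would match the second.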
--- a/usr/src/cmd/krb5/kadmin/dbutil/ovload.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/ovload.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,212 +21,210 @@
 #include    <unistd.h>
 #include    <string.h>
 #include    <stdlib.h>
+#ifdef HAVE_MEMORY_H
 #include    <memory.h>
+#endif
 
 #include    <kadm5/adb.h>
 #include    "import_err.h"
-
-#define	LINESIZE	32768	/* XXX */
-#define	PLURAL(count)	(((count) == 1) ? \
-	error_message(IMPORT_SINGLE_RECORD) : \
-	error_message(IMPORT_PLURAL_RECORDS))
+#include    "kdb5_util.h"
+#include    "nstrtok.h"
 
-int
-parse_pw_hist_ent(current, hist)
-char *current;
-osa_pw_hist_ent *hist;
-{
-	int tmp, i, j, ret;
-	char *cp;
+#define LINESIZE	32768 /* XXX */
+#define PLURAL(count)	(((count) == 1) ? error_message(IMPORT_SINGLE_RECORD) : error_message(IMPORT_PLURAL_RECORDS))
 
-	ret = 0;
-	hist->n_key_data = 1;
+static int parse_pw_hist_ent(current, hist)
+   char *current;
+   osa_pw_hist_ent *hist;
+{
+     int tmp, i, j, ret;
+     char *cp;
 
-	hist->key_data = (krb5_key_data *) malloc(hist->n_key_data *
-	    sizeof (krb5_key_data));
-	if (hist->key_data == NULL)
-		return (ENOMEM);
-	memset(hist->key_data, 0, sizeof (krb5_key_data) * hist->n_key_data);
+     ret = 0;
+     hist->n_key_data = 1;
 
-	for (i = 0; i < hist->n_key_data; i++) {
-		krb5_key_data *key_data = &hist->key_data[i];
+     hist->key_data = (krb5_key_data *) malloc(hist->n_key_data *
+					       sizeof(krb5_key_data));
+     if (hist->key_data == NULL)
+	  return ENOMEM;
+     memset(hist->key_data, 0, sizeof(krb5_key_data)*hist->n_key_data);
 
-		key_data->key_data_ver = 1;
+     for (i = 0; i < hist->n_key_data; i++) {
+	  krb5_key_data *key_data = &hist->key_data[i];
 
-		if ((cp = strtok((char *) NULL, "\t")) == NULL) {
-			com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-			ret = IMPORT_FAILED;
-			goto done;
-		}
-		key_data->key_data_type[0] = atoi(cp);
-
-		if ((cp = strtok((char *) NULL, "\t")) == NULL) {
-			com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-			ret = IMPORT_FAILED;
-			goto done;
-		}
-		key_data->key_data_length[0] = atoi(cp);
+	  key_data->key_data_ver = 1;
+	  
+	  if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+	       com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+	       ret = IMPORT_FAILED;
+	       goto done;
+	  }
+	  key_data->key_data_type[0] = atoi(cp);
 
-		if ((cp = strtok((char *) NULL, "\t")) == NULL) {
-			com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-			ret = IMPORT_FAILED;
-			goto done;
-		}
-		if (!(key_data->key_data_contents[0] = (krb5_octet *)
-				malloc(key_data->key_data_length[0] + 1))) {
-			ret = ENOMEM;
-			goto done;
-		}
-		for (j = 0; j < key_data->key_data_length[0]; j++) {
-			if (sscanf(cp, "%02x", &tmp) != 1) {
-				com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-				ret = IMPORT_FAILED;
-				goto done;
-			}
-			key_data->key_data_contents[0][j] = tmp;
-			cp = strchr(cp, ' ') + 1;
-		}
-	}
-
+	  if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+	       com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+	       ret =  IMPORT_FAILED;
+	       goto done;
+	  }
+	  key_data->key_data_length[0] = atoi(cp);
+	  
+	  if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+	       com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+	       ret = IMPORT_FAILED;
+	       goto done;
+	  }
+	  if(!(key_data->key_data_contents[0] =
+	       (krb5_octet *) malloc(key_data->key_data_length[0]+1))) {
+	       ret = ENOMEM;
+	       goto done;
+	  }
+	  for(j = 0; j < key_data->key_data_length[0]; j++) {
+	       if(sscanf(cp, "%02x", &tmp) != 1) {
+		    com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+		    ret = IMPORT_FAILED;
+		    goto done;
+	       }
+	       key_data->key_data_contents[0][j] = tmp;
+	       cp = strchr(cp, ' ') + 1;
+	  }
+     }
+     
 done:
-	return (ret);
+     return ret;
 }
 
 /*
  * Function: parse_principal
- *
+ * 
  * Purpose: parse principal line in db dump file
  *
  * Arguments:
- * 	<return value>	0 on sucsess, error code on failure
+ * 	<return value>	0 on success, error code on failure
  *
  * Requires:
  *	principal database to be opened.
- *	strtok(3) to have a valid buffer in memory.
- *
+ *	nstrtok(3) to have a valid buffer in memory.
+ * 
  * Effects:
  *	[effects]
  *
  * Modifies:
  *	[modifies]
- *
+ * 
  */
-int
-process_ov_principal(fname, kcontext, filep, verbose, linenop, pol_db)
-char *fname;
-krb5_context kcontext;
-FILE *filep;
-int verbose;
-int *linenop;
-void *pol_db;
+int process_ov_principal(fname, kcontext, filep, verbose, linenop, pol_db)
+    char		*fname;
+    krb5_context	kcontext;
+    FILE		*filep;
+    int			verbose;
+    int			*linenop;
+    void *pol_db;
 {
-	XDR xdrs;
-	osa_princ_ent_t rec;
-	osa_adb_ret_t ret;
-	krb5_tl_data tl_data;
-	krb5_principal princ;
-	krb5_db_entry kdb;
-	char *current;
-	char *cp;
-	int tmp, x, i, one;
-	unsigned int more;
-	char line[LINESIZE];
+    XDR			    xdrs;
+    osa_princ_ent_t	    rec;
+    osa_adb_ret_t	    ret;
+    krb5_tl_data	    tl_data;
+    krb5_principal	    princ;
+    krb5_db_entry	    kdb;
+    char		    *current;
+    char		    *cp;
+    int			    x, one;
+    krb5_boolean	    more;
+    char		    line[LINESIZE];
 
-	if (fgets(line, LINESIZE, filep) == (char *) NULL) {
-		return (IMPORT_BAD_FILE);
-	}
-	if ((cp = strtok(line, "\t")) == NULL)
-		return (IMPORT_BAD_FILE);
-	if ((rec = (osa_princ_ent_t)
-		    malloc(sizeof (osa_princ_ent_rec))) == NULL)
-		return (ENOMEM);
-	memset(rec, 0, sizeof (osa_princ_ent_rec));
-	if ((ret = krb5_parse_name(kcontext, cp, &princ)))
-		goto done;
-	krb5_unparse_name(kcontext, princ, &current);
-	if ((cp = strtok((char *) NULL, "\t")) == NULL) {
-		com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-		ret = IMPORT_FAILED;
-		goto done;
-	} else {
-		if (strcmp(cp, "")) {
-			if ((rec->policy = (char *)
-					malloc(strlen(cp) + 1)) == NULL) {
-				ret = ENOMEM;
-				goto done;
-			}
-			strcpy(rec->policy, cp);
-		} else
-			rec->policy = NULL;
-	}
-	if ((cp = strtok((char *) NULL, "\t")) == NULL) {
-		com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-		ret = IMPORT_FAILED;
+    if (fgets(line, LINESIZE, filep) == (char *) NULL) {
+	 return IMPORT_BAD_FILE;
+    }
+    if((cp = nstrtok(line, "\t")) == NULL)
+	return IMPORT_BAD_FILE;
+    if((rec = (osa_princ_ent_t) malloc(sizeof(osa_princ_ent_rec))) == NULL)
+	return ENOMEM;
+    memset(rec, 0, sizeof(osa_princ_ent_rec));
+    if((ret = krb5_parse_name(kcontext, cp, &princ))) 
+	goto done;
+    krb5_unparse_name(kcontext, princ, &current);
+    if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+	com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+	ret =  IMPORT_FAILED;
+	goto done;
+    } else {
+	if(strcmp(cp, "")) {
+	    if((rec->policy = (char *) malloc(strlen(cp)+1)) == NULL)  {
+		ret = ENOMEM;
 		goto done;
-	}
-	rec->aux_attributes = strtol(cp, (char **) NULL, 16);
-	if ((cp = strtok((char *) NULL, "\t")) == NULL) {
-		com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-		ret = IMPORT_FAILED;
-		goto done;
-	}
-	rec->old_key_len = atoi(cp);
-	if ((cp = strtok((char *) NULL, "\t")) == NULL) {
-		com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-		ret = IMPORT_FAILED;
-		goto done;
-	}
-	rec->old_key_next = atoi(cp);
-	if ((cp = strtok((char *) NULL, "\t")) == NULL) {
-		com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
-		ret = IMPORT_FAILED;
-		goto done;
-	}
-	rec->admin_history_kvno = atoi(cp);
-	if (!rec->old_key_len) {
-		rec->old_keys = NULL;
-	} else {
-		if (!(rec->old_keys = (osa_pw_hist_ent *)
-			malloc(sizeof (osa_pw_hist_ent) * rec->old_key_len))) {
-			ret = ENOMEM;
-			goto done;
-		}
-		memset(rec->old_keys, 0,
-		    sizeof (osa_pw_hist_ent) * rec->old_key_len);
-		for (x = 0; x < rec->old_key_len; x++)
-			parse_pw_hist_ent(current, &rec->old_keys[x]);
-	}
+	    }
+	    strcpy(rec->policy, cp);
+	} else rec->policy = NULL;
+    }
+    if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+	com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+	ret = IMPORT_FAILED;
+	goto done;
+    }
+    rec->aux_attributes = strtol(cp, (char  **)NULL, 16);
+    if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+	com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+	ret = IMPORT_FAILED;
+	goto done;
+    }
+    rec->old_key_len = atoi(cp);
+    if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+	com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+	ret = IMPORT_FAILED;
+	goto done;
+    }
+    rec->old_key_next = atoi(cp);
+    if((cp = nstrtok((char *) NULL, "\t")) == NULL) {
+	com_err(NULL, IMPORT_BAD_RECORD, "%s", current);
+	ret = IMPORT_FAILED;
+	goto done;
+    }
+    rec->admin_history_kvno = atoi(cp);
+    if (! rec->old_key_len) {
+       rec->old_keys = NULL;
+    } else {
+       if(!(rec->old_keys = (osa_pw_hist_ent *)
+	    malloc(sizeof(osa_pw_hist_ent) * rec->old_key_len))) {
+	  ret = ENOMEM;
+	  goto done;
+       }
+       memset(rec->old_keys,0,
+	      sizeof(osa_pw_hist_ent) * rec->old_key_len);
+       for(x = 0; x < rec->old_key_len; x++)
+	    parse_pw_hist_ent(current, &rec->old_keys[x]);
+    }
 
-	xdralloc_create(&xdrs, XDR_ENCODE);
-	if (!xdr_osa_princ_ent_rec(&xdrs, rec)) {
-		xdr_destroy(&xdrs);
-		ret = OSA_ADB_XDR_FAILURE;
-		goto done;
-	}
-	tl_data.tl_data_type = KRB5_TL_KADM_DATA;
-	tl_data.tl_data_length = xdr_getpos(&xdrs);
-	tl_data.tl_data_contents = (krb5_octet *) xdralloc_getdata(&xdrs);
+    xdralloc_create(&xdrs, XDR_ENCODE);
+    if (! xdr_osa_princ_ent_rec(&xdrs, rec)) {
+	 xdr_destroy(&xdrs);
+	 ret = OSA_ADB_XDR_FAILURE;
+	 goto done;
+    }
+
+    tl_data.tl_data_type = KRB5_TL_KADM_DATA;
+    tl_data.tl_data_length = xdr_getpos(&xdrs);
+    tl_data.tl_data_contents = (krb5_octet *) xdralloc_getdata(&xdrs);
 
-	one = 1;
-	ret = krb5_db_get_principal(kcontext, princ, &kdb, &one,
-	    &more);
-	if (ret)
-		goto done;
+    one = 1;
+    ret = krb5_db_get_principal(kcontext, princ, &kdb, &one, &more);
+    if (ret)
+	 goto done;
+    
+    ret = krb5_dbe_update_tl_data(kcontext, &kdb, &tl_data);
+    if (ret)
+	 goto done;
 
-	if (ret = krb5_dbe_update_tl_data(kcontext, &kdb,
-		&tl_data))
-		goto done;
+    ret = krb5_db_put_principal(kcontext, &kdb, &one);
+    if (ret)
+	 goto done;
 
-	if (ret = krb5_db_put_principal(kcontext, &kdb, &one))
-		goto done;
+    xdr_destroy(&xdrs);
 
-	xdr_destroy(&xdrs);
-
-	(*linenop)++;
+    (*linenop)++;
 
 done:
-	free(current);
-	krb5_free_principal(kcontext, princ);
-	osa_free_princ_ent(rec);
-	return (ret);
+    free(current);
+    krb5_free_principal(kcontext, princ);
+    osa_free_princ_ent(rec);
+    return ret;
 }
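Review bot: The hex-decoding loop in parse_pw_hist_ent trusts the length read from the dump file: `cp = strchr(cp, ' ') + 1` is never checked, so a record that carries fewer bytes than `key_data_length[0]` claims leaves `cp` at an invalid address for the next `sscanf`. The loop should fail with IMPORT_BAD_RECORD when the separator is missing, as sketched below. In process_ov_principal a similar gap exists at `done:`: a `krb5_parse_name` failure jumps there before `current` and `princ` are assigned, so `free(current)` and `krb5_free_principal` act on uninitialised pointers; initialising both to NULL at declaration would cover it (confirm krb5_free_principal accepts NULL in this tree). The return value of `parse_pw_hist_ent` is also ignored in the `old_keys` loop, so a bad history entry does not fail the record.

```c
	  for(j = 0; j < key_data->key_data_length[0]; j++) {
	       /* cp is NULL once the record has run out of hex bytes */
	       if(cp == NULL || sscanf(cp, "%02x", &tmp) != 1) {
		    /* … unchanged: report IMPORT_BAD_RECORD, goto done … */
	       }
	       key_data->key_data_contents[0][j] = tmp;
	       cp = strchr(cp, ' ');
	       if(cp != NULL)
		    cp++;
	  }
```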
--- a/usr/src/cmd/krb5/kadmin/dbutil/string_table.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/string_table.c	Sat Oct 07 13:37:05 2006 -0700
@@ -20,18 +20,9 @@
 
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/kadmin/\
- * dbutil/string_table.c,v 1.3 1996/08/05 18:38:26 bjaspan Exp $
+ * 
  */
 
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/"
-	".cvsroot/src/kadmin/dbutil/string_table.c,v 1.3 "
-	"1996/08/05 18:38:26 bjaspan Exp $";
-
-#endif
-
 /* String table of messages for kadm5_create */
 /*
  * I18n HACK. We define gettext(s) to be s so that we can extract the
@@ -41,9 +32,6 @@
 
 #define	gettext(s) s
 
-char *str_INITING_KCONTEXT =
-gettext("while initializing the kerberos context");
-
 char *str_PARSE_NAME = gettext("while parsing admin principal name.");
 
 char *str_HISTORY_PARSE_NAME =
@@ -115,7 +103,7 @@
 
 char *str_INIT_KDB = gettext("while initializing kdb.");
 
-char *str_NO_KDB =
+char *str_NO_KDB = 
 gettext("while initializing kdb.\nThe Kerberos KDC database "
 	"needs to exist in /krb5.\nIf you haven't run "
 	"kdb5_create you need to do so before running this command.");
@@ -124,14 +112,14 @@
 char *str_INIT_RANDOM_KEY =
 gettext("while initializing random key generator.");
 
-char *str_TOO_MANY_ADMIN_PRINC =
+char *str_TOO_MANY_ADMIN_PRINC = 
 gettext("while fetching admin princ. Can only have one admin principal.");
 
-char *str_TOO_MANY_CHANGEPW_PRINC =
+char *str_TOO_MANY_CHANGEPW_PRINC = 
 gettext("while fetching changepw princ. "
 	"Can only have one changepw principal.");
 
-char *str_TOO_MANY_HIST_PRINC =
+char *str_TOO_MANY_HIST_PRINC = 
 gettext("while fetching history princ. "
 	"Can only have one history principal.");
 
--- a/usr/src/cmd/krb5/kadmin/dbutil/string_table.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/string_table.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #ifndef _STRING_TABLE_H
@@ -38,8 +38,7 @@
  */
 
 #ifndef _OVSEC_ADM_STRINGS_
-
-extern char *str_INITING_KCONTEXT;
+ 
 extern char *str_PARSE_NAME;
 extern char *str_HISTORY_PARSE_NAME;
 extern char *str_ADMIN_PRINC_EXISTS;
@@ -68,8 +67,8 @@
 extern char *str_TOO_MANY_CHANGEPW_PRINC;
 extern char *str_TOO_MANY_HIST_PRINC;
 extern char *str_WHILE_DESTROYING_ADMIN_SESSION;
-
-#endif			   /* _OVSEC_ADM_STRINGS_ */
+ 
+#endif /* _OVSEC_ADM_STRINGS_ */
 
 #ifdef	__cplusplus
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/krb5/kadmin/dbutil/strtok.c	Sat Oct 07 13:37:05 2006 -0700
@@ -0,0 +1,107 @@
+/*
+ * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
+ *
+ */
+
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that: (1) source distributions retain this entire copyright
+ * notice and comment, and (2) distributions including binaries display
+ * the following acknowledgement:  ``This product includes software
+ * developed by the University of California, Berkeley and its contributors''
+ * in the documentation or other materials provided with the distribution
+ * and in all advertising materials mentioning features or use of this
+ * software. Neither the name of the University nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+#include <stddef.h>
+#include <string.h>
+#include "nstrtok.h"
+
+/*
+ * Function: nstrtok
+ * 
+ * Purpose: the same as strtok ... just different. does not deal with
+ *	    multiple tokens in row.
+ *
+ * Arguments:
+ *	s	    (input) string to scan
+ *	delim	    (input) list of delimiters
+ * 	<return value> string or null on error.
+ *
+ * Requires:
+ *	nuttin
+ * 
+ * Effects:
+ *	sets last to string
+ *
+ * Modifies:
+ *	last
+ * 
+ */
+
+char *
+nstrtok(s, delim)
+	register char *s;
+	register const char *delim;
+{
+	register const char *spanp;
+	register int c, sc;
+	char *tok;
+	static char *last;
+
+
+	if (s == NULL && (s = last) == NULL)
+		return (NULL);
+
+	/*
+	 * Skip (span) leading delimiters (s += strspn(s, delim), sort of).
+	 */
+#ifdef OLD	 
+cont:
+	c = *s++;
+	for (spanp = delim; (sc = *spanp++) != 0;) {
+		if (c == sc)
+			goto cont;
+	}
+
+	if (c == 0) {		/* no non-delimiter characters */
+		last = NULL;
+		return (NULL);
+	}
+	tok = s - 1;
+#else
+	tok = s;
+#endif	
+
+	/*
+	 * Scan token (scan for delimiters: s += strcspn(s, delim), sort of).
+	 * Note that delim must have one NUL; we stop if we see that, too.
+	 */
+	for (;;) {
+		c = *s++;
+		spanp = delim;
+		do {
+			if ((sc = *spanp++) == c) {
+				if (c == 0)
+					s = NULL;
+				else
+					s[-1] = 0;
+				last = s;
+				return (tok);
+			}
+		} while (sc != 0);
+	}
+	/* NOTREACHED */
+}
+
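Review bot: The header comment for nstrtok does not say what actually differs from strtok, and "does not deal with multiple tokens in row" is easy to misread. With `OLD` undefined the leading-delimiter skip is compiled out (`tok = s;`), so adjacent delimiters produce empty-string tokens rather than being collapsed. The function also overwrites each delimiter in `s` with NUL and keeps its position in the function-static `last`, so it is not reentrant and two interleaved scans will corrupt each other. I would reword the Purpose line to `like strtok, but consecutive delimiters yield empty tokens; modifies s in place and keeps scan state in a static (not reentrant)`. The dead `#ifdef OLD` branch could be dropped.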
--- a/usr/src/cmd/krb5/kadmin/dbutil/util.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/dbutil/util.c	Sat Oct 07 13:37:05 2006 -0700
@@ -28,7 +28,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- *
+ * 
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -36,18 +36,21 @@
  * this permission notice appear in supporting documentation, and that
  * the name of M.I.T. not be used in advertising or publicity pertaining
  * to distribution of the software without specific, written prior
- * permission.  M.I.T. makes no representations about the suitability of
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
+ * 
  * Utilities for kdb5_edit.
- *
+ * 
  * Some routines derived from code contributed by the Sandia National
  * Laboratories.  Sandia National Laboratories also makes no
  * representations about the suitability of the modifications, or
  * additions to this software for any purpose.  It is provided "as is"
  * without express or implied warranty.
- *
+ * 
  */
 
 #define KDB5_DISPATCH
@@ -71,7 +74,6 @@
 #define krb5_dbm_db_close_database krb5_db_close_database
 #define krb5_dbm_db_open_database krb5_db_open_database
 
-#include <kadm5/admin.h>
 #include "./kdb5_edit.h"
 
 #ifndef HAVE_STRSTR
@@ -80,117 +82,117 @@
 char *s1;
 char *s2;
 {
-	int s2len;
-	int i;
-	char *temp_ptr;
+   int s2len;
+   int i;
+   char *temp_ptr;
 
-	temp_ptr = s1;
-	for (i = 0; i < strlen(s1); i++) {
-		if (memcmp(temp_ptr, s2, strlen(s2)) == 0)
-			return (temp_ptr);
-		temp_ptr += 1;
-	}
-	return ((char *) 0);
+   temp_ptr = s1;
+   for ( i = 0; i < strlen(s1); i++) {
+        if (memcmp(temp_ptr, s2, strlen(s2)) == 0) return(temp_ptr);
+        temp_ptr += 1;
+   }
+   return ((char *) 0);
 }
-
-#endif			   /* HAVE_STRSTR */
+#endif	/* HAVE_STRSTR */
 
 void
 parse_token(token_in, must_be_first_char, num_tokens, tokens_out)
 char *token_in;
-int *must_be_first_char;
-int *num_tokens;
+int  *must_be_first_char;
+int  *num_tokens;
 char *tokens_out;
 {
-	int i, j;
-	int token_count = 0;
+    int i, j;
+    int token_count = 0;
 
-	i = 0;
-	j = 0;
+    i = 0;
+    j = 0;
 
 	/* Eliminate Up Front Asterisks */
-	*must_be_first_char = 1;
-	for (i = 0; token_in[i] == '*'; i++) {
-		*must_be_first_char = 0;
-	}
+    *must_be_first_char = 1;
+    for (i = 0; token_in[i] == '*'; i++) {
+	*must_be_first_char = 0;
+    }
 
-	if (i == strlen(token_in)) {
-		*num_tokens = 0;
-		return;
-	}
+    if (i == strlen(token_in)) {
+	*num_tokens = 0;
+	return;
+    }
+
 	/* Fill first token_out */
-	token_count++;
-	while ((token_in[i] != '*') && (token_in[i] != '\0')) {
-		tokens_out[j] = token_in[i];
-		j++;
-		i++;
-	}
+    token_count++;
+    while ((token_in[i] != '*') && (token_in[i] != '\0')) {
+	tokens_out[j] = token_in[i];
+        j++;
+	i++;
+    }
 
-	if (i == strlen(token_in)) {
-		tokens_out[j] = '\0';
-		*num_tokens = token_count;
-		return;
-	}
+    if (i == strlen(token_in)) {
+	tokens_out[j] = '\0';
+	*num_tokens = token_count;
+	return;
+    }
+
 	/* Then All Subsequent Tokens */
-	while (i < strlen(token_in)) {
-		if (token_in[i] == '*') {
-			token_count++;
-			tokens_out[j] = '\t';
-		} else {
-			tokens_out[j] = token_in[i];
-		}
-		i++;
-		j++;
+    while (i < strlen(token_in)) {
+	if (token_in[i] == '*') {
+	   token_count++;
+	   tokens_out[j] = '\t';
+	} else {
+	   tokens_out[j] = token_in[i];
 	}
-	tokens_out[j] = '\0';
+	i++;
+	j++;
+    }
+    tokens_out[j] = '\0';
 
-	if (tokens_out[j - 1] == '\t') {
-		token_count--;
-		tokens_out[j - 1] = '\0';
-	}
-	*num_tokens = token_count;
+    if (tokens_out[j - 1] == '\t') {
+	token_count--;
+	tokens_out[j - 1] = '\0';
+    }
+
+    *num_tokens = token_count;
+    return;
 }
 
 int
-check_for_match(search_field, must_be_first_character, chk_entry,
-    num_tokens, type)
+check_for_match(search_field, must_be_first_character, chk_entry, 
+		num_tokens, type)
 int must_be_first_character;
 char *search_field;
 krb5_db_entry *chk_entry;
 int num_tokens;
 int type;
 {
-	char token1[256];
-	char *found1;
-	char token2[256];
-	char *found2;
-	char token3[256];
-	char *found3;
-	char *local_entry;
+    char token1[256];
+    char *found1;
+    char token2[256];
+    char *found2;
+    char token3[256];
+    char *found3;
+    char *local_entry;
 
-	local_entry = chk_entry->princ->data[type].data;
+    local_entry = chk_entry->princ->data[type].data;
 
-	token1[0] = token2[0] = token3[0] = '\0';
+    token1[0] = token2[0] = token3[0] = '\0';
 
-	(void) sscanf(search_field, "%s\t%s\t%s", token1, token2, token3);
+    (void) sscanf(search_field, "%s\t%s\t%s", token1, token2, token3);
 
-	found1 = strstr(local_entry, token1);
+    found1 = strstr(local_entry, token1);
 
-	if (must_be_first_character && (found1 != local_entry))
-		return (0);
+    if (must_be_first_character && (found1 != local_entry)) return(0);
 
-	if (found1 && (num_tokens == 1))
-		return (1);
+    if (found1 && (num_tokens == 1)) return(1);
 
-	if (found1 && (num_tokens > 1)) {
-		found2 = strstr(local_entry, token2);
-		if (found2 && (found2 > found1) && (num_tokens == 2))
-			return (1);
-	}
-	if ((found2 > found1) && (num_tokens == 3)) {
-		found3 = strstr(local_entry, token3);
-		if (found3 && (found3 > found2) && (found2 > found1))
-			return (1);
-	}
-	return (0);
+    if (found1 && (num_tokens > 1)) {
+	found2 = strstr(local_entry, token2);
+	if (found2 && (found2 > found1) && (num_tokens == 2)) return(1);
+    }
+
+    if ((found2 > found1) && (num_tokens == 3)) {
+	found3 = strstr(local_entry, token3);
+       	if (found3 && (found3 > found2) && (found2 > found1)) return(1);
+    }
+    return(0);
 }
+
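Review bot: The unbounded `%s` conversions in check_for_match's `sscanf(search_field, "%s\t%s\t%s", token1, token2, token3)` write into 256-byte stack arrays, so any pattern field of 256 or more characters overruns them. The re-indentation leaves this as it was; each conversion should carry a width, `(void) sscanf(search_field, "%255s\t%255s\t%255s", token1, token2, token3);`. Separately, `found2` is read in `if ((found2 > found1) && (num_tokens == 3))` without having been assigned whenever the preceding `if (found1 && (num_tokens > 1))` is not taken. Declaring it as `char *found2 = NULL;` removes the indeterminate read. parse_token in the same hunk also copies into `tokens_out` with no length, so the caller's buffer size (not visible here) should be checked against `strlen(token_in) + 1`.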
--- a/usr/src/cmd/krb5/kadmin/kpasswd/Makefile	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/Makefile	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -29,7 +29,7 @@
 	-I$(SRC)/lib/krb5 \
 	-DHAVE_LIBSOCKET=1 -DHAVE_LIBNSL=1 -DHAVE_UNISTD_H=1 \
 	-DHAVE_SYS_TIMEB_H=1 -DHAVE_ALLOCA_H=1 -DHAVE_FTIME=1 \
-	-DHAVE_TIMEZONE -DUSE_KADM5_API_VERSION=1
+	-DHAVE_TIMEZONE -DUSE_KADM5_API_VERSION=2
 
 COPTFLAG += $(XESS) #-I$(KINCDIR) 
 
--- a/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -25,21 +25,21 @@
 
 /*
  * Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header: /cvs/krbdev/krb5/src/kadmin/passwd/kpasswd.c,v 1.24 1997/02/20\
- * 06:12:57 probe Exp $
+ * 
+ * $Header: /cvs/krbdev/krb5/src/kadmin/passwd/kpasswd.c,v 1.25 2001/02/26 18:22:08 epeisach Exp $
  *
  *
  */
 
-static char rcsid[] = "$Id: kpasswd.c,v 1.24 1997/02/20 "
-                      "06:12:57 probe Exp $";
+static char rcsid[] = "$Id: kpasswd.c,v 1.25 2001/02/26 18:22:08 epeisach Exp $";
 
 #include <kadm5/admin.h>
 #include <krb5.h>
 
 #include "kpasswd_strings.h"
-#define	string_text error_message
+#define string_text error_message
+
+#include "kpasswd.h"
 
 #include <stdio.h>
 #include <pwd.h>
@@ -52,7 +52,7 @@
 extern long read_old_password();
 extern long read_new_password();
 
-#define	MISC_EXIT_STATUS 6
+#define MISC_EXIT_STATUS 6
 
 /*
  * Function: kpasswd
@@ -67,7 +67,7 @@
  *	read_new_password (f) function to read new and change password
  *	display_intro_message (f) function to display intro message
  *	whoami		(extern) argv[0]
- *
+ *	
  * Returns:
  *                      exit status of 0 for success
  *			1 principal unknown
@@ -77,10 +77,10 @@
  *                      5 password not typed
  *                      6 misc error
  *                      7 incorrect usage
- *
+ *      
  * Requires:
  *	Passwords cannot be more than 255 characters long.
- *
+ *      
  * Effects:
  *
  * If argc is 2, the password for the principal specified in argv[1]
@@ -93,7 +93,7 @@
  * read_new_password is called to read the new password and change the
  * principal's password (presumably ovsec_kadm_chpass_principal).
  * admin system is de-initialized before the function returns.
- *
+ *      
  * Modifies:
  *
  * Changes the principal's password.
@@ -101,129 +101,113 @@
  */
 int
 kpasswd(context, argc, argv)
-krb5_context context;
-int argc;
-char *argv[];
+   krb5_context context;
+   int argc;
+   char *argv[];
 {
-	kadm5_ret_t code;
-	krb5_ccache ccache = NULL;
-	krb5_principal princ = 0;
-	char *princ_str;
-	struct passwd *pw = 0;
-	int pwsize;
-	char password[255];	/* I don't really like 255 */
-				/* but that's what kinit uses */
-	char msg_ret[1024], admin_realm[1024];
-	kadm5_principal_ent_rec principal_entry;
-	kadm5_policy_ent_rec policy_entry;
-	void *server_handle;
-	kadm5_config_params params;
-	char *cpw_service;
+  kadm5_ret_t code;
+  krb5_ccache ccache = NULL;
+  krb5_principal princ = 0;
+  char *princ_str;
+  struct passwd *pw = 0;
+  unsigned int pwsize;
+  char password[255];  /* I don't really like 255 but that's what kinit uses */
+  char msg_ret[1024], admin_realm[1024];
+  kadm5_principal_ent_rec principal_entry;
+  kadm5_policy_ent_rec policy_entry;
+  void *server_handle;
+  kadm5_config_params params;
+  char *cpw_service;
 
 	memset((char *)&params, 0, sizeof (params));
 	memset(&principal_entry, 0, sizeof (principal_entry));
 	memset(&policy_entry, 0, sizeof (policy_entry));
 
-	if (argc > 2) {
-		com_err(whoami, KPW_STR_USAGE, 0);
-		return (7);
-		/* NOTREACHED */
+  if (argc > 2) {
+      com_err(whoami, KPW_STR_USAGE, 0);
+      return(7);
+      /*NOTREACHED*/
+    }
+
+  /************************************
+   *  Get principal name to change    * 
+   ************************************/
+
+  /* Look on the command line first, followed by the default credential
+     cache, followed by defaulting to the Unix user name */
+
+  if (argc == 2)
+    princ_str = strdup(argv[1]);
+  else {
+    code = krb5_cc_default(context, &ccache);
+    /* If we succeed, find who is in the credential cache */
+    if (code == 0) {
+      /* Get default principal from cache if one exists */
+      code = krb5_cc_get_principal(context, ccache, &princ);
+      /* if we got a principal, unparse it, otherwise get out of the if
+	 with an error code */
+      (void) krb5_cc_close(context, ccache);
+      if (code == 0) {
+	code = krb5_unparse_name(context, princ, &princ_str);
+	if (code != 0) {
+	  com_err(whoami,  code, string_text(KPW_STR_UNPARSE_NAME));
+	  return(MISC_EXIT_STATUS);
 	}
-	/*
-	 *  Get principal name to change
-	 */
+      }
+    }
 
-	/*
-	 * Look on the command line first, followed by the default
-	 * credential cache, followed by defaulting to the Unix user name
-	 */
+    /* this is a crock.. we want to compare against */
+    /* "KRB5_CC_DOESNOTEXIST" but there is no such error code, and */
+    /* both the file and stdio types return FCC_NOFILE.  If there is */
+    /* ever another ccache type (or if the error codes are ever */
+    /* fixed), this code will have to be updated. */
+    if (code && code != KRB5_FCC_NOFILE) {
+      com_err(whoami, code, string_text(KPW_STR_WHILE_LOOKING_AT_CC));
+      return(MISC_EXIT_STATUS);
+    }
 
-	if (argc == 2)
-		princ_str = strdup(argv[1]);
-	else {
-		code = krb5_cc_default(context, &ccache);
-		/* If we succeed, find who is in the credential cache */
-		if (code == 0) {
-			/* Get default principal from cache if one exists */
-			code = krb5_cc_get_principal(context, ccache, &princ);
-			/*
-			 * if we got a principal, unparse it, otherwise get
-			 * out of the if with an error code
-			 */
-			(void) krb5_cc_close(context, ccache);
-			if (code == 0) {
-				code = krb5_unparse_name(context,
-							princ, &princ_str);
-				if (code != 0) {
-					com_err(whoami, code,
-						string_text(
-							KPW_STR_UNPARSE_NAME));
-					return (MISC_EXIT_STATUS);
-				}
-			}
-		}
-		/* this is a crock.. we want to compare against */
-		/*
-		 * "KRB5_CC_DOESNOTEXIST" but there is no such error code,
-		 * and
-		 */
-		/*
-		 * both the file and stdio types return FCC_NOFILE.  If
-		 * there is
-		 */
-		/* ever another ccache type (or if the error codes are ever */
-		/* fixed), this code will have to be updated. */
-		if (code && code != KRB5_FCC_NOFILE) {
-			com_err(whoami, code,
-				string_text(KPW_STR_WHILE_LOOKING_AT_CC));
-			return (MISC_EXIT_STATUS);
-		}
-		/* if either krb5_cc failed check the passwd file */
-		if (code != 0) {
-			pw = getpwuid(getuid());
-			if (pw == NULL) {
-				com_err(whoami, 0,
-				    string_text(KPW_STR_NOT_IN_PASSWD_FILE));
-				return (MISC_EXIT_STATUS);
-			}
-			princ_str = strdup(pw->pw_name);
-		}
-	}
+    /* if either krb5_cc failed check the passwd file */
+    if (code != 0) {
+      pw = getpwuid( getuid());
+      if (pw == NULL) {
+	com_err(whoami, 0, string_text(KPW_STR_NOT_IN_PASSWD_FILE));
+	return(MISC_EXIT_STATUS);
+      }
+      princ_str = strdup(pw->pw_name);
+    }
+  }    
+  
+  display_intro_message(string_text(KPW_STR_CHANGING_PW_FOR), princ_str);
+
+  /* Need to get a krb5_principal, unless we started from with one from
+     the credential cache */
 
-	display_intro_message(string_text(KPW_STR_CHANGING_PW_FOR), princ_str);
-
-	/*
-	 * Need to get a krb5_principal, unless we started from with one
-	 * from the credential cache
-	 */
+  if (! princ) {
+      code = krb5_parse_name (context, princ_str, &princ);
+      if (code != 0) {
+	  com_err(whoami, code, string_text(KPW_STR_PARSE_NAME), princ_str);
+	  free(princ_str);
+	  return(MISC_EXIT_STATUS);
+      }
+  }
+  
+  pwsize = sizeof(password);
+  code = read_old_password(context, password, &pwsize);
 
-	if (!princ) {
-		code = krb5_parse_name(context, princ_str, &princ);
-		if (code != 0) {
-			com_err(whoami, code,
-				string_text(KPW_STR_PARSE_NAME), princ_str);
-			free(princ_str);
-			return (MISC_EXIT_STATUS);
-		}
-	}
-	pwsize = sizeof (password);
-	code = read_old_password(context, password, &pwsize);
-
-	if (code != 0) {
-		memset(password, 0, sizeof (password));
-		com_err(whoami, code,
-			string_text(KPW_STR_WHILE_READING_PASSWORD));
-		krb5_free_principal(context, princ);
-		free(princ_str);
-		return (MISC_EXIT_STATUS);
-	}
-	if (pwsize == 0) {
-		memset(password, 0, sizeof (password));
-		com_err(whoami, 0, string_text(KPW_STR_NO_PASSWORD_READ));
-		krb5_free_principal(context, princ);
-		free(princ_str);
-		return (5);
-	}
+  if (code != 0) {
+    memset(password, 0, sizeof(password));
+    com_err(whoami, code, string_text(KPW_STR_WHILE_READING_PASSWORD));
+    krb5_free_principal(context, princ);
+    free(princ_str);
+    return(MISC_EXIT_STATUS);
+  }
+  if (pwsize == 0) {
+    memset(password, 0, sizeof(password));
+    com_err(whoami, 0, string_text(KPW_STR_NO_PASSWORD_READ));
+    krb5_free_principal(context, princ);
+    free(princ_str);
+    return(5);
+  }
 
 	snprintf(admin_realm, sizeof (admin_realm),
 		krb5_princ_realm(context, princ)->data);
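Review bot: The trailing context statement `snprintf(admin_realm, sizeof (admin_realm), krb5_princ_realm(context, princ)->data);` passes the realm as the format argument, so any `%` in a realm parsed from `argv[1]` or the credential cache is treated as a conversion specification. It should read `snprintf(admin_realm, sizeof (admin_realm), "%s", krb5_princ_realm(context, princ)->data);`. The same non-literal-format pattern appears in `com_err(whoami, 0, msg_ret);` in the next hunk of this file, which would be `com_err(whoami, 0, "%s", msg_ret);`. It also appears in `printf(string_text(KPW_STR_PASSWORD_CHANGED));` in tty_kpasswd.c's main, where `printf("%s", ...)` is enough. kpasswd's body continues outside this hunk.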
@@ -346,23 +330,22 @@
 		}
 	} /* if protocol == KRB5_CHGPWD_RPCSEC */
 
-	pwsize = sizeof (password);
-	code = read_new_password(server_handle, password,
-			 &pwsize, msg_ret, sizeof (msg_ret), princ);
-	memset(password, 0, sizeof (password));
+  pwsize = sizeof(password);
+  code = read_new_password(server_handle, password, &pwsize, msg_ret, sizeof (msg_ret), princ);
+  memset(password, 0, sizeof(password));
 
-	if (code)
-		com_err(whoami, 0, msg_ret);
+  if (code)
+    com_err(whoami, 0, msg_ret);
+
+  krb5_free_principal(context, princ);
+  free(princ_str);
 
-	krb5_free_principal(context, princ);
-	free(princ_str);
-
-	(void) kadm5_destroy(server_handle);
-
-	if (code == KRB5_LIBOS_CANTREADPWD)
-		return (5);
-	else if (code)
-		return (4);
-	else
-		return (0);
+  (void) kadm5_destroy(server_handle);
+  
+  if (code == KRB5_LIBOS_CANTREADPWD)
+     return(5);
+  else if (code)
+     return(4);
+  else
+     return(0);
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd.h	Sat Oct 07 13:37:05 2006 -0700
@@ -0,0 +1,49 @@
+/*
+ * kadmin/passwd/kpasswd.h
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ *
+ * Prototypes for the kpasswd program callback functions.
+ */
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+
+#ifndef __KPASSWD_H__
+#define __KPASSWD_H__
+
+int kpasswd(krb5_context context, int argc, char *argv[]);
+
+long read_old_password(krb5_context context, char *password, 
+		       unsigned int *pwsize);
+
+long read_new_password(void *server_handle, char *password, 
+		       unsigned int *pwsize, char *msg_ret, 
+		       int msg_len, krb5_principal princ);
+
+void display_intro_message(const char *fmt_string, const char *arg_string);
+
+#endif /* __KPASSWD_H__ */
+
+
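Review bot: kpasswd.h uses `krb5_context` and `krb5_principal` in its prototypes but includes nothing that declares them. It only compiles because kpasswd.c and tty_kpasswd.c happen to include `<krb5.h>` before it. Adding `#include <krb5.h>` directly after the guard would make the header self-contained and independent of include order. The guard name `__KPASSWD_H__` is also in the namespace reserved for the implementation; a plain `KPASSWD_H` avoids that.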
--- a/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd_strings.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/kpasswd_strings.h	Sat Oct 07 13:37:05 2006 -0700
@@ -17,33 +17,45 @@
  *
  */
 
+#include <com_err.h>
 
 /*
  * kpasswd_strings.h:
  * This file is automatically generated; please do not edit it.
  */
-#define	KPW_STR_USAGE					(-1767084800L)
-#define	KPW_STR_PRIN_UNKNOWN				(-1767084799L)
-#define	KPW_STR_WHILE_LOOKING_AT_CC			(-1767084798L)
-#define	KPW_STR_OLD_PASSWORD_INCORRECT			(-1767084797L)
-#define	KPW_STR_CANT_OPEN_ADMIN_SERVER			(-1767084796L)
-#define	KPW_STR_NEW_PASSWORD_MISMATCH			(-1767084795L)
-#define	KPW_STR_PASSWORD_CHANGED			(-1767084794L)
-#define	KPW_STR_PASSWORD_NOT_CHANGED			(-1767084793L)
-#define	KPW_STR_PARSE_NAME				(-1767084792L)
-#define	KPW_STR_UNPARSE_NAME				(-1767084791L)
-#define	KPW_STR_NOT_IN_PASSWD_FILE			(-1767084790L)
-#define	KPW_STR_CHANGING_PW_FOR				(-1767084789L)
-#define	KPW_STR_OLD_PASSWORD_PROMPT			(-1767084788L)
-#define	KPW_STR_WHILE_READING_PASSWORD			(-1767084787L)
-#define	KPW_STR_NO_PASSWORD_READ			(-1767084786L)
-#define	KPW_STR_WHILE_TRYING_TO_CHANGE			(-1767084785L)
-#define	KPW_STR_WHILE_DESTROYING_ADMIN_SESSION		(-1767084784L)
-#define	KPW_STR_WHILE_FREEING_PRINCIPAL			(-1767084783L)
-#define	KPW_STR_WHILE_FREEING_POLICY			(-1767084782L)
-#define	KPW_STR_CANT_GET_POLICY_INFO			(-1767084781L)
-#define	KPW_STR_POLICY_EXPLANATION			(-1767084780L)
-#define	ERROR_TABLE_BASE_kpws				(-1767084800L)
+#define KPW_STR_USAGE                            (-1767084800L)
+#define KPW_STR_PRIN_UNKNOWN                     (-1767084799L)
+#define KPW_STR_WHILE_LOOKING_AT_CC              (-1767084798L)
+#define KPW_STR_OLD_PASSWORD_INCORRECT           (-1767084797L)
+#define KPW_STR_CANT_OPEN_ADMIN_SERVER           (-1767084796L)
+#define KPW_STR_NEW_PASSWORD_MISMATCH            (-1767084795L)
+#define KPW_STR_PASSWORD_CHANGED                 (-1767084794L)
+#define KPW_STR_PASSWORD_NOT_CHANGED             (-1767084793L)
+#define KPW_STR_PARSE_NAME                       (-1767084792L)
+#define KPW_STR_UNPARSE_NAME                     (-1767084791L)
+#define KPW_STR_NOT_IN_PASSWD_FILE               (-1767084790L)
+#define KPW_STR_CHANGING_PW_FOR                  (-1767084789L)
+#define KPW_STR_OLD_PASSWORD_PROMPT              (-1767084788L)
+#define KPW_STR_WHILE_READING_PASSWORD           (-1767084787L)
+#define KPW_STR_NO_PASSWORD_READ                 (-1767084786L)
+#define KPW_STR_WHILE_TRYING_TO_CHANGE           (-1767084785L)
+#define KPW_STR_WHILE_DESTROYING_ADMIN_SESSION   (-1767084784L)
+#define KPW_STR_WHILE_FREEING_PRINCIPAL          (-1767084783L)
+#define KPW_STR_WHILE_FREEING_POLICY             (-1767084782L)
+#define KPW_STR_CANT_GET_POLICY_INFO             (-1767084781L)
+#define KPW_STR_POLICY_EXPLANATION               (-1767084780L)
+#define ERROR_TABLE_BASE_kpws (-1767084800L)
 
+extern const struct error_table et_kpws_error_table;
+
+#if !defined(_WIN32)
 /* for compatibility with older versions... */
-#define	kpws_err_base ERROR_TABLE_BASE_kpws
+extern void initialize_kpws_error_table (void) /*@modifies internalState@*/;
+#else
+#define initialize_kpws_error_table()
+#endif
+
+#if !defined(_WIN32)
+#define init_kpws_err_tbl initialize_kpws_error_table
+#define kpws_err_base ERROR_TABLE_BASE_kpws
+#endif
--- a/usr/src/cmd/krb5/kadmin/kpasswd/tty_kpasswd.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/kpasswd/tty_kpasswd.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -25,22 +25,21 @@
 
 /*
  * Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header: /cvs/krbdev/krb5/src/kadmin/passwd/tty_kpasswd.c,v 1.7\
- * 1997/02/20 06:13:01 probe Exp $
+ * 
+ * $Header: /cvs/krbdev/krb5/src/kadmin/passwd/tty_kpasswd.c,v 1.9 2001/02/26 18:22:08 epeisach Exp $
  *
  *
  */
 
-static char rcsid[] = "$Id: tty_kpasswd.c,v 1.7 " 
-                      "1997/02/20 06:13:01 probe Exp $";
+static char rcsid[] = "$Id: tty_kpasswd.c,v 1.9 2001/02/26 18:22:08 epeisach Exp $";
 
 #include <kadm5/admin.h>
 #include <krb5.h>
 
 #include "kpasswd_strings.h"
-#define	string_text error_message
+#define string_text error_message
 
+#include "kpasswd.h"
 #include <stdio.h>
 #include <pwd.h>
 #include <string.h>
@@ -49,39 +48,34 @@
 
 char *whoami;
 
-void
-display_intro_message(fmt_string, arg_string)
-char *fmt_string;
-char *arg_string;
+void display_intro_message(fmt_string, arg_string)
+     const char *fmt_string;
+     const char *arg_string;
 {
-	com_err(whoami, 0, fmt_string, arg_string);
+  com_err(whoami, 0, fmt_string, arg_string);
 }
 
-long
-read_old_password(context, password, pwsize)
-krb5_context context;
-char *password;
-unsigned int *pwsize;
+long read_old_password(context, password, pwsize)
+     krb5_context context;
+     char *password;
+     unsigned int *pwsize;
 {
-	long code = krb5_read_password(context,
+  long code = krb5_read_password(context,
 	    (char *) string_text(KPW_STR_OLD_PASSWORD_PROMPT),
-	    0, password, pwsize);
-
-	return (code);
+			 0, password, pwsize);
+  return code;
 }
 
-long
-read_new_password(server_handle, password, pwsize,
-                 msg_ret, msg_len, princ)
-void *server_handle;
-char *password;
-int *pwsize;
-char *msg_ret;
-int msg_len;
-krb5_principal princ;
+long read_new_password(server_handle, password, pwsize, msg_ret, msg_len, princ)
+     void *server_handle;
+     char *password;
+     unsigned int *pwsize;
+     char *msg_ret;
+     int msg_len;
+     krb5_principal princ;
 {
 	return (kadm5_chpass_principal_util(server_handle, princ, NULL,
-		NULL /* don't need new pw back */,
+					   NULL /* don't need new pw back */,
 		msg_ret, msg_len));
 }
 
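Review bot: read_new_password takes `password` and `pwsize` but never reads or writes either. It forwards only `server_handle`, `princ`, `msg_ret` and `msg_len` to kadm5_chpass_principal_util, with NULL for the new password. The caller in kpasswd.c still sets `pwsize` and wipes `password` around this call, which reads as though the new password travelled through that buffer. A comment on the function would prevent that misreading, for example `/* password and pwsize are unused in the tty front end; the new password is never returned to the caller */`.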
@@ -91,13 +85,13 @@
  */
 int
 main(argc, argv)
-int argc;
-char *argv[];
+     int argc;
+     char *argv[];
 {
-	krb5_context context;
-	int retval;
+  krb5_context context;
+  int retval;
 
-	whoami = (whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0];
+  whoami = (whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0];
 
 	(void) setlocale(LC_ALL, "");
 
@@ -107,15 +101,17 @@
 
 	(void) textdomain(TEXT_DOMAIN);
 
-	if (retval = krb5_init_context(&context)) {
+  retval = krb5_init_context(&context);
+  if (retval) {
 		com_err(whoami, retval, gettext("initializing krb5 context"));
-		exit(retval);
-	}
+       exit(retval);
+  }
 	/* initialize_kpws_error_table(); SUNWresync121 */
-	retval = kpasswd(context, argc, argv);
+
+  retval = kpasswd(context, argc, argv);
 
-	if (!retval)
-		printf(string_text(KPW_STR_PASSWORD_CHANGED));
+  if (!retval)
+    printf(string_text(KPW_STR_PASSWORD_CHANGED));
 
-	exit(retval);
+  exit(retval);
 }
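Review bot: `exit(retval)` after a failed krb5_init_context() hands a krb5 error code to exit(), and only the low 8 bits of that value reach the parent process. A failure can therefore be reported as an arbitrary status, in principle even 0, instead of one of the 0–7 codes documented for kpasswd. I would exit with the fixed misc-error value there, `exit(6);`, since kpasswd.c's `MISC_EXIT_STATUS` macro is not visible in this file. main starts outside this hunk.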
--- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -33,7 +33,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- *
+ * 
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -47,7 +47,7 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
+ * 
  * SS user interface for ktutil.
  */
 
@@ -66,14 +66,12 @@
 krb5_context kcontext;
 krb5_kt_list ktlist = NULL;
 
-int
-main(argc, argv)
-int argc;
-char *argv[];
+int main(argc, argv)
+    int argc;
+    char *argv[];
 {
-	krb5_error_code retval;
-	extern krb5_kt_ops krb5_ktf_writable_ops;
-	int sci_idx;
+    krb5_error_code retval;
+    int sci_idx;
 
 	(void) setlocale(LC_ALL, "");
 
@@ -83,84 +81,75 @@
 
 	(void) textdomain(TEXT_DOMAIN);
 
-	retval = krb5_init_context(&kcontext);
-	if (retval) {
+    retval = krb5_init_context(&kcontext);
+    if (retval) {
 		com_err(argv[0], retval, gettext("while initializing krb5"));
-		exit(1);
-	}
-	retval = krb5_kt_register(kcontext, &krb5_ktf_writable_ops);
-	if (retval) {
-		com_err(argv[0], retval,
-		    gettext("while registering writable key table functions"));
-		exit(1);
-	}
+	exit(1);
+    }
 	retval = ktutil_initialize_cmds_table (&ktutil_cmds);
 	if (retval) {
 		com_err(argv[0], retval,
 		    gettext("while localizing command description messages"));
 		exit(1);
 	}
-	sci_idx = ss_create_invocation("ktutil", "5.0", (char *) NULL,
-	    &ktutil_cmds, &retval);
-	if (retval) {
-		ss_perror(sci_idx, retval, gettext("creating invocation"));
-		exit(1);
-	}
-	ss_listen(sci_idx, &retval);
-	ktutil_free_kt_list(kcontext, ktlist);
-	exit(0);
+    sci_idx = ss_create_invocation("ktutil", "5.0", (char *) NULL,
+				   &ktutil_cmds, &retval);
+    if (retval) {
+	ss_perror(sci_idx, retval, gettext("creating invocation"));
+	exit(1);
+    }
+    retval = ss_listen(sci_idx);
+    ktutil_free_kt_list(kcontext, ktlist);
+    exit(0);
 }
 
-void
-ktutil_clear_list(argc, argv)
-int argc;
-char *argv[];
+void ktutil_clear_list(argc, argv)
+    int argc;
+    char *argv[];
 {
-	krb5_error_code retval;
+    krb5_error_code retval;
 
-	if (argc != 1) {
+    if (argc != 1) {
 		fprintf(stderr, gettext("%s: invalid arguments\n"), argv[0]);
-		return;
-	}
-	retval = ktutil_free_kt_list(kcontext, ktlist);
-	if (retval)
+	return;
+    }
+    retval = ktutil_free_kt_list(kcontext, ktlist);
+    if (retval)
 		com_err(argv[0], retval, gettext("while freeing ktlist"));
-	ktlist = NULL;
+    ktlist = NULL;
 }
 
-void
-ktutil_read_v5(argc, argv)
-int argc;
-char *argv[];
+void ktutil_read_v5(argc, argv)
+    int argc;
+    char *argv[];
 {
-	krb5_error_code retval;
+    krb5_error_code retval;
 
-	if (argc != 2) {
+    if (argc != 2) {
 		fprintf(stderr,
 			gettext("%s: must specify keytab to read\n"), argv[0]);
-		return;
-	}
-	retval = ktutil_read_keytab(kcontext, argv[1], &ktlist);
-	if (retval)
+	return;
+    }
+    retval = ktutil_read_keytab(kcontext, argv[1], &ktlist);
+    if (retval)
 		com_err(argv[0], retval,
 		    gettext("while reading keytab \"%s\""), argv[1]);
 }
 
-void
-ktutil_read_v4(argc, argv)
-int argc;
-char *argv[];
+void ktutil_read_v4(argc, argv)
+    int argc;
+    char *argv[];
 {
 #ifdef KRB5_KRB4_COMPAT
-	krb5_error_code retval;
+    krb5_error_code retval;
 
-	if (argc != 2) {
+    if (argc != 2) {
 		fprintf(stderr,
 		    gettext("%s: must specify the srvtab to read\n"), argv[0]);
-		return;
-	}
-	retval = ktutil_read_srvtab(kcontext, argv[1], &ktlist);
-	if (retval)
+	return;
+    }
+    retval = ktutil_read_srvtab(kcontext, argv[1], &ktlist);
+    if (retval)
 		com_err(argv[0], retval,
 		    gettext("while reading srvtab \"%s\""), argv[1]);
 #else
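Review bot: `retval = ss_listen(sci_idx);` now captures the return value, but nothing reads it: main goes on to free the list and calls `exit(0)` unconditionally, so a failed command loop is still reported as success. Either report it, e.g. `if (retval) ss_perror(sci_idx, retval, gettext("while listening"));` followed by a non-zero exit, or drop the assignment with a `(void)` cast to show the result is deliberately ignored. If ss_listen returns a non-zero code on an ordinary quit (not determinable from this hunk), that value needs to be filtered out first. The return of `ktutil_free_kt_list(kcontext, ktlist)` on the following line is ignored in the same way. main starts in the previous hunk.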
@@ -168,39 +157,37 @@
 #endif
 }
 
-void
-ktutil_write_v5(argc, argv)
-int argc;
-char *argv[];
+void ktutil_write_v5(argc, argv)
+    int argc;
+    char *argv[];
 {
-	krb5_error_code retval;
+    krb5_error_code retval;
 
-	if (argc != 2) {
+    if (argc != 2) {
 		fprintf(stderr,
 		    gettext("%s: must specify keytab to write\n"), argv[0]);
-		return;
-	}
-	retval = ktutil_write_keytab(kcontext, ktlist, argv[1]);
-	if (retval)
+	return;
+    }
+    retval = ktutil_write_keytab(kcontext, ktlist, argv[1]);
+    if (retval)
 		com_err(argv[0], retval,
 		    gettext("while writing keytab \"%s\""), argv[1]);
 }
 
-void
-ktutil_write_v4(argc, argv)
-int argc;
-char *argv[];
+void ktutil_write_v4(argc, argv)
+    int argc;
+    char *argv[];
 {
 #ifdef KRB5_KRB4_COMPAT
-	krb5_error_code retval;
+    krb5_error_code retval;
 
-	if (argc != 2) {
+    if (argc != 2) {
 		fprintf(stderr,
 		    gettext("%s: must specify srvtab to write\n"), argv[0]);
-		return;
-	}
-	retval = ktutil_write_srvtab(kcontext, ktlist, argv[1]);
-	if (retval)
+	return;
+    }
+    retval = ktutil_write_srvtab(kcontext, ktlist, argv[1]);
+    if (retval)
 		com_err(argv[0], retval,
 		    gettext("while writing srvtab \"%s\""), argv[1]);
 #else
@@ -252,108 +239,102 @@
         com_err(argv[0], retval, gettext("while adding new entry"));
 }
 
-void
-ktutil_delete_entry(argc, argv)
-int argc;
-char *argv[];
+void ktutil_delete_entry(argc, argv)
+    int argc;
+    char *argv[];
 {
-	krb5_error_code retval;
+    krb5_error_code retval;
 
-	if (argc != 2) {
-		fprintf(stderr,
-		    gettext("%s: must specify entry to delete\n"), argv[0]);
-		return;
-	}
-	retval = ktutil_delete(kcontext, &ktlist, atoi(argv[1]));
-	if (retval)
-		com_err(argv[0], retval,
+    if (argc != 2) {
+	fprintf(stderr,
+	    gettext("%s: must specify entry to delete\n"), argv[0]);
+	return;
+    }
+    retval = ktutil_delete(kcontext, &ktlist, atoi(argv[1]));
+    if (retval)
+	com_err(argv[0], retval,
 		    gettext("while deleting entry %d"), atoi(argv[1]));
 }
 
-void
-ktutil_list(argc, argv)
-int argc;
-char *argv[];
+void ktutil_list(argc, argv)
+    int argc;
+    char *argv[];
 {
-	krb5_error_code retval;
-	krb5_kt_list lp;
-	struct tm *stime;
-	int show_time = 0, show_keys = 0, show_enctype = 0;
-	int i, j;
-	char *pname;
+    krb5_error_code retval;
+    krb5_kt_list lp;
+    int show_time = 0, show_keys = 0, show_enctype = 0;
+    int i, j;
+    char *pname;
 
-	for (i = 1; i < argc; i++) {
-		if ((strlen(argv[i]) == 2) && strncmp(argv[i], "-t", 2) == 0) {
-			show_time++;
-			continue;
-		}
-		if ((strlen(argv[i]) == 2) && strncmp(argv[i], "-k", 2) == 0) {
-			show_keys++;
-			continue;
-		}
-		if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
-			show_enctype++;
-			continue;
-		}
-		if ((strlen(argv[i]) == 2) &&
-		    (strncmp(argv[i], "-e", 2) == 0)) {
-			show_enctype = 1;
-			continue;
-		}
-		fprintf(stderr, gettext("%s: illegal arguments\n"), argv[0]);
-		return;
+    for (i = 1; i < argc; i++) {
+	if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-t", 2)) {
+	    show_time++;
+	    continue;
 	}
-	if (show_time) {
-		printf(gettext("slot KVNO Timestamp         Principal\n"));
-		printf("---- ---- ----------------- ---------------------------------------------------\n");
-	} else {
-		printf(gettext("slot KVNO Principal\n"));
-		printf("---- ---- ---------------------------------------------------------------------\n");
+	if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
+	    show_keys++;
+	    continue;
+	}
+	if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
+	    show_enctype++;
+	    continue;
 	}
-	for (i = 1, lp = ktlist; lp; i++, lp = lp->next) {
-		retval = krb5_unparse_name(kcontext,
-					    lp->entry->principal, &pname);
-		if (retval) {
-			com_err(argv[0], retval,
-				gettext("while unparsing principal name"));
-			return;
-		}
-		printf("%4d %4d ", i, lp->entry->vno);
-		if (show_time) {
-			char fmtbuf[18];
-			char fill;
 
-			stime = localtime((time_t *) & lp->entry->timestamp);
-			fill = ' ';
-			if (!krb5_timestamp_to_sfstring(
-				(krb5_timestamp) lp->entry->timestamp,
-				fmtbuf,
-				sizeof (fmtbuf),
-				&fill))
-			    printf("%s ", fmtbuf);
+	fprintf(stderr, "%s: %s [-t] [-k] [-e]\n", gettext("usage"), argv[0]);
+	return;
+    }
+    if (show_time) {
+	printf(gettext("slot KVNO Timestamp         Principal\n"));
+	printf("---- ---- ----------------- ---------------------------------------------------\n");
+    } else {
+	printf(gettext("slot KVNO Principal\n"));
+	printf("---- ---- ---------------------------------------------------------------------\n");
+    }
+    for (i = 1, lp = ktlist; lp; i++, lp = lp->next) {
+	retval = krb5_unparse_name(kcontext, lp->entry->principal, &pname);
+	if (retval) {
+	    com_err(argv[0], retval,
+	    gettext("while unparsing principal name"));
+	    return;
+	}
+	printf("%4d %4d ", i, lp->entry->vno);
+	if (show_time) {
+	    char fmtbuf[18];
+	    char fill;
+	    time_t tstamp;
+
+	    (void) localtime(&tstamp);
+	    lp->entry->timestamp = tstamp;
+	    fill = ' ';
+	    if (!krb5_timestamp_to_sfstring((krb5_timestamp)lp->entry->
+					    	timestamp,
+					    fmtbuf,
+					    sizeof(fmtbuf),
+					    &fill))
+		printf("%s ", fmtbuf);
+	}
+	printf("%40s", pname);
+	if (show_enctype) {
+	    static char buf[256];
+		if ((retval = krb5_enctype_to_string(
+		    lp->entry->key.enctype, buf, 256))) {
+		    com_err(argv[0], retval,
+		    gettext("While converting "
+		    "enctype to string"));
+		    return;
 		}
-		printf("%40s", pname);
-		if (show_enctype) {
-			static char buf[256];
-
-			if ((retval = krb5_enctype_to_string(
-				    lp->entry->key.enctype, buf, 256))) {
-				com_err(argv[0], retval,
-					gettext("While converting "
-						"enctype to string"));
-				return;
-			}
-			printf(" (%s) ", buf);
-		}
-		if (show_keys) {
-			printf(" (0x");
-			for (j = 0; j < lp->entry->key.length; j++)
-				printf("%02x", lp->entry->key.contents[j]);
-			printf(")");
-		}
-		printf("\n");
-		krb5_xfree(pname);
+	    printf(" (%s) ", buf);
 	}
+	
+	if (show_keys) {
+	    printf(" (0x");
+	    for (j = 0; j < lp->entry->key.length; j++)
+		printf("%02x", lp->entry->key.contents[j]);
+	    printf(")");
+	}
+	printf("\n");
+	krb5_xfree(pname);
+    }
 }
 
 
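Review bot: In the `show_time` branch of `ktutil_list`, `tstamp` is never assigned before `localtime(&tstamp)` reads it, and the next line, `lp->entry->timestamp = tstamp;`, stores that indeterminate value back into the keylist entry. The listed time is therefore not the entry's own, and the in-memory entry is modified by what should be a read-only listing; presumably a later `write_kt` would persist the altered timestamp. The removed code only read `lp->entry->timestamp`, and `krb5_timestamp_to_sfstring` already takes that field directly, so I would drop `time_t tstamp;`, `(void) localtime(&tstamp);` and `lp->entry->timestamp = tstamp;` entirely.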
--- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h	Sat Oct 07 13:37:05 2006 -0700
@@ -28,7 +28,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- *
+ * 
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -42,49 +42,54 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
+ * 
  */
 
 typedef struct _krb5_kt_list {
-	struct _krb5_kt_list *next;
-	krb5_keytab_entry *entry;
+    struct _krb5_kt_list *next;
+    krb5_keytab_entry *entry;
 } *krb5_kt_list;
 
-krb5_error_code ktutil_free_kt_list
-(krb5_context,
-	krb5_kt_list);
+krb5_error_code ktutil_free_kt_list (krb5_context, krb5_kt_list);
 
-krb5_error_code ktutil_delete
-(krb5_context,
-	krb5_kt_list *,
-	int);
+krb5_error_code ktutil_delete (krb5_context, krb5_kt_list *, int);
 
-krb5_error_code ktutil_add
-	(krb5_context,
-			krb5_kt_list *,
-			char *,
-			krb5_kvno,
-			char *,
-			int);
+krb5_error_code ktutil_add (krb5_context,
+			    krb5_kt_list *,
+			    char *,
+			    krb5_kvno,
+			    char *,
+			    int);
 
-krb5_error_code ktutil_read_keytab
-(krb5_context,
-	char *,
-	krb5_kt_list *);
+krb5_error_code ktutil_read_keytab (krb5_context,
+				    char *,
+				    krb5_kt_list *);
 
-krb5_error_code ktutil_write_keytab
-(krb5_context,
-	krb5_kt_list,
-	char *);
+krb5_error_code ktutil_write_keytab (krb5_context,
+				     krb5_kt_list,
+				     char *);
 
 #ifdef KRB5_KRB4_COMPAT
-krb5_error_code ktutil_read_srvtab
-(krb5_context,
-	char *,
-	krb5_kt_list *);
-krb5_error_code ktutil_write_srvtab
-(krb5_context,
-	krb5_kt_list,
-	char *);
+krb5_error_code ktutil_read_srvtab (krb5_context,
+				    char *,
+				    krb5_kt_list *);
+krb5_error_code ktutil_write_srvtab (krb5_context,
+				     krb5_kt_list,
+				     char *);
+#endif
+
+void ktutil_add_entry (int, char *[]);
+
+void ktutil_clear_list (int, char *[]);
 
-#endif
+void ktutil_read_v5 (int, char *[]);
+
+void ktutil_read_v4 (int, char *[]);
+
+void ktutil_write_v5 (int, char *[]);
+
+void ktutil_write_v4 (int, char *[]);
+
+void ktutil_delete_entry (int, char *[]);
+
+void ktutil_list (int, char *[]);
--- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil_ct.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil_ct.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -38,116 +38,116 @@
 #define	gettext(s) s
 
 #ifndef __STDC__
-#define	const
+#define const
 #endif
 
-static char const *const ssu00001[] = {
-	"clear_list",
-	"clear",
-	(char const *) 0
+static char const * const ssu00001[] = {
+"clear_list",
+    "clear",
+    (char const *)0
 };
 extern void ktutil_clear_list __SS_PROTO;
-static char const *const ssu00002[] = {
-	"read_kt",
-	"rkt",
-	(char const *) 0
+static char const * const ssu00002[] = {
+"read_kt",
+    "rkt",
+    (char const *)0
 };
 extern void ktutil_read_v5 __SS_PROTO;
-static char const *const ssu00003[] = {
-	"read_st",
-	"rst",
-	(char const *) 0
+static char const * const ssu00003[] = {
+"read_st",
+    "rst",
+    (char const *)0
 };
 extern void ktutil_read_v4 __SS_PROTO;
-static char const *const ssu00004[] = {
-	"write_kt",
-	"wkt",
-	(char const *) 0
+static char const * const ssu00004[] = {
+"write_kt",
+    "wkt",
+    (char const *)0
 };
 extern void ktutil_write_v5 __SS_PROTO;
-static char const *const ssu00005[] = {
-	"write_st",
-	"wst",
-	(char const *) 0
+static char const * const ssu00005[] = {
+"write_st",
+    "wst",
+    (char const *)0
 };
 extern void ktutil_write_v4 __SS_PROTO;
-static char const *const ssu00006[] = {
-	"add_entry",
-	"addent",
-	(char const *) 0
+static char const * const ssu00006[] = {
+"add_entry",
+    "addent",
+    (char const *)0
 };
 extern void ktutil_add_entry __SS_PROTO;
-static char const *const ssu00007[] = {
-	"delete_entry",
-	"delent",
-	(char const *) 0
+static char const * const ssu00007[] = {
+"delete_entry",
+    "delent",
+    (char const *)0
 };
 extern void ktutil_delete_entry __SS_PROTO;
-static char const *const ssu00008[] = {
-	"list",
-	"l",
-	(char const *) 0
+static char const * const ssu00008[] = {
+"list",
+    "l",
+    (char const *)0
 };
 extern void ktutil_list __SS_PROTO;
-static char const *const ssu00009[] = {
-	"list_requests",
-	"lr",
-	"?",
-	(char const *) 0
+static char const * const ssu00009[] = {
+"list_requests",
+    "lr",
+    "?",
+    (char const *)0
 };
 extern void ss_list_requests __SS_PROTO;
-static char const *const ssu00010[] = {
-	"quit",
-	"exit",
-	"q",
-	(char const *) 0
+static char const * const ssu00010[] = {
+"quit",
+    "exit",
+    "q",
+    (char const *)0
 };
 extern void ss_quit __SS_PROTO;
 static ss_request_entry ssu00011[] = {
-	{ssu00001,
-		ktutil_clear_list,
+    { ssu00001,
+      ktutil_clear_list,
 		gettext("Clear the current keylist."),
-	0},
-	{ssu00002,
-		ktutil_read_v5,
+      0 },
+    { ssu00002,
+      ktutil_read_v5,
 		gettext("Read a krb5 keytab into the current keylist."),
-	0},
-	{ssu00003,
-		ktutil_read_v4,
+      0 },
+    { ssu00003,
+      ktutil_read_v4,
 		gettext("Read a krb4 srvtab into the current keylist."),
-	0},
-	{ssu00004,
-		ktutil_write_v5,
+      0 },
+    { ssu00004,
+      ktutil_write_v5,
 		gettext("Write the current keylist to a krb5 keytab."),
-	0},
-	{ssu00005,
-		ktutil_write_v4,
+      0 },
+    { ssu00005,
+      ktutil_write_v4,
 		gettext("Write the current keylist to a krb4 srvtab."),
-	0},
-	{ssu00006,
-		ktutil_add_entry,
+      0 },
+    { ssu00006,
+      ktutil_add_entry,
 		gettext("Add an entry to the current keylist."),
-	0},
-	{ssu00007,
-		ktutil_delete_entry,
+      0 },
+    { ssu00007,
+      ktutil_delete_entry,
 		gettext("Delete an entry from the current keylist."),
-	0},
-	{ssu00008,
-		ktutil_list,
+      0 },
+    { ssu00008,
+      ktutil_list,
 		gettext("List the current keylist."),
-	0},
-	{ssu00009,
-		ss_list_requests,
+      0 },
+    { ssu00009,
+      ss_list_requests,
 		gettext("List available requests."),
-	0},
-	{ssu00010,
-		ss_quit,
+      0 },
+    { ssu00010,
+      ss_quit,
 		gettext("Exit program."),
-	0},
-	{0, 0, 0, 0}
+      0 },
+    { 0, 0, 0, 0 }
 };
 
-ss_request_table ktutil_cmds = {2, ssu00011};
+ss_request_table ktutil_cmds = { 2, ssu00011 };
 
 #undef gettext
 
--- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil_funcs.c	Sat Oct 07 13:37:05 2006 -0700
@@ -5,6 +5,7 @@
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
 
+
 /*
  * kadmin/ktutil/ktutil_funcs.c
  *
@@ -69,16 +70,16 @@
  * Delete a numbered entry in a kt_list.  Takes a pointer to a kt_list
  * in case head gets deleted.
  */
-krb5_error_code ktutil_delete(context, list, index)
+krb5_error_code ktutil_delete(context, list, idx)
     krb5_context context;
     krb5_kt_list *list;
-    int index;
+    int idx;
 {
     krb5_kt_list lp, prev;
     int i;
 
     for (lp = *list, i = 1; lp; prev = lp, lp = lp->next, i++) {
-	if (i == index) {
+	if (i == idx) {
 	    if (i == 1)
 		*list = lp->next;
 	    else
@@ -117,7 +118,8 @@
     char promptstr[1024];
 
     char *cp;
-    int i, tmp, pwsize = BUFSIZ;
+    int i, tmp;
+    unsigned int pwsize = BUFSIZ;
 
     retval = krb5_parse_name(context, princ_str, &princ);
     if (retval)
@@ -211,7 +213,7 @@
 
 	i = 0;
 	for (cp = buf; *cp; cp += 2) {
-	    if (!isxdigit(cp[0]) || !isxdigit(cp[1])) {
+	    if (!isxdigit((int) cp[0]) || !isxdigit((int) cp[1])) {
 	        fprintf(stderr, "addent: %s",
 			gettext("Illegal character in key.\n"));
 		retval = 0;
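Review bot: The `(int)` casts added to the two `isxdigit` calls do not change the value that is passed. Where plain `char` is signed, a byte above 0x7f in `buf` (apparently the hex key string that was entered) still arrives as a negative `int`, for which the `<ctype.h>` functions have undefined behaviour. Cast through `unsigned char` instead: `if (!isxdigit((unsigned char) cp[0]) || !isxdigit((unsigned char) cp[1])) {`. The enclosing function starts and ends outside this hunk.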
@@ -296,7 +298,7 @@
     }
     if (entry)
 	free((char *)entry);
-    if (retval)
+    if (retval) {
 	if (retval == KRB5_KT_END)
 	    retval = 0;
 	else {
@@ -305,6 +307,7 @@
 	    if (back)
 		back->next = NULL;
 	}
+    }
     if (!*list)
 	*list = tail;
     krb5_kt_end_seq_get(context, kt, &cursor);
@@ -353,12 +356,12 @@
  * including the null terminator.
  */
 
-int getstr(fp, s, n)
+static int getstr(fp, s, n)
     FILE *fp;
     register char *s;
     int n;
 {
-    register count = n;
+    register int count = n;
     while (fread(s, 1, 1, fp) > 0 && --count)
         if (*s++ == '\0')
             return (n - count);
@@ -512,10 +515,22 @@
 		lp1 = prev->next;
 	    }
 	    lp1->entry = lp->entry;
-	} else if (lp1->entry->vno < lp->entry->vno)
-	    /* Check if lp->entry is newer kvno; if so, update */
-	    lp1->entry = lp->entry;
+	} else {
+	    /* This heuristic should be roughly the same as in the
+	       keytab-reading code in libkrb5.  */
+	    int offset = 0;
+	    if (lp1->entry->vno > 240 || lp->entry->vno > 240) {
+		offset = 128;
+	    }
+#define M(X) (((X) + offset) % 256)
+	    if (M(lp1->entry->vno) < M(lp->entry->vno))
+		/* Check if lp->entry is newer kvno; if so, update */
+		lp1->entry = lp->entry;
+	}
     }
+    umask(0077); /*Changing umask for all of ktutil is OK
+		  * We don't ever write out anything that should use
+		  * default umask.*/
     fp = fopen(name, "w");
     if (!fp) {
 	retval = EIO;
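Review bot: `umask(0077)` before `fopen(name, "w")` only limits the mode of a file that `fopen` creates; if `name` already exists with group or world read bits, truncating it keeps those bits, and whatever is written afterwards (presumably key material) stays as readable as before. I would tighten the descriptor once the open has succeeded, `(void) fchmod(fileno(fp), S_IRUSR | S_IWUSR);`, or create the file through `open()` with an explicit 0600 mode and wrap it with `fdopen`. The failure path also replaces `errno` with `EIO`, which hides a permission or path error from the operator. Separately, `M(X)` is defined inside the function body and no `#undef M` is visible here; the function continues past the hunk, so confirm it is undefined there.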
--- a/usr/src/cmd/krb5/kadmin/server/ipropd_svc.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/server/ipropd_svc.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -151,7 +151,7 @@
 			whoami);
 		goto out;
 	}
-	if (!acl_check(handle->context,
+	if (!kadm5int_acl_check(handle->context,
 		    name,
 		    ACL_IPROP,
 		    NULL,
@@ -271,7 +271,7 @@
 			whoami);
 		goto out;
 	}
-	if (!acl_check(handle->context,
+	if (!kadm5int_acl_check(handle->context,
 		    name,
 		    ACL_IPROP,
 		    NULL,
--- a/usr/src/cmd/krb5/kadmin/server/kadm_rpc_svc.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/server/kadm_rpc_svc.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -36,14 +36,27 @@
 
 #include <stdio.h>
 #include <rpc/rpc.h>    /* SUNWresync 121 XXX */
+#include <gssapi_krb5.h> /* for gss_nt_krb5_name */
 #include <syslog.h>
+#ifdef HAVE_MEMORY_H
 #include <memory.h>
+#endif
 #include <rpc/rpcsec_gss.h>
 #include <kadm5/kadm_rpc.h>
 #include <krb5.h>
 #include <kadm5/admin.h>
 #include <libintl.h>
+#include <krb5/adm_proto.h>
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#include "misc.h"
+#include "kadm5/server_internal.h"
 
+extern void *global_server_handle;
+
+void log_badauth(OM_uint32 major, OM_uint32 minor,
+		 struct sockaddr_in *addr, char *data);
 /*
  * Function: kadm_1
  * 
@@ -61,8 +74,7 @@
  * Modifies:
  */
 
-void
-kadm_1(rqstp, transp)
+void kadm_1(rqstp, transp)
    struct svc_req *rqstp;
    register SVCXPRT *transp;
 {
@@ -86,11 +98,10 @@
 	  setkey3_arg setkey_principal3_1_arg;
      } argument;
      char *result;
-
      bool_t (*xdr_argument)(), (*xdr_result)();
      char *(*local)();
 
-	if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) {
+     if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) {
 		krb5_klog_syslog(LOG_ERR,
 		    gettext("Authentication attempt failed: invalid "
 			"RPC authentication flavor %d"),
@@ -107,154 +118,154 @@
      case CREATE_PRINCIPAL:
 	  xdr_argument = xdr_cprinc_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) create_principal_1;
+	  local = (char *(*)()) create_principal_1_svc;
 	  break;
 	  
      case DELETE_PRINCIPAL:
 	  xdr_argument = xdr_dprinc_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) delete_principal_1;
+	  local = (char *(*)()) delete_principal_1_svc;
 	  break;
 	  
      case MODIFY_PRINCIPAL:
 	  xdr_argument = xdr_mprinc_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) modify_principal_1;
+	  local = (char *(*)()) modify_principal_1_svc;
 	  break;
 	  
      case RENAME_PRINCIPAL:
 	  xdr_argument = xdr_rprinc_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) rename_principal_1;
+	  local = (char *(*)()) rename_principal_1_svc;
 	  break;
 	  
      case GET_PRINCIPAL:
 	  xdr_argument = xdr_gprinc_arg;
 	  xdr_result = xdr_gprinc_ret;
-	  local = (char *(*)()) get_principal_1;
+	  local = (char *(*)()) get_principal_1_svc;
 	  break;
 
      case GET_PRINCS:
 	  xdr_argument = xdr_gprincs_arg;
 	  xdr_result = xdr_gprincs_ret;
-	  local = (char *(*)()) get_princs_1;
+	  local = (char *(*)()) get_princs_1_svc;
 	  break;
 	  
      case CHPASS_PRINCIPAL:
 	  xdr_argument = xdr_chpass_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) chpass_principal_1;
+	  local = (char *(*)()) chpass_principal_1_svc;
 	  break;
 
 #ifdef SUNWOFF
      case SETV4KEY_PRINCIPAL:
 	  xdr_argument = xdr_setv4key_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) setv4key_principal_1;
+	  local = (char *(*)()) setv4key_principal_1_svc;
 	  break;
 #endif
 
      case SETKEY_PRINCIPAL:
 	  xdr_argument = xdr_setkey_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) setkey_principal_1;
+	  local = (char *(*)()) setkey_principal_1_svc;
 	  break;
 	  
      case CHRAND_PRINCIPAL:
 	  xdr_argument = xdr_chrand_arg;
 	  xdr_result = xdr_chrand_ret;
-	  local = (char *(*)()) chrand_principal_1;
+	  local = (char *(*)()) chrand_principal_1_svc;
 	  break;
 	  
      case CREATE_POLICY:
 	  xdr_argument = xdr_cpol_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) create_policy_1;
+	  local = (char *(*)()) create_policy_1_svc;
 	  break;
 	  
      case DELETE_POLICY:
 	  xdr_argument = xdr_dpol_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) delete_policy_1;
+	  local = (char *(*)()) delete_policy_1_svc;
 	  break;
 	  
      case MODIFY_POLICY:
 	  xdr_argument = xdr_mpol_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) modify_policy_1;
+	  local = (char *(*)()) modify_policy_1_svc;
 	  break;
 	  
      case GET_POLICY:
 	  xdr_argument = xdr_gpol_arg;
 	  xdr_result = xdr_gpol_ret;
-	  local = (char *(*)()) get_policy_1;
+	  local = (char *(*)()) get_policy_1_svc;
 	  break;
 
      case GET_POLS:
 	  xdr_argument = xdr_gpols_arg;
 	  xdr_result = xdr_gpols_ret;
-	  local = (char *(*)()) get_pols_1;
+	  local = (char *(*)()) get_pols_1_svc;
 	  break;
 	  
      case GET_PRIVS:
-		xdr_argument = xdr_u_int;
+	  xdr_argument = xdr_u_int;
 	  xdr_result = xdr_getprivs_ret;
-	  local = (char *(*)()) get_privs_1;
+	  local = (char *(*)()) get_privs_1_svc;
 	  break;
 
      case INIT:
-		xdr_argument = xdr_u_int;
+	  xdr_argument = xdr_u_int;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) init_1;
+	  local = (char *(*)()) init_1_svc;
 	  break;
 
      case CREATE_PRINCIPAL3:
 	  xdr_argument = xdr_cprinc3_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) create_principal3_1;
+	  local = (char *(*)()) create_principal3_1_svc;
 	  break;
 
      case CHPASS_PRINCIPAL3:
 	  xdr_argument = xdr_chpass3_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) chpass_principal3_1;
+	  local = (char *(*)()) chpass_principal3_1_svc;
 	  break;
 
      case CHRAND_PRINCIPAL3:
 	  xdr_argument = xdr_chrand3_arg;
 	  xdr_result = xdr_chrand_ret;
-	  local = (char *(*)()) chrand_principal3_1;
+	  local = (char *(*)()) chrand_principal3_1_svc;
 	  break;
 
      case SETKEY_PRINCIPAL3:
 	  xdr_argument = xdr_setkey3_arg;
 	  xdr_result = xdr_generic_ret;
-	  local = (char *(*)()) setkey_principal3_1;
+	  local = (char *(*)()) setkey_principal3_1_svc;
 	  break;
 
      default:
-		krb5_klog_syslog(LOG_ERR,
+	  krb5_klog_syslog(LOG_ERR,
 		    gettext("Invalid KADM5 procedure number: %d"),
 		 rqstp->rq_proc);
 	  svcerr_noproc(transp);
 	  return;
      }
      memset((char *)&argument, 0, sizeof(argument));
-	if (!svc_getargs(transp, xdr_argument, (char *) &argument)) {
+     if (!svc_getargs(transp, xdr_argument, (char *) &argument)) {
 	  svcerr_decode(transp);
 	  return;
      }
      result = (*local)(&argument, rqstp);
-	if (result != NULL &&
-	    !svc_sendreply(transp, xdr_result, (char *) result)) {
+     if (result != NULL && !svc_sendreply(transp, xdr_result, (char *) result)) {
 		krb5_klog_syslog(LOG_ERR,
 		    gettext("WARNING! Unable to send function results, "
 			    "continuing."));
 	  svcerr_systemerr(transp);
      }
-	if (!svc_freeargs(transp, xdr_argument, (char *) &argument)) {
-		krb5_klog_syslog(LOG_ERR,
+     if (!svc_freeargs(transp, xdr_argument, (char *) &argument)) {
+	  krb5_klog_syslog(LOG_ERR,
 		    gettext("WARNING! Unable to free arguments, "
 			"continuing."));
      }
+     return;
 }
--- a/usr/src/cmd/krb5/kadmin/server/misc.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/server/misc.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,25 +21,16 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/kadmin/\
- * server/misc.c,v 1.10 1996/07/22 20:28:55 marc Exp $
  */
 
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev"
-	"/.cvsroot/src/kadmin/server/misc.c,v 1.10 1996/07/22 20:28:55 "
-	"marc Exp $";
-
-#endif
-
 #include    <kadm5/adb.h>
 #include    <kadm5/server_internal.h>
 #include    <krb5/kdb.h>
 #include    "misc.h"
 
 /*
- * Function: chpass_principal_wrapper
- *
+ * Function: chpass_principal_wrapper_3
+ * 
  * Purpose: wrapper to kadm5_chpass_principal that checks to see if
  *	    pw_min_life has been reached. if not it returns an error.
  *	    otherwise it calls kadm5_chpass_principal
@@ -47,123 +38,134 @@
  * Arguments:
  *	principal	(input) krb5_principals whose password we are
  *				changing
- *	passoword	(input) passowrd we are going to change to.
- * 	<return value>	0 on sucsess error code on failure.
+ *	keepold 	(input) whether to preserve old keys
+ *	n_ks_tuple	(input) the number of key-salt tuples in ks_tuple
+ *	ks_tuple	(input) array of tuples indicating the caller's
+ *				requested enctypes/salttypes
+ *	password	(input) password we are going to change to.
+ * 	<return value>	0 on success error code on failure.
  *
  * Requires:
  *	kadm5_init to have been run.
- *
+ * 
  * Effects:
  *	calls kadm5_chpass_principal which changes the kdb and the
  *	the admin db.
  *
  */
 kadm5_ret_t
-chpass_principal_wrapper(void *server_handle,
-    krb5_principal principal, char *password)
+chpass_principal_wrapper_3(void *server_handle,
+			   krb5_principal principal,
+			   krb5_boolean keepold,
+			   int n_ks_tuple,
+			   krb5_key_salt_tuple *ks_tuple,
+			   char *password)
 {
-	krb5_int32 now;
-	kadm5_ret_t ret;
-	kadm5_policy_ent_rec pol;
-	kadm5_principal_ent_rec princ;
-	kadm5_server_handle_t handle = server_handle;
-
-	if (ret = krb5_timeofday(handle->context, &now))
-		return (ret);
+    kadm5_ret_t			ret;
 
-	if ((ret = kadm5_get_principal(handle->lhandle, principal,
-		    &princ,
-		    KADM5_PRINCIPAL_NORMAL_MASK)) !=
-	    KADM5_OK)
-		return (ret);
-	if (princ.aux_attributes & KADM5_POLICY) {
-		if ((ret = kadm5_get_policy(handle->lhandle,
-			    princ.policy, &pol)) != KADM5_OK) {
-			(void) kadm5_free_principal_ent(handle->lhandle,
-							&princ);
-			return (ret);
-		}
-		if ((now - princ.last_pwd_change) < pol.pw_min_life &&
-		    !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-			(void) kadm5_free_policy_ent(handle->lhandle, &pol);
-			(void) kadm5_free_principal_ent(handle->lhandle,
-							&princ);
-			return (KADM5_PASS_TOOSOON);
-		}
-		if (ret = kadm5_free_policy_ent(handle->lhandle, &pol)) {
-			(void) kadm5_free_principal_ent(handle->lhandle,
-							&princ);
-			return (ret);
-		}
-	}
-	if (ret = kadm5_free_principal_ent(handle->lhandle, &princ))
-		return (ret);
+    ret = check_min_life(server_handle, principal);
+    if (ret)
+	 return ret;
 
-	return (kadm5_chpass_principal(server_handle, principal, password));
+    return kadm5_chpass_principal_3(server_handle, principal,
+				    keepold, n_ks_tuple, ks_tuple,
+				    password);
 }
 
 
 /*
- * Function: randkey_principal_wrapper
- *
+ * Function: randkey_principal_wrapper_3
+ * 
  * Purpose: wrapper to kadm5_randkey_principal which checks the
- *	    passwords min. life.
+ *	    password's min. life.
  *
  * Arguments:
  *	principal	    (input) krb5_principal whose password we are
  *				    changing
+ *	keepold 	(input) whether to preserve old keys
+ *	n_ks_tuple	(input) the number of key-salt tuples in ks_tuple
+ *	ks_tuple	(input) array of tuples indicating the caller's
+ *				requested enctypes/salttypes
  *	key		    (output) new random key
- * 	< return value >    0, error code on error.
+ * 	<return value>	    0, error code on error.
  *
  * Requires:
  *	kadm5_init	 needs to be run
- *
+ * 
  * Effects:
  *	calls kadm5_randkey_principal
  *
  */
 kadm5_ret_t
-randkey_principal_wrapper(void *server_handle,
-    krb5_principal principal,
-    krb5_keyblock ** keys, int *n_keys)
+randkey_principal_wrapper_3(void *server_handle,
+			    krb5_principal principal,
+			    krb5_boolean keepold,
+			    int n_ks_tuple,
+			    krb5_key_salt_tuple *ks_tuple,
+			    krb5_keyblock **keys, int *n_keys)
 {
+    kadm5_ret_t			ret;
 
-	krb5_int32 now;
-	kadm5_ret_t ret;
-	kadm5_policy_ent_rec pol;
-	kadm5_principal_ent_rec princ;
-	kadm5_server_handle_t handle = server_handle;
+    ret = check_min_life(server_handle, principal);
+    if (ret)
+	 return ret;
+    return kadm5_randkey_principal_3(server_handle, principal,
+				     keepold, n_ks_tuple, ks_tuple,
+				     keys, n_keys);
+}
 
-	if (ret = krb5_timeofday(handle->context, &now))
-		return (ret);
+kadm5_ret_t
+chpass_util_wrapper(void *server_handle, krb5_principal princ,
+		    char *new_pw, char **ret_pw,
+		    char *msg_ret, unsigned int msg_len)
+{
+    kadm5_ret_t ret;
+
+    ret = check_min_life(server_handle, princ);
+    if (ret)
+	return ret;
+
+    return kadm5_chpass_principal_util(server_handle, princ,
+				       new_pw, ret_pw,
+				       msg_ret, msg_len);
+}
 
-	if ((ret = kadm5_get_principal(handle->lhandle,
-		    principal, &princ,
-		    KADM5_PRINCIPAL_NORMAL_MASK)) !=
-	    OSA_ADB_OK)
-		return (ret);
-	if (princ.aux_attributes & KADM5_POLICY) {
-		if ((ret = kadm5_get_policy(handle->lhandle,
-			    princ.policy, &pol)) != KADM5_OK) {
-			(void) kadm5_free_principal_ent(handle->lhandle,
-							&princ);
-			return (ret);
-		}
-		if ((now - princ.last_pwd_change) < pol.pw_min_life &&
-		    !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-			(void) kadm5_free_policy_ent(handle->lhandle, &pol);
-			(void) kadm5_free_principal_ent(handle->lhandle,
-							&princ);
-			return (KADM5_PASS_TOOSOON);
-		}
-		if (ret = kadm5_free_policy_ent(handle->lhandle, &pol)) {
-			(void) kadm5_free_principal_ent(handle->lhandle,
-							&princ);
-			return (ret);
-		}
+kadm5_ret_t
+check_min_life(void *server_handle, krb5_principal principal)
+{
+    krb5_int32			now;
+    kadm5_ret_t			ret;
+    kadm5_policy_ent_rec	pol;
+    kadm5_principal_ent_rec	princ;
+    kadm5_server_handle_t	handle = server_handle;
+
+    ret = krb5_timeofday(handle->context, &now);
+    if (ret)
+	return ret;
+
+    ret = kadm5_get_principal(handle->lhandle, principal, 
+			      &princ, KADM5_PRINCIPAL_NORMAL_MASK);
+    if(ret != OSA_ADB_OK) 
+	 return ret;
+    if(princ.aux_attributes & KADM5_POLICY) {
+	if((ret=kadm5_get_policy(handle->lhandle,
+				 princ.policy, &pol)) != KADM5_OK) {
+	    (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+	    return ret;
 	}
-	if (ret = kadm5_free_principal_ent(handle->lhandle, &princ))
-		return (ret);
-	return (kadm5_randkey_principal(server_handle,
-					principal, keys, n_keys));
+	if((now - princ.last_pwd_change) < pol.pw_min_life &&
+	   !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+	    (void) kadm5_free_policy_ent(handle->lhandle, &pol);
+	    (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+	    return KADM5_PASS_TOOSOON;
+	}
+
+	ret = kadm5_free_policy_ent(handle->lhandle, &pol);
+	if (ret) {
+	    (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+	    return ret;
+        }
+    }
+
+    return kadm5_free_principal_ent(handle->lhandle, &princ);
 }
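Review bot: `check_min_life` compares the result of `kadm5_get_principal` with `if(ret != OSA_ADB_OK)`, while the `kadm5_get_policy` call just below it is compared against `KADM5_OK` and the function itself returns `kadm5_ret_t`. The two constants are presumably both zero, but a policy gate should not depend on the success values of two different error tables agreeing; use `if (ret != KADM5_OK)` there. `check_min_life` and `chpass_util_wrapper` also lack the `Function:/Purpose:/Arguments:` header that the other two wrappers in this file carry. The header for `check_min_life` should state that it returns `KADM5_PASS_TOOSOON` when `now - princ.last_pwd_change` is below the policy's `pw_min_life` unless `KRB5_KDB_REQUIRES_PWCHANGE` is set, and that each wrapper calls it before changing keys.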
--- a/usr/src/cmd/krb5/kadmin/server/misc.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/server/misc.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #ifndef _MISC_H
@@ -33,69 +33,45 @@
 /*
  * Copyright 1994 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/kadmin/\
- * server/misc.h,v 1.6 1996/07/22 20:28:56 marc Exp $
- *
- * $Log: misc.h,v $
- * Revision 1.6  1996/07/22 20:28:56  marc
- * this commit includes all the changes on the OV_9510_INTEGRATION and
- * OV_MERGE branches.  This includes, but is not limited to, the new openvision
- * admin system, and major changes to gssapi to add functionality, and bring
- * the implementation in line with rfc1964.  before committing, the
- * code was built and tested for netbsd and solaris.
- *
- * Revision 1.5.4.1  1996/07/18 03:03:40  marc
- * merged in changes from OV_9510_BP to OV_9510_FINAL1
- *
- * Revision 1.5.2.1  1996/06/20  21:57:20  marc
- * File added to the repository on a branch
- *
- * Revision 1.5  1996/05/30  21:13:24  bjaspan
- * kadm5_get_principal_v1 takes a kadm5_principal_ent_t_v1
- * add kadm5_get_policy_v1
- *
- * Revision 1.4  1996/05/20 21:39:05  bjaspan
- * rename to kadm5
- * add kadm5_get_principal_v1
- *
- * Revision 1.3  1994/09/13 18:24:41  jik
- * Back out randkey changes.
- *
- * Revision 1.2  1994/09/12  20:26:12  jik
- * randkey_principal_wrapper now takes a new_kvno option.
- *
- * Revision 1.1  1994/08/11  17:00:44  jik
- * Initial revision
- *
  */
 
 kadm5_ret_t
-chpass_principal_wrapper(void *server_handle,
-    krb5_principal principal,
-    char *password);
+chpass_principal_wrapper_3(void *server_handle,
+			   krb5_principal principal,
+			   krb5_boolean keepold,
+			   int n_ks_tuple,
+			   krb5_key_salt_tuple *ks_tuple,
+			   char *password);
 
 kadm5_ret_t
-randkey_principal_wrapper(void *server_handle,
-    krb5_principal principal,
-    krb5_keyblock ** key,
-    int *n_keys);
+randkey_principal_wrapper_3(void *server_handle,
+			    krb5_principal principal,
+			    krb5_boolean keepold,
+			    int n_ks_tuple,
+			    krb5_key_salt_tuple *ks_tuple,
+			    krb5_keyblock **keys, int *n_keys);
 
 kadm5_ret_t
-kadm5_get_principal_v1(void *server_handle,
-    krb5_principal principal,
-    kadm5_principal_ent_t_v1 * ent);
+chpass_util_wrapper(void *server_handle, krb5_principal princ,
+		    char *new_pw, char **ret_pw,
+		    char *msg_ret, unsigned int msg_len);
+
+kadm5_ret_t check_min_life(void *server_handle, krb5_principal principal);
 
-kadm5_ret_t
-kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
-    kadm5_policy_ent_t * ent);
+kadm5_ret_t kadm5_get_principal_v1(void *server_handle,
+				   krb5_principal principal, 
+				   kadm5_principal_ent_t_v1 *ent);
 
-/* BSM */
-extern void audit_kadmind_auth(SVCXPRT *, in_port_t, char *, char *,
-			    char *, int);
-extern void audit_kadmind_unauth(SVCXPRT *, in_port_t, char *, char *, char *);
+kadm5_ret_t kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
+				kadm5_policy_ent_t *ent);
+
+#ifdef SVC_GETARGS
+void  kadm_1(struct svc_req *, SVCXPRT *);
+#endif
 
 #ifdef	__cplusplus
 }
 #endif
 
 #endif	/* !_MISC_H */
+
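Review bot: The prototypes for `audit_kadmind_auth` and `audit_kadmind_unauth` are removed from misc.h, but server_stubs.c (which includes misc.h) still calls both in create_principal_1_svc and delete_principal_1_svc. Unless another header not visible here declares them, those calls compile against an implicit declaration, and the `in_port_t` argument no longer matches the definition after default promotion. I would keep `extern void audit_kadmind_auth(SVCXPRT *, in_port_t, char *, char *, char *, int);` and `extern void audit_kadmind_unauth(SVCXPRT *, in_port_t, char *, char *, char *);`, placed inside the new `#ifdef SVC_GETARGS` guard next to `kadm_1` because they need `SVCXPRT`. That guard also deserves a one-line comment saying misc.h must be included after the RPC headers, since otherwise `kadm_1` is silently left undeclared.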
--- a/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/server/ovsec_kadmd.c	Sat Oct 07 13:37:05 2006 -0700
@@ -22,42 +22,72 @@
  *
  */
 
-
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  */
 
 /*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ * 
+ * All rights reserved.
+ * 
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government.  It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  FundsXpress makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+
+/*
  * SUNWresync121 XXX
  * Beware future resyncers, this file is much diff from MIT (1.0...)
  */
 
-#include <stdio.h>
-#include <stdio_ext.h>
-#include <signal.h>
-#include <syslog.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <unistd.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>	/* inet_ntoa */
-#include <netdb.h>
-#include <gssapi/gssapi.h>
-#include <rpc/rpc.h>
-#include <kadm5/admin.h>
-#include <kadm5/kadm_rpc.h>
-#include <kadm5/server_internal.h>
-#include <server_acl.h>
-#include <krb5/adm_proto.h>
-#include <string.h>
-#include <gssapi_krb5.h>
-#include <libintl.h>
-#include <locale.h>
-#include <sys/resource.h>
-#include <kdb/kdb_log.h>
+#include    <stdio.h>
+#include    <stdio_ext.h>
+#include    <signal.h>
+#include    <syslog.h>
+#include    <sys/types.h>
+#ifdef _AIX
+#include    <sys/select.h>
+#endif
+#include    <sys/time.h>
+#include    <sys/socket.h>
+#include    <unistd.h>
+#include    <netinet/in.h>
+#include    <arpa/inet.h>  /* inet_ntoa */
+#include    <gssapi/gssapi.h>
+#include    <rpc/rpc.h>
+#include    <kadm5/admin.h>
+#include    <kadm5/kadm_rpc.h>
+#include    <server_acl.h>
+#include    <krb5/adm_proto.h>
+#include    <string.h>
+#include    <kadm5/server_internal.h>
+#include    <gssapi_krb5.h>
+#include    <libintl.h>
+#include    <locale.h>
+#include    <sys/resource.h>
+#include    <kdb/kdb_log.h>
+#include    <kdb/kdb_kt.h>
 
 #include <rpc/rpcsec_gss.h>
+#include    "misc.h"
 
 #ifndef	FD_SETSIZE
 #define	FD_SETSIZE	256
@@ -67,6 +97,12 @@
 #define	MAX(a, b)	(((a) > (b)) ? (a) : (b))
 #endif
 
+#if defined(NEED_DAEMON_PROTO)
+extern int daemon(int, int);
+#endif
+
+
+
 static int signal_request_exit = 0;
 static int schpw;
 kadm5_config_params chgpw_params;
@@ -80,6 +116,7 @@
 static struct sigaction s_action;
 #endif /* POSIX_SIGNALS */
 
+
 #define	TIMEOUT	15
 
 typedef struct _auth_gssapi_name {
@@ -92,7 +129,7 @@
 
 /*
  * This is a kludge, but the server needs these constants to be
- * compatible with old clients.	They are defined in <kadm5/admin.h>,
+ * compatible with old clients.  They are defined in <kadm5/admin.h>,
  * but only if USE_KADM5_API_VERSION == 1.
  */
 #define	OVSEC_KADM_ADMIN_SERVICE_P	"ovsec_adm@admin"
@@ -113,6 +150,8 @@
 
 static krb5_context context;  /* XXX yuck.  the signal handlers need this */
 
+static krb5_context hctx;
+
 in_port_t l_port = 0;	/* global local port num, for BSM audits */
 
 int nofork = 0; /* global; don't fork (debug mode) */
@@ -120,7 +159,7 @@
 
 /*
  * Function: usage
- *
+ * 
  * Purpose: print out the server usage message
  *
  * Arguments:
@@ -129,8 +168,7 @@
  * Modifies:
  */
 
-void
-usage()
+static void usage()
 {
 	fprintf(stderr, gettext("Usage: kadmind [-r realm] [-m] [-d] "
 	    "[-p port-number]\n"));
@@ -154,9 +192,9 @@
  * displayed on stderr, each preceeded by "GSS-API error <msg>: " and
  * followed by a newline.
  */
-static void display_status_1();
+static void display_status_1(char *, OM_uint32, int);
 
-void display_status(msg, maj_stat, min_stat)
+static void display_status(msg, maj_stat, min_stat)
      char *msg;
      OM_uint32 maj_stat;
      OM_uint32 min_stat;
@@ -366,7 +404,6 @@
 int
 main(int argc, char *argv[])
 {
-	void kadm_1(struct svc_req *, SVCXPRT *);
 	SVCXPRT *transp;
 	extern char *optarg;
 	extern int optind, opterr;
@@ -489,7 +526,16 @@
 	}
 
 	krb5_klog_init(context, "admin_server", whoami, 1);
-
+    /* SUNW14resync */
+#if 0
+    krb5_klog_syslog(LOG_INFO, "Seeding random number generator");
+          ret = krb5_c_random_os_entropy(context, 1, NULL);
+	if(ret) {
+	krb5_klog_syslog(LOG_ERR, "Error getting random seed: %s, aborting",
+			     error_message(ret));
+	exit(1);
+	}
+#endif
 
 	/*
 	 * When using the Horowitz/IETF protocol for
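Review bot: The block added after `krb5_klog_init` compiles out the startup call to `krb5_c_random_os_entropy` with `#if 0`, and the only explanation is the tag `/* SUNW14resync */`. This daemon generates keys (misc.h declares `randkey_principal_wrapper_3`), so a maintainer needs to know where the random generator gets its seed on this platform, and the page does not say. I would either delete the dead block or replace the tag with a comment of the form `/* SUNW14resync: OS entropy seeding is skipped here because <reason>; the RNG is seeded by <component> */`. The enclosing main() starts and ends outside this hunk.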
@@ -574,8 +620,7 @@
 		krb5_klog_close(context);
 		exit(1);
 	}
-#define	REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_ACL_FILE | \
-			KADM5_CONFIG_ADMIN_KEYTAB)
+#define	REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_ACL_FILE)
 
 	if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
 		krb5_klog_syslog(LOG_ERR,
@@ -584,7 +629,7 @@
 		    (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
 		fprintf(stderr,
 		    gettext("%s: Missing required configuration values "
-			"(%x) while initializing, aborting\n"), whoami,
+			"(%lx) while initializing, aborting\n"), whoami,
 		    (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
 		krb5_klog_close(context);
 		exit(1);
@@ -820,7 +865,7 @@
 					(gss_OID) nt_krb5_name_oid,
 					&gss_oldchangepw_name);
 	}
-	if (ret = acl_init(context, 0, params.acl_file)) {
+	if (ret = kadm5int_acl_init(context, 0, params.acl_file)) {
 		krb5_klog_syslog(LOG_ERR, gettext("Cannot initialize acl file: %s"),
 		    error_message(ret));
 		fprintf(stderr, gettext("%s: Cannot initialize acl file: %s\n"),
--- a/usr/src/cmd/krb5/kadmin/server/server_glue_v1.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/server/server_glue_v1.c	Sat Oct 07 13:37:05 2006 -0700
@@ -19,6 +19,7 @@
 
 
 #include <kadm5/admin.h>
+#include "misc.h"
 
 /*
  * In server_stubs.c, kadmind has to be able to call kadm5 functions
@@ -36,19 +37,15 @@
  * typecasts instead.
  */
 
-kadm5_ret_t
-kadm5_get_principal_v1(void *server_handle,
-		    krb5_principal principal,
-		    kadm5_principal_ent_t_v1 * ent)
+kadm5_ret_t kadm5_get_principal_v1(void *server_handle,
+				  krb5_principal principal, 
+				  kadm5_principal_ent_t_v1 *ent)
 {
-	return (kadm5_get_principal(server_handle, principal,
-				    (kadm5_principal_ent_t) ent, 0));
+     return kadm5_get_principal(server_handle, principal,(kadm5_principal_ent_t) ent, 0);
 }
 
-kadm5_ret_t
-kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
-		    kadm5_policy_ent_t * ent)
+kadm5_ret_t kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
+				kadm5_policy_ent_t *ent)
 {
-	return (kadm5_get_policy(server_handle, name,
-				 (kadm5_policy_ent_t) ent));
+     return kadm5_get_policy(server_handle, name,(kadm5_policy_ent_t) ent);
 }
--- a/usr/src/cmd/krb5/kadmin/server/server_stubs.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kadmin/server/server_stubs.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -26,17 +26,8 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/
- *  kadmin/server/server_stubs.c,v 1.34 1996/07/22 20:29:13 marc Exp $
  */
 
-#if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev"
-	"/.cvsroot/src/kadmin/server/server_stubs.c,v 1.34 "
-	"1996/07/22 20:29:13 marc Exp $";
-
-#endif
-
 #include <gssapi/gssapi.h>
 #include <gssapi_krb5.h>   /* for gss_nt_krb5_name */
 #include <krb5.h>
@@ -47,27 +38,37 @@
 #include <security/pam_appl.h>
 
 #include <syslog.h>
+#include <arpa/inet.h>  /* inet_ntoa */
+#include <krb5/adm_proto.h>  /* krb5_klog_syslog */
 #include <libintl.h>
 #include "misc.h"
 
-#define	LOG_UNAUTH  gettext("Unauthorized request: %s, %s, " \
+#define LOG_UNAUTH  gettext("Unauthorized request: %s, %s, " \
 			    "client=%s, service=%s, addr=%s")
-#define	LOG_DONE    gettext("Request: %s, %s, %s, client=%s, " \
+#define	LOG_DONE   gettext("Request: %s, %s, %s, client=%s, " \
 			    "service=%s, addr=%s")
 
-extern gss_name_t gss_changepw_name;
-extern gss_name_t gss_oldchangepw_name;
-extern void *global_server_handle;
+extern gss_name_t 			gss_changepw_name;
+extern gss_name_t			gss_oldchangepw_name;
+extern void *				global_server_handle;
 extern short l_port;
 
 char buf[33];
 
-#define	CHANGEPW_SERVICE(rqstp) \
+#define CHANGEPW_SERVICE(rqstp) \
 	(cmp_gss_names_rel_1(acceptor_name(rqstp), gss_changepw_name) |\
-	(gss_oldchangepw_name && \
-	cmp_gss_names_rel_1(acceptor_name(rqstp), \
+	 (gss_oldchangepw_name && \
+	  cmp_gss_names_rel_1(acceptor_name(rqstp), \
 			gss_oldchangepw_name)))
 
+
+static int gss_to_krb5_name(kadm5_server_handle_t handle,
+		     gss_name_t gss_name, krb5_principal *princ);
+
+static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str);
+
+static gss_name_t acceptor_name(struct svc_req * rqstp);
+
 kadm5_ret_t
 kadm5_get_priv(void *server_handle,
     long *privs, gss_name_t clnt);
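Review bot: `extern short l_port;` is left untouched while the neighbouring externs are realigned, but ovsec_kadmd.c in this same changeset defines the object as `in_port_t l_port`. The two declarations disagree on signedness, which is undefined behaviour for one object shared across translation units. Any port above 32767 also reads as a negative value here before it is handed to the audit calls. Declaring it once in misc.h as `extern in_port_t l_port;` and dropping this local extern would keep the two files in step.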
@@ -120,26 +121,25 @@
 	return (buf);
 }
 
-int
-cmp_gss_names(gss_name_t n1, gss_name_t n2)
+static int cmp_gss_names(gss_name_t n1, gss_name_t n2)
 {
-	OM_uint32 emaj, emin;
-	int equal;
+   OM_uint32 emaj, emin;
+   int equal;
 
-	if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal)))
-		return (0);
+   if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal)))
+      return(0);
 
-	return (equal);
+   return(equal);
 }
 
 /* Does a comparison of the names and then releases the first entity */
 /* For use above in CHANGEPW_SERVICE */
-int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
+static int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
 {
    OM_uint32 min_stat;
    int ret;
- 
-    ret = cmp_gss_names(n1, n2);
+
+   ret = cmp_gss_names(n1, n2);
    if (n1) (void) gss_release_name(&min_stat, &n1);
    return ret;
 }
@@ -155,29 +155,10 @@
  * 	handle		The server handle.
  */
 
-static int
-check_handle(void *handle)
-{
-	CHECK_HANDLE(handle);
-	return (0);
-}
-
-int
-gss_to_krb5_name(kadm5_server_handle_t handle,
-    gss_name_t gss_name, krb5_principal * princ)
+static int check_handle(void *handle)
 {
-	OM_uint32 stat, min_stat;
-	gss_buffer_desc gss_str;
-	gss_OID gss_type;
-	int success;
-
-	stat = gss_display_name(&min_stat, gss_name, &gss_str, &gss_type);
-	if ((stat != GSS_S_COMPLETE) ||
-	    (!g_OID_equal(gss_type, gss_nt_krb5_name)))
-		return (0);
-	success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
-	gss_release_buffer(&min_stat, &gss_str);
-	return (success);
+     CHECK_HANDLE(handle);
+     return 0;
 }
 
 /*
@@ -193,46 +174,46 @@
  * 	rqstp		(input) The RPC request
  * 	handle		(output) The returned handle
  *	<return value>	(output) An error code, or 0 if no error occurred
- *
+ * 
  * Effects:
  * 	Returns a pointer to allocated storage containing the server
  * 	handle.  If an error occurs, then no allocated storage is
  *	returned, and the return value of the function will be a
  * 	non-zero com_err code.
- *
+ *      
  *      The allocated storage for the handle should be freed with
  * 	free_server_handle (see below) when it is no longer needed.
  */
 
-static kadm5_ret_t
-new_server_handle(krb5_ui_4 api_version,
-		struct svc_req * rqstp,
-		kadm5_server_handle_t *out_handle)
+static kadm5_ret_t new_server_handle(krb5_ui_4 api_version,
+					  struct svc_req *rqstp,
+					  kadm5_server_handle_t
+					  *out_handle)
 {
-	kadm5_server_handle_t handle;
+     kadm5_server_handle_t handle;
 	gss_name_t name;
 	OM_uint32 min_stat;
 
-	if (!(handle = (kadm5_server_handle_t)
-		malloc(sizeof (*handle))))
-		return (ENOMEM);
+     if (! (handle = (kadm5_server_handle_t)
+	    malloc(sizeof(*handle))))
+	  return ENOMEM;
 
-	*handle = *(kadm5_server_handle_t) global_server_handle;
-	handle->api_version = api_version;
+     *handle = *(kadm5_server_handle_t)global_server_handle;
+     handle->api_version = api_version;
 
-	if (!(name = get_clnt_name(rqstp))) {
-		free(handle);
-		return (KADM5_FAILURE);
-	}
-	if (!gss_to_krb5_name(handle, name, &handle->current_caller)) {
-		free(handle);
+     if (!(name = get_clnt_name(rqstp))) {
+	  free(handle);
+	  return KADM5_FAILURE;
+     }
+    if (! gss_to_krb5_name(handle, name, &handle->current_caller)) {
+	  free(handle);
 		gss_release_name(&min_stat, &name);
-		return (KADM5_FAILURE);
+	  return KADM5_FAILURE;
 	}
 	gss_release_name(&min_stat, &name);
 
-	*out_handle = handle;
-	return (0);
+     *out_handle = handle;
+     return 0;
 }
 
 /*
@@ -243,39 +224,10 @@
  * Arguments:
  * 	handle		(input/output) The handle to free
  */
-static void
-free_server_handle(kadm5_server_handle_t handle)
-{
-	krb5_free_principal(handle->context, handle->current_caller);
-	free(handle);
-}
-
-gss_name_t
-acceptor_name(struct svc_req * rqstp)
+static void free_server_handle(kadm5_server_handle_t handle)
 {
-	OM_uint32 maj_stat, min_stat;
-	gss_name_t name;
-	rpc_gss_rawcred_t *raw_cred;
-	void *cookie;
-	gss_buffer_desc name_buff;
-
-	rpc_gss_getcred(rqstp, &raw_cred, NULL, &cookie);
-	name_buff.value = raw_cred->svc_principal;
-	name_buff.length = strlen(raw_cred->svc_principal);
-	maj_stat = gss_import_name(&min_stat, &name_buff,
-	    (gss_OID) gss_nt_krb5_name, &name);
-	if (maj_stat != GSS_S_COMPLETE) {
-		gss_release_buffer(&min_stat, &name_buff);
-		return (NULL);
-	}
-	maj_stat = gss_display_name(&min_stat, name, &name_buff, NULL);
-	if (maj_stat != GSS_S_COMPLETE) {
-		gss_release_buffer(&min_stat, &name_buff);
-		return (NULL);
-	}
-	gss_release_buffer(&min_stat, &name_buff);
-
-	return (name);
+     krb5_free_principal(handle->context, handle->current_caller);
+     free(handle);
 }
 
 /*
@@ -296,11 +248,11 @@
  * on success and -1 on failure. On failure client_name and server_name
  * will point to null.
  */
-int
-setup_gss_names(struct svc_req * rqstp,
+/* SUNW14resync */
+int setup_gss_names(struct svc_req *rqstp,
     char **client_name, char **server_name)
 {
-	OM_uint32 maj_stat, min_stat;
+     OM_uint32 maj_stat, min_stat;
 	rpc_gss_rawcred_t *raw_cred;
 	gss_buffer_desc name_buf;
 	char *tmp, *val;
@@ -358,18 +310,44 @@
 	return (tmp ? 0 : -1);
 }
 
-int
-cmp_gss_krb5_name(kadm5_server_handle_t handle,
-    gss_name_t gss_name, krb5_principal princ)
+static gss_name_t acceptor_name(struct svc_req * rqstp)
 {
-	krb5_principal princ2;
-	int stat;
+     OM_uint32 maj_stat, min_stat;
+     gss_name_t name;
+     rpc_gss_rawcred_t *raw_cred;
+     void *cookie;
+     gss_buffer_desc name_buff;
 
-	if (!gss_to_krb5_name(handle, gss_name, &princ2))
-		return (0);
-	stat = krb5_principal_compare(handle->context, princ, princ2);
-	krb5_free_principal(handle->context, princ2);
-	return (stat);
+	rpc_gss_getcred(rqstp, &raw_cred, NULL, &cookie);
+	name_buff.value = raw_cred->svc_principal;
+	name_buff.length = strlen(raw_cred->svc_principal);
+	maj_stat = gss_import_name(&min_stat, &name_buff,
+	    (gss_OID) gss_nt_krb5_name, &name);
+	if (maj_stat != GSS_S_COMPLETE) {
+		gss_release_buffer(&min_stat, &name_buff);
+		return (NULL);
+	}
+	maj_stat = gss_display_name(&min_stat, name, &name_buff, NULL);
+    if (maj_stat != GSS_S_COMPLETE) {
+		gss_release_buffer(&min_stat, &name_buff);
+	  return (NULL);
+	}
+	gss_release_buffer(&min_stat, &name_buff);
+
+     return name;
+}
+     
+static int cmp_gss_krb5_name(kadm5_server_handle_t handle,
+		      gss_name_t gss_name, krb5_principal princ)
+{
+     krb5_principal princ2;
+     int status;
+
+     if (! gss_to_krb5_name(handle, gss_name, &princ2))
+	  return 0;
+     status = krb5_principal_compare(handle->context, princ, princ2);
+     krb5_free_principal(handle->context, princ2);
+     return status;
 }
 
 
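Review bot: acceptor_name(), re-added here as a static function, passes memory it does not own to gss_release_buffer(): `name_buff.value` points at `raw_cred->svc_principal`, and the gss_import_name() failure branch releases `name_buff` (the gss_display_name() failure branch may do the same if the buffer was left untouched). That second branch also returns without releasing `name`, and the result of rpc_gss_getcred() is not checked before `raw_cred` is dereferenced. Since cmp_gss_names() returns 0 on a GSS error, any failure here makes CHANGEPW_SERVICE() evaluate false, so the handlers then rely on the ACL check alone. The rewrite below borrows the string without releasing it, displays into a separate buffer, and frees `name` on the error path.

```c
static gss_name_t acceptor_name(struct svc_req * rqstp)
{
     OM_uint32 maj_stat, min_stat;
     gss_name_t name = GSS_C_NO_NAME;
     rpc_gss_rawcred_t *raw_cred = NULL;
     void *cookie;
     gss_buffer_desc name_buff;
     gss_buffer_desc disp_buff = GSS_C_EMPTY_BUFFER;

     if (!rpc_gss_getcred(rqstp, &raw_cred, NULL, &cookie) ||
	 raw_cred == NULL || raw_cred->svc_principal == NULL)
	  return (NULL);

     /* name_buff only borrows svc_principal; never gss_release_buffer() it */
     name_buff.value = raw_cred->svc_principal;
     name_buff.length = strlen(raw_cred->svc_principal);
     maj_stat = gss_import_name(&min_stat, &name_buff,
	 (gss_OID) gss_nt_krb5_name, &name);
     if (maj_stat != GSS_S_COMPLETE)
	  return (NULL);

     maj_stat = gss_display_name(&min_stat, name, &disp_buff, NULL);
     if (maj_stat != GSS_S_COMPLETE) {
	  (void) gss_release_name(&min_stat, &name);
	  return (NULL);
     }
     (void) gss_release_buffer(&min_stat, &disp_buff);

     return name;
}
```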
@@ -438,75 +416,102 @@
 	return (result);
 }
 
-generic_ret *
-create_principal_1(cprinc_arg * arg, struct svc_req * rqstp)
+static int gss_to_krb5_name(kadm5_server_handle_t handle,
+		     gss_name_t gss_name, krb5_principal *princ)
 {
-	static generic_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	int policy_migrate = 0;
+     OM_uint32 status, minor_stat;
+     gss_buffer_desc gss_str;
+     gss_OID gss_type;
+     int success;
 
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	kadm5_ret_t retval;
-	restriction_t		*rp;
-	gss_name_t name = NULL;
+     status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type);
+     if ((status != GSS_S_COMPLETE) || (!g_OID_equal(gss_type, gss_nt_krb5_name)))
+	  return 0;
+     success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
+     gss_release_buffer(&minor_stat, &gss_str);
+     return success;
+}
 
-	xdr_free(xdr_generic_ret, (char *) &ret);
+static int
+gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str)
+{
+     OM_uint32 status, minor_stat;
+     gss_OID gss_type;
+
+     status = gss_display_name(&minor_stat, gss_name, str, &gss_type);
+     if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
+	  return 1;
+     return 0;
+}
 
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
+generic_ret *
+create_principal_1_svc(cprinc_arg *arg, struct svc_req *rqstp)
+{
+    static generic_ret		ret;
+    char			*prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    int policy_migrate = 0;
 
-	if (ret.code = check_handle((void *) handle))
-		goto error;
-	ret.api_version = handle->api_version;
+    OM_uint32			minor_stat;
+    kadm5_server_handle_t	handle;
+    kadm5_ret_t retval;
+    restriction_t		*rp;
+    gss_name_t name = NULL;
+
+    xdr_free(xdr_generic_ret, (char *) &ret);
 
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
+
+    if ((ret.code = check_handle((void *)handle)))
 		goto error;
-	}
-	if (krb5_unparse_name(handle->context, arg->rec.principal,
-	    &prime_arg)) {
-		ret.code = KADM5_BAD_PRINCIPAL;
-		goto error;
-	}	
+    ret.api_version = handle->api_version;
+
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
+	goto error;
+    }
+    if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
+	 ret.code = KADM5_BAD_PRINCIPAL;
+	 goto error;
+    }
 	if (!(name = get_clnt_name(rqstp))) {
 		ret.code = KADM5_FAILURE;
 		goto error;
 	}
 
-	if (acl_check(handle->context, name, ACL_MIGRATE,
+	if (kadm5int_acl_check(handle->context, name, ACL_MIGRATE,
 	    arg->rec.principal, &rp) &&
 	    verify_pam_pw(prime_arg, arg->passwd)) {
 		policy_migrate = 1;
 	}
 
-	if (CHANGEPW_SERVICE(rqstp)
-	    || (!acl_check(handle->context, name, ACL_ADD,
+    if (CHANGEPW_SERVICE(rqstp)
+	|| (!kadm5int_acl_check(handle->context, name, ACL_ADD,
 			arg->rec.principal, &rp) &&
 		!(policy_migrate))
-	    || acl_impose_restrictions(handle->context,
-				    &arg->rec, &arg->mask, rp)) {
-		ret.code = KADM5_AUTH_ADD;
+	|| kadm5int_acl_impose_restrictions(handle->context,
+				   &arg->rec, &arg->mask, rp)) {
+	 ret.code = KADM5_AUTH_ADD;
 
 		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
 				    "kadm5_create_principal",
 				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
-			"kadm5_create_principal", prime_arg, client_name,
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+		prime_arg, client_name,
 			service_name, client_addr(rqstp, buf));
-	} else {
-		ret.code = kadm5_create_principal((void *) handle,
-		    &arg->rec, arg->mask,
-		    arg->passwd);
+    } else {
+	 ret.code = kadm5_create_principal((void *)handle,
+						&arg->rec, arg->mask,
+						arg->passwd);
 
 		audit_kadmind_auth(rqstp->rq_xprt, l_port,
 				"kadm5_create_principal",
 				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
-		    prime_arg, ((ret.code == 0) ? "success" :
-			error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+		prime_arg,((ret.code == 0) ? "success" :
+			   error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
 
 		if (policy_migrate && (ret.code == 0)) {
 			arg->rec.policy = strdup("default");
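Review bot: The new gss_name_to_string() compares the name type by pointer, `gss_type != gss_nt_krb5_name`, while gss_to_krb5_name() directly above it uses `g_OID_equal()`. An equal OID held in a different object would therefore be rejected only by the new helper. Both helpers also return on a type mismatch after gss_display_name() has succeeded, without releasing the buffer it filled. I would test `!g_OID_equal(gss_type, gss_nt_krb5_name)` in both and call `gss_release_buffer(&minor_stat, str);` (respectively `&gss_str`) before the failure return. create_principal_1_svc, which follows in this hunk, continues past its end.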
@@ -530,27 +535,27 @@
 	}
 
 error:
-	if (name)
-		gss_release_name(&min_stat, &name);
-	free_server_handle(handle);
-	if (prime_arg)
-		free(prime_arg);
-	if (client_name)
-		free(client_name);
-	if (service_name)
-		free(service_name);
-	return (&ret);
+    if (name)
+    	gss_release_name(&minor_stat, &name);
+    free_server_handle(handle);
+    if (prime_arg)
+    	free(prime_arg);
+    if (client_name)
+    	free(client_name);
+    if (service_name)
+    	free(service_name);
+    return (&ret);
 }
 
 generic_ret *
-create_principal3_1(cprinc3_arg *arg, struct svc_req *rqstp)
+create_principal3_1_svc(cprinc3_arg *arg, struct svc_req *rqstp)
 {
     static generic_ret		ret;
     char			*prime_arg = NULL;
     char			*client_name = NULL, *service_name = NULL;
     int				policy_migrate = 0;
 
-    OM_uint32			min_stat;
+    OM_uint32			minor_stat;
     kadm5_server_handle_t	handle;
     kadm5_ret_t			retval;
     restriction_t		*rp;
@@ -558,19 +563,19 @@
 
     xdr_free(xdr_generic_ret, (char *) &ret);
 
-    if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
 	 return &ret;
 
-    if (ret.code = check_handle((void *)handle))
+    if ((ret.code = check_handle((void *)handle)))
 	goto error;
     ret.api_version = handle->api_version;
 
     if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-	ret.code = KADM5_FAILURE;
+	 ret.code = KADM5_FAILURE;
 	goto error;
     }
     if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
-	ret.code = KADM5_BAD_PRINCIPAL;
+	 ret.code = KADM5_BAD_PRINCIPAL;
 	goto error;
     }	
     if (!(name = get_clnt_name(rqstp))) {
@@ -578,22 +583,22 @@
 	goto error;
     }
 
-    if (acl_check(handle->context, name, ACL_MIGRATE,
+    if (kadm5int_acl_check(handle->context, name, ACL_MIGRATE,
 		arg->rec.principal, &rp) &&
 		verify_pam_pw(prime_arg, arg->passwd)) {
 	policy_migrate = 1;
     }
 
     if (CHANGEPW_SERVICE(rqstp)
-	|| (!acl_check(handle->context, name, ACL_ADD,
+	|| (!kadm5int_acl_check(handle->context, name, ACL_ADD,
 			arg->rec.principal, &rp) &&
 	    !(policy_migrate))
-	|| acl_impose_restrictions(handle->context,
+	|| kadm5int_acl_impose_restrictions(handle->context,
 				   &arg->rec, &arg->mask, rp)) {
 	 ret.code = KADM5_AUTH_ADD;
 	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
-			  prime_arg, client_name, service_name,
-			  client_addr(rqstp, buf));
+		prime_arg, client_name, service_name,
+		client_addr(rqstp, buf));
     } else {
 	 ret.code = kadm5_create_principal_3((void *)handle,
 					     &arg->rec, arg->mask,
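Review bot: create_principal3_1_svc writes only a syslog line on the denied branch, whereas create_principal_1_svc and delete_principal_1_svc in this file also call audit_kadmind_unauth(), and audit_kadmind_auth() on the permitted branch. As shown, a KADM5_AUTH_ADD refusal or a completed create through the v3 RPC leaves no BSM audit record. Adding `audit_kadmind_unauth(rqstp->rq_xprt, l_port, "kadm5_create_principal", prime_arg, client_name);` before the krb5_klog_syslog call, and the matching audit_kadmind_auth() call after kadm5_create_principal_3(), would keep the audit trail uniform across the create handlers. The function body starts before and continues after this hunk.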
@@ -601,7 +606,7 @@
 					     arg->ks_tuple,
 					     arg->passwd);
 	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
-			  prime_arg,((ret.code == 0) ? "success" :
+		prime_arg,((ret.code == 0) ? "success" :
 			   error_message(ret.code)), 
 			  client_name, service_name,
 			  client_addr(rqstp, buf));
@@ -629,77 +634,389 @@
 
 error:
     if (name)
-    	gss_release_name(&min_stat, &name);
+    	gss_release_name(&minor_stat, &name);
     free_server_handle(handle);
     if (client_name)
-	free(client_name);
+    	free(client_name);
     if (service_name)
-	free(service_name);
+    	free(service_name);
     if (prime_arg)
-	free(prime_arg);
-    return (&ret);
+    	free(prime_arg);
+    return &ret;
+}
+
+generic_ret *
+delete_principal_1_svc(dprinc_arg *arg, struct svc_req *rqstp)
+{
+    static generic_ret		    ret;
+    char			    *prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32 min_stat;
+    kadm5_server_handle_t handle;
+    gss_name_t name = NULL;
+
+    xdr_free(xdr_generic_ret, (char *) &ret);
+
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
+
+    if ((ret.code = check_handle((void *)handle)))
+		goto error;
+    ret.api_version = handle->api_version;
+
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
+		goto error;
+    }
+    if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+	 ret.code = KADM5_BAD_PRINCIPAL;
+		goto error;
+    }
+	if (!(name = get_clnt_name(rqstp))) {
+		ret.code = KADM5_FAILURE;
+		goto error;
+	}
+    
+    if (CHANGEPW_SERVICE(rqstp)
+	|| !kadm5int_acl_check(handle->context, name, ACL_DELETE,
+		      arg->princ, NULL)) {
+	 ret.code = KADM5_AUTH_DELETE;
+
+		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
+				    "kadm5_delete_principal",
+				    prime_arg, client_name);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
+		prime_arg, client_name,
+			service_name, client_addr(rqstp, buf));
+    } else {
+	 ret.code = kadm5_delete_principal((void *)handle, arg->princ);
+
+		audit_kadmind_auth(rqstp->rq_xprt, l_port,
+				"kadm5_delete_principal",
+				prime_arg, client_name, ret.code);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", prime_arg, 
+		((ret.code == 0) ? "success" : error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
+    }
+
+error:
+    if (name)
+    	gss_release_name(&min_stat, &name);
+    if (prime_arg)
+    	free(prime_arg);
+    free_server_handle(handle);
+    if (client_name)
+    	free(client_name);
+    if (service_name)
+    	free(service_name);
+    return &ret;
 }
 
 generic_ret *
-delete_principal_1(dprinc_arg * arg, struct svc_req * rqstp)
+modify_principal_1_svc(mprinc_arg *arg, struct svc_req *rqstp)
 {
-	static generic_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
+    static generic_ret		    ret;
+    char *prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32 min_stat;
+    kadm5_server_handle_t handle;
+    restriction_t *rp;
+    gss_name_t name = NULL;
+
+    xdr_free(xdr_generic_ret, (char *) &ret);
 
-	xdr_free(xdr_generic_ret, (char *) &ret);
-
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
 
-	if (ret.code = check_handle((void *) handle))
+    if ((ret.code = check_handle((void *)handle)))
+		goto error;
+   if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
 		goto error;
-	ret.api_version = handle->api_version;
-
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+    }
+    if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
+	 ret.code = KADM5_BAD_PRINCIPAL;
+	 goto error;
+    }
+	if (!(name = get_clnt_name(rqstp))) {
 		ret.code = KADM5_FAILURE;
 		goto error;
 	}
-	if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-		ret.code = KADM5_BAD_PRINCIPAL;
-		goto error;
-	}	
+
+    if (CHANGEPW_SERVICE(rqstp)
+	|| !kadm5int_acl_check(handle->context, name, ACL_MODIFY,
+		      arg->rec.principal, &rp)
+	|| kadm5int_acl_impose_restrictions(handle->context,
+				   &arg->rec, &arg->mask, rp)) {
+	 ret.code = KADM5_AUTH_MODIFY;
+
+		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
+				    "kadm5_modify_principal",
+				    prime_arg, client_name);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
+		prime_arg, client_name,
+		    service_name, client_addr(rqstp, buf));
+    } else {
+	 ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
+						arg->mask);
+
+		audit_kadmind_auth(rqstp->rq_xprt, l_port,
+				"kadm5_modify_principal",
+				prime_arg, client_name, ret.code);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
+		prime_arg, ((ret.code == 0) ? "success" :
+			    error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
+    }
+
+error:
+    if (name)
+    	gss_release_name(&min_stat, &name);
+    free_server_handle(handle);
+    if (prime_arg)
+    	free(prime_arg);
+    if (client_name)
+    	free(client_name);
+    if (service_name)
+    	free(service_name);
+    return &ret;
+}
+
+generic_ret *
+rename_principal_1_svc(rprinc_arg *arg, struct svc_req *rqstp)
+{
+    static generic_ret		ret;
+    char			*prime_arg1 = NULL, *prime_arg2 = NULL;
+    char prime_arg[BUFSIZ];
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32 min_stat;
+    kadm5_server_handle_t handle;
+    restriction_t *rp;
+    gss_name_t name = NULL;
+
+    xdr_free(xdr_generic_ret, (char *) &ret);
+
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
+
+    if ((ret.code = check_handle((void *)handle)))
+	 goto error;
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
+	 goto error;
+    }
+    if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) ||
+        krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
+	 ret.code = KADM5_BAD_PRINCIPAL;
+	 goto error;
+    }
+    sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
+
+    ret.code = KADM5_OK;
+
 	if (!(name = get_clnt_name(rqstp))) {
 		ret.code = KADM5_FAILURE;
 		goto error;
 	}
 
-	if (CHANGEPW_SERVICE(rqstp)
-	    || !acl_check(handle->context, name, ACL_DELETE,
-			arg->princ, NULL)) {
-		ret.code = KADM5_AUTH_DELETE;
+    if (! CHANGEPW_SERVICE(rqstp)) {
+	 if (!kadm5int_acl_check(handle->context, name,
+			ACL_DELETE, arg->src, NULL))
+	      ret.code = KADM5_AUTH_DELETE;
+	 /* any restrictions at all on the ADD kills the RENAME */
+	 if (!kadm5int_acl_check(handle->context, name,
+			ACL_ADD, arg->dest, &rp)) {
+	      if (ret.code == KADM5_AUTH_DELETE)
+		   ret.code = KADM5_AUTH_INSUFFICIENT;
+	      else
+		   ret.code = KADM5_AUTH_ADD;
+	 }
+    } else
+	 ret.code = KADM5_AUTH_INSUFFICIENT;
+    if (ret.code != KADM5_OK) {
+
+		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
+				    "kadm5_rename_principal",
+				    prime_arg, client_name);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
+		prime_arg, client_name,
+		    service_name, client_addr(rqstp, buf));
+    } else {
+	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
+						arg->dest);
+
+		audit_kadmind_auth(rqstp->rq_xprt, l_port,
+				"kadm5_rename_principal",
+				prime_arg, client_name, ret.code);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
+		prime_arg, ((ret.code == 0) ? "success" :
+			    error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
+    }
+
+error:
+    if (name)
+    	gss_release_name(&min_stat, &name);
+    free_server_handle(handle);
+    if (prime_arg1)
+    	free(prime_arg1);
+    if (prime_arg2)
+    	free(prime_arg2);
+    if (client_name)
+    	free(client_name);
+    if (service_name)
+    	free(service_name);
+    return &ret;
+}
+
+gprinc_ret *
+get_principal_1_svc(gprinc_arg *arg, struct svc_req *rqstp)
+{
+    static gprinc_ret		    ret;
+    kadm5_principal_ent_t_v1	    e;
+    char			    *prime_arg = NULL, *funcname;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32			    min_stat;
+    kadm5_server_handle_t	    handle;
+    gss_name_t name = NULL;
+
+    xdr_free(xdr_gprinc_ret, (char *) &ret);
+
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
+
+    if ((ret.code = check_handle((void *)handle)))
+		goto error;
+    ret.api_version = handle->api_version;
+
+    funcname = handle->api_version == KADM5_API_VERSION_1 ?
+	 "kadm5_get_principal (V1)" : "kadm5_get_principal";
+
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
+		goto error;
+    }
+    if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+	 ret.code = KADM5_BAD_PRINCIPAL;
+		goto error;
+    }
+	if (!(name = get_clnt_name(rqstp))) {
+		ret.code = KADM5_FAILURE;
+		goto error;
+	}
+
+    if (! cmp_gss_krb5_name(handle, name, arg->princ) &&
+	(CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+					       name,
+					       ACL_INQUIRE,
+					       arg->princ,
+					       NULL))) {
+	 ret.code = KADM5_AUTH_GET;
 
 		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
-				    "kadm5_delete_principal",
+				    funcname,
 				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
-			"kadm5_delete_principal", prime_arg, client_name,
-			service_name, client_addr(rqstp, buf));
-	} else {
-		ret.code = kadm5_delete_principal((void *) handle, arg->princ);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+		prime_arg, client_name, service_name,
+		    client_addr(rqstp, buf));
+    } else {
+	 if (handle->api_version == KADM5_API_VERSION_1) {
+	      ret.code  = kadm5_get_principal_v1((void *)handle,
+						 arg->princ, &e); 
+	      if(ret.code == KADM5_OK) {
+		   memcpy(&ret.rec, e, sizeof(kadm5_principal_ent_rec_v1));
+		   free(e);
+	      }
+	 } else {
+	      ret.code  = kadm5_get_principal((void *)handle,
+					      arg->princ, &ret.rec,
+					      arg->mask);
+	 }
+	 
+		audit_kadmind_auth(rqstp->rq_xprt, l_port,
+				funcname,
+				prime_arg, client_name, ret.code);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+		prime_arg,  
+		((ret.code == 0) ? "success" : error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
+    }
+
+error:
+	if (name)
+    	gss_release_name(&min_stat, &name);
+    free_server_handle(handle);
+    if (prime_arg)
+    	free(prime_arg);
+    if (client_name)
+    	free(client_name);
+    if (service_name)
+    	free(service_name);
+    return &ret;
+}
+
+gprincs_ret *
+get_princs_1_svc(gprincs_arg *arg, struct svc_req *rqstp)
+{
+    static gprincs_ret		    ret;
+    char			    *prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32			    min_stat;
+    kadm5_server_handle_t handle;
+    gss_name_t name = NULL;
+
+    xdr_free(xdr_gprincs_ret, (char *) &ret);
+
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
+
+    if ((ret.code = check_handle((void *)handle)))
+		goto error;
+    ret.api_version = handle->api_version;
+
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
+		goto error;
+    }
+    prime_arg = arg->exp;
+    if (prime_arg == NULL)
+	 prime_arg = "*";
+
+	if (!(name = get_clnt_name(rqstp))) {
+		ret.code = KADM5_FAILURE;
+		goto error;
+	}
+
+    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+					      name,
+					      ACL_LIST,
+					      NULL,
+					      NULL)) {
+	 ret.code = KADM5_AUTH_LIST;
+
+		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
+				    "kadm5_get_principals",
+				    prime_arg, client_name);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
+		prime_arg, client_name,
+		    service_name, client_addr(rqstp, buf));
+    } else {
+	 ret.code  = kadm5_get_principals((void *)handle,
+					       arg->exp, &ret.princs,
+					       &ret.count);
 
 		audit_kadmind_auth(rqstp->rq_xprt, l_port,
-				"kadm5_delete_principal",
+				"kadm5_get_principals",
 				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE,
-		    "kadm5_delete_principal", prime_arg,
-		    ((ret.code == 0) ? "success" : error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
+		prime_arg,  
+		((ret.code == 0) ? "success" : error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
 	}
 
 error:
 	if (name)
 		gss_release_name(&min_stat, &name);
-	if (prime_arg)
-		free(prime_arg);
 	free_server_handle(handle);
 	if (client_name)
 		free(client_name);
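Review bot: In `rename_principal_1_svc`, `sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);` writes two unparsed principal names into `char prime_arg[BUFSIZ]` with no length bound, and both names come from the RPC arguments `arg->src` and `arg->dest`. The call also runs before `get_clnt_name` and the `kadm5int_acl_check` tests, so the ACL does not limit who can reach it. Bound the write with `snprintf(prime_arg, sizeof (prime_arg), "%s to %s", prime_arg1, prime_arg2);` (truncation is acceptable for a log label), or build the string in a heap buffer sized from the two `strlen` results. The removed `rename_principal_1` had the same call, so the resync carries the problem over rather than introducing it.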
@@ -709,30 +1026,30 @@
 }
 
 generic_ret *
-modify_principal_1(mprinc_arg * arg, struct svc_req * rqstp)
+chpass_principal_1_svc(chpass_arg *arg, struct svc_req *rqstp)
 {
-	static generic_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	restriction_t *rp;
-	gss_name_t name = NULL;
+    static generic_ret		    ret;
+    char			    *prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32 min_stat;
+    kadm5_server_handle_t	    handle;
+    gss_name_t name = NULL;
 
-	xdr_free(xdr_generic_ret, (char *) &ret);
+    xdr_free(xdr_generic_ret, (char *) &ret);
 
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
 
-	if (ret.code = check_handle((void *) handle))
+    if ((ret.code = check_handle((void *)handle)))
 		goto error;
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
+    ret.api_version = handle->api_version;
+
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
 		goto error;
-	}
-	if (krb5_unparse_name(handle->context, arg->rec.principal,
-	    &prime_arg)) {
-		ret.code = KADM5_BAD_PRINCIPAL;
+    }
+    if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+	 ret.code = KADM5_BAD_PRINCIPAL;
 		goto error;
 	}	
 	if (!(name = get_clnt_name(rqstp))) {
@@ -740,31 +1057,33 @@
 		goto error;
 	}
 
-	if (CHANGEPW_SERVICE(rqstp)
-	    || !acl_check(handle->context, name, ACL_MODIFY,
-			arg->rec.principal, &rp)
-	    || acl_impose_restrictions(handle->context,
-				    &arg->rec, &arg->mask, rp)) {
-		ret.code = KADM5_AUTH_MODIFY;
-
+    if (cmp_gss_krb5_name(handle, name, arg->princ)) {
+	 ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
+					       FALSE, 0, NULL, arg->pass);
+    } else if (!(CHANGEPW_SERVICE(rqstp)) &&
+	       kadm5int_acl_check(handle->context, name,
+			 ACL_CHANGEPW, arg->princ, NULL)) {
+	 ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
+						arg->pass);
+    } else {
 		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
-				    "kadm5_modify_principal",
+				    "kadm5_chpass_principal",
 				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
-		    "kadm5_modify_principal", prime_arg, client_name,
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+		prime_arg, client_name,
 		    service_name, client_addr(rqstp, buf));
-	} else {
-		ret.code = kadm5_modify_principal((void *) handle, &arg->rec,
-		    arg->mask);
+	 ret.code = KADM5_AUTH_CHANGEPW;
+    }
 
+    if(ret.code != KADM5_AUTH_CHANGEPW) {
 		audit_kadmind_auth(rqstp->rq_xprt, l_port,
-				"kadm5_modify_principal",
+				"kadm5_chpass_principal",
 				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
-		    prime_arg, ((ret.code == 0) ? "success" :
-			error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
+	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", 
+	       prime_arg, ((ret.code == 0) ? "success" :
+			   error_message(ret.code)), 
+	       client_name, service_name, client_addr(rqstp, buf));
+    }
 
 error:
 	if (name)
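Review bot: `if(ret.code != KADM5_AUTH_CHANGEPW)` uses the return code to decide whether the request was authorized, so the `audit_kadmind_auth` and `LOG_DONE` records depend on what the change call returned rather than on which branch ran. Should `chpass_principal_wrapper_3` or `kadm5_chpass_principal` ever return `KADM5_AUTH_CHANGEPW` themselves (not visible here), the request would leave neither a DONE nor an UNAUTH record. A local flag set in the final `else` branch, e.g. `int denied = 0;`, then `denied = 1;`, then `if (!denied) {`, would keep the audit trail independent of the callee's error codes. The function starts and ends outside this hunk.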
@@ -780,328 +1099,7 @@
 }
 
 generic_ret *
-rename_principal_1(rprinc_arg * arg, struct svc_req * rqstp)
-{
-	static generic_ret ret;
-	char *prime_arg1 = NULL, *prime_arg2 = NULL;
-	char prime_arg[BUFSIZ];
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	restriction_t *rp;
-	gss_name_t name = NULL;
-
-	xdr_free(xdr_generic_ret, (char *) &ret);
-
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
-
-	if (ret.code = check_handle((void *) handle))
-		goto error;
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-	if (krb5_unparse_name(handle->context, arg->src, &prime_arg1)) {
-		ret.code = KADM5_BAD_PRINCIPAL;
-		goto error;
-	}	
-	if (krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
-		ret.code = KADM5_BAD_PRINCIPAL;
-		goto error;
-	}	
-	sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
-	ret.code = KADM5_OK;
-
-	if (!(name = get_clnt_name(rqstp))) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-
-	if (!CHANGEPW_SERVICE(rqstp)) {
-		if (!acl_check(handle->context, name,
-			    ACL_DELETE, arg->src, NULL))
-			ret.code = KADM5_AUTH_DELETE;
-		/* any restrictions at all on the ADD kills the RENAME */
-		if (!acl_check(handle->context, name,
-			    ACL_ADD, arg->dest, &rp)) {
-			if (ret.code == KADM5_AUTH_DELETE)
-				ret.code = KADM5_AUTH_INSUFFICIENT;
-			else
-				ret.code = KADM5_AUTH_ADD;
-		}
-	} else
-		ret.code = KADM5_AUTH_INSUFFICIENT;
-
-	if (ret.code != KADM5_OK) {
-
-		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
-				    "kadm5_rename_principal",
-				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
-			"kadm5_rename_principal", prime_arg, client_name,
-		    service_name, client_addr(rqstp, buf));
-	} else {
-		ret.code = kadm5_rename_principal((void *) handle, arg->src,
-		    arg->dest);
-
-		audit_kadmind_auth(rqstp->rq_xprt, l_port,
-				"kadm5_rename_principal",
-				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
-		    prime_arg, ((ret.code == 0) ? "success" :
-			error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
-
-error:
-	if (name)
-		gss_release_name(&min_stat, &name);
-	free_server_handle(handle);
-	if (prime_arg1)
-		free(prime_arg1);
-	if (prime_arg2)
-		free(prime_arg2);
-	if (client_name)
-		free(client_name);
-	if (service_name)
-		free(service_name);
-	return (&ret);
-}
-
-gprinc_ret *
-get_principal_1(gprinc_arg * arg, struct svc_req * rqstp)
-{
-	static gprinc_ret ret;
-	kadm5_principal_ent_t_v1 e;
-	char *prime_arg = NULL, *funcname;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
-
-	xdr_free(xdr_gprinc_ret, (char *) &ret);
-
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
-
-	if (ret.code = check_handle((void *) handle))
-		goto error;
-	ret.api_version = handle->api_version;
-
-	funcname = handle->api_version == KADM5_API_VERSION_1 ?
-	    "kadm5_get_principal (V1)" : "kadm5_get_principal";
-
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-	if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-		ret.code = KADM5_BAD_PRINCIPAL;
-		goto error;
-	}	
-	if (!(name = get_clnt_name(rqstp))) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-
-	if (!cmp_gss_krb5_name(handle, name, arg->princ) &&
-	    (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
-						name,
-						ACL_INQUIRE,
-						arg->princ,
-						NULL))) {
-		ret.code = KADM5_AUTH_GET;
-
-		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
-				    funcname,
-				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
-		    prime_arg, client_name, service_name,
-		    client_addr(rqstp, buf));
-	} else {
-		if (handle->api_version == KADM5_API_VERSION_1) {
-			ret.code = kadm5_get_principal_v1((void *) handle,
-			    arg->princ, &e);
-			if (ret.code == KADM5_OK) {
-				memcpy(&ret.rec, e,
-					sizeof (kadm5_principal_ent_rec_v1));
-				free(e);
-			}
-		} else {
-			ret.code = kadm5_get_principal((void *) handle,
-			    arg->princ, &ret.rec,
-			    arg->mask);
-		}
-
-		audit_kadmind_auth(rqstp->rq_xprt, l_port,
-				funcname,
-				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
-		    prime_arg,
-		    ((ret.code == 0) ? "success" : error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
-
-error:
-	if (name)
-		gss_release_name(&min_stat, &name);
-	free_server_handle(handle);
-	if (prime_arg)
-		free(prime_arg);
-	if (client_name)
-		free(client_name);
-	if (service_name)
-		free(service_name);
-	return (&ret);
-}
-
-gprincs_ret *
-get_princs_1(gprincs_arg * arg, struct svc_req * rqstp)
-{
-	static gprincs_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
-
-	xdr_free(xdr_gprincs_ret, (char *) &ret);
-
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
-
-	if (ret.code = check_handle((void *) handle))
-		goto error;
-	ret.api_version = handle->api_version;
-
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-	prime_arg = arg->exp;
-	if (prime_arg == NULL)
-		prime_arg = "*";
-
-	if (!(name = get_clnt_name(rqstp))) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-
-	if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
-						name,
-						ACL_LIST,
-						NULL,
-						NULL)) {
-		ret.code = KADM5_AUTH_LIST;
-
-		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
-				    "kadm5_get_principals",
-				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
-		    prime_arg, client_name,
-		    service_name, client_addr(rqstp, buf));
-	} else {
-		ret.code = kadm5_get_principals((void *) handle,
-		    arg->exp, &ret.princs,
-		    &ret.count);
-
-		audit_kadmind_auth(rqstp->rq_xprt, l_port,
-				"kadm5_get_principals",
-				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
-		    prime_arg,
-		    ((ret.code == 0) ? "success" : error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
-
-error:
-	if (name)
-		gss_release_name(&min_stat, &name);
-	free_server_handle(handle);
-	if (client_name)
-		free(client_name);
-	if (service_name)
-		free(service_name);
-	return (&ret);
-}
-
-generic_ret *
-chpass_principal_1(chpass_arg * arg, struct svc_req * rqstp)
-{
-	static generic_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
-
-	xdr_free(xdr_generic_ret, (char *) &ret);
-
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
-
-	if (ret.code = check_handle((void *) handle))
-		goto error;
-	ret.api_version = handle->api_version;
-
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-	if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-		ret.code = KADM5_BAD_PRINCIPAL;
-		goto error;
-	}	
-	if (!(name = get_clnt_name(rqstp))) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-
-	if (cmp_gss_krb5_name(handle, name, arg->princ)) {
-		ret.code = chpass_principal_wrapper((void *) handle, arg->princ,
-		    arg->pass);
-	} else if (!(CHANGEPW_SERVICE(rqstp)) &&
-		    acl_check(handle->context, name,
-			    ACL_CHANGEPW, arg->princ, NULL)) {
-		ret.code = kadm5_chpass_principal((void *) handle, arg->princ,
-		    arg->pass);
-	} else {
-		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
-				    "kadm5_chpass_principal",
-				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH,
-		    "kadm5_chpass_principal", prime_arg, client_name,
-		    service_name, client_addr(rqstp, buf));
-		ret.code = KADM5_AUTH_CHANGEPW;
-	}
-
-	if (ret.code != KADM5_AUTH_CHANGEPW) {
-
-		audit_kadmind_auth(rqstp->rq_xprt, l_port,
-				"kadm5_chpass_principal",
-				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
-		    prime_arg, ((ret.code == 0) ? "success" :
-			error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
-
-error:
-	if (name)
-		gss_release_name(&min_stat, &name);
-	free_server_handle(handle);
-	if (prime_arg)
-		free(prime_arg);
-	if (client_name)
-		free(client_name);
-	if (service_name)
-		free(service_name);
-	return (&ret);
-}
-
-generic_ret *
-chpass_principal3_1(chpass3_arg *arg, struct svc_req *rqstp)
+chpass_principal3_1_svc(chpass3_arg *arg, struct svc_req *rqstp)
 {
     static generic_ret		    ret;
     char			    *prime_arg = NULL;
@@ -1113,19 +1111,19 @@
 
     xdr_free(xdr_generic_ret, (char *) &ret);
 
-    if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
 	 return &ret;
 
-    if (ret.code = check_handle((void *)handle))
+    if ((ret.code = check_handle((void *)handle)))
 	goto error;
     ret.api_version = handle->api_version;
 
     if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-	ret.code = KADM5_FAILURE;
+	 ret.code = KADM5_FAILURE;
 	goto error;
     }
     if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-	ret.code = KADM5_BAD_PRINCIPAL;
+	 ret.code = KADM5_BAD_PRINCIPAL;
 	goto error;
     }	
     if (!(name = get_clnt_name(rqstp))) {
@@ -1134,10 +1132,13 @@
     }
 
     if (cmp_gss_krb5_name(handle, name, arg->princ)) {
-	 ret.code = chpass_principal_wrapper((void *)handle, arg->princ,
-					     arg->pass);
+	 ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
+					       arg->keepold,
+					       arg->n_ks_tuple,
+					       arg->ks_tuple,
+					       arg->pass);
     } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-	       acl_check(handle->context, name,
+	       kadm5int_acl_check(handle->context, name,
 			 ACL_CHANGEPW, arg->princ, NULL)) {
 	 ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ,
 					     arg->keepold,
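Review bot: The self-service branch (`cmp_gss_krb5_name` true) now forwards the client-supplied `arg->keepold`, `arg->n_ks_tuple` and `arg->ks_tuple` to `chpass_principal_wrapper_3`, where the old code passed only `arg->pass`. A principal without `ACL_CHANGEPW` can therefore influence key/salt types and old-key retention for its own entry, so any restriction on those has to be enforced inside the wrapper, which is not visible in this hunk. I would document that at the call, e.g. `/* self-change: keepold and ks_tuple are client-chosen; wrapper enforces policy */`, and confirm that the wrapper validates them. The function body continues outside the hunk.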
@@ -1146,14 +1147,14 @@
 					     arg->pass);
     } else {
 	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
-			  prime_arg, client_name, service_name,
-			  client_addr(rqstp, buf));
+		prime_arg, client_name, service_name,
+		client_addr(rqstp, buf));
 	 ret.code = KADM5_AUTH_CHANGEPW;
     }
 
     if(ret.code != KADM5_AUTH_CHANGEPW) {
 	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", 
-			prime_arg, ((ret.code == 0) ? "success" :
+	       prime_arg, ((ret.code == 0) ? "success" :
 				    error_message(ret.code)), 
 			client_name, service_name,
 			client_addr(rqstp, buf));
@@ -1164,17 +1165,17 @@
     	gss_release_name(&min_stat, &name);
     free_server_handle(handle);
     if (client_name)
-	free(client_name);
+    	free(client_name);
     if (service_name)
-	free(service_name);
+    	free(service_name);
     if (prime_arg)
-	free(prime_arg);
+    	free(prime_arg);
     return (&ret);
 }
 
 #ifdef SUNWOFF
 generic_ret *
-setv4key_principal_1(setv4key_arg *arg, struct svc_req *rqstp)
+setv4key_principal_1_svc(setv4key_arg *arg, struct svc_req *rqstp)
 {
     static generic_ret		    ret;
     char			    *prime_arg = NULL;
@@ -1186,19 +1187,19 @@
 
     xdr_free(xdr_generic_ret, (char *) &ret);
 
-    if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
 	 return &ret;
 
-    if (ret.code = check_handle((void *)handle))
+    if ((ret.code = check_handle((void *)handle)))
 	goto error;
     ret.api_version = handle->api_version;
 
     if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-	ret.code = KADM5_FAILURE;
+	 ret.code = KADM5_FAILURE;
 	goto error;
     }
     if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-	ret.code = KADM5_BAD_PRINCIPAL;
+	 ret.code = KADM5_BAD_PRINCIPAL;
 	goto error;
     }	
     if (!(name = get_clnt_name(rqstp))) {
@@ -1207,13 +1208,14 @@
     }
 
     if (!(CHANGEPW_SERVICE(rqstp)) &&
-	       acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
+	       kadm5int_acl_check(handle->context, name,
+			 ACL_SETKEY, arg->princ, NULL)) {
 	 ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
 					     arg->keyblock);
     } else {
-      krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
-		       prime_arg, client_name, service_name,
-		       client_addr(rqstp, buf));
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
+		prime_arg, client_name, service_name,
+		client_addr(rqstp, buf));
 	 ret.code = KADM5_AUTH_SETKEY;
     }
 
@@ -1240,7 +1242,7 @@
 #endif
 
 generic_ret *
-setkey_principal_1(setkey_arg *arg, struct svc_req *rqstp)
+setkey_principal_1_svc(setkey_arg *arg, struct svc_req *rqstp)
 {
     static generic_ret		    ret;
     char			    *prime_arg;
@@ -1252,28 +1254,28 @@
 
     xdr_free(xdr_generic_ret, (char *) &ret);
 
-    if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
 	 return &ret;
 
-    if (ret.code = check_handle((void *)handle))
+    if ((ret.code = check_handle((void *)handle)))
 	goto error;
     ret.api_version = handle->api_version;
 
     if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-	ret.code = KADM5_FAILURE;
+	 ret.code = KADM5_FAILURE;
 	goto error;
     }
     if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-	ret.code = KADM5_BAD_PRINCIPAL;
+	 ret.code = KADM5_BAD_PRINCIPAL;
 	goto error;
     }	
     if (!(name = get_clnt_name(rqstp))) {
-	ret.code = KADM5_FAILURE;
+	 ret.code = KADM5_FAILURE;
 	goto error;
     }
 
     if (!(CHANGEPW_SERVICE(rqstp)) &&
-	       acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
+	       kadm5int_acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
 	 ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
 					   arg->keyblocks, arg->n_keys);
     } else {
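Review bot: `prime_arg` in `setkey_principal_1_svc` is declared without an initializer (`char *prime_arg;` in the preceding hunk), yet the `goto error` paths here after `check_handle` and `setup_gss_names` run before it is assigned. The cleanup code shown in the `@@ -1296,16` hunk then does `if (prime_arg) free(prime_arg);`, which would pass an indeterminate pointer to `free`, assuming the `error:` label sits just above those lines as in the sibling handlers. Initialize it as the other handlers do: `char *prime_arg = NULL;`. The function starts and ends outside this hunk.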
@@ -1296,16 +1298,16 @@
 	gss_release_name(&min_stat, &name);
     free_server_handle(handle);
     if (client_name)
-	free(client_name);
+    	free(client_name);
     if (service_name)
-	free(service_name);
+    	free(service_name);
     if (prime_arg)
-	free(prime_arg);
+    	free(prime_arg);
     return (&ret);
 }
 
 generic_ret *
-setkey_principal3_1(setkey3_arg *arg, struct svc_req *rqstp)
+setkey_principal3_1_svc(setkey3_arg *arg, struct svc_req *rqstp)
 {
     static generic_ret		    ret;
     char			    *prime_arg = NULL;
@@ -1317,28 +1319,29 @@
 
     xdr_free(xdr_generic_ret, (char *) &ret);
 
-    if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
 	 return &ret;
 
-    if (ret.code = check_handle((void *)handle))
+    if ((ret.code = check_handle((void *)handle)))
 	goto error;
     ret.api_version = handle->api_version;
 
     if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-	ret.code = KADM5_FAILURE;
+	 ret.code = KADM5_FAILURE;
 	goto error;
     }
     if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-	ret.code = KADM5_BAD_PRINCIPAL;
+	 ret.code = KADM5_BAD_PRINCIPAL;
 	goto error;
     }	
     if (!(name = get_clnt_name(rqstp))) {
-	ret.code = KADM5_FAILURE;
+	 ret.code = KADM5_FAILURE;
 	goto error;
     }
 
     if (!(CHANGEPW_SERVICE(rqstp)) &&
-	       acl_check(handle->context, name, ACL_SETKEY, arg->princ, NULL)) {
+	       kadm5int_acl_check(handle->context, name,
+			 ACL_SETKEY, arg->princ, NULL)) {
 	 ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
 					     arg->keepold,
 					     arg->n_ks_tuple,
@@ -1352,11 +1355,11 @@
     }
 
     if(ret.code != KADM5_AUTH_SETKEY) {
-        krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", 
+	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", 
 	       prime_arg, ((ret.code == 0) ? "success" :
-	       error_message(ret.code)), 
-	  client_name, service_name,
-	  client_addr(rqstp, buf));
+			   error_message(ret.code)), 
+	       client_name, service_name,
+	       client_addr(rqstp, buf));
     }
 
 error:
@@ -1366,100 +1369,101 @@
     if (client_name)
 	free(client_name);
     if (service_name)
-	free(service_name);
+    	free(service_name);
     if (prime_arg)
-	free(prime_arg);
-    return (&ret);
+    	free(prime_arg);
+    return &ret;
 }
 
 chrand_ret *
-chrand_principal_1(chrand_arg * arg, struct svc_req * rqstp)
+chrand_principal_1_svc(chrand_arg *arg, struct svc_req *rqstp)
 {
-	static chrand_ret ret;
-	krb5_keyblock *k;
-	int nkeys;
-	char *prime_arg = NULL, *funcname;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
+    static chrand_ret		ret;
+    krb5_keyblock		*k;
+    int				nkeys;
+    char			*prime_arg = NULL, *funcname;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32			min_stat;
+    kadm5_server_handle_t	handle;
+    gss_name_t name = NULL;
 
-	xdr_free(xdr_chrand_ret, (char *) &ret);
+    xdr_free(xdr_chrand_ret, (char *) &ret);
 
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
 
-	if (ret.code = check_handle((void *) handle))
+    if ((ret.code = check_handle((void *)handle)))
 		goto error;
-	ret.api_version = handle->api_version;
+
+    ret.api_version = handle->api_version;
 
-	funcname = handle->api_version == KADM5_API_VERSION_1 ?
-	    "kadm5_randkey_principal (V1)" : "kadm5_randkey_principal";
+    funcname = handle->api_version == KADM5_API_VERSION_1 ?
+	 "kadm5_randkey_principal (V1)" : "kadm5_randkey_principal";
 
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
 		goto error;
-	}
-	if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-		ret.code = KADM5_BAD_PRINCIPAL;
+    }
+    if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+	 ret.code = KADM5_BAD_PRINCIPAL;
 		goto error;
-	}	
+    }
 	if (!(name = get_clnt_name(rqstp))) {
 		ret.code = KADM5_FAILURE;
 		goto error;
 	}
 
-	if (cmp_gss_krb5_name(handle, name, arg->princ)) {
-		ret.code = randkey_principal_wrapper((void *) handle,
-		    arg->princ, &k, &nkeys);
-	} else if (!(CHANGEPW_SERVICE(rqstp)) &&
-		acl_check(handle->context, name,
-			ACL_CHANGEPW, arg->princ, NULL)) {
-		ret.code = kadm5_randkey_principal((void *) handle, arg->princ,
-		    &k, &nkeys);
-	} else {
+    if (cmp_gss_krb5_name(handle, name, arg->princ)) {
+	 ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
+						FALSE, 0, NULL, &k, &nkeys);
+    } else if (!(CHANGEPW_SERVICE(rqstp)) &&
+	       kadm5int_acl_check(handle->context, name,
+			 ACL_CHANGEPW, arg->princ, NULL)) {
+	 ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
+					    &k, &nkeys);
+    } else {
 		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
 				    funcname, prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
-		    prime_arg, client_name, service_name,
-		    client_addr(rqstp, buf));
-		ret.code = KADM5_AUTH_CHANGEPW;
-	}
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+		prime_arg, client_name, service_name,
+		client_addr(rqstp, buf));
+	 ret.code = KADM5_AUTH_CHANGEPW;
+    }
 
-	if (ret.code == KADM5_OK) {
-		if (handle->api_version == KADM5_API_VERSION_1) {
-			krb5_copy_keyblock_contents(handle->context,
-							k, &ret.key);
-			krb5_free_keyblock(handle->context, k);
-		} else {
-			ret.keys = k;
-			ret.n_keys = nkeys;
-		}
-	}
-	if (ret.code != KADM5_AUTH_CHANGEPW) {
+    if(ret.code == KADM5_OK) {
+	 if (handle->api_version == KADM5_API_VERSION_1) {
+	      krb5_copy_keyblock_contents(handle->context, k, &ret.key);
+	      krb5_free_keyblock(handle->context, k);
+	 } else {
+	      ret.keys = k;
+	      ret.n_keys = nkeys;
+	 }
+    }
+
+    if(ret.code != KADM5_AUTH_CHANGEPW) {
 		audit_kadmind_auth(rqstp->rq_xprt, l_port,
 				funcname, prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
-		    prime_arg, ((ret.code == 0) ? "success" :
-			error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
+	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+	       prime_arg, ((ret.code == 0) ? "success" :
+			   error_message(ret.code)), 
+	       client_name, service_name, client_addr(rqstp, buf));
+     }
 
 error:
 	if (name)
 		gss_release_name(&min_stat, &name);
 	free_server_handle(handle);
 	if (prime_arg)
-		free(prime_arg);
-	if (client_name)
-		free(client_name);
-	if (service_name)
-		free(service_name);
-	return (&ret);
+    	free(prime_arg);
+    if (client_name)
+    	free(client_name);
+    if (service_name)
+    	free(service_name);
+    return &ret;
 }
 
 chrand_ret *
-chrand_principal3_1(chrand3_arg *arg, struct svc_req *rqstp)
+chrand_principal3_1_svc(chrand3_arg *arg, struct svc_req *rqstp)
 {
     static chrand_ret		ret;
     krb5_keyblock		*k;
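Review bot: The V1 branch of chrand_principal_1_svc discards the return value of krb5_copy_keyblock_contents(), so a failed copy still leaves ret.code at KADM5_OK and the reply carries whatever ret.key held. Capturing the result, `ret.code = krb5_copy_keyblock_contents(handle->context, k, &ret.key);`, lets the audit_kadmind_auth and LOG_DONE calls below record the failure instead of "success". In the other branch the static ret takes ownership of k, so the new key material appears to stay in process memory until the next call's xdr_free(); a short comment at `ret.keys = k;` saying who frees it would help.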
@@ -1473,10 +1477,10 @@
 
     xdr_free(xdr_chrand_ret, (char *) &ret);
 
-    if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
 	 return &ret;
 
-    if (ret.code = check_handle((void *)handle))
+    if ((ret.code = check_handle((void *)handle)))
 	goto error;
     ret.api_version = handle->api_version;
 
@@ -1488,7 +1492,7 @@
 	goto error;
     }
     if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
-	ret.code = KADM5_BAD_PRINCIPAL;
+	 ret.code = KADM5_BAD_PRINCIPAL;
 	goto error;
     }	
     if (!(name = get_clnt_name(rqstp))) {
@@ -1497,10 +1501,13 @@
     }
 
     if (cmp_gss_krb5_name(handle, name, arg->princ)) {
-	 ret.code = randkey_principal_wrapper((void *)handle,
-					      arg->princ, &k, &nkeys); 
+	 ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
+						arg->keepold,
+						arg->n_ks_tuple,
+						arg->ks_tuple,
+						&k, &nkeys);
     } else if (!(CHANGEPW_SERVICE(rqstp)) &&
-	       acl_check(handle->context, name,
+	       kadm5int_acl_check(handle->context, name,
 			 ACL_CHANGEPW, arg->princ, NULL)) {
 	 ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ,
 					      arg->keepold,
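Review bot: The self-service branch now forwards the client-supplied arg->keepold, arg->n_ks_tuple and arg->ks_tuple to randkey_principal_wrapper_3() without an ACL check, where the old wrapper call took none of them. Whether the wrapper limits the key/salt types a principal may request for its own key is not visible in this hunk; if it does not, that check belongs before this call. At minimum a comment such as `/* self-service: keepold/ks_tuple are caller-chosen; the wrapper must enforce policy */` would document the trust decision. chrand_principal3_1_svc starts and ends outside the hunk.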
@@ -1509,8 +1516,8 @@
 					      &k, &nkeys);
     } else {
 	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
-			  prime_arg, client_name, service_name,
-			  client_addr(rqstp, buf));
+		prime_arg, client_name, service_name,
+		client_addr(rqstp, buf));
 	 ret.code = KADM5_AUTH_CHANGEPW;
     }
 
@@ -1526,10 +1533,10 @@
 
     if(ret.code != KADM5_AUTH_CHANGEPW) {
 	krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
-			 prime_arg, ((ret.code == 0) ? "success" :
+	       prime_arg, ((ret.code == 0) ? "success" :
 			   error_message(ret.code)), 
-			 client_name, service_name,
-			 client_addr(rqstp, buf));
+	       client_name, service_name,
+	       client_addr(rqstp, buf));
     }
 
 error:
@@ -1545,125 +1552,190 @@
     return (&ret);
 }
 
-
 generic_ret *
-create_policy_1(cpol_arg * arg, struct svc_req * rqstp)
+create_policy_1_svc(cpol_arg *arg, struct svc_req *rqstp)
 {
-	static generic_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
+    static generic_ret		    ret;
+    char			    *prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32			    min_stat;    
+    kadm5_server_handle_t	    handle;
+    gss_name_t name = NULL;
 
-	xdr_free(xdr_generic_ret, (char *) &ret);
+    xdr_free(xdr_generic_ret, (char *) &ret);
 
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
 
-	if (ret.code = check_handle((void *) handle))
+    if ((ret.code = check_handle((void *)handle)))
 		goto error;
-	ret.api_version = handle->api_version;
+
+    ret.api_version = handle->api_version;
 
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
 		goto error;
-	}
-	prime_arg = arg->rec.policy;
+    }
+    prime_arg = arg->rec.policy;
 
 	if (!(name = get_clnt_name(rqstp))) {
 		ret.code = KADM5_FAILURE;
 		goto error;
 	}
 
-	if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
-						name,
-						ACL_ADD, NULL, NULL)) {
-		ret.code = KADM5_AUTH_ADD;
+    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+					      name,
+					      ACL_ADD, NULL, NULL)) {
+	 ret.code = KADM5_AUTH_ADD;
 
 		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
 				    "kadm5_create_policy",
 				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
-		    prime_arg, client_name,
-		    service_name, client_addr(rqstp, buf));
-
-	} else {
-		ret.code = kadm5_create_policy((void *) handle, &arg->rec,
-		    arg->mask);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
+		prime_arg, client_name,
+		service_name, client_addr(rqstp, buf));
+	 
+    } else {
+	 ret.code = kadm5_create_policy((void *)handle, &arg->rec,
+					     arg->mask);
 
 		audit_kadmind_auth(rqstp->rq_xprt, l_port,
 				"kadm5_create_policy",
 				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
-		    ((prime_arg == NULL) ? "(null)" : prime_arg),
-		    ((ret.code == 0) ? "success" : error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
+		((prime_arg == NULL) ? "(null)" : prime_arg),
+		((ret.code == 0) ? "success" : error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
+    }
 
 error:
 	if (name)
 		gss_release_name(&min_stat, &name);
-	free_server_handle(handle);
-	if (client_name)
-		free(client_name);
-	if (service_name)
-		free(service_name);
-	return (&ret);
+    free_server_handle(handle);
+    if (client_name)
+    	free(client_name);
+    if (service_name)
+    	free(service_name);
+    return &ret;
 }
 
 generic_ret *
-delete_policy_1(dpol_arg * arg, struct svc_req * rqstp)
+delete_policy_1_svc(dpol_arg *arg, struct svc_req *rqstp)
 {
-	static generic_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
+    static generic_ret		    ret;
+    char			    *prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32			    min_stat;
+    kadm5_server_handle_t	    handle;
+    gss_name_t name = NULL;
 
-	xdr_free(xdr_generic_ret, (char *) &ret);
+    xdr_free(xdr_generic_ret, (char *) &ret);
 
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
 
-	if (ret.code = check_handle((void *) handle))
+    if ((ret.code = check_handle((void *)handle)))
 		goto error;
-	ret.api_version = handle->api_version;
+    ret.api_version = handle->api_version;
 
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
 		goto error;
-	}
-	prime_arg = arg->name;
-
+    }
+    prime_arg = arg->name;
+    
 	if (!(name = get_clnt_name(rqstp))) {
 		ret.code = KADM5_FAILURE;
 		goto error;
 	}
 
-	if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
 						name,
-						ACL_DELETE, NULL, NULL)) {
+					      ACL_DELETE, NULL, NULL)) {
 
 		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
 				    "kadm5_delete_policy",
 				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
-		    prime_arg, client_name, service_name,
-		    client_addr(rqstp, buf));
-		ret.code = KADM5_AUTH_DELETE;
-	} else {
-		ret.code = kadm5_delete_policy((void *) handle, arg->name);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
+		prime_arg, client_name, service_name,
+		client_addr(rqstp, buf));
+	 ret.code = KADM5_AUTH_DELETE;
+    } else {
+	 ret.code = kadm5_delete_policy((void *)handle, arg->name);
 
 		audit_kadmind_auth(rqstp->rq_xprt, l_port,
 				"kadm5_delete_policy",
 				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
-		    ((prime_arg == NULL) ? "(null)" : prime_arg),
-		    ((ret.code == 0) ? "success" : error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
+		((prime_arg == NULL) ? "(null)" : prime_arg),
+		((ret.code == 0) ? "success" : error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
+    }
+
+error:
+	if (name)
+		gss_release_name(&min_stat, &name);
+    free_server_handle(handle);
+    if (client_name)
+    free(client_name);
+    if (service_name)
+    free(service_name);
+    return &ret;
+}
+
+generic_ret *
+modify_policy_1_svc(mpol_arg *arg, struct svc_req *rqstp)
+{
+    static generic_ret		    ret;
+    char			    *prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32 min_stat;
+    kadm5_server_handle_t	    handle;
+    gss_name_t name = NULL;
+
+    xdr_free(xdr_generic_ret, (char *) &ret);
+
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
+
+    if ((ret.code = check_handle((void *)handle)))
+		goto error;
+    ret.api_version = handle->api_version;
+
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
+		goto error;
+    }
+    prime_arg = arg->rec.policy;
+
+    if (!(name = get_clnt_name(rqstp))) {
+	 ret.code = KADM5_FAILURE;
+		goto error;
+    }
+
+    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+						name,
+					      ACL_MODIFY, NULL, NULL)) {
+
+		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
+				    "kadm5_modify_policy",
+				    prime_arg, client_name);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
+		prime_arg, client_name,
+		service_name, client_addr(rqstp, buf));
+	 ret.code = KADM5_AUTH_MODIFY;
+    } else {
+	 ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
+					     arg->mask);
+
+		audit_kadmind_auth(rqstp->rq_xprt, l_port,
+				"kadm5_modify_policy",
+				prime_arg, client_name, ret.code);
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
+		((prime_arg == NULL) ? "(null)" : prime_arg),	    
+		((ret.code == 0) ? "success" : error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
+   }
 
 error:
 	if (name)
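Review bot: In create_policy_1_svc, delete_policy_1_svc and modify_policy_1_svc the unauthorized branch passes prime_arg to audit_kadmind_unauth() and krb5_klog_syslog(LOG_UNAUTH, ...) unguarded, while the LOG_DONE call in the same functions substitutes "(null)" when it is NULL. prime_arg is the policy name taken from the RPC argument before authorization, so if the decoder can leave it NULL, the denied-request path is the one that formats a NULL string. Using the same guard there, `((prime_arg == NULL) ? "(null)" : prime_arg)`, makes both paths consistent; the unauthorized branch of get_policy_1_svc in a later hunk has the same shape. The cleanup in delete_policy_1_svc also puts `free(client_name);` at the same indent as its `if`, which reads as unconditional.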
@@ -1676,102 +1748,38 @@
 	return (&ret);
 }
 
-generic_ret *
-modify_policy_1(mpol_arg * arg, struct svc_req * rqstp)
+gpol_ret * 
+get_policy_1_svc(gpol_arg *arg, struct svc_req *rqstp)
 {
-	static generic_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
-
-	xdr_free(xdr_generic_ret, (char *) &ret);
-
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
-
-	if (ret.code = check_handle((void *) handle))
-		goto error;
-	ret.api_version = handle->api_version;
+    static gpol_ret		ret;
+    kadm5_ret_t		ret2;
+    char *prime_arg = NULL, *funcname;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32 min_stat;
+    kadm5_policy_ent_t	e;
+    kadm5_principal_ent_rec	caller_ent;
+    krb5_principal caller;
+    kadm5_server_handle_t	handle;
+  gss_name_t name = NULL;
 
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-	prime_arg = arg->rec.policy;
-
-	if (!(name = get_clnt_name(rqstp))) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-
-	if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
-						name,
-						ACL_MODIFY, NULL, NULL)) {
-
-		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
-				    "kadm5_modify_policy",
-				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
-		    prime_arg, client_name,
-		    service_name, client_addr(rqstp, buf));
-		ret.code = KADM5_AUTH_MODIFY;
-	} else {
-		ret.code = kadm5_modify_policy((void *) handle, &arg->rec,
-		    arg->mask);
+    xdr_free(xdr_gpol_ret, (char *) &ret);
 
-		audit_kadmind_auth(rqstp->rq_xprt, l_port,
-				"kadm5_modify_policy",
-				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
-		    ((prime_arg == NULL) ? "(null)" : prime_arg),
-		    ((ret.code == 0) ? "success" : error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
 
-error:
-	if (name)
-		gss_release_name(&min_stat, &name);
-	free_server_handle(handle);
-	if (client_name)
-		free(client_name);
-	if (service_name)
-		free(service_name);
-	return (&ret);
-}
+    if ((ret.code = check_handle((void *) handle)))
+		goto error;
+
+    ret.api_version = handle->api_version;
 
-gpol_ret *
-get_policy_1(gpol_arg * arg, struct svc_req * rqstp)
-{
-	static gpol_ret ret;
-	kadm5_ret_t ret2;
-	char *prime_arg = NULL, *funcname;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_policy_ent_t e;
-	kadm5_principal_ent_rec caller_ent;
-	krb5_principal caller;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
-
-	xdr_free(xdr_gpol_ret, (char *) &ret);
+    funcname = handle->api_version == KADM5_API_VERSION_1 ?
+	 "kadm5_get_policy (V1)" : "kadm5_get_policy";
 
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
-
-	if (ret.code = check_handle((void *) handle))
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
 		goto error;
-	ret.api_version = handle->api_version;
-
-	funcname = handle->api_version == KADM5_API_VERSION_1 ?
-	    "kadm5_get_policy (V1)" : "kadm5_get_policy";
-
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-	prime_arg = arg->name;
+    }
+    prime_arg = arg->name;
 	ret.code = KADM5_AUTH_GET;
 
 	if (!(name = get_clnt_name(rqstp))) {
@@ -1779,7 +1787,7 @@
 		goto error;
 	}
 
-	if (!CHANGEPW_SERVICE(rqstp) && acl_check(handle->context,
+    if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context,
 						name,
 						ACL_INQUIRE, NULL, NULL))
 		ret.code = KADM5_OK;
@@ -1791,42 +1799,39 @@
 		if (ret.code == KADM5_OK) {
 			if (caller_ent.aux_attributes & KADM5_POLICY &&
 			    strcmp(caller_ent.policy, arg->name) == 0) {
-				ret.code = KADM5_OK;
-			} else
-				ret.code = KADM5_AUTH_GET;
-			ret2 = kadm5_free_principal_ent(handle->lhandle,
-			    &caller_ent);
-			ret.code = ret.code ? ret.code : ret2;
-		}
-	}
-
-	if (ret.code == KADM5_OK) {
-		if (handle->api_version == KADM5_API_VERSION_1) {
-			ret.code = kadm5_get_policy_v1((void *) handle,
-							arg->name, &e);
-			if (ret.code == KADM5_OK) {
-				memcpy(&ret.rec, e,
-					sizeof (kadm5_policy_ent_rec));
-				free(e);
-			}
-		} else {
-			ret.code = kadm5_get_policy((void *) handle, arg->name,
-			    &ret.rec);
-		}
-
+		   ret.code = KADM5_OK;
+	      } else ret.code = KADM5_AUTH_GET;
+	      ret2 = kadm5_free_principal_ent(handle->lhandle,
+					      &caller_ent);
+	      ret.code = ret.code ? ret.code : ret2;
+	 }
+    }
+    
+    if (ret.code == KADM5_OK) {
+	 if (handle->api_version == KADM5_API_VERSION_1) {
+	      ret.code  = kadm5_get_policy_v1((void *)handle, arg->name, &e);
+	      if(ret.code == KADM5_OK) {
+		   memcpy(&ret.rec, e, sizeof(kadm5_policy_ent_rec));
+		   free(e);
+	      }
+	 } else {
+	      ret.code = kadm5_get_policy((void *)handle, arg->name,
+					  &ret.rec);
+	 }
+	 
 		audit_kadmind_auth(rqstp->rq_xprt, l_port,
 				funcname, prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
-		    ((prime_arg == NULL) ? "(null)" : prime_arg),
-		    ((ret.code == 0) ? "success" : error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+		((prime_arg == NULL) ? "(null)" : prime_arg),
+		((ret.code == 0) ? "success" : error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
 	} else {
 		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
 				    funcname, prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
-		    prime_arg, client_name,
-		    service_name, client_addr(rqstp, buf));
-	}
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+		prime_arg, client_name,
+		service_name, client_addr(rqstp, buf));
+    }
 
 error:
 	if (name)
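Review bot: `strcmp(caller_ent.policy, arg->name)` at the top of this hunk dereferences arg->name, yet the LOG_DONE call further down treats the same pointer (prime_arg, assigned from arg->name earlier in the function) as possibly NULL. If a NULL name can reach the self-lookup path, the comparison would fault before any authorization result is logged; adding `arg->name != NULL &&` to the condition falls through to KADM5_AUTH_GET instead. The V1 branch's `memcpy(&ret.rec, e, sizeof(kadm5_policy_ent_rec)); free(e);` is a shallow copy that hands e's pointers to ret, which deserves a one-line comment. get_policy_1_svc starts and ends outside the hunk.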
@@ -1841,61 +1846,62 @@
 }
 
 gpols_ret *
-get_pols_1(gpols_arg * arg, struct svc_req * rqstp)
+get_pols_1_svc(gpols_arg *arg, struct svc_req *rqstp)
 {
-	static gpols_ret ret;
-	char *prime_arg = NULL;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
+    static gpols_ret		    ret;
+    char			    *prime_arg = NULL;
+    char *client_name = NULL, *service_name = NULL;
+    OM_uint32 min_stat;
+    kadm5_server_handle_t handle;
+    gss_name_t name = NULL;
 
-	xdr_free(xdr_gpols_ret, (char *) &ret);
+    xdr_free(xdr_gpols_ret, (char *) &ret);
 
-	if (ret.code = new_server_handle(arg->api_version, rqstp, &handle))
-		return (&ret);
+    if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
+	 return &ret;
 
-	if (ret.code = check_handle((void *) handle))
+    if ((ret.code = check_handle((void *)handle)))
 		goto error;
-	ret.api_version = handle->api_version;
+
+    ret.api_version = handle->api_version;
 
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
-	prime_arg = arg->exp;
-	if (prime_arg == NULL)
-		prime_arg = "*";
+    if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	 ret.code = KADM5_FAILURE;
+	goto error;
+    }
+    prime_arg = arg->exp;
+    if (prime_arg == NULL)
+	 prime_arg = "*";
 
 	if (!(name = get_clnt_name(rqstp))) {
 		ret.code = KADM5_FAILURE;
 		goto error;
 	}
 
-	if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
-						name,
-						ACL_LIST, NULL, NULL)) {
-		ret.code = KADM5_AUTH_LIST;
+    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+					      name,
+					      ACL_LIST, NULL, NULL)) {
+	 ret.code = KADM5_AUTH_LIST;
 
 		audit_kadmind_unauth(rqstp->rq_xprt, l_port,
 				    "kadm5_get_policies",
 				    prime_arg, client_name);
-		krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
-		    prime_arg, client_name, service_name,
-		    client_addr(rqstp, buf));
-	} else {
-		ret.code = kadm5_get_policies((void *) handle,
+	 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
+		prime_arg, client_name, service_name,
+		client_addr(rqstp, buf));
+    } else {
+	 ret.code  = kadm5_get_policies((void *)handle,
 		    arg->exp, &ret.pols,
 		    &ret.count);
 
 		audit_kadmind_auth(rqstp->rq_xprt, l_port,
 				"kadm5_get_policies",
 				prime_arg, client_name, ret.code);
-		krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
-		    prime_arg,
-		    ((ret.code == 0) ? "success" : error_message(ret.code)),
-		    client_name, service_name, client_addr(rqstp, buf));
-	}
+	 krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
+		prime_arg,  
+		((ret.code == 0) ? "success" : error_message(ret.code)), 
+		client_name, service_name, client_addr(rqstp, buf));
+    }
 
 error:
 	if (name)
@@ -1908,28 +1914,28 @@
 	return (&ret);
 }
 
-getprivs_ret *
-get_privs_1(krb5_ui_4 * arg, struct svc_req * rqstp)
+getprivs_ret * get_privs_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
 {
-	static getprivs_ret ret;
-	char *client_name = NULL, *service_name = NULL;
-	OM_uint32 min_stat;
-	kadm5_server_handle_t handle;
-	gss_name_t name = NULL;
+     static getprivs_ret	    ret;
+     char *client_name = NULL, *service_name = NULL;
+     OM_uint32 min_stat;
+     kadm5_server_handle_t handle;
+     gss_name_t name = NULL;
 
-	xdr_free(xdr_getprivs_ret, (char *) &ret);
+     xdr_free(xdr_getprivs_ret, (char *) &ret);
 
-	if (ret.code = new_server_handle(*arg, rqstp, &handle))
-		return (&ret);
+     if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
+	  return &ret;
 
-	if (ret.code = check_handle((void *) handle))
+     if ((ret.code = check_handle((void *)handle)))
 		goto error;
-	ret.api_version = handle->api_version;
+
+     ret.api_version = handle->api_version;
 
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		goto error;
-	}
+     if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	  ret.code = KADM5_FAILURE;
+	  goto error;
+     }
 	if (!(name = get_clnt_name(rqstp))) {
 		ret.code = KADM5_FAILURE;
 		goto error;
@@ -1956,26 +1962,26 @@
 	return (&ret);
 }
 
-generic_ret *
-init_1(krb5_ui_4 * arg, struct svc_req * rqstp)
+generic_ret *init_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
 {
-	static generic_ret ret;
+     static generic_ret		ret;
 	char *client_name, *service_name;
 	kadm5_server_handle_t handle;
 
-	xdr_free(xdr_generic_ret, (char *) &ret);
+     xdr_free(xdr_generic_ret, (char *) &ret);
 
-	if (ret.code = new_server_handle(*arg, rqstp, &handle))
-		return (&ret);
-	if (!(ret.code = check_handle((void *) handle))) {
-		ret.api_version = handle->api_version;
-	}
-	free_server_handle(handle);
+     if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
+	  return &ret;
+     if (! (ret.code = check_handle((void *)handle))) {
+	 ret.api_version = handle->api_version;
+     }
 
-	if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
-		ret.code = KADM5_FAILURE;
-		return (&ret);
-	}
+     free_server_handle(handle);
+
+     if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+	  ret.code = KADM5_FAILURE;
+	  return &ret;
+     }
 
 	audit_kadmind_auth(rqstp->rq_xprt, l_port,
 			(ret.api_version == KADM5_API_VERSION_1 ?
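Review bot: ret is static and ret.api_version is assigned only when check_handle() succeeds, so after a failed check the audit and log label chosen by `ret.api_version == KADM5_API_VERSION_1` appears to reflect an earlier request rather than this one. A comment at the check, e.g. `/* on failure ret.api_version keeps its previous value; the label below may be stale */`, or clearing the field after xdr_free(), would keep the audit trail unambiguous. client_name and service_name are also declared without initialisers here, unlike the other stubs, which is safe only while every use follows a successful setup_gss_names(). init_1_svc continues outside the hunk.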
@@ -1983,8 +1989,9 @@
 			NULL, client_name, ret.code);
 	krb5_klog_syslog(LOG_NOTICE, LOG_DONE,
 	    (ret.api_version == KADM5_API_VERSION_1 ?
-		"kadm5_init (V1)" : "kadm5_init"),
-	    client_name, (ret.code == 0) ? "success" : error_message(ret.code),
+	     "kadm5_init (V1)" : "kadm5_init"),
+	    client_name,
+	    (ret.code == 0) ? "success" : error_message(ret.code),
 	    client_name, service_name, client_addr(rqstp, buf));
 	free(client_name);
 	free(service_name);
--- a/usr/src/cmd/krb5/kdestroy/kdestroy.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kdestroy/kdestroy.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -38,6 +38,9 @@
 #include <com_err.h>
 #include <string.h>
 #include <stdio.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
 #include <locale.h>
 #include <rpc/types.h>
 #include <rpc/rpcsys.h>
@@ -77,7 +80,7 @@
 #endif
 
 
-void usage()
+static void usage()
 {
 #define KRB_AVAIL_STRING(x) ((x)?gettext("available"):gettext("not available"))
 
@@ -240,7 +243,8 @@
 		exit(1);
 	    }
 	} else {
-	    if (code = krb5_cc_default(kcontext, &cache)) {
+	    code = krb5_cc_default(kcontext, &cache);
+	    if (code) {
 		com_err(progname, code, gettext("while getting default ccache"));
 		exit(1);
 	    }
--- a/usr/src/cmd/krb5/kinit/kinit.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/kinit/kinit.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -73,15 +73,17 @@
 
 #ifdef HAVE_PWD_H
 #include <pwd.h>
+static 
 char * get_name_from_os()
 {
     struct passwd *pw;
-    if (pw = getpwuid((int) getuid()))
+    if ((pw = getpwuid((int) getuid())))
 	return pw->pw_name;
     return 0;
 }
 #else /* HAVE_PWD_H */
 #ifdef _WIN32
+static
 char * get_name_from_os()
 {
     static char name[1024];
@@ -94,6 +96,7 @@
     }
 }
 #else /* _WIN32 */
+static
 char * get_name_from_os()
 {
     return 0;
@@ -101,8 +104,6 @@
 #endif /* _WIN32 */
 #endif /* HAVE_PWD_H */
 
-static char *progname;
-
 static char* progname_v5 = 0;
 #ifdef KRB5_KRB4_COMPAT
 static char* progname_v4 = 0;
@@ -123,7 +124,7 @@
 static int authed_k5 = 0;
 static int authed_k4 = 0;
 
-#define KRB4_BACKUP_DEFAULT_LIFE_SECS 10*60*60 /* 10 hours */
+#define KRB4_BACKUP_DEFAULT_LIFE_SECS 24*60*60 /* 1 day */
 #define	ROOT_UNAME	"root"
 
 typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type;
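Review bot: `KRB4_BACKUP_DEFAULT_LIFE_SECS` expands to the bare expression `24*60*60`, so a use next to division, modulo or a cast would group differently than intended. Writing it as `#define KRB4_BACKUP_DEFAULT_LIFE_SECS (24*60*60) /* 1 day */` removes that hazard. The change also raises what the name suggests is a fallback ticket lifetime from 10 hours to a day; that lengthens the validity window of credentials issued with it and is worth stating in the commit description.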
@@ -236,10 +237,11 @@
 /* Save the program name for the error messages */
 static char *progname;
 
-void
-usage(void)
+static void
+usage(progname)
 {
 #define USAGE_BREAK "\n\t"
+
 #ifdef GETOPT_LONG
 #define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
 #define USAGE_LONG_PROXIABLE   " | --proxiable | --noproxiable"
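Review bot: `usage(progname)` is an old-style definition with no declaration for its parameter, so progname is implicitly an int, while the call added in parse_options later in this diff passes a char *. On an LP64 build that truncates the pointer, and any `%s` use of progname in the body (outside this hunk) is then undefined. Declaring the type fixes it: either `usage(char *progname)` or a `char *progname;` line before the brace, as parse_options does. The parameter also shadows the file-scope `static char *progname` declared just above.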
@@ -260,7 +262,7 @@
 	    USAGE_BREAK_LONG
 	    "[-p | -P" USAGE_LONG_PROXIABLE "] "
 	    USAGE_BREAK_LONG
-	    "[-A" USAGE_LONG_ADDRESSES "] "
+	    "[-a | -A" USAGE_LONG_ADDRESSES "] "
 	    USAGE_BREAK
 	    "[-v] [-R] "
 	    "[-k [-t keytab_file]] "
@@ -283,13 +285,14 @@
 
 #ifdef KRB5_KRB4_COMPAT
 #define USAGE_OPT_FMT "%s%-50s%s\n"
+#define ULINE(indent, col1, col2) \
+fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
 #else
 #define USAGE_OPT_FMT "%s%s\n"
+#define ULINE(indent, col1, col2) \
+fprintf(stderr, USAGE_OPT_FMT, indent, col1)
 #endif
 
-#define ULINE(indent, col1, col2) \
-fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
-
     ULINE("    ", "options:", "valid with Kerberos:");
     fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5));
     fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4));
@@ -307,6 +310,7 @@
     ULINE("\t", gettext("-p proxiable"),                 OPTTYPE_KRB5);
     ULINE("\t", gettext("-P not proxiable"),             OPTTYPE_KRB5);
     ULINE("\t", gettext("-A do not include addresses"),  OPTTYPE_KRB5);
+    ULINE("\t", gettext("-a include addresses"),         OPTTYPE_KRB5);
     ULINE("\t", gettext("-v validate"),                  OPTTYPE_KRB5);
     ULINE("\t", gettext("-R renew"),                     OPTTYPE_BOTH);
     ULINE("\t", gettext("-k use keytab"),                OPTTYPE_BOTH);
@@ -318,11 +322,12 @@
     exit(2);
 }
 
-char *
-parse_options(argc, argv, opts)
+static char *
+parse_options(argc, argv, opts, progname)
     int argc;
     char **argv;
     struct k_opts* opts;
+    char *progname;
 {
     krb5_error_code code;
     int errflg = 0;
@@ -330,7 +335,7 @@
     int use_k5 = 0;
     int i;
 
-    while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:v"))
+    while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:v"))
 	   != -1) {
 	switch (i) {
 	case 'V':
@@ -516,7 +521,7 @@
     }
 
     if (errflg) {
-	usage();
+	usage(progname);
     }
 
     got_k5 = got_k5 && use_k5;
@@ -526,7 +531,7 @@
     return opts->principal_name;
 }
 
-int
+static int
 k5_begin(opts, k5, k4)
     struct k_opts* opts;
 struct k5_data* k5;
@@ -534,12 +539,12 @@
 {
     char* progname = progname_v5;
     krb5_error_code code = 0;
-    char* cp;
 
     if (!got_k5)
 	return 0;
 
-    if (code = krb5_init_context(&k5->ctx)) {
+    code = krb5_init_context(&k5->ctx);
+    if (code) {
 	com_err(progname, code, gettext("while initializing Kerberos 5 library"));
 	return 0;
     }
@@ -575,21 +580,25 @@
 	/* No principal name specified */
 	if (opts->action == INIT_KT) {
 	    /* Use the default host/service name */
-	    if (code = krb5_sname_to_principal(k5->ctx, NULL, NULL,
-					       KRB5_NT_SRV_HST, &k5->me)) {
-		com_err(progname, code, gettext(
-			"when creating default server principal name"));
-		return 0;
-	    }
+	  code = krb5_sname_to_principal(k5->ctx, NULL, NULL,
+					 KRB5_NT_SRV_HST, &k5->me);
+	  if (code) {
+	    com_err(progname, code, gettext(
+		    "when creating default server principal name"));
+	    return 0;
+	  }
 	} else {
-	/* Get default principal from cache if one exists */
-            if (code = krb5_cc_get_principal(k5->ctx, k5->cc, &k5->me)) {
-                char *name = get_name_from_os();
-                if (!name)
-                {
-                    fprintf(stderr, gettext("Unable to identify user\n"));
-                    return 0;
-                }
+	  /* Get default principal from cache if one exists */
+	  code = krb5_cc_get_principal(k5->ctx, k5->cc, 
+				       &k5->me);
+	  if (code)
+	    {
+	      char *name = get_name_from_os();
+	      if (!name)
+		{
+		  fprintf(stderr, gettext("Unable to identify user\n"));
+		  return 0;
+		}
                 /* use strcmp to ensure only "root" is matched */
                 if (strcmp(name, ROOT_UNAME) == 0)
                 {
@@ -599,21 +608,25 @@
 				"when creating default server principal name"));
                                 return 0;
                         }
-                } else if (code = krb5_parse_name(k5->ctx, name, &k5->me)) {
-			com_err(progname, code, gettext("when parsing name %s"), 
-				name);
-			return 0;
+                } else
+	      if ((code = krb5_parse_name(k5->ctx, name, 
+					  &k5->me)))
+		{
+		  com_err(progname, code, gettext("when parsing name %s"), 
+			  name);
+		  return 0;
 		}
-            }
-        } 
+	    }
+	}
     }
-    if (code = krb5_unparse_name(k5->ctx, k5->me, &k5->name)) {
+
+    code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
+    if (code) {
 	com_err(progname, code, gettext("when unparsing name"));
 	return 0;
     }
     opts->principal_name = k5->name;
 
-
 #ifdef KRB5_KRB4_COMPAT
     if (got_k4)
     {
@@ -630,7 +643,7 @@
     return 1;
 }
 
-void
+static void
 k5_end(k5)
     struct k5_data* k5;
 {
@@ -645,7 +658,7 @@
     memset(k5, 0, sizeof(*k5));
 }
 
-int
+static int
 k4_begin(opts, k4)
     struct k_opts* opts;
     struct k4_data* k4;
@@ -665,8 +678,9 @@
     if (opts->principal_name)
     {
 	/* Use specified name */
-	if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm, 
-				  opts->principal_name))
+        k_errno = kname_parse(k4->aname, k4->inst, k4->realm, 
+			      opts->principal_name);
+	if (k_errno)
 	{
 	    fprintf(stderr, "%s: %s\n", progname, 
 		    krb_get_err_text(k_errno));
@@ -682,8 +696,9 @@
 	    return 0;
 	} else {
 	    /* Get default principal from cache if one exists */
-	    if (k_errno = krb_get_tf_fullname(tkt_string(), k4->aname, 
-					      k4->inst, k4->realm))
+	    k_errno = krb_get_tf_fullname(tkt_string(), k4->aname, 
+					  k4->inst, k4->realm);
+	    if (k_errno)
 	    {
 		char *name = get_name_from_os();
 		if (!name)
@@ -691,8 +706,9 @@
 		    fprintf(stderr, "Unable to identify user\n");
 		    return 0;
 		}
-		if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
-					  name))
+		k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
+				      name);
+		if (k_errno)
 		{
 		    fprintf(stderr, "%s: %s\n", progname, 
 			    krb_get_err_text(k_errno));
@@ -733,7 +749,7 @@
     return 1;
 }
 
-void
+static void
 k4_end(k4)
     struct k4_data* k4;
 {
@@ -745,7 +761,7 @@
 static int got_password = 0;
 #endif /* KRB5_KRB4_COMPAT */
 
-krb5_error_code
+static krb5_error_code
 KRB5_CALLCONV
 kinit_prompter(
     krb5_context ctx,
@@ -771,11 +787,10 @@
 		got_password = 1;
 #endif
 	    }
-
     return rc;
 }
 
-int
+static int
 k5_kinit(opts, k5)
     struct k_opts* opts;
     struct k5_data* k5;
@@ -905,7 +920,6 @@
 	    goto cleanup;
 	}
 	krb5_get_init_creds_opt_set_address_list(&options, addresses);
-	krb5_free_addresses(k5->ctx, addresses);
     }
     if (opts->no_addresses)
 	krb5_get_init_creds_opt_set_address_list(&options, NULL);
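Review bot: With the `krb5_free_addresses(k5->ctx, addresses);` call removed, nothing visible in this hunk releases the list returned for `addresses` any more. Dropping the early free looks right, since the options structure presumably keeps the pointer until the get_init_creds call further down, but the list should then be released on the `cleanup:` path, which is outside the hunk. That needs `addresses` declared at function scope and initialised to NULL, plus `if (addresses) krb5_free_addresses(k5->ctx, addresses);` in cleanup. Where `addresses` is declared cannot be seen from here, so confirm its scope first.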
@@ -920,8 +934,6 @@
 	}
     }
 
-
-
     switch (opts->action) {
     case INIT_PW:
 	code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
@@ -982,13 +994,15 @@
 	opts->lifetime = my_creds.times.endtime - my_creds.times.authtime;
     }
 
-    if (code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me)) {
+    code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
+    if (code) {
 	com_err(progname, code, gettext("when initializing cache %s"),
 		opts->k5_cache_name?opts->k5_cache_name:"");
 	goto cleanup;
     }
 
-    if (code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds)) {
+    code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds);
+    if (code) {
 	com_err(progname, code, gettext("while storing credentials"));
 	goto cleanup;
     }
@@ -1012,7 +1026,7 @@
     return notix?0:1;
 }
 
-int
+static int
 k4_kinit(opts, k4, ctx)
     struct k_opts* opts;
     struct k4_data* k4;
@@ -1035,17 +1049,13 @@
     if (!k4->lifetime)
 	k4->lifetime = KRB4_BACKUP_DEFAULT_LIFE_SECS;
 
-    k4->lifetime /= (5 * 60);
-    if (k4->lifetime < 1)
-	k4->lifetime = 1;
-    if (k4->lifetime > 255)
-	k4->lifetime = 255;
+    k4->lifetime = krb_time_to_life(0, k4->lifetime);
 
     switch (opts->action)
     {
     case INIT_PW:
 	if (!got_password) {
-	    int pwsize = sizeof(stash_password);
+	    unsigned int pwsize = sizeof(stash_password);
 	    krb5_error_code code;
 	    char prompt[1024];
 
@@ -1074,7 +1084,7 @@
 	    fprintf(stderr, "%s: %s\n", progname, 
 		    krb_get_err_text(k_errno));
 	    if (authed_k5)
-		fprintf(stderr, gettext("Maybe your KDC does not support v4.  " 
+	        fprintf(stderr, gettext("Maybe your KDC does not support v4.  " 
 			"Try the -5 option next time.\n"));
 	    return 0;
 	}
@@ -1087,17 +1097,25 @@
 	fprintf(stderr, gettext("%s: renewal of krb4 tickets is not supported\n"),
 		progname);
 	return 0;
+#else
+    /* These cases are handled by the 524 code - this prevents the compiler 
+       warnings of not using all the enumerated types.
+    */ 
+    case INIT_KT:
+    case RENEW:
+    case VALIDATE:
+        return 0;
 #endif
     }
 #endif
     return 0;
 }
 
-char*
-getvprogname(v)
-    char *v;
+static char*
+getvprogname(v, progname)
+    char *v, *progname;
 {
-    int len = strlen(progname) + 2 + strlen(v) + 2;
+    unsigned int len = strlen(progname) + 2 + strlen(v) + 2;
     char *ret = malloc(len);
     if (ret)
 	sprintf(ret, "%s(v%s)", progname, v);
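Review bot: In getvprogname, `len` is stored in an `unsigned int` although `strlen()` returns `size_t`, and the buffer is then filled with an unbounded `sprintf`. The computed length does cover `"%s(v%s)"` plus the terminator, but `size_t len = ...;` together with `snprintf(ret, len, "%s(v%s)", progname, v);` keeps the bound next to the write, which matters because `progname` is derived from `argv[0]` (see the later hunk in main). The function continues past the end of the hunk.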
@@ -1108,7 +1126,7 @@
 
 #ifdef HAVE_KRB524
 /* Convert krb5 tickets to krb4. */
-int try_convert524(k5)
+static int try_convert524(k5)
     struct k5_data* k5;
 {
     char * progname = progname_v524;
@@ -1128,9 +1146,6 @@
       initialized.
     */
 
-    /* or do this directly with krb524_convert_creds_kdc */
-    krb524_init_ets(k5->ctx);
-
     if ((code = krb5_build_principal(k5->ctx,
 				     &kpcserver, 
 				     krb5_princ_realm(k5->ctx, k5->me)->length,
@@ -1217,10 +1232,10 @@
     (void) textdomain(TEXT_DOMAIN);
 
     progname = GET_PROGNAME(argv[0]);
-    progname_v5 = getvprogname("5");
+    progname_v5 = getvprogname("5", progname);
 #ifdef KRB5_KRB4_COMPAT
-    progname_v4 = getvprogname("4");
-    progname_v524 = getvprogname("524");
+    progname_v4 = getvprogname("4", progname);
+    progname_v524 = getvprogname("524", progname);
 #endif
 
     /* Ensure we can be driven from a pipe */
@@ -1246,7 +1261,7 @@
     memset(&k5, 0, sizeof(k5));
     memset(&k4, 0, sizeof(k4));
 
-    parse_options(argc, argv, &opts);
+    parse_options(argc, argv, &opts, progname);
 
     got_k5 = k5_begin(&opts, &k5, &k4);
     got_k4 = k4_begin(&opts, &k4);
@@ -1270,7 +1285,8 @@
     k5_end(&k5);
     k4_end(&k4);
 
-    if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4))
+    if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4) ||
+	(!got_k5 && !got_k4))
 	exit(1);
     return 0;
 }
--- a/usr/src/cmd/krb5/klist/klist.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/klist/klist.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -36,7 +36,6 @@
 #include <k5-int.h>
 #include "com_err.h"
 #include <krb5.h>
-
 #ifdef KRB5_KRB4_COMPAT
 #include <kerberosIV/krb.h>
 #endif /* KRB5_KRB4_COMPAT */
@@ -48,7 +47,9 @@
 #include <libintl.h>
 #include <locale.h>
 #include <netinet/in.h>
+#if defined(HAVE_ARPA_INET_H)
 #include <arpa/inet.h>
+#endif
 #include <inet/ip.h>
 #include <inet/ip6.h>
 
@@ -58,9 +59,10 @@
 #define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
 #endif /* _WIN32 */
 
+#ifndef _WIN32
 #include <sys/socket.h>
 #include <netdb.h>
-
+#endif
 
 extern int optind;
 
@@ -74,15 +76,13 @@
 krb5_context kcontext;
 
 char * etype_string (krb5_enctype );
-void show_credential (char *,
-				krb5_context,
-				krb5_creds *);
+void show_credential (krb5_creds *);
 	
 void do_ccache (char *);
 void do_keytab (char *);
 void printtime (time_t);
 void one_addr (krb5_address *);
-void fillit (FILE *, int, int);
+void fillit (FILE *, unsigned int, int);
 void show_addr(krb5_address *a);
 
 #ifdef KRB5_KRB4_COMPAT
@@ -109,7 +109,7 @@
 static int default_k4 = 0;
 #endif /* KRB5_KRB4_COMPAT */
 
-void usage()
+static void usage()
 {
 #define KRB_AVAIL_STRING(x) ((x)?gettext("available"):gettext("not available"))
 
@@ -140,7 +140,9 @@
 
 
 int
-main(int argc, char *argv[])
+main(argc, argv)
+    int argc;
+    char **argv;
 {
     int c;
     char *name;
@@ -260,7 +262,7 @@
 	if (!krb5_timestamp_to_sfstring(now, tmp, 20, (char *) NULL) ||
 	    !krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp), 
 					(char *) NULL))
-	    timestamp_width = strlen(tmp);
+	    timestamp_width = (int) strlen(tmp);
 	else
 	    timestamp_width = 15;
     }
@@ -321,42 +323,40 @@
      }
 
      if ((code = krb5_kt_get_name(kcontext, kt, buf, BUFSIZ))) {
-		com_err(progname, code,
+	  com_err(progname, code,
 			gettext("while getting keytab name"));
 	  exit(1);
      }
 
-	printf(gettext("Keytab name: %s\n"), buf);
+     printf(gettext("Keytab name: %s\n"), buf);
      
      if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor))) {
-		com_err(progname, code,
+	  com_err(progname, code,
 			gettext("while starting keytab scan"));
 	  exit(1);
      }
 
      if (show_time) {
-		printf(gettext("KVNO Timestamp"));
-		fillit(stdout, timestamp_width -
-		    sizeof (gettext("Timestamp")) + 2, (int)' ');
-		printf(gettext("Principal\n"));
-		printf("---- ");
+	  printf(gettext("KVNO Timestamp"));
+	  fillit(stdout, timestamp_width -
+	    sizeof (gettext("Timestamp")) + 2, (int)' ');
+	  printf(gettext("Principal\n"));
+	  printf("---- ");
 	  fillit(stdout, timestamp_width, (int) '-');
 	  printf(" ");
-		fillit(stdout, 78 - timestamp_width -
+	  fillit(stdout, 78 - timestamp_width -
 		    sizeof (gettext("KVNO")), (int)'-');
 	  printf("\n");
      } else {
-		printf(gettext("KVNO Principal\n"));
-		printf("---- ------------------------------"
+	  printf(gettext("KVNO Principal\n"));
+	  printf("---- ------------------------------"
 			    "--------------------------------------"
 			    "------\n");
      }
      
-	while ((code = krb5_kt_next_entry(kcontext, kt,
-					&entry, &cursor)) == 0) {
-		if (code = krb5_unparse_name(kcontext,
-					    entry.principal, &pname)) {
-			com_err(progname, code,
+     while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) {
+	  if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) {
+	       com_err(progname, code,
 				gettext("while unparsing principal name"));
 	       exit(1);
 	  }
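Review bot: `sizeof (gettext("Timestamp"))` and `sizeof (gettext("KVNO"))` on the re-indented `fillit` lines give the size of a `char *`, not the length of the label, so the column padding is wrong and does not follow the translated string. `fillit` now takes `unsigned int num` (prototype and definition hunks in this file), so a negative width no longer stays negative and instead wraps to a very large fill count. Use `strlen(gettext("Timestamp")) + 1` in place of the `sizeof` and skip the call when the result would be below zero. The same pattern appears with `"Valid starting"` in the ticket-cache hunk further down. The enclosing function starts and ends outside this hunk.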
@@ -443,7 +443,7 @@
 			gettext("while setting cache "
 				"flags(ticket cache %s:%s)"),
 			krb5_cc_get_type(kcontext, cache),
-                        krb5_cc_get_name(kcontext, cache));
+			krb5_cc_get_name(kcontext, cache));
 	}
 	exit(1);
     }
@@ -463,7 +463,7 @@
 		printf(gettext("Ticket cache: %s:%s\nDefault principal: "
 			    "%s\n\n"),
 	       krb5_cc_get_type(kcontext, cache),
-               krb5_cc_get_name(kcontext, cache), defname);
+	       krb5_cc_get_name(kcontext, cache), defname);
 		fputs(gettext("Valid starting"), stdout);
 		fillit(stdout, timestamp_width -
 		    sizeof (gettext("Valid starting")) + 3, (int)' ');
@@ -490,7 +490,7 @@
 		creds.times.endtime > now)
 		exit_status = 0;
 	} else {
-	    show_credential(progname, kcontext, &creds);
+	    show_credential(&creds);
 	}
 	krb5_free_cred_contents(kcontext, &creds);
     }
@@ -537,7 +537,7 @@
     return buf;
 }
 
-char *
+static char *
 flags_string(cred)
     register krb5_creds *cred;
 {
@@ -566,6 +566,12 @@
 	buf[i++] = 'H';
     if (cred->ticket_flags & TKT_FLG_PRE_AUTH)
 	buf[i++] = 'A';
+    if (cred->ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED)
+	buf[i++] = 'T';
+    if (cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)
+	buf[i++] = 'O';		/* D/d are taken.  Use short strings?  */
+    if (cred->ticket_flags & TKT_FLG_ANONYMOUS)
+	buf[i++] = 'a';
     buf[i] = '\0';
     return(buf);
 }
@@ -585,9 +591,7 @@
 }
 
 void
-show_credential(progname, kcontext, cred)
-    char 		* progname;
-    krb5_context  	  kcontext;
+show_credential(cred)
     register krb5_creds * cred;
 {
     krb5_error_code retval;
@@ -657,18 +661,22 @@
 
     if (show_etype) {
 	retval = decode_krb5_ticket(&cred->ticket, &tkt);
-	if (retval == 0) {
-	    if (!extra_field)
-		fputs("\t",stdout);
-	    else
-		fputs(", ",stdout);
-	    printf(gettext("Etype(skey, tkt): %s, "),
-		etype_string(cred->keyblock.enctype));
-	    printf("%s ",
-		etype_string(tkt->enc_part.enctype));
+	if (retval)
+	    goto err_tkt;
+
+	if (!extra_field)
+	    fputs("\t",stdout);
+	else
+	    fputs(", ",stdout);
+	printf(gettext("Etype(skey, tkt): %s, "),
+	       etype_string(cred->keyblock.enctype));
+	printf("%s ",
+	       etype_string(tkt->enc_part.enctype));
+	extra_field++;
+
+    err_tkt:
+	if (tkt != NULL)
 	    krb5_free_ticket(kcontext, tkt);
-	    extra_field++;
-	}
     }
 
     /* if any additional info was printed, extra_field is non-zero */
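Review bot: The new `err_tkt:` path calls `krb5_free_ticket(kcontext, tkt)` whenever `tkt != NULL`, including right after `decode_krb5_ticket()` has failed. It therefore relies on `tkt` being NULL on entry and on the decoder not leaving a stale pointer behind. The declaration of `tkt` is outside this hunk; if it has no initialiser, make it `krb5_ticket *tkt = NULL;` so the error path cannot free an indeterminate pointer. show_credential's body starts and ends outside the hunk.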
@@ -762,7 +770,7 @@
 void
 fillit(f, num, c)
     FILE		*f;
-    int			num;
+    unsigned int	num;
     int			c;
 {
     int i;
@@ -812,7 +820,8 @@
      */
 
     /* Open ticket file */
-    if (k_errno = tf_init(file, R_TKT_FIL)) {
+    k_errno = tf_init(file, R_TKT_FIL);
+    if (k_errno) {
 	fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
 	exit(1);
     }
@@ -832,7 +841,7 @@
     }
 
     /* Open ticket file */
-    if (k_errno = tf_init(file, R_TKT_FIL)) {
+    if ((k_errno = tf_init(file, R_TKT_FIL))) {
 	fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
 	exit(1);
     }
@@ -861,7 +870,7 @@
 	}
 	printtime(c.issue_date);
 	fputs("  ", stdout);
-	printtime(c.issue_date + ((unsigned char) c.lifetime) * 5 * 60);
+	printtime(krb_life_to_time(c.issue_date, c.lifetime));
 	printf("  %s%s%s%s%s\n",
 	       c.service, (c.instance[0] ? "." : ""), c.instance,
 	       (c.realm[0] ? "@" : ""), c.realm);
--- a/usr/src/cmd/krb5/krb5kdc/dispatch.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/dispatch.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -44,15 +44,16 @@
 #include <string.h>
 
 extern krb5_error_code setup_server_realm(krb5_principal);
+static krb5_int32 last_usec = 0, last_os_random = 0;
 
 krb5_error_code
-dispatch(krb5_data *pkt, const krb5_fulladdr *from, int portnum, 
-	krb5_data **response)
+dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response)
 {
 
     krb5_error_code retval;
     krb5_kdc_req *as_req;
-
+    krb5_int32 now, now_usec;
+    
     /* decode incoming packet, and dispatch */
 
 #ifndef NOCACHE
@@ -67,15 +68,37 @@
 	if (name == 0)
 	    name = "[unknown address type]";
 	krb5_klog_syslog(LOG_INFO,
-			 "DISPATCH: repeated (retransmitted?) request from %s port %d, resending previous response",
-			 name, portnum);
+			 "DISPATCH: repeated (retransmitted?) request from %s, resending previous response",
+			 name);
 	return 0;
     }
 #endif
+/* SUNW14resync XXX */
+#if 0
+    retval = krb5_crypto_us_timeofday(&now, &now_usec);
+    if (retval == 0) {
+      krb5_int32 usec_difference = now_usec-last_usec;
+      krb5_data data;
+      if(last_os_random == 0)
+	last_os_random = now;
+      /* Grab random data from OS every hour*/
+      if(now-last_os_random >= 60*60) {
+	krb5_c_random_os_entropy(kdc_context, 0, NULL);
+	last_os_random = now;
+      }
+      
+      data.length = sizeof(krb5_int32);
+      data.data = (void *) &usec_difference;
+      
+      krb5_c_random_add_entropy(kdc_context,
+				KRB5_C_RANDSOURCE_TIMING, &data);
+      last_usec = now_usec;
+    }
+#endif
     /* try TGS_REQ first; they are more common! */
 
     if (krb5_is_tgs_req(pkt)) {
-	retval = process_tgs_req(pkt, from, portnum, response);
+	retval = process_tgs_req(pkt, from, response);
     } else if (krb5_is_as_req(pkt)) {
 	if (!(retval = decode_krb5_as_req(pkt, &as_req))) {
 	    /*
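Review bot: The timing-entropy and hourly OS-entropy block is compiled out with `#if 0` under a bare `/* SUNW14resync XXX */`, so nothing records why the KDC's PRNG refresh is disabled or what seeds it instead. As a side effect the new `last_usec`/`last_os_random` statics and the `now`/`now_usec` locals (added in the previous hunk) are unused. Either remove the dead block and those variables, or replace the marker with a comment of the form `/* SUNW14resync: disabled because <reason>; PRNG is seeded by <mechanism> */`. dispatch's body continues outside the hunk.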
@@ -83,11 +106,15 @@
 	     * pointer.
 	     */
 	    if (!(retval = setup_server_realm(as_req->server))) {
-		retval = process_as_req(as_req, from, portnum, response);
+		retval = process_as_req(as_req, from, response);
 	    }
 	    krb5_free_kdc_req(kdc_context, as_req);
 	}
     }
+#ifdef KRB5_KRB4_COMPAT
+    else if (pkt->data[0] == 4)		/* old version */
+	retval = process_v4(pkt, from, response);
+#endif
     else
 	retval = KRB5KRB_AP_ERR_MSG_TYPE;
 #ifndef NOCACHE
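Review bot: The new krb4 branch reads `pkt->data[0]` without looking at `pkt->length`. If `krb5_is_tgs_req` and `krb5_is_as_req` reject an empty packet (their definitions are not visible here), a zero-length request falls through to this test and the byte examined is not part of the request. Making the length check explicit costs nothing: `else if (pkt->length > 0 && pkt->data[0] == 4)`. This only affects builds with KRB5_KRB4_COMPAT defined.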
--- a/usr/src/cmd/krb5/krb5kdc/do_as_req.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/do_as_req.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -34,6 +34,7 @@
  * KDC Routines to deal with AS_REQ's
  */
 
+#define NEED_SOCKETS
 #include "k5-int.h"
 #include "com_err.h"
 
@@ -52,20 +53,14 @@
 #include "adm_proto.h"
 #include "extern.h"
 
-static krb5_error_code prepare_error_as (krb5_kdc_req *,
-						   int,
-						   krb5_data *, 
-						   krb5_data **);
+static krb5_error_code prepare_error_as (krb5_kdc_req *, int, krb5_data *, 
+					 krb5_data **, const char *);
 
 /*ARGSUSED*/
 krb5_error_code
-process_as_req(request, from, portnum, response)
-register krb5_kdc_req *request;
-const krb5_fulladdr *from;		/* who sent it ? */
-int	portnum;
-krb5_data **response;			/* filled in with a response packet */
+process_as_req(krb5_kdc_req *request, const krb5_fulladdr *from,
+	       krb5_data **response)
 {
-
     krb5_db_entry client, server;
     krb5_kdc_rep reply;
     krb5_enc_kdc_rep_part reply_encpart;
@@ -87,22 +82,28 @@
     register int i;
     krb5_timestamp until, rtime;
     long long tmp_client_times, tmp_server_times, tmp_realm_times;
-    char *cname = 0, *sname = 0, *fromstring = 0;
+    char *cname = 0, *sname = 0;
+    const char *fromstring = 0;
+    char ktypestr[128];
+    char rep_etypestr[128];
+    char fromstringbuf[70];
     struct in_addr from_in4;	/* IPv4 address of sender */
 
     ticket_reply.enc_part.ciphertext.data = 0;
     e_data.data = 0;
+    (void) memset(&encrypting_key, 0, sizeof(krb5_keyblock));
     reply.padata = 0; /* avoid bogus free in error_out */
-    (void) memset(&encrypting_key, 0, sizeof(krb5_keyblock));
     (void) memset(&session_key, 0, sizeof(krb5_keyblock));
 
-#ifdef HAVE_NETINET_IN_H
-    if (from->address->addrtype == ADDRTYPE_INET) {
+    ktypes2str(ktypestr, sizeof(ktypestr),
+	       request->nktypes, request->ktype);
+
 	(void) memcpy(&from_in4, from->address->contents, /* SUNW */
 		    sizeof (struct in_addr));
-	fromstring = inet_ntoa(from_in4);
-    }
-#endif
+
+    fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype),
+			   &from_in4,
+			   fromstringbuf, sizeof(fromstringbuf));
     if (!fromstring)
 	fromstring = "<unknown>";
 
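Review bot: `inet_ntop()` is given `&from_in4`, a `struct in_addr`, while the address family comes from `ADDRTYPE2FAMILY(from->address->addrtype)`. If that macro can yield AF_INET6 (its definition is not in this hunk), the call reads 16 bytes from a 4-byte object and logs a wrong source address. The `memcpy` into `from_in4` also lost its `ADDRTYPE_INET` guard, so it now copies `sizeof (struct in_addr)` bytes whatever the address type or length is. process_tgs_req in this same commit passes the raw contents, and the same works here: `fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype), from->address->contents, fromstringbuf, sizeof(fromstringbuf));`. `from_in4` should then be zeroed and filled only when `addrtype == ADDRTYPE_INET`, since the audit calls still use it. process_as_req's body continues outside the hunk.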
@@ -190,7 +191,7 @@
     }
 
     if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
-					    &session_key))) {
+					  &session_key))) {
 	/* random key failed */
 	status = "RANDOM_KEY_FAILED";
 	goto errout;
@@ -240,8 +241,8 @@
 
     tmp_realm_times = (long long) enc_tkt_reply.times.starttime + max_life_for_realm;
 
-   enc_tkt_reply.times.endtime =
-  	  min(until,
+    enc_tkt_reply.times.endtime =
+	min(until,
 	    min(tmp_client_times,
 		min(tmp_server_times,
 			min(tmp_realm_times,KRB5_KDB_EXPIRATION))));
@@ -270,9 +271,9 @@
     	tmp_realm_times = (double) enc_tkt_reply.times.starttime + max_renewable_life_for_realm;
 	
 	enc_tkt_reply.times.renew_till =
-		min(rtime, min(tmp_client_times,
-				min(tmp_server_times,
-					min(tmp_realm_times,KRB5_KDB_EXPIRATION))));
+	    min(rtime, min(tmp_client_times,
+		       min(tmp_server_times,
+			   min(tmp_realm_times,KRB5_KDB_EXPIRATION))));
     } else
 	enc_tkt_reply.times.renew_till = 0; /* XXX */
 
@@ -347,9 +348,6 @@
 	status = "DECRYPT_SERVER_KEY";
 	goto errout;
     }
-    if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
-	(isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
-	encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
 	
     errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
     krb5_free_keyblock_contents(kdc_context, &encrypting_key);
@@ -439,11 +437,20 @@
     memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
     free(reply.enc_part.ciphertext.data);
 
-    audit_krb5kdc_as_req(&from_in4, (in_port_t)from->port, (in_port_t)portnum, 
+    /* SUNW14resync:
+     * The third argument to audit_krb5kdc_as_req() is zero as the local
+     * portnumber is no longer passed to process_as_req().
+     */ 
+    audit_krb5kdc_as_req(&from_in4, (in_port_t)from->port, 0, 
                         cname, sname, 0);  
-
-    krb5_klog_syslog(LOG_INFO, "AS_REQ %s(%d): ISSUE: authtime %d, %s for %s",
-	             fromstring, portnum, authtime, cname, sname);
+    rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
+    krb5_klog_syslog(LOG_INFO,
+		     "AS_REQ (%s) %s: ISSUE: authtime %d, "
+		     "%s, %s for %s",
+		     ktypestr,
+	             fromstring, authtime,
+		     rep_etypestr,
+		     cname, sname);
 
 #ifdef	KRBCONF_KDC_MODIFIES_KDB
     /*
@@ -457,24 +464,28 @@
 errout:
     if (status) {
 	    audit_krb5kdc_as_req(&from_in4, (in_port_t)from->port,
-				(in_port_t)portnum, cname, sname, errcode);
-	    krb5_klog_syslog(LOG_INFO, "AS_REQ %s(%d): %s: %s for %s%s%s",
-	       fromstring, portnum, status,
+				0, cname, sname, errcode);
+        krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s",
+			 ktypestr,
+	       fromstring, status, 
 	       cname ? cname : "<unknown client>",
 	       sname ? sname : "<unknown server>",
 	       errcode ? ", " : "",
 	       errcode ? error_message(errcode) : "");
     }
     if (errcode) {
+	if (status == 0)
+	    status = error_message (errcode);
 	errcode -= ERROR_TABLE_BASE_krb5;
 	if (errcode < 0 || errcode > 128)
 	    errcode = KRB_ERR_GENERIC;
 	    
-	errcode = prepare_error_as(request, errcode, &e_data, response);
+	errcode = prepare_error_as(request, errcode, &e_data, response,
+				   status);
     }
 
-    krb5_free_keyblock_contents(kdc_context, &encrypting_key);
-
+    if (encrypting_key.contents)
+	krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (reply.padata)
 	krb5_free_pa_data(kdc_context, reply.padata);
 
@@ -495,7 +506,7 @@
 				 kdc_active_realm->realm_dbname);
 	    krb5_db_init(kdc_context);
 	    /* Reset master key */
-	    krb5_db_set_mkey(kdc_context, &kdc_active_realm->realm_encblock);
+	    krb5_db_set_mkey(kdc_context, &kdc_active_realm->realm_mkey);
 	}
 #endif	/* KRBCONF_KDC_MODIFIES_KDB */
 	krb5_db_free_principal(kdc_context, &client, c_nprincs);
@@ -516,11 +527,8 @@
 }
 
 static krb5_error_code
-prepare_error_as (request, error, e_data, response)
-register krb5_kdc_req *request;
-int error;
-krb5_data *e_data;
-krb5_data **response;
+prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data,
+		  krb5_data **response, const char *status)
 {
     krb5_error errpkt;
     krb5_error_code retval;
@@ -535,10 +543,10 @@
     errpkt.error = error;
     errpkt.server = request->server;
     errpkt.client = request->client;
-    errpkt.text.length = strlen(error_message(error+KRB5KDC_ERR_NONE))+1;
+    errpkt.text.length = strlen(status)+1;
     if (!(errpkt.text.data = malloc(errpkt.text.length)))
 	return ENOMEM;
-    (void) strcpy(errpkt.text.data, error_message(error+KRB5KDC_ERR_NONE));
+    (void) strcpy(errpkt.text.data, status);
 
     if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
 	free(errpkt.text.data);
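Review bot: `strlen(status)` and `strcpy(errpkt.text.data, status)` dereference the new `status` parameter with no NULL check. The one caller visible in this file substitutes `error_message(errcode)` when `status` is 0, so it is safe today, but the function should not depend on that: add `if (status == NULL) status = "";` before the length is taken, or document the requirement on the prototype. Also note that this text becomes the error packet's text field, so the internal status tokens used for logging (for example `"DECRYPT_SERVER_KEY"`) are now presumably returned to the requester; confirm none of them reveals more than the error code already does. prepare_error_as starts before and ends after this hunk.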
--- a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -8,7 +8,7 @@
 /*
  * kdc/do_tgs_req.c
  *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2001 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -34,6 +34,7 @@
  * KDC Routines to deal with TGS_REQ's
  */
 
+#define NEED_SOCKETS
 #include "k5-int.h"
 #include "com_err.h"
 
@@ -53,27 +54,18 @@
 
 extern krb5_error_code setup_server_realm(krb5_principal);
 
-static void find_alternate_tgs (krb5_kdc_req *,
-					  krb5_db_entry *,
-					  krb5_boolean *,
-					  int *,
-					  const krb5_fulladdr *,
-					  int,
-					  char *);
+static void find_alternate_tgs (krb5_kdc_req *, krb5_db_entry *,
+				krb5_boolean *, int *,
+		   		const krb5_fulladdr *from, char *cname);
 
-static krb5_error_code prepare_error_tgs (krb5_kdc_req *,
-						    krb5_ticket *,
-						    int,
-						    const char *,
-						    krb5_data **);
+static krb5_error_code prepare_error_tgs (krb5_kdc_req *, krb5_ticket *,
+					  int, const char *, krb5_data **,
+					  const char *);
 
 /*ARGSUSED*/
 krb5_error_code
-process_tgs_req(pkt, from, portnum, response)
-krb5_data *pkt;
-const krb5_fulladdr *from;		/* who sent it ? */
-int	portnum;
-krb5_data **response;			/* filled in with a response packet */
+process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
+		krb5_data **response)
 {
     krb5_keyblock * subkey;
     krb5_kdc_req *request = 0;
@@ -93,7 +85,8 @@
     krb5_timestamp until, rtime;
     krb5_keyblock encrypting_key;
     krb5_key_data  *server_key;
-    char *cname = 0, *sname = 0, *tmp = 0, *fromstring = 0;
+    char *cname = 0, *sname = 0, *tmp = 0;
+    const char *fromstring = 0;
     krb5_last_req_entry *nolrarray[2], nolrentry;
 /*    krb5_address *noaddrarray[1]; */
     krb5_enctype useenctype;
@@ -101,6 +94,9 @@
     register int i;
     int firstpass = 1;
     const char	*status = 0;
+    char ktypestr[128];
+    char rep_etypestr[128];
+    char fromstringbuf[70];
     long long tmp_server_times, tmp_realm_times;
 
     (void) memset(&encrypting_key, 0, sizeof(krb5_keyblock));
@@ -110,17 +106,17 @@
     if (retval)
 	return retval;
 
+    ktypes2str(ktypestr, sizeof(ktypestr),
+	       request->nktypes, request->ktype);
     /*
      * setup_server_realm() sets up the global realm-specific data pointer.
      */
     if ((retval = setup_server_realm(request->server)))
 	return retval;
 
-#ifdef HAVE_NETINET_IN_H
-    if (from->address->addrtype == ADDRTYPE_INET)
-	fromstring =
-	    (char *) inet_ntoa(*(struct in_addr *)from->address->contents);
-#endif
+    fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype),
+			   from->address->contents,
+			   fromstringbuf, sizeof(fromstringbuf));
     if (!fromstring)
 	fromstring = "<unknown>";
 
@@ -172,7 +168,6 @@
 	nprincs = 0;
 	goto cleanup;
     }
-
 tgt_again:
     if (more) {
 	status = "NON_UNIQUE_PRINCIPAL";
@@ -190,11 +185,11 @@
 		krb5_data *tgs_1 =
 		    krb5_princ_component(kdc_context, tgs_server, 1);
 
-	        if (server_1->length != tgs_1->length ||
+		if (!tgs_1 || server_1->length != tgs_1->length ||
 		    memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
 		    krb5_db_free_principal(kdc_context, &server, nprincs);
 		    find_alternate_tgs(request, &server, &more, &nprincs,
-				     from, portnum, cname); /* SUNW */
+				      from, cname);
 		    firstpass = 0;
 		    goto tgt_again;
 		}
@@ -402,7 +397,7 @@
 	    request->rtime =
 		min(request->till,
 		    min(KRB5_KDB_EXPIRATION,
-			header_ticket->enc_part2->times.renew_till));
+		    header_ticket->enc_part2->times.renew_till));
 	}
     }
     rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
@@ -523,6 +518,36 @@
 	}
 	newtransited = 1;
     }
+    if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+	errcode = krb5_check_transited_list (kdc_context,
+					     &enc_tkt_reply.transited.tr_contents,
+					     krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+					     krb5_princ_realm (kdc_context, request->server));
+	if (errcode == 0) {
+	    setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+	} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+	    krb5_klog_syslog (LOG_INFO,
+			      "bad realm transit path from '%s' to '%s' via '%.*s'",
+			      cname ? cname : "<unknown client>",
+			      sname ? sname : "<unknown server>",
+			      enc_tkt_reply.transited.tr_contents.length,
+			      enc_tkt_reply.transited.tr_contents.data);
+	else
+	    krb5_klog_syslog (LOG_ERR,
+			      "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+			      cname ? cname : "<unknown client>",
+			      sname ? sname : "<unknown server>",
+			      enc_tkt_reply.transited.tr_contents.length,
+			      enc_tkt_reply.transited.tr_contents.data,
+			      error_message (errcode));
+    } else
+	krb5_klog_syslog (LOG_INFO, "not checking transit path");
+    if (reject_bad_transit
+	&& !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
+	errcode = KRB5KDC_ERR_POLICY;
+	status = "BAD_TRANSIT";
+	goto cleanup;
+    }
 
     ticket_reply.enc_part2 = &enc_tkt_reply;
 
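Review bot: The `"not checking transit path"` message names no client, server or source address, so a request that sets `KDC_OPT_DISABLE_TRANSITED_CHECK` cannot be tied to a principal from the log alone. Log it like the two messages above it: `krb5_klog_syslog (LOG_INFO, "not checking transit path from '%s' to '%s'", cname ? cname : "<unknown client>", sname ? sname : "<unknown server>");`. In those two messages the `%.*s` precision is passed as `enc_tkt_reply.transited.tr_contents.length`, which is presumably unsigned; cast it to `(int)`, since the precision argument must be an `int`. The transited field comes from the request path, so confirm that `krb5_klog_syslog` escapes non-printable bytes before they reach syslog.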
@@ -537,31 +562,30 @@
 	 * Make sure the client for the second ticket matches
 	 * requested server.
 	 */
-	if (!krb5_principal_compare(kdc_context, request->server,
-			request->second_ticket[st_idx]->enc_part2->client)) {
-		if ((errcode = krb5_unparse_name(kdc_context,
-		        request->second_ticket[st_idx]->enc_part2->client,
-			&tmp)))
+	krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
+	krb5_principal client2 = t2enc->client;
+	if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+		if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
 			tmp = 0;
 		audit_krb5kdc_tgs_req_2ndtktmm(
 			(struct in_addr *)from->address->contents,
 			(in_port_t)from->port,
-			(in_port_t)portnum, cname, sname);
-		krb5_klog_syslog(LOG_INFO, "TGS_REQ %s(%d): 2ND_TKT_MISMATCH: authtime %d, %s for %s, 2nd tkt client %s",
-		       fromstring, portnum, authtime,
-		       cname ? cname : "<unknown client>",
-		       sname ? sname : "<unknown server>",
-		       tmp ? tmp : "<unknown>");
+			0, cname, sname);
+		krb5_klog_syslog(LOG_INFO,
+				 "TGS_REQ %s: 2ND_TKT_MISMATCH: "
+				 "authtime %d, %s for %s, 2nd tkt client %s",
+				 fromstring, authtime,
+				 cname ? cname : "<unknown client>",
+				 sname ? sname : "<unknown server>",
+				 tmp ? tmp : "<unknown>");
 		errcode = KRB5KDC_ERR_SERVER_NOMATCH;
 		goto cleanup;
 	}
 	    
 	ticket_reply.enc_part.kvno = 0;
-	ticket_reply.enc_part.enctype =
-		request->second_ticket[st_idx]->enc_part2->session->enctype;
-	if ((errcode = krb5_encrypt_tkt_part(kdc_context, 
-					    request->second_ticket[st_idx]->enc_part2->session,
-					    &ticket_reply))) {
+	ticket_reply.enc_part.enctype = t2enc->session->enctype;
+	if ((errcode = krb5_encrypt_tkt_part(kdc_context, t2enc->session,
+					     &ticket_reply))) {
 	    status = "2ND_TKT_ENCRYPT";
 	    goto cleanup;
 	}
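Review bot: The audit call now passes a literal `0` where `(in_port_t)portnum` used to go, so the record for a second-ticket mismatch no longer says which KDC port received the request. The same substitution is made in the `cleanup:` hunk and in both `audit_krb5kdc_tgs_req_alt_tgt` calls in `find_alternate_tgs`. If the port is no longer available at this level, a comment beside the argument such as `/* KDC port not tracked here */`, or a named constant, would tell consumers of the audit trail that the field is a placeholder and not a real port. The block that holds this code opens outside the hunk.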
@@ -587,9 +611,6 @@
 	    status = "DECRYPT_SERVER_KEY";
 	    goto cleanup;
 	}
-	if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
-	    (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
-	    encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
 	errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
 					&ticket_reply);
 	krb5_free_keyblock_contents(kdc_context, &encrypting_key);
@@ -646,42 +667,51 @@
     }
 
     if (ticket_reply.enc_part.ciphertext.data) {
-	memset(ticket_reply.enc_part.ciphertext.data, 0,
+     memset(ticket_reply.enc_part.ciphertext.data, 0,
 	   ticket_reply.enc_part.ciphertext.length);
-	free(ticket_reply.enc_part.ciphertext.data);
+    free(ticket_reply.enc_part.ciphertext.data);
 	ticket_reply.enc_part.ciphertext.data = NULL;
     }
     /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
        can use them in raw form if needed.  But, we don't... */
     if (reply.enc_part.ciphertext.data) {
-	memset(reply.enc_part.ciphertext.data, 0,
+     memset(reply.enc_part.ciphertext.data, 0,
 	   reply.enc_part.ciphertext.length);
-	free(reply.enc_part.ciphertext.data);
+    free(reply.enc_part.ciphertext.data);
 	reply.enc_part.ciphertext.data = NULL;
     }
     
 cleanup:
     if (status) {
 	    audit_krb5kdc_tgs_req((struct in_addr *)from->address->contents,
-				(in_port_t)from->port, (in_port_t)portnum,
+				(in_port_t)from->port, 0,
 				cname ? cname : "<unknown client>",
 				sname ? sname : "<unknown client>",
 				errcode);
-	    krb5_klog_syslog(LOG_INFO,
-			    "TGS_REQ %s(%d): %s: authtime %d, %s for %s%s%s",
-			    fromstring, portnum, status, authtime,
-			    cname ? cname : "<unknown client>",
-			    sname ? sname : "<unknown server>",
-			    errcode ? ", " : "",
-			    errcode ? error_message(errcode) : "");
+	if (!errcode)
+	    rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
+        krb5_klog_syslog(LOG_INFO,
+			 "TGS_REQ (%s) %s: %s: authtime %d, "
+			 "%s%s %s for %s%s%s",
+			 ktypestr,
+			 fromstring, status, authtime,
+			 !errcode ? rep_etypestr : "",
+			 !errcode ? "," : "",
+			 cname ? cname : "<unknown client>",
+			 sname ? sname : "<unknown server>",
+			 errcode ? ", " : "",
+			 errcode ? error_message(errcode) : "");
     }
+    
     if (errcode) {
+	if (status == 0)
+	    status = error_message (errcode);
 	errcode -= ERROR_TABLE_BASE_krb5;
 	if (errcode < 0 || errcode > 128)
 	    errcode = KRB_ERR_GENERIC;
 	    
 	retval = prepare_error_tgs(request, header_ticket, errcode,
-				   fromstring, response);
+				   fromstring, response, status);
     }
     
     if (header_ticket)
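Review bot: The new `if (!errcode)` has no braces and the `krb5_klog_syslog` call after it is indented differently, so it is easy to misread which statement is conditional. Only `rep_etypes2str` is guarded, and the log call always runs. Bracing it, `if (!errcode) { rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply); }`, and aligning the log call with `audit_krb5kdc_tgs_req` above would remove the ambiguity. The audit call in the same block still uses `"<unknown client>"` as the fallback for `sname`, where the syslog line uses `"<unknown server>"`. The enclosing function starts and ends outside the hunk.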
@@ -703,12 +733,8 @@
 }
 
 static krb5_error_code
-prepare_error_tgs (request, ticket, error, ident, response)
-register krb5_kdc_req *request;
-krb5_ticket *ticket;
-int error;
-const char *ident;
-krb5_data **response;
+prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
+		   const char *ident, krb5_data **response, const char *status)
 {
     krb5_error errpkt;
     krb5_error_code retval;
@@ -726,10 +752,10 @@
 	errpkt.client = ticket->enc_part2->client;
     else
 	errpkt.client = 0;
-    errpkt.text.length = strlen(error_message(error+KRB5KDC_ERR_NONE))+1;
+    errpkt.text.length = strlen(status) + 1;
     if (!(errpkt.text.data = malloc(errpkt.text.length)))
 	return ENOMEM;
-    (void) strcpy(errpkt.text.data, error_message(error+KRB5KDC_ERR_NONE));
+    (void) strcpy(errpkt.text.data, status);
 
     if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
 	free(errpkt.text.data);
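Review bot: `strlen(status)` and `strcpy(errpkt.text.data, status)` dereference the new `status` argument unconditionally, so `prepare_error_tgs` now relies on every caller passing a non-NULL string. The caller shown in this changeset sets `status = error_message (errcode)` when it is 0, but the function neither states nor enforces that. A fallback at the top, `if (status == NULL) status = error_message(error+KRB5KDC_ERR_NONE);`, would keep the previous text when no status is given. The function comment should also say that the internal status tag is now what the client receives as the error text. The body continues outside the hunk.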
@@ -754,15 +780,9 @@
  * some intermediate realm.
  */
 static void
-find_alternate_tgs(request, server, more, nprincs, from, portnum, cname)
-krb5_kdc_req *request;
-krb5_db_entry *server;
-krb5_boolean *more;
-int *nprincs;
-const krb5_fulladdr *from;		/* who sent it ? */
-int portnum;
-char *cname;
-
+find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
+		   krb5_boolean *more, int *nprincs,
+		   const krb5_fulladdr *from, char *cname)
 {
     krb5_error_code retval;
     krb5_principal *plist, *pl2;
@@ -822,17 +842,18 @@
 	    krb5_free_principal(kdc_context, request->server);
 	    request->server = tmpprinc;
 	    if (krb5_unparse_name(kdc_context, request->server, &sname)) {
+
 		audit_krb5kdc_tgs_req_alt_tgt(
 			(struct in_addr *)from->address->contents,
 			(in_port_t)from->port,
-			(in_port_t)portnum, cname, "<unparseable>", 0);
+			0, cname, "<unparseable>", 0);
 		krb5_klog_syslog(LOG_INFO,
 		       "TGS_REQ: issuing alternate <un-unparseable> TGT");
 	    } else {
 		audit_krb5kdc_tgs_req_alt_tgt(
 			(struct in_addr *)from->address->contents,
 			(in_port_t)from->port,
-			(in_port_t)portnum, cname, sname, 0);
+			0, cname, sname, 0);
 		krb5_klog_syslog(LOG_INFO,
 		       "TGS_REQ: issuing TGT %s", sname);
 		free(sname);
@@ -848,4 +869,3 @@
     krb5_free_realm_tree(kdc_context, plist);
     return;
 }
-
--- a/usr/src/cmd/krb5/krb5kdc/extern.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/extern.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -15,7 +15,7 @@
 #endif
 
 /*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -60,13 +60,10 @@
     char *		realm_mpname;	/* Master principal name for realm  */
     krb5_principal	realm_mprinc;	/* Master principal for realm	    */
     krb5_keyblock	realm_mkey;	/* Master key for this realm	    */
-    krb5_kvno		realm_mkvno;	/* Master key vno for this realm    */
     /*
      * TGS per-realm data.
      */
     krb5_principal	realm_tgsprinc;	/* TGS principal for this realm	    */
-    krb5_keyblock	realm_tgskey;	/* TGS' key for this realm	    */
-    krb5_kvno		realm_tgskvno;	/* TGS' key vno for this realm	    */
     /*
      * Other per-realm data.
      */
@@ -77,14 +74,15 @@
      */
     krb5_deltat		realm_maxlife;	/* Maximum ticket life for realm    */
     krb5_deltat		realm_maxrlife;	/* Maximum renewable life for realm */
-    void		*realm_kstypes;	/* Key/Salts supported for realm    */
-    krb5_int32		realm_nkstypes;	/* Number of key/salts		    */
+    krb5_boolean	realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
 } kdc_realm_t;
 
 extern kdc_realm_t	**kdc_realmlist;
 extern int		kdc_numrealms;
 extern kdc_realm_t	*kdc_active_realm;
 
+kdc_realm_t *find_realm_data (char *, krb5_ui_4);
+
 /*
  * Replace previously used global variables with the active (e.g. request's)
  * realm data.  This allows us to support multiple realms with minimal logic
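Review bot: The comment on `realm_reject_bad_transit` reads `/* Accept unverifiable transited_realm ? */`, which says the opposite of the field name and of its use in do_tgs_req.c, where a true value leads to `KRB5KDC_ERR_POLICY`. I would reword it to `/* Reject tickets whose transited path was not verified */`, so that nobody configuring or reading the flag gets the polarity wrong. The new `find_realm_data (char *, krb5_ui_4);` prototype would also be clearer with parameter names and a one-line comment saying what the two arguments are.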
@@ -95,12 +93,11 @@
 #define	max_renewable_life_for_realm	kdc_active_realm->realm_maxrlife
 #define	master_keyblock			kdc_active_realm->realm_mkey
 #define	master_princ			kdc_active_realm->realm_mprinc
-#define	tgs_key				kdc_active_realm->realm_tgskey
-#define	tgs_kvno			kdc_active_realm->realm_tgskvno
 #define	tgs_server_struct		*(kdc_active_realm->realm_tgsprinc)
 #define	tgs_server			kdc_active_realm->realm_tgsprinc
 #define	dbm_db_name			kdc_active_realm->realm_dbname
 #define	primary_port			kdc_active_realm->realm_pport
+#define reject_bad_transit		kdc_active_realm->realm_reject_bad_transit
 
 /* various externs for KDC */
 extern krb5_data 	empty_string;	/* an empty string */
--- a/usr/src/cmd/krb5/krb5kdc/kdc_preauth.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/kdc_preauth.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -8,7 +8,7 @@
 /*
  * kdc/kdc_preauth.c
  *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2003 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -65,26 +65,38 @@
 #include "com_err.h"
 #include <assert.h>
 #include <stdio.h>
+#include "adm_proto.h"
 #include <libintl.h>
 #include <syslog.h>
 
+#include <assert.h>
+
+/* XXX This is ugly and should be in a header file somewhere */
+#ifndef KRB5INT_DES_TYPES_DEFINED
+#define KRB5INT_DES_TYPES_DEFINED
+typedef unsigned char des_cblock[8];	/* crypto-block size */
+#endif
+typedef des_cblock mit_des_cblock;
+extern void mit_des_fixup_key_parity (mit_des_cblock );
+extern int mit_des_is_weak_key (mit_des_cblock );
+
 typedef krb5_error_code (*verify_proc)
     (krb5_context, krb5_db_entry *client,
-	    krb5_kdc_req *request,
-	    krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
+		    krb5_kdc_req *request,
+		    krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
 
 typedef krb5_error_code (*edata_proc)
     (krb5_context, krb5_kdc_req *request,
-	    krb5_db_entry *client, krb5_db_entry *server,
-	    krb5_pa_data *data);
+		    krb5_db_entry *client, krb5_db_entry *server,
+		    krb5_pa_data *data);
 
 typedef krb5_error_code (*return_proc)
     (krb5_context, krb5_pa_data * padata, 
-	    krb5_db_entry *client,
-	    krb5_kdc_req *request, krb5_kdc_rep *reply,
-	    krb5_key_data *client_key,
-	    krb5_keyblock *encrypting_key,
-	    krb5_pa_data **send_pa);
+		    krb5_db_entry *client,
+		    krb5_kdc_req *request, krb5_kdc_rep *reply,
+		    krb5_key_data *client_key,
+		    krb5_keyblock *encrypting_key,
+		    krb5_pa_data **send_pa);
 
 typedef struct _krb5_preauth_systems {
     char *	name;
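Review bot: `<assert.h>` is now included twice, since it already appears just above the added `"adm_proto.h"` line, so the second include can be dropped. The local `des_cblock` typedef and the `extern` declarations of `mit_des_fixup_key_parity` and `mit_des_is_weak_key` are not checked against the library's real definitions. A signature change there would still compile here and only fail at run time. As the `XXX` comment already admits, these belong in a header shared by the DES code and this file.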
@@ -97,54 +109,50 @@
 
 static krb5_error_code verify_enc_timestamp
     (krb5_context, krb5_db_entry *client,
-    krb5_kdc_req *request,
-    krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
+		    krb5_kdc_req *request,
+		    krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
 
 static krb5_error_code get_etype_info
     (krb5_context, krb5_kdc_req *request,
-    krb5_db_entry *client, krb5_db_entry *server,
-    krb5_pa_data *data);
-
+		    krb5_db_entry *client, krb5_db_entry *server,
+		    krb5_pa_data *data);
 static krb5_error_code
 get_etype_info2(krb5_context context, krb5_kdc_req *request,
-		krb5_db_entry *client, krb5_db_entry *server,
+	       krb5_db_entry *client, krb5_db_entry *server,
 		  krb5_pa_data *pa_data);
-
 static krb5_error_code
-return_etype_info2(krb5_context, krb5_pa_data * padata,
-                   krb5_db_entry *client,
-                   krb5_kdc_req *request, krb5_kdc_rep *reply,
-                   krb5_key_data *client_key,
-                   krb5_keyblock *encrypting_key,
-                   krb5_pa_data **send_pa);
-
+return_etype_info2(krb5_context, krb5_pa_data * padata, 
+		   krb5_db_entry *client,
+		   krb5_kdc_req *request, krb5_kdc_rep *reply,
+		   krb5_key_data *client_key,
+		   krb5_keyblock *encrypting_key,
+		   krb5_pa_data **send_pa);
 
 static krb5_error_code return_pw_salt
     (krb5_context, krb5_pa_data * padata, 
-    krb5_db_entry *client,
-    krb5_kdc_req *request, krb5_kdc_rep *reply,
-    krb5_key_data *client_key,
-    krb5_keyblock *encrypting_key,
-    krb5_pa_data **send_pa);
+		    krb5_db_entry *client,
+		    krb5_kdc_req *request, krb5_kdc_rep *reply,
+		    krb5_key_data *client_key,
+		    krb5_keyblock *encrypting_key,
+		    krb5_pa_data **send_pa);
 
 /* SAM preauth support */
 static krb5_error_code verify_sam_response
-	(krb5_context, krb5_db_entry *client,
-	    krb5_kdc_req *request,
-	    krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
+    (krb5_context, krb5_db_entry *client,
+		    krb5_kdc_req *request,
+		    krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
 
 static krb5_error_code get_sam_edata
     (krb5_context, krb5_kdc_req *request,
-    krb5_db_entry *client, krb5_db_entry *server,
-    krb5_pa_data *data);
-
+		    krb5_db_entry *client, krb5_db_entry *server,
+		    krb5_pa_data *data);
 static krb5_error_code return_sam_data
     (krb5_context, krb5_pa_data * padata, 
-    krb5_db_entry *client,
-    krb5_kdc_req *request, krb5_kdc_rep *reply,
-    krb5_key_data *client_key,
-    krb5_keyblock *encrypting_key,
-    krb5_pa_data **send_pa);
+		    krb5_db_entry *client,
+		    krb5_kdc_req *request, krb5_kdc_rep *reply,
+		    krb5_key_data *client_key,
+		    krb5_keyblock *encrypting_key,
+		    krb5_pa_data **send_pa);
 /*
  * Preauth property flags
  */
@@ -172,12 +180,12 @@
 	0
     },
     {
-     	"etype-info2",
+	"etype-info2",
 	KRB5_PADATA_ETYPE_INFO2,
 	0,
-        get_etype_info2,
+	get_etype_info2,
 	0,
-        return_etype_info2
+	return_etype_info2
     },
     {
 	"pw-salt",
@@ -221,9 +229,9 @@
     return 0;
 } 
 
-const char *missing_required_preauth(client, server, enc_tkt_reply)
-    krb5_db_entry *client, *server;
-    krb5_enc_tkt_part *enc_tkt_reply;
+const char *missing_required_preauth(krb5_db_entry *client,
+				     krb5_db_entry *server,
+				     krb5_enc_tkt_part *enc_tkt_reply)
 {
 #if 0
     /*
@@ -258,11 +266,8 @@
     return 0;
 }
 
-void get_preauth_hint_list(
-    krb5_kdc_req *request,
-    krb5_db_entry *client,
-    krb5_db_entry *server,
-    krb5_data *e_data)
+void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
+			   krb5_db_entry *server, krb5_data *e_data)
 {
     int hw_only;
     krb5_preauth_systems *ap;
@@ -329,11 +334,8 @@
  */
 
 krb5_error_code
-check_padata (
-    krb5_context	context,
-    krb5_db_entry *	client,
-    krb5_kdc_req *	request,
-    krb5_enc_tkt_part * enc_tkt_reply)
+check_padata (krb5_context context, krb5_db_entry *client,
+	      krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply)
 {
     krb5_error_code retval = 0;
     krb5_pa_data **padata;
@@ -388,16 +390,15 @@
     if (!pa_found)
 	krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s",
 			  error_message (retval));
-
-    /* The following switch statement allows us
-     * to return some preauth system errors back to the client.
-     */
-    switch(retval) {
+/* The following switch statement allows us
+ * to return some preauth system errors back to the client.
+ */
+        switch(retval) {
 	case KRB5KRB_AP_ERR_BAD_INTEGRITY:
-        case KRB5KRB_AP_ERR_SKEW:
-		return retval;
-        default:
-		return KRB5KDC_ERR_PREAUTH_FAILED;
+    case KRB5KRB_AP_ERR_SKEW:
+	return retval;
+    default:
+	return KRB5KDC_ERR_PREAUTH_FAILED;
     }
 }
 
@@ -406,13 +407,9 @@
  * structures which should be returned by the KDC to the client
  */
 krb5_error_code
-return_padata(
-    krb5_context	context,
-    krb5_db_entry *	client,
-    krb5_kdc_req *	request,
-    krb5_kdc_rep *	reply,
-    krb5_key_data *	client_key,
-    krb5_keyblock *	encrypting_key)
+return_padata(krb5_context context, krb5_db_entry *client,
+	      krb5_kdc_req *request, krb5_kdc_rep *reply,
+	      krb5_key_data *client_key, krb5_keyblock *encrypting_key)
 {
     krb5_error_code		retval;
     krb5_pa_data **		padata;
@@ -466,6 +463,7 @@
 	krb5_free_pa_data(context, send_pa_list);
     return (retval);
 }
+
 static krb5_boolean
 enctype_requires_etype_info_2(krb5_enctype enctype)
 {
@@ -480,7 +478,7 @@
 	return 0;
     default:
 	if (krb5_c_valid_enctype(enctype))
-            return 1;
+	    return 1;
 	else return 0;
     }
 }
@@ -496,13 +494,11 @@
     return 0;
 }
 
+
 static krb5_error_code
-verify_enc_timestamp(
-    krb5_context	context,
-    krb5_db_entry *	client,
-    krb5_kdc_req *	request,
-    krb5_enc_tkt_part * enc_tkt_reply,
-    krb5_pa_data *	pa)
+verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
+		     krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+		     krb5_pa_data *pa)
 {
     krb5_pa_enc_ts *		pa_enc = 0;
     krb5_error_code		retval;
@@ -514,7 +510,7 @@
     krb5_int32			start;
     krb5_timestamp		timenow;
     krb5_error_code		decrypt_err;
-    
+
     (void) memset(&key, 0, sizeof(krb5_keyblock));
     scratch.data = (char *) pa->contents;
     scratch.length = pa->length;
@@ -574,7 +570,6 @@
     krb5_free_data_contents(context, &enc_ts_data);
     if (pa_enc)
 	free(pa_enc);
-
     /*
      * If we get NO_MATCHING_KEY and decryption previously failed, and
      * we failed to find any other keys of the correct enctype after
@@ -583,15 +578,14 @@
      */
     if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
 	retval = decrypt_err;
-
     return retval;
 }
 
 static krb5_error_code
 _make_etype_info_entry(krb5_context context,
-	krb5_kdc_req *request, krb5_key_data *client_key,
-	krb5_enctype etype, krb5_etype_info_entry **entry,
-	int etype_info2)
+		       krb5_kdc_req *request, krb5_key_data *client_key,
+		       krb5_enctype etype, krb5_etype_info_entry **entry,
+		       int etype_info2)
 {
     krb5_data			salt;
     krb5_etype_info_entry *	tmp_entry; 
@@ -618,16 +612,16 @@
 	case ENCTYPE_DES_CBC_CRC:
 	case ENCTYPE_DES_CBC_MD4:
 	case ENCTYPE_DES_CBC_MD5:
-            tmp_entry->s2kparams.data = malloc(1);
-            if (tmp_entry->s2kparams.data == NULL) {
+	    tmp_entry->s2kparams.data = malloc(1);
+	    if (tmp_entry->s2kparams.data == NULL) {
 		retval = ENOMEM;
 		goto fail;
-            }
-            tmp_entry->s2kparams.length = 1;
-            tmp_entry->s2kparams.data[0] = 1;
-            break;
+	    }
+	    tmp_entry->s2kparams.length = 1;
+	    tmp_entry->s2kparams.data[0] = 1;
+	    break;
 	default:
-            break;
+	    break;
 	}
     }
 
@@ -642,7 +636,7 @@
 fail:
     if (tmp_entry) {
 	if (tmp_entry->s2kparams.data)
-            free(tmp_entry->s2kparams.data);
+	    free(tmp_entry->s2kparams.data);
 	free(tmp_entry);
     }
     if (salt.data)
@@ -653,81 +647,81 @@
  * This function returns the etype information for a particular
  * client, to be passed back in the preauth list in the KRB_ERROR
  * message.  It supports generating both etype_info  and etype_info2
- *  as most of the work is the same.
+ *  as most of the work is the same.   
  */
 static krb5_error_code
 etype_info_helper(krb5_context context, krb5_kdc_req *request,
-		krb5_db_entry *client, krb5_db_entry *server,
-		krb5_pa_data *pa_data, int etype_info2)
+	       krb5_db_entry *client, krb5_db_entry *server,
+	       krb5_pa_data *pa_data, int etype_info2)
 {
     krb5_etype_info_entry **	entry = 0;
     krb5_key_data		*client_key;
     krb5_error_code		retval;
     krb5_data *			scratch;
     krb5_enctype		db_etype;
-    int				i = 0;
-    int				start = 0;
+    int 			i = 0;
+    int 			start = 0;
     int				seen_des = 0;
 
-    entry = malloc((client->n_key_data * 2 + 1) *
-		sizeof(krb5_etype_info_entry *));
+    entry = malloc((client->n_key_data * 2 + 1) * sizeof(krb5_etype_info_entry *));
     if (entry == NULL)
 	return ENOMEM;
     entry[0] = NULL;
 
     while (1) {
 	retval = krb5_dbe_search_enctype(context, client, &start, -1,
-                                         -1, 0, &client_key);
+					 -1, 0, &client_key);
 	if (retval == KRB5_KDB_NO_MATCHING_KEY)
-            break;
+	    break;
 	if (retval)
-            goto cleanup;
+	    goto cleanup;
 	db_etype = client_key->key_data_type[0];
 	if (db_etype == ENCTYPE_DES_CBC_MD4)
-            db_etype = ENCTYPE_DES_CBC_MD5;
+	    db_etype = ENCTYPE_DES_CBC_MD5;
+	
 	if (request_contains_enctype(context, request, db_etype)) {
-            assert(etype_info2 ||
-                   !enctype_requires_etype_info_2(db_etype));
-            if ((retval = _make_etype_info_entry(context, request, client_key,
-                            db_etype, &entry[i], etype_info2)) != 0) {
+	    assert(etype_info2 ||
+		   !enctype_requires_etype_info_2(db_etype));
+	    if ((retval = _make_etype_info_entry(context, request, client_key,
+			    db_etype, &entry[i], etype_info2)) != 0) {
 		goto cleanup;
-            }
-            entry[i+1] = 0;
-            i++;
+	    }
+	    entry[i+1] = 0;
+	    i++;
 	}
 
-        /*
-         * If there is a des key in the kdb, try the "similar" enctypes,
-	 * avoid duplicate entries.
+	/* 
+	 * If there is a des key in the kdb, try the "similar" enctypes,
+	 * avoid duplicate entries. 
 	 */
 	if (!seen_des) {
-            switch (db_etype) {
-            case ENCTYPE_DES_CBC_MD5:
+	    switch (db_etype) {
+	    case ENCTYPE_DES_CBC_MD5:
 		db_etype = ENCTYPE_DES_CBC_CRC;
 		break;
-            case ENCTYPE_DES_CBC_CRC:
+	    case ENCTYPE_DES_CBC_CRC:
 		db_etype = ENCTYPE_DES_CBC_MD5;
 		break;
-            default:
+	    default:
 		continue;
 
-            }
-            if (request_contains_enctype(context, request, db_etype)) {
+	    }
+	    if (request_contains_enctype(context, request, db_etype)) {
 		if ((retval = _make_etype_info_entry(context, request,
-		    client_key, db_etype, &entry[i], etype_info2)) != 0) {
-                    goto cleanup;
+				client_key, db_etype, &entry[i], etype_info2)) != 0) {
+		    goto cleanup;
 		}
-                entry[i+1] = 0;
+		entry[i+1] = 0;
 		i++;
-            }
-            seen_des++;
+	    }
+	    seen_des++;
 	}
     }
     if (etype_info2)
 	retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry,
-                                    &scratch);
-    else
-	retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,                                    &scratch);
+				    &scratch);
+    else 	retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
+				    &scratch);
     if (retval)
 	goto cleanup;
     pa_data->contents = (unsigned char *)scratch->data;
@@ -748,40 +742,39 @@
 
 static krb5_error_code
 get_etype_info(krb5_context context, krb5_kdc_req *request,
-		krb5_db_entry *client, krb5_db_entry *server,
-		krb5_pa_data *pa_data)
+	       krb5_db_entry *client, krb5_db_entry *server,
+	       krb5_pa_data *pa_data)
 {
   int i;
     for (i=0;  i < request->nktypes; i++) {
-	if (enctype_requires_etype_info_2(request->ktype[i]))
-            return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will
-                                                        * skip this
-                                                        * type*/
+	if (enctype_requires_etype_info_2(request->ktype[i])) 
+	    return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will
+							* skip this
+							* type*/
     }
     return etype_info_helper(context, request, client, server, pa_data, 0);
 }
 
 static krb5_error_code
 get_etype_info2(krb5_context context, krb5_kdc_req *request,
-		krb5_db_entry *client, krb5_db_entry *server,
-		krb5_pa_data *pa_data)
+	       krb5_db_entry *client, krb5_db_entry *server,
+	       krb5_pa_data *pa_data)
 {
     return etype_info_helper( context, request, client, server, pa_data, 1);
 }
 
 static krb5_error_code
-return_etype_info2(krb5_context context, krb5_pa_data * padata,
-                   krb5_db_entry *client,
-                   krb5_kdc_req *request, krb5_kdc_rep *reply,
-                   krb5_key_data *client_key,
-                   krb5_keyblock *encrypting_key,
-                   krb5_pa_data **send_pa)
+return_etype_info2(krb5_context context, krb5_pa_data * padata, 
+		   krb5_db_entry *client,
+		   krb5_kdc_req *request, krb5_kdc_rep *reply,
+		   krb5_key_data *client_key,
+		   krb5_keyblock *encrypting_key,
+		   krb5_pa_data **send_pa)
 {
     krb5_error_code retval;
     krb5_pa_data *tmp_padata;
     krb5_etype_info_entry **entry = NULL;
     krb5_data *scratch = NULL;
-
     tmp_padata = malloc( sizeof(krb5_pa_data));
     if (tmp_padata == NULL)
 	return ENOMEM;
@@ -794,61 +787,51 @@
     entry[0] = NULL;
     entry[1] = NULL;
     /* using encrypting_key->enctype as this is specified in rfc4120 */
-    retval = _make_etype_info_entry(context, request,
-		client_key, encrypting_key->enctype,
-		entry, 1);
+    retval = _make_etype_info_entry(context, request, client_key, encrypting_key->enctype,
+				    entry, 1);
     if (retval)
 	goto cleanup;
-
-    retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry,
-	&scratch);
+    retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
     if (retval)
 	goto cleanup;
     tmp_padata->contents = (uchar_t *)scratch->data;
     tmp_padata->length = scratch->length;
     *send_pa = tmp_padata;
 
-    /* For cleanup - we no longer own the contents of the krb5_data
+    /* For cleanup - we no longer own the contents of the krb5_data 
      * only to pointer to the krb5_data
      */
-     scratch->data = 0;
+    scratch->data = 0;
 
  cleanup:
     if (entry)
 	krb5_free_etype_info(context, entry);
     if (retval) {
 	if (tmp_padata)
-            free(tmp_padata);
+	    free(tmp_padata);
     }
     if (scratch)
-            krb5_free_data(context, scratch);
+	    krb5_free_data(context, scratch);
     return retval;
 }
 
 
 static krb5_error_code
-return_pw_salt(context, in_padata, client, request, reply, client_key,
-	       encrypting_key, send_pa)
-    krb5_context	context;
-    krb5_pa_data *	in_padata;
-    krb5_db_entry *	client;
-    krb5_kdc_req *	request;
-    krb5_kdc_rep *	reply;
-    krb5_key_data *	client_key;
-    krb5_keyblock *	encrypting_key;
-    krb5_pa_data **	send_pa;
+return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
+	       krb5_db_entry *client, krb5_kdc_req *request,
+	       krb5_kdc_rep *reply, krb5_key_data *client_key,
+	       krb5_keyblock *encrypting_key, krb5_pa_data **send_pa)
 {
     krb5_error_code	retval;
     krb5_pa_data *	padata;
     krb5_data *		scratch;
     krb5_data		salt_data;
     int i;
-
+    
     for (i = 0; i < request->nktypes; i++) {
 	if (enctype_requires_etype_info_2(request->ktype[i]))
-            return 0;
+	    return 0;
     }
-    
     if (client_key->key_data_ver == 1 ||
 	client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)
 	return 0;
@@ -921,16 +904,10 @@
 }
 
 static krb5_error_code
-return_sam_data(context, in_padata, client, request, reply, client_key,
-	        encrypting_key, send_pa)
-    krb5_context	context;
-    krb5_pa_data *	in_padata;
-    krb5_db_entry *	client;
-    krb5_kdc_req *	request;
-    krb5_kdc_rep *	reply;
-    krb5_key_data *	client_key;
-    krb5_keyblock *	encrypting_key;
-    krb5_pa_data **	send_pa;
+return_sam_data(krb5_context context, krb5_pa_data *in_padata,
+		krb5_db_entry *client, krb5_kdc_req *request,
+		krb5_kdc_rep *reply, krb5_key_data *client_key,
+		krb5_keyblock *encrypting_key, krb5_pa_data **send_pa)
 {
     krb5_error_code	retval;
     krb5_data		scratch;
@@ -1070,12 +1047,9 @@
 };
 
 static krb5_error_code
-get_sam_edata(context, request, client, server, pa_data)
-    krb5_context 	context;
-    krb5_kdc_req *	request;
-    krb5_db_entry *	client;
-    krb5_db_entry *	server;
-    krb5_pa_data *	pa_data;
+get_sam_edata(krb5_context context, krb5_kdc_req *request,
+	      krb5_db_entry *client, krb5_db_entry *server,
+	      krb5_pa_data *pa_data)
 {
     krb5_error_code		retval;
     krb5_sam_challenge		sc;
@@ -1104,7 +1078,8 @@
      */
 
     {
-      int npr = 1, more;
+      int npr = 1;
+      krb5_boolean more;
       krb5_db_entry assoc;
       krb5_key_data  *assoc_key;
       krb5_principal newp;
@@ -1131,7 +1106,7 @@
 	  strlen(sam_ptr->name);
 	npr = 1;
 	retval = krb5_db_get_principal(kdc_context, newp, &assoc, &npr, (uint *)&more);
-	if(!retval) {
+	if(!retval && npr) {
 	  sc.sam_type = sam_ptr->sam_type;
 	  break;
 	}
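Review bot: The call on the context line still casts `(uint *)&more`, although the previous hunk changed `more` from `int` to `krb5_boolean`. If the last parameter of `krb5_db_get_principal` is a `krb5_boolean *` in this tree (its prototype is not visible here), the cast is no longer needed and only hides a future type mismatch; `&more` alone would let the compiler check it. The enclosing block starts and ends outside the hunk.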
@@ -1289,6 +1264,7 @@
 	int i;
 
 	(void) memset(&session_key, 0, sizeof(krb5_keyblock));
+
 	(void) memset(inputblock, 0, 8);
 
 	retval = krb5_c_make_random_key(kdc_context, ENCTYPE_DES_CBC_CRC,
@@ -1457,12 +1433,9 @@
 }
 
 static krb5_error_code
-verify_sam_response(context, client, request, enc_tkt_reply, pa)
-    krb5_context	context;
-    krb5_db_entry *	client;
-    krb5_kdc_req *	request;
-    krb5_enc_tkt_part * enc_tkt_reply;
-    krb5_pa_data *	pa;
+verify_sam_response(krb5_context context, krb5_db_entry *client,
+		    krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+		    krb5_pa_data *pa)
 {
     krb5_error_code		retval;
     krb5_data			scratch;
@@ -1544,7 +1517,8 @@
 	rep.server = "SAM/rc";  /* Should not match any principal name. */
 	rep.ctime = psr->stime;
 	rep.cusec = psr->susec;
-	if (retval = krb5_rc_store(kdc_context, kdc_rcache, &rep)) {
+	retval = krb5_rc_store(kdc_context, kdc_rcache, &rep);
+	if (retval) {
 	    com_err("krb5kdc", retval, gettext("SAM psr replay attack!"));
 	    goto cleanup;
 	}
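Review bot: Every non-zero return from `krb5_rc_store` is still reported with the fixed text `"SAM psr replay attack!"`, although the store can presumably also fail for reasons that are not a replay, such as an I/O or memory error. `com_err` does print the message for `retval`, but the fixed wording still labels each such failure as an attack, which makes the log line unreliable as an alert. Testing for the replay code specifically, `if (retval == KRB5KRB_AP_ERR_REPEAT)`, and logging other failures with a neutral message would separate the two cases. The enclosing function starts and ends outside the hunk.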
@@ -1592,6 +1566,8 @@
     if (sr) free(sr);
     if (psr) free(psr);
     if (esre) free(esre);
+    if (princ_psr) free(princ_psr);
+    if (princ_req) free(princ_req);
 
     return retval;
 }
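Review bot: The two added `free` calls run on every path that reaches this cleanup code, so `princ_psr` and `princ_req` must be initialised to NULL where they are declared. The declarations are outside the hunk, so please confirm that, because freeing an uninitialised pointer on an early `goto cleanup` is undefined behaviour. The `if (p)` guards are not needed, since `free(NULL)` is a no-op, though they do match the lines above.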
--- a/usr/src/cmd/krb5/krb5kdc/kdc_util.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/kdc_util.c	Sat Oct 07 13:37:05 2006 -0700
@@ -34,9 +34,11 @@
 #include "kdc_util.h"
 #include "extern.h"
 #include <stdio.h>
+#include <ctype.h>
 #include <syslog.h>
 #include "adm.h"
 #include "adm_proto.h"
+#include <limits.h>
 
 #ifdef USE_RCACHE
 static char *kdc_current_rcname = (char *) NULL;
@@ -48,9 +50,7 @@
  * initialize the replay cache.
  */
 krb5_error_code
-kdc_initialize_rcache(kcontext, rcache_name)
-    krb5_context	kcontext;
-    char 		*rcache_name;
+kdc_initialize_rcache(krb5_context kcontext, char *rcache_name)
 {
     krb5_error_code	retval;
     char		*rcname;
@@ -91,10 +91,8 @@
  * The replacement should be freed with krb5_free_authdata().
  */
 krb5_error_code
-concat_authorization_data(first, second, output)
-krb5_authdata **first;
-krb5_authdata **second;
-krb5_authdata ***output;
+concat_authorization_data(krb5_authdata **first, krb5_authdata **second,
+			  krb5_authdata ***output)
 {
     register int i, j;
     register krb5_authdata **ptr, **retdata;
@@ -140,9 +138,7 @@
 }
 
 krb5_boolean
-realm_compare(princ1, princ2)
-    krb5_principal princ1;
-    krb5_principal princ2;
+realm_compare(krb5_principal princ1, krb5_principal princ2)
 {
   krb5_data *realm1 = krb5_princ_realm(kdc_context, princ1);
   krb5_data *realm2 = krb5_princ_realm(kdc_context, princ2);
@@ -155,11 +151,9 @@
  * Returns TRUE if the kerberos principal is the name of a Kerberos ticket
  * service.
  */
-krb5_boolean krb5_is_tgs_principal(principal)
-	krb5_principal	principal;
+krb5_boolean krb5_is_tgs_principal(krb5_principal principal)
 {
-
-	if (krb5_princ_size(kdc_context, principal) > 0 &&
+	if ((krb5_princ_size(kdc_context, principal) > 0) &&
 	    (krb5_princ_component(kdc_context, principal, 0)->length ==
 	     KRB5_TGS_NAME_SIZE) &&
 	    (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
@@ -173,11 +167,8 @@
  * for source data.
  */
 static krb5_error_code
-comp_cksum(kcontext, source, ticket, his_cksum)
-    krb5_context	  kcontext;
-    krb5_data 		* source;
-    krb5_ticket 	* ticket;
-    krb5_checksum 	* his_cksum;
+comp_cksum(krb5_context kcontext, krb5_data *source, krb5_ticket *ticket,
+	   krb5_checksum *his_cksum)
 {
     krb5_error_code 	  retval;
     krb5_boolean	  valid;
@@ -202,12 +193,9 @@
 }
 
 krb5_error_code 
-kdc_process_tgs_req(request, from, pkt, ticket, subkey)
-    krb5_kdc_req 	* request;
-    const krb5_fulladdr * from;
-    krb5_data 		* pkt;
-    krb5_ticket        ** ticket;
-    krb5_keyblock      ** subkey;
+kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
+		    krb5_data *pkt, krb5_ticket **ticket,
+		    krb5_keyblock **subkey)
 {
     krb5_pa_data       ** tmppa;
     krb5_ap_req 	* apreq;
@@ -218,8 +206,8 @@
     krb5_auth_context 	  auth_context = NULL;
     krb5_authenticator	* authenticator = NULL;
     krb5_checksum 	* his_cksum = NULL;
-    krb5_keyblock 	* key = NULL;
-    krb5_kvno 		  kvno = 0;
+/*    krb5_keyblock 	* key = NULL;*/
+/*    krb5_kvno 		  kvno = 0;*/
 
     if (!request->padata)
 	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
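Review bot: The declarations of `key` and `kvno` at the top of `kdc_process_tgs_req` are commented out rather than removed. If both are really unused in the rest of the body, which lies outside this hunk, delete the two lines. Version control keeps the history, and leftover dead declarations in the TGS request path only make the function harder to audit.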
@@ -328,8 +316,8 @@
 	goto cleanup_auth_context;
     }
 
-    if ((retval = krb5_auth_con_getremotesubkey(kdc_context,
-						auth_context, subkey)))
+    if ((retval = krb5_auth_con_getrecvsubkey(kdc_context,
+					      auth_context, subkey)))
 	goto cleanup_auth_context;
 
     if ((retval = krb5_auth_con_getauthenticator(kdc_context, auth_context,
@@ -396,17 +384,13 @@
  * much else. -- tlyu
  */
 krb5_error_code
-kdc_get_server_key(ticket, key, kvno)
-    krb5_ticket 	* ticket;
-    krb5_keyblock      ** key;
-    krb5_kvno 		* kvno;	/* XXX nothing uses this */
+kdc_get_server_key(krb5_ticket *ticket, krb5_keyblock **key, krb5_kvno *kvno)
 {
     krb5_error_code 	  retval;
     krb5_db_entry 	  server;
     krb5_boolean 	  more;
     int	nprincs;
     krb5_key_data	* server_key;
-    int			  i;
 
     nprincs = 1;
 
@@ -456,9 +440,7 @@
 static krb5_last_req_entry *nolrarray[] = { &nolrentry, 0 };
 
 krb5_error_code
-fetch_last_req_info(dbentry, lrentry)
-krb5_db_entry *dbentry;
-krb5_last_req_entry ***lrentry;
+fetch_last_req_info(krb5_db_entry *dbentry, krb5_last_req_entry ***lrentry)
 {
     *lrentry = nolrarray;
     return 0;
@@ -468,8 +450,7 @@
 /* XXX!  This is a temporary place-holder */
 
 krb5_error_code
-check_hot_list(ticket)
-krb5_ticket *ticket;
+check_hot_list(krb5_ticket *ticket)
 {
     return 0;
 }
@@ -499,11 +480,9 @@
  *            If r2 is not a subrealm, SUBREALM returns 0.
  */
 static  int
-subrealm(r1,r2)
-char	*r1;
-char	*r2;
+subrealm(char *r1, char *r2)
 {
-    int	l1,l2;
+    size_t l1,l2;
     l1 = strlen(r1);
     l2 = strlen(r2);
     if(l2 <= l1) return(0);
@@ -573,12 +552,9 @@
  */
 
 krb5_error_code 
-add_to_transited(tgt_trans, new_trans, tgs, client, server)
-    krb5_data * tgt_trans;
-    krb5_data * new_trans;
-    krb5_principal tgs;
-    krb5_principal client;
-    krb5_principal server;
+add_to_transited(krb5_data *tgt_trans, krb5_data *new_trans,
+		 krb5_principal tgs, krb5_principal client,
+		 krb5_principal server)
 {
   krb5_error_code retval;
   char        *realm;
@@ -634,20 +610,21 @@
 
   /* read field into current */
   for (i = 0; *otrans != '\0';) {
-    if (*otrans == '\\')
-      if (*(++otrans) == '\0')
-	break;
-      else
-	continue;
-    if (*otrans == ',') {
-      otrans++;
-      break;
-    }
-    current[i++] = *otrans++;
-    if (i >= MAX_REALM_LN) {
-      retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
-      goto fail;
-    }
+      if (*otrans == '\\') {
+	  if (*(++otrans) == '\0')
+	      break;
+	  else
+	      continue;
+      }
+      if (*otrans == ',') {
+	  otrans++;
+	  break;
+      }
+      current[i++] = *otrans++;
+      if (i >= MAX_REALM_LN) {
+	  retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	  goto fail;
+      }
   }
   current[i] = '\0';
 
@@ -690,20 +667,21 @@
 
     /* read field into next */
     for (i = 0; *otrans != '\0';) {
-      if (*otrans == '\\')
-	if (*(++otrans) == '\0')
-	  break;
-	else
-	  continue;
-      if (*otrans == ',') {
-	otrans++;
-	break;
-      }
-      next[i++] = *otrans++;
-      if (i >= MAX_REALM_LN) {
-	retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
-	goto fail;
-      }
+	if (*otrans == '\\') {
+	    if (*(++otrans) == '\0')
+		break;
+	    else
+		continue;
+	}
+	if (*otrans == ',') {
+	    otrans++;
+	    break;
+	}
+	next[i++] = *otrans++;
+	if (i >= MAX_REALM_LN) {
+	    retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	    goto fail;
+	}
     }
     next[i] = '\0';
     nlst = i - 1;
@@ -734,10 +712,10 @@
 	}
         strncat(current, ",", sizeof(current) - 1 - strlen(current));
         if (pl > 0) {
-          strncat(current, realm, pl);
+          strncat(current, realm, (unsigned) pl);
         }
         else {
-          strncat(current, realm+strlen(realm)+pl, -pl);
+          strncat(current, realm+strlen(realm)+pl, (unsigned) (-pl));
         }
       }
 
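Review bot: The third argument of `strncat(current, realm, (unsigned) pl)` limits how many bytes are taken from `realm`, not how much room is left in `current`, and the new cast only silences a sign warning. The same pattern is in the next two hunks (`pl1` at -760, and `exp` with `pl` at -789). Whether the append stays inside `current` depends on a length check that is outside these hunks; the `goto fail` context suggests one exists. I would make that dependency explicit at each call with a comment such as `/* length checked above: strlen(current) + n + 2 < sizeof(current) */`, or bound the copy by `sizeof(current) - 1 - strlen(current)` as the neighbouring `strncat(current, ",", ...)` already does.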
@@ -760,10 +738,10 @@
 	    goto fail;
 	  }
           if (pl1 > 0) {
-            strncat(current, realm, pl1);
+            strncat(current, realm, (unsigned) pl1);
           }
           else {
-            strncat(current, realm+strlen(realm)+pl1, -pl1);
+            strncat(current, realm+strlen(realm)+pl1, (unsigned) (-pl1));
           }
         }
         else { /* If not a subrealm */
@@ -789,10 +767,10 @@
         strncat(current,",", sizeof(current) - 1 - strlen(current));
 	current[sizeof(current) - 1] = '\0';
         if (pl > 0) {
-          strncat(current, exp, pl);
+          strncat(current, exp, (unsigned) pl);
         }
         else {
-          strncat(current, exp+strlen(exp)+pl, -pl);
+          strncat(current, exp+strlen(exp)+pl, (unsigned)(-pl));
         }
       }
     }
@@ -854,20 +832,16 @@
  * as a com_err error number!
  */
 #define AS_INVALID_OPTIONS (KDC_OPT_FORWARDED | KDC_OPT_PROXY |\
-		KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY)
-
+KDC_OPT_VALIDATE | KDC_OPT_RENEW | KDC_OPT_ENC_TKT_IN_SKEY)
 int
-validate_as_request(request, client, server, kdc_time, status)
-register krb5_kdc_req *request;
-krb5_db_entry client;
-krb5_db_entry server;
-krb5_timestamp kdc_time;
-const char	**status;
+validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
+		    krb5_db_entry server, krb5_timestamp kdc_time,
+		    const char **status)
 {
     int		errcode;
     
     /*
-     * If an illegal option is set, complain.
+     * If an option is set that is only allowed in TGS requests, complain.
      */
     if (request->kdc_options & AS_INVALID_OPTIONS) {
 	*status = "INVALID AS OPTIONS";
@@ -995,8 +969,7 @@
  * returns -1 on failure.
  */
 static int
-asn1length(astream)
-unsigned char **astream;
+asn1length(unsigned char **astream)
 {
     int length;		/* resulting length */
     int sublen;		/* sublengths */
@@ -1047,11 +1020,8 @@
  * returns 0 on success, -1 otherwise.
  */
 int
-fetch_asn1_field(astream, level, field, data)
-unsigned char *astream;
-unsigned int level;
-unsigned int field;
-krb5_data *data;
+fetch_asn1_field(unsigned char *astream, unsigned int level,
+		 unsigned int field, krb5_data *data)
 {
     unsigned char *estream;	/* end of stream */
     int classes;		/* # classes seen so far this level */
@@ -1138,23 +1108,18 @@
 		       KDC_OPT_VALIDATE)
 
 int
-validate_tgs_request(request, server, ticket, kdc_time, status)
-register krb5_kdc_req *request;
-krb5_db_entry server;
-krb5_ticket *ticket;
-krb5_timestamp kdc_time;
-const char **status;
+validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server,
+		     krb5_ticket *ticket, krb5_timestamp kdc_time,
+		     const char **status)
 {
     int		errcode;
     int		st_idx = 0;
-    krb5_flags	badflags;
 
     /*
      * If an illegal option is set, ignore it.
      */
-    badflags = request->kdc_options & ~(TGS_OPTIONS_HANDLED);
-    request->kdc_options &= ~badflags;
-    
+    request->kdc_options &= TGS_OPTIONS_HANDLED;
+
     /* Check to see if server has expired */
     if (server.expiration && server.expiration < kdc_time) {
 	*status = "SERVICE EXPIRED";
@@ -1197,7 +1162,8 @@
 	    return KRB_AP_ERR_NOT_US;
 	}
 	/* ...and that the second component matches the server realm... */
-	if ((krb5_princ_component(kdc_context, ticket->server, 1)->length !=
+	if ((krb5_princ_size(kdc_context, ticket->server) <= 1) ||
+	    (krb5_princ_component(kdc_context, ticket->server, 1)->length !=
 	     krb5_princ_realm(kdc_context, request->server)->length) ||
 	    memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data,
 		   krb5_princ_realm(kdc_context, request->server)->data,
@@ -1387,10 +1353,8 @@
  * keytype, and 0 if not.
  */
 int
-dbentry_has_key_for_enctype(context, client, enctype)
-    krb5_context	context;
-    krb5_db_entry *	client;
-    krb5_enctype	enctype;
+dbentry_has_key_for_enctype(krb5_context context, krb5_db_entry *client,
+			    krb5_enctype enctype)
 {
     krb5_error_code	retval;
     krb5_key_data	*datap;
@@ -1413,10 +1377,8 @@
  * options bits for now.
  */
 int
-dbentry_supports_enctype(context, client, enctype)
-    krb5_context	context;
-    krb5_db_entry *	client;
-    krb5_enctype	enctype;
+dbentry_supports_enctype(krb5_context context, krb5_db_entry *client,
+			 krb5_enctype enctype)
 {
     /*
      * If it's DES_CBC_MD5, there's a bit in the attribute mask which
@@ -1454,19 +1416,18 @@
  * requested, and what the KDC and the application server can support.
  */
 krb5_enctype
-select_session_keytype(context, server, nktypes, ktype)
-    krb5_context	context;
-    krb5_db_entry *	server;
-    int			nktypes;
-    krb5_enctype	*ktype;
+select_session_keytype(krb5_context context, krb5_db_entry *server,
+		       int nktypes, krb5_enctype *ktype)
 {
     int		i;
-    krb5_enctype dfl = 0;
     
     for (i = 0; i < nktypes; i++) {
 	if (!krb5_c_valid_enctype(ktype[i]))
 	    continue;
 
+	if (!krb5_is_permitted_enctype(context, ktype[i]))
+	    continue;
+
 	if (dbentry_supports_enctype(context, server, ktype[i]))
 	    return ktype[i];
     }
@@ -1477,17 +1438,14 @@
  * This function returns salt information for a particular client_key
  */
 krb5_error_code
-get_salt_from_key(context, client, client_key, salt)
-    krb5_context	       	context;
-    krb5_principal		client;
-    krb5_key_data *		client_key;
-    krb5_data *			salt;
+get_salt_from_key(krb5_context context, krb5_principal client,
+		  krb5_key_data *client_key, krb5_data *salt)
 {
     krb5_error_code		retval;
     krb5_data *			realm;
     
     salt->data = 0;
-    salt->length = -1;
+    salt->length = SALT_TYPE_NO_LENGTH;
     
     if (client_key->key_data_ver == 1)
 	return 0;
@@ -1548,3 +1506,82 @@
 	name[i] = '\0';
 	return;
 }
+
+/*
+ * L10_2 = log10(2**x), rounded up; log10(2) ~= 0.301.
+ */
+#define L10_2(x) ((int)(((x * 301) + 999) / 1000))
+
+/*
+ * Max length of sprintf("%ld") for an int of type T; includes leading
+ * minus sign and terminating NUL.
+ */
+#define D_LEN(t) (L10_2(sizeof(t) * CHAR_BIT) + 2)
+
+void
+ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype)
+{
+    int i;
+    char stmp[D_LEN(krb5_enctype) + 1];
+    char *p;
+
+    if (nktypes < 0
+	|| len < (sizeof(" etypes {...}") + D_LEN(int))) {
+	*s = '\0';
+	return;
+    }
+
+    sprintf(s, "%d etypes {", nktypes);
+    for (i = 0; i < nktypes; i++) {
+	sprintf(stmp, "%s%ld", i ? " " : "", (long)ktype[i]);
+	if (strlen(s) + strlen(stmp) + sizeof("}") > len)
+	    break;
+	strcat(s, stmp);
+    }
+    if (i < nktypes) {
+	/*
+	 * We broke out of the loop. Try to truncate the list.
+	 */
+	p = s + strlen(s);
+	while (p - s + sizeof("...}") > len) {
+	    while (p > s && *p != ' ' && *p != '{')
+		*p-- = '\0';
+	    if (p > s && *p == ' ') {
+		*p-- = '\0';
+		continue;
+	    }
+	}
+	strcat(s, "...");
+    }
+    strcat(s, "}");
+    return;
+}
+
+void
+rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep)
+{
+    char stmp[sizeof("ses=") + D_LEN(krb5_enctype)];
+
+    if (len < (3 * D_LEN(krb5_enctype)
+	       + sizeof("etypes {rep= tkt= ses=}"))) {
+	*s = '\0';
+	return;
+    }
+
+    sprintf(s, "etypes {rep=%ld", (long)rep->enc_part.enctype);
+
+    if (rep->ticket != NULL) {
+	sprintf(stmp, " tkt=%ld", (long)rep->ticket->enc_part.enctype);
+	strcat(s, stmp);
+    }
+
+    if (rep->ticket != NULL
+	&& rep->ticket->enc_part2 != NULL
+	&& rep->ticket->enc_part2->session != NULL) {
+	sprintf(stmp, " ses=%ld",
+		(long)rep->ticket->enc_part2->session->enctype);
+	strcat(s, stmp);
+    }
+    strcat(s, "}");
+    return;
+}
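Review bot: The truncation loop in `ktypes2str` can let the closing `strcat` calls write one byte past `len`. After a token and its separating space are stripped, `p` points at the last remaining character rather than at the terminator, so `p - s` is `strlen(s) - 1`. The test `p - s + sizeof("...}") > len` then accepts a string that needs `strlen(s) + 5` bytes when only `strlen(s) + 4` are available. Testing the real length closes the gap: `while (strlen(s) + sizeof("...}") > len) {`. The enctype list presumably comes from a client request, so building the output with `snprintf` and a running offset, in both `ktypes2str` and `rep_etypes2str`, would remove the hand-counted bounds altogether.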
--- a/usr/src/cmd/krb5/krb5kdc/kdc_util.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/kdc_util.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -32,7 +32,7 @@
  */
 
 #ifndef __KRB5_KDC_UTIL__
-#define	__KRB5_KDC_UTIL__
+#define __KRB5_KDC_UTIL__
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
 
@@ -109,21 +109,24 @@
 
 void limit_string (char *name);
 
+void
+ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);
+
+void
+rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
+
 /* do_as_req.c */
 krb5_error_code process_as_req (krb5_kdc_req *,
 					  const krb5_fulladdr *,
-					  int,
 					  krb5_data ** );
 
 /* do_tgs_req.c */
 krb5_error_code process_tgs_req (krb5_data *,
 					   const krb5_fulladdr *,
-					   int, 
 					   krb5_data ** );
 /* dispatch.c */
 krb5_error_code dispatch (krb5_data *,
 				    const krb5_fulladdr *,
-				    int,
 				    krb5_data **);
 
 /* main.c */
@@ -166,13 +169,7 @@
 					    krb5_data **);
 void kdc_insert_lookaside (krb5_data *, const krb5_fulladdr *,
 				     krb5_data *);
-
-/* sock2p.c */
-#ifndef HAVE_INET_NTOP
-/* It's provided by sock2p.c in this case.  */
-extern const char *inet_ntop (int, const void *, char *, size_t);
-#endif
-extern void sockaddr2p (const struct sockaddr *, char *, size_t, int *);
+void kdc_free_lookaside(krb5_context);
 
 /* which way to convert key? */
 #define CONVERT_INTO_DB	0
@@ -185,8 +182,9 @@
 #ifdef KRB5_KRB4_COMPAT
 krb5_error_code process_v4 (const krb5_data *,
 				      const krb5_fulladdr *,
-				      int is_secondary,
 				      krb5_data **);
+void process_v4_mode (const char *, const char *);
+void enable_v4_crossrealm(char *);
 #else
 #define process_v4(foo,bar,quux,foobar)	KRB5KRB_AP_ERR_BADVERSION
 #endif
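Review bot: The `#else` fallback `#define process_v4(foo,bar,quux,foobar)` still takes four arguments, while this hunk drops `is_secondary` and leaves the real prototype with three. A build without `KRB5_KRB4_COMPAT` would then fail to expand any three-argument call, unless every caller sits inside the same `#ifdef` (not visible here). I would change the macro to `#define process_v4(foo,bar,quux)	KRB5KRB_AP_ERR_BADVERSION` so both branches agree.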
--- a/usr/src/cmd/krb5/krb5kdc/main.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/main.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -53,7 +53,13 @@
 #include <netinet/in.h>
 #endif
 
-kdc_realm_t *find_realm_data (char *, krb5_ui_4);
+#ifdef KRB5_KRB4_COMPAT
+#include <des.h>
+#endif
+
+#if defined(NEED_DAEMON_PROTO)
+extern int daemon(int, int);
+#endif
 
 void usage (char *);
 
@@ -84,9 +90,7 @@
  * Find the realm entry for a given realm.
  */
 kdc_realm_t *
-find_realm_data(rname, rsize)
-    char 	*rname;
-    krb5_ui_4	rsize;
+find_realm_data(char *rname, krb5_ui_4 rsize)
 {
     int i;
     for (i=0; i<kdc_numrealms; i++) {
@@ -98,8 +102,7 @@
 }
 
 krb5_error_code
-setup_server_realm(sprinc)
-    krb5_principal	sprinc;
+setup_server_realm(krb5_principal sprinc)
 {
     krb5_error_code	kret;
     kdc_realm_t		*newrealm;
@@ -118,8 +121,7 @@
 }
 
 static void
-finish_realm(rdp)
-    kdc_realm_t *rdp;
+finish_realm(kdc_realm_t *rdp)
 {
     if (rdp->realm_dbname)
 	free(rdp->realm_dbname);
@@ -131,8 +133,6 @@
 	free(rdp->realm_ports);
     if (rdp->realm_tcp_ports)
 	free(rdp->realm_tcp_ports);
-    if (rdp->realm_kstypes)
-	free(rdp->realm_kstypes);
     if (rdp->realm_keytab)
 	krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
     if (rdp->realm_context) {
@@ -142,15 +142,12 @@
 	    memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length);
 	    free(rdp->realm_mkey.contents);
 	}
-	if (rdp->realm_tgskey.length && rdp->realm_tgskey.contents) {
-	    memset(rdp->realm_tgskey.contents, 0, rdp->realm_tgskey.length);
-	    free(rdp->realm_tgskey.contents);
-	}
 	krb5_db_fini(rdp->realm_context);
 	if (rdp->realm_tgsprinc)
 	    krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc);
 	krb5_free_context(rdp->realm_context);
     }
+    memset((char *) rdp, 0, sizeof(*rdp));
     free(rdp);
 }
 
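Review bot: `memset((char *) rdp, 0, sizeof(*rdp));` directly before `free(rdp)` is a dead store to the compiler and may be removed when optimising. The same holds for the existing `memset` of `rdp->realm_mkey.contents` a few lines up. Since the purpose is to scrub the master key and realm state, route both through a zeroizing helper that cannot be elided: `explicit_bzero` or `memset_s` where the platform provides one, otherwise a small wrapper that writes through a `volatile` pointer. The start of `finish_realm` is outside this hunk.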
@@ -162,32 +159,14 @@
  * realm data and we should be all set to begin operation for that realm.
  */
 static krb5_error_code
-init_realm(progname, rdp, realm, def_dbname, def_mpname,
-		 def_enctype, def_udp_ports, def_tcp_ports, def_manual)
-    char		*progname;
-    kdc_realm_t		*rdp;
-    char		*realm;
-    char		*def_dbname;
-    char		*def_mpname;
-    krb5_enctype	def_enctype;
-    char		*def_udp_ports;
-    char		*def_tcp_ports;
-    krb5_boolean	def_manual;
+init_realm(char *progname, kdc_realm_t *rdp, char *realm, char *def_dbname,
+	   char *def_mpname, krb5_enctype def_enctype, char *def_udp_ports,
+	   char *def_tcp_ports, krb5_boolean def_manual)
 {
     krb5_error_code	kret;
     krb5_boolean	manual;
-    krb5_db_entry	db_entry;
-    int			num2get;
-    krb5_boolean	more;
-    krb5_boolean	db_inited;
     krb5_realm_params	*rparams;
-    krb5_key_data	*kdata;
-    krb5_key_salt_tuple	*kslist;
-    krb5_int32		nkslist;
-    int			i;
-    krb5_deltat		now, krb5_kdb_max_time;
 
-    db_inited = 0;
     memset((char *) rdp, 0, sizeof(kdc_realm_t));
     if (!realm) {
 	kret = EINVAL;
@@ -208,7 +187,7 @@
 	com_err(progname, kret, gettext("while reading realm parameters"));
 	goto whoops;
     }
-
+    
     /* Handle profile file name */
     if (rparams && rparams->realm_profile)
 	rdp->realm_profile = strdup(rparams->realm_profile);
@@ -249,50 +228,20 @@
 	rdp->realm_mkey.enctype = (krb5_enctype) rparams->realm_enctype;
     else
 	rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN;
-    if ((kret = krb5_timeofday(rdp->realm_context, &now))) {
-	com_err(progname, kret, gettext("while getting timeofday"));
-	goto whoops;
-    }
+
+    /* Handle reject-bad-transit flag */
+    if (rparams && rparams->realm_reject_bad_transit_valid)
+	rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit;
+    else
+	rdp->realm_reject_bad_transit = 1;
 
     /* Handle ticket maximum life */
-    if (rparams && rparams->realm_max_life_valid)
-   	rdp->realm_maxlife = rparams->realm_max_life;
-    else
-	rdp->realm_maxlife = KRB5_KDB_EXPIRATION - now - 3600;
+    rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ?
+	rparams->realm_max_life : KRB5_KDB_MAX_LIFE;
 
     /* Handle ticket renewable maximum life */
-    if (rparams && rparams->realm_max_rlife_valid)
-   	rdp->realm_maxrlife = rparams->realm_max_rlife;
-    else
-   	rdp->realm_maxrlife = KRB5_KDB_EXPIRATION - now - 3600;
-
-    /* Handle key/salt list */
-    if (rparams && rparams->realm_num_keysalts) {
-	rdp->realm_kstypes = rparams->realm_keysalts;
-	rdp->realm_nkstypes = rparams->realm_num_keysalts;
-	rparams->realm_keysalts = NULL;
-	rparams->realm_num_keysalts = 0;
-	kslist = (krb5_key_salt_tuple *) rdp->realm_kstypes;
-	nkslist = rdp->realm_nkstypes;
-    } else {
-	/*
-	 * XXX  Initialize default key/salt list.
-	 */
-	if ((kslist = (krb5_key_salt_tuple *)
-	     malloc(sizeof(krb5_key_salt_tuple)))) {
-	    kslist->ks_enctype = ENCTYPE_DES_CBC_CRC;
-	    kslist->ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
-	    rdp->realm_kstypes = kslist;
-	    rdp->realm_nkstypes = 1;
-	    nkslist = 1;
-	}
-	else {
-	    com_err(progname, ENOMEM,
-		    gettext("while setting up key/salt list for realm %s"),
-		    realm);
-	    exit(1);
-	}
-    }
+    rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ?
+	rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
 
     if (rparams)
 	krb5_free_realm_params(rdp->realm_context, rparams);
@@ -344,8 +293,7 @@
 		gettext("while initializing database "),
 		gettext("for realm %s"), realm);
 	goto whoops;
-    } else
-	db_inited = 1;
+    }
 
     /* Verify the master key */
     if ((kret = krb5_db_verify_master_key(rdp->realm_context,
@@ -357,52 +305,6 @@
 	goto whoops;
     }
 
-    /* Fetch the master key and get its version number */
-    num2get = 1;
-    kret = krb5_db_get_principal(rdp->realm_context, rdp->realm_mprinc,
-				 &db_entry, &num2get, &more);
-    if (!kret) {
-	if (num2get != 1)
-	    kret = KRB5_KDB_NOMASTERKEY;
-	else {
-	    if (more) {
-		krb5_db_free_principal(rdp->realm_context,
-				       &db_entry,
-				       num2get);
-		kret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-	    }
-	}
-    }
-    if (kret) {
-	com_err(progname, kret,
-		gettext("while fetching master entry for realm %s"),
-		realm);
-	goto whoops;
-    }
-	
-    /*
-     * Get the most recent master key.  Search the key list in
-     * the order specified by the key/salt list.
-     */
-    kdata = (krb5_key_data *) NULL;
-    for (i=0; i<nkslist; i++) {
-	if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,
-					   &db_entry,
-					   kslist[i].ks_enctype,
-					   -1,
-					   -1,
-					   &kdata)))
-	    break;
-    }
-    if (!kdata) {
-	com_err(progname, kret,
-		gettext("while finding master key for realm %s"),
-		realm);
-	goto whoops;
-    }
-    rdp->realm_mkvno = kdata->key_data_kvno;
-    krb5_db_free_principal(rdp->realm_context, &db_entry, num2get);
-
     if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) {
 	com_err(progname, kret,
 		gettext("while processing master key for realm %s"),
@@ -411,8 +313,7 @@
     }
 
     /* Set up the keytab */
-    if ((kret = krb5_ktkdb_resolve(rdp->realm_context, 
-				   NULL,
+    if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL,
 				   &rdp->realm_keytab))) {
 	com_err(progname, kret,
 		gettext("while resolving kdb keytab for realm %s"),
@@ -430,68 +331,7 @@
 	goto whoops;
     }
 
-    /* Get the TGS database entry */
-    num2get = 1;
-    if (!(kret = krb5_db_get_principal(rdp->realm_context,
-				       rdp->realm_tgsprinc,
-				       &db_entry,
-				       &num2get,
-				       &more))) {
-	if (num2get != 1)
-	    kret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-	else {
-	    if (more) {
-		krb5_db_free_principal(rdp->realm_context,
-				       &db_entry,
-				       num2get);
-		kret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-	    }
-	}
-    }
-    if (kret) {
-	com_err(progname, kret,
-		gettext("while fetching TGS entry for realm %s"),
-		realm);
-	goto whoops;
-    } 
-    /*
-     * Get the most recent TGS key.  Search the key list in
-     * the order specified by the key/salt list.
-     */
-    kdata = (krb5_key_data *) NULL;
-    for (i=0; i<nkslist; i++) {
-	if (!(kret = krb5_dbe_find_enctype(rdp->realm_context,
-					   &db_entry,
-					   kslist[i].ks_enctype,
-					   -1,
-					   -1,
-					   &kdata)))
-	    break;
-    }
-    if (!kdata) {
-	com_err(progname, kret,
-		gettext("while finding TGS key for realm %s"),
-		realm);
-	goto whoops;
-    }
-    if (!(kret = krb5_dbekd_decrypt_key_data(rdp->realm_context,
-					     &rdp->realm_mkey,
-					     kdata,
-					     &rdp->realm_tgskey, NULL))){
-	rdp->realm_tgskvno = kdata->key_data_kvno;
-    }
-    krb5_db_free_principal(rdp->realm_context,
-			   &db_entry,
-			   num2get);
-    if (kret) {
-	com_err(progname, kret,
-		gettext("while decrypting TGS key for realm %s"),
-		realm);
-	goto whoops;
-    }
-
     if (!rkey_init_done) {
-	krb5_timestamp now;
 	krb5_data seed;
 #ifdef KRB5_KRB4_COMPAT
 	krb5_keyblock temp_key;
@@ -501,18 +341,14 @@
 	 * generators.
 	 */
 
-	if ((kret = krb5_timeofday(rdp->realm_context, &now)))
-	    goto whoops;
-	seed.length = sizeof(now);
-	seed.data = (char *) &now;
-	if ((kret = krb5_c_random_seed(rdp->realm_context, &seed)))
-	    goto whoops;
-
 	seed.length = rdp->realm_mkey.length;
 	seed.data = (char *)rdp->realm_mkey.contents;
-
-	if ((kret = krb5_c_random_seed(rdp->realm_context, &seed)))
+/* SUNW14resync - XXX */
+#if 0
+	if ((kret = krb5_c_random_add_entropy(rdp->realm_context,
+					     KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed)))
 	    goto whoops;
+#endif
 
 #ifdef KRB5_KRB4_COMPAT
 	if ((kret = krb5_c_make_random_key(rdp->realm_context,
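Review bot: With `krb5_c_random_add_entropy` wrapped in `#if 0` and both earlier `krb5_c_random_seed` calls removed, this block no longer feeds anything into the PRNG, yet `seed.length` and `seed.data` are still pointed at the master key contents. Whether the library seeds itself from the OS before `krb5_c_make_random_key` runs cannot be seen from here. The `/* SUNW14resync - XXX */` marker should become a comment that says where the entropy now comes from and why the call is disabled, e.g. `/* PRNG seeded by <mechanism>; explicit seeding disabled pending <tracking id> */`. If the call is not coming back, drop the two `seed` assignments as well. `init_realm` begins and ends outside this hunk.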
@@ -532,14 +368,14 @@
      * If we choked, then clean up any dirt we may have dropped on the floor.
      */
     if (kret) {
+        
 	finish_realm(rdp);
     }
     return(kret);
 }
 
 krb5_sigtype
-request_exit(signo)
-    int signo;
+request_exit(int signo)
 {
     signal_requests_exit = 1;
 
@@ -551,8 +387,7 @@
 }
 
 krb5_sigtype
-request_hup(signo)
-    int signo;
+request_hup(int signo)
 {
     signal_requests_hup = 1;
 
@@ -564,7 +399,7 @@
 }
 
 void
-setup_signal_handlers()
+setup_signal_handlers(void)
 {
 #ifdef POSIX_SIGNALS
     (void) sigemptyset(&s_action.sa_mask);
@@ -584,24 +419,20 @@
 }
 
 krb5_error_code
-setup_sam()
+setup_sam(void)
 {
     return krb5_c_make_random_key(kdc_context, ENCTYPE_DES_CBC_MD5, &psr_key);
 }
 
 void
-usage(name)
-char *name;
+usage(char *name)
 {
     fprintf(stderr, gettext("usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-n]\n"), name);
     return;
 }
 
 void
-initialize_realms(kcontext, argc, argv)
-    krb5_context 	kcontext;
-    int			argc;
-    char		**argv;
+initialize_realms(krb5_context kcontext, int argc, char **argv)
 {
     int 		c;
     char		*db_name = (char *) NULL;
@@ -620,10 +451,6 @@
     char                *v4mode = 0;
 #endif
     extern char *optarg;
-#ifdef ATHENA_DES3_KLUDGE
-    extern struct krb5_keytypes krb5_enctypes_list[];
-    extern int krb5_enctypes_length;
-#endif
 
     if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) {
 	hierarchy[0] = "kdcdefaults";
@@ -715,19 +542,11 @@
 	    v4mode = strdup(optarg);
 #endif
 	    break;
-	case '3':
-#ifdef ATHENA_DES3_KLUDGE
-	    if (krb5_enctypes_list[krb5_enctypes_length-1].etype
-		!= ENCTYPE_LOCAL_DES3_HMAC_SHA1) {
-		fprintf(stderr,
-			"internal inconsistency in enctypes_list"
-			" while disabling\n"
-			"des3-marc-hmac-sha1 enctype\n");
-		exit(1);
-	    }
-	    krb5_enctypes_length--;
-	    break;
+	case 'X':
+#ifdef KRB5_KRB4_COMPAT
+		enable_v4_crossrealm(argv[0]);
 #endif
+		break;
 	case '?':
 	default:
 	    usage(argv[0]);
@@ -750,6 +569,8 @@
 	if ((retval = krb5_get_default_realm(kcontext, &lrealm))) {
 	    com_err(argv[0], retval,
 		gettext("while attempting to retrieve default realm"));
+	    fprintf (stderr, "%s: %s, %s", argv[0], error_message (retval),
+	        gettext("attempting to retrieve default realm\n"));
 	    exit(1);
 	}
 	if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
@@ -771,7 +592,8 @@
      * Now handle the replay cache.
      */
     if ((retval = kdc_initialize_rcache(kcontext, rcname))) {
-	com_err(argv[0], retval, gettext("while initializing KDC replay cache"));
+	com_err(argv[0], retval, gettext("while initializing KDC replay cache '%s'"),
+		rcname);
 	exit(1);
     }
 #endif
@@ -787,8 +609,7 @@
 }
 
 void
-finish_realms(prog)
-    char *prog;
+finish_realms(char *prog)
 {
     int i;
 
@@ -824,13 +645,10 @@
  exit
  */
 
-int main(argc, argv)
-     int argc;
-     char *argv[];
+int main(int argc, char **argv)
 {
     krb5_error_code	retval;
     krb5_context	kcontext;
-    int			*port_list;
     int errout = 0;
 
     (void) setlocale(LC_ALL, "");
@@ -851,7 +669,6 @@
     }
     memset((char *) kdc_realmlist, 0,
 	   (size_t) (sizeof(kdc_realm_t *) * KRB5_KDC_MAX_REALMS));
-    port_list = NULL;
 
     /*
      * A note about Kerberos contexts: This context, "kcontext", is used
@@ -874,7 +691,8 @@
 
     setup_signal_handlers();
 
-    if (retval = setup_sam()) {
+    retval = setup_sam();
+    if (retval) {
 	com_err(argv[0], retval, gettext("while initializing SAM"));
 	finish_realms(argv[0]);
 	return 1;
@@ -906,6 +724,18 @@
     krb5_klog_syslog(LOG_INFO, "shutting down");
     krb5_klog_close(kdc_context);
     finish_realms(argv[0]);
+    if (kdc_realmlist) 
+      free(kdc_realmlist);
+#ifdef USE_RCACHE
+    (void) krb5_rc_close(kcontext, kdc_rcache);
+#endif
+#ifndef NOCACHE
+    kdc_free_lookaside(kcontext);
+#endif
     krb5_free_context(kcontext);
     return errout;
 }
+
+
+
+
--- a/usr/src/cmd/krb5/krb5kdc/network.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/network.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -93,8 +93,7 @@
     }
 }
 
-static int 
-ipv6_enabled()
+static int ipv6_enabled()
 {
 #ifdef KRB5_USE_INET6
     static int result = -1;
@@ -107,9 +106,9 @@
 	} else
 	    result = 0;
     }
-    return (result);
+    return result;
 #else
-    return (0);
+    return 0;
 #endif
 }
 
@@ -127,7 +126,7 @@
 }
 #endif
 
-
+
 static const char *paddr (struct sockaddr *sa)
 {
     static char buf[100];
@@ -137,7 +136,7 @@
 		    NI_NUMERICHOST|NI_NUMERICSERV))
 	strcpy(buf, "<unprintable>");
     else {
-	int len = sizeof(buf) - strlen(buf);
+	unsigned int len = sizeof(buf) - strlen(buf);
 	char *p = buf + strlen(buf);
 	if (len > 2+strlen(portbuf)) {
 	    *p++ = '.';
@@ -150,10 +149,12 @@
 
 /* KDC data.  */
 
+enum kdc_conn_type { CONN_UDP, CONN_TCP_LISTENER, CONN_TCP };
+
 /* Per-connection info.  */
 struct connection {
     int fd;
-    enum { CONN_UDP, CONN_TCP_LISTENER, CONN_TCP } type;
+    enum kdc_conn_type type;
     void (*service)(struct connection *, const char *, int);
     /* Solaris Kerberos: for auditing */
     in_port_t port; /* local port */
@@ -189,7 +190,7 @@
     } u;
 };
 
-
+
 #define SET(TYPE) struct { TYPE *data; int n, max; }
 
 /* Start at the top and work down -- this should allow for deletions
@@ -270,10 +271,12 @@
     return 0;
 }
 
+
 #define USE_AF AF_INET
 #define USE_TYPE SOCK_DGRAM
 #define USE_PROTO 0
 #define SOCKET_ERRNO errno
+#include "foreachaddr.h"
 
 struct socksetup {
     const char *prog;
@@ -281,7 +284,7 @@
 };
 
 static struct connection *
-add_fd (struct socksetup *data, int sock, int conntype,
+add_fd (struct socksetup *data, int sock, enum kdc_conn_type conntype,
 	void (*service)(struct connection *, const char *, int))
 {
     struct connection *newconn;
@@ -305,7 +308,6 @@
     newconn->type = conntype;
     newconn->fd = sock;
     newconn->service = service;
-
     return newconn;
 }
 
@@ -340,11 +342,8 @@
     FOREACH_ELT(connections, i, conn)
 	if (conn == xconn) {
 	    DEL(connections, i);
-	    /* Solaris kerberos: fix memory leak */
-	    free(xconn);
-	    return;
+	    break;
 	}
-
     free(xconn);
 }
 
@@ -354,7 +353,7 @@
     static const int one = 1;
     return ioctlsocket(sock, FIONBIO, (const void *)&one);
 }
-
+
 static int
 setnolinger(int s)
 {
@@ -478,8 +477,8 @@
 	    if (add_tcp_listener_fd(data, s4) == 0)
 		close(s4);
 	    else
-		krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s port %d",
-				 s4, paddr((struct sockaddr *)&sin4), port);
+		krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
+				 s4, paddr((struct sockaddr *)&sin4));
 	}
 #ifdef KRB5_USE_INET6
 	if (s6 >= 0) {
@@ -490,8 +489,8 @@
 		close(s6);
 		s6 = -1;
 	    } else
-		krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s port %d",
-				 s6, paddr((struct sockaddr *)&sin6), port);
+		krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
+				 s6, paddr((struct sockaddr *)&sin6));
 	    if (s4 < 0)
 		krb5_klog_syslog(LOG_INFO,
 				 "assuming IPv6 socket accepts IPv4");
@@ -537,6 +536,10 @@
     case AF_LINK:
 	return 0;
 #endif
+#ifdef AF_DLI /* Direct Link Interface - DEC Ultrix/OSF1 link layer? */
+    case AF_DLI:
+	return 0;
+#endif
     default:
 	krb5_klog_syslog (LOG_INFO,
 			  "skipping unrecognized local address family %d",
@@ -564,8 +567,8 @@
 	FD_SET (sock, &sstate.rfds);
 	if (sock >= sstate.max)
 	    sstate.max = sock + 1;
-	krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s port %d", sock,
-			  paddr((struct sockaddr *)addr), port);
+	krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s", sock,
+			  paddr((struct sockaddr *)addr));
 	if (add_udp_fd (data, sock) == 0)
 	    return 1;
     }
@@ -617,6 +620,8 @@
 }
 #endif
 
+/* XXX */
+extern int krb5int_debug_sendto_kdc;
 extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
 
 krb5_error_code
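Review bot: The `/* XXX */` marker does not say what is unresolved, and `extern int krb5int_debug_sendto_kdc;` is declared by hand in this .c file, so the compiler cannot catch a later type change in the library. The only use visible in this diff is the commented-out assignment in the next hunk (`/*    krb5int_debug_sendto_kdc = 1; */`). Either drop both lines, or replace the marker with a comment that states the reason, for example `/* Debug hooks from the krb5 library, declared here by hand; keep in sync with the library. */`. Whether a header already declares these symbols cannot be told from this hunk.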
@@ -632,6 +637,7 @@
     FD_ZERO(&sstate.xfds);
     sstate.max = 0;
 
+/*    krb5int_debug_sendto_kdc = 1; */
     krb5int_sendtokdc_debug_handler = klog_handler;
 
     /* Handle each realm's ports */
@@ -732,7 +738,7 @@
     krb5_data *response;
     char pktbuf[MAX_DGRAM_SIZE];
     int port_fd = conn->fd;
-    
+
     response = NULL;
     saddr_len = sizeof(saddr);
     cc = recvfrom(port_fd, pktbuf, sizeof(pktbuf), 0,
@@ -755,7 +761,7 @@
     faddr.address = &addr;
     init_addr(&faddr, ss2sa(&saddr));
     /* this address is in net order */
-    if ((retval = dispatch(&request, &faddr, conn->port, &response))) {
+    if ((retval = dispatch(&request, &faddr, &response))) {
 	com_err(prog, retval, gettext("while dispatching (udp)"));
 	return;
     }
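Review bot: The local port is no longer handed to `dispatch()` here, nor in the TCP path (`dispatch(&request, &conn->u.tcp.faddr, &conn->u.tcp.response)` in process_tcp_connection), yet `struct connection` still carries `in_port_t port; /* local port */` under the "Solaris Kerberos: for auditing" comment. If the audit records were built from that argument, they now lack the local port; if they were not, the field is dead weight. The definition of dispatch is outside this hunk, so this is a question rather than a finding. Either remove the field, or add a comment at the field naming the code that still reads it.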
@@ -826,6 +832,10 @@
 	    strcpy(p, tmpbuf);
 	}
     }
+#if 0
+    krb5_klog_syslog(LOG_INFO, "accepted TCP connection on socket %d from %s",
+		     s, newconn->u.tcp.addrbuf);
+#endif
 
     newconn->u.tcp.addr_s = addr_s;
     newconn->u.tcp.addrlen = addrlen;
@@ -865,6 +875,7 @@
 		newconn->u.tcp.addrbuf);
 	delete_fd(newconn);
 	close(s);
+	tcp_data_counter--;
 	return;
     }
     newconn->u.tcp.offset = 0;
@@ -896,24 +907,20 @@
 	    sstate.max--;
     close(conn->fd);
     conn->fd = -1;
+    delete_fd(conn);
     tcp_data_counter--;
-    /* Solaris kerberos: fix memory leak */
-    delete_fd(conn);
 }
 
 static void
 process_tcp_connection(struct connection *conn, const char *prog, int selflags)
 {
-
     if (selflags & SSF_WRITE) {
 	ssize_t nwrote;
 	SOCKET_WRITEV_TEMP tmp;
-	krb5_error_code e;
 
 	nwrote = SOCKET_WRITEV(conn->fd, conn->u.tcp.sgp, conn->u.tcp.sgnum,
 			       tmp);
 	if (nwrote < 0) {
-	    e = SOCKET_ERRNO;
 	    goto kill_tcp_connection;
 	}
 	if (nwrote == 0)
@@ -991,11 +998,10 @@
 	    conn->u.tcp.offset += nread;
 	    if (conn->u.tcp.offset < conn->u.tcp.msglen + 4)
 		return;
-
 	    /* have a complete message, and exactly one message */
 	    request.length = conn->u.tcp.msglen;
 	    request.data = conn->u.tcp.buffer + 4;
-	    err = dispatch(&request, &conn->u.tcp.faddr, conn->port,
+	    err = dispatch(&request, &conn->u.tcp.faddr,
 			   &conn->u.tcp.response);
 	    if (err) {
 		com_err(prog, err, gettext("while dispatching (tcp)"));
@@ -1083,6 +1089,11 @@
 	if (conn->fd >= 0)
 	    (void) close(conn->fd);
 	DEL (connections, i);
+	/* There may also be per-connection data in the tcp structure
+	   (tcp.buffer, tcp.response) that we're not freeing here.
+	   That should only happen if we quit with a connection in
+	   progress.  */
+	free(conn);
     }
     FREE_SET_DATA(connections);
     FREE_SET_DATA(udp_port_data);
--- a/usr/src/cmd/krb5/krb5kdc/policy.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/policy.c	Sat Oct 07 13:37:05 2006 -0700
@@ -33,12 +33,9 @@
 #include "kdc_util.h"
 
 int
-against_local_policy_as(request, client, server, kdc_time, status)
-register krb5_kdc_req *request;
-krb5_db_entry client;
-krb5_db_entry server;
-krb5_timestamp kdc_time;
-const char	**status;
+against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
+			krb5_db_entry server, krb5_timestamp kdc_time,
+			const char **status)
 {
 #if 0
      /* An AS request must include the addresses field */
@@ -55,11 +52,8 @@
  * This is where local policy restrictions for the TGS should placed.
  */
 krb5_error_code
-against_local_policy_tgs(request, server, ticket, status)
-register krb5_kdc_req *request;
-krb5_db_entry server;
-krb5_ticket *ticket;
-const char **status;
+against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
+			 krb5_ticket *ticket, const char **status)
 {
 #if 0
     /*
--- a/usr/src/cmd/krb5/krb5kdc/replay.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/krb5kdc/replay.c	Sat Oct 07 13:37:05 2006 -0700
@@ -74,10 +74,8 @@
    FALSE if the caller should do the work */
 
 krb5_boolean
-kdc_check_lookaside(inpkt, from, outpkt)
-    register krb5_data *inpkt;
-    register const krb5_fulladdr *from;
-    register krb5_data **outpkt;
+kdc_check_lookaside(krb5_data *inpkt, const krb5_fulladdr *from,
+		    krb5_data **outpkt)
 {
     krb5_int32 timenow;
     register krb5_kdc_replay_ent *eptr, *last, *hold;
@@ -130,10 +128,8 @@
    already there, and can fail softly due to other weird errors. */
 
 void
-kdc_insert_lookaside(inpkt, from, outpkt)
-    register krb5_data *inpkt;
-    register const krb5_fulladdr *from;
-    register krb5_data *outpkt;
+kdc_insert_lookaside(krb5_data *inpkt, const krb5_fulladdr *from,
+		     krb5_data *outpkt)
 {
     register krb5_kdc_replay_ent *eptr;    
     krb5_int32 timenow;
@@ -175,4 +171,23 @@
     return;
 }
 
+/* frees memory associated with the lookaside queue for memory profiling */
+void
+kdc_free_lookaside(krb5_context kcontext)
+{
+    register krb5_kdc_replay_ent *eptr, *last, *hold;
+    if (root_ptr.next) {
+        for (last = &root_ptr, eptr = root_ptr.next;
+	     eptr; eptr = eptr->next) {
+		krb5_free_data(kcontext, eptr->req_packet);
+		krb5_free_data(kcontext, eptr->reply_packet);
+		krb5_free_address(kcontext, eptr->addr);
+		hold = eptr;
+		last->next = eptr->next;
+		eptr = last;
+		free(hold);
+	}
+    }
+}
+
 #endif /* NOCACHE */
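Review bot: The loop in `kdc_free_lookaside` is correct only because `eptr` is reset to `last` (always `&root_ptr`) before `free(hold)`, so the for-increment re-reads `root_ptr.next` instead of the freed entry. That is easy to misread as a use-after-free and easy to break in a later edit. The outer `if (root_ptr.next)` repeats the loop condition, and `last` never changes. A head-pop loop does the same work with one pointer and no reset trick, as sketched below. A one-line header comment saying the function is meant for shutdown would also help.

```c
kdc_free_lookaside(krb5_context kcontext)
{
    krb5_kdc_replay_ent *eptr;

    /* Pop entries off the head until the queue is empty. */
    while ((eptr = root_ptr.next) != NULL) {
	root_ptr.next = eptr->next;
	krb5_free_data(kcontext, eptr->req_packet);
	krb5_free_data(kcontext, eptr->reply_packet);
	krb5_free_address(kcontext, eptr->addr);
	free(eptr);
    }
}
```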
--- a/usr/src/cmd/krb5/slave/kprop.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/slave/kprop.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -36,7 +36,6 @@
 
 #include <errno.h>
 #include <stdio.h>
-#include <stdlib.h>
 #include <ctype.h>
 #include <sys/file.h>
 #include <signal.h>
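Review bot: Dropping `#include <stdlib.h>` leaves this file calling `malloc`, `free`, `exit` and `mktemp` (all visible in later hunks) without a directly included prototype. If no other header in the include list pulls in stdlib.h, which cannot be confirmed from this hunk, `malloc` is implicitly declared as returning `int` and its result is truncated on LP64 builds. Keeping `#include <stdlib.h>` is harmless and removes the dependency on indirect includes.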
@@ -73,27 +72,27 @@
 krb5_address	receiver_addr;
 
 void	PRS
-	 (int, char **);
+	(int, char **);
 void	get_tickets
-	 (krb5_context);
+	(krb5_context);
 static void usage 
-	 (void);
+	(void);
 krb5_error_code open_connection 
-	(char *, int *, char *, int);
+	(char *, int *, char *, unsigned int);
 void	kerberos_authenticate 
-	 (krb5_context, krb5_auth_context *, 
+	(krb5_context, krb5_auth_context *, 
 		   int, krb5_principal, krb5_creds **);
 int	open_database 
-	 (krb5_context, char *, int *);
+	(krb5_context, char *, int *);
 void	close_database 
-	 (krb5_context, int);
+	(krb5_context, int);
 void	xmit_database 
-	 (krb5_context, krb5_auth_context, krb5_creds *, 
+	(krb5_context, krb5_auth_context, krb5_creds *, 
 		   int, int, int);
 void	send_error 
-	 (krb5_context, krb5_creds *, int, char *, krb5_error_code);
+	(krb5_context, krb5_creds *, int, char *, krb5_error_code);
 void	update_last_prop_file 
-	 (char *, char *);
+	(char *, char *);
 
 static void usage()
 {
@@ -134,7 +133,8 @@
 	get_tickets(context);
 
 	database_fd = open_database(context, file, &database_size);
-	if (retval = open_connection(slave_host, &fd, Errmsg, sizeof(Errmsg))) {
+	retval = open_connection(slave_host, &fd, Errmsg, sizeof(Errmsg));
+	if (retval) {
 		com_err(progname, retval, gettext("%s while opening connection to %s"),
 			Errmsg, slave_host);
 		exit(1);
@@ -155,6 +155,7 @@
 	close_database(context, database_fd);
 	exit(0);
 }
+
 void PRS(argc, argv)
 	int	argc;
 	char	**argv;
@@ -202,16 +203,12 @@
 		slave_host = *argv;
 			else
 		usage();
-				
 }
 
 void get_tickets(context)
     krb5_context context;
 {
-	char   my_host_name[MAXHOSTNAMELEN];
 	char   buf[BUFSIZ];
-	char   *cp;
-	struct hostent *hp;
 	krb5_error_code retval;
 	static char tkstring[] = "/tmp/kproptktXXXXXX";
 	krb5_keytab keytab = NULL;
@@ -262,11 +259,13 @@
 	    com_err(progname, errno, gettext("while setting client principal name"));
 	    exit(1);
 	}
-
 	if (realm) {
-	    (void) krb5_xfree(krb5_princ_realm(context, my_principal)->data);
-	    krb5_princ_set_realm_length(context, my_principal, strlen(realm));
-	    krb5_princ_set_realm_data(context, my_principal, strdup(realm));
+	    retval = krb5_set_principal_realm(context, my_principal, realm);
+	    if (retval) {
+	        com_err(progname, errno,
+			 gettext("while setting client principal realm"));
+		exit(1);
+	    }
 	}
 #if 0
 	krb5_princ_type(context, my_principal) = KRB5_NT_PRINCIPAL;
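Review bot: The new failure branch after `krb5_set_principal_realm` passes `errno` to com_err instead of the `retval` it has just tested, so the message printed may be unrelated to the real failure; a krb5 call need not set errno. It should read `com_err(progname, retval, gettext("while setting client principal realm"));`. The same substitution applies to the "while setting server principal realm" branch later in get_tickets and to the "while constructing my service realm" branch in kpropd.c. get_tickets starts and ends outside this hunk.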
@@ -277,12 +276,16 @@
 	 */
 	(void) mktemp(tkstring);
 	snprintf(buf, sizeof (buf), gettext("FILE:%s"), tkstring);
-	if (retval = krb5_cc_resolve(context, buf, &ccache)) {
+
+	retval = krb5_cc_resolve(context, buf, &ccache);
+	if (retval) {
 		com_err(progname, retval, gettext("while opening credential cache %s"),
 			buf);
 		exit(1);
 	}
-	if (retval = krb5_cc_initialize(context, ccache, my_principal)) {
+
+	retval = krb5_cc_initialize(context, ccache, my_principal);
+	if (retval) {
 		com_err (progname, retval, gettext("when initializing cache %s"),
 			 buf);
 		exit(1);
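Review bot: `(void) mktemp(tkstring);` at the top of this hunk only produces a name under `/tmp` and creates nothing, and its result is discarded. That leaves a window before `krb5_cc_initialize` in which the path is not owned by this process. A failed name generation, which leaves the template as an empty string, also goes unnoticed and yields the cache name `FILE:`. How exposed the window is depends on how the FILE cache type opens the path, which is not visible here. At minimum add `if (tkstring[0] == '\0') { com_err(progname, errno, gettext("while generating ticket cache name")); exit(1); }` after the call, and consider creating the file atomically with `mkstemp` or placing it in a directory only this user can write.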
@@ -303,21 +306,26 @@
 	    exit(1);
 	}
 	if (realm) {
-	    (void) krb5_xfree(krb5_princ_realm(context, creds.server)->data);
-	    krb5_princ_set_realm_length(context, creds.server, strlen(realm));
-	    krb5_princ_set_realm_data(context, creds.server, strdup(realm));
+	    retval = krb5_set_principal_realm(context, creds.server, realm);
+	    if (retval) {
+	        com_err(progname, errno,
+			gettext("while setting server principal realm"));
+		exit(1);
+	    }
 	}
 
 	/*
 	 * Now fill in the client....
 	 */
-	if (retval = krb5_copy_principal(context, my_principal, &creds.client)) {
+	retval = krb5_copy_principal(context, my_principal, &creds.client);
+	if (retval) {
 		com_err(progname, retval, gettext("While copying client principal"));
 		(void) krb5_cc_destroy(context, ccache);
 		exit(1);
 	}
 	if (srvtab) {
-		if (retval = krb5_kt_resolve(context, srvtab, &keytab)) {
+	        retval = krb5_kt_resolve(context, srvtab, &keytab);
+		if (retval) {
 			com_err(progname, retval, gettext("while resolving keytab"));
 			(void) krb5_cc_destroy(context, ccache);
 			exit(1);
@@ -345,12 +353,13 @@
 
 	if (keytab)
 	    (void) krb5_kt_close(context, keytab);
-
+	
 	/*
 	 * Now destroy the cache right away --- the credentials we
 	 * need will be in my_creds.
 	 */
-	if (retval = krb5_cc_destroy(context, ccache)) {
+	retval = krb5_cc_destroy(context, ccache);
+	if (retval) {
 		com_err(progname, retval, gettext("while destroying ticket cache"));
 		exit(1);
 	}
@@ -363,10 +372,10 @@
 
 krb5_error_code
 open_connection(host, fd, Errmsg, ErrmsgSz)
-	char	*host;
-	int	*fd;
-	char	*Errmsg;
-	int	 ErrmsgSz;
+	char		*host;
+	int		*fd;
+	char		*Errmsg;
+	unsigned int	 ErrmsgSz;
 {
 	int	s;
 	krb5_error_code	retval;
@@ -437,7 +446,6 @@
 			freeaddrinfo(aitop);
 		return(retval);
 	}
-	
 	*fd = s;
 
 	/*
@@ -486,43 +494,46 @@
 	krb5_error	*error = NULL;
 	krb5_ap_rep_enc_part	*rep_result;
 
-    if (retval = krb5_auth_con_init(context, auth_context)) 
+    retval = krb5_auth_con_init(context, auth_context);
+    if (retval) 
 	exit(1);
 
     krb5_auth_con_setflags(context, *auth_context, 
 			   KRB5_AUTH_CONTEXT_DO_SEQUENCE);
 
-    if (retval = krb5_auth_con_setaddrs(context, *auth_context, &sender_addr,
-				        &receiver_addr)) {
+    retval = krb5_auth_con_setaddrs(context, *auth_context, &sender_addr,
+				    &receiver_addr);
+    if (retval) {
 	com_err(progname, retval, gettext("in krb5_auth_con_setaddrs"));
 	exit(1);
     }
 
-	if (retval = krb5_sendauth(context, auth_context, (void *)&fd, 
-				   kprop_version, me, creds.server,
-				   AP_OPTS_MUTUAL_REQUIRED, NULL, &creds, NULL,
-				   &error, &rep_result, new_creds)) {
-		com_err(progname, retval, gettext("while authenticating to server"));
-		if (error) {
-			if (error->error == KRB_ERR_GENERIC) {
-				if (error->text.data)
-					fprintf(stderr,
-						gettext("Generic remote error: %s\n"),
-						error->text.data);
-			} else if (error->error) {
-				com_err(progname,
-					error->error + ERROR_TABLE_BASE_krb5,
-					gettext("signalled from server"));
-				if (error->text.data)
-					fprintf(stderr,
-					gettext("Error text from server: %s\n"),
-						error->text.data);
-			}
-			krb5_free_error(context, error);
-		}
-		exit(1);
+    retval = krb5_sendauth(context, auth_context, (void *)&fd, 
+			   kprop_version, me, creds.server,
+			   AP_OPTS_MUTUAL_REQUIRED, NULL, &creds, NULL,
+			   &error, &rep_result, new_creds);
+    if (retval) {
+        com_err(progname, retval, gettext("while authenticating to server"));
+	if (error) {
+	    if (error->error == KRB_ERR_GENERIC) {
+	        if (error->text.data)
+		    fprintf(stderr,
+			    gettext("Generic remote error: %s\n"),
+			    error->text.data);
+	    } else if (error->error) {
+	        com_err(progname,
+			(krb5_error_code) error->error + ERROR_TABLE_BASE_krb5,
+		gettext("signalled from server"));
+		if (error->text.data)
+		    fprintf(stderr,
+			    gettext("Error text from server: %s\n"),
+			    error->text.data);
+	    }
+	    krb5_free_error(context, error);
 	}
-	krb5_free_ap_rep_enc_part(context, rep_result);
+	exit(1);
+    }
+    krb5_free_ap_rep_enc_part(context, rep_result);
 }
 
 char * dbpathname;
@@ -601,7 +612,8 @@
     int fd;
 {
     int err;
-    if (err = krb5_lock_file(context, fd, KRB5_LOCKMODE_UNLOCK))
+    err = krb5_lock_file(context, fd, KRB5_LOCKMODE_UNLOCK);
+    if (err)
 	com_err(progname, err, gettext("while unlocking database '%s'"), dbpathname);
     free(dbpathname);
     (void)close(fd);
@@ -618,20 +630,24 @@
  * will abort the entire operation.
  */
 void
-xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
+xmit_database(context, auth_context, my_creds, fd, database_fd, 
+	      in_database_size)
     krb5_context context;
     krb5_auth_context auth_context;
     krb5_creds *my_creds;
     int	fd;
     int	database_fd;
-    int	database_size;
+    int	in_database_size;
 {
-	krb5_int32	send_size, sent_size, n;
+	krb5_int32	sent_size, n;
 	krb5_data	inbuf, outbuf;
 	char		buf[KPROP_BUFSIZ];
 	krb5_error_code	retval;
 	krb5_error	*error;
-	
+	/* These must be 4 bytes */
+	krb5_ui_4	database_size = in_database_size; 
+	krb5_ui_4	send_size;
+
 	/*
 	 * Send over the size
 	 */
@@ -639,36 +655,42 @@
 	inbuf.data = (char *) &send_size;
 	inbuf.length = sizeof(send_size); /* must be 4, really */
 	/* KPROP_CKSUMTYPE */
-	if (retval = krb5_mk_safe(context, auth_context, &inbuf, 
-				  &outbuf, NULL)) {
+	retval = krb5_mk_safe(context, auth_context, &inbuf, 
+			      &outbuf, NULL);
+	if (retval) {
 		com_err(progname, retval, gettext("while encoding database size"));
 		send_error(context, my_creds, fd, gettext("while encoding database size"), retval);
 		exit(1);
 	}
-	if (retval = krb5_write_message(context, (void *) &fd, &outbuf)) {
+
+	retval = krb5_write_message(context, (void *) &fd, &outbuf);
+	if (retval) {
 		krb5_free_data_contents(context, &outbuf);
 		com_err(progname, retval, gettext("while sending database size"));
 		exit(1);
 	}
 	krb5_free_data_contents(context, &outbuf);
-    /*
-     * Initialize the initial vector.
-     */
-    if (retval = krb5_auth_con_initivector(context, auth_context)) {
-	send_error(context, my_creds, fd, 
+	/*
+	 * Initialize the initial vector.
+	 */
+	retval = krb5_auth_con_initivector(context, auth_context);
+	if (retval) {
+	    send_error(context, my_creds, fd, 
 		   gettext("failed while initializing i_vector"), retval);
-	com_err(progname, retval, gettext("while allocating i_vector"));
-	exit(1);
-    }
+	    com_err(progname, retval, gettext("while allocating i_vector"));
+	    exit(1);
+	}
+ 
 	/*
 	 * Send over the file, block by block....
 	 */
 	inbuf.data = buf;
 	sent_size = 0;
-	while (n = read(database_fd, buf, sizeof(buf))) {
+	while ((n = read(database_fd, buf, sizeof(buf)))) {
 		inbuf.length = n;
-		if (retval = krb5_mk_priv(context, auth_context, &inbuf,
-					  &outbuf, NULL)) {
+		retval = krb5_mk_priv(context, auth_context, &inbuf,
+				      &outbuf, NULL);
+		if (retval) {
 			snprintf(buf, sizeof (buf),
 				gettext("while encoding database block starting at %d"),
 				sent_size);
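Review bot: `while ((n = read(database_fd, buf, sizeof(buf))))` still treats a failed read as data. read() returns -1 on error, which is non-zero, so the body runs with `inbuf.length = n` taken from -1 and `krb5_mk_priv` is called with a wrapped length. The added parentheses silence the compiler warning but keep that behaviour. The condition should be `while ((n = read(database_fd, buf, sizeof(buf))) > 0) {`, followed after the loop by an `if (n < 0)` branch that reports errno through com_err and send_error and exits, like the other failure paths in this function. The loop body and the rest of xmit_database continue outside this hunk.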
@@ -676,7 +698,9 @@
 			send_error(context, my_creds, fd, buf, retval);
 			exit(1);
 		}
-		if (retval = krb5_write_message(context, (void *)&fd,&outbuf)) {
+
+		retval = krb5_write_message(context, (void *)&fd,&outbuf);
+		if (retval) {
 			krb5_free_data_contents(context, &outbuf);
 			com_err(progname, retval,
 				gettext("while sending database block starting at %d"),
@@ -694,11 +718,13 @@
 			   KRB5KRB_ERR_GENERIC);
 		exit(1);
 	}
+
 	/*
 	 * OK, we've sent the database; now let's wait for a success
 	 * indication from the remote end.
 	 */
-	if (retval = krb5_read_message(context, (void *) &fd, &inbuf)) {
+	retval = krb5_read_message(context, (void *) &fd, &inbuf);
+	if (retval) {
 		com_err(progname, retval,
 			gettext("while reading response from server"));
 		exit(1);
@@ -708,7 +734,8 @@
 	 * the error message
 	 */
 	if (krb5_is_krb_error(&inbuf)) {
-		if (retval = krb5_rd_error(context, &inbuf, &error)) {
+ 	        retval = krb5_rd_error(context, &inbuf, &error);
+		if (retval) {
 			com_err(progname, retval,
 				gettext("while decoding error response from server"));
 			exit(1);
@@ -719,7 +746,9 @@
 				gettext("Generic remote error: %s\n"),
 					error->text.data);
 		} else if (error->error) {
-			com_err(progname, error->error + ERROR_TABLE_BASE_krb5,
+			com_err(progname, 
+				(krb5_error_code) error->error + 
+				  ERROR_TABLE_BASE_krb5,
 				gettext("signalled from server"));
 			if (error->text.data)
 				fprintf(stderr,
@@ -729,11 +758,14 @@
 		krb5_free_error(context, error);
 		exit(1);
 	}
-	if (retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL)) {
+
+	retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL);
+	if (retval) {
 		com_err(progname, retval,
 			gettext("while decoding final size packet from server"));
 		exit(1);
 	}
+
 	memcpy((char *)&send_size, outbuf.data, sizeof(send_size));
 	send_size = ntohl(send_size);
 	if (send_size != database_size) {
@@ -770,7 +802,8 @@
 	else
 		text = error_message(err_code);
 	error.text.length = strlen(text) + 1;
-	if (error.text.data = malloc(error.text.length)) {
+	error.text.data = malloc((unsigned int) error.text.length);
+	if (error.text.data) {
 		strcpy(error.text.data, text);
 		if (!krb5_mk_error(context, &error, &outbuf)) {
 			(void) krb5_write_message(context, (void *)&fd,&outbuf);
@@ -804,8 +837,8 @@
 	 * have already specified a host name and therefore would be redundant.
 	 */
 	if (strcmp(file_name, KPROP_DEFAULT_FILE) == 0) {
-		strcat(file_last_prop, ".");
-		strcat(file_last_prop, hostname);
+	strcat(file_last_prop, ".");
+	strcat(file_last_prop, hostname);
 	}
 	strcat(file_last_prop, last_prop);
 	if ((fd = THREEPARAMOPEN(file_last_prop, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
--- a/usr/src/cmd/krb5/slave/kprop.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/slave/kprop.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -22,7 +22,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- *
+ * 
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -36,18 +36,17 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
+ * 
  *
  */
 
-#define	KPROP_SERVICE_NAME "host"
-#define	TGT_SERVICE_NAME "krbtgt"
-#define	KPROP_SERVICE "krb5_prop"
-#define	KPROP_CKSUMTYPE CKSUMTYPE_RSA_MD4_DES
+#define KPROP_SERVICE_NAME "host"
+#define TGT_SERVICE_NAME "krbtgt"
+#define KPROP_SERVICE "krb5_prop"
 
-#define	KPROP_PROT_VERSION "kprop5_01"
+#define KPROP_PROT_VERSION "kprop5_01"
 
-#define	KPROP_BUFSIZ 32768
+#define KPROP_BUFSIZ 32768
 
 extern krb5_address *cvtkaddr(struct sockaddr_storage *ss, krb5_address *krbap);
 
--- a/usr/src/cmd/krb5/slave/kpropd.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/cmd/krb5/slave/kpropd.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  * 
  * All rights reserved.
@@ -61,6 +61,7 @@
  * write...
  */
 
+
 #include <stdio.h>
 #include <ctype.h>
 #include <sys/file.h>
@@ -129,7 +130,6 @@
 char	*kerb_database = NULL;
 char	*acl_file_name = KPROPD_ACL_FILE;
 
-int		database_fd;
 krb5_address	sender_addr;
 krb5_address	receiver_addr;
 short 		port = 0;
@@ -139,36 +139,35 @@
 int	do_standalone
 	 (iprop_role iproprole);
 void	doit
-	 (int);
+	(int);
 krb5_error_code	do_iprop(kdb_log_context *log_ctx);
 
 void	kerberos_authenticate
-	 (krb5_context,
+	(krb5_context,
 		   int,
 		   krb5_principal *,
 		   krb5_enctype *,
 		   struct sockaddr_storage);
-
 krb5_boolean authorized_principal
-	 (krb5_context,
+	(krb5_context,
     		   krb5_principal,
 		   krb5_enctype);
 void	recv_database
-	 (krb5_context,
+	(krb5_context,
 		   int,
 		   int,
 		   krb5_data *);
 void	load_database
-	 (krb5_context,
+	(krb5_context,
     		   char *,
     		   char *);
 void	send_error
-	 (krb5_context,
+	(krb5_context,
     		   int,
 		   krb5_error_code,
     		   char	*);
 void	recv_error
-	 (krb5_context,
+	(krb5_context,
     		   krb5_data *);
 int	convert_polltime
 	(char *);
@@ -283,64 +282,59 @@
 			gettext("in setsockopt(SO_REUSEADDR)"));
 	    }
 	    ret = bind(finet, (struct sockaddr *) &sin6, sizeof(sin6));
-	}
-
-	if (ret < 0) {
-	    perror(gettext("bind"));
-	    com_err(progname, errno, 
-		    gettext("while binding listener socket"));
-	    exit(1);
-	}
-    }
+	    }
 
-    if (!debug && (iproprole != IPROP_SLAVE))
-	daemon(1, 0);
-
+	    if (ret < 0) {
+		perror(gettext("bind"));
+		com_err(progname, errno, 
+		    gettext("while binding listener socket"));
+		exit(1);
+	    }
+	}
+	if (!debug && (iproprole != IPROP_SLAVE))
+		daemon(1, 0);	    
 #ifdef PID_FILE
-    if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
-	fprintf(pidfile, gettext("%d\n"), getpid());
-	fclose(pidfile);
-    } else
-	com_err(progname, errno,
+	if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
+		fprintf(pidfile, gettext("%d\n"), getpid());
+		fclose(pidfile);
+	} else
+		com_err(progname, errno,
 		gettext("while opening pid file %s for writing"),
 		PID_FILE);
 #endif
-
-    if (listen(finet, 5) < 0) {
-	com_err(progname, errno, gettext("in listen call"));
-	exit(1);
-    }
-
-    while (1) {
-	int child_pid;
+	if (listen(finet, 5) < 0) {
+		com_err(progname, errno, gettext("in listen call"));
+		exit(1);
+	}
+	while (1) {
+		int child_pid;
 
-	s = accept(finet, (struct sockaddr *) &sin6, &sin6_size);
-
-	if (s < 0) {
-	    if (errno != EINTR)
-		com_err(progname, errno,
-		    gettext("from accept system call")); 
-	    continue;
-	}
+		s = accept(finet, (struct sockaddr *) &sin6, &sin6_size);
 
-	if (debug && (iproprole != IPROP_SLAVE))
-	    child_pid = 0;
-	else
-	    child_pid = fork();
+		if (s < 0) {
+			if (errno != EINTR)
+				com_err(progname, errno,
+		    gettext("from accept system call")); 
+			continue;
+		}
+		if (debug && (iproprole != IPROP_SLAVE))
+			child_pid = 0;
+		else
+			child_pid = fork();
+		switch (child_pid) {
+		case -1:
+			com_err(progname, errno, gettext("while forking"));
+			exit(1);
+	    /*NOTREACHED*/
+		case 0:
+	    /* child */
+			(void) close(finet);
 
-	switch (child_pid) {
-	case -1:
-	    com_err(progname, errno, gettext("while forking"));
-	    exit(1);
+			doit(s);
+			close(s);
+			_exit(0);
 	    /*NOTREACHED*/
-	case 0:
-	    /* child */
-	    (void) close(finet);
-	    doit(s);
-	    close(s);
-	    _exit(0);
-	    /*NOTREACHED*/
-	default:
+		default:
 	    /* parent */
 	    if (wait(&status) < 0) {
 		com_err(progname, errno,
@@ -373,8 +367,9 @@
 	krb5_error_code	retval;
 	krb5_data confmsg;
 	int lock_fd;
-	int omask;
+	mode_t omask;
 	krb5_enctype etype;
+	int database_fd;
 	char ntop[NI_MAXHOST] = "";
 	krb5_context doit_context;
 	kdb_log_context *log_ctx;
@@ -389,7 +384,6 @@
 		ulog_set_role(doit_context, IPROP_SLAVE);
 
 	fromlen = (socklen_t)sizeof (from);
-
 	if (getpeername(fd, (struct sockaddr *) &from, &fromlen) < 0) {
 		fprintf(stderr, "%s: ", progname);
 		perror(gettext("getpeername"));
@@ -461,18 +455,19 @@
 	kerberos_authenticate(doit_context, fd, &client, &etype, from);
 
 	if (!authorized_principal(doit_context, client, etype)) {
-	    char	*name;
+		char	*name;
 
-	    if (retval = krb5_unparse_name(doit_context, client, &name)) {
-		com_err(progname, retval,
+		retval = krb5_unparse_name(doit_context, client, &name);
+		if (retval) {
+			com_err(progname, retval,
 		    gettext("While unparsing client name"));
+			exit(1);
+		}
+		syslog(LOG_WARNING,
+		gettext("Rejected connection from unauthorized principal %s"),
+		       name);
+		free(name);
 		exit(1);
-	    }
-	    syslog(LOG_WARNING,
-		gettext("Rejected connection from unauthorized principal %s"),
-		name);
-	    free(name);
-	    exit(1);
 	}
 	omask = umask(077);
 	lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
@@ -519,8 +514,8 @@
 	 * Send the acknowledgement message generated in
 	 * recv_database, then close the socket.
 	 */
-	if (retval = krb5_write_message(doit_context, (void *) &fd,
-					&confmsg)) { 
+	retval = krb5_write_message(doit_context, (void *) &fd, &confmsg);
+	if (retval) { 
 		krb5_free_data_contents(doit_context, &confmsg);
 		com_err(progname, retval,
 			gettext("while sending # of received bytes"));
@@ -532,7 +527,7 @@
 			gettext("while trying to close database file"));
 		exit(1);
 	}
-
+	
 	exit(0);
 }
 
@@ -1075,9 +1070,12 @@
 		exit(1);
 	}
 	if (realm) {
-	    (void) krb5_xfree(krb5_princ_realm(context, server)->data);
-	    krb5_princ_set_realm_length(context, server, strlen(realm));
-	    krb5_princ_set_realm_data(context, server, strdup(realm));
+	    retval = krb5_set_principal_realm(kpropd_context, server, realm);
+	    if (retval) {
+	        com_err(progname, errno, 
+			gettext("while constructing my service realm"));
+		exit(1);
+	    }
 	}
 	/*
 	 * Construct the name of the temporary file.
@@ -1162,7 +1160,9 @@
 
     if (debug) {
 	char *name;
-	if (retval = krb5_unparse_name(context, server, &name)) {
+
+	retval = krb5_unparse_name(context, server, &name);
+	if (retval) {
 	    com_err(progname, retval, gettext("While unparsing server name"));
 	    exit(1);
 	}
@@ -1171,42 +1171,46 @@
 	free(name);
     }
 
-    if (retval = krb5_auth_con_init(context, &auth_context)) {
+    retval = krb5_auth_con_init(context, &auth_context);
+    if (retval) {
 	syslog(LOG_ERR, gettext("Error in krb5_auth_con_init: %s"),
-	    error_message(retval));
+	       error_message(retval));
     	exit(1);
     }
 
-    if (retval = krb5_auth_con_setflags(context, auth_context, 
-					KRB5_AUTH_CONTEXT_DO_SEQUENCE)) {
+    retval = krb5_auth_con_setflags(context, auth_context, 
+				    KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+    if (retval) {
 	syslog(LOG_ERR, gettext("Error in krb5_auth_con_setflags: %s"),
 	       error_message(retval));
 	exit(1);
     }
 
-    if (retval = krb5_auth_con_setaddrs(context, auth_context, &receiver_addr,
-				        &sender_addr)) {
+    retval = krb5_auth_con_setaddrs(context, auth_context, &receiver_addr,
+				    &sender_addr);
+    if (retval) {
 	syslog(LOG_ERR, gettext("Error in krb5_auth_con_setaddrs: %s"),
 	       error_message(retval));
 	exit(1);
     }
 
     if (srvtab) {
-	if (retval = krb5_kt_resolve(context, srvtab, &keytab)) {
+        retval = krb5_kt_resolve(context, srvtab, &keytab);
+	if (retval) {
 	  syslog(LOG_ERR, gettext("Error in krb5_kt_resolve: %s"), error_message(retval));
 	  exit(1);
 	}
     }
 
-    if (retval = krb5_recvauth(context, &auth_context, (void *) &fd,
-			       kprop_version, server, 0, keytab, &ticket)){
-	syslog(LOG_ERR, gettext("Error in krb5_recvauth: %s"),
-	    error_message(retval));
+    retval = krb5_recvauth(context, &auth_context, (void *) &fd,
+			   kprop_version, server, 0, keytab, &ticket);
+    if (retval) {
+	syslog(LOG_ERR, gettext("Error in krb5_recvauth: %s"), error_message(retval));
 	exit(1);
     }
 
-    if (retval = krb5_copy_principal(context, 
-				     ticket->enc_part2->client, clientp)) {
+    retval = krb5_copy_principal(context, ticket->enc_part2->client, clientp);
+    if (retval) {
 	syslog(LOG_ERR, gettext("Error in krb5_copy_prinicpal: %s"), 
 	       error_message(retval));
 	exit(1);
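Review bot: The syslog text for the `krb5_copy_principal` failure at the end of this hunk still misspells the function as `krb5_copy_prinicpal`, so a log search for the real function name misses these entries. Since the statement is rewritten here anyway, the message could be corrected to `syslog(LOG_ERR, gettext("Error in krb5_copy_principal: %s"),`. The string is a gettext msgid, so any message catalog entry would need the same change.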
@@ -1218,14 +1222,15 @@
 	char * name;
 	char etypebuf[100];
 
-	if (retval = krb5_unparse_name(context, *clientp, &name)) {
+	retval = krb5_unparse_name(context, *clientp, &name);
+	if (retval) {
 	    com_err(progname, retval, 
 		gettext("While unparsing client name"));
 	    exit(1);
 	}
 
-	if (retval = krb5_enctype_to_string(*etype, etypebuf,
-					    sizeof(etypebuf))) {
+	retval = krb5_enctype_to_string(*etype, etypebuf, sizeof(etypebuf));
+	if (retval) {
 	    com_err(progname, retval, gettext("While unparsing ticket etype"));
 	    exit(1);
 	}
@@ -1269,11 +1274,11 @@
 
 	    /* if the next character is not whitespace or nul, then
 	       the match is only partial.  continue on to new lines. */
-	    if (*ptr && !isspace(*ptr))
+	    if (*ptr && !isspace((int) *ptr))
 		continue;
 
 	    /* otherwise, skip trailing whitespace */
-	    for (; *ptr && isspace(*ptr); ptr++) ;
+	    for (; *ptr && isspace((int) *ptr); ptr++) ;
 
 	    /* now, look for an etype string. if there isn't one,
 	       return true.  if there is an invalid string, continue.
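Review bot: The `(int)` cast added to both `isspace` calls silences the warning but does not change the value. If `*ptr` is a plain `char` holding a byte above 0x7f, it is still negative when it reaches isspace, which is undefined for negative arguments other than EOF. The cast should go through unsigned char: `if (*ptr && !isspace((unsigned char) *ptr))` and `for (; *ptr && isspace((unsigned char) *ptr); ptr++) ;`. The declaration of `ptr` is outside the hunk, so its type is assumed here.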
@@ -1302,7 +1307,7 @@
     int	database_fd;
     krb5_data *confmsg;
 {
-	int	database_size;
+	krb5_ui_4	database_size; /* This must be 4 bytes */
 	int	received_size, n;
 	char		buf[1024];
 	krb5_data	inbuf, outbuf;
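Review bot: `database_size` becomes `krb5_ui_4` while `received_size` on the next line stays `int`, so the later loop test `while (received_size < database_size)`, apparently in this same function, compares signed with unsigned. The size is taken from the peer's message, so a value above INT_MAX would push `received_size` into signed overflow before the loop can end. Declaring the counter with the same width and signedness avoids that: `krb5_ui_4 database_size, received_size; /* 4-byte sizes from the wire */` with `int n;` kept separate. The `%d` conversions that print `received_size` would then become `%u`, and an explicit upper bound on the announced size would be a reasonable addition. recv_database starts and ends outside this hunk.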
@@ -1311,7 +1316,8 @@
 	/*
 	 * Receive and decode size from client
 	 */
-	if (retval = krb5_read_message(context, (void *) &fd, &inbuf)) {
+	retval = krb5_read_message(context, (void *) &fd, &inbuf);
+	if (retval) {
 		send_error(context, fd, retval, gettext("while reading database size"));
 		com_err(progname, retval,
 			gettext("while reading size of database from client"));
@@ -1319,8 +1325,10 @@
 	}
 	if (krb5_is_krb_error(&inbuf))
 		recv_error(context, &inbuf);
-	if (retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL)) {
-		send_error(context, fd, retval, gettext("while decoding database size"));
+	retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL);
+	if (retval) {
+		send_error(context, fd, retval, gettext(
+			   "while decoding database size"));
 		krb5_free_data_contents(context, &inbuf);
 		com_err(progname, retval,
 			gettext("while decoding database size from client"));
@@ -1331,21 +1339,24 @@
 	krb5_free_data_contents(context, &outbuf);
 	database_size = ntohl(database_size);
 
-    /*
-     * Initialize the initial vector.
-     */
-    if (retval = krb5_auth_con_initivector(context, auth_context)) {
-	send_error(context, fd, retval, gettext("failed while initializing i_vector"));
-	com_err(progname, retval, gettext("while initializing i_vector"));
-	exit(1);
-    }
+	/*
+	 * Initialize the initial vector.
+	 */
+	retval = krb5_auth_con_initivector(context, auth_context);
+	if (retval) {
+	  send_error(context, fd, retval, gettext(
+		     "failed while initializing i_vector"));
+	  com_err(progname, retval, gettext("while initializing i_vector"));
+	  exit(1);
+	}
 
 	/*
 	 * Now start receiving the database from the net
 	 */
 	received_size = 0;
 	while (received_size < database_size) {
-		if (retval = krb5_read_message(context, (void *) &fd, &inbuf)) {
+	        retval = krb5_read_message(context, (void *) &fd, &inbuf);
+		if (retval) {
 			snprintf(buf, sizeof (buf),
 			gettext("while reading database block starting at offset %d"),
 				received_size);
@@ -1355,8 +1366,9 @@
 		}
 		if (krb5_is_krb_error(&inbuf))
 			recv_error(context, &inbuf);
-		if (retval = krb5_rd_priv(context, auth_context, &inbuf, 
-					  &outbuf, NULL)) {
+		retval = krb5_rd_priv(context, auth_context, &inbuf, 
+				      &outbuf, NULL);
+		if (retval) {
 			snprintf(buf, sizeof (buf),
 		gettext("while decoding database block starting at offset %d"),
 				received_size);
@@ -1384,6 +1396,7 @@
 		/* SUNWresync121: our krb5...contents sets length to 0 */
 		krb5_free_data_contents(context, &inbuf);
 		krb5_free_data_contents(context, &outbuf);
+
 	}
 	/*
 	 * OK, we've seen the entire file.  Did we get too many bytes?
@@ -1401,7 +1414,8 @@
 	database_size = htonl(database_size);
 	inbuf.data = (char *) &database_size;
 	inbuf.length = sizeof(database_size);
-	if (retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL)) {
+	retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL);
+	if (retval) {
 		com_err(progname, retval,
 			gettext("while encoding # of receieved bytes"));
 		send_error(context, fd, retval,
@@ -1443,7 +1457,8 @@
 		}
 	} 
 	error.text.length = strlen(text) + 1;
-	if (error.text.data = malloc(error.text.length)) {
+	error.text.data = malloc(error.text.length);
+	if (error.text.data) {
 		strcpy(error.text.data, text);
 		if (!krb5_mk_error(context, &error, &outbuf)) {
 			(void) krb5_write_message(context, (void *)&fd,&outbuf);
@@ -1461,7 +1476,8 @@
 	krb5_error	*error;
 	krb5_error_code	retval;
 
-	if (retval = krb5_rd_error(context, inbuf, &error)) {
+	retval = krb5_rd_error(context, inbuf, &error);
+	if (retval) {
 		com_err(progname, retval,
 			gettext("while decoding error packet from client"));
 		exit(1);
@@ -1484,25 +1500,35 @@
 }
 
 void
-load_database(context, kdb5_util, database_file_name)
+load_database(context, kdb_util, database_file_name)
     krb5_context context;
-    char *kdb5_util;
+    char *kdb_util;
     char *database_file_name;
 {
 	static char	*edit_av[10];
-	int	error_ret, save_stderr;
+	int	error_ret, save_stderr = -1;
 	int	child_pid;
 	int 	count;
+
+	/* <sys/param.h> has been included, so BSD will be defined on
+	   BSD systems */
+#if BSD > 0 && BSD <= 43
+#ifndef WEXITSTATUS
+#define	WEXITSTATUS(w) (w).w_retcode
+#endif
+	union wait	waitb;
+#else
 	int	waitb;
+#endif
 	krb5_error_code	retval;
 	kdb_log_context	*log_ctx;
 
 	if (debug)
-		printf(gettext("calling kdb5_util to load database\n"));
+		printf(gettext("calling kdb_util to load database\n"));
 
 	log_ctx = context->kdblog_context;
 
-	edit_av[0] = kdb5_util;
+	edit_av[0] = kdb_util;
 	count = 1;
 	if (realm) {
 		edit_av[count++] = "-r";	
@@ -1523,7 +1549,7 @@
 	switch(child_pid = fork()) {
 	case -1:
 		com_err(progname, errno, gettext("while trying to fork %s"),
-			kdb5_util);
+			kdb_util);
 		exit(1);
 		/*NOTREACHED*/
 	case 0:
@@ -1537,12 +1563,12 @@
 			dup(0);
 		}
 
-		execv(kdb5_util, edit_av);
+		execv(kdb_util, edit_av);
 		retval = errno;
 		if (!debug)
 			dup2(save_stderr, 2);
 		com_err(progname, retval, gettext("while trying to exec %s"),
-			kdb5_util);
+			kdb_util);
 		_exit(1);
 		/*NOTREACHED*/
 	default:
@@ -1550,15 +1576,16 @@
 		    printf(gettext("Child PID is %d\n"), child_pid);
 		if (wait(&waitb) < 0) {
 			com_err(progname, errno, gettext("while waiting for %s"),
-				kdb5_util);
+				kdb_util);
 			exit(1);
 		}
 	}
 	
-	if ((error_ret = WEXITSTATUS(waitb)) != 0) {
+	error_ret = WEXITSTATUS(waitb);
+	if (error_ret) {
 		com_err(progname, 0,
-		    gettext("%s returned a bad exit status (%d)"), kdb5_util,
-		    error_ret);
+		    gettext("%s returned a bad exit status (%d)"),
+			kdb_util, error_ret);
 		exit(1);
 	}
 	return;
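Review bot: `WEXITSTATUS(waitb)` is read without first testing `WIFEXITED(waitb)`, so a `kdb_util` child that dies from a signal can produce an exit status of 0 and `load_database` returns as if the load had succeeded. Check for normal termination before assigning `error_ret`, e.g. `if (!WIFEXITED(waitb)) { com_err(progname, 0, gettext("%s terminated abnormally"), kdb_util); exit(1); }`. The bare `wait(&waitb)` above also accepts the status of any child of this process; `waitpid(child_pid, &waitb, 0)` would tie the result to the process that was forked, at least on the `int waitb` branch. The function body starts outside this hunk.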
--- a/usr/src/lib/gss_mechs/mech_krb5/include/db.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/gss_mechs/mech_krb5/include/db.h	Sat Oct 07 13:37:05 2006 -0700
@@ -173,11 +173,4 @@
 int	 bt_rseq(const DB*, DBT *, DBT *, void **, u_int); /* XXX kludge */
 __END_DECLS
 
-#if DEBUG_DB
-
-/* debugging aid used to turn on display of messages */
-void debugDisplayDB(int onOff);
-
-#endif
-
 #endif /* !_DB_H_ */
--- a/usr/src/lib/gss_mechs/mech_krb5/include/krb5/adm.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/gss_mechs/mech_krb5/include/krb5/adm.h	Sat Oct 07 13:37:05 2006 -0700
@@ -2,7 +2,7 @@
 /*
  * include/krb5/adm.h
  *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -17,7 +17,10 @@
  * this permission notice appear in supporting documentation, and that
  * the name of M.I.T. not be used in advertising or publicity pertaining
  * to distribution of the software without specific, written prior
- * permission.  M.I.T. makes no representations about the suitability of
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
  *
@@ -207,13 +210,14 @@
     krb5_timestamp	realm_expiration;
     krb5_flags		realm_flags;
     krb5_key_salt_tuple	*realm_keysalts;
+    unsigned int	realm_reject_bad_transit:1;
     unsigned int	realm_kadmind_port_valid:1;
     unsigned int	realm_enctype_valid:1;
     unsigned int	realm_max_life_valid:1;
     unsigned int	realm_max_rlife_valid:1;
     unsigned int	realm_expiration_valid:1;
     unsigned int	realm_flags_valid:1;
-    unsigned int	realm_filler:7;
+    unsigned int	realm_reject_bad_transit_valid:1;
     krb5_int32		realm_num_keysalts;
 } krb5_realm_params;
 #endif	/* KRB5_ADM_H__ */
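Review bot: `realm_reject_bad_transit:1` is inserted ahead of the existing `*_valid` bit-fields, so on the usual ABIs every existing flag moves up one bit within the storage unit. Any object built against the old header would then read the wrong flags from a `krb5_realm_params` filled in by new code. If such consumers can exist, both new bits should be placed after `realm_flags_valid`, in the space that `realm_filler:7` used to reserve. The new pair also has no comment; something like `/* reject tickets whose transited path fails the check; honour only when realm_reject_bad_transit_valid is set */` would state the intended use, with the wording to be confirmed against the KDC code that reads it.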
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktbase.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktbase.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -15,7 +15,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- *
+ * 
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -29,7 +29,7 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
+ * 
  *
  * Registration functions for keytab.
  */
@@ -46,9 +46,6 @@
     const krb5_kt_ops *ops;
     const struct krb5_kt_typelist *next;
 };
-static const struct krb5_kt_typelist krb5_kt_typelist_dfl = { &krb5_kt_dfl_ops, 0 };
-static const struct krb5_kt_typelist *kt_typehead = &krb5_kt_typelist_dfl;
-
 static const struct krb5_kt_typelist krb5_kt_typelist_wrfile  = {
     &krb5_ktf_writable_ops,
     0
@@ -61,11 +58,7 @@
     &krb5_kts_ops,
     &krb5_kt_typelist_file
 };
-
-/* SUNW14resync */
-/*
-static const struct krb5_kt_typelist *kt_typehead = &krb5_kt_typelist_srvtab;*/
-
+static const struct krb5_kt_typelist *kt_typehead = &krb5_kt_typelist_srvtab;
 /* Lock for protecting the type list.  */
 static k5_mutex_t kt_typehead_lock = K5_MUTEX_PARTIAL_INITIALIZER;
 
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_pwd.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_pwd.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -33,7 +33,7 @@
 extern kadm5_ret_t kadm5_init_with_password(char *, char *, char *,
 			kadm5_config_params *, krb5_ui_4, krb5_ui_4, void **);
 extern kadm5_ret_t kadm5_chpass_principal_util(void *, krb5_principal,
-			char *, char **, char *, int);
+			char *, char **, char *, unsigned int);
 
 static krb5_error_code
 krb5_get_as_key_password(
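Review bot: The local `extern` prototype of `kadm5_chpass_principal_util` is edited by hand here, presumably to follow a changed definition. That shows these copies are not checked against the real declarations, so a future mismatch would compile silently and pass a wrongly typed length argument. If a kadm5 header declaring both functions can be included in this file, that is safer than repeating the prototypes. Otherwise a comment such as `/* must match the definitions in the kadm5 library */` above the two declarations would document the coupling.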
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sendto_kdc.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sendto_kdc.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -319,10 +319,6 @@
     /*LINTED*/
 	   message->length, message->data, realm, *use_master, tcp_only);
 
-    /* 
-     * Solaris Kerberos: keep it simple by not supporting a udp_preference_limit
-     */
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
     if (!tcp_only && context->udp_pref_limit < 0) {
 	int tmp;
 	retval = profile_get_integer(context->profile,
@@ -332,15 +328,13 @@
 	    return retval;
 	if (tmp < 0)
 	    tmp = DEFAULT_UDP_PREF_LIMIT;
-	else if (tmp > HARD_UDP_LIMIT) {
+	else if (tmp > HARD_UDP_LIMIT)
 	    /* In the unlikely case that a *really* big value is
 	       given, let 'em use as big as we think we can
 	       support.  */
 	    tmp = HARD_UDP_LIMIT;
-	}
 	context->udp_pref_limit = tmp;
     }
-#endif /**************** END IFDEF'ed OUT *******************************/
 
     retval = (*use_master ? KRB5_KDC_UNREACH : KRB5_REALM_UNKNOWN);
 
--- a/usr/src/lib/gss_mechs/mech_krb5/mapfile-vers	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/gss_mechs/mech_krb5/mapfile-vers	Sat Oct 07 13:37:05 2006 -0700
@@ -38,26 +38,6 @@
     global:
 	adb_error_table;
 	asn12krb5_buf;
-	asn1buf_create;
-	asn1buf_destroy;
-	asn1buf_ensure_space;
-	asn1buf_expand;
-	asn1buf_free;
-	asn1buf_hex_unparse;
-	asn1buf_imbed;
-	asn1buf_insert_charstring;
-	asn1buf_insert_octet;
-	asn1buf_insert_octetstring;
-	asn1buf_len;
-	asn1buf_remains;
-	asn1buf_remove_charstring;
-	asn1buf_remove_octet;
-	asn1buf_remove_octetstring;
-	asn1buf_size;
-	asn1buf_skiptail;
-	asn1buf_sync;
-	asn1buf_unparse;
-	asn1buf_wrap_data;
 	asn1_decode_addrtype;
 	asn1_decode_ap_options;
 	asn1_decode_authdata_elt;
@@ -67,10 +47,10 @@
 	asn1_decode_checksum;
 	asn1_decode_cksumtype;
 	asn1_decode_enc_kdc_rep_part;
+	asn1_decode_enc_sam_key;
+	asn1_decode_enc_sam_response_enc;
 	asn1_decode_encrypted_data;
 	asn1_decode_encryption_key;
-	asn1_decode_enc_sam_key;
-	asn1_decode_enc_sam_response_enc;
 	asn1_decode_enctype;
 	asn1_decode_etype_info;
 	asn1_decode_generalstring;
@@ -78,8 +58,8 @@
 	asn1_decode_host_address;
 	asn1_decode_host_addresses;
 	asn1_decode_ia5string;
+	asn1_decode_int32;
 	asn1_decode_int;
-	asn1_decode_int32;
 	asn1_decode_integer;
 	asn1_decode_kdc_options;
 	asn1_decode_kdc_rep;
@@ -121,9 +101,9 @@
 	asn1_encode_charstring;
 	asn1_encode_checksum;
 	asn1_encode_enc_kdc_rep_part;
+	asn1_encode_enc_sam_response_enc;
 	asn1_encode_encrypted_data;
 	asn1_encode_encryption_key;
-	asn1_encode_enc_sam_response_enc;
 	asn1_encode_etype_info;
 	asn1_encode_etype_info_entry;
 	asn1_encode_generalstring;
@@ -176,6 +156,26 @@
 	asn1_make_set;
 	asn1_make_string;
 	asn1_make_tag;
+	asn1buf_create;
+	asn1buf_destroy;
+	asn1buf_ensure_space;
+	asn1buf_expand;
+	asn1buf_free;
+	asn1buf_hex_unparse;
+	asn1buf_imbed;
+	asn1buf_insert_charstring;
+	asn1buf_insert_octet;
+	asn1buf_insert_octetstring;
+	asn1buf_len;
+	asn1buf_remains;
+	asn1buf_remove_charstring;
+	asn1buf_remove_octet;
+	asn1buf_remove_octetstring;
+	asn1buf_size;
+	asn1buf_skiptail;
+	asn1buf_sync;
+	asn1buf_unparse;
+	asn1buf_wrap_data;
 	com_err;
 	com_err_va;
 	daemon;
@@ -192,15 +192,15 @@
 	decode_krb5_enc_data;
 	decode_krb5_enc_kdc_rep_part;
 	decode_krb5_enc_priv_part;
-	decode_krb5_encryption_key;
 	decode_krb5_enc_sam_key;
 	decode_krb5_enc_sam_response_enc;
 	decode_krb5_enc_tkt_part;
+	decode_krb5_encryption_key;
 	decode_krb5_error;
 	decode_krb5_etype_info;
 	decode_krb5_kdc_req_body;
+	decode_krb5_pa_enc_ts;
 	decode_krb5_padata_sequence;
-	decode_krb5_pa_enc_ts;
 	decode_krb5_predicted_sam_response;
 	decode_krb5_priv;
 	decode_krb5_pwd_data;
@@ -225,15 +225,15 @@
 	encode_krb5_enc_data;
 	encode_krb5_enc_kdc_rep_part;
 	encode_krb5_enc_priv_part;
-	encode_krb5_encryption_key;
 	encode_krb5_enc_sam_response_enc;
 	encode_krb5_enc_tkt_part;
+	encode_krb5_encryption_key;
 	encode_krb5_error;
-	encode_krb5_etype_info;
 	encode_krb5_etype_info2;
+	encode_krb5_etype_info;
 	encode_krb5_kdc_req_body;
+	encode_krb5_pa_enc_ts;
 	encode_krb5_padata_sequence;
-	encode_krb5_pa_enc_ts;
 	encode_krb5_predicted_sam_response;
 	encode_krb5_priv;
 	encode_krb5_pwd_data;
@@ -246,17 +246,14 @@
 	encode_krb5_tgs_req;
 	encode_krb5_ticket;
 	error_message;
-	foreach_localaddr;
 	g_delete_cred_id;
 	g_delete_ctx_id;
 	g_delete_name;
 	g_display_com_err_status;
 	g_display_major_status;
-	ggss_error_table;
 	g_local_host_name;
 	g_make_string_buffer;
 	g_make_token_header;
-	gmt_mktime;
 	g_order_check;
 	g_order_free;
 	g_order_init;
@@ -271,6 +268,14 @@
 	g_set_entry_delete;
 	g_set_entry_get;
 	g_set_init;
+	g_strdup;
+	g_token_size;
+	g_validate_cred_id;
+	g_validate_ctx_id;
+	g_validate_name;
+	g_verify_token_header;
+	ggss_error_table;
+	gmt_mktime;
 	gss_krb5_ccache_name;
 	gss_krb5_copy_ccache;
 	gss_krb5_get_tkt_flags;
@@ -285,12 +290,6 @@
 	gss_nt_krb5_name;
 	gss_nt_krb5_principal;
 	gssspi_acquire_cred_with_password;
-	g_strdup;
-	g_token_size;
-	g_validate_cred_id;
-	g_validate_ctx_id;
-	g_validate_name;
-	g_verify_token_header;
 	imp_error_table;
 	k5_ef_hash;
 	k5_ef_mac;
@@ -331,9 +330,9 @@
 	krb5_appdefault_string;
 	krb5_auth_con_free;
 	krb5_auth_con_genaddrs;
+	krb5_auth_con_get_checksum_func;
 	krb5_auth_con_getaddrs;
 	krb5_auth_con_getauthenticator;
-	krb5_auth_con_get_checksum_func;
 	krb5_auth_con_getflags;
 	krb5_auth_con_getivector;
 	krb5_auth_con_getkey;
@@ -347,16 +346,16 @@
 	krb5_auth_con_getsendsubkey;
 	krb5_auth_con_init;
 	krb5_auth_con_initivector;
+	krb5_auth_con_set_checksum_func;
+	krb5_auth_con_set_req_cksumtype;
+	krb5_auth_con_set_safe_cksumtype;
 	krb5_auth_con_setaddrs;
-	krb5_auth_con_set_checksum_func;
 	krb5_auth_con_setflags;
 	krb5_auth_con_setivector;
 	krb5_auth_con_setpermetypes;
 	krb5_auth_con_setports;
 	krb5_auth_con_setrcache;
 	krb5_auth_con_setrecvsubkey;
-	krb5_auth_con_set_req_cksumtype;
-	krb5_auth_con_set_safe_cksumtype;
 	krb5_auth_con_setsendsubkey;
 	krb5_auth_con_setuseruserkey;
 	krb5_auth_to_rep;
@@ -364,6 +363,25 @@
 	krb5_build_principal_ext;
 	krb5_build_principal_va;
 	krb5_c_block_size;
+	krb5_c_checksum_length;
+	krb5_c_decrypt;
+	krb5_c_encrypt;
+	krb5_c_encrypt_length;
+	krb5_c_enctype_compare;
+	krb5_c_free_state;
+	krb5_c_init_state;
+	krb5_c_is_coll_proof_cksum;
+	krb5_c_is_keyed_cksum;
+	krb5_c_keyed_checksum_types;
+	krb5_c_make_checksum;
+	krb5_c_make_random_key;
+	krb5_c_random_make_octets;
+	krb5_c_random_seed;
+	krb5_c_string_to_key;
+	krb5_c_string_to_key_with_params;
+	krb5_c_valid_cksumtype;
+	krb5_c_valid_enctype;
+	krb5_c_verify_checksum;
 	krb5_cc_close;
 	krb5_cc_copy_creds;
 	krb5_cc_default;
@@ -375,7 +393,6 @@
 	krb5_cc_get_name;
 	krb5_cc_get_principal;
 	krb5_cc_get_type;
-	krb5_c_checksum_length;
 	krb5_cc_initialize;
 	krb5_cc_next_cred;
 	krb5_cc_register;
@@ -385,24 +402,13 @@
 	krb5_cc_set_flags;
 	krb5_cc_start_seq_get;
 	krb5_cc_store_cred;
-	krb5_c_decrypt;
-	krb5_c_encrypt;
-	krb5_c_encrypt_length;
-	krb5_c_enctype_compare;
-	krb5_c_free_state;
 	krb5_change_cache;
 	krb5_change_password;
+	krb5_check_transited_list;
 	krb5_checksum_size;
-	krb5_check_transited_list;
-	krb5_c_init_state;
-	krb5_c_is_coll_proof_cksum;
-	krb5_c_is_keyed_cksum;
-	krb5_c_keyed_checksum_types;
+	krb5_cksumtype_to_string;
 	krb5_cksumtypes_length;
 	krb5_cksumtypes_list;
-	krb5_cksumtype_to_string;
-	krb5_c_make_checksum;
-	krb5_c_make_random_key;
 	krb5_copy_addr;
 	krb5_copy_addresses;
 	krb5_copy_authdata;
@@ -415,15 +421,8 @@
 	krb5_copy_keyblock_data;
 	krb5_copy_principal;
 	krb5_copy_ticket;
-	krb5_c_random_make_octets;
-	krb5_c_random_seed;
 	krb5_create_secure_file;
 	krb5_crypto_us_timeofday;
-	krb5_c_string_to_key;
-	krb5_c_string_to_key_with_params;
-	krb5_c_valid_cksumtype;
-	krb5_c_valid_enctype;
-	krb5_c_verify_checksum;
 	krb5_decode_kdc_rep;
 	krb5_decode_ticket;
 	krb5_decrypt_tkt_part;
@@ -434,9 +433,9 @@
 	krb5_encode_kdc_rep;
 	krb5_encrypt_helper;
 	krb5_encrypt_tkt_part;
+	krb5_enctype_to_string;
 	krb5_enctypes_length;
 	krb5_enctypes_list;
-	krb5_enctype_to_string;
 	krb5_error_table;
 	krb5_externalize_data;
 	krb5_externalize_opaque;
@@ -500,21 +499,20 @@
 	krb5_free_uio;
 	krb5_free_unparsed_name;
 	krb5_fwd_tgt_creds;
-	krb5_generate_seq_number;
-	krb5_generate_subkey;
 	krb5_gen_portaddr;
 	krb5_gen_replay_name;
-	krb5_get_credentials;
-	krb5_get_credentials_renew;
-	krb5_get_credentials_validate;
+	krb5_generate_seq_number;
+	krb5_generate_subkey;
 	krb5_get_cred_from_kdc;
 	krb5_get_cred_from_kdc_renew;
 	krb5_get_cred_from_kdc_validate;
 	krb5_get_cred_via_tkt;
+	krb5_get_credentials;
+	krb5_get_credentials_renew;
+	krb5_get_credentials_validate;
 	krb5_get_default_config_files;
 	krb5_get_default_in_tkt_ktypes;
 	krb5_get_default_realm;
-	krb5_getenv;
 	krb5_get_host_realm;
 	krb5_get_init_creds;
 	krb5_get_init_creds_keytab;
@@ -538,11 +536,12 @@
 	krb5_get_prompt_types;
 	krb5_get_realm_domain;
 	krb5_get_renewed_creds;
+	krb5_get_server_rcache;
 	krb5_get_servername;
-	krb5_get_server_rcache;
 	krb5_get_tgs_ktypes;
 	krb5_get_time_offsets;
 	krb5_get_validated_creds;
+	krb5_getenv;
 	krb5_gss_import_name;
 	krb5_gss_init_sec_context;
 	krb5_gss_oid_array;
@@ -553,11 +552,7 @@
 	krb5_init_ef_handle;
 	krb5_init_keyblock;
 	krb5_init_secure_context;
-	krb5int_aes_encrypt;
-	krb5int_cm_call_select;
 	krb5_internalize_opaque;
-	krb5int_pbkdf2_hmac_sha1;
-	krb5int_sendtokdc_debug_handler;
 	krb5_is_permitted_enctype;
 	krb5_kdc_rep_decrypt_proc;
 	krb5_kt_add_entry;
@@ -566,12 +561,28 @@
 	krb5_kt_default_name;
 	krb5_kt_dfl_ops;
 	krb5_kt_end_seq_get;
+	krb5_kt_free_entry;
+	krb5_kt_get_entry;
+	krb5_kt_get_name;
+	krb5_kt_next_entry;
+	krb5_kt_read_service_key;
+	krb5_kt_register;
+	krb5_kt_remove_entry;
+	krb5_kt_resolve;
+	krb5_kt_start_seq_get;
+	krb5_ktf_ops;
+	krb5_ktf_writable_ops;
 	krb5_ktfile_add;
 	krb5_ktfile_close;
 	krb5_ktfile_end_get;
 	krb5_ktfile_get_entry;
 	krb5_ktfile_get_name;
 	krb5_ktfile_get_next;
+	krb5_ktfile_remove;
+	krb5_ktfile_resolve;
+	krb5_ktfile_ser_entry;
+	krb5_ktfile_start_seq_get;
+	krb5_ktfile_wresolve;
 	krb5_ktfileint_close;
 	krb5_ktfileint_delete_entry;
 	krb5_ktfileint_find_slot;
@@ -581,28 +592,12 @@
 	krb5_ktfileint_read_entry;
 	krb5_ktfileint_size_entry;
 	krb5_ktfileint_write_entry;
-	krb5_ktfile_remove;
-	krb5_ktfile_resolve;
-	krb5_ktfile_ser_entry;
-	krb5_ktfile_start_seq_get;
-	krb5_ktfile_wresolve;
-	krb5_ktf_ops;
-	krb5_kt_free_entry;
-	krb5_ktf_writable_ops;
-	krb5_kt_get_entry;
-	krb5_kt_get_name;
-	krb5_kt_next_entry;
-	krb5_kt_read_service_key;
-	krb5_kt_register;
-	krb5_kt_remove_entry;
-	krb5_kt_resolve;
-	krb5_kt_start_seq_get;
 	krb5_kuserok;
 	krb5_libdefault_boolean;
 	krb5_locate_kdc;
 	krb5_lock_file;
+	krb5_make_full_ipaddr;
 	krb5_make_fulladdr;
-	krb5_make_full_ipaddr;
 	krb5_max_dgram_size;
 	krb5_max_skdc_timeout;
 	krb5_mk_1cred;
@@ -694,8 +689,8 @@
 	krb5_register_serializer;
 	krb5_salttype_to_string;
 	krb5_secure_config_files;
+	krb5_send_tgs;
 	krb5_sendauth;
-	krb5_send_tgs;
 	krb5_sendto_kdc;
 	krb5_ser_address_init;
 	krb5_ser_auth_context_init;
@@ -717,7 +712,6 @@
 	krb5_set_default_in_tkt_ktypes;
 	krb5_set_default_realm;
 	krb5_set_default_tgs_ktypes;
-	krb5_setenv;
 	krb5_set_key_data;
 	krb5_set_key_enctype;
 	krb5_set_key_length;
@@ -725,6 +719,7 @@
 	krb5_set_principal_realm;
 	krb5_set_real_time;
 	krb5_set_time_offsets;
+	krb5_setenv;
 	krb5_size_opaque;
 	krb5_skdc_timeout_1;
 	krb5_skdc_timeout_shift;
@@ -745,15 +740,20 @@
 	krb5_unparse_name;
 	krb5_unparse_name_ext;
 	krb5_unsetenv;
+	krb5_us_timeofday;
 	krb5_use_enctype;
 	krb5_use_natural_time;
-	krb5_us_timeofday;
 	krb5_validate_times;
 	krb5_verify_init_creds;
 	krb5_verify_init_creds_opt_init;
 	krb5_verify_init_creds_opt_set_ap_req_nofail;
 	krb5_walk_realm_tree;
 	krb5_write_message;
+	krb5int_aes_encrypt;
+	krb5int_cm_call_select;
+	krb5int_foreach_localaddr;
+	krb5int_pbkdf2_hmac_sha1;
+	krb5int_sendtokdc_debug_handler;
 	kv5m_error_table;
 	mit_des_check_key_parity;
 	mit_des_fixup_key_parity;
--- a/usr/src/lib/krb5/db2/btree/bt_debug.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/btree/bt_debug.c	Sat Oct 07 13:37:05 2006 -0700
@@ -55,7 +55,7 @@
 #include "db-int.h"
 #include "btree.h"
 
-#if defined(DEBUG_DB) || defined(STATISTICS)
+#if defined(DEBUG) || defined(STATISTICS)
 
 static FILE *tracefp;
 
@@ -81,7 +81,7 @@
 }
 #endif
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 /*
  * __bt_dump --
  *	dump the tree
--- a/usr/src/lib/krb5/db2/btree/bt_delete.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/btree/bt_delete.c	Sat Oct 07 13:37:05 2006 -0700
@@ -152,7 +152,7 @@
 	EPG *e;
 	EPGNO *parent;
 	PAGE *h;
-	indx_t index;
+	indx_t idx;
 	db_pgno_t pgno;
 	recno_t nextpg, prevpg;
 	int exact, level;
@@ -190,8 +190,8 @@
 
 			/* Move to the next index. */
 			if (parent->index != NEXTINDEX(h) - 1) {
-				index = parent->index + 1;
-				BT_PUSH(t, h->pgno, index);
+				idx = parent->index + 1;
+				BT_PUSH(t, h->pgno, idx);
 				break;
 			}
 			mpool_put(t->bt_mp, h, 0);
@@ -200,7 +200,7 @@
 		/* Restore the stack. */
 		while (level--) {
 			/* Push the next level down onto the stack. */
-			bi = GETBINTERNAL(h, index);
+			bi = GETBINTERNAL(h, idx);
 			pgno = bi->pgno;
 			BT_PUSH(t, pgno, 0);
 
@@ -210,7 +210,7 @@
 			/* Get the next level down. */
 			if ((h = mpool_get(t->bt_mp, pgno, 0)) == NULL)
 				return (1);
-			index = 0;
+			idx = 0;
 		}
 		mpool_put(t->bt_mp, h, 0);
 		if ((h = mpool_get(t->bt_mp, nextpg, 0)) == NULL)
@@ -245,8 +245,8 @@
 
 			/* Move to the next index. */
 			if (parent->index != 0) {
-				index = parent->index - 1;
-				BT_PUSH(t, h->pgno, index);
+				idx = parent->index - 1;
+				BT_PUSH(t, h->pgno, idx);
 				break;
 			}
 			mpool_put(t->bt_mp, h, 0);
@@ -255,7 +255,7 @@
 		/* Restore the stack. */
 		while (level--) {
 			/* Push the next level down onto the stack. */
-			bi = GETBINTERNAL(h, index);
+			bi = GETBINTERNAL(h, idx);
 			pgno = bi->pgno;
 
 			/* Lose the currently pinned page. */
@@ -265,8 +265,8 @@
 			if ((h = mpool_get(t->bt_mp, pgno, 0)) == NULL)
 				return (1);
 
-			index = NEXTINDEX(h) - 1;
-			BT_PUSH(t, pgno, index);
+			idx = NEXTINDEX(h) - 1;
+			BT_PUSH(t, pgno, idx);
 		}
 		mpool_put(t->bt_mp, h, 0);
 		if ((h = mpool_get(t->bt_mp, prevpg, 0)) == NULL)
@@ -384,7 +384,7 @@
 	BINTERNAL *bi;
 	PAGE *pg;
 	EPGNO *parent;
-	indx_t cnt, index, *ip, offset;
+	indx_t cnt, idx, *ip, offset;
 	u_int32_t nksize;
 	char *from;
 
@@ -405,8 +405,8 @@
 		if ((pg = mpool_get(t->bt_mp, parent->pgno, 0)) == NULL)
 			return (RET_ERROR);
 		
-		index = parent->index;
-		bi = GETBINTERNAL(pg, index);
+		idx = parent->index;
+		bi = GETBINTERNAL(pg, idx);
 
 		/* Free any overflow pages. */
 		if (bi->flags & P_BIGKEY &&
@@ -438,11 +438,11 @@
 			pg->upper += nksize;
 
 			/* Adjust indices' offsets, shift the indices down. */
-			offset = pg->linp[index];
-			for (cnt = index, ip = &pg->linp[0]; cnt--; ++ip)
+			offset = pg->linp[idx];
+			for (cnt = idx, ip = &pg->linp[0]; cnt--; ++ip)
 				if (ip[0] < offset)
 					ip[0] += nksize;
-			for (cnt = NEXTINDEX(pg) - index; --cnt; ++ip)
+			for (cnt = NEXTINDEX(pg) - idx; --cnt; ++ip)
 				ip[0] = ip[1] < offset ? ip[1] + nksize : ip[1];
 			pg->lower -= sizeof(indx_t);
 		}
@@ -467,17 +467,17 @@
  *	t:	tree
  *    key:	referenced key
  *	h:	page
- *	index:	index on page to delete
+ *	idx:	index on page to delete
  *
  * Returns:
  *	RET_SUCCESS, RET_ERROR.
  */
 int
-__bt_dleaf(t, key, h, index)
+__bt_dleaf(t, key, h, idx)
 	BTREE *t;
 	const DBT *key;
 	PAGE *h;
-	u_int index;
+	u_int idx;
 {
 	BLEAF *bl;
 	indx_t cnt, *ip, offset;
@@ -488,12 +488,12 @@
 	/* If this record is referenced by the cursor, delete the cursor. */
 	if (F_ISSET(&t->bt_cursor, CURS_INIT) &&
 	    !F_ISSET(&t->bt_cursor, CURS_ACQUIRE) &&
-	    t->bt_cursor.pg.pgno == h->pgno && t->bt_cursor.pg.index == index &&
-	    __bt_curdel(t, key, h, index))
+	    t->bt_cursor.pg.pgno == h->pgno && t->bt_cursor.pg.index == idx &&
+	    __bt_curdel(t, key, h, idx))
 		return (RET_ERROR);
 
 	/* If the entry uses overflow pages, make them available for reuse. */
-	to = bl = GETBLEAF(h, index);
+	to = bl = GETBLEAF(h, idx);
 	if (bl->flags & P_BIGKEY && __ovfl_delete(t, bl->bytes) == RET_ERROR)
 		return (RET_ERROR);
 	if (bl->flags & P_BIGDATA &&
@@ -507,18 +507,18 @@
 	h->upper += nbytes;
 
 	/* Adjust the indices' offsets, shift the indices down. */
-	offset = h->linp[index];
-	for (cnt = index, ip = &h->linp[0]; cnt--; ++ip)
+	offset = h->linp[idx];
+	for (cnt = idx, ip = &h->linp[0]; cnt--; ++ip)
 		if (ip[0] < offset)
 			ip[0] += nbytes;
-	for (cnt = NEXTINDEX(h) - index; --cnt; ++ip)
+	for (cnt = NEXTINDEX(h) - idx; --cnt; ++ip)
 		ip[0] = ip[1] < offset ? ip[1] + nbytes : ip[1];
 	h->lower -= sizeof(indx_t);
 
 	/* If the cursor is on this page, adjust it as necessary. */
 	if (F_ISSET(&t->bt_cursor, CURS_INIT) &&
 	    !F_ISSET(&t->bt_cursor, CURS_ACQUIRE) &&
-	    t->bt_cursor.pg.pgno == h->pgno && t->bt_cursor.pg.index > index)
+	    t->bt_cursor.pg.pgno == h->pgno && t->bt_cursor.pg.index > idx)
 		--t->bt_cursor.pg.index;
 
 	return (RET_SUCCESS);
@@ -532,17 +532,17 @@
  *	t:	tree
  *    key:	referenced key (or NULL)
  *	h:	page
- *  index:	index on page to delete
+ *  idx:	idx on page to delete
  *
  * Returns:
  *	RET_SUCCESS, RET_ERROR.
  */
 static int
-__bt_curdel(t, key, h, index)
+__bt_curdel(t, key, h, idx)
 	BTREE *t;
 	const DBT *key;
 	PAGE *h;
-	u_int index;
+	u_int idx;
 {
 	CURSOR *c;
 	EPG e;
@@ -565,7 +565,7 @@
 		 */
 		if (key == NULL) {
 			e.page = h;
-			e.index = index;
+			e.index = idx;
 			if ((status = __bt_ret(t, &e,
 			    &c->key, &c->key, NULL, NULL, 1)) != RET_SUCCESS)
 				return (status);
@@ -573,25 +573,25 @@
 			key = &c->key;
 		}
 		/* Check previous key, if not at the beginning of the page. */
-		if (index > 0) { 
+		if (idx > 0) { 
 			e.page = h;
-			e.index = index - 1;
+			e.index = idx - 1;
 			if (__bt_cmp(t, key, &e) == 0) {
 				F_SET(c, CURS_BEFORE);
 				goto dup2;
 			}
 		}
 		/* Check next key, if not at the end of the page. */
-		if (index < NEXTINDEX(h) - 1) {
+		if (idx < NEXTINDEX(h) - 1) {
 			e.page = h;
-			e.index = index + 1;
+			e.index = idx + 1;
 			if (__bt_cmp(t, key, &e) == 0) {
 				F_SET(c, CURS_AFTER);
 				goto dup2;
 			}
 		}
 		/* Check previous key if at the beginning of the page. */
-		if (index == 0 && h->prevpg != P_INVALID) {
+		if (idx == 0 && h->prevpg != P_INVALID) {
 			if ((pg = mpool_get(t->bt_mp, h->prevpg, 0)) == NULL)
 				return (RET_ERROR);
 			e.page = pg;
@@ -603,7 +603,7 @@
 			mpool_put(t->bt_mp, pg, 0);
 		}
 		/* Check next key if at the end of the page. */
-		if (index == NEXTINDEX(h) - 1 && h->nextpg != P_INVALID) {
+		if (idx == NEXTINDEX(h) - 1 && h->nextpg != P_INVALID) {
 			if ((pg = mpool_get(t->bt_mp, h->nextpg, 0)) == NULL)
 				return (RET_ERROR);
 			e.page = pg;
@@ -619,7 +619,7 @@
 		}
 	}
 	e.page = h;
-	e.index = index;
+	e.index = idx;
 	if (curcopy || (status =
 	    __bt_ret(t, &e, &c->key, &c->key, NULL, NULL, 1)) == RET_SUCCESS) {
 		F_SET(c, CURS_ACQUIRE);
--- a/usr/src/lib/krb5/db2/btree/bt_open.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/btree/bt_open.c	Sat Oct 07 13:37:05 2006 -0700
@@ -63,7 +63,7 @@
 #include "db-int.h"
 #include "btree.h"
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 #undef	MINPSIZE
 #define	MINPSIZE	128
 #endif
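Review bot: Switching the guard from `DEBUG_DB` to the generic `DEBUG` means any build that defines `DEBUG` for unrelated code now also lowers `MINPSIZE` to 128 here, changing which page sizes the open-time validation accepts. The same rename in bt_debug.c and bt_overflow.c likewise enables the dump code and the `abort()` checks on overflow pages. If the private name cannot be kept, a comment at this guard such as `/* DEBUG here changes on-disk page-size validation; do not define it in production builds */` would make the side effect visible. Whether the consolidation build ever sets `DEBUG` for this library cannot be told from the diff.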
@@ -127,7 +127,7 @@
 		 */
 		if (b.psize &&
 		    (b.psize < MINPSIZE || b.psize > MAX_PAGE_OFFSET + 1 ||
-		    b.psize & sizeof(indx_t) - 1))
+		    b.psize & (sizeof(indx_t) - 1)))
 			goto einval;
 
 		/* Minimum number of keys per page; absolute minimum is 2. */
@@ -247,7 +247,7 @@
 		if (m.magic != BTREEMAGIC || m.version != BTREEVERSION)
 			goto eftype;
 		if (m.psize < MINPSIZE || m.psize > MAX_PAGE_OFFSET + 1 ||
-		    m.psize & sizeof(indx_t) - 1)
+		    m.psize & (sizeof(indx_t) - 1))
 			goto eftype;
 		if (m.flags & ~SAVEMETA)
 			goto eftype;
@@ -280,8 +280,8 @@
 	t->bt_psize = b.psize;
 
 	/* Set the cache size; must be a multiple of the page size. */
-	if (b.cachesize && b.cachesize & b.psize - 1)
-		b.cachesize += (~b.cachesize & b.psize - 1) + 1;
+	if (b.cachesize && b.cachesize & (b.psize - 1))
+		b.cachesize += (~b.cachesize & (b.psize - 1)) + 1;
 	if (b.cachesize < b.psize * MINCACHE)
 		b.cachesize = b.psize * MINCACHE;
 
--- a/usr/src/lib/krb5/db2/btree/bt_overflow.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/btree/bt_overflow.c	Sat Oct 07 13:37:05 2006 -0700
@@ -95,7 +95,7 @@
 	memmove(&sz, (char *)p + sizeof(db_pgno_t), sizeof(u_int32_t));
 	*ssz = sz;
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	if (pg == P_INVALID || sz == 0)
 		abort();
 #endif
@@ -204,7 +204,7 @@
 	memmove(&pg, p, sizeof(db_pgno_t));
 	memmove(&sz, (char *)p + sizeof(db_pgno_t), sizeof(u_int32_t));
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	if (pg == P_INVALID || sz == 0)
 		abort();
 #endif
--- a/usr/src/lib/krb5/db2/btree/bt_put.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/btree/bt_put.c	Sat Oct 07 13:37:05 2006 -0700
@@ -74,9 +74,9 @@
 {
 	BTREE *t;
 	DBT tkey, tdata;
-	EPG *e;
+	EPG *e = 0;
 	PAGE *h;
-	indx_t index, nxtindex;
+	indx_t idx, nxtindex;
 	db_pgno_t pg;
 	u_int32_t nbytes;
 	int dflags, exact, status;
@@ -126,24 +126,31 @@
 	dflags = 0;
 	if (key->size + data->size > t->bt_ovflsize) {
 		if (key->size > t->bt_ovflsize) {
+			u_int32_t yuck_this_is_gross_code;
 storekey:		if (__ovfl_put(t, key, &pg) == RET_ERROR)
 				return (RET_ERROR);
 			tkey.data = kb;
 			tkey.size = NOVFLSIZE;
 			memmove(kb, &pg, sizeof(db_pgno_t));
+			yuck_this_is_gross_code = key->size;
+			if (yuck_this_is_gross_code != key->size)
+				abort ();
 			memmove(kb + sizeof(db_pgno_t),
-			    &key->size, sizeof(u_int32_t));
+				&yuck_this_is_gross_code, sizeof(u_int32_t));
 			dflags |= P_BIGKEY;
 			key = &tkey;
 		}
 		if (key->size + data->size > t->bt_ovflsize) {
+			u_int32_t yuck_this_is_gross_code = data->size;
 			if (__ovfl_put(t, data, &pg) == RET_ERROR)
 				return (RET_ERROR);
 			tdata.data = db;
 			tdata.size = NOVFLSIZE;
 			memmove(db, &pg, sizeof(db_pgno_t));
+			if (yuck_this_is_gross_code != data->size)
+				abort ();
 			memmove(db + sizeof(db_pgno_t),
-			    &data->size, sizeof(u_int32_t));
+				&yuck_this_is_gross_code, sizeof(u_int32_t));
 			dflags |= P_BIGDATA;
 			data = &tdata;
 		}
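Review bot: The new truncation checks call `abort()` from library code, and only after `__ovfl_put()` has already stored the item, so a key or data length that does not fit in `u_int32_t` kills the calling process instead of failing the put. Do the width test before the `__ovfl_put()` call and fail like the neighbouring error paths, e.g. `if (yuck_this_is_gross_code != key->size) return (RET_ERROR);`, and likewise for `data->size`. In the key branch the assignment must stay below the `storekey:` label, because the label is entered by `goto` from outside the block. A descriptive name such as `ksize32` would also read better than `yuck_this_is_gross_code`. The enclosing function starts and ends outside this hunk.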
@@ -155,7 +162,7 @@
 	if (flags == R_CURSOR) {
 		if ((h = mpool_get(t->bt_mp, t->bt_cursor.pg.pgno, 0)) == NULL)
 			return (RET_ERROR);
-		index = t->bt_cursor.pg.index;
+		idx = t->bt_cursor.pg.index;
 		goto delete;
 	}
 
@@ -167,7 +174,7 @@
 		if ((e = __bt_search(t, key, &exact)) == NULL)
 			return (RET_ERROR);
 	h = e->page;
-	index = e->index;
+	idx = e->index;
 
 	/*
 	 * Add the key/data pair to the tree.  If an identical key is already
@@ -189,7 +196,7 @@
 		 * Note, the delete may empty the page, so we need to put a
 		 * new entry into the page immediately.
 		 */
-delete:		if (__bt_dleaf(t, key, h, index) == RET_ERROR) {
+delete:		if (__bt_dleaf(t, key, h, idx) == RET_ERROR) {
 			mpool_put(t->bt_mp, h, 0);
 			return (RET_ERROR);
 		}
@@ -205,40 +212,41 @@
 	nbytes = NBLEAFDBT(key->size, data->size);
 	if (h->upper - h->lower < nbytes + sizeof(indx_t)) {
 		if ((status = __bt_split(t, h, key,
-		    data, dflags, nbytes, index)) != RET_SUCCESS)
+		    data, dflags, nbytes, idx)) != RET_SUCCESS)
 			return (status);
 		goto success;
 	}
 
-	if (index < (nxtindex = NEXTINDEX(h)))
-		memmove(h->linp + index + 1, h->linp + index,
-		    (nxtindex - index) * sizeof(indx_t));
+	if (idx < (nxtindex = NEXTINDEX(h)))
+		memmove(h->linp + idx + 1, h->linp + idx,
+		    (nxtindex - idx) * sizeof(indx_t));
 	h->lower += sizeof(indx_t);
 
-	h->linp[index] = h->upper -= nbytes;
+	h->linp[idx] = h->upper -= nbytes;
 	dest = (char *)h + h->upper;
 	WR_BLEAF(dest, key, data, dflags);
 
 	/* If the cursor is on this page, adjust it as necessary. */
 	if (F_ISSET(&t->bt_cursor, CURS_INIT) &&
 	    !F_ISSET(&t->bt_cursor, CURS_ACQUIRE) &&
-	    t->bt_cursor.pg.pgno == h->pgno && t->bt_cursor.pg.index >= index)
+	    t->bt_cursor.pg.pgno == h->pgno && t->bt_cursor.pg.index >= idx)
 		++t->bt_cursor.pg.index;
 
-	if (t->bt_order == NOT)
+	if (t->bt_order == NOT) {
 		if (h->nextpg == P_INVALID) {
-			if (index == NEXTINDEX(h) - 1) {
+			if (idx == NEXTINDEX(h) - 1) {
 				t->bt_order = FORWARD;
-				t->bt_last.index = index;
+				t->bt_last.index = idx;
 				t->bt_last.pgno = h->pgno;
 			}
 		} else if (h->prevpg == P_INVALID) {
-			if (index == 0) {
+			if (idx == 0) {
 				t->bt_order = BACK;
 				t->bt_last.index = 0;
 				t->bt_last.pgno = h->pgno;
 			}
 		}
+	}
 
 	mpool_put(t->bt_mp, h, MPOOL_DIRTY);
 
--- a/usr/src/lib/krb5/db2/btree/bt_search.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/btree/bt_search.c	Sat Oct 07 13:37:05 2006 -0700
@@ -71,7 +71,7 @@
 	int *exactp;
 {
 	PAGE *h;
-	indx_t base, index, lim;
+	indx_t base, idx, lim;
 	db_pgno_t pg;
 	int cmp;
 
@@ -83,7 +83,7 @@
 		/* Do a binary search on the current page. */
 		t->bt_cur.page = h;
 		for (base = 0, lim = NEXTINDEX(h); lim; lim >>= 1) {
-			t->bt_cur.index = index = base + (lim >> 1);
+			t->bt_cur.index = idx = base + (lim >> 1);
 			if ((cmp = __bt_cmp(t, key, &t->bt_cur)) == 0) {
 				if (h->flags & P_BLEAF) {
 					*exactp = 1;
@@ -92,7 +92,7 @@
 				goto next;
 			}
 			if (cmp > 0) {
-				base = index + 1;
+				base = idx + 1;
 				--lim;
 			}
 		}
@@ -128,10 +128,10 @@
 		 * be a parent page for the key.  If a split later occurs, the
 		 * inserted page will be to the right of the saved page.
 		 */
-		index = base ? base - 1 : base;
+		idx = base ? base - 1 : base;
 
-next:		BT_PUSH(t, h->pgno, index);
-		pg = GETBINTERNAL(h, index)->pgno;
+next:		BT_PUSH(t, h->pgno, idx);
+		pg = GETBINTERNAL(h, idx)->pgno;
 		mpool_put(t->bt_mp, h, 0);
 	}
 }
@@ -159,7 +159,7 @@
 	BINTERNAL *bi;
 	EPG e;
 	EPGNO *parent;
-	indx_t index;
+	indx_t idx;
 	db_pgno_t pgno;
 	int level;
 
@@ -190,8 +190,8 @@
 
 		/* Move to the next index. */
 		if (parent->index != NEXTINDEX(h) - 1) {
-			index = parent->index + 1;
-			BT_PUSH(t, h->pgno, index);
+			idx = parent->index + 1;
+			BT_PUSH(t, h->pgno, idx);
 			break;
 		}
 		mpool_put(t->bt_mp, h, 0);
@@ -200,7 +200,7 @@
 	/* Restore the stack. */
 	while (level--) {
 		/* Push the next level down onto the stack. */
-		bi = GETBINTERNAL(h, index);
+		bi = GETBINTERNAL(h, idx);
 		pgno = bi->pgno;
 		BT_PUSH(t, pgno, 0);
 
@@ -210,7 +210,7 @@
 		/* Get the next level down. */
 		if ((h = mpool_get(t->bt_mp, pgno, 0)) == NULL)
 			return (0);
-		index = 0;
+		idx = 0;
 	}
 	mpool_put(t->bt_mp, h, 0);
 	return (1);
@@ -239,7 +239,7 @@
 	BINTERNAL *bi;
 	EPG e;
 	EPGNO *parent;
-	indx_t index;
+	indx_t idx;
 	db_pgno_t pgno;
 	int level;
 
@@ -271,8 +271,8 @@
 
 		/* Move to the next index. */
 		if (parent->index != 0) {
-			index = parent->index - 1;
-			BT_PUSH(t, h->pgno, index);
+			idx = parent->index - 1;
+			BT_PUSH(t, h->pgno, idx);
 			break;
 		}
 		mpool_put(t->bt_mp, h, 0);
@@ -281,7 +281,7 @@
 	/* Restore the stack. */
 	while (level--) {
 		/* Push the next level down onto the stack. */
-		bi = GETBINTERNAL(h, index);
+		bi = GETBINTERNAL(h, idx);
 		pgno = bi->pgno;
 
 		/* Lose the currently pinned page. */
@@ -291,8 +291,8 @@
 		if ((h = mpool_get(t->bt_mp, pgno, 0)) == NULL)
 			return (1);
 
-		index = NEXTINDEX(h) - 1;
-		BT_PUSH(t, pgno, index);
+		idx = NEXTINDEX(h) - 1;
+		BT_PUSH(t, pgno, idx);
 	}
 	mpool_put(t->bt_mp, h, 0);
 	return (1);
--- a/usr/src/lib/krb5/db2/btree/bt_seq.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/btree/bt_seq.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -75,7 +75,7 @@
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h> /* SUNWresync121 */
+#include <string.h>
 
 #include "db-int.h"
 #include "btree.h"
@@ -276,7 +276,7 @@
 {
 	CURSOR *c;
 	PAGE *h;
-	indx_t index;
+	indx_t idx;
 	db_pgno_t pg;
 	int exact, rval;
 
@@ -344,15 +344,15 @@
 		 */
 		if (F_ISSET(c, CURS_AFTER))
 			goto usecurrent;
-		index = c->pg.index;
-		if (++index == NEXTINDEX(h)) {
+		idx = c->pg.index;
+		if (++idx == NEXTINDEX(h)) {
 			pg = h->nextpg;
 			mpool_put(t->bt_mp, h, 0);
 			if (pg == P_INVALID)
 				return (RET_SPECIAL);
 			if ((h = mpool_get(t->bt_mp, pg, 0)) == NULL)
 				return (RET_ERROR);
-			index = 0;
+			idx = 0;
 		}
 		break;
 	case R_PREV:			/* Previous record. */
@@ -367,22 +367,22 @@
 			ep->index = c->pg.index;
 			return (RET_SUCCESS);
 		}
-		index = c->pg.index;
-		if (index == 0) {
+		idx = c->pg.index;
+		if (idx == 0) {
 			pg = h->prevpg;
 			mpool_put(t->bt_mp, h, 0);
 			if (pg == P_INVALID)
 				return (RET_SPECIAL);
 			if ((h = mpool_get(t->bt_mp, pg, 0)) == NULL)
 				return (RET_ERROR);
-			index = NEXTINDEX(h) - 1;
+			idx = NEXTINDEX(h) - 1;
 		} else
-			--index;
+			--idx;
 		break;
 	}
 
 	ep->page = h;
-	ep->index = index;
+	ep->index = idx;
 	return (RET_SUCCESS);
 }
 
@@ -502,10 +502,10 @@
  *  index:	page index
  */
 void
-__bt_setcur(t, pgno, index)
+__bt_setcur(t, pgno, idx)
 	BTREE *t;
 	db_pgno_t pgno;
-	u_int index;
+	u_int idx;
 {
 	/* Lose any already deleted key. */
 	if (t->bt_cursor.key.data != NULL) {
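Review bot: The header comment above `__bt_setcur` still documents the third parameter as `index: page index`, but the parameter is now named `idx`. The comment line should follow the rename, `*  idx: page index`, so the parameter list and its description agree. The function body continues past the end of this hunk.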
@@ -517,7 +517,7 @@
 
 	/* Update the cursor. */
 	t->bt_cursor.pg.pgno = pgno;
-	t->bt_cursor.pg.index = index;
+	t->bt_cursor.pg.index = idx;
 	F_SET(&t->bt_cursor, CURS_INIT);
 }
 
--- a/usr/src/lib/krb5/db2/btree/extern.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/btree/extern.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -114,7 +114,7 @@
 int	 __ovfl_get __P((BTREE *, void *, size_t *, void **, size_t *));
 int	 __ovfl_put __P((BTREE *, const DBT *, db_pgno_t *));
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 int	 __bt_dnpage __P((DB *, db_pgno_t));
 int	 __bt_dpage __P((DB *, PAGE *));
 int	 __bt_dmpage __P((PAGE *));
--- a/usr/src/lib/krb5/db2/db/db.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/db/db.c	Sat Oct 07 13:37:05 2006 -0700
@@ -99,19 +99,3 @@
 	dbp->seq = (int (*)())__dberr;
 	dbp->sync = (int (*)())__dberr;
 }
-
-/* global used to toggle display of debug messages */
-int g_displayDebugDB = 0;
-
-/*
- * debugging aid
- * call this function to enable/disable printing of debug messages
- * code must be compiled with DEBUG_DB
- */
-void debugDisplayDB(int onOff)
-{
-#if DEBUG_DB
-
-	g_displayDebugDB = onOff;
-#endif
-}
--- a/usr/src/lib/krb5/db2/hash/dbm.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/dbm.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -234,7 +234,7 @@
 	DBM *db;
 {
 	int status;
-	datum retdata, retkey;
+	datum retkey;
 
 #ifdef NEED_COPY
 	DBT k, r;
@@ -243,6 +243,8 @@
 	retkey.dptr = k.data;
 	retkey.dsize = k.size;
 #else
+	datum retdata;
+
 	status = (db->seq)(db, (DBT *)&retkey, (DBT *)&retdata, R_FIRST);
 #endif
 	if (status)
@@ -260,7 +262,7 @@
 	DBM *db;
 {
 	int status;
-	datum retdata, retkey;
+	datum retkey;
 
 #ifdef NEED_COPY
 	DBT k, r;
@@ -269,6 +271,8 @@
 	retkey.dptr = k.data;
 	retkey.dsize = k.size;
 #else
+	datum retdata;
+
 	status = (db->seq)(db, (DBT *)&retkey, (DBT *)&retdata, R_NEXT);
 #endif
 	if (status)
--- a/usr/src/lib/krb5/db2/hash/hash.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/hash.c	Sat Oct 07 13:37:05 2006 -0700
@@ -46,16 +46,14 @@
 #include <sys/stat.h>
 
 #include <errno.h>
-
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <libintl.h>
-#ifdef DEBUG_DB
+#ifdef DEBUG
 #include <assert.h>
-extern int g_displayDebugDB;
 #endif
 
 #include "db-int.h"
@@ -64,7 +62,7 @@
 #include "extern.h"
 
 static int32_t flush_meta __P((HTAB *));
-static int32_t hash_access __P((HTAB *, ACTION, DBT *, DBT *));
+static int32_t hash_access __P((HTAB *, ACTION, const DBT *, DBT *));
 static int32_t hash_close __P((DB *));
 static int32_t hash_delete __P((const DB *, const DBT *, u_int32_t));
 static int32_t hash_fd __P((const DB *));
@@ -76,7 +74,7 @@
 static int32_t cursor_get __P((const DB *, CURSOR *, DBT *, DBT *, \
 	u_int32_t));
 static int32_t cursor_delete __P((const DB *, CURSOR *, u_int32_t));
-static HTAB *init_hash __P((HTAB *, const char *, HASHINFO *));
+static HTAB *init_hash __P((HTAB *, const char *, const HASHINFO *));
 static int32_t init_htab __P((HTAB *, int32_t));
 #if DB_BYTE_ORDER == DB_LITTLE_ENDIAN
 static void swap_header __P((HTAB *));
@@ -140,9 +138,8 @@
 		}
 
 		/* store the file name so that we can unlink it later */
-		hashp->fname = (char *)file;
-#ifdef DEBUG_DB
-		if (g_displayDebugDB)
+		hashp->fname = file;
+#ifdef DEBUG
 			fprintf(stderr, dgettext(TEXT_DOMAIN,
 			"Using file name %s.\n"), file);
 #endif
@@ -171,7 +168,7 @@
 
 	/* Process arguments to set up hash table header. */
 	if (new_table) {
-		if (!(hashp = init_hash(hashp, file, (HASHINFO *)info)))
+		if (!(hashp = init_hash(hashp, file, info)))
 			RETURN_ERROR(errno, error1);
 	} else {
 		/* Table already exists */
@@ -257,9 +254,7 @@
 	dbp->sync = hash_sync;
 	dbp->type = DB_HASH;
 
-#ifdef DEBUG_DB
-	if (g_displayDebugDB) {
-
+#ifdef DEBUG
 	(void)fprintf(stderr,
 	    "%s\n%s%lx\n%s%d\n%s%d\n%s%d\n%s%d\n%s%d\n%s%x\n%s%x\n%s%d\n%s%d\n",
 	    "init_htab:",
@@ -273,7 +268,6 @@
 	    "HIGH MASK       ", hashp->hdr.high_mask,
 	    "LOW  MASK       ", hashp->hdr.low_mask,
 	    "NKEYS           ", hashp->hdr.nkeys);
-	}
 #endif
 #ifdef HASH_STATISTICS
 	hash_overflows = hash_accesses = hash_collisions = hash_expansions = 0;
@@ -292,7 +286,7 @@
 
 error0:
 	if (!specified_file)
-		free(hashp->fname);
+		free((void*)(hashp->fname)); /* SUNW14resync */
 	free(hashp);
 	errno = save_errno;
 	return (NULL);
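Review bot: `free((void*)(hashp->fname))` has to cast away the `const` that this changeset adds to the `fname` field in hash.h, which hides who owns the string: the field is assigned straight from `file` in the earlier hunk and is freed here only when `specified_file` is false. The same cast appears in the close-path hunk next to `unlink(hashp->fname)`, where the free depends on `save_file` instead. A comment on the field stating the rule would keep the two conditions from drifting apart, e.g. `/* File path; freed by the table only when it generated the name itself */`, to be confirmed against the code that sets `specified_file`, which is outside these hunks.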
@@ -336,7 +330,7 @@
 init_hash(hashp, file, info)
 	HTAB *hashp;
 	const char *file;
-	HASHINFO *info;
+	const HASHINFO *info;
 {
 	struct stat statbuf;
 	int32_t nelem;
@@ -393,7 +387,6 @@
 	int32_t nelem;
 {
 	int32_t l2, nbuckets;
-	db_pgno_t i;
 
 	/*
 	 * Divide number of elements by the fill factor and determine a
@@ -572,9 +565,7 @@
 	 * files within mpool itself.
 	 */
 	if (hashp->fname && !hashp->save_file) {
-#ifdef DEBUG_DB
-
-	if (g_displayDebugDB)
+#ifdef DEBUG
 		fprintf(stderr, dgettext(TEXT_DOMAIN,
 			"Unlinking file %s.\n"), hashp->fname);
 #endif
@@ -582,7 +573,7 @@
 		chmod(hashp->fname, 0700);
 		unlink(hashp->fname);
 		/* destroy the temporary name */
-		free(hashp->fname);
+		free((void *)(hashp->fname)); /* SUNW14resync */
 	}
 	free(hashp);
 
@@ -672,7 +663,7 @@
 		hashp->local_errno = errno = EINVAL;
 		return (ERROR);
 	}
-	return (hash_access(hashp, HASH_GET, (DBT *)key, data));
+	return (hash_access(hashp, HASH_GET, key, data));
 }
 
 static int32_t
@@ -694,7 +685,7 @@
 		return (ERROR);
 	}
 	return (hash_access(hashp, flag == R_NOOVERWRITE ?
-		HASH_PUTNEW : HASH_PUT, (DBT *)key, (DBT *)data));
+		HASH_PUTNEW : HASH_PUT, key, (DBT *)data));
 }
 
 static int32_t
@@ -715,7 +706,7 @@
 		return (ERROR);
 	}
 
-	return (hash_access(hashp, HASH_DELETE, (DBT *)key, NULL));
+	return (hash_access(hashp, HASH_DELETE, key, NULL));
 }
 
 /*
@@ -725,7 +716,8 @@
 hash_access(hashp, action, key, val)
 	HTAB *hashp;
 	ACTION action;
-	DBT *key, *val;
+	const DBT *key;
+	DBT *val;
 {
 	DBT page_key, page_val;
 	CURSOR cursor;
--- a/usr/src/lib/krb5/db2/hash/hash.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/hash.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -103,7 +103,7 @@
 	u_int32_t (*hash) __P((const void *, size_t)); /* Hash Function */
 	int32_t	flags;		/* Flag values */
 	int32_t	fp;		/* File pointer */
-	char *fname;        	/* File path */
+	const char *fname;        	/* File path */
 	u_int8_t *bigdata_buf;	/* Temporary Buffer for BIG data */
 	u_int8_t *bigkey_buf;	/* Temporary Buffer for BIG keys */
 	u_int16_t  *split_buf;	/* Temporary buffer for splits */
--- a/usr/src/lib/krb5/db2/hash/hash_bigkey.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/hash_bigkey.c	Sat Oct 07 13:37:05 2006 -0700
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#ifdef DEBUG_DB 
+#ifdef DEBUG
 #include <assert.h>
 #endif
 
@@ -245,7 +245,7 @@
 		}
 	}
 	__put_page(hashp, pagep, A_RAW, 0);
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	assert(ksize >= 0);
 #endif
 	if (ksize != 0) {
@@ -379,7 +379,7 @@
 	PAGE16 *next_pagep;
 	int32_t totlen, retval;
 	db_pgno_t next_pgno;
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	db_pgno_t save_addr;
 #endif
 
@@ -388,7 +388,7 @@
 		totlen = len + BIGKEYLEN(pagep);
 		if (hashp->bigkey_buf)
 			free(hashp->bigkey_buf);
-		hashp->bigkey_buf = (unsigned char *)malloc(totlen);
+		hashp->bigkey_buf = (u_int8_t *)malloc(totlen);
 		if (!hashp->bigkey_buf)
 			return (-1);
 		memcpy(hashp->bigkey_buf + len,
@@ -402,7 +402,7 @@
 	if (BIGKEYLEN(pagep) == 0) {
 		if (hashp->bigkey_buf)
 			free(hashp->bigkey_buf);
-		hashp->bigkey_buf = (unsigned char *)malloc(len);
+		hashp->bigkey_buf = (u_int8_t *)malloc(len);
 		return (hashp->bigkey_buf ? len : -1);
 	}
 	totlen = len + BIGKEYLEN(pagep);
@@ -414,12 +414,12 @@
 	next_pagep = __get_page(hashp, next_pgno, A_RAW);
 	if (!next_pagep)
 		return (-1);
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	save_addr = ADDR(pagep);
 #endif
 	retval = collect_key(hashp, next_pagep, totlen, last_page);
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	assert(save_addr == ADDR(pagep));
 #endif
 	memcpy(hashp->bigkey_buf + len, BIGKEY(pagep), BIGKEYLEN(pagep));
@@ -446,7 +446,7 @@
 	PAGE16 *next_pagep;
 	int32_t totlen, retval;
 	db_pgno_t next_pgno;
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	db_pgno_t save_addr;
 #endif
 
@@ -455,7 +455,7 @@
 		if (hashp->bigdata_buf)
 			free(hashp->bigdata_buf);
 		totlen = len + BIGDATALEN(pagep);
-		hashp->bigdata_buf = (unsigned char *)malloc(totlen);
+		hashp->bigdata_buf = (u_int8_t *)malloc(totlen);
 		if (!hashp->bigdata_buf)
 			return (-1);
 		memcpy(hashp->bigdata_buf + totlen - BIGDATALEN(pagep),
@@ -470,11 +470,11 @@
 	if (!next_pagep)
 		return (-1);
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	save_addr = ADDR(pagep);
 #endif
 	retval = collect_data(hashp, next_pagep, totlen);
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	assert(save_addr == ADDR(pagep));
 #endif
 	memcpy(hashp->bigdata_buf + totlen - BIGDATALEN(pagep),
--- a/usr/src/lib/krb5/db2/hash/hash_func.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/hash_func.c	Sat Oct 07 13:37:05 2006 -0700
@@ -47,9 +47,11 @@
 #include "page.h"
 #include "extern.h"
 
+#if 0
 static u_int32_t hash1 __P((const void *, size_t));
 static u_int32_t hash2 __P((const void *, size_t));
 static u_int32_t hash3 __P((const void *, size_t));
+#endif
 static u_int32_t hash4 __P((const void *, size_t));
 
 /* Default hash function. */
@@ -64,6 +66,7 @@
 #define PRIME1		37
 #define PRIME2		1048583
 
+#if 0
 static u_int32_t
 hash1(key, len)
 	const void *key;
@@ -153,6 +156,8 @@
 	}
 	return (n);
 }
+#endif
+
 
 /* Chris Torek's hash function. */
 static u_int32_t
@@ -161,14 +166,14 @@
 	size_t len;
 {
 	u_int32_t h, loop;
-	u_int8_t *k;
+	const u_int8_t *k;
 
 #define HASH4a   h = (h << 5) - h + *k++;
 #define HASH4b   h = (h << 5) + h + *k++;
 #define HASH4 HASH4b
 
 	h = 0;
-	k = (u_int8_t *)key;
+	k = (const u_int8_t *)key;
 	if (len > 0) {
 		loop = (len + 8 - 1) >> 3;
 
--- a/usr/src/lib/krb5/db2/hash/hash_log2.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/hash_log2.c	Sat Oct 07 13:37:05 2006 -0700
@@ -41,6 +41,9 @@
 #endif /* LIBC_SCCS and not lint */
 
 #include "db-int.h"
+#include "hash.h"
+#include "page.h"
+#include "extern.h"
 
 u_int32_t
 __kdb2_log2(num)
--- a/usr/src/lib/krb5/db2/hash/hash_page.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/hash_page.c	Sat Oct 07 13:37:05 2006 -0700
@@ -58,7 +58,7 @@
 
 #include <sys/types.h>
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 #include <assert.h>
 #endif
 #include <stdio.h>
@@ -82,7 +82,7 @@
 static void	 swap_page_header_in __P((PAGE16 *));
 static void	 swap_page_header_out __P((PAGE16 *));
 
-#ifdef DEBUG_DB_SLOW
+#ifdef DEBUG_SLOW
 static void	 account_page(HTAB *, db_pgno_t, int);
 #endif
 
@@ -215,12 +215,12 @@
 	DBT *key, *val;
 	ITEM_INFO *item_info;
 {
-	int stat;
+	int status;
 
-	stat = __get_item(hashp, cursorp, key, val, item_info);
+	status = __get_item(hashp, cursorp, key, val, item_info);
 	cursorp->ndx++;
 	cursorp->pgndx++;
-	return (stat);
+	return (status);
 }
 
 /*
@@ -323,7 +323,7 @@
 		--ndx;
 	} else
 		pagep = cursorp->pagep;
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	assert(ADDR(pagep) == cursorp->pgno);
 #endif
 
@@ -379,7 +379,7 @@
 	for (n = ndx; n < NUM_ENT(pagep) - 1; n++)
 		if (KEY_OFF(pagep, (n + 1)) != BIGPAIR) {
 			next_key = next_realkey(pagep, n);
-#ifdef DEBUG_DB
+#ifdef DEBUG
 			assert(next_key != -1);
 #endif
 			KEY_OFF(pagep, n) = KEY_OFF(pagep, (n + 1)) + delta;
@@ -413,7 +413,7 @@
 			return (-1);
 		while (NEXT_PGNO(pagep) != to_find) {
 			next_pgno = NEXT_PGNO(pagep);
-#ifdef DEBUG_DB
+#ifdef DEBUG
 			assert(next_pgno != INVALID_PGNO);
 #endif
 			__put_page(hashp, pagep, A_RAW, 0);
@@ -669,7 +669,7 @@
 		pagep = __add_ovflpage(hashp, pagep);
 		if (!pagep)
 			return (-1);
-#ifdef DEBUG_DB
+#ifdef DEBUG
 		assert(BIGPAIRFITS(pagep));
 #endif
 	}
@@ -819,7 +819,7 @@
 	pagep = mpool_new(hashp->mp, &paddr, MPOOL_PAGE_REQUEST);
 	if (!pagep)
 		return (-1);
-#if DEBUG_DB_SLOW
+#if DEBUG_SLOW
 	account_page(hashp, paddr, 1);
 #endif
 
@@ -938,7 +938,7 @@
 	PAGE16 *pagep;
 	int32_t addr_type, is_dirty;
 {
-#if DEBUG_DB_SLOW
+#if DEBUG_SLOW
 	account_page(hashp,
 	    ((BKT *)((char *)pagep - sizeof(BKT)))->pgno, -1);
 #endif
@@ -974,10 +974,10 @@
 	}
 	pagep = (PAGE16 *)mpool_get(hashp->mp, paddr, 0);
 
-#if DEBUG_DB_SLOW
+#if DEBUG_SLOW
 	account_page(hashp, paddr, 1);
 #endif
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	assert(ADDR(pagep) == paddr || ADDR(pagep) == 0 ||
 	    addr_type == A_BITMAP || addr_type == A_HEADER);
 #endif
@@ -1079,7 +1079,7 @@
 	int32_t bit, first_page, free_bit, free_page, i, in_use_bits, j;
 	int32_t max_free, offset, splitnum;
 	u_int16_t addr;
-#ifdef DEBUG_DB2
+#ifdef DEBUG2
 	int32_t tmp1, tmp2;
 #endif
 
@@ -1158,7 +1158,7 @@
 		    (int32_t)OADDR_OF(splitnum, offset), 1, free_page))
 			return (0);
 		hashp->hdr.spares[splitnum]++;
-#ifdef DEBUG_DB2
+#ifdef DEBUG2
 		free_bit = 2;
 #endif
 		offset++;
@@ -1185,7 +1185,7 @@
 
 	/* Calculate address of the new overflow page */
 	addr = OADDR_OF(splitnum, offset);
-#ifdef DEBUG_DB2
+#ifdef DEBUG2
 	(void)fprintf(stderr, dgettext(TEXT_DOMAIN,
 			"OVERFLOW_PAGE: ADDR: %d BIT: %d PAGE %d\n"),
 	    addr, free_bit, free_page);
@@ -1200,7 +1200,7 @@
 found:
 	bit = bit + first_free(freep[j]);
 	SETBIT(freep, bit);
-#ifdef DEBUG_DB2
+#ifdef DEBUG2
 	tmp1 = bit;
 	tmp2 = i;
 #endif
@@ -1219,7 +1219,7 @@
 	if (offset >= SPLITMASK)
 		return (0);	/* Out of overflow pages */
 	addr = OADDR_OF(i, offset);
-#ifdef DEBUG_DB2
+#ifdef DEBUG2
 	(void)fprintf(stderr, dgettext(TEXT_DOMAIN,
 			"OVERFLOW_PAGE: ADDR: %d BIT: %d PAGE %d\n"),
 	    addr, tmp1, tmp2);
@@ -1233,7 +1233,7 @@
 	return (addr);
 }
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 int
 bucket_to_page(hashp, n)
 	HTAB *hashp;
@@ -1260,7 +1260,7 @@
 
 	return (ret_val);
 }
-#endif /* DEBUG_DB */
+#endif /* DEBUG */
 
 static indx_t
 page_to_oaddr(hashp, pgno)
@@ -1287,7 +1287,7 @@
 
 	ret_val = OADDR_OF(sp + 1,
 	    pgno - ((POW2(sp + 1) - 1) + hashp->hdr.spares[sp]));
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	assert(OADDR_TO_PAGE(ret_val) == (pgno + hashp->hdr.hdrpages));
 #endif
 	return (ret_val);
@@ -1307,7 +1307,7 @@
 
 	addr = page_to_oaddr(hashp, ADDR(pagep));
 
-#ifdef DEBUG_DB2
+#ifdef DEBUG2
 	(void)fprintf(stderr, dgettext(TEXT_DOMAIN,
 			"Freeing %d\n"), addr);
 #endif
@@ -1320,7 +1320,7 @@
 	free_bit = bit_address & ((hashp->hdr.bsize << BYTE_SHIFT) - 1);
 
 	freep = fetch_bitmap(hashp, free_page);
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	/*
 	 * This had better never happen.  It means we tried to read a bitmap
 	 * that has already had overflow pages allocated off it, and we
@@ -1330,7 +1330,7 @@
 		assert(0);
 #endif
 	CLRBIT(freep, free_bit);
-#ifdef DEBUG_DB2
+#ifdef DEBUG2
 	(void)fprintf(stderr, dgettext(TEXT_DOMAIN,
 			"FREE_OVFLPAGE: ADDR: %d BIT: %d PAGE %d\n"),
 	    obufp->addr, free_bit, free_page);
@@ -1351,7 +1351,7 @@
 	return (hashp->mapp[ndx]);
 }
 
-#ifdef DEBUG_DB_SLOW
+#ifdef DEBUG_SLOW
 static void
 account_page(hashp, pgno, inout)
 	HTAB *hashp;
@@ -1391,4 +1391,4 @@
 			"Warning: pg %d has been out for %d times\n"),
 			    list[i].pgno, list[i].times);
 }
-#endif /* DEBUG_DB_SLOW */
+#endif /* DEBUG_SLOW */
--- a/usr/src/lib/krb5/db2/hash/hsearch.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/hsearch.c	Sat Oct 07 13:37:05 2006 -0700
@@ -70,7 +70,7 @@
 extern ENTRY *
 hsearch(item, action)
 	ENTRY item;
-	SEARCH_ACTION action;
+	ACTION action;
 {
 	DBT key, val;
 	int status;
--- a/usr/src/lib/krb5/db2/hash/search.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/hash/search.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -58,7 +58,7 @@
 
 typedef enum {
 	FIND, ENTER
-} SEARCH_ACTION;
+} ACTION;
 
 #define hcreate		kdb2_hcreate
 #define hdestroy	kdb2_hdestroy
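Review bot: Renaming the typedef to `ACTION` gives the library two different types with that name: hash.c in this changeset declares `hash_access __P((HTAB *, ACTION, const DBT *, DBT *))` and passes `HASH_GET`, `HASH_PUT` and `HASH_DELETE`, none of which are members of this `FIND, ENTER` enum. A translation unit that sees both definitions will not compile, and a reader cannot tell from a prototype alone which type is meant. If matching the upstream name is required, a comment at the typedef noting the clash would help, e.g. `/* NB: unrelated to the ACTION type used by hash_access() */`; the header that defines the hash-side type is not shown here.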
@@ -66,7 +66,7 @@
 
 int	 hcreate __P((unsigned int));
 void	 hdestroy __P((void));
-ENTRY	*hsearch __P((ENTRY, SEARCH_ACTION));
+ENTRY	*hsearch __P((ENTRY, ACTION));
 
 #ifdef	__cplusplus
 }
--- a/usr/src/lib/krb5/db2/include/db-int.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/include/db-int.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -52,23 +52,92 @@
 
 #include <db.h>
 
-/* deal with autoconf-based stuff (db.h includes db-config.h) */
-
-#ifndef HAVE_MEMMOVE
-#define memmove my_memmove
-#endif
-
-#ifndef HAVE_MKSTEMP
-#define mkstemp my_mkstemp
-#endif
-
-#ifndef HAVE_STRERROR
-#define strerror my_strerror
-#endif
+/* deal with autoconf-based stuff */
 
 #define DB_LITTLE_ENDIAN 1234
 #define DB_BIG_ENDIAN 4321
 
+#include <stdlib.h>
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+#ifdef HAVE_MACHINE_ENDIAN_H
+# include <machine/endian.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>
+#endif
+
+/* SUNW14resync:
+   The following code is disabled as it correctly determines the
+   endianness of the system. This would break backward compatability
+   for x86 as prior to this resync all architectures are treated
+   similarily - as big endian. See definition of "WORDS_BIGENDIAN" in
+   db-config.h.
+*/
+#if 0 
+/* Handle both BIG and LITTLE defined and BYTE_ORDER matches one, or
+   just one defined; both with and without leading underscores.
+
+   Ignore "PDP endian" machines, this code doesn't support them
+   anyways.  */
+#if !defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) && !defined(BYTE_ORDER)
+# ifdef __LITTLE_ENDIAN__
+#  define LITTLE_ENDIAN __LITTLE_ENDIAN__
+# endif
+# ifdef __BIG_ENDIAN__
+#  define BIG_ENDIAN __BIG_ENDIAN__
+# endif
+#endif
+#if !defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) && !defined(BYTE_ORDER)
+# ifdef _LITTLE_ENDIAN
+#  define LITTLE_ENDIAN _LITTLE_ENDIAN
+# endif
+# ifdef _BIG_ENDIAN
+#  define BIG_ENDIAN _BIG_ENDIAN
+# endif
+# ifdef _BYTE_ORDER
+#  define BYTE_ORDER _BYTE_ORDER
+# endif
+#endif
+#if !defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) && !defined(BYTE_ORDER)
+# ifdef __LITTLE_ENDIAN
+#  define LITTLE_ENDIAN __LITTLE_ENDIAN
+# endif
+# ifdef __BIG_ENDIAN
+#  define BIG_ENDIAN __BIG_ENDIAN
+# endif
+# ifdef __BYTE_ORDER
+#  define BYTE_ORDER __BYTE_ORDER
+# endif
+#endif
+
+#if defined(_MIPSEL) && !defined(LITTLE_ENDIAN)
+# define LITTLE_ENDIAN
+#endif
+#if defined(_MIPSEB) && !defined(BIG_ENDIAN)
+# define BIG_ENDIAN
+#endif
+
+#if defined(LITTLE_ENDIAN) && defined(BIG_ENDIAN) && defined(BYTE_ORDER)
+# if LITTLE_ENDIAN == BYTE_ORDER
+#  define DB_BYTE_ORDER DB_LITTLE_ENDIAN
+# elif BIG_ENDIAN == BYTE_ORDER
+#  define DB_BYTE_ORDER DB_BIG_ENDIAN
+# else
+#  error "LITTLE_ENDIAN and BIG_ENDIAN defined, but can't determine byte order"
+# endif
+#elif defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN)
+# define DB_BYTE_ORDER DB_LITTLE_ENDIAN
+#elif defined(BIG_ENDIAN) && !defined(LITTLE_ENDIAN)
+# define DB_BYTE_ORDER DB_BIG_ENDIAN
+#else
+# error "can't determine byte order from included system headers"
+#endif
+
+#endif
+
+
 #ifdef WORDS_BIGENDIAN
 #define DB_BYTE_ORDER DB_BIG_ENDIAN
 #else
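Review bot: Roughly sixty lines of byte-order detection are added under a bare `#if 0`, so nothing in the build records that this is a deliberate compatibility decision rather than leftover code, and the `#error` branches inside it can never fire. A named guard would make the intent searchable, for example `#ifdef KDB2_DETECT_BYTE_ORDER /* off: DB_BYTE_ORDER stays as selected by WORDS_BIGENDIAN */` (the macro name is a placeholder). The explanatory comment should also say what has to happen to existing database files before the block may be enabled, since it states that enabling it changes how x86 is treated.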
@@ -86,6 +155,13 @@
 #include <fcntl.h>
 #include <stdio.h>
 #include <errno.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+/* Tru64 5.1: int8_t is defined here, and stdint.h doesn't exist.  */
+#include <inttypes.h>
+#endif
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/param.h>
@@ -227,7 +303,6 @@
 #ifndef O_BINARY
 #define O_BINARY	0		/* Needed for Win32 compiles */
 #endif
-
 #endif /* _DB_INT_H_ */
 
 #ifdef	__cplusplus
--- a/usr/src/lib/krb5/db2/include/db-queue.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/include/db-queue.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #ifndef _KRB5_DB2_DBQUEUE_H
@@ -47,6 +47,9 @@
  *	@(#)queue.h	8.3 (Berkeley) 12/13/93
  */
 
+#ifndef	_QUEUE_H_
+#define	_QUEUE_H_
+
 /*
  * This file defines three types of data structures: lists, tail queues,
  * and circular queues.
@@ -253,6 +256,7 @@
 		(elm)->field.cqe_prev->field.cqe_next =			\
 		    (elm)->field.cqe_next;				\
 }
+#endif	/* !_QUEUE_H_ */
 
 #ifdef	__cplusplus
 }
--- a/usr/src/lib/krb5/db2/mapfile-vers	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/mapfile-vers	Sat Oct 07 13:37:05 2006 -0700
@@ -36,7 +36,7 @@
 
 SUNWprivate_1.1 {
     global:
-	debugDisplayDB;
+	kdb2_bt_rseq;
 	kdb2_dbm_clearerr;
 	kdb2_dbm_close;
 	kdb2_dbm_delete;
@@ -44,10 +44,10 @@
 	kdb2_dbm_error;
 	kdb2_dbm_fetch;
 	kdb2_dbm_firstkey;
-	kdb2_dbminit;
 	kdb2_dbm_nextkey;
 	kdb2_dbm_open;
 	kdb2_dbm_store;
+	kdb2_dbminit;
 	kdb2_dbopen;
 	kdb2_delete;
 	kdb2_fetch;
@@ -55,16 +55,16 @@
 	kdb2_hcreate;
 	kdb2_hdestroy;
 	kdb2_hsearch;
+	kdb2_mpool_close;
+	kdb2_mpool_delete;
+	kdb2_mpool_filter;
+	kdb2_mpool_get;
+	kdb2_mpool_new;
+	kdb2_mpool_open;
+	kdb2_mpool_put;
+	kdb2_mpool_sync;
 	kdb2_nextkey;
 	kdb2_store;
-	mpool_close;
-	mpool_delete;
-	mpool_filter;
-	mpool_get;
-	mpool_new;
-	mpool_open;
-	mpool_put;
-	mpool_sync;
     local:
 	*;
 };
--- a/usr/src/lib/krb5/db2/mpool/mpool.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/mpool/mpool.c	Sat Oct 07 13:37:05 2006 -0700
@@ -53,11 +53,6 @@
 static BKT *mpool_look __P((MPOOL *, db_pgno_t));
 static int  mpool_write __P((MPOOL *, BKT *));
 
-#if DEBUG_DB
-
-extern int g_displayDebugDB;
-#endif
-
 /*
  * mpool_open --
  *	Initialize a memory pool.
@@ -165,13 +160,10 @@
 
 	bp = (BKT *)((char *)page - sizeof(BKT));
 
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	if (!(bp->flags & MPOOL_PINNED)) {
-		if (g_displayDebugDB) {
-			fprintf(stderr,
-				"mpool_delete: page %d not pinned\n",
-				bp->pgno);
-		}
+		(void)fprintf(stderr,
+		    "mpool_delete: page %d not pinned\n", bp->pgno);
 		abort();
 	}
 #endif
@@ -206,13 +198,10 @@
 
 	/* Check for a page that is cached. */
 	if ((bp = mpool_look(mp, pgno)) != NULL) {
-#ifdef DEBUG_DB
+#ifdef DEBUG
 		if (!(flags & MPOOL_IGNOREPIN) && bp->flags & MPOOL_PINNED) {
-			if (g_displayDebugDB) {
-				fprintf(stderr,
-					"mpool_get: page %d already pinned\n",
-					bp->pgno);
-			}
+			(void)fprintf(stderr,
+			    "mpool_get: page %d already pinned\n", bp->pgno);
 			abort();
 		}
 #endif
@@ -240,6 +229,12 @@
 	++mp->pageread;
 #endif
 	off = mp->pagesize * pgno;
+	if (off / mp->pagesize != pgno) {
+	    /* Run past the end of the file, or at least the part we
+	       can address without large-file support?  */
+	    errno = E2BIG;
+	    return NULL;
+	}
 	if (lseek(mp->fd, off, SEEK_SET) != off)
 		return (NULL);
 
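Review bot: The wrap test divides after the multiplication has already happened, so it is only sound if `mp->pagesize * pgno` is computed in an unsigned type; the declarations of `off`, `pagesize` and `pgno` are outside the hunk, and if the product is computed in a signed type the overflow is undefined before the test ever runs. A short comment stating that assumption, or a bound check made before multiplying, would make the guard robust, and a zero `mp->pagesize` would divide by zero on this line. `E2BIG` conventionally reports an over-long argument list, so `EFBIG` or `EOVERFLOW` would describe an unaddressable file offset better. The same block is repeated in the `mpool_write` hunk further down.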
@@ -294,13 +289,10 @@
 	++mp->pageput;
 #endif
 	bp = (BKT *)((char *)page - sizeof(BKT));
-#ifdef DEBUG_DB
+#ifdef DEBUG
 	if (!(bp->flags & MPOOL_PINNED)) {
-		if (g_displayDebugDB) {
-			fprintf(stderr,
-				"mpool_put: page %d not pinned\n",
-				bp->pgno);
-		}
+		(void)fprintf(stderr,
+		    "mpool_put: page %d not pinned\n", bp->pgno);
 		abort();
 	}
 #endif
@@ -387,7 +379,7 @@
 			head = &mp->hqh[HASHKEY(bp->pgno)];
 			CIRCLEQ_REMOVE(head, bp, hq);
 			CIRCLEQ_REMOVE(&mp->lqh, bp, q);
-#ifdef DEBUG_DB
+#ifdef DEBUG
 			{ void *spage;
 				spage = bp->page;
 				memset(bp, 0xff, sizeof(BKT) + mp->pagesize);
@@ -403,7 +395,7 @@
 #ifdef STATISTICS
 	++mp->pagealloc;
 #endif
-#if defined(DEBUG_DB) || defined(PURIFY)
+#if defined(DEBUG) || defined(PURIFY)
 	memset(bp, 0xff, sizeof(BKT) + mp->pagesize);
 #endif
 	bp->page = (char *)bp + sizeof(BKT);
@@ -432,6 +424,12 @@
 		(mp->pgout)(mp->pgcookie, bp->pgno, bp->page);
 
 	off = mp->pagesize * bp->pgno;
+	if (off / mp->pagesize != bp->pgno) {
+	    /* Run past the end of the file, or at least the part we
+	       can address without large-file support?  */
+	    errno = E2BIG;
+	    return RET_ERROR;
+	}
 	if (lseek(mp->fd, off, SEEK_SET) != off)
 		return (RET_ERROR);
 	if (write(mp->fd, bp->page, mp->pagesize) != mp->pagesize)
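Review bot: The new early return sits after the `(mp->pgout)(mp->pgcookie, bp->pgno, bp->page)` call, so when the offset test fails the cached page has already been passed through the output filter and is left in that state. Computing and validating `off` before invoking `pgout` avoids leaving a buffer in the pool that may no longer be in its in-memory form. The `lseek` and `write` failure returns just below have the same ordering, so the reordering is worth applying to all three. What `pgout` does to the page is defined by whoever registered it and is not visible here, so the impact is an assumption.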
--- a/usr/src/lib/krb5/db2/mpool/mpool.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/mpool/mpool.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #ifndef _KRB5_DB2_MPOOL_MPOOL_H
@@ -105,6 +105,16 @@
 #define	MPOOL_PAGE_NEXT		0x02	/* Allocate a new page with the next
 					  page number. */
 
+#define mpool_open	kdb2_mpool_open
+#define mpool_filter	kdb2_mpool_filter
+#define mpool_new	kdb2_mpool_new
+#define mpool_get	kdb2_mpool_get
+#define mpool_delete	kdb2_mpool_delete
+#define mpool_put	kdb2_mpool_put
+#define mpool_sync	kdb2_mpool_sync
+#define mpool_close	kdb2_mpool_close
+#define mpool_stat	kdb2_mpool_stat
+
 __BEGIN_DECLS
 MPOOL	*mpool_open __P((void *, int, db_pgno_t, db_pgno_t));
 void	 mpool_filter __P((MPOOL *, void (*)(void *, db_pgno_t, void *),
--- a/usr/src/lib/krb5/db2/recno/extern.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/recno/extern.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 1997-2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #ifndef _KRB5_DB2_RECNO_EXTERN_H
@@ -50,6 +50,24 @@
 
 #include "../btree/extern.h"
 
+#define __rec_close	__kdb2_rec_close
+#define __rec_delete	__kdb2_rec_delete
+#define __rec_dleaf	__kdb2_rec_dleaf
+#define __rec_fd	__kdb2_rec_fd
+#define __rec_fmap	__kdb2_rec_fmap
+#define __rec_fout	__kdb2_rec_fout
+#define __rec_fpipe	__kdb2_rec_fpipe
+#define __rec_get	__kdb2_rec_get
+#define __rec_iput	__kdb2_rec_iput
+#define __rec_put	__kdb2_rec_put
+#define __rec_ret	__kdb2_rec_ret
+#define __rec_search	__kdb2_rec_search
+#define __rec_seq	__kdb2_rec_seq
+#define __rec_sync	__kdb2_rec_sync
+#define __rec_vmap	__kdb2_rec_vmap
+#define __rec_vout	__kdb2_rec_vout
+#define __rec_vpipe	__kdb2_rec_vpipe
+
 int	 __rec_close __P((DB *));
 int	 __rec_delete __P((const DB *, const DBT *, u_int));
 int	 __rec_dleaf __P((BTREE *, PAGE *, u_int32_t));
--- a/usr/src/lib/krb5/db2/recno/rec_close.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/recno/rec_close.c	Sat Oct 07 13:37:05 2006 -0700
@@ -85,13 +85,14 @@
 		status = RET_ERROR;
 #endif
 
-	if (!F_ISSET(t, R_INMEM))
+	if (!F_ISSET(t, R_INMEM)) {
 		if (F_ISSET(t, R_CLOSEFP)) {
 			if (fclose(t->bt_rfp))
 				status = RET_ERROR;
 		} else
 			if (close(t->bt_rfd))
 				status = RET_ERROR;
+	}
 
 	if (__bt_close(dbp) == RET_ERROR)
 		status = RET_ERROR;
--- a/usr/src/lib/krb5/db2/recno/rec_delete.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/recno/rec_delete.c	Sat Oct 07 13:37:05 2006 -0700
@@ -147,16 +147,16 @@
  *
  * Parameters:
  *	t:	tree
- *	index:	index on current page to delete
+ *	idx:	index on current page to delete
  *
  * Returns:
  *	RET_SUCCESS, RET_ERROR.
  */
 int
-__rec_dleaf(t, h, index)
+__rec_dleaf(t, h, idx)
 	BTREE *t;
 	PAGE *h;
-	u_int32_t index;
+	u_int32_t idx;
 {
 	RLEAF *rl;
 	indx_t *ip, cnt, offset;
@@ -174,7 +174,7 @@
 	 * down, overwriting the deleted record and its index.  If the record
 	 * uses overflow pages, make them available for reuse.
 	 */
-	to = rl = GETRLEAF(h, index);
+	to = rl = GETRLEAF(h, idx);
 	if (rl->flags & P_BIGDATA && __ovfl_delete(t, rl->bytes) == RET_ERROR)
 		return (RET_ERROR);
 	nbytes = NRLEAF(rl);
@@ -187,8 +187,8 @@
 	memmove(from + nbytes, from, (char *)to - from);
 	h->upper += nbytes;
 
-	offset = h->linp[index];
-	for (cnt = &h->linp[index] - (ip = &h->linp[0]); cnt--; ++ip)
+	offset = h->linp[idx];
+	for (cnt = &h->linp[idx] - (ip = &h->linp[0]); cnt--; ++ip)
 		if (ip[0] < offset)
 			ip[0] += nbytes;
 	for (cnt = &h->linp[NEXTINDEX(h)] - ip; --cnt; ++ip)
--- a/usr/src/lib/krb5/db2/recno/rec_open.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/recno/rec_open.c	Sat Oct 07 13:37:05 2006 -0700
@@ -70,7 +70,7 @@
 	int rfd, sverrno;
 
 	/* Open the user's file -- if this fails, we're done. */
-	if (fname != NULL && (rfd = open(fname, flags, mode)) < 0)
+	if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
 		return (NULL);
 
 	/* Create a btree in memory (backed by disk). */
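Review bot: `O_BINARY` is not a POSIX open flag, so the new `flags | O_BINARY` here and the two `O_RDWR | O_BINARY` arguments in the `@@ -87,9 +87,9 @@` hunk compile only if some header supplies a fallback definition, and none is visible in these hunks. If an included header does not already provide one, add `#ifndef O_BINARY` / `#define O_BINARY 0` / `#endif` near the top of the file. The rewritten `__bt_open(NULL, ...)` line in that second hunk also runs past 80 columns and should be wrapped like the call above it. The function body starts and ends outside the hunk.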
@@ -87,9 +87,9 @@
 		btopeninfo.prefix = NULL;
 		btopeninfo.lorder = openinfo->lorder;
 		dbp = __bt_open(openinfo->bfname,
-		    O_RDWR, S_IRUSR | S_IWUSR, &btopeninfo, dflags);
+		    O_RDWR | O_BINARY, S_IRUSR | S_IWUSR, &btopeninfo, dflags);
 	} else
-		dbp = __bt_open(NULL, O_RDWR, S_IRUSR | S_IWUSR, NULL, dflags);
+		dbp = __bt_open(NULL, O_RDWR | O_BINARY, S_IRUSR | S_IWUSR, NULL, dflags);
 	if (dbp == NULL)
 		goto err;
 
@@ -132,7 +132,7 @@
 			default:
 				goto einval;
 			}
-slow:			if ((t->bt_rfp = fdopen(rfd, "r")) == NULL)
+slow:			if ((t->bt_rfp = fdopen(rfd, "rb")) == NULL)
 				goto err;
 			F_SET(t, R_CLOSEFP);
 			t->bt_irec =
--- a/usr/src/lib/krb5/db2/recno/rec_put.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/recno/rec_put.c	Sat Oct 07 13:37:05 2006 -0700
@@ -198,7 +198,7 @@
 	DBT tdata;
 	EPG *e;
 	PAGE *h;
-	indx_t index, nxtindex;
+	indx_t idx, nxtindex;
 	db_pgno_t pg;
 	u_int32_t nbytes;
 	int dflags, status;
@@ -229,7 +229,7 @@
 		return (RET_ERROR);
 
 	h = e->page;
-	index = e->index;
+	idx = e->index;
 
 	/*
 	 * Add the specified key/data pair to the tree.  The R_IAFTER and
@@ -239,13 +239,13 @@
 	 */
 	switch (flags) {
 	case R_IAFTER:
-		++index;
+		++idx;
 		break;
 	case R_IBEFORE:
 		break;
 	default:
 		if (nrec < t->bt_nrecs &&
-		    __rec_dleaf(t, h, index) == RET_ERROR) {
+		    __rec_dleaf(t, h, idx) == RET_ERROR) {
 			mpool_put(t->bt_mp, h, 0);
 			return (RET_ERROR);
 		}
@@ -259,18 +259,18 @@
 	 */
 	nbytes = NRLEAFDBT(data->size);
 	if (h->upper - h->lower < nbytes + sizeof(indx_t)) {
-		status = __bt_split(t, h, NULL, data, dflags, nbytes, index);
+		status = __bt_split(t, h, NULL, data, dflags, nbytes, idx);
 		if (status == RET_SUCCESS)
 			++t->bt_nrecs;
 		return (status);
 	}
 
-	if (index < (nxtindex = NEXTINDEX(h)))
-		memmove(h->linp + index + 1, h->linp + index,
-		    (nxtindex - index) * sizeof(indx_t));
+	if (idx < (nxtindex = NEXTINDEX(h)))
+		memmove(h->linp + idx + 1, h->linp + idx,
+		    (nxtindex - idx) * sizeof(indx_t));
 	h->lower += sizeof(indx_t);
 
-	h->linp[index] = h->upper -= nbytes;
+	h->linp[idx] = h->upper -= nbytes;
 	dest = (char *)h + h->upper;
 	WR_RLEAF(dest, data, dflags);
 
--- a/usr/src/lib/krb5/db2/recno/rec_search.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/recno/rec_search.c	Sat Oct 07 13:37:05 2006 -0700
@@ -68,7 +68,7 @@
 	recno_t recno;
 	enum SRCHOP op;
 {
-	register indx_t index;
+	register indx_t idx;
 	register PAGE *h;
 	EPGNO *parent;
 	RINTERNAL *r;
@@ -86,23 +86,23 @@
 			t->bt_cur.index = recno - total;
 			return (&t->bt_cur);
 		}
-		for (index = 0, top = NEXTINDEX(h);;) {
-			r = GETRINTERNAL(h, index);
-			if (++index == top || total + r->nrecs > recno)
+		for (idx = 0, top = NEXTINDEX(h);;) {
+			r = GETRINTERNAL(h, idx);
+			if (++idx == top || total + r->nrecs > recno)
 				break;
 			total += r->nrecs;
 		}
 
-		BT_PUSH(t, pg, index - 1);
+		BT_PUSH(t, pg, idx - 1);
 		
 		pg = r->pgno;
 		switch (op) {
 		case SDELETE:
-			--GETRINTERNAL(h, (index - 1))->nrecs;
+			--GETRINTERNAL(h, (idx - 1))->nrecs;
 			mpool_put(t->bt_mp, h, MPOOL_DIRTY);
 			break;
 		case SINSERT:
-			++GETRINTERNAL(h, (index - 1))->nrecs;
+			++GETRINTERNAL(h, (idx - 1))->nrecs;
 			mpool_put(t->bt_mp, h, MPOOL_DIRTY);
 			break;
 		case SEARCH:
--- a/usr/src/lib/krb5/db2/recno/rec_seq.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/db2/recno/rec_seq.c	Sat Oct 07 13:37:05 2006 -0700
@@ -33,7 +33,7 @@
  * SUCH DAMAGE.
  */
 
-#ifndef lint
+#if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)rec_seq.c	8.3 (Berkeley) 7/14/94";
 #endif /* not lint */
 
--- a/usr/src/lib/krb5/kadm5/adb.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/adb.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -69,8 +69,10 @@
      int	magic;
      DB		*db;
      HASHINFO	info;
+     BTREEINFO	btinfo;
      char	*filename;
      osa_adb_lock_t lock;
+     int	opencnt;
 } osa_adb_db_ent, *osa_adb_db_t, *osa_adb_princ_t, *osa_adb_policy_t;
 
 /* an osa_pw_hist_ent stores all the key_datas for a single password */
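Review bot: The new members `btinfo` and `opencnt` are added without comments, and `opencnt` carries an invariant that cannot be read from the declaration alone. A line such as `int opencnt; /* presumably the number of outstanding opens of db -- confirm, and say who increments and decrements it */` would help, since a miscounted open count leads to a database closed too early or never closed. Inserting members in the middle of `osa_adb_db_ent` also changes its layout, so every object that allocates or embeds the struct must be rebuilt with this header. The opening of the struct is outside the hunk.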
@@ -92,12 +94,12 @@
 typedef struct _osa_policy_ent_t {
     int		version;
     char	*name;
-    rpc_u_int32	pw_min_life;
-    rpc_u_int32	pw_max_life;
-    rpc_u_int32	pw_min_length;
-    rpc_u_int32	pw_min_classes;
-    rpc_u_int32	pw_history_num;
-    rpc_u_int32	policy_refcnt;
+    uint32_t	pw_min_life;
+    uint32_t	pw_max_life;
+    uint32_t	pw_min_length;
+    uint32_t	pw_min_classes;
+    uint32_t	pw_history_num;
+    uint32_t	policy_refcnt;
 } osa_policy_ent_rec, *osa_policy_ent_t;
 
 typedef	void	(*osa_adb_iter_princ_func) (void *, osa_princ_ent_t);
@@ -115,6 +117,8 @@
  */
 bool_t		xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp);
 bool_t		xdr_osa_policy_ent_rec(XDR *xdrs, osa_policy_ent_t objp);
+bool_t		xdr_osa_pw_hist_ent(XDR *xdrs, osa_pw_hist_ent *objp);
+bool_t          xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp);
 
 /*
  * Functions
@@ -122,6 +126,10 @@
 
 osa_adb_ret_t	osa_adb_create_db(char *filename, char *lockfile, int magic);
 osa_adb_ret_t	osa_adb_destroy_db(char *filename, char *lockfile, int magic);
+osa_adb_ret_t   osa_adb_rename_db(char *filefrom, char *lockfrom,
+				  char *fileto, char *lockto, int magic);
+osa_adb_ret_t   osa_adb_rename_policy_db(kadm5_config_params *fromparams,
+					 kadm5_config_params *toparams);
 osa_adb_ret_t	osa_adb_init_db(osa_adb_db_t *dbp, char *filename,
 				char *lockfile, int magic);
 osa_adb_ret_t	osa_adb_fini_db(osa_adb_db_t db, int magic);
--- a/usr/src/lib/krb5/kadm5/adb_err.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/adb_err.h	Sat Oct 07 13:37:05 2006 -0700
@@ -17,11 +17,8 @@
  *
  */
 
+#include <com_err.h>
 
-/*
- * adb_err.h:
- * This file is automatically generated; please do not edit it.
- */
 #define OSA_ADB_NOERR                            (28810240L)
 #define OSA_ADB_DUP                              (28810241L)
 #define OSA_ADB_NOENT                            (28810242L)
@@ -38,5 +35,16 @@
 #define OSA_ADB_NOEXCL_PERM                      (28810253L)
 #define ERROR_TABLE_BASE_adb (28810240L)
 
+extern const struct error_table et_adb_error_table;
+
+#if !defined(_WIN32)
 /* for compatibility with older versions... */
+extern void initialize_adb_error_table (void) /*@modifies internalState@*/;
+#else
+#define initialize_adb_error_table()
+#endif
+
+#if !defined(_WIN32)
+#define init_adb_err_tbl initialize_adb_error_table
 #define adb_err_base ERROR_TABLE_BASE_adb
+#endif
--- a/usr/src/lib/krb5/kadm5/admin.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/admin.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -28,12 +28,36 @@
  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
  *
  */
-
-
+/*
+ * lib/kadm5/admin.h
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ */
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.43.2.1 2000/05/19 22:24:14 raeburn Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.54 2004/08/21 02:31:09 tlyu Exp $
  */
 
 #include	<sys/types.h>
@@ -46,14 +70,14 @@
 #include	<kadm5/adb_err.h>
 #include	<kadm5/chpass_util_strings.h>
 
-#define	KADM5_ADMIN_SERVICE_P	"kadmin@admin"
-#define	KADM5_ADMIN_SERVICE	"kadmin/admin"
-#define	KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
-#define	KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
-#define	KADM5_HIST_PRINCIPAL	"kadmin/history"
-#define	KADM5_ADMIN_HOST_SERVICE "kadmin"
-#define	KADM5_CHANGEPW_HOST_SERVICE "changepw"
-#define	KADM5_KIPROP_HOST_SERVICE "kiprop"
+#define KADM5_ADMIN_SERVICE_P	"kadmin@admin"
+#define KADM5_ADMIN_SERVICE	"kadmin/admin"
+#define KADM5_CHANGEPW_SERVICE_P	"kadmin@changepw"
+#define KADM5_CHANGEPW_SERVICE	"kadmin/changepw"
+#define KADM5_HIST_PRINCIPAL	"kadmin/history"
+#define KADM5_ADMIN_HOST_SERVICE "kadmin"
+#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
+#define KADM5_KIPROP_HOST_SERVICE "kiprop"
 
 typedef krb5_principal	kadm5_princ_t;
 typedef	char		*kadm5_policy_t;
@@ -61,51 +85,51 @@
 typedef int rpc_int32;
 typedef unsigned int rpc_u_int32;
 
-#define	KADM5_PW_FIRST_PROMPT \
-	((char *)error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
-#define	KADM5_PW_SECOND_PROMPT \
-	((char *)error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
+#define KADM5_PW_FIRST_PROMPT \
+	(error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
+#define KADM5_PW_SECOND_PROMPT \
+	(error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
 
 /*
- * Succsessfull return code
+ * Successful return code
  */
-#define	KADM5_OK	0
+#define KADM5_OK	0
 
 /*
  * Field masks
  */
 
 /* kadm5_principal_ent_t */
-#define	KADM5_PRINCIPAL		0x000001
-#define	KADM5_PRINC_EXPIRE_TIME	0x000002
-#define	KADM5_PW_EXPIRATION	0x000004
-#define	KADM5_LAST_PWD_CHANGE	0x000008
-#define	KADM5_ATTRIBUTES	0x000010
-#define	KADM5_MAX_LIFE		0x000020
-#define	KADM5_MOD_TIME		0x000040
-#define	KADM5_MOD_NAME		0x000080
-#define	KADM5_KVNO		0x000100
-#define	KADM5_MKVNO		0x000200
-#define	KADM5_AUX_ATTRIBUTES	0x000400
-#define	KADM5_POLICY		0x000800
-#define	KADM5_POLICY_CLR	0x001000
+#define KADM5_PRINCIPAL		0x000001
+#define KADM5_PRINC_EXPIRE_TIME	0x000002
+#define KADM5_PW_EXPIRATION	0x000004
+#define KADM5_LAST_PWD_CHANGE	0x000008
+#define KADM5_ATTRIBUTES	0x000010
+#define KADM5_MAX_LIFE		0x000020
+#define KADM5_MOD_TIME		0x000040
+#define KADM5_MOD_NAME		0x000080
+#define KADM5_KVNO		0x000100
+#define KADM5_MKVNO		0x000200
+#define KADM5_AUX_ATTRIBUTES	0x000400
+#define KADM5_POLICY		0x000800
+#define KADM5_POLICY_CLR	0x001000
 /* version 2 masks */
-#define	KADM5_MAX_RLIFE		0x002000
-#define	KADM5_LAST_SUCCESS	0x004000
-#define	KADM5_LAST_FAILED	0x008000
-#define	KADM5_FAIL_AUTH_COUNT	0x010000
-#define	KADM5_KEY_DATA		0x020000
-#define	KADM5_TL_DATA		0x040000
+#define KADM5_MAX_RLIFE		0x002000
+#define KADM5_LAST_SUCCESS	0x004000
+#define KADM5_LAST_FAILED	0x008000
+#define KADM5_FAIL_AUTH_COUNT	0x010000
+#define KADM5_KEY_DATA		0x020000
+#define KADM5_TL_DATA		0x040000
 /* all but KEY_DATA and TL_DATA */
-#define	KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
+#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff
 
 /* kadm5_policy_ent_t */
-#define	KADM5_PW_MAX_LIFE	0x004000
-#define	KADM5_PW_MIN_LIFE	0x008000
-#define	KADM5_PW_MIN_LENGTH	0x010000
-#define	KADM5_PW_MIN_CLASSES	0x020000
-#define	KADM5_PW_HISTORY_NUM	0x040000
-#define	KADM5_REF_COUNT		0x080000
+#define KADM5_PW_MAX_LIFE	0x004000
+#define KADM5_PW_MIN_LIFE	0x008000
+#define KADM5_PW_MIN_LENGTH	0x010000
+#define KADM5_PW_MIN_CLASSES	0x020000
+#define KADM5_PW_HISTORY_NUM	0x040000
+#define KADM5_REF_COUNT		0x080000
 
 /* kadm5_config_params */
 #define KADM5_CONFIG_REALM		0x0000001
@@ -150,23 +174,23 @@
 /*
  * permission bits
  */
-#define	KADM5_PRIV_GET		0x01
-#define	KADM5_PRIV_ADD		0x02
-#define	KADM5_PRIV_MODIFY	0x04
-#define	KADM5_PRIV_DELETE	0x08
+#define KADM5_PRIV_GET		0x01
+#define KADM5_PRIV_ADD		0x02
+#define KADM5_PRIV_MODIFY	0x04
+#define KADM5_PRIV_DELETE	0x08
 
 /*
  * API versioning constants
  */
-#define	KADM5_MASK_BITS		0xffffff00
+#define KADM5_MASK_BITS		0xffffff00
 
-#define	KADM5_STRUCT_VERSION_MASK	0x12345600
-#define	KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
-#define	KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1
+#define KADM5_STRUCT_VERSION_MASK	0x12345600
+#define KADM5_STRUCT_VERSION_1	(KADM5_STRUCT_VERSION_MASK|0x01)
+#define KADM5_STRUCT_VERSION	KADM5_STRUCT_VERSION_1
 
-#define	KADM5_API_VERSION_MASK	0x12345700
-#define	KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
-#define	KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)
+#define KADM5_API_VERSION_MASK	0x12345700
+#define KADM5_API_VERSION_1	(KADM5_API_VERSION_MASK|0x01)
+#define KADM5_API_VERSION_2	(KADM5_API_VERSION_MASK|0x02)
 
 #ifdef KRB5_DNS_LOOKUP
 /*
@@ -192,12 +216,12 @@
 
 	/* version 2 fields */
 	krb5_deltat max_renewable_life;
-	krb5_timestamp last_success;
-	krb5_timestamp last_failed;
-	krb5_kvno fail_auth_count;
+        krb5_timestamp last_success;
+        krb5_timestamp last_failed;
+        krb5_kvno fail_auth_count;
 	krb5_int16 n_key_data;
 	krb5_int16 n_tl_data;
-	krb5_tl_data *tl_data;
+        krb5_tl_data *tl_data;
 	krb5_key_data *key_data;
 } kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;
 
@@ -216,9 +240,13 @@
 	long		aux_attributes;
 } kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;
 
-
+#if USE_KADM5_API_VERSION == 1
+typedef struct _kadm5_principal_ent_t_v1
+     kadm5_principal_ent_rec, *kadm5_principal_ent_t;
+#else
 typedef struct _kadm5_principal_ent_t_v2
-kadm5_principal_ent_rec, *kadm5_principal_ent_t;
+     kadm5_principal_ent_rec, *kadm5_principal_ent_t;
+#endif
 
 typedef struct _kadm5_policy_ent_t {
 	char		*policy;
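Review bot: `USE_KADM5_API_VERSION` is tested here with `== 1` and in later hunks with `> 1`, so a translation unit that never defines it evaluates it as 0 in both tests. Such a unit selects the v2 `kadm5_principal_ent_rec` typedef here but loses the declarations wrapped in `#if USE_KADM5_API_VERSION > 1` (`kadm5_get_config_params`, `kadm5_init_with_creds`, `kadm5_free_key_data`). Unless a default is set in a part of the header these hunks do not show, add `#ifndef USE_KADM5_API_VERSION` / `#define USE_KADM5_API_VERSION 2` / `#endif` before the first use. Without the prototypes, older compilers fall back to implicit declarations and argument mismatches on these calls go undiagnosed.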
@@ -248,33 +276,37 @@
  * Data structure returned by kadm5_get_config_params()
  */
 typedef struct _kadm5_config_params {
-	long		mask;
-	char 		*realm;
-	char 		*profile;
-	int		kadmind_port;
-	char 		*admin_server;
-	char 		*dbname;
-	char 		*admin_dbname;
-	char 		*admin_lockfile;
-	char 		*admin_keytab;
-	char 		*acl_file;
-	char 		*dict_file;
-	int		mkey_from_kbd;
-	char 		*stash_file;
-	char 		*mkey_name;
-	krb5_enctype	enctype;
-	krb5_deltat	max_life;
-	krb5_deltat	max_rlife;
-	krb5_timestamp	expiration;
-	krb5_flags		flags;
-	krb5_key_salt_tuple 	*keysalts;
-	krb5_int32		num_keysalts;
-	char 			*kpasswd_server;
-	int			kpasswd_port;
-	krb5_chgpwd_prot	kpasswd_protocol;
-	bool_t			iprop_enabled;
-	int			iprop_ulogsize;
-	char			*iprop_polltime;
+     long		mask;
+     char *		realm;
+     char *		profile;
+     int		kadmind_port;
+     int		kpasswd_port;
+
+     char *		admin_server;
+
+     char *		dbname;
+     char *		admin_dbname;
+     char *		admin_lockfile;
+     char *		admin_keytab;
+     char *		acl_file;
+     char *		dict_file;
+
+     int		mkey_from_kbd;
+     char *		stash_file;
+     char *		mkey_name;
+     krb5_enctype	enctype;
+     krb5_deltat	max_life;
+     krb5_deltat	max_rlife;
+     krb5_timestamp	expiration;
+     krb5_flags		flags;
+     krb5_key_salt_tuple *keysalts;
+     krb5_int32		num_keysalts;
+     char 			*kpasswd_server;
+
+     krb5_chgpwd_prot	kpasswd_protocol;
+     bool_t			iprop_enabled;
+     int			iprop_ulogsize;
+     char			*iprop_polltime;
 } kadm5_config_params;
 
 /***********************************************************************
@@ -287,13 +319,13 @@
  * Data structure returned by krb5_read_realm_params()
  */
 typedef struct __krb5_realm_params {
-    char *realm_profile;
-    char *realm_dbname;
-    char *realm_mkey_name;
-    char *realm_stash_file;
-    char *realm_kdc_ports;
-    char *realm_kdc_tcp_ports;
-    char *realm_acl_file;
+    char *		realm_profile;
+    char *		realm_dbname;
+    char *		realm_mkey_name;
+    char *		realm_stash_file;
+    char *		realm_kdc_ports;
+    char *		realm_kdc_tcp_ports;
+    char *		realm_acl_file;
     krb5_int32		realm_kadmind_port;
     krb5_enctype	realm_enctype;
     krb5_deltat		realm_max_life;
@@ -301,13 +333,14 @@
     krb5_timestamp	realm_expiration;
     krb5_flags		realm_flags;
     krb5_key_salt_tuple	*realm_keysalts;
+    unsigned int	realm_reject_bad_transit:1;
     unsigned int	realm_kadmind_port_valid:1;
     unsigned int	realm_enctype_valid:1;
     unsigned int	realm_max_life_valid:1;
     unsigned int	realm_max_rlife_valid:1;
     unsigned int	realm_expiration_valid:1;
     unsigned int	realm_flags_valid:1;
-    unsigned int	realm_filler:7;
+    unsigned int	realm_reject_bad_transit_valid:1;
     krb5_int32		realm_num_keysalts;
 } krb5_realm_params;
 
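Review bot: `realm_reject_bad_transit` is a policy value stored among the `_valid` flag bits, and nothing in the declaration says it is meaningful only when `realm_reject_bad_transit_valid` is set. Judging by its name it controls rejection of tickets with a bad transited path, so code that tests the value bit alone would read an unset option as "do not reject". A comment on the pair would make the contract explicit, such as `/* realm_reject_bad_transit is meaningful only if realm_reject_bad_transit_valid is set; otherwise apply the default */`. Placing the new value bit ahead of the existing flags also shifts each of them by one position, so this is a layout change and not only an addition. The struct's opening is outside the hunk.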
@@ -315,52 +348,63 @@
  * functions
  */
 
-
-kadm5_ret_t
-kadm5_get_master(krb5_context context, const char *realm, char **master);
-
 kadm5_ret_t
 kadm5_get_adm_host_srv_name(krb5_context context,
-			    const char *realm, char **host_service_name);
+                           const char *realm, char **host_service_name);
 
 kadm5_ret_t
 kadm5_get_cpw_host_srv_name(krb5_context context,
-			    const char *realm, char **host_service_name);
+                           const char *realm, char **host_service_name);
 
+#if USE_KADM5_API_VERSION > 1
 krb5_error_code kadm5_get_config_params(krb5_context context,
 					char *kdcprofile, char *kdcenv,
 					kadm5_config_params *params_in,
 					kadm5_config_params *params_out);
 
-/* SUNWresync121 XXX */
-krb5_error_code kadm5_free_config_params(krb5_context context,
-					kadm5_config_params *params);
+krb5_error_code kadm5_free_config_params(krb5_context context, 
+					 kadm5_config_params *params);
 
 krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
 					kadm5_config_params *params);
 
+krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
+					     char *, size_t);
+#endif
+
 kadm5_ret_t    kadm5_init(char *client_name, char *pass,
-			char *service_name,
-			kadm5_config_params *params,
-			krb5_ui_4 struct_version,
-			krb5_ui_4 api_version,
-			void **server_handle);
-
+			  char *service_name,
+#if USE_KADM5_API_VERSION == 1
+			  char *realm,
+#else
+			  kadm5_config_params *params,
+#endif
+			  krb5_ui_4 struct_version,
+			  krb5_ui_4 api_version,
+			  void **server_handle);
 kadm5_ret_t    kadm5_init_with_password(char *client_name,
 					char *pass, 
 					char *service_name,
+#if USE_KADM5_API_VERSION == 1
+					char *realm,
+#else
 					kadm5_config_params *params,
+#endif
 					krb5_ui_4 struct_version,
 					krb5_ui_4 api_version,
 					void **server_handle);
 kadm5_ret_t    kadm5_init_with_skey(char *client_name,
 				    char *keytab,
 				    char *service_name,
+#if USE_KADM5_API_VERSION == 1
+				    char *realm,
+#else
 				    kadm5_config_params *params,
+#endif
 				    krb5_ui_4 struct_version,
 				    krb5_ui_4 api_version,
 				    void **server_handle);
-
+#if USE_KADM5_API_VERSION > 1
 kadm5_ret_t    kadm5_init_with_creds(char *client_name,
 				     krb5_ccache cc,
 				     char *service_name,
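Review bot: The new prototype `kadm5_get_admin_service_name(krb5_context, char *, char *, size_t)` gives no parameter names, so the header does not say which `char *` is the output buffer or what the `size_t` bounds. Every other prototype in this hunk names its parameters. Naming these too (for example `krb5_context context, char *realm, char *admin_name, size_t maxlen`, to be checked against the definition) and adding a one-line comment on truncation behaviour would let callers size the buffer correctly. The hunk also removes the declaration of `kadm5_get_master`, so confirm no caller remains that would now compile against an implicit declaration.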
@@ -368,6 +412,9 @@
 				     krb5_ui_4 struct_version,
 				     krb5_ui_4 api_version,
 				     void **server_handle);
+#endif
+kadm5_ret_t    kadm5_lock(void *server_handle);
+kadm5_ret_t    kadm5_unlock(void *server_handle);
 kadm5_ret_t    kadm5_flush(void *server_handle);
 kadm5_ret_t    kadm5_destroy(void *server_handle);
 kadm5_ret_t    kadm5_create_principal(void *server_handle,
@@ -385,13 +432,17 @@
 				      kadm5_principal_ent_t ent,
 				      long mask);
 kadm5_ret_t    kadm5_rename_principal(void *server_handle,
-				    krb5_principal, krb5_principal);
-
+				      krb5_principal,krb5_principal);
+#if USE_KADM5_API_VERSION == 1
 kadm5_ret_t    kadm5_get_principal(void *server_handle,
-				krb5_principal principal,
-				kadm5_principal_ent_t ent,
-				long mask);
-
+				   krb5_principal principal,
+				   kadm5_principal_ent_t *ent);
+#else
+kadm5_ret_t    kadm5_get_principal(void *server_handle,
+				   krb5_principal principal,
+				   kadm5_principal_ent_t ent,
+				   long mask);
+#endif
 kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
 				      krb5_principal principal,
 				      char *pass);
@@ -401,6 +452,11 @@
 					int n_ks_tuple,
 					krb5_key_salt_tuple *ks_tuple,
 					char *pass);
+#if USE_KADM5_API_VERSION == 1
+kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
+				       krb5_principal principal,
+				       krb5_keyblock **keyblock);
+#else
 
 /*
  * Solaris Kerberos:
@@ -415,7 +471,6 @@
 				       krb5_principal principal,
 				       krb5_keyblock **keyblocks,
 				       int *n_keys);
-
 kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
 					 krb5_principal principal,
 					 krb5_boolean keepold,
@@ -423,6 +478,7 @@
 					 krb5_key_salt_tuple *ks_tuple,
 					 krb5_keyblock **keyblocks,
 					 int *n_keys);
+#endif
 kadm5_ret_t    kadm5_setv4key_principal(void *server_handle,
 					krb5_principal principal,
 					krb5_keyblock *keyblock);
@@ -440,6 +496,12 @@
 					krb5_keyblock *keyblocks,
 					int n_keys);
 
+kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
+				 kadm5_principal_ent_t entry, krb5_int32
+				 ktype, krb5_int32 stype, krb5_int32
+				 kvno, krb5_keyblock *keyblock,
+				 krb5_keysalt *keysalt, int *kvnop);
+
 kadm5_ret_t    kadm5_create_policy(void *server_handle,
 				   kadm5_policy_ent_t ent,
 				   long mask);
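Review bot: `kadm5_decrypt_key` is declared without any comment, although its name and signature suggest it returns decrypted principal key material through `keyblock` and `keysalt`. The declaration should state who owns that memory and that the caller is expected to wipe and free it. It should also say which `ktype`, `stype` and `kvno` values, if any, act as wildcards. The line wrapping that separates each `krb5_int32` from its parameter name makes the list easy to misread, and one parameter per line, as in the neighbouring prototypes, would be clearer.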
@@ -466,20 +528,24 @@
 kadm5_ret_t    kadm5_modify_policy_internal(void *server_handle,
 					    kadm5_policy_ent_t
 					    entry, long mask);
-
+#if USE_KADM5_API_VERSION == 1
+kadm5_ret_t    kadm5_get_policy(void *server_handle,
+				kadm5_policy_t policy,
+				kadm5_policy_ent_t *ent);
+#else
 kadm5_ret_t    kadm5_get_policy(void *server_handle,
 				kadm5_policy_t policy,
 				kadm5_policy_ent_t ent);
-
+#endif
 kadm5_ret_t    kadm5_get_privs(void *server_handle,
-			    long *privs);
+			       long *privs);
 
 kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
 					   krb5_principal princ,
 					   char *new_pw, 
 					   char **ret_pw,
 					   char *msg_ret,
-					   int msg_len);
+					   unsigned int msg_len);
 
 kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
 					kadm5_principal_ent_t
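Review bot: Changing `msg_len` in `kadm5_chpass_principal_util` from `int` to `unsigned int` rules out negative lengths in the callee. A caller that still computes the length as a signed value will now have a negative result converted into a very large bound for `msg_ret`. The definition and every caller need the matching change, and the prototype would benefit from a comment such as `/* msg_ret must point to at least msg_len bytes */`. The v1 compatibility prototype `ovsec_kadm_chpass_principal_util` later in the header takes `msg_ret` with no length at all, so its required buffer size should be documented as well.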
@@ -495,14 +561,261 @@
 				  char *exp, char ***pols,
 				  int *count);
 
-
+#if USE_KADM5_API_VERSION > 1
 kadm5_ret_t    kadm5_free_key_data(void *server_handle,
 				   krb5_int16 *n_key_data,
 				   krb5_key_data *key_data);
+#endif
 
-kadm5_ret_t kadm5_free_name_list(void *server_handle,
-				char **names, int count);
+kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names, 
+				    int count);
+
+#if USE_KADM5_API_VERSION == 1
+/*
+ * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time
+ * compatible with KADM5_API_VERSION_2.  Basically, this means we have
+ * to continue to provide all the old ovsec_kadm function and symbol
+ * names.
+ */
+
+#define OVSEC_KADM_ACLFILE		"/krb5/ovsec_adm.acl"
+#define	OVSEC_KADM_WORDFILE		"/krb5/ovsec_adm.dict"
+
+#define OVSEC_KADM_ADMIN_SERVICE	"ovsec_adm/admin"
+#define OVSEC_KADM_CHANGEPW_SERVICE	"ovsec_adm/changepw"
+#define OVSEC_KADM_HIST_PRINCIPAL	"ovsec_adm/history"
+
+typedef krb5_principal	ovsec_kadm_princ_t;
+typedef krb5_keyblock	ovsec_kadm_keyblock;
+typedef	char		*ovsec_kadm_policy_t;
+typedef long		ovsec_kadm_ret_t;
+
+enum	ovsec_kadm_salttype { OVSEC_KADM_SALT_V4, OVSEC_KADM_SALT_NORMAL };
+enum	ovsec_kadm_saltmod  { OVSEC_KADM_MOD_KEEP, OVSEC_KADM_MOD_V4, OVSEC_KADM_MOD_NORMAL };
+
+#define OVSEC_KADM_PW_FIRST_PROMPT \
+	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
+#define OVSEC_KADM_PW_SECOND_PROMPT \
+	((char *) error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))
+
+/*
+ * Successful return code
+ */
+#define OVSEC_KADM_OK	0
+ 
+/*
+ * Create/Modify masks
+ */
+/* principal */
+#define OVSEC_KADM_PRINCIPAL		0x000001
+#define OVSEC_KADM_PRINC_EXPIRE_TIME	0x000002
+#define OVSEC_KADM_PW_EXPIRATION	0x000004
+#define OVSEC_KADM_LAST_PWD_CHANGE	0x000008
+#define OVSEC_KADM_ATTRIBUTES		0x000010
+#define OVSEC_KADM_MAX_LIFE		0x000020
+#define OVSEC_KADM_MOD_TIME		0x000040
+#define OVSEC_KADM_MOD_NAME		0x000080
+#define OVSEC_KADM_KVNO			0x000100
+#define OVSEC_KADM_MKVNO		0x000200
+#define OVSEC_KADM_AUX_ATTRIBUTES	0x000400
+#define OVSEC_KADM_POLICY		0x000800
+#define OVSEC_KADM_POLICY_CLR		0x001000
+/* policy */
+#define OVSEC_KADM_PW_MAX_LIFE		0x004000
+#define OVSEC_KADM_PW_MIN_LIFE		0x008000
+#define OVSEC_KADM_PW_MIN_LENGTH	0x010000
+#define OVSEC_KADM_PW_MIN_CLASSES	0x020000
+#define OVSEC_KADM_PW_HISTORY_NUM	0x040000
+#define OVSEC_KADM_REF_COUNT		0x080000
+
+/*
+ * permission bits
+ */
+#define OVSEC_KADM_PRIV_GET	0x01
+#define OVSEC_KADM_PRIV_ADD	0x02
+#define OVSEC_KADM_PRIV_MODIFY	0x04
+#define OVSEC_KADM_PRIV_DELETE	0x08
+
+/*
+ * API versioning constants
+ */
+#define OVSEC_KADM_MASK_BITS		0xffffff00
+
+#define OVSEC_KADM_STRUCT_VERSION_MASK	0x12345600
+#define OVSEC_KADM_STRUCT_VERSION_1	(OVSEC_KADM_STRUCT_VERSION_MASK|0x01)
+#define OVSEC_KADM_STRUCT_VERSION	OVSEC_KADM_STRUCT_VERSION_1
+
+#define OVSEC_KADM_API_VERSION_MASK	0x12345700
+#define OVSEC_KADM_API_VERSION_1	(OVSEC_KADM_API_VERSION_MASK|0x01)
+
+
+typedef struct _ovsec_kadm_principal_ent_t {
+	krb5_principal	principal;
+	krb5_timestamp	princ_expire_time;
+	krb5_timestamp	last_pwd_change;
+	krb5_timestamp	pw_expiration;
+	krb5_deltat	max_life;
+	krb5_principal	mod_name;
+	krb5_timestamp	mod_date;
+	krb5_flags	attributes;
+	krb5_kvno	kvno;
+	krb5_kvno	mkvno;
+	char		*policy;
+	long		aux_attributes;
+} ovsec_kadm_principal_ent_rec, *ovsec_kadm_principal_ent_t;
+
+typedef struct _ovsec_kadm_policy_ent_t {
+	char		*policy;
+	long		pw_min_life;
+	long		pw_max_life;
+	long		pw_min_length;
+	long		pw_min_classes;
+	long		pw_history_num;
+	long		policy_refcnt;
+} ovsec_kadm_policy_ent_rec, *ovsec_kadm_policy_ent_t;
 
+/*
+ * functions
+ */
+ovsec_kadm_ret_t    ovsec_kadm_init(char *client_name, char *pass,
+				    char *service_name, char *realm,
+				    krb5_ui_4 struct_version,
+				    krb5_ui_4 api_version,
+				    void **server_handle);
+ovsec_kadm_ret_t    ovsec_kadm_init_with_password(char *client_name,
+						  char *pass, 
+						  char *service_name,
+						  char *realm, 
+						  krb5_ui_4 struct_version,
+						  krb5_ui_4 api_version,
+						  void **server_handle);
+ovsec_kadm_ret_t    ovsec_kadm_init_with_skey(char *client_name,
+					      char *keytab,
+					      char *service_name,
+					      char *realm,
+					      krb5_ui_4 struct_version,
+					      krb5_ui_4 api_version,
+					      void **server_handle);
+ovsec_kadm_ret_t    ovsec_kadm_flush(void *server_handle);
+ovsec_kadm_ret_t    ovsec_kadm_destroy(void *server_handle);
+ovsec_kadm_ret_t    ovsec_kadm_create_principal(void *server_handle,
+						ovsec_kadm_principal_ent_t ent,
+						long mask, char *pass);
+ovsec_kadm_ret_t    ovsec_kadm_delete_principal(void *server_handle,
+						krb5_principal principal);
+ovsec_kadm_ret_t    ovsec_kadm_modify_principal(void *server_handle,
+						ovsec_kadm_principal_ent_t ent,
+						long mask);
+ovsec_kadm_ret_t    ovsec_kadm_rename_principal(void *server_handle,
+						krb5_principal,krb5_principal);
+ovsec_kadm_ret_t    ovsec_kadm_get_principal(void *server_handle,
+					     krb5_principal principal,
+					     ovsec_kadm_principal_ent_t *ent);
+ovsec_kadm_ret_t    ovsec_kadm_chpass_principal(void *server_handle,
+						krb5_principal principal,
+						char *pass);
+ovsec_kadm_ret_t    ovsec_kadm_randkey_principal(void *server_handle,
+						 krb5_principal principal,
+						 krb5_keyblock **keyblock);
+ovsec_kadm_ret_t    ovsec_kadm_create_policy(void *server_handle,
+					     ovsec_kadm_policy_ent_t ent,
+					     long mask);
+/*
+ * ovsec_kadm_create_policy_internal is not part of the supported,
+ * exposed API.  It is available only in the server library, and you
+ * shouldn't use it unless you know why it's there and how it's
+ * different from ovsec_kadm_create_policy.
+ */
+ovsec_kadm_ret_t    ovsec_kadm_create_policy_internal(void *server_handle,
+						      ovsec_kadm_policy_ent_t
+						      entry, long mask);
+ovsec_kadm_ret_t    ovsec_kadm_delete_policy(void *server_handle,
+					     ovsec_kadm_policy_t policy);
+ovsec_kadm_ret_t    ovsec_kadm_modify_policy(void *server_handle,
+					     ovsec_kadm_policy_ent_t ent,
+					     long mask);
+/*
+ * ovsec_kadm_modify_policy_internal is not part of the supported,
+ * exposed API.  It is available only in the server library, and you
+ * shouldn't use it unless you know why it's there and how it's
+ * different from ovsec_kadm_modify_policy.
+ */
+ovsec_kadm_ret_t    ovsec_kadm_modify_policy_internal(void *server_handle,
+						      ovsec_kadm_policy_ent_t
+						      entry, long mask);
+ovsec_kadm_ret_t    ovsec_kadm_get_policy(void *server_handle,
+					  ovsec_kadm_policy_t policy,
+					  ovsec_kadm_policy_ent_t *ent);
+ovsec_kadm_ret_t    ovsec_kadm_get_privs(void *server_handle,
+					 long *privs);
+
+ovsec_kadm_ret_t    ovsec_kadm_chpass_principal_util(void *server_handle,
+						     krb5_principal princ,
+						     char *new_pw, 
+						     char **ret_pw,
+						     char *msg_ret);
+
+ovsec_kadm_ret_t    ovsec_kadm_free_principal_ent(void *server_handle,
+						  ovsec_kadm_principal_ent_t
+						  ent);
+ovsec_kadm_ret_t    ovsec_kadm_free_policy_ent(void *server_handle,
+					       ovsec_kadm_policy_ent_t ent);
+
+ovsec_kadm_ret_t ovsec_kadm_free_name_list(void *server_handle,
+					   char **names, int count);
+
+ovsec_kadm_ret_t    ovsec_kadm_get_principals(void *server_handle,
+					      char *exp, char ***princs,
+					      int *count);
+
+ovsec_kadm_ret_t    ovsec_kadm_get_policies(void *server_handle,
+					    char *exp, char ***pols,
+					    int *count);
+
+#define OVSEC_KADM_FAILURE KADM5_FAILURE
+#define OVSEC_KADM_AUTH_GET KADM5_AUTH_GET
+#define OVSEC_KADM_AUTH_ADD KADM5_AUTH_ADD
+#define OVSEC_KADM_AUTH_MODIFY KADM5_AUTH_MODIFY
+#define OVSEC_KADM_AUTH_DELETE KADM5_AUTH_DELETE
+#define OVSEC_KADM_AUTH_INSUFFICIENT KADM5_AUTH_INSUFFICIENT
+#define OVSEC_KADM_BAD_DB KADM5_BAD_DB
+#define OVSEC_KADM_DUP KADM5_DUP
+#define OVSEC_KADM_RPC_ERROR KADM5_RPC_ERROR
+#define OVSEC_KADM_NO_SRV KADM5_NO_SRV
+#define OVSEC_KADM_BAD_HIST_KEY KADM5_BAD_HIST_KEY
+#define OVSEC_KADM_NOT_INIT KADM5_NOT_INIT
+#define OVSEC_KADM_UNK_PRINC KADM5_UNK_PRINC
+#define OVSEC_KADM_UNK_POLICY KADM5_UNK_POLICY
+#define OVSEC_KADM_BAD_MASK KADM5_BAD_MASK
+#define OVSEC_KADM_BAD_CLASS KADM5_BAD_CLASS
+#define OVSEC_KADM_BAD_LENGTH KADM5_BAD_LENGTH
+#define OVSEC_KADM_BAD_POLICY KADM5_BAD_POLICY
+#define OVSEC_KADM_BAD_PRINCIPAL KADM5_BAD_PRINCIPAL
+#define OVSEC_KADM_BAD_AUX_ATTR KADM5_BAD_AUX_ATTR
+#define OVSEC_KADM_BAD_HISTORY KADM5_BAD_HISTORY
+#define OVSEC_KADM_BAD_MIN_PASS_LIFE KADM5_BAD_MIN_PASS_LIFE
+#define OVSEC_KADM_PASS_Q_TOOSHORT KADM5_PASS_Q_TOOSHORT
+#define OVSEC_KADM_PASS_Q_CLASS KADM5_PASS_Q_CLASS
+#define OVSEC_KADM_PASS_Q_DICT KADM5_PASS_Q_DICT
+#define OVSEC_KADM_PASS_REUSE KADM5_PASS_REUSE
+#define OVSEC_KADM_PASS_TOOSOON KADM5_PASS_TOOSOON
+#define OVSEC_KADM_POLICY_REF KADM5_POLICY_REF
+#define OVSEC_KADM_INIT KADM5_INIT
+#define OVSEC_KADM_BAD_PASSWORD KADM5_BAD_PASSWORD
+#define OVSEC_KADM_PROTECT_PRINCIPAL KADM5_PROTECT_PRINCIPAL
+#define OVSEC_KADM_BAD_SERVER_HANDLE KADM5_BAD_SERVER_HANDLE
+#define OVSEC_KADM_BAD_STRUCT_VERSION KADM5_BAD_STRUCT_VERSION
+#define OVSEC_KADM_OLD_STRUCT_VERSION KADM5_OLD_STRUCT_VERSION
+#define OVSEC_KADM_NEW_STRUCT_VERSION KADM5_NEW_STRUCT_VERSION
+#define OVSEC_KADM_BAD_API_VERSION KADM5_BAD_API_VERSION
+#define OVSEC_KADM_OLD_LIB_API_VERSION KADM5_OLD_LIB_API_VERSION
+#define OVSEC_KADM_OLD_SERVER_API_VERSION KADM5_OLD_SERVER_API_VERSION
+#define OVSEC_KADM_NEW_LIB_API_VERSION KADM5_NEW_LIB_API_VERSION
+#define OVSEC_KADM_NEW_SERVER_API_VERSION KADM5_NEW_SERVER_API_VERSION
+#define OVSEC_KADM_SECURE_PRINC_MISSING KADM5_SECURE_PRINC_MISSING
+#define OVSEC_KADM_NO_RENAME_SALT KADM5_NO_RENAME_SALT
+
+#endif /* USE_KADM5_API_VERSION == 1 */
 
 krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
 kadm5_ret_t	kadm5_chpass_principal_v2(void *server_handle,
--- a/usr/src/lib/krb5/kadm5/admin_internal.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/admin_internal.h	Sat Oct 07 13:37:05 2006 -0700
@@ -21,7 +21,6 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin_internal.h,v 1.13.18.1 2000/05/19 22:24:14 raeburn Exp $
  */
 
 #ifndef __KADM5_ADMIN_INTERNAL_H__
@@ -82,18 +81,17 @@
  *
  * Got that?
  */
-int _kadm5_check_handle();
+#define _KADM5_CHECK_HANDLE(handle) \
+{ int ecode; if ((ecode = _kadm5_check_handle((void *)handle))) return ecode;}
 
-#define _KADM5_CHECK_HANDLE(handle) \
-{ int code; if ((code = _kadm5_check_handle((void *)handle))) return code; }
-
+int         _kadm5_check_handle(void *handle);
 kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
 					 void *lhandle,
 					 krb5_principal princ,
 					 char *new_pw, 
 					 char **ret_pw,
 					 char *msg_ret,
-					 int msg_len);
+					 unsigned int msg_len);
 
 /* this is needed by the alt_prof code I stole.  The functions
    maybe shouldn't be named krb5_*, but they are. */
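Review bot: The re-added `_KADM5_CHECK_HANDLE` macro still expands to a bare `{ ... }` block and casts `handle` without parenthesising it. An invocation followed by `;` inside an unbraced `if`/`else` will not parse, and an argument that is an expression is cast with the wrong precedence. I would write it as `do { int ecode; if ((ecode = _kadm5_check_handle((void *)(handle)))) return ecode; } while (0)`, after confirming that no caller (none are visible in this hunk) invokes it without a trailing semicolon. Since the macro hides a `return` from the enclosing function, a one-line comment such as `/* returns from the CALLER with the error code if the handle is invalid */` would help readers auditing handle validation.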
--- a/usr/src/lib/krb5/kadm5/admin_xdr.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/admin_xdr.h	Sat Oct 07 13:37:05 2006 -0700
@@ -21,65 +21,61 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin_xdr.h,v 1.5 1996/07/22 20:35:33 marc Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin_xdr.h,v 1.7 2001/07/25 19:02:29 epeisach Exp $
  * 
- * $Log: admin_xdr.h,v $
- * Revision 1.5  1996/07/22 20:35:33  marc
- * this commit includes all the changes on the OV_9510_INTEGRATION and
- * OV_MERGE branches.  This includes, but is not limited to, the new openvision
- * admin system, and major changes to gssapi to add functionality, and bring
- * the implementation in line with rfc1964.  before committing, the
- * code was built and tested for netbsd and solaris.
- *
- * Revision 1.4.4.1  1996/07/18 03:08:25  marc
- * merged in changes from OV_9510_BP to OV_9510_FINAL1
- *
- * Revision 1.4.2.1  1996/06/20  02:16:37  marc
- * File added to the repository on a branch
- *
- * Revision 1.4  1996/05/30  16:36:34  bjaspan
- * finish updating to kadm5 naming (oops)
- *
- * Revision 1.3  1996/05/22 00:28:19  bjaspan
- * rename to kadm5
- *
- * Revision 1.2  1996/05/12 06:30:10  marc
- *  - fixup includes and data types to match beta6
- *
- * Revision 1.1  1993/11/09  04:06:01  shanzer
- * Initial revision
- *
  */
 
 #include    <kadm5/admin.h>
 #include    "kadm_rpc.h"
 
+bool_t      xdr_ui_4(XDR *xdrs, krb5_ui_4 *objp);
 bool_t	    xdr_nullstring(XDR *xdrs, char **objp);
+bool_t      xdr_nulltype(XDR *xdrs, void **objp, xdrproc_t proc);
 bool_t	    xdr_krb5_timestamp(XDR *xdrs, krb5_timestamp *objp);
 bool_t	    xdr_krb5_kvno(XDR *xdrs, krb5_kvno *objp);
 bool_t	    xdr_krb5_deltat(XDR *xdrs, krb5_deltat *objp);
 bool_t	    xdr_krb5_flags(XDR *xdrs, krb5_flags *objp);
+bool_t      xdr_krb5_ui_4(XDR *xdrs, krb5_ui_4 *objp);
+bool_t      xdr_krb5_int16(XDR *xdrs, krb5_int16 *objp);
+bool_t      xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp);
+bool_t      xdr_krb5_key_data_nocontents(XDR *xdrs, krb5_key_data *objp);
+bool_t      xdr_krb5_key_salt_tuple(XDR *xdrs, krb5_key_salt_tuple *objp);
+bool_t      xdr_krb5_tl_data(XDR *xdrs, krb5_tl_data **tl_data_head);
 bool_t	    xdr_kadm5_ret_t(XDR *xdrs, kadm5_ret_t *objp);
+bool_t      xdr_kadm5_principal_ent_rec_v1(XDR *xdrs, kadm5_principal_ent_rec *objp);
 bool_t	    xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp);
 bool_t	    xdr_kadm5_policy_ent_rec(XDR *xdrs, kadm5_policy_ent_rec *objp);
 bool_t	    xdr_kadm5_policy_ent_t(XDR *xdrs, kadm5_policy_ent_t *objp);
 bool_t	    xdr_kadm5_principal_ent_t(XDR *xdrs, kadm5_principal_ent_t *objp);
 bool_t	    xdr_cprinc_arg(XDR *xdrs, cprinc_arg *objp);
+bool_t      xdr_cprinc3_arg(XDR *xdrs, cprinc3_arg *objp);
+bool_t      xdr_generic_ret(XDR *xdrs, generic_ret *objp);
 bool_t	    xdr_dprinc_arg(XDR *xdrs, dprinc_arg *objp);
 bool_t	    xdr_mprinc_arg(XDR *xdrs, mprinc_arg *objp);
 bool_t	    xdr_rprinc_arg(XDR *xdrs, rprinc_arg *objp);
 bool_t	    xdr_chpass_arg(XDR *xdrs, chpass_arg *objp);
+bool_t      xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp);
+bool_t      xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp);
+bool_t      xdr_setkey_arg(XDR *xdrs, setkey_arg *objp);
+bool_t      xdr_setkey3_arg(XDR *xdrs, setkey3_arg *objp);
 bool_t	    xdr_chrand_arg(XDR *xdrs, chrand_arg *objp);
+bool_t      xdr_chrand3_arg(XDR *xdrs, chrand3_arg *objp);
 bool_t	    xdr_chrand_ret(XDR *xdrs, chrand_ret *objp);
 bool_t	    xdr_gprinc_arg(XDR *xdrs, gprinc_arg *objp);
-bool_t	    xdr_gprinc_arg(XDR *xdrs, gprinc_arg *objp);
+bool_t      xdr_gprinc_ret(XDR *xdrs, gprinc_ret *objp);
+bool_t	    xdr_gprincs_arg(XDR *xdrs, gprincs_arg *objp);
+bool_t      xdr_gprincs_ret(XDR *xdrs, gprincs_ret *objp);
 bool_t	    xdr_cpol_arg(XDR *xdrs, cpol_arg *objp);
 bool_t	    xdr_dpol_arg(XDR *xdrs, dpol_arg *objp);
 bool_t	    xdr_mpol_arg(XDR *xdrs, mpol_arg *objp);
 bool_t	    xdr_gpol_arg(XDR *xdrs, gpol_arg *objp);
 bool_t	    xdr_gpol_ret(XDR *xdrs, gpol_ret *objp);
+bool_t      xdr_gpols_arg(XDR *xdrs, gpols_arg *objp);
+bool_t      xdr_gpols_ret(XDR *xdrs, gpols_ret *objp);
+bool_t      xdr_getprivs_ret(XDR *xdrs, getprivs_ret *objp);
 bool_t	    xdr_krb5_principal(XDR *xdrs, krb5_principal *objp);
 bool_t	    xdr_krb5_octet(XDR *xdrs, krb5_octet *objp);
 bool_t	    xdr_krb5_int32(XDR *xdrs, krb5_int32 *objp);
 bool_t	    xdr_krb5_enctype(XDR *xdrs, krb5_enctype *objp);
+bool_t      xdr_krb5_salttype(XDR *xdrs, krb5_int32 *objp);
 bool_t	    xdr_krb5_keyblock(XDR *xdrs, krb5_keyblock *objp);
--- a/usr/src/lib/krb5/kadm5/alt_prof.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/alt_prof.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -26,7 +26,7 @@
 /*
  * lib/kadm/alt_prof.c
  *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -41,7 +41,10 @@
  * this permission notice appear in supporting documentation, and that
  * the name of M.I.T. not be used in advertising or publicity pertaining
  * to distribution of the software without specific, written prior
- * permission.  M.I.T. makes no representations about the suitability of
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
  *
@@ -69,6 +72,20 @@
 	"des-cbc-md5:normal " \
 	"des-cbc-crc:normal"
 
+static krb5_key_salt_tuple *copy_key_salt_tuple(ksalt, len)
+krb5_key_salt_tuple *ksalt;
+krb5_int32 len;
+{
+    krb5_key_salt_tuple *knew;    
+
+    if((knew = (krb5_key_salt_tuple *)
+		malloc((len ) * sizeof(krb5_key_salt_tuple)))) {
+         memcpy(knew, ksalt, len * sizeof(krb5_key_salt_tuple));
+	 return knew;
+    }
+    return 0;
+}
+
 /*
  * krb5_aprof_init()	- Initialize alternate profile context.
  *
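Review bot: `copy_key_salt_tuple` multiplies the signed `krb5_int32 len` by `sizeof(krb5_key_salt_tuple)` with no range check, so a zero, negative or very large `len` is not rejected. The `malloc` and `memcpy` use the same product, so the copy itself stays consistent, but a product that wraps would yield a buffer smaller than the count the caller presumably keeps using (the caller is not visible in this hunk). With `len == 0` a NULL from `malloc(0)` is indistinguishable from allocation failure. A guard before the allocation would close this: `if (len <= 0 || (size_t)len > (size_t)-1 / sizeof(krb5_key_salt_tuple)) return 0;`. A short comment stating that the caller owns and must free the returned array would also be useful.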
@@ -82,36 +99,36 @@
  */
 krb5_error_code
 krb5_aprof_init(fname, envname, acontextp)
-char		*fname;
-char		*envname;
-krb5_pointer	*acontextp;
+    char		*fname;
+    char		*envname;
+    krb5_pointer	*acontextp;
 {
-	krb5_error_code	kret;
-	const char		*namelist[2];
-	profile_t		profile;
-
-	namelist[1] = (char *)NULL;
-	profile = (profile_t)NULL;
-	if (envname) {
-		if ((namelist[0] = getenv(envname))) {
-			kret = profile_init(namelist, &profile);
-			if (kret)
-				return (kret);
-			*acontextp = (krb5_pointer) profile;
-			return (0);
-		}
+    krb5_error_code	kret;
+    const_profile_filespec_t 	namelist[2];
+    profile_t		profile;
+    
+    namelist[1] = (profile_filespec_t) NULL;
+    profile = (profile_t) NULL;
+    if (envname) {
+	if ((namelist[0] = getenv(envname))) {
+	    kret = profile_init(namelist, &profile);
+	    if (kret)
+		return kret;
+	    *acontextp = (krb5_pointer) profile;
+	    return 0;
 	}
-	profile = (profile_t)NULL;
-	if (fname) {
-		kret = profile_init_path(fname, &profile);
-		if (kret == ENOENT) {
-			profile = 0;
-		} else if (kret)
-			return (kret);
-		*acontextp = (krb5_pointer) profile;
-		return (0);
-	}
-	return (0);
+    }
+    profile = (profile_t) NULL;
+    if (fname) {
+	kret = profile_init_path(fname, &profile);
+	if (kret == ENOENT) {
+	    profile = 0;
+	} else if (kret)
+	    return kret;
+	*acontextp = (krb5_pointer) profile;
+	return 0;
+    }
+    return 0;
 }
 
 /*
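Review bot: Nothing in `krb5_aprof_init` documents that a file named by the environment variable `envname` takes precedence over `fname`, and the function applies no privilege check of its own before `getenv(envname)`. In this file `kadm5_get_config_params` clears `envname` when `context->profile_secure` is set, so the protection lives entirely at the call site; other callers are not visible here. I would add a comment above the `if (envname)` test, for example `/* envname overrides fname; callers running with elevated privilege must pass NULL */`. The final `return 0` also leaves `*acontextp` unwritten when neither source yields a profile, which the header comment (it starts outside this hunk) should state, since callers must pre-initialise it.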
@@ -127,13 +144,71 @@
  */
 krb5_error_code
 krb5_aprof_getvals(acontext, hierarchy, retdata)
-krb5_pointer	acontext;
-const char		**hierarchy;
-char		***retdata;
+    krb5_pointer	acontext;
+    const char		**hierarchy;
+    char		***retdata;
+{
+    return(profile_get_values((profile_t) acontext,
+			      hierarchy,
+			      retdata));
+}
+
+/*
+ * krb5_aprof_get_boolean()
+ *
+ * Parameters:
+ *	acontext	- opaque context for alternate profile
+ *	hierarchy	- hierarchy of value to retrieve
+ *	retdata		- Returned data value
+ * Returns:
+ *	error codes
+ */
+
+static krb5_error_code
+string_to_boolean (const char *string, krb5_boolean *out)
 {
-	return (profile_get_values((profile_t)acontext,
-				hierarchy,
-				retdata));
+    static const char *const yes[] = { "y", "yes", "true", "t", "1", "on" };
+    static const char *const no[] = { "n", "no", "false", "f", "nil", "0", "off" };
+    int i;
+
+    for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++)
+	if (!strcasecmp(string, yes[i])) {
+	    *out = 1;
+	    return 0;
+	}
+    for (i = 0; i < sizeof(no)/sizeof(no[0]); i++)
+	if (!strcasecmp(string, no[i])) {
+	    *out = 0;
+	    return 0;
+	}
+    return PROF_BAD_BOOLEAN;
+}
+
+krb5_error_code
+krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy,
+		       int uselast, krb5_boolean *retdata)
+{
+    krb5_error_code kret;
+    char **values;
+    char *valp;
+    int idx;
+    krb5_boolean val;
+
+    kret = krb5_aprof_getvals (acontext, hierarchy, &values);
+    if (kret)
+	return kret;
+    idx = 0;
+    if (uselast) {
+	while (values[idx])
+	    idx++;
+	idx--;
+    }
+    valp = values[idx];
+    kret = string_to_boolean (valp, &val);
+    if (kret)
+	return kret;
+    *retdata = val;
+    return 0;
 }
 
 /*
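Review bot: `krb5_aprof_get_boolean` never releases `values`: both the early `return kret` after `string_to_boolean` and the success path leak the list obtained from `krb5_aprof_getvals`. `krb5_aprof_get_deltat` in the same file frees each string and then the array. Releasing the list immediately after the `string_to_boolean` call and before the `if (kret)` test fixes both paths: `for (idx = 0; values[idx]; idx++) krb5_xfree(values[idx]);` followed by `krb5_xfree(values);`. The lookup also indexes `values[idx]` without checking for an empty list, so it relies on `profile_get_values` never returning success with zero entries (not verifiable from this hunk); otherwise `uselast` would read `values[-1]`. Separately, the header comment titled `krb5_aprof_get_boolean()` now sits above `string_to_boolean` and omits the `uselast` parameter; it should move down to the function it describes.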
@@ -153,31 +228,31 @@
  */
 krb5_error_code
 krb5_aprof_get_deltat(acontext, hierarchy, uselast, deltatp)
-krb5_pointer	acontext;
-const char		**hierarchy;
-krb5_boolean	uselast;
-krb5_deltat		*deltatp;
+    krb5_pointer	acontext;
+    const char		**hierarchy;
+    krb5_boolean	uselast;
+    krb5_deltat		*deltatp;
 {
-	krb5_error_code	kret;
-	char		**values;
-	char		*valp;
-	int			index;
+    krb5_error_code	kret;
+    char		**values;
+    char		*valp;
+    int			idx;
 
-	if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
-		index = 0;
-		if (uselast) {
-			for (index = 0; values[index]; index++);
-			index--;
-		}
-		valp = values[index];
-		kret = krb5_string_to_deltat(valp, deltatp);
+    if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
+	idx = 0;
+	if (uselast) {
+	    for (idx=0; values[idx]; idx++);
+	    idx--;
+	}
+	valp = values[idx];
+	kret = krb5_string_to_deltat(valp, deltatp);
 
-		/* Free the string storage */
-		for (index = 0; values[index]; index++)
-			krb5_xfree(values[index]);
-		krb5_xfree(values);
-	}
-	return (kret);
+	/* Free the string storage */
+	for (idx=0; values[idx]; idx++)
+	    krb5_xfree(values[idx]);
+	krb5_xfree(values);
+    }
+    return(kret);
 }
 
 /*
@@ -196,31 +271,31 @@
  */
 krb5_error_code
 krb5_aprof_get_string(acontext, hierarchy, uselast, stringp)
-krb5_pointer	acontext;
-const char		**hierarchy;
-krb5_boolean	uselast;
-char		**stringp;
+    krb5_pointer	acontext;
+    const char		**hierarchy;
+    krb5_boolean	uselast;
+    char		**stringp;
 {
-	krb5_error_code	kret;
-	char		**values;
-	int			index, i;
+    krb5_error_code	kret;
+    char		**values;
+    int			idx, i;
 
-	if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
-		index = 0;
-		if (uselast) {
-			for (index = 0; values[index]; index++);
-			index--;
-		}
+    if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
+	idx = 0;
+	if (uselast) {
+	    for (idx=0; values[idx]; idx++);
+	    idx--;
+	}
 
-		*stringp = values[index];
+	*stringp = values[idx];
 
-		/* Free the string storage */
-		for (i = 0; values[i]; i++)
-			if (i != index)
-				krb5_xfree(values[i]);
-		krb5_xfree(values);
-	}
-	return (kret);
+	/* Free the string storage */
+	for (i=0; values[i]; i++)
+	    if (i != idx)
+		krb5_xfree(values[i]);
+	krb5_xfree(values);
+    }
+    return(kret);
 }
 
 /*
@@ -240,31 +315,31 @@
  */
 krb5_error_code
 krb5_aprof_get_int32(acontext, hierarchy, uselast, intp)
-krb5_pointer	acontext;
-const char		**hierarchy;
-krb5_boolean	uselast;
-krb5_int32		*intp;
+    krb5_pointer	acontext;
+    const char		**hierarchy;
+    krb5_boolean	uselast;
+    krb5_int32		*intp;
 {
-	krb5_error_code	kret;
-	char		**values;
-	int			index;
+    krb5_error_code	kret;
+    char		**values;
+    int			idx;
 
-	if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
-		index = 0;
-		if (uselast) {
-			for (index = 0; values[index]; index++);
-			index--;
-		}
+    if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
+	idx = 0;
+	if (uselast) {
+	    for (idx=0; values[idx]; idx++);
+	    idx--;
+	}
 
-		if (sscanf(values[index], "%d", intp) != 1)
-			kret = EINVAL;
+	if (sscanf(values[idx], "%d", intp) != 1)
+	    kret = EINVAL;
 
-		/* Free the string storage */
-		for (index = 0; values[index]; index++)
-			krb5_xfree(values[index]);
-		krb5_xfree(values);
-	}
-	return (kret);
+	/* Free the string storage */
+	for (idx=0; values[idx]; idx++)
+	    krb5_xfree(values[idx]);
+	krb5_xfree(values);
+    }
+    return(kret);
 }
 
 /*
@@ -278,10 +353,10 @@
  */
 krb5_error_code
 krb5_aprof_finish(acontext)
-krb5_pointer	acontext;
+    krb5_pointer	acontext;
 {
-	profile_release(acontext);
-	return (0);
+    profile_release(acontext);
+    return(0);
 }
 
 /*
@@ -292,13 +367,13 @@
  *
  * Arguments:
  *
- *	context(r) krb5_context to use
- *	profile(r) profile file to use
- *	envname(r) envname that contains a profile name to
+ *	context		(r) krb5_context to use
+ *	profile		(r) profile file to use
+ *	envname		(r) envname that contains a profile name to
  *			override profile
- *	params_in(r) params structure containing user-supplied
+ *	params_in	(r) params structure containing user-supplied
  *			values, or NULL
- *	params_out(w) params structure to be filled in
+ *	params_out	(w) params structure to be filled in
  *
  * Effects:
  *
@@ -314,21 +389,21 @@
  */
 krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
 					params_in, params_out)
-krb5_context		context;
-char			*kdcprofile;
-char			*kdcenv;
-kadm5_config_params	*params_in, *params_out;
+   krb5_context		context;
+   char			*kdcprofile;
+   char			*kdcenv;
+   kadm5_config_params	*params_in, *params_out;
 {
-	char		*filename;
-	char		*envname;
-	char		*lrealm;
-	krb5_pointer	aprofile = 0;
-	const char	*hierarchy[4];
-	char		*svalue;
-	krb5_int32		ivalue;
-	kadm5_config_params params, empty_params;
+    char		*filename;
+    char		*envname;
+    char		*lrealm;
+    krb5_pointer	aprofile = 0;
+    const char		*hierarchy[4];
+    char		*svalue;
+    krb5_int32		ivalue;
+    kadm5_config_params params, empty_params;
 
-	krb5_error_code	kret = 0;
+    krb5_error_code	kret = 0;
 	krb5_error_code dnsret = 1;
 
 #ifdef KRB5_DNS_LOOKUP
@@ -337,47 +412,47 @@
 	krb5_data dns_realm;
 #endif /* KRB5_DNS_LOOKUP */
 
-	memset((char *)&params, 0, sizeof (params));
-	memset((char *)&empty_params, 0, sizeof (empty_params));
+    memset((char *) &params, 0, sizeof(params));
+    memset((char *) &empty_params, 0, sizeof(empty_params));
 
-	if (params_in == NULL) params_in = &empty_params;
+    if (params_in == NULL) params_in = &empty_params;
 
-	if (params_in->mask & KADM5_CONFIG_REALM) {
-		lrealm = params.realm = strdup(params_in->realm);
-		if (params.realm)
-			params.mask |= KADM5_CONFIG_REALM;
-	} else {
-		kret = krb5_get_default_realm(context, &lrealm);
-		if (kret)
-			goto cleanup;
-		params.realm = lrealm;
-		params.mask |= KADM5_CONFIG_REALM;
-	}
-	if (params_in->mask & KADM5_CONFIG_PROFILE) {
-		filename = params.profile = strdup(params_in->profile);
-		if (params.profile)
-			params.mask |= KADM5_CONFIG_PROFILE;
-		envname = NULL;
-	} else {
-		/*
-		 * XXX These defaults should to work on both client and
-		 * server.  kadm5_get_config_params can be implemented as a
-		 * wrapper function in each library that provides correct
-		 * defaults for NULL values.
-		 */
-		filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE;
-		envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV;
-		if (context->profile_secure == TRUE) envname = 0;
-	}
+    if (params_in->mask & KADM5_CONFIG_REALM) {
+	 lrealm = params.realm = strdup(params_in->realm);
+	 if (params.realm)
+	      params.mask |= KADM5_CONFIG_REALM;
+    } else {
+	 kret = krb5_get_default_realm(context, &lrealm);
+	 if (kret)
+	      goto cleanup;
+	 params.realm = lrealm;
+	 params.mask |= KADM5_CONFIG_REALM;
+    }
+    if (params_in->mask & KADM5_CONFIG_PROFILE) {
+	 filename = params.profile = strdup(params_in->profile);
+	 if (params.profile)
+	      params.mask |= KADM5_CONFIG_PROFILE;
+	 envname = NULL;
+    } else {
+	 /*
+	  * XXX These defaults should to work on both client and
+	  * server.  kadm5_get_config_params can be implemented as a
+	  * wrapper function in each library that provides correct
+	  * defaults for NULL values.
+	  */
+	 filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE;
+	 envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV;
+	 if (context->profile_secure == TRUE) envname = 0;
+    }
 
-	kret = krb5_aprof_init(filename, envname, &aprofile);
-	if (kret)
-		goto cleanup;
-
-	/* Initialize realm parameters */
-	hierarchy[0] = "realms";
-	hierarchy[1] = lrealm;
-	hierarchy[3] = (char *)NULL;
+    kret = krb5_aprof_init(filename, envname, &aprofile);
+    if (kret)
+	    goto cleanup;
+    
+    /* Initialize realm parameters */
+    hierarchy[0] = "realms";
+    hierarchy[1] = lrealm;
+    hierarchy[3] = (char *) NULL;
 
 #ifdef KRB5_DNS_LOOKUP
 	/*
@@ -388,17 +463,17 @@
 	dns_realm.magic = 0;
 #endif /* KRB5_DNS_LOOKUP */
 
-	/* Get the value for the admin server */
-	hierarchy[2] = "admin_server";
-	if (params_in->mask & KADM5_CONFIG_ADMIN_SERVER) {
-		params.admin_server = strdup(params_in->admin_server);
-		if (params.admin_server)
-			params.mask |= KADM5_CONFIG_ADMIN_SERVER;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		params.admin_server = svalue;
-		params.mask |= KADM5_CONFIG_ADMIN_SERVER;
-	}
+    /* Get the value for the admin server */
+    hierarchy[2] = "admin_server";
+    if (params_in->mask & KADM5_CONFIG_ADMIN_SERVER) {
+	 params.admin_server = strdup(params_in->admin_server);
+	 if (params.admin_server)
+	      params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 params.admin_server = svalue;
+	 params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+    }
 #ifdef KRB5_DNS_LOOKUP
 	else if (strcmp(envname, "KRB5_CONFIG") == 0) {
 		/*
@@ -421,167 +496,182 @@
 	}
 #endif /* KRB5_DNS_LOOKUP */
 
-	if ((params.mask & KADM5_CONFIG_ADMIN_SERVER) && dnsret) {
-		char *p;
-		if (p = strchr(params.admin_server, ':')) {
-			params.kadmind_port = atoi(p+1);
-			params.mask |= KADM5_CONFIG_KADMIND_PORT;
-			*p = '\0';
-		}
-	}
+    if ((params.mask & KADM5_CONFIG_ADMIN_SERVER) && dnsret) {
+	 char *p;
+	 p = strchr(params.admin_server, ':');
+	 if (p) {
+	      params.kadmind_port = atoi(p+1);
+	      params.mask |= KADM5_CONFIG_KADMIND_PORT;
+	      *p = '\0';
+	 }
+    }
 
-	/* Get the value for the database */
-	hierarchy[2] = "database_name";
-	if (params_in->mask & KADM5_CONFIG_DBNAME) {
-		params.dbname = strdup(params_in->dbname);
-		if (params.dbname)
-			params.mask |= KADM5_CONFIG_DBNAME;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		params.dbname = svalue;
-		params.mask |= KADM5_CONFIG_DBNAME;
-	} else {
-		params.dbname = strdup(DEFAULT_KDB_FILE);
-		if (params.dbname)
-			params.mask |= KADM5_CONFIG_DBNAME;
-	}
+    /* Get the value for the database */
+    hierarchy[2] = "database_name";
+    if (params_in->mask & KADM5_CONFIG_DBNAME) {
+	 params.dbname = strdup(params_in->dbname);
+	 if (params.dbname)
+	      params.mask |= KADM5_CONFIG_DBNAME;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 params.dbname = svalue;
+	 params.mask |= KADM5_CONFIG_DBNAME;
+    } else {
+	 params.dbname = strdup(DEFAULT_KDB_FILE);
+	 if (params.dbname) 
+	      params.mask |= KADM5_CONFIG_DBNAME;
+    }
 
-	/*
-	 * admin database name and lockfile are now always derived from dbname
-	 */
-	if (params.mask & KADM5_CONFIG_DBNAME) {
-		params.admin_dbname = (char *)malloc(strlen(params.dbname)
-						    + 7);
-		if (params.admin_dbname) {
-			sprintf(params.admin_dbname, "%s.kadm5",
-				params.dbname);
-			params.mask |= KADM5_CONFIG_ADBNAME;
-		}
-	}
+    /*
+     * admin database name and lockfile are now always derived from dbname
+     */
+    if (params.mask & KADM5_CONFIG_DBNAME) {
+	 params.admin_dbname = (char *) malloc(strlen(params.dbname) + 7);
+	 if (params.admin_dbname) {
+	      sprintf(params.admin_dbname, "%s.kadm5", params.dbname);
+	      params.mask |= KADM5_CONFIG_ADBNAME;
+	 }
+    }
 
-	if (params.mask & KADM5_CONFIG_ADBNAME) {
-		params.admin_lockfile =
-			(char *)malloc(strlen(params.admin_dbname)+ 6);
-		if (params.admin_lockfile) {
-			sprintf(params.admin_lockfile, "%s.lock",
-				params.admin_dbname);
-			params.mask |= KADM5_CONFIG_ADB_LOCKFILE;
-		}
-	}
-
-	/* Get the value for the admin(policy) database lock file */
-	hierarchy[2] = "admin_keytab";
-	if (params_in->mask & KADM5_CONFIG_ADMIN_KEYTAB) {
-		params.admin_keytab = strdup(params_in->admin_keytab);
-		if (params.admin_keytab)
-			params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
+    if (params.mask & KADM5_CONFIG_ADBNAME) {
+	 params.admin_lockfile = (char *) malloc(strlen(params.admin_dbname)
+						 + 6);
+	 if (params.admin_lockfile) {
+	      sprintf(params.admin_lockfile, "%s.lock", params.admin_dbname);
+	      params.mask |= KADM5_CONFIG_ADB_LOCKFILE;
+	 }
+    }
+    
+    /* Get the value for the admin (policy) database lock file*/
+    hierarchy[2] = "admin_keytab";
+    if (params_in->mask & KADM5_CONFIG_ADMIN_KEYTAB) {
+	 params.admin_keytab = strdup(params_in->admin_keytab);
+	 if (params.admin_keytab)
+	      params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
+	 params.admin_keytab = svalue;
+    } else if ((params.admin_keytab = (char *) getenv("KRB5_KTNAME"))) {
+	 params.admin_keytab = strdup(params.admin_keytab);
+	 if (params.admin_keytab)
+	      params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
+    } else {
+	 params.admin_keytab = strdup(DEFAULT_KADM5_KEYTAB);
+	 if (params.admin_keytab)
+	      params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
+    }
+    
+    /* Get the name of the acl file */
+    hierarchy[2] = "acl_file";
+    if (params_in->mask & KADM5_CONFIG_ACL_FILE) {
+	 params.acl_file = strdup(params_in->acl_file);
+	 if (params.acl_file)
+	      params.mask |= KADM5_CONFIG_ACL_FILE;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 params.mask |= KADM5_CONFIG_ACL_FILE;
+	 params.acl_file = svalue;
+    } else {
+	 params.acl_file = strdup(DEFAULT_KADM5_ACL_FILE);
+	 if (params.acl_file)
+	      params.mask |= KADM5_CONFIG_ACL_FILE;
+    }
+    
+    /* Get the name of the dict file */
+    hierarchy[2] = "dict_file";
+    if (params_in->mask & KADM5_CONFIG_DICT_FILE) {
+	 params.dict_file = strdup(params_in->dict_file);
+	 if (params.dict_file)
+	      params.mask |= KADM5_CONFIG_DICT_FILE;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 params.mask |= KADM5_CONFIG_DICT_FILE;
+	 params.dict_file = svalue;
+    }
+	    
+    /* Get the value for the kadmind port */
+    if (! (params.mask & KADM5_CONFIG_KADMIND_PORT)) {
+	 hierarchy[2] = "kadmind_port";
+	 if (params_in->mask & KADM5_CONFIG_KADMIND_PORT) {
+	      params.mask |= KADM5_CONFIG_KADMIND_PORT;
+	      params.kadmind_port = params_in->kadmind_port;
+	 } else if (aprofile &&
+		    !krb5_aprof_get_int32(aprofile, hierarchy, TRUE,
+					  &ivalue)) { 
+	      params.kadmind_port = ivalue;
+	      params.mask |= KADM5_CONFIG_KADMIND_PORT;
+	 } else {
+	      params.kadmind_port = DEFAULT_KADM5_PORT;
+	      params.mask |= KADM5_CONFIG_KADMIND_PORT;
+	 }
+    }
+    
+    /* Get the value for the kpasswd port */
+    if (! (params.mask & KADM5_CONFIG_KPASSWD_PORT)) {
+	hierarchy[2] = "kpasswd_port";
+	if (params_in->mask & KADM5_CONFIG_KPASSWD_PORT) {
+	    params.mask |= KADM5_CONFIG_KPASSWD_PORT;
+	    params.kpasswd_port = params_in->kpasswd_port;
 	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
-		params.admin_keytab = svalue;
-	} else if (params.admin_keytab = (char *)getenv("KRB5_KTNAME")) {
-		params.admin_keytab = strdup(params.admin_keytab);
-		if (params.admin_keytab)
-			params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
-	} else {
-		params.admin_keytab = strdup(DEFAULT_KADM5_KEYTAB);
-		if (params.admin_keytab)
-			params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
-	}
-
-	/* Get the name of the acl file */
-	hierarchy[2] = "acl_file";
-	if (params_in->mask & KADM5_CONFIG_ACL_FILE) {
-		params.acl_file = strdup(params_in->acl_file);
-		if (params.acl_file)
-			params.mask |= KADM5_CONFIG_ACL_FILE;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		params.mask |= KADM5_CONFIG_ACL_FILE;
-		params.acl_file = svalue;
+		   !krb5_aprof_get_int32(aprofile, hierarchy, TRUE,
+					 &ivalue)) { 
+	    params.kpasswd_port = ivalue;
+	    params.mask |= KADM5_CONFIG_KPASSWD_PORT;
 	} else {
-		params.acl_file = strdup(DEFAULT_KADM5_ACL_FILE);
-		if (params.acl_file)
-			params.mask |= KADM5_CONFIG_ACL_FILE;
-	}
-
-	/* Get the name of the dict file */
-	hierarchy[2] = "dict_file";
-	if (params_in->mask & KADM5_CONFIG_DICT_FILE) {
-		params.dict_file = strdup(params_in->dict_file);
-		if (params.dict_file)
-			params.mask |= KADM5_CONFIG_DICT_FILE;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		params.mask |= KADM5_CONFIG_DICT_FILE;
-		params.dict_file = svalue;
-	}
-
-	/* Get the value for the kadmind port */
-	if (! (params.mask & KADM5_CONFIG_KADMIND_PORT)) {
-		hierarchy[2] = "kadmind_port";
-		if (params_in->mask & KADM5_CONFIG_KADMIND_PORT) {
-			params.mask |= KADM5_CONFIG_KADMIND_PORT;
-			params.kadmind_port = params_in->kadmind_port;
-		} else if (aprofile &&
-			!krb5_aprof_get_int32(aprofile, hierarchy, TRUE,
-					    &ivalue)) {
-			params.kadmind_port = ivalue;
-			params.mask |= KADM5_CONFIG_KADMIND_PORT;
-		} else {
-			params.kadmind_port = DEFAULT_KADM5_PORT;
-			params.mask |= KADM5_CONFIG_KADMIND_PORT;
-		}
+	    params.kpasswd_port = DEFAULT_KPASSWD_PORT;
+	    params.mask |= KADM5_CONFIG_KPASSWD_PORT;
 	}
-
-	/* Get the value for the master key name */
-	hierarchy[2] = "master_key_name";
-	if (params_in->mask & KADM5_CONFIG_MKEY_NAME) {
-		params.mkey_name = strdup(params_in->mkey_name);
-		if (params.mkey_name)
-			params.mask |= KADM5_CONFIG_MKEY_NAME;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		params.mask |= KADM5_CONFIG_MKEY_NAME;
-		params.mkey_name = svalue;
-	}
-
-	/* Get the value for the master key type */
-	hierarchy[2] = "master_key_type";
-	if (params_in->mask & KADM5_CONFIG_ENCTYPE) {
-		params.mask |= KADM5_CONFIG_ENCTYPE;
-		params.enctype = params_in->enctype;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		if (!krb5_string_to_enctype(svalue, &params.enctype)) {
-			params.mask |= KADM5_CONFIG_ENCTYPE;
-			krb5_xfree(svalue);
-		}
-	} else {
-		params.mask |= KADM5_CONFIG_ENCTYPE;
-		params.enctype = DEFAULT_KDC_ENCTYPE;
-	}
-
-	/* Get the value for mkey_from_kbd */
-	if (params_in->mask & KADM5_CONFIG_MKEY_FROM_KBD) {
-		params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
-		params.mkey_from_kbd = params_in->mkey_from_kbd;
-	}
-
-	/* Get the value for the stashfile */
-	hierarchy[2] = "key_stash_file";
-	if (params_in->mask & KADM5_CONFIG_STASH_FILE) {
-		params.stash_file = strdup(params_in->stash_file);
-		if (params.stash_file)
-			params.mask |= KADM5_CONFIG_STASH_FILE;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		params.mask |= KADM5_CONFIG_STASH_FILE;
-		params.stash_file = svalue;
-	}
-
-	/*
-	 * Get the value for maximum ticket lifetime.
+    }
+    
+    /* Get the value for the master key name */
+	 hierarchy[2] = "master_key_name";
+    if (params_in->mask & KADM5_CONFIG_MKEY_NAME) {
+	 params.mkey_name = strdup(params_in->mkey_name);
+	 if (params.mkey_name)
+	      params.mask |= KADM5_CONFIG_MKEY_NAME;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 params.mask |= KADM5_CONFIG_MKEY_NAME;
+	 params.mkey_name = svalue;
+    }
+    
+    /* Get the value for the master key type */
+    hierarchy[2] = "master_key_type";
+    if (params_in->mask & KADM5_CONFIG_ENCTYPE) {
+	 params.mask |= KADM5_CONFIG_ENCTYPE;
+	 params.enctype = params_in->enctype;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 if (!krb5_string_to_enctype(svalue, &params.enctype)) {
+	      params.mask |= KADM5_CONFIG_ENCTYPE;
+	      krb5_xfree(svalue);
+	 }
+    } else {
+	 params.mask |= KADM5_CONFIG_ENCTYPE;
+	 params.enctype = DEFAULT_KDC_ENCTYPE;
+    }
+    
+    /* Get the value for mkey_from_kbd */
+    if (params_in->mask & KADM5_CONFIG_MKEY_FROM_KBD) {
+	 params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
+	 params.mkey_from_kbd = params_in->mkey_from_kbd;
+    }
+    
+    /* Get the value for the stashfile */
+    hierarchy[2] = "key_stash_file";
+    if (params_in->mask & KADM5_CONFIG_STASH_FILE) {
+	 params.stash_file = strdup(params_in->stash_file);
+	 if (params.stash_file)
+	      params.mask |= KADM5_CONFIG_STASH_FILE;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 params.mask |= KADM5_CONFIG_STASH_FILE;
+	 params.stash_file = svalue;
+    }
+    
+    /*
+	 * Get the value for maximum ticket lifetime. 
 	 * See SEAM documentation or the Bug ID 4184504
 	 * We have changed the logic so that the entries are
 	 * created in the database with the maximum duration
@@ -589,86 +679,86 @@
 	 * However this wil get negotiated down when
 	 * as or tgs request is processed by KDC.
 	 */
-	hierarchy[2] = "max_life";
-	if (params_in->mask & KADM5_CONFIG_MAX_LIFE) {
-		params.mask |= KADM5_CONFIG_MAX_LIFE;
-		params.max_life = params_in->max_life;
-	} else {
-		params.mask |= KADM5_CONFIG_MAX_LIFE;
-		params.max_life = KRB5_INT32_MAX;
-	}
-
-	/* Get the value for maximum renewable ticket lifetime. */
-	hierarchy[2] = "max_renewable_life";
-	if (params_in->mask & KADM5_CONFIG_MAX_RLIFE) {
-		params.mask |= KADM5_CONFIG_MAX_RLIFE;
-		params.max_rlife = params_in->max_rlife;
-	} else {
-		params.mask |= KADM5_CONFIG_MAX_RLIFE;
-		params.max_rlife =  KRB5_INT32_MAX;
-	}
-
-	/* Get the value for the default principal expiration */
-	hierarchy[2] = "default_principal_expiration";
-	if (params_in->mask & KADM5_CONFIG_EXPIRATION) {
-		params.mask |= KADM5_CONFIG_EXPIRATION;
-		params.expiration = params_in->expiration;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		if (!krb5_string_to_timestamp(svalue, &params.expiration)) {
-			params.mask |= KADM5_CONFIG_EXPIRATION;
-			krb5_xfree(svalue);
-		}
-	} else {
-		params.mask |= KADM5_CONFIG_EXPIRATION;
-		params.expiration = 0;
-	}
+    hierarchy[2] = "max_life";
+    if (params_in->mask & KADM5_CONFIG_MAX_LIFE) {
+	 params.mask |= KADM5_CONFIG_MAX_LIFE;
+	 params.max_life = params_in->max_life;
+    } else {
+	 params.max_life = KRB5_INT32_MAX;
+	 params.mask |= KADM5_CONFIG_MAX_LIFE;
+    }	 
+	    
+    /* Get the value for maximum renewable ticket lifetime. */
+    hierarchy[2] = "max_renewable_life";
+    if (params_in->mask & KADM5_CONFIG_MAX_RLIFE) {
+	 params.mask |= KADM5_CONFIG_MAX_RLIFE;
+	 params.max_rlife = params_in->max_rlife;
+    } else {
+	 params.max_rlife =  KRB5_INT32_MAX;
+	 params.mask |= KADM5_CONFIG_MAX_RLIFE;
+    }
+	    
+    /* Get the value for the default principal expiration */
+    hierarchy[2] = "default_principal_expiration";
+    if (params_in->mask & KADM5_CONFIG_EXPIRATION) {
+	 params.mask |= KADM5_CONFIG_EXPIRATION;
+	 params.expiration = params_in->expiration;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 if (!krb5_string_to_timestamp(svalue, &params.expiration)) {
+	      params.mask |= KADM5_CONFIG_EXPIRATION;
+	      krb5_xfree(svalue);
+	 }
+    } else {
+	 params.mask |= KADM5_CONFIG_EXPIRATION;
+	 params.expiration = 0;
+    }
+    
+    /* Get the value for the default principal flags */
+    hierarchy[2] = "default_principal_flags";
+    if (params_in->mask & KADM5_CONFIG_FLAGS) {
+	 params.mask |= KADM5_CONFIG_FLAGS;
+	 params.flags = params_in->flags;
+    } else if (aprofile &&
+	       !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	 char *sp, *ep, *tp;
+	 
+	 sp = svalue;
+	 params.flags = 0;
+	 while (sp) {
+	      if ((ep = strchr(sp, (int) ',')) ||
+		  (ep = strchr(sp, (int) ' ')) ||
+		  (ep = strchr(sp, (int) '\t'))) {
+		   /* Fill in trailing whitespace of sp */
+		   tp = ep - 1;
+		   while (isspace((int) *tp) && (tp > sp)) {
+			*tp = '\0';
+			tp--;
+		   }
+		   *ep = '\0';
+		   ep++;
+		   /* Skip over trailing whitespace of ep */
+		   while (isspace((int) *ep) && (*ep)) ep++;
+	      }
+	      /* Convert this flag */
+	      if (krb5_string_to_flags(sp,
+				       "+",
+				       "-",
+				       &params.flags))
+		   break;
+	      sp = ep;
+	 }
+	 if (!sp)
+	      params.mask |= KADM5_CONFIG_FLAGS;
+	 krb5_xfree(svalue);
+    } else {
+	 params.mask |= KADM5_CONFIG_FLAGS;
+	 params.flags = KRB5_KDB_DEF_FLAGS;
+    }
 
-	/* Get the value for the default principal flags */
-	hierarchy[2] = "default_principal_flags";
-	if (params_in->mask & KADM5_CONFIG_FLAGS) {
-		params.mask |= KADM5_CONFIG_FLAGS;
-		params.flags = params_in->flags;
-	} else if (aprofile &&
-		!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		char *sp, *ep, *tp;
-
-		sp = svalue;
-		params.flags = 0;
-		while (sp) {
-			if ((ep = strchr(sp, (int)',')) ||
-			    (ep = strchr(sp, (int)' ')) ||
-			    (ep = strchr(sp, (int)'\t'))) {
-				/* Fill in trailing whitespace of sp */
-				tp = ep - 1;
-				while (isspace(*tp) && (tp < sp)) {
-					*tp = '\0';
-					tp--;
-				}
-				*ep = '\0';
-				ep++;
-				/* Skip over trailing whitespace of ep */
-				while (isspace(*ep) && (*ep)) ep++;
-			}
-			/* Convert this flag */
-			if (krb5_string_to_flags(sp,
-						"+",
-						"-",
-						&params.flags))
-				break;
-			sp = ep;
-		}
-		if (!sp)
-			params.mask |= KADM5_CONFIG_FLAGS;
-		krb5_xfree(svalue);
-	} else {
-		params.mask |= KADM5_CONFIG_FLAGS;
-		params.flags = KRB5_KDB_DEF_FLAGS;
-	}
-
-	/* Get the value for the supported enctype/salttype matrix */
-	hierarchy[2] = "supported_enctypes";
-	if (params_in->mask & KADM5_CONFIG_ENCTYPES) {
+    /* Get the value for the supported enctype/salttype matrix */
+    hierarchy[2] = "supported_enctypes";
+    if (params_in->mask & KADM5_CONFIG_ENCTYPES) {
 		params.mask |= KADM5_CONFIG_ENCTYPES;
 		if (params_in->num_keysalts > 0) {
 		    params.keysalts = malloc(params_in->num_keysalts *
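Review bot: In the `default_principal_expiration` branch, `krb5_xfree(svalue)` sits inside the `if (!krb5_string_to_timestamp(...))` body, so a value that fails to parse leaks the string returned by `krb5_aprof_get_string`. The realm-params reader later in this file frees it unconditionally; doing the same here means moving `krb5_xfree(svalue);` to just after the inner `if` closes. On that failure path `KADM5_CONFIG_EXPIRATION` is also left unset and no default is applied, which may be intended but deserves a short comment. The `master_key_type` branch in the preceding hunk has the same shape.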
@@ -680,30 +770,29 @@
 		    (void) memcpy(params.keysalts, params_in->keysalts,
 			    (params_in->num_keysalts *
 			    sizeof (*params.keysalts)));
-		    params.num_keysalts = params_in->num_keysalts;
-		}
-	} else {
-		svalue = NULL;
-		if (aprofile)
-			krb5_aprof_get_string(aprofile, hierarchy,
-					    TRUE, &svalue);
-		if (svalue == NULL)
-			svalue = strdup(DEFAULT_ENCTYPE_LIST);
+		 params.num_keysalts = params_in->num_keysalts;
+	 }
+    } else {
+	 svalue = NULL;
+	 if (aprofile)
+	      krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
+	 if (svalue == NULL)
+	     svalue = strdup(DEFAULT_ENCTYPE_LIST);
 
-		params.keysalts = NULL;
-		params.num_keysalts = 0;
-		krb5_string_to_keysalts(svalue,
-					", \t", /* Tuple separators	*/
-					":.-",	/* Key/salt separators	*/
-					0,	/* No duplicates	*/
-					&params.keysalts,
-					&params.num_keysalts);
-		if (params.num_keysalts)
-			params.mask |= KADM5_CONFIG_ENCTYPES;
+	 params.keysalts = NULL;
+	 params.num_keysalts = 0;
+	 krb5_string_to_keysalts(svalue,
+				 ", \t",/* Tuple separators	*/
+				 ":.-",	/* Key/salt separators	*/
+				 0,	/* No duplicates	*/
+				 &params.keysalts,
+				 &params.num_keysalts);
+	 if (params.num_keysalts)
+	      params.mask |= KADM5_CONFIG_ENCTYPES;
 
-		if (svalue)
-			krb5_xfree(svalue);
-	}
+	 if (svalue)
+	      krb5_xfree(svalue);
+    }
 
 	hierarchy[2] = "kpasswd_server";
 	if (params_in->mask & KADM5_CONFIG_KPASSWD_SERVER) {
@@ -883,18 +972,18 @@
 	*params_out = params;
 
 cleanup:
-	if (aprofile)
-		krb5_aprof_finish(aprofile);
-	if (kret) {
-		(void) kadm5_free_config_params(context, &params);
-		params_out->mask = 0;
-	}
+    if (aprofile)
+	krb5_aprof_finish(aprofile);
+    if (kret) {
+	 kadm5_free_config_params(context, &params);
+	 params_out->mask = 0;
+    }
 #ifdef KRB5_DNS_LOOKUP
 	if (dns_realm.data)
 		free(dns_realm.data);
 #endif /* KRB5_DNS_LOOKUP */
 
-	return (kret);
+    return(kret);
 }
 /*
  * kadm5_free_config_params()	- Free data allocated by above.
@@ -902,10 +991,10 @@
 /*ARGSUSED*/
 krb5_error_code
 kadm5_free_config_params(context, params)
-krb5_context	context;
-kadm5_config_params	*params;
+    krb5_context	context;
+    kadm5_config_params	*params;
 {
-	if (params) {
+    if (params) {
 		if (params->profile) {
 			krb5_xfree(params->profile);
 			params->profile = NULL;
@@ -963,11 +1052,52 @@
 	return (0);
 }
 
-/*
+krb5_error_code
+kadm5_get_admin_service_name(krb5_context ctx,
+			     char *realm_in,
+			     char *admin_name,
+			     size_t maxlen)
+{
+    krb5_error_code ret;
+    kadm5_config_params params_in, params_out;
+    struct hostent *hp;
+
+    memset(&params_in, 0, sizeof(params_in));
+    memset(&params_out, 0, sizeof(params_out));
+
+    params_in.mask |= KADM5_CONFIG_REALM;
+    params_in.realm = realm_in;
+    ret = kadm5_get_config_params(ctx, DEFAULT_PROFILE_PATH,
+				  "KRB5_CONFIG", &params_in, &params_out);
+    if (ret)
+	return ret;
+
+    if (!(params_out.mask & KADM5_CONFIG_ADMIN_SERVER)) {
+	ret = KADM5_MISSING_KRB5_CONF_PARAMS;
+	goto err_params;
+    }
+
+    hp = gethostbyname(params_out.admin_server);
+    if (hp == NULL) {
+	ret = errno;
+	goto err_params;
+    }
+    if (strlen(hp->h_name) + sizeof("kadmin/") > maxlen) {
+	ret = ENOMEM;
+	goto err_params;
+    }
+    sprintf(admin_name, "kadmin/%s", hp->h_name);
+
+err_params:
+    kadm5_free_config_params(ctx, &params_out);
+    return ret;
+}
+
+/***********************************************************************
  * This is the old krb5_realm_read_params, which I mutated into
- * kadm5_get_config_params but which old code(kdb5_* and krb5kdc)
+ * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
  * still uses.
- */
+ ***********************************************************************/
 
 /*
  * krb5_read_realm_params()	- Read per-realm parameters from KDC
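Review bot: On a failed lookup, `ret = errno` can be 0, because gethostbyname() reports failure through `h_errno` and need not set `errno`; the caller would then see success with `admin_name` never written. A fixed code in that branch, for example `ret = KADM5_BAD_SERVER_NAME;`, avoids this. The length test does allow for the terminator, since `sizeof("kadmin/")` counts it, but `snprintf(admin_name, maxlen, "kadmin/%s", hp->h_name)` would keep the bound next to the write. The principal is built from the resolver's canonical `h_name`, so the service identity follows name-service answers; a comment stating that assumption would help whoever audits the client's trust in DNS.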
@@ -975,154 +1105,161 @@
  */
 krb5_error_code
 krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp)
-krb5_context	kcontext;
-char		*realm;
-char		*kdcprofile;
-char		*kdcenv;
-krb5_realm_params	**rparamp;
+    krb5_context	kcontext;
+    char		*realm;
+    char		*kdcprofile;
+    char		*kdcenv;
+    krb5_realm_params	**rparamp;
 {
-	char		*filename;
-	char		*envname;
-	char		*lrealm;
-	krb5_pointer	aprofile = 0;
-	krb5_realm_params	*rparams;
-	const char		*hierarchy[4];
-	char		*svalue;
-	krb5_int32		ivalue;
-	krb5_deltat		dtvalue;
-
-	krb5_error_code	kret;
+    char		*filename;
+    char		*envname;
+    char		*lrealm;
+    krb5_pointer	aprofile = 0;
+    krb5_realm_params	*rparams;
+    const char		*hierarchy[4];
+    char		*svalue;
+    krb5_int32		ivalue;
+    krb5_boolean	bvalue;
+    krb5_deltat		dtvalue;
 
-	filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE;
-	envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV;
-
-	if (kcontext->profile_secure == TRUE) envname = 0;
+    krb5_error_code	kret;
 
-	rparams = (krb5_realm_params *) NULL;
-	if (realm)
-		lrealm = strdup(realm);
-	else {
-		kret = krb5_get_default_realm(kcontext, &lrealm);
-		if (kret)
-			goto cleanup;
-	}
+    filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE;
+    envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV;
 
-	kret = krb5_aprof_init(filename, envname, &aprofile);
-	if (kret)
-		goto cleanup;
+    if (kcontext->profile_secure == TRUE) envname = 0;
 
-	rparams = (krb5_realm_params *) malloc(sizeof (krb5_realm_params));
-	if (rparams == 0) {
-		kret = ENOMEM;
-		goto cleanup;
-	}
+    rparams = (krb5_realm_params *) NULL;
+    if (realm)
+	lrealm = strdup(realm);
+    else {
+	kret = krb5_get_default_realm(kcontext, &lrealm);
+	if (kret)
+	    goto cleanup;
+    }
 
-	/* Initialize realm parameters */
-	memset((char *)rparams, 0, sizeof (krb5_realm_params));
-
-	/* Get the value for the database */
-	hierarchy[0] = "realms";
-	hierarchy[1] = lrealm;
-	hierarchy[2] = "database_name";
-	hierarchy[3] = (char *)NULL;
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-		rparams->realm_dbname = svalue;
+    kret = krb5_aprof_init(filename, envname, &aprofile);
+    if (kret)
+	goto cleanup;
+    
+    rparams = (krb5_realm_params *) malloc(sizeof(krb5_realm_params));
+    if (rparams == 0) {
+	kret = ENOMEM;
+	goto cleanup;
+    }
 
-	/* Get the value for the KDC port list */
-	hierarchy[2] = "kdc_ports";
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-		rparams->realm_kdc_ports = svalue;
-	hierarchy[2] = "kdc_tcp_ports";
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-	    rparams->realm_kdc_tcp_ports = svalue;
+    /* Initialize realm parameters */
+    memset((char *) rparams, 0, sizeof(krb5_realm_params));
 
-	/* Get the name of the acl file */
-	hierarchy[2] = "acl_file";
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-		rparams->realm_acl_file = svalue;
-
-	/* Get the value for the kadmind port */
-	hierarchy[2] = "kadmind_port";
-	if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
-		rparams->realm_kadmind_port = ivalue;
-		rparams->realm_kadmind_port_valid = 1;
-	}
+    /* Get the value for the database */
+    hierarchy[0] = "realms";
+    hierarchy[1] = lrealm;
+    hierarchy[2] = "database_name";
+    hierarchy[3] = (char *) NULL;
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
+	rparams->realm_dbname = svalue;
+	
+    /* Get the value for the KDC port list */
+    hierarchy[2] = "kdc_ports";
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
+	rparams->realm_kdc_ports = svalue;
+    hierarchy[2] = "kdc_tcp_ports";
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
+	rparams->realm_kdc_tcp_ports = svalue;
 
-	/* Get the value for the master key name */
-	hierarchy[2] = "master_key_name";
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-		rparams->realm_mkey_name = svalue;
-
-	/* Get the value for the master key type */
-	hierarchy[2] = "master_key_type";
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype))
-			rparams->realm_enctype_valid = 1;
-		krb5_xfree(svalue);
-	}
-
-	/* Get the value for the stashfile */
-	hierarchy[2] = "key_stash_file";
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-		rparams->realm_stash_file = svalue;
-
-	/* Get the value for maximum ticket lifetime. */
-	hierarchy[2] = "max_life";
-	if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
-		rparams->realm_max_life = dtvalue;
-		rparams->realm_max_life_valid = 1;
-	}
-
-	/* Get the value for maximum renewable ticket lifetime. */
-	hierarchy[2] = "max_renewable_life";
-	if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
-		rparams->realm_max_rlife = dtvalue;
-		rparams->realm_max_rlife_valid = 1;
-	}
+    /* Get the name of the acl file */
+    hierarchy[2] = "acl_file";
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
+	rparams->realm_acl_file = svalue;
+	    
+    /* Get the value for the kadmind port */
+    hierarchy[2] = "kadmind_port";
+    if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
+	rparams->realm_kadmind_port = ivalue;
+	rparams->realm_kadmind_port_valid = 1;
+    }
+	    
+    /* Get the value for the master key name */
+    hierarchy[2] = "master_key_name";
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
+	rparams->realm_mkey_name = svalue;
+	    
+    /* Get the value for the master key type */
+    hierarchy[2] = "master_key_type";
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype))
+	    rparams->realm_enctype_valid = 1;
+	krb5_xfree(svalue);
+    }
+	    
+    /* Get the value for the stashfile */
+    hierarchy[2] = "key_stash_file";
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
+	rparams->realm_stash_file = svalue;
+	    
+    /* Get the value for maximum ticket lifetime. */
+    hierarchy[2] = "max_life";
+    if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
+	rparams->realm_max_life = dtvalue;
+	rparams->realm_max_life_valid = 1;
+    }
+	    
+    /* Get the value for maximum renewable ticket lifetime. */
+    hierarchy[2] = "max_renewable_life";
+    if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
+	rparams->realm_max_rlife = dtvalue;
+	rparams->realm_max_rlife_valid = 1;
+    }
+	    
+    /* Get the value for the default principal expiration */
+    hierarchy[2] = "default_principal_expiration";
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	if (!krb5_string_to_timestamp(svalue,
+				      &rparams->realm_expiration))
+	    rparams->realm_expiration_valid = 1;
+	krb5_xfree(svalue);
+    }
 
-	/* Get the value for the default principal expiration */
-	hierarchy[2] = "default_principal_expiration";
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		if (!krb5_string_to_timestamp(svalue,
-					    &rparams->realm_expiration))
-			rparams->realm_expiration_valid = 1;
-		krb5_xfree(svalue);
-	}
+    hierarchy[2] = "reject_bad_transit";
+    if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
+	rparams->realm_reject_bad_transit = bvalue;
+	rparams->realm_reject_bad_transit_valid = 1;
+    }
 
-	/* Get the value for the default principal flags */
-	hierarchy[2] = "default_principal_flags";
-	if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-		char *sp, *ep, *tp;
+    /* Get the value for the default principal flags */
+    hierarchy[2] = "default_principal_flags";
+    if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+	char *sp, *ep, *tp;
 
-		sp = svalue;
-		rparams->realm_flags = 0;
-		while (sp) {
-			if ((ep = strchr(sp, (int)',')) ||
-			    (ep = strchr(sp, (int)' ')) ||
-			    (ep = strchr(sp, (int)'\t'))) {
-				/* Fill in trailing whitespace of sp */
-				tp = ep - 1;
-				while (isspace(*tp) && (tp < sp)) {
-					*tp = '\0';
-					tp--;
-				}
-				*ep = '\0';
-				ep++;
-				/* Skip over trailing whitespace of ep */
-				while (isspace(*ep) && (*ep)) ep++;
-			}
-				/* Convert this flag */
-			if (krb5_string_to_flags(sp,
-						"+",
-						"-",
-						&rparams->realm_flags))
-				break;
-			sp = ep;
+	sp = svalue;
+	rparams->realm_flags = 0;
+	while (sp) {
+	    if ((ep = strchr(sp, (int) ',')) ||
+		(ep = strchr(sp, (int) ' ')) ||
+		(ep = strchr(sp, (int) '\t'))) {
+		/* Fill in trailing whitespace of sp */
+		tp = ep - 1;
+		while (isspace((int) *tp) && (tp < sp)) {
+		    *tp = '\0';
+		    tp--;
 		}
-		if (!sp)
-			rparams->realm_flags_valid = 1;
-		krb5_xfree(svalue);
+		*ep = '\0';
+		ep++;
+		/* Skip over trailing whitespace of ep */
+		while (isspace((int) *ep) && (*ep)) ep++;
+	    }
+	    /* Convert this flag */
+	    if (krb5_string_to_flags(sp,
+				     "+",
+				     "-",
+				     &rparams->realm_flags))
+		break;
+	    sp = ep;
 	}
+	if (!sp)
+	    rparams->realm_flags_valid = 1;
+	krb5_xfree(svalue);
+    }
 
 	/* Get the value for the supported enctype/salttype matrix */
 	/*
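Review bot: The trailing-whitespace loop `while (isspace((int) *tp) && (tp < sp))` in the `default_principal_flags` block keeps the inverted bound that this same commit corrects to `tp > sp` in kadm5_get_config_params. Because `tp` starts at `ep - 1`, the test is false for any token of non-zero length, so nothing is trimmed. When the value starts with a delimiter, `tp` is `sp - 1` and the loop reads, and can zero, bytes before the token, which on the first iteration is before the start of `svalue`. Writing it as `while ((tp > sp) && isspace((int) *tp)) {` matches the sibling and tests the bound before the dereference. The function begins in this hunk and continues past its end.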
@@ -1151,44 +1288,47 @@
 	    krb5_xfree(svalue);
 	    svalue = NULL;
 	}
-
 cleanup:
-	if (aprofile)
-		krb5_aprof_finish(aprofile);
-	if (lrealm)
-		free(lrealm);
-	if (kret) {
-		if (rparams)
-			krb5_free_realm_params(kcontext, rparams);
-		rparams = 0;
-	}
-	*rparamp = rparams;
-	return (kret);
+    if (aprofile)
+	krb5_aprof_finish(aprofile);
+    if (lrealm)
+	free(lrealm);
+    if (kret) {
+	if (rparams)
+	    krb5_free_realm_params(kcontext, rparams);
+	rparams = 0;
+    }
+    *rparamp = rparams;
+    return(kret);
 }
 
 /*
  * krb5_free_realm_params()	- Free data allocated by above.
  */
-/*ARGSUSED*/
 krb5_error_code
 krb5_free_realm_params(kcontext, rparams)
-krb5_context	kcontext;
-krb5_realm_params	*rparams;
+    krb5_context	kcontext;
+    krb5_realm_params	*rparams;
 {
-	if (rparams) {
-		if (rparams->realm_profile)
-			krb5_xfree(rparams->realm_profile);
-		if (rparams->realm_dbname)
-			krb5_xfree(rparams->realm_dbname);
-		if (rparams->realm_mkey_name)
-			krb5_xfree(rparams->realm_mkey_name);
-		if (rparams->realm_stash_file)
-			krb5_xfree(rparams->realm_stash_file);
-		if (rparams->realm_keysalts)
-			krb5_xfree(rparams->realm_keysalts);
-		if (rparams->realm_kdc_ports)
-			krb5_xfree(rparams->realm_kdc_ports);
-		krb5_xfree(rparams);
-	}
-	return (0);
+    if (rparams) {
+	if (rparams->realm_profile)
+	    krb5_xfree(rparams->realm_profile);
+	if (rparams->realm_dbname)
+	    krb5_xfree(rparams->realm_dbname);
+	if (rparams->realm_mkey_name)
+	    krb5_xfree(rparams->realm_mkey_name);
+	if (rparams->realm_stash_file)
+	    krb5_xfree(rparams->realm_stash_file);
+	if (rparams->realm_keysalts)
+	    krb5_xfree(rparams->realm_keysalts);
+	if (rparams->realm_kdc_ports)
+	    krb5_xfree(rparams->realm_kdc_ports);
+	if (rparams->realm_kdc_tcp_ports)
+	    krb5_xfree(rparams->realm_kdc_tcp_ports);
+	if (rparams->realm_acl_file)
+	    krb5_xfree(rparams->realm_acl_file);
+	krb5_xfree(rparams);
+    }
+    return(0);
 }
+
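Review bot: The cleanup path runs `if (lrealm) free(lrealm);`, but `lrealm` is declared in the previous hunk as `char *lrealm;` with no initializer. The `goto cleanup` after a failed `krb5_get_default_realm` reaches this code before anything else has assigned it. Whether that function stores to its output on failure is not visible here, so `free()` may be handed an indeterminate pointer. Declaring it as `char *lrealm = NULL;`, as is already done for `aprofile`, removes the dependency.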
--- a/usr/src/lib/krb5/kadm5/chpass_util.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/chpass_util.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -33,7 +33,9 @@
 
 
 #include <stdio.h>
+#ifdef HAVE_MEMORY_H
 #include <memory.h>
+#endif
 #include <time.h>
 #include <locale.h>
 
@@ -49,8 +51,7 @@
 /*
  * Function: kadm5_chpass_principal_util
  *
- * Purpose: Wrapper around chpass_principal. We can read new pw,
- *          change pw and return useful messages
+ * Purpose: Wrapper around chpass_principal. We can read new pw, change pw and return useful messages
  *
  * Arguments:
  *
@@ -91,7 +92,7 @@
 					 char *new_pw, 
 					 char **ret_pw,
 					 char *msg_ret,
-					 int msg_len)
+					 unsigned int msg_len)
 {
   int code, code2;
   unsigned int pwsize;
@@ -99,7 +100,7 @@
   char *new_password;
   kadm5_principal_ent_rec princ_ent;
   kadm5_policy_ent_rec policy_ent;
-	krb5_chgpwd_prot passwd_protocol;
+  krb5_chgpwd_prot passwd_protocol;
 
   _KADM5_CHECK_HANDLE(server_handle);
 
@@ -113,8 +114,7 @@
 
     if ((code = (int) krb5_init_context(&context)) == 0) {
       pwsize = sizeof(buffer);
-			code = krb5_read_password(context,
-						KADM5_PW_FIRST_PROMPT,
+      code = krb5_read_password(context, KADM5_PW_FIRST_PROMPT,
 				KADM5_PW_SECOND_PROMPT,
 				buffer, &pwsize);
       krb5_free_context(context);
@@ -184,7 +184,7 @@
 
 #ifdef ZEROPASSWD
   if (!ret_pw)
-			memset(buffer, 0, sizeof (buffer));
+    memset(buffer, 0, sizeof(buffer)); /* in case we read a new password */
 #endif    
 
   if (code == KADM5_OK) {
@@ -194,15 +194,12 @@
   }
 
   if ((code != KADM5_PASS_Q_TOOSHORT) && 
-		    (code != KADM5_PASS_REUSE) &&
-		    (code != KADM5_PASS_Q_CLASS) &&
-		    (code != KADM5_PASS_Q_DICT) &&
-		    (code != KADM5_PASS_TOOSOON)) {
+      (code != KADM5_PASS_REUSE) &&(code != KADM5_PASS_Q_CLASS) && 
+      (code != KADM5_PASS_Q_DICT) && (code != KADM5_PASS_TOOSOON)) {
     /* Can't get more info for other errors */
     sprintf(buffer, "%s %s", error_message(code), 
 	    string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE));
-			sprintf(msg_ret, "%s\n%s\n",
-				string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED),
+    sprintf(msg_ret, "%s\n%s\n", string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), 
 	    buffer);
     return(code);
   }
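Review bot: Both `sprintf` calls in this branch write without a bound: `msg_ret` is filled with no reference to the `msg_len` parameter whose type this commit changes, and `buffer` receives two message strings of unchecked length. `snprintf(msg_ret, msg_len, "%s\n%s\n", string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), buffer);` would honour the caller's size, and the write into `buffer` can use `sizeof(buffer)` the same way. The same unbounded writes to `msg_ret` recur in the hunks at -260, -271 and -292, where the format string itself comes from `string_text(...)`, so a catalog entry with a mismatched conversion would also be read as a format. The enclosing function starts and ends outside this hunk, so any earlier check of `msg_len` is not visible.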
@@ -260,8 +257,7 @@
   code2 = kadm5_get_policy(lhandle, princ_ent.policy,
 			   &policy_ent);
   if (code2 != 0) {
-			sprintf(msg_ret, "%s %s\n%s %s\n\n%s\n ",
-			error_message(code2),
+    sprintf(msg_ret, "%s %s\n%s %s\n\n%s\n ", error_message(code2), 
 	    string_text(CHPASS_UTIL_GET_POLICY_INFO),
 	    error_message(code),
 	    string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE),
@@ -271,17 +267,16 @@
   }
   
   if (code == KADM5_PASS_Q_TOOSHORT) {
-			sprintf(msg_ret,
-				string_text(CHPASS_UTIL_PASSWORD_TOO_SHORT),
+    sprintf(msg_ret, string_text(CHPASS_UTIL_PASSWORD_TOO_SHORT), 
 	    policy_ent.pw_min_length);
     (void) kadm5_free_principal_ent(lhandle, &princ_ent);
     (void) kadm5_free_policy_ent(lhandle, &policy_ent);
     return(code);
   }
 
+
   if (code == KADM5_PASS_Q_CLASS) {
-			sprintf(msg_ret,
-				string_text(CHPASS_UTIL_TOO_FEW_CLASSES),
+    sprintf(msg_ret, string_text(CHPASS_UTIL_TOO_FEW_CLASSES), 
 	    policy_ent.pw_min_classes);
     (void) kadm5_free_principal_ent(lhandle, &princ_ent);
     (void) kadm5_free_policy_ent(lhandle, &policy_ent);
@@ -292,26 +287,23 @@
     time_t until;
     char *time_string, *ptr;
 
-			until = princ_ent.last_pwd_change +
-				policy_ent.pw_min_life;
+    until = princ_ent.last_pwd_change + policy_ent.pw_min_life;
 
     time_string = ctime(&until);
-			if (*(ptr = &time_string[strlen(time_string)-1]) ==
-			    '\n')
+    if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
       *ptr = '\0';
 
-			sprintf(msg_ret,
-				string_text(CHPASS_UTIL_PASSWORD_TOO_SOON),
+    sprintf(msg_ret, string_text(CHPASS_UTIL_PASSWORD_TOO_SOON), 
 	    time_string);
     (void) kadm5_free_principal_ent(lhandle, &princ_ent);
     (void) kadm5_free_policy_ent(lhandle, &policy_ent);
     return(code);
 		} else {
+
   /* We should never get here, but just in case ... */
   sprintf(buffer, "%s %s", error_message(code), 
 	  string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE));
-			sprintf(msg_ret, "%s\n%s\n",
-				string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED),
+  sprintf(msg_ret, "%s\n%s\n", string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED), 
 	  buffer);
   (void) kadm5_free_principal_ent(lhandle, &princ_ent);
   (void) kadm5_free_policy_ent(lhandle, &policy_ent);
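Review bot: `ctime(&until)` is used without a NULL check, and the next line calls `strlen(time_string)` on the result. ctime() may return NULL when the time cannot be represented, and `until` is the sum of `princ_ent.last_pwd_change` and `policy_ent.pw_min_life`, both taken from database records. I would test `time_string` for NULL before use and replace the index-based trim with `if ((ptr = strchr(time_string, '\n')) != NULL) *ptr = '\0';`, which also avoids the `strlen(...) - 1` underflow on an empty string. The enclosing function continues outside this hunk.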
--- a/usr/src/lib/krb5/kadm5/chpass_util_strings.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/chpass_util_strings.h	Sat Oct 07 13:37:05 2006 -0700
@@ -40,5 +40,16 @@
 #define CHPASS_UTIL_WHILE_READING_PASSWORD       (-1492553969L)
 #define ERROR_TABLE_BASE_ovku (-1492553984L)
 
+extern const struct error_table et_ovku_error_table;
+
+#if !defined(_WIN32)
 /* for compatibility with older versions... */
+extern void initialize_ovku_error_table (void) /*@modifies internalState@*/;
+#else
+#define initialize_ovku_error_table()
+#endif
+
+#if !defined(_WIN32)
+#define init_ovku_err_tbl initialize_ovku_error_table
 #define ovku_err_base ERROR_TABLE_BASE_ovku
+#endif
--- a/usr/src/lib/krb5/kadm5/clnt/Makefile.com	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/clnt/Makefile.com	Sat Oct 07 13:37:05 2006 -0700
@@ -78,7 +78,7 @@
 	-DHAVE_LIBSOCKET=1 -DHAVE_LIBNSL=1 -DSETRPCENT_TYPE=void \
 	-DENDRPCENT_TYPE=void -DHAVE_SYS_ERRLIST=1 -DNEED_SYS_ERRLIST=1 \
 	-DHAVE_SYSLOG_H=1 -DHAVE_OPENLOG=1 -DHAVE_SYSLOG=1 -DHAVE_CLOSELOG=1 \
-	-DHAVE_STRFTIME=1 -DHAVE_VSPRINTF=1
+	-DHAVE_STRFTIME=1 -DHAVE_VSPRINTF=1 -DUSE_KADM5_API_VERSION=2
 
 CFLAGS +=	$(CCVERBOSE) -I..
 LDLIBS +=	-lc
--- a/usr/src/lib/krb5/kadm5/clnt/client_init.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/clnt/client_init.c	Sat Oct 07 13:37:05 2006 -0700
@@ -42,7 +42,9 @@
 
 #include <stdio.h>
 #include <netdb.h>
+#ifdef HAVE_MEMORY_H
 #include <memory.h>
+#endif
 #include <string.h>
 #include <com_err.h>
 #include <sys/types.h>
@@ -55,19 +57,22 @@
 #endif
 #include <libintl.h>
 
+#include <kadm5/admin.h>
+#include <kadm5/kadm_rpc.h>
+#include "client_internal.h"
+
 #include <syslog.h>
 #include <gssapi/gssapi.h>
 #include <gssapi_krb5.h>
 #include <gssapiP_krb5.h>
-#include <kadm5/kadm_rpc.h>
 #include <rpc/clnt.h>
-#include <kadm5/admin.h>
-#include "client_internal.h"
+
 #include <iprop_hdr.h>
 #include "iprop.h"
 
 #define	ADM_CCACHE  "/tmp/ovsec_adm.XXXXXX"
 
+static int old_auth_gssapi = 0;
 /* connection timeout to kadmind in seconds */
 #define		KADMIND_CONNECT_TIMEOUT	25
 
@@ -93,7 +98,7 @@
 				  krb5_ui_4 api_version,
 				  void **server_handle)
 {
-	return _kadm5_init_any(client_name, INIT_CREDS, NULL, ccache,
+     return _kadm5_init_any(client_name, INIT_CREDS, NULL, ccache,
 			    service_name, params,
 			    struct_version, api_version,
 			    server_handle);
@@ -107,19 +112,19 @@
 				     krb5_ui_4 api_version,
 				     void **server_handle)
 {
-	return _kadm5_init_any(client_name, INIT_PASS, pass, NULL,
+     return _kadm5_init_any(client_name, INIT_PASS, pass, NULL,
 			    service_name, params, struct_version,
 			    api_version, server_handle);
 }
 
 kadm5_ret_t kadm5_init(char *client_name, char *pass,
-			 char *service_name, 
-			 kadm5_config_params *params,
-			 krb5_ui_4 struct_version,
-			 krb5_ui_4 api_version,
-			 void **server_handle)
+		       char *service_name, 
+		       kadm5_config_params *params,
+		       krb5_ui_4 struct_version,
+		       krb5_ui_4 api_version,
+		       void **server_handle)
 {
-	return _kadm5_init_any(client_name, INIT_PASS, pass, NULL,
+     return _kadm5_init_any(client_name, INIT_PASS, pass, NULL,
 			    service_name, params, struct_version,
 			    api_version, server_handle);
 }
@@ -131,7 +136,7 @@
 				 krb5_ui_4 api_version,
 				 void **server_handle)
 {
-	return _kadm5_init_any(client_name, INIT_SKEY, keytab, NULL,
+     return _kadm5_init_any(client_name, INIT_SKEY, keytab, NULL,
 			    service_name, params, struct_version,
 			    api_version, server_handle);
 }
@@ -579,132 +584,132 @@
 				   krb5_ui_4 api_version,
 				   void **server_handle)
 {
-	int i;
-	krb5_creds	creds;
-	krb5_ccache ccache = NULL;
-	krb5_timestamp  now;
-	OM_uint32 gssstat, minor_stat;
-	kadm5_server_handle_t handle;
-	kadm5_config_params params_local;
-	int code = 0;
-	krb5_get_init_creds_opt opt;
-	gss_buffer_desc input_name;
-	krb5_error_code kret;
-	krb5_int32 starttime;
-	char *server = NULL;
-	krb5_principal serverp = NULL, clientp = NULL;
-	bool_t cpw = FALSE;
+     int i;
+     krb5_creds	creds;
+     krb5_ccache ccache = NULL;
+     krb5_timestamp  now;
+     OM_uint32 gssstat, minor_stat;
+     kadm5_server_handle_t handle;
+     kadm5_config_params params_local;
+     int code = 0;
+     krb5_get_init_creds_opt opt;
+     gss_buffer_desc input_name;
+     krb5_error_code kret;
+     krb5_int32 starttime;
+     char *server = NULL;
+     krb5_principal serverp = NULL, clientp = NULL;
+     bool_t cpw = FALSE;
 
 	ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
 		"entering kadm5_init_any\n"));
-	if (! server_handle) {
-		return (EINVAL);
-	}
+     if (! server_handle) {
+	 return EINVAL;
+     }
 
-	if (! (handle = malloc(sizeof(*handle)))) {
-		return (ENOMEM);
-	}
-	if (! (handle->lhandle = malloc(sizeof(*handle)))) {
-		free(handle);
-		return (ENOMEM);
-	}
+     if (! (handle = malloc(sizeof(*handle)))) {
+	  return ENOMEM;
+     }
+     if (! (handle->lhandle = malloc(sizeof(*handle)))) {
+	  free(handle);
+	  return ENOMEM;
+     }
 
-	handle->magic_number = KADM5_SERVER_HANDLE_MAGIC;
-	handle->struct_version = struct_version;
-	handle->api_version = api_version;
-	handle->clnt = 0;
-	handle->cache_name = 0;
-	handle->destroy_cache = 0;
-	*handle->lhandle = *handle;
-	handle->lhandle->api_version = KADM5_API_VERSION_2;
-	handle->lhandle->struct_version = KADM5_STRUCT_VERSION;
-	handle->lhandle->lhandle = handle->lhandle;
+     handle->magic_number = KADM5_SERVER_HANDLE_MAGIC;
+     handle->struct_version = struct_version;
+     handle->api_version = api_version;
+     handle->clnt = 0;
+     handle->cache_name = 0;
+     handle->destroy_cache = 0;
+     *handle->lhandle = *handle;
+     handle->lhandle->api_version = KADM5_API_VERSION_2;
+     handle->lhandle->struct_version = KADM5_STRUCT_VERSION;
+     handle->lhandle->lhandle = handle->lhandle;
 
-	kret = krb5_init_context(&handle->context);
+    kret = krb5_init_context(&handle->context);
 	if (kret) {
 		free(handle->lhandle);
 		free(handle);
 		return (kret);
 	}
 
-	if(service_name == NULL || client_name == NULL) {
-		krb5_free_context(handle->context);
-		free(handle->lhandle);
-		free(handle);
-		return (EINVAL);
-	}
-	memset((char *) &creds, 0, sizeof(creds));
+     if(service_name == NULL || client_name == NULL) {
+	krb5_free_context(handle->context);
+	free(handle->lhandle);
+	free(handle);
+	return EINVAL;
+     }
+     memset((char *) &creds, 0, sizeof(creds));
 
-	/*
-	 * Verify the version numbers before proceeding; we can't use
-	 * CHECK_HANDLE because not all fields are set yet.
-	 */
-	GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION,
+     /*
+      * Verify the version numbers before proceeding; we can't use
+      * CHECK_HANDLE because not all fields are set yet.
+      */
+     GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION,
 			  KADM5_NEW_LIB_API_VERSION);
-	
-	/*
-	 * Acquire relevant profile entries.  In version 2, merge values
-	 * in params_in with values from profile, based on
-	 * params_in->mask.
-	 *
-	 * In version 1, we've given a realm (which may be NULL) instead
-	 * of params_in.  So use that realm, make params_in contain an
-	 * empty mask, and behave like version 2.
-	 */
-	memset((char *) &params_local, 0, sizeof(params_local));
-	if (api_version == KADM5_API_VERSION_1) {
-		if (params_in)
-			params_local.mask = KADM5_CONFIG_REALM;
-		params_in = &params_local;
+     
+     /*
+      * Acquire relevant profile entries.  In version 2, merge values
+      * in params_in with values from profile, based on
+      * params_in->mask.
+      *
+      * In version 1, we've given a realm (which may be NULL) instead
+      * of params_in.  So use that realm, make params_in contain an
+      * empty mask, and behave like version 2.
+      */
+     memset((char *) &params_local, 0, sizeof(params_local));
+     if (api_version == KADM5_API_VERSION_1) {
+	  if (params_in)
+	       params_local.mask = KADM5_CONFIG_REALM;
+	  params_in = &params_local;
 	}
 
 #define ILLEGAL_PARAMS ( \
-	KADM5_CONFIG_ACL_FILE	| KADM5_CONFIG_ADB_LOCKFILE | \
-	KADM5_CONFIG_DBNAME	| KADM5_CONFIG_ADBNAME | \
-	KADM5_CONFIG_DICT_FILE	| KADM5_CONFIG_ADMIN_KEYTAB | \
-	KADM5_CONFIG_STASH_FILE | KADM5_CONFIG_MKEY_NAME | \
-	KADM5_CONFIG_ENCTYPE	| KADM5_CONFIG_MAX_LIFE	| \
-	KADM5_CONFIG_MAX_RLIFE	| KADM5_CONFIG_EXPIRATION | \
-	KADM5_CONFIG_FLAGS	| KADM5_CONFIG_ENCTYPES	| \
-	KADM5_CONFIG_MKEY_FROM_KBD)
+		KADM5_CONFIG_ACL_FILE	| KADM5_CONFIG_ADB_LOCKFILE | \
+		KADM5_CONFIG_DBNAME	| KADM5_CONFIG_ADBNAME | \
+		KADM5_CONFIG_DICT_FILE	| KADM5_CONFIG_ADMIN_KEYTAB | \
+			KADM5_CONFIG_STASH_FILE | KADM5_CONFIG_MKEY_NAME | \
+			KADM5_CONFIG_ENCTYPE	| KADM5_CONFIG_MAX_LIFE	| \
+			KADM5_CONFIG_MAX_RLIFE	| KADM5_CONFIG_EXPIRATION | \
+			KADM5_CONFIG_FLAGS	| KADM5_CONFIG_ENCTYPES	| \
+			KADM5_CONFIG_MKEY_FROM_KBD)
 
-	if (params_in && params_in->mask & ILLEGAL_PARAMS) {
+     if (params_in && params_in->mask & ILLEGAL_PARAMS) {
 		krb5_free_context(handle->context);
 		free(handle->lhandle);
-		free(handle);
+	  free(handle);
 		ADMIN_LOG(LOG_ERR, dgettext(TEXT_DOMAIN,
 			"bad client parameters, returning %d"),
 			KADM5_BAD_CLIENT_PARAMS);
-		return (KADM5_BAD_CLIENT_PARAMS);
-	}
+	  return KADM5_BAD_CLIENT_PARAMS;
+     }
 			
-	if ((code = kadm5_get_config_params(handle->context,
+     if ((code = kadm5_get_config_params(handle->context,
 					DEFAULT_PROFILE_PATH,
 					"KRB5_CONFIG",
 					params_in,
 					&handle->params))) {
-		krb5_free_context(handle->context);
-		free(handle->lhandle);
-		free(handle);
+	  krb5_free_context(handle->context);
+	  free(handle->lhandle);
+	  free(handle);
 		ADMIN_LOG(LOG_ERR, dgettext(TEXT_DOMAIN,
 			"failed to get config_params, return: %d\n"), code);
-		return(code);
-	}
+	  return(code);
+     }
 
 #define REQUIRED_PARAMS (KADM5_CONFIG_REALM | \
 			 KADM5_CONFIG_ADMIN_SERVER | \
 			 KADM5_CONFIG_KADMIND_PORT) 
 
-	if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
+     if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
 		(void) kadm5_free_config_params(handle->context,
 						&handle->params);
-		krb5_free_context(handle->context);
+	  krb5_free_context(handle->context);
 		free(handle->lhandle);
-		free(handle);
+	  free(handle);
 		ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
 			"missing config parameters\n"));
-		return (KADM5_MISSING_CONF_PARAMS);
-	}
+	  return KADM5_MISSING_KRB5_CONF_PARAMS;
+     }
 	
 	/*
 	 * Acquire a service ticket for service_name@realm in the name of
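Review bot: The `GENERIC_CHECK_HANDLE` call at the version check runs after `handle`, `handle->lhandle` and the krb5 context have been allocated, so if that macro returns on a version mismatch (its definition is not in this diff, but `CLIENT_CHECK_HANDLE` in client_internal.h returns directly), all three leak on that path. Every other early exit in this hunk frees them first. A comment would at least record it, `/* GENERIC_CHECK_HANDLE may return here without freeing handle, lhandle or context */`; the cleaner fix is to compare `struct_version` and `api_version` by hand and run the same three frees before returning. The function body continues past the end of the hunk.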
@@ -775,52 +780,61 @@
 	/* XXX temporarily fix a bug in krb5_cc_get_type */
 #undef krb5_cc_get_type
 #define krb5_cc_get_type(context, cache) ((cache)->ops->prefix)
-	
-	if (init_type == INIT_CREDS) {
-		ccache = ccache_in;
-		handle->cache_name = (char *)
-			malloc(strlen(krb5_cc_get_type(handle->context, ccache)) +
-		    	strlen(krb5_cc_get_name(handle->context, ccache)) + 2);
+     
 
-		if (handle->cache_name == NULL) {
-			code = ENOMEM;
-			goto error;
-		}
-		sprintf(handle->cache_name, "%s:%s",
-			krb5_cc_get_type(handle->context, ccache),
-			krb5_cc_get_name(handle->context, ccache));
-	} else {
-		handle->cache_name =
-			(char *) malloc(strlen(ADM_CCACHE)+strlen("FILE:")+1);
-		if (handle->cache_name == NULL) {
-			code = ENOMEM;
-			goto error;
-		}
-		sprintf(handle->cache_name, "FILE:%s", ADM_CCACHE);
-		mktemp(handle->cache_name + strlen("FILE:"));
+     if (init_type == INIT_CREDS) {
+	  ccache = ccache_in;
+	  handle->cache_name = (char *)
+	       malloc(strlen(krb5_cc_get_type(handle->context, ccache)) +
+		      strlen(krb5_cc_get_name(handle->context, ccache)) + 2);
+	  if (handle->cache_name == NULL) {
+	       code = ENOMEM;
+	       goto error;
+	  }
+	  sprintf(handle->cache_name, "%s:%s",
+		  krb5_cc_get_type(handle->context, ccache),
+		  krb5_cc_get_name(handle->context, ccache));
+     } else {
+#if 0
+	  handle->cache_name =
+	       (char *) malloc(strlen(ADM_CCACHE)+strlen("FILE:")+1);
+	  if (handle->cache_name == NULL) {
+	       code = ENOMEM;
+	       goto error;
+	  }
+	  sprintf(handle->cache_name, "FILE:%s", ADM_CCACHE);
+	  mktemp(handle->cache_name + strlen("FILE:"));
+#endif
+	  {
+	      static int counter = 0;
+	      handle->cache_name = malloc(sizeof("MEMORY:kadm5_")
+					  + 3*sizeof(counter));
+	      sprintf(handle->cache_name, "MEMORY:kadm5_%u", counter++);
+	  }
+     
+	  if ((code = krb5_cc_resolve(handle->context, handle->cache_name,
+				      &ccache))) 
+	       goto error;
+	  
+	  if ((code = krb5_cc_initialize (handle->context, ccache,
+					  creds.client))) 
+	       goto error;
 
-		if ((code = krb5_cc_resolve(handle->context,
-			handle->cache_name, &ccache))) 
-			goto error;
-	  
-		if ((code = krb5_cc_initialize (handle->context, ccache,
-					  creds.client))) 
-			goto error;
-
-		handle->destroy_cache = 1;
-	}
-	handle->lhandle->cache_name = handle->cache_name;
+	  handle->destroy_cache = 1;
+     }
+     handle->lhandle->cache_name = handle->cache_name;
 	ADMIN_LOG(LOG_ERR, dgettext(TEXT_DOMAIN,
 		"cache created: %s\n"), handle->cache_name);
-	
-	if ((code = krb5_timeofday(handle->context, &now)))
-		goto error;
+     
+     if ((code = krb5_timeofday(handle->context, &now)))
+	  goto error;
 
-	/*
-	 * Get a ticket, use the method specified in init_type.
-	 */
-	creds.times.starttime = 0; /* start timer at KDC */
-	creds.times.endtime = 0; /* endtime will be limited by service */
+     /*
+      * Get a ticket, use the method specified in init_type.
+      */
+     
+     creds.times.starttime = 0; /* start timer at KDC */
+     creds.times.endtime = 0; /* endtime will be limited by service */
 
 	memset(&opt, 0, sizeof (opt));
 	krb5_get_init_creds_opt_init(&opt);
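Review bot: The new `MEMORY:` branch passes the result of `malloc` straight to `sprintf` with no NULL check, unlike the `INIT_CREDS` branch above it and the code now under `#if 0`, so an allocation failure becomes a NULL write instead of `ENOMEM`. `counter` is a signed `int` printed with `%u`, and its unsynchronised `counter++` could hand two concurrent callers the same cache name, which would make them share one credentials cache if this library is used from several threads. The dead `#if 0` block still carries the `mktemp` call on the fixed `/tmp` template and is better deleted than kept. The enclosing function starts and ends outside the hunk.

```c
	  {
	      static unsigned int counter = 0;
	      size_t name_len = sizeof("MEMORY:kadm5_") + 3*sizeof(counter);

	      handle->cache_name = malloc(name_len);
	      if (handle->cache_name == NULL) {
		   code = ENOMEM;
		   goto error;
	      }
	      snprintf(handle->cache_name, name_len, "MEMORY:kadm5_%u",
		       counter++);
	  }
	  /* … unchanged: krb5_cc_resolve / krb5_cc_initialize … */
```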
@@ -854,19 +868,16 @@
 					creds.times.starttime,
 					server, &opt);
 
-			if (pass)
-				krb5_kt_close(handle->context, kt);
-		}
-	}
+	       if (pass) krb5_kt_close(handle->context, kt);
+	  }
+     }
 
-	/* Improved error messages */
-	if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
-		code = KADM5_BAD_PASSWORD;
+     /* Improved error messages */
+     if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
+     if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
+	  code = KADM5_SECURE_PRINC_MISSING;
 
-	if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
-		code = KADM5_SECURE_PRINC_MISSING;
-
-	if (code != 0) {
+     if (code != 0) {
 		ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN,
 			"failed to obtain credentials cache\n"));
 		goto error;
@@ -882,8 +893,8 @@
 	ADMIN_LOGO(LOG_ERR, dgettext(TEXT_DOMAIN, "obtained credentials cache\n"));
 
 #ifdef ZEROPASSWD
-	if (pass != NULL)
-		memset(pass, 0, strlen(pass));
+     if (pass != NULL)
+	  memset(pass, 0, strlen(pass));
 #endif
 
 	if (init_type != INIT_PASS ||
@@ -903,19 +914,19 @@
 	goto cleanup;
 	
 error:
-	/*
-	* Note that it is illegal for this code to execute if "handle"
-	* has not been allocated and initialized.  I.e., don't use "goto
-	* error" before the block of code at the top of the function
-	* that allocates and initializes "handle".
-	*/
-	if (handle->cache_name)
+     /*
+      * Note that it is illegal for this code to execute if "handle"
+      * has not been allocated and initialized.  I.e., don't use "goto
+      * error" before the block of code at the top of the function
+      * that allocates and initializes "handle".
+      */
+     if (handle->cache_name)
 	 free(handle->cache_name);
-	if (handle->destroy_cache && ccache)
+     if (handle->destroy_cache && ccache)
 	 krb5_cc_destroy(handle->context, ccache);
-	if(handle->clnt && handle->clnt->cl_auth)
+     if(handle->clnt && handle->clnt->cl_auth)
 	  AUTH_DESTROY(handle->clnt->cl_auth);
-	if(handle->clnt)
+     if(handle->clnt)
 	  clnt_destroy(handle->clnt);
 	(void) kadm5_free_config_params(handle->context, &handle->params);
 
@@ -935,76 +946,91 @@
 	if (serverp && serverp != creds.server)
 		krb5_free_principal(handle->context, serverp);
 
-	krb5_free_cred_contents(handle->context, &creds);
+     krb5_free_cred_contents(handle->context, &creds);
 
 	/*
 	 * Dont clean up the handle if the code is OK (code==0)
 	 * because it is returned to the caller in the 'server_handle'
 	 * ptr.
 	 */
-	if (code) {
+     if (code) {
 		krb5_free_context(handle->context);
 		free(handle->lhandle);
 	  free(handle);
 	}
 
-	return (code);
+     return code;
 }
 
 kadm5_ret_t
 kadm5_destroy(void *server_handle)
 {
-	krb5_ccache	    ccache = NULL;
-	int		    code = KADM5_OK;
-	kadm5_server_handle_t	handle =
+     krb5_ccache	    ccache = NULL;
+     int		    code = KADM5_OK;
+     kadm5_server_handle_t	handle =
 	  (kadm5_server_handle_t) server_handle;
 	OM_uint32 min_stat;
 
-	CHECK_HANDLE(server_handle);
-
-	if (handle->destroy_cache && handle->cache_name) {
+     CHECK_HANDLE(server_handle);
+/* SUNW14resync:
+ * krb5_cc_resolve() will resolve a ccache with the same data that 
+ * handle->my_cred points to. If the ccache is a MEMORY ccache then 
+ * gss_release_cred() will free that data (it doesn't do this when ccache
+ * is a FILE ccache).
+ * if'ed out to avoid the double free. 
+ */
+#if 0
+     if (handle->destroy_cache && handle->cache_name) {
 	 if ((code = krb5_cc_resolve(handle->context,
 				     handle->cache_name, &ccache)) == 0) 
 	     code = krb5_cc_destroy (handle->context, ccache);
-	}
-	if (handle->cache_name)
+     }
+#endif
+     if (handle->cache_name)
 	 free(handle->cache_name);
-
-	if (handle->clnt && handle->clnt->cl_auth) {
+     if (handle->clnt && handle->clnt->cl_auth) {
 		/*
 		 * Since kadm5 doesn't use the default credentials we
 		 * must clean this up manually.
 		 */
 		if (handle->my_cred != GSS_C_NO_CREDENTIAL)
 			(void) gss_release_cred(&min_stat, &handle->my_cred);
-		AUTH_DESTROY(handle->clnt->cl_auth);
+	  AUTH_DESTROY(handle->clnt->cl_auth);
 	}
-	if (handle->clnt)
+     if (handle->clnt)
 	  clnt_destroy(handle->clnt);
-	if (handle->lhandle)
-	    free (handle->lhandle);
+     if (handle->lhandle)
+          free (handle->lhandle);
+
+     kadm5_free_config_params(handle->context, &handle->params);
+     krb5_free_context(handle->context);
 
-	kadm5_free_config_params(handle->context, &handle->params);
-	krb5_free_context(handle->context);
+     handle->magic_number = 0;
+     free(handle);
 
-	handle->magic_number = 0;
-	free(handle);
-
-	return (code);
+     return code;
+}
+/* not supported on client */
+kadm5_ret_t kadm5_lock(void *server_handle)
+{
+    return EINVAL;
 }
 
-/*ARGSUSED*/
-kadm5_ret_t
-kadm5_flush(void *server_handle)
+/* not supported on client */
+kadm5_ret_t kadm5_unlock(void *server_handle)
 {
-	return (KADM5_OK);
+    return EINVAL;
 }
 
-int
-_kadm5_check_handle(void *handle)
+kadm5_ret_t kadm5_flush(void *server_handle)
 {
-	CHECK_HANDLE(handle);
-	return (0);
+     return KADM5_OK;
+}
+
+int _kadm5_check_handle(void *handle)
+{
+     CHECK_HANDLE(handle);
+     return 0;
 }
 
 /*
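Review bot: With the `krb5_cc_destroy` block compiled out in `kadm5_destroy`, the credentials cache is released only through `gss_release_cred`, and that call sits inside `if (handle->clnt && handle->clnt->cl_auth)` and behind the `my_cred != GSS_C_NO_CREDENTIAL` test. On a handle where either condition is false, the `MEMORY:` cache and the admin credentials in it appear to stay resident for the life of the process, since nothing else in the function touches the cache. The SUNW14resync comment should state that dependency, e.g. `/* the MEMORY ccache is freed only by gss_release_cred() below; a handle without my_cred keeps it */`, and the path without a GSS credential probably needs its own destroy. `code` is also never reassigned now, so the function always returns `KADM5_OK`.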
--- a/usr/src/lib/krb5/kadm5/clnt/client_internal.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/clnt/client_internal.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -29,9 +29,9 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/clnt/client_internal.h, v 1.1 1996/07/24 22:22:43 tlyu Exp $
- *
- * $Log: client_internal.h, v $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_internal.h,v 1.1 1996/07/24 22:22:43 tlyu Exp $
+ * 
+ * $Log: client_internal.h,v $
  * Revision 1.1  1996/07/24 22:22:43  tlyu
  * 	* Makefile.in, configure.in: break out client lib into a
  * 		subdirectory
@@ -97,31 +97,32 @@
 	krb5_ui_4	magic_number;
 	krb5_ui_4	struct_version;
 	krb5_ui_4	api_version;
-	char 		*cache_name;
+	char *		cache_name;
 	int		destroy_cache;
-	CLIENT		*clnt;
+	CLIENT *	clnt;
 	krb5_context	context;
 	gss_cred_id_t	my_cred;
 	kadm5_config_params params;
 	struct _kadm5_server_handle_t *lhandle;
 } kadm5_server_handle_rec, *kadm5_server_handle_t;
 
-
-#define	CLIENT_CHECK_HANDLE(handle) \
+#define CLIENT_CHECK_HANDLE(handle) \
 { \
-kadm5_server_handle_t srvr = (kadm5_server_handle_t)handle; \
+	kadm5_server_handle_t srvr = \
+	     (kadm5_server_handle_t) handle; \
+ \
 	if (srvr->params.kpasswd_protocol == KRB5_CHGPWD_RPCSEC && ! srvr->clnt) \
-	    return (KADM5_BAD_SERVER_HANDLE); \
+	     return KADM5_BAD_SERVER_HANDLE; \
 	if (! srvr->cache_name) \
-	    return (KADM5_BAD_SERVER_HANDLE); \
+	     return KADM5_BAD_SERVER_HANDLE; \
 	if (! srvr->lhandle) \
-return (KADM5_BAD_SERVER_HANDLE); \
+	     return KADM5_BAD_SERVER_HANDLE; \
 }
 
-#define	CHECK_HANDLE(handle) \
-GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, \
-KADM5_NEW_LIB_API_VERSION) \
-CLIENT_CHECK_HANDLE(handle)
+#define CHECK_HANDLE(handle) \
+     GENERIC_CHECK_HANDLE(handle, KADM5_OLD_LIB_API_VERSION, \
+			  KADM5_NEW_LIB_API_VERSION) \
+     CLIENT_CHECK_HANDLE(handle)
 
 #ifdef __cplusplus
 }
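Review bot: `CLIENT_CHECK_HANDLE` casts its argument without parentheses, `(kadm5_server_handle_t) handle`, so an expression argument would bind to the cast incorrectly; `(kadm5_server_handle_t) (handle)` is the safe form. Both macros also return from the enclosing function on failure, which deserves a comment line above them, e.g. `/* returns KADM5_BAD_SERVER_HANDLE from the calling function on failure */`. `GENERIC_CHECK_HANDLE` is defined outside this hunk, so whether it follows the same pattern cannot be confirmed here.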
--- a/usr/src/lib/krb5/kadm5/clnt/client_principal.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/clnt/client_principal.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -26,19 +26,27 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_principal.c,v 1.8 2000/02/27 22:18:15 tlyu Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_principal.c,v 1.11 2004/06/16 03:11:53 tlyu Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_principal.c,v 1.8 2000/02/27 22:18:15 tlyu Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/client_principal.c,v 1.11 2004/06/16 03:11:53 tlyu Exp $";
 #endif
 
 #include    <rpc/rpc.h>  /* SUNWresync121 XXX */
 #include    <kadm5/admin.h>
 #include    <kadm5/kadm_rpc.h>
+#ifdef HAVE_MEMORY_H
 #include    <memory.h>
+#endif
 #include    "client_internal.h"
 
+#ifdef DEBUG /* SUNWresync14 XXX */
+#define eret() clnt_perror(handle->clnt, "null ret"); return KADM5_RPC_ERROR;
+#else
+#define eret() return KADM5_RPC_ERROR;
+#endif
+
 kadm5_ret_t
 kadm5_create_principal(void *server_handle,
 			    kadm5_principal_ent_t princ, long mask,
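Review bot: In a DEBUG build `eret()` expands to two statements, so at each unbraced `if(r == NULL) eret();` call site only `clnt_perror` is guarded and `return KADM5_RPC_ERROR;` runs unconditionally, which makes every wrapper fail even on a good reply. Wrapping the body fixes it: `#define eret() do { clnt_perror(handle->clnt, "null ret"); return KADM5_RPC_ERROR; } while (0)`, with the non-DEBUG form as `#define eret() return KADM5_RPC_ERROR` (no trailing semicolon). The macro also silently depends on a local named `handle` at the call site, which is worth a comment. The same applies to every `eret();` introduced in the later hunks of this file.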
@@ -93,7 +101,7 @@
 	 krb5_free_principal(handle->context, arg.rec.mod_name);
 
     if(r == NULL)
-	return KADM5_RPC_ERROR;
+	eret();
     return r->code;
 }
 
@@ -154,7 +162,7 @@
 	 krb5_free_principal(handle->context, arg.rec.mod_name);
 
     if(r == NULL)
-	return KADM5_RPC_ERROR;
+	eret();
     return r->code;
 }
 
@@ -173,7 +181,7 @@
     arg.api_version = handle->api_version;
     r = delete_principal_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;    
+	eret();    
     return r->code;
 }
 
@@ -226,7 +234,7 @@
 	 krb5_free_principal(handle->context, arg.rec.mod_name);    
 
     if(r == NULL)
-	return KADM5_RPC_ERROR;    
+	eret();    
     return r->code;
 }
 
@@ -251,7 +259,7 @@
     arg.api_version = handle->api_version;
     r = get_principal_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;
+	eret();
     if (handle->api_version == KADM5_API_VERSION_1) {
 	 kadm5_principal_ent_t_v1 *entp;
 
@@ -291,7 +299,7 @@
     arg.api_version = handle->api_version;
     r = get_princs_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;
+	eret();
     if(r->code == 0) {
 	 *count = r->count;
 	 *princs = r->princs;
@@ -320,7 +328,7 @@
 	return EINVAL;
     r = rename_principal_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;        
+	eret();        
     return r->code;
 }
 
@@ -342,7 +350,7 @@
 	return EINVAL;
     r = chpass_principal_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;        
+	eret();        
     return r->code;
 }
 
@@ -369,7 +377,7 @@
 	return EINVAL;
     r = chpass_principal3_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;        
+	eret();        
     return r->code;
 }
 
@@ -392,7 +400,7 @@
 	return EINVAL;
     r = setv4key_principal_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;        
+	eret();        
     return r->code;
 }
 
@@ -402,7 +410,6 @@
 		       krb5_keyblock *keyblocks,
 		       int n_keys)
 {
-
     setkey_arg		arg;
     generic_ret		*r;
     kadm5_server_handle_t handle = server_handle;
@@ -418,7 +425,7 @@
 	return EINVAL;
     r = setkey_principal_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;        
+	eret();        
     return r->code;
 }
 
@@ -448,7 +455,7 @@
 	return EINVAL;
     r = setkey_principal3_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;        
+	eret();        
     return r->code;
 }
 
@@ -527,7 +534,6 @@
 {
     chrand3_arg		arg;
     chrand_ret		*r;
-    krb5_keyblock	new;
     kadm5_server_handle_t handle = server_handle;
     int			i, ret;
 
@@ -549,27 +555,30 @@
 	return EINVAL;
     r = chrand_principal3_1(&arg, handle->clnt);
     if(r == NULL)
-	return KADM5_RPC_ERROR;
+	eret();
     if (handle->api_version == KADM5_API_VERSION_1) {
 	 if (key)
 	      krb5_copy_keyblock(handle->context, &r->key, key);
-    } else if (key && (r->n_keys > 0)) {
-	*key = (krb5_keyblock *) 
-	    malloc(r->n_keys*sizeof(krb5_keyblock));
-	if (*key == NULL)
-	    return ENOMEM;
-	for (i = 0; i < r->n_keys; i++) {
-	    ret = krb5_copy_keyblock_contents(handle->context,
-		&r->keys[i],
-		&(*key)[i]);
-	    if (ret) {
-		free(*key);
-		*key = NULL;
-		return ENOMEM;
-	    }
-	}
-	if (n_keys)
-	    *n_keys = r->n_keys;
+    } else {
+	 if (n_keys)
+	      *n_keys = r->n_keys;
+	 if (key) {
+	      if(r->n_keys) {
+		      *key = (krb5_keyblock *) 
+			      malloc(r->n_keys*sizeof(krb5_keyblock));
+		      if (*key == NULL)
+			      return ENOMEM;
+		      for (i = 0; i < r->n_keys; i++) {
+			      ret = krb5_copy_keyblock_contents(handle->context,
+								&r->keys[i],
+								&(*key)[i]);
+			      if (ret) {
+				      free(*key);
+				      return ENOMEM;
+			      }
+		      }
+	      } else *key = NULL;
+         }
     }
 
     return r->code;
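Review bot: When `krb5_copy_keyblock_contents` fails part-way through the loop, `free(*key)` releases the array but not the contents of the keyblocks already copied, and the new code no longer resets `*key`, so the caller is left with a dangling pointer. `*n_keys` has already been set to `r->n_keys` by then, which makes the result look like a valid array of that length. `r->n_keys` comes from the server reply and is multiplied by `sizeof(krb5_keyblock)` unchecked; its type is not visible here, but a negative or very large value should be rejected before the `malloc`. The function begins outside the hunk.

```c
		      for (i = 0; i < r->n_keys; i++) {
			      /* … unchanged: krb5_copy_keyblock_contents call … */
			      if (ret) {
				      /* free the contents of the keys already copied */
				      while (--i >= 0)
					      krb5_free_keyblock_contents(handle->context,
									  &(*key)[i]);
				      free(*key);
				      *key = NULL;
				      if (n_keys)
					      *n_keys = 0;
				      return ENOMEM;
			      }
```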
--- a/usr/src/lib/krb5/kadm5/clnt/client_rpc.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/clnt/client_rpc.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -27,7 +27,9 @@
 #include <kadm5/kadm_rpc.h>
 #include <krb5.h>
 #include <kadm5/admin.h>
+#ifdef HAVE_MEMORY_H
 #include <memory.h>
+#endif
 
 /* Default timeout can be changed using clnt_control() */
 static struct timeval TIMEOUT = { 25, 0 };
@@ -51,7 +53,7 @@
 
 generic_ret *
 create_principal3_1(argp, clnt)
-	cprinc_arg *argp;
+	cprinc3_arg *argp;
 	CLIENT *clnt;
 {
 	static generic_ret res;
@@ -138,7 +140,7 @@
 
 gprincs_ret *
 get_princs_1(argp, clnt)
-	gprinc_arg *argp;
+	gprincs_arg *argp;
 	CLIENT *clnt;
 {
 	static gprincs_ret res;
@@ -172,7 +174,7 @@
 
 generic_ret *
 chpass_principal3_1(argp, clnt)
-	chpass_arg *argp;
+	chpass3_arg *argp;
 	CLIENT *clnt;
 {
 	static generic_ret res;
@@ -229,7 +231,7 @@
 
 generic_ret *
 setkey_principal3_1(argp, clnt)
-	setkey_arg *argp;
+	setkey3_arg *argp;
 	CLIENT *clnt;
 {
 	static generic_ret res;
@@ -265,7 +267,7 @@
 
 chrand_ret *
 chrand_principal3_1(argp, clnt)
-	chrand_arg *argp;
+	chrand3_arg *argp;
 	CLIENT *clnt;
 {
 	static chrand_ret res;
@@ -352,7 +354,7 @@
 
 gpols_ret *
 get_pols_1(argp, clnt)
-	gprinc_arg *argp;
+	gpols_arg *argp;
 	CLIENT *clnt;
 {
 	static gpols_ret res;
--- a/usr/src/lib/krb5/kadm5/clnt/clnt_chpass_util.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/clnt/clnt_chpass_util.c	Sat Oct 07 13:37:05 2006 -0700
@@ -26,7 +26,7 @@
 					char *new_pw, 
 					char **ret_pw,
 					char *msg_ret,
-					int msg_len)
+					unsigned int msg_len)
 {
   kadm5_server_handle_t handle = server_handle;
 
--- a/usr/src/lib/krb5/kadm5/clnt/clnt_policy.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/clnt/clnt_policy.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -26,7 +26,7 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/clnt_policy.c,v 1.2 1998/02/14 02:32:57 tlyu Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/clnt/clnt_policy.c,v 1.4 2004/02/19 01:22:26 raeburn Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
@@ -86,7 +86,6 @@
 kadm5_ret_t
 kadm5_modify_policy(void *server_handle,
 			 kadm5_policy_ent_t policy, long mask)
-
 {
     mpol_arg		arg;
     generic_ret		*r;
@@ -109,7 +108,6 @@
 
 kadm5_ret_t
 kadm5_get_policy(void *server_handle, char *name, kadm5_policy_ent_t ent)
-
 {
     gpol_arg	    arg;
     gpol_ret	    *r;
--- a/usr/src/lib/krb5/kadm5/clnt/mapfile-vers	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/clnt/mapfile-vers	Sat Oct 07 13:37:05 2006 -0700
@@ -27,10 +27,14 @@
 
 SUNWprivate_1.1 {
     global:
+	_kadm5_get_kpasswd_protocol;
+	chpass_principal3_1;
 	chpass_principal_1;
 	chpw_error_message;
+	chrand_principal3_1;
 	chrand_principal_1;
 	create_policy_1;
+	create_principal3_1;
 	create_principal_1;
 	delete_policy_1;
 	delete_principal_1;
@@ -58,11 +62,10 @@
 	kadm5_free_policy_ent;
 	kadm5_free_principal_ent;
 	kadm5_get_adm_host_srv_name;
+	kadm5_get_admin_service_name;
 	kadm5_get_config_params;
 	kadm5_get_cpw_host_srv_name;
 	kadm5_get_kiprop_host_srv_name;
-	_kadm5_get_kpasswd_protocol;
-	kadm5_get_master;
 	kadm5_get_policies;
 	kadm5_get_policy;
 	kadm5_get_principal;
@@ -73,14 +76,18 @@
 	kadm5_init_with_creds;
 	kadm5_init_with_password;
 	kadm5_init_with_skey;
+	kadm5_lock;
 	kadm5_modify_policy;
 	kadm5_modify_principal;
 	kadm5_randkey_principal;
 	kadm5_randkey_principal_3;
 	kadm5_randkey_principal_old;
 	kadm5_rename_principal;
+	kadm5_setkey_principal;
 	kadm5_setkey_principal_3;
+	kadm5_unlock;
 	krb5_aprof_finish;
+	krb5_aprof_get_boolean;
 	krb5_aprof_get_deltat;
 	krb5_aprof_get_int32;
 	krb5_aprof_get_string;
@@ -104,10 +111,15 @@
 	modify_policy_1;
 	modify_principal_1;
 	rename_principal_1;
+	setkey_principal3_1;
+	setkey_principal_1;
+	xdr_chpass3_arg;
 	xdr_chpass_arg;
+	xdr_chrand3_arg;
 	xdr_chrand_arg;
 	xdr_chrand_ret;
 	xdr_cpol_arg;
+	xdr_cprinc3_arg;
 	xdr_cprinc_arg;
 	xdr_dpol_arg;
 	xdr_dprinc_arg;
@@ -129,19 +141,24 @@
 	xdr_krb5_enctype;
 	xdr_krb5_flags;
 	xdr_krb5_int16;
+	xdr_krb5_key_data_nocontents;
+	xdr_krb5_key_salt_tuple;
 	xdr_krb5_keyblock;
-	xdr_krb5_key_data_nocontents;
 	xdr_krb5_kvno;
 	xdr_krb5_octet;
 	xdr_krb5_principal;
+	xdr_krb5_salttype;
 	xdr_krb5_timestamp;
 	xdr_krb5_tl_data;
+	xdr_krb5_ui_2;
 	xdr_krb5_ui_4;
 	xdr_mpol_arg;
 	xdr_mprinc_arg;
 	xdr_nullstring;
 	xdr_nulltype;
 	xdr_rprinc_arg;
+	xdr_setkey3_arg;
+	xdr_setkey_arg;
 	xdr_ui_4;
     local:
 	*;
--- a/usr/src/lib/krb5/kadm5/kadm_err.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/kadm_err.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -81,10 +81,22 @@
 #define KADM5_SETKEY_DUP_ENCTYPES                (43787571L)
 #define KADM5_SETV4KEY_INVAL_ENCTYPE             (43787572L)
 #define KADM5_SETKEY3_ETYPE_MISMATCH             (43787573L)
-#define KADM5_RPC_ERROR_CANTENCODEARGS           (43787574L)
-#define KADM5_RPC_ERROR_CANTDECODEARGS           (43787575L)
+#define KADM5_MISSING_KRB5_CONF_PARAMS           (43787574L)
+#define KADM5_RPC_ERROR_CANTENCODEARGS           (43787575L)
+#define KADM5_RPC_ERROR_CANTDECODEARGS           (43787576L)
 
 #define ERROR_TABLE_BASE_ovk (43787520L)
 
+extern const struct error_table et_ovk_error_table;
+
+#if !defined(_WIN32)
 /* for compatibility with older versions... */
+extern void initialize_ovk_error_table (void) /*@modifies internalState@*/;
+#else
+#define initialize_ovk_error_table()
+#endif
+
+#if !defined(_WIN32)
+#define init_ovk_err_tbl initialize_ovk_error_table
 #define ovk_err_base ERROR_TABLE_BASE_ovk
+#endif
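Review bot: Inserting `KADM5_MISSING_KRB5_CONF_PARAMS` at 43787574 moves `KADM5_RPC_ERROR_CANTENCODEARGS` and `KADM5_RPC_ERROR_CANTDECODEARGS` up by one, so anything built against the old header now disagrees with this library about what 43787574 and 43787575 mean. If these values ever reach a peer or a log from an older build, an encode failure would be reported as a missing-configuration error. If the numbering has to follow the upstream error table, the header should say so next to the defines, e.g. `/* 43787574..43787576 renumbered in the 1.4 resync; rebuild all consumers */`; otherwise the new code is safer appended after the existing two.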
--- a/usr/src/lib/krb5/kadm5/kadm_rpc.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/kadm_rpc.h	Sat Oct 07 13:37:05 2006 -0700
@@ -17,6 +17,8 @@
  *
  */
 
+#ifndef __KADM_RPC_H__
+#define __KADM_RPC_H__
 
 #include <rpc/types.h>
 
@@ -254,44 +256,99 @@
 #define KADM ((krb5_ui_4)2112)
 #define KADMVERS ((krb5_ui_4)2)
 #define CREATE_PRINCIPAL ((krb5_ui_4)1)
-extern generic_ret *create_principal_1();
+extern generic_ret *create_principal_1_svc(cprinc_arg *arg, 
+					   struct svc_req *rqstp);
+extern generic_ret *create_principal_1(cprinc_arg *argp, CLIENT *clnt);
+
 #define DELETE_PRINCIPAL ((krb5_ui_4)2)
-extern generic_ret *delete_principal_1();
+extern generic_ret *delete_principal_1_svc(dprinc_arg *arg, 
+					   struct svc_req *rqstp);
+extern generic_ret *delete_principal_1(dprinc_arg *argp, CLIENT *clnt);
+
 #define MODIFY_PRINCIPAL ((krb5_ui_4)3)
-extern generic_ret *modify_principal_1();
+extern generic_ret *modify_principal_1_svc(mprinc_arg *arg,
+					   struct svc_req *rqstp);
+extern generic_ret *modify_principal_1(mprinc_arg *argp, CLIENT *clnt);
+
 #define RENAME_PRINCIPAL ((krb5_ui_4)4)
-extern generic_ret *rename_principal_1();
+extern generic_ret *rename_principal_1_svc(rprinc_arg *arg, 
+					   struct svc_req *rqstp);
+extern generic_ret *rename_principal_1(rprinc_arg *argp, CLIENT *clnt);
+
 #define GET_PRINCIPAL ((krb5_ui_4)5)
-extern gprinc_ret *get_principal_1();
+extern gprinc_ret *get_principal_1_svc(gprinc_arg *arg, struct svc_req *rqstp);
+extern gprinc_ret *get_principal_1(gprinc_arg *argp, CLIENT *clnt);
+
 #define CHPASS_PRINCIPAL ((krb5_ui_4)6)
-extern generic_ret *chpass_principal_1();
+extern generic_ret *chpass_principal_1_svc(chpass_arg *arg, 
+					   struct svc_req *rqstp);
+extern generic_ret *chpass_principal_1(chpass_arg *argp, CLIENT *clnt);
+
 #define CHRAND_PRINCIPAL ((krb5_ui_4)7)
-extern chrand_ret *chrand_principal_1();
+extern chrand_ret *chrand_principal_1_svc(chrand_arg *arg, 
+					  struct svc_req *rqstp);
+extern chrand_ret *chrand_principal_1(chrand_arg *argp, CLIENT *clnt);
+
 #define CREATE_POLICY ((krb5_ui_4)8)
-extern generic_ret *create_policy_1();
+extern generic_ret *create_policy_1_svc(cpol_arg *arg, struct svc_req *rqstp);
+extern generic_ret *create_policy_1(cpol_arg *argp, CLIENT *clnt);
+
 #define DELETE_POLICY ((krb5_ui_4)9)
-extern generic_ret *delete_policy_1();
+extern generic_ret *delete_policy_1_svc(dpol_arg *arg, struct svc_req *rqstp);
+extern generic_ret *delete_policy_1(dpol_arg *argp, CLIENT *clnt);
+
 #define MODIFY_POLICY ((krb5_ui_4)10)
-extern generic_ret *modify_policy_1();
+extern generic_ret *modify_policy_1_svc(mpol_arg *arg, struct svc_req *rqstp);
+extern generic_ret *modify_policy_1(mpol_arg *argp, CLIENT *clnt);
+
 #define GET_POLICY ((krb5_ui_4)11)
-extern gpol_ret *get_policy_1();
+extern gpol_ret *get_policy_1_svc(gpol_arg *arg, struct svc_req *rqstp);
+extern gpol_ret *get_policy_1(gpol_arg *argp, CLIENT *clnt);
+
 #define GET_PRIVS ((krb5_ui_4)12)
-extern getprivs_ret *get_privs_1();
+extern getprivs_ret *get_privs_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp);
+extern getprivs_ret *get_privs_1(void *argp, CLIENT *clnt);
+
 #define INIT ((krb5_ui_4)13)
+extern generic_ret *init_1_svc(krb5_ui_4 *arg, struct svc_req *rqstp);
 extern generic_ret *init_1();
+
 #define GET_PRINCS ((krb5_ui_4) 14)
-extern gprincs_ret *get_princs_1();
+extern gprincs_ret *get_princs_1_svc(gprincs_arg *arg, struct svc_req *rqstp);
+extern gprincs_ret *get_princs_1(gprincs_arg *argp, CLIENT *clnt);
+
 #define GET_POLS ((krb5_ui_4) 15)
-extern gpols_ret *get_pols_1();
+extern gpols_ret *get_pols_1_svc(gpols_arg *arg, struct svc_req *rqstp);
+extern gpols_ret *get_pols_1(gpols_arg *argp, CLIENT *clnt);
+
 #define SETKEY_PRINCIPAL ((krb5_ui_4) 16)
-extern generic_ret *setkey_principal_1();
+extern generic_ret *setkey_principal_1_svc(setkey_arg *arg, 
+					   struct svc_req *rqstp);
+extern generic_ret *setkey_principal_1(setkey_arg *argp, CLIENT *clnt);
+
 #define SETV4KEY_PRINCIPAL ((krb5_ui_4) 17)
-extern generic_ret *setv4key_principal_1();
+extern generic_ret *setv4key_principal_1_svc(setv4key_arg *arg, 
+					     struct svc_req *rqstp);
+extern generic_ret *setv4key_principal_1(setv4key_arg *argp, CLIENT *clnt);
+
 #define CREATE_PRINCIPAL3 ((krb5_ui_4) 18)
-extern generic_ret *create_principal3_1();
+extern generic_ret *create_principal3_1_svc(cprinc3_arg *arg, 
+					    struct svc_req *rqstp);
+extern generic_ret *create_principal3_1(cprinc3_arg *argp, CLIENT *clnt);
+
 #define CHPASS_PRINCIPAL3 ((krb5_ui_4) 19)
-extern generic_ret *chpass_principal3_1();
+extern generic_ret *chpass_principal3_1_svc(chpass3_arg *arg, 
+					    struct svc_req *rqstp);
+extern generic_ret *chpass_principal3_1(chpass3_arg *argp, CLIENT *clnt);
+
 #define CHRAND_PRINCIPAL3 ((krb5_ui_4) 20)
-extern chrand_ret *chrand_principal3_1();
+extern chrand_ret *chrand_principal3_1_svc(chrand3_arg *arg, 
+					   struct svc_req *rqstp);
+extern chrand_ret *chrand_principal3_1(chrand3_arg *argp, CLIENT *clnt);
+
 #define SETKEY_PRINCIPAL3 ((krb5_ui_4) 21)
-extern generic_ret *setkey_principal3_1();
+extern generic_ret *setkey_principal3_1_svc(setkey3_arg *arg, 
+					    struct svc_req *rqstp);
+extern generic_ret *setkey_principal3_1(setkey3_arg *argp, CLIENT *clnt);
+
+#endif /* __KADM_RPC_H__ */
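Review bot: `extern generic_ret *init_1();` under `INIT` is the only client stub left with an empty parameter list, so calls to it still get no argument checking while every other stub is now prototyped. It should get a full prototype matching its definition, which is not visible here; by analogy with `get_privs_1` that would presumably be `extern generic_ret *init_1(void *argp, CLIENT *clnt);`. Separately, the guard name `__KADM_RPC_H__` uses an identifier reserved for the implementation; `KADM_RPC_H` would avoid that.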
--- a/usr/src/lib/krb5/kadm5/kadm_rpc_xdr.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/kadm_rpc_xdr.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -52,7 +52,7 @@
 {
   /* Assumes that krb5_ui_4 and u_int32 are both four bytes long.
      This should not be a harmful assumption. */
-  return xdr_u_int(xdrs, (rpc_u_int32 *) objp);
+  return xdr_u_int(xdrs, (uint32_t *) objp);
 }
 
 
@@ -150,7 +150,7 @@
   /* This assumes that int32 and krb5_timestamp are the same size.
      This shouldn't be a problem, since we've got a unit test which
      checks for this. */
-	if (!xdr_int(xdrs, (rpc_int32 *) objp)) {
+	if (!xdr_int(xdrs, (int32_t *) objp)) {
 		return (FALSE);
 	}
 	return (TRUE);
@@ -181,7 +181,7 @@
   /* This assumes that int32 and krb5_deltat are the same size.
      This shouldn't be a problem, since we've got a unit test which
      checks for this. */
-	if (!xdr_int(xdrs, (rpc_int32 *) objp)) {
+	if (!xdr_int(xdrs, (int32_t *) objp)) {
 		return (FALSE);
 	}
 	return (TRUE);
@@ -193,7 +193,7 @@
   /* This assumes that int32 and krb5_flags are the same size.
      This shouldn't be a problem, since we've got a unit test which
      checks for this. */
-	if (!xdr_int(xdrs, (rpc_int32 *) objp)) {
+	if (!xdr_int(xdrs, (int32_t *) objp)) {
 		return (FALSE);
 	}
 	return (TRUE);
@@ -202,7 +202,7 @@
 bool_t
 xdr_krb5_ui_4(XDR *xdrs, krb5_ui_4 *objp)
 {
-	if (!xdr_u_int(xdrs, (rpc_u_int32 *) objp)) {
+	if (!xdr_u_int(xdrs, (uint32_t *) objp)) {
 		return (FALSE);
 	}
 	return (TRUE);
@@ -223,6 +223,30 @@
     return(TRUE);
 }
 
+/*
+ * Function: xdr_krb5_ui_2
+ *
+ * Purpose: XDR function which serves as a wrapper for xdr_u_int,
+ * to prevent compiler warnings about type clashes between u_int
+ * and krb5_ui_2.
+ */
+bool_t
+xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp)
+{
+    unsigned int tmp;
+
+    tmp = (unsigned int) *objp;
+
+    if (!xdr_u_int(xdrs, &tmp))
+	return(FALSE);
+
+    *objp = (krb5_ui_2) tmp;
+
+    return(TRUE);
+}
+
+
+
 bool_t xdr_krb5_key_data_nocontents(XDR *xdrs, krb5_key_data *objp)
 {
      /*
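Review bot: `xdr_krb5_ui_2` narrows the decoded value with `*objp = (krb5_ui_2) tmp;` and never checks its range, so a 32-bit value above 0xFFFF on the wire is silently truncated instead of rejected. This wrapper is applied to `key_data_length` in adb_xdr.c in the same changeset, so the truncated value ends up being used as a length. I would add `if (xdrs->x_op == XDR_DECODE && tmp > 0xFFFF) return(FALSE);` right after the `xdr_u_int` call. The header comment should also state that the value travels as a full XDR unsigned int.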
@@ -285,7 +309,7 @@
 {
      krb5_tl_data *tl, *tl2;
      bool_t more;
-     uint len;
+     unsigned int len;
 
      switch (xdrs->x_op) {
      case XDR_FREE:
@@ -346,10 +370,10 @@
 bool_t
 xdr_kadm5_ret_t(XDR *xdrs, kadm5_ret_t *objp)
 {
-	rpc_u_int32 tmp;
+	uint32_t tmp;
 
 	if (xdrs->x_op == XDR_ENCODE)
-		tmp = (rpc_u_int32) *objp;
+		tmp = (uint32_t) *objp;
 
 	if (!xdr_u_int(xdrs, &tmp))
 		return (FALSE);
@@ -1021,7 +1045,7 @@
 bool_t
 xdr_krb5_salttype(XDR *xdrs, krb5_int32 *objp)
 {
-    if (!xdr_int(xdrs, (rpc_int32 *) objp)) /* SUNWresync121 XXX */
+    if (!xdr_int(xdrs, (int32_t *) objp)) /* SUNWresync121 XXX */
 	return FALSE;
     return TRUE;
 }
--- a/usr/src/lib/krb5/kadm5/server_internal.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/server_internal.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -25,7 +25,7 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/server_internal.h,v 1.27 1996/10/21 20:29:58 bjaspan Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/server_internal.h,v 1.31 2001/07/08 12:24:56 epeisach Exp $
  */
 
 /*
@@ -37,7 +37,9 @@
 #ifndef __KADM5_SERVER_INTERNAL_H__
 #define __KADM5_SERVER_INTERNAL_H__
 
+#ifdef HAVE_MEMORY_H
 #include    <memory.h>
+#endif
 #include    <stdlib.h>
 #include    "k5-int.h"
 #include    <krb5/kdb.h>
@@ -77,11 +79,21 @@
 				  krb5_db_entry *kdb, osa_princ_ent_rec *adb);
 krb5_error_code     kdb_delete_entry(kadm5_server_handle_t handle,
 				     krb5_principal name);
+krb5_error_code     kdb_iter_entry(kadm5_server_handle_t handle,
+				   void (*iter_fct)(void *, krb5_principal), 
+				   void *data);
 
 int		    init_dict(kadm5_config_params *);
 int		    find_word(const char *word);
 void		    destroy_dict(void);
 
+/* XXX this ought to be in libkrb5.a, but isn't */
+kadm5_ret_t krb5_copy_key_data_contents(krb5_context context,
+					krb5_key_data *from, 
+					krb5_key_data *to);
+kadm5_ret_t krb5_free_key_data_contents(krb5_context context, 
+					krb5_key_data *key);
+
 /*
  * *Warning* 
  * *Warning*	    This is going to break if we     
--- a/usr/src/lib/krb5/kadm5/srv/Makefile.com	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/Makefile.com	Sat Oct 07 13:37:05 2006 -0700
@@ -86,7 +86,8 @@
 	-DENDRPCENT_TYPE=void -DHAVE_SYS_ERRLIST=1 -DNEED_SYS_ERRLIST=1 \
 	-DHAVE_SYSLOG_H=1 -DHAVE_OPENLOG=1 -DHAVE_SYSLOG=1 -DHAVE_CLOSELOG=1 \
 	-DHAVE_STEP=1 -DHAVE_RE_COMP=1 -DHAVE_RE_EXEC=1 -DHAVE_REGCOMP=1 \
-	-DHAVE_REGEXEC=1 -DHAVE_STRFTIME=1 -DHAVE_VSPRINTF=1
+	-DHAVE_REGEXEC=1 -DHAVE_STRFTIME=1 -DHAVE_VSPRINTF=1 \
+	-DUSE_KADM5_API_VERSION=2
 
 CFLAGS +=	$(CCVERBOSE) -I..
 
--- a/usr/src/lib/krb5/kadm5/srv/adb_free.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/adb_free.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,9 +21,13 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/adb_free.c,v 1.2 1996/10/18 19:45:49 bjaspan Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_free.c,v 1.3 2000/06/01 02:02:03 tritan Exp $
  * 
  * $Log: adb_free.c,v $
+ * Revision 1.3  2000/06/01 02:02:03  tritan
+ * Check for existance of <memory.h>.
+ * (from Nathan Neulinger <nneul@umr.edu>)
+ *
  * Revision 1.2  1996/10/18 19:45:49  bjaspan
  * 	* svr_misc_free.c, server_dict.c, adb_policy.c, adb_free.c:
  *  	include stdlib.h instead of malloc.h [krb5-admin/35]
@@ -68,11 +72,13 @@
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/adb_free.c,v 1.2 1996/10/18 19:45:49 bjaspan Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_free.c,v 1.3 2000/06/01 02:02:03 tritan Exp $";
 #endif
 
 #include	"adb.h"
+#ifdef HAVE_MEMORY_H
 #include	<memory.h>
+#endif
 #include	<stdlib.h>
 
 void
--- a/usr/src/lib/krb5/kadm5/srv/adb_openclose.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/adb_openclose.c	Sat Oct 07 13:37:05 2006 -0700
@@ -25,11 +25,11 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_openclose.c,v 1.4.2.1 2000/05/19 22:24:16 raeburn Exp $ 
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_openclose.c,v 1.8 2002/10/08 20:20:29 tlyu Exp $ 
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_openclose.c,v 1.4.2.1 2000/05/19 22:24:16 raeburn Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_openclose.c,v 1.8 2002/10/08 20:20:29 tlyu Exp $";
 #endif
 
 #include	<sys/file.h>
@@ -50,15 +50,17 @@
 {
      int lf;
      DB *db;
-     HASHINFO info;
+     BTREEINFO btinfo;
      
-     memset(&info, 0, sizeof(info));
-     info.hash = NULL;
-     info.bsize = 256;
-     info.ffactor = 8;
-     info.nelem = 25000;
-     info.lorder = 0;
-     db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_HASH, &info);
+     memset(&btinfo, 0, sizeof(btinfo));
+     btinfo.flags = 0;
+     btinfo.cachesize = 0;
+     btinfo.psize = 4096;
+     btinfo.lorder = 0;
+     btinfo.minkeypage = 0;
+     btinfo.compare = NULL;
+     btinfo.prefix = NULL;
+     db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_BTREE, &btinfo);
      if (db == NULL)
 	  return errno;
      if (db->close(db) < 0)
@@ -94,23 +96,23 @@
 	 ret != EEXIST)
 	  return ret;
 
-     if (ret = osa_adb_init_db(&fromdb, filefrom, lockfrom, magic))
+     if ((ret = osa_adb_init_db(&fromdb, filefrom, lockfrom, magic)))
 	  return ret;
-     if (ret = osa_adb_init_db(&todb, fileto, lockto, magic)) {
+     if ((ret = osa_adb_init_db(&todb, fileto, lockto, magic))) {
 	  (void) osa_adb_fini_db(fromdb, magic);
 	  return ret;
      }
-     if (ret = osa_adb_get_lock(fromdb, OSA_ADB_PERMANENT)) {
+     if ((ret = osa_adb_get_lock(fromdb, OSA_ADB_PERMANENT))) {
 	  (void) osa_adb_fini_db(fromdb, magic);
 	  (void) osa_adb_fini_db(todb, magic);
 	  return ret;
      }
-     if (ret = osa_adb_get_lock(todb, OSA_ADB_PERMANENT)) {
+     if ((ret = osa_adb_get_lock(todb, OSA_ADB_PERMANENT))) {
 	  (void) osa_adb_fini_db(fromdb, magic);
 	  (void) osa_adb_fini_db(todb, magic);
 	  return ret;
      }
-     if (rename(filefrom, fileto) < 0) {
+     if ((rename(filefrom, fileto) < 0)) {
 	  (void) osa_adb_fini_db(fromdb, magic);
 	  (void) osa_adb_fini_db(todb, magic);
 	  return errno;
@@ -119,7 +121,7 @@
       * Do not release the lock on fromdb because it is being renamed
       * out of existence; no one can ever use it again.
       */
-     if (ret = osa_adb_release_lock(todb)) {
+     if ((ret = osa_adb_release_lock(todb))) {
 	  (void) osa_adb_fini_db(fromdb, magic);
 	  (void) osa_adb_fini_db(todb, magic);
 	  return ret;
@@ -152,6 +154,13 @@
      db->info.nelem = 25000;
      db->info.lorder = 0;
 
+     db->btinfo.flags = 0;
+     db->btinfo.cachesize = 0;
+     db->btinfo.psize = 4096;
+     db->btinfo.lorder = 0;
+     db->btinfo.minkeypage = 0;
+     db->btinfo.compare = NULL;
+     db->btinfo.prefix = NULL;
      /*
       * A process is allowed to open the same database multiple times
       * and access it via different handles.  If the handles use
@@ -201,7 +210,7 @@
 
      /* now initialize lockp->lockinfo if necessary */
      if (lockp->lockinfo.lockfile == NULL) {
-	  if (code = krb5_init_context(&lockp->lockinfo.context)) {
+	  if ((code = krb5_init_context(&lockp->lockinfo.context))) {
 	       free(db);
 	       return((osa_adb_ret_t) code);
 	  }
@@ -229,6 +238,7 @@
      db->lock = &lockp->lockinfo;
      db->lock->refcnt++;
 
+     db->opencnt = 0;
      db->filename = strdup(filename);
      db->magic = magic;
 
@@ -330,8 +340,6 @@
      
      if (perm) {
 	  if (unlink(db->lock->filename) < 0) {
-	       int ret;
-
 	       /* somehow we can't delete the file, but we already */
 	       /* have the lock, so release it and return */
 
@@ -369,9 +377,9 @@
                                    0600);
 	       if ((db->lock->lockfile = fdopen(fd, "w+F")) == NULL)
 		    return OSA_ADB_NOLOCKFILE;
-	  } else if (ret = krb5_lock_file(db->lock->context,
+	  } else if ((ret = krb5_lock_file(db->lock->context,
 					  fileno(db->lock->lockfile),
-					  KRB5_LOCKMODE_UNLOCK))
+					  KRB5_LOCKMODE_UNLOCK)))
 	       return ret;
 	  
 	  db->lock->lockmode = 0;
@@ -386,22 +394,36 @@
      ret = osa_adb_get_lock(db, locktype);
      if (ret != OSA_ADB_OK)
 	  return ret;
-     
-     db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info);
-     if (db->db == NULL) {
+     if (db->opencnt)
+	  goto open_ok;
+
+     db->db = dbopen(db->filename, O_RDWR, 0600, DB_BTREE, &db->btinfo);
+     if (db->db != NULL)
+	 goto open_ok;
+     switch (errno) {
+#ifdef EFTYPE
+     case EFTYPE:
+#endif
+     case EINVAL:
+	  db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info);
+	  if (db->db != NULL)
+	       goto open_ok;
+     default:
 	  (void) osa_adb_release_lock(db);
-	  if(errno == EINVAL)
+	  if (errno == EINVAL)
 	       return OSA_ADB_BAD_DB;
 	  return errno;
      }
+open_ok:
+     db->opencnt++;
      return OSA_ADB_OK;
 }
 
 osa_adb_ret_t osa_adb_close_and_unlock(osa_adb_princ_t db)
 {
-     int ret;
-
-     if(db->db->close(db->db) == -1) {
+     if (--db->opencnt)
+	  return osa_adb_release_lock(db);
+     if(db->db != NULL && db->db->close(db->db) == -1) {
 	  (void) osa_adb_release_lock(db);
 	  return OSA_ADB_FAILURE;
      }
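Review bot: In the `default:` arm, `errno` is tested after `osa_adb_release_lock(db)` has run, and that call may overwrite it, so the `OSA_ADB_BAD_DB`/`errno` result can describe the unlock rather than the failed `dbopen`. Copy `errno` into a local declared at the top of the function before releasing the lock, then finish with `return (saved_errno == EINVAL) ? OSA_ADB_BAD_DB : saved_errno;`. The `case EINVAL:` arm drops into `default:` when the hash reopen fails; that looks intended and should carry a `/* FALLTHROUGH */` comment. In `osa_adb_close_and_unlock`, an unbalanced call makes `--db->opencnt` negative, which is treated as "still open"; a guard such as `if (db->opencnt <= 0) return OSA_ADB_FAILURE;` ahead of the decrement would catch that, if that return code suits the callers. Both functions extend beyond this hunk.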
@@ -410,4 +432,3 @@
 
      return(osa_adb_release_lock(db));
 }
-
--- a/usr/src/lib/krb5/kadm5/srv/adb_policy.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/adb_policy.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,11 +21,11 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v 1.4 1996/10/18 19:45:50 bjaspan Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v 1.7 2003/01/05 23:27:59 hartmans Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v 1.4 1996/10/18 19:45:50 bjaspan Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_policy.c,v 1.7 2003/01/05 23:27:59 hartmans Exp $";
 #endif
 
 #include	<sys/file.h>
@@ -33,28 +33,27 @@
 #include	"adb.h"
 #include	<stdlib.h>
 #include	<string.h>
+#include <errno.h>
 
-extern	int errno;
 extern	caddr_t xdralloc_getdata(XDR *xdrs);
 extern	void xdralloc_create(XDR *xdrs, enum xdr_op op);
-extern	osa_adb_ret_t osa_adb_rename_db(char *filefrom, char *lockfrom,
-				char *fileto, char *lockto, int magic);
+
 #define OPENLOCK(db, mode) \
 { \
-       int ret; \
+       int olret; \
 	    if (db == NULL) \
 		 return EINVAL; \
 	    else if (db->magic != OSA_ADB_POLICY_DB_MAGIC) \
 		 return OSA_ADB_DBINIT; \
-	    else if ((ret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \
-		 return ret; \
+	    else if ((olret = osa_adb_open_and_lock(db, mode)) != OSA_ADB_OK) \
+		 return olret; \
 	    }
 
 #define CLOSELOCK(db) \
 { \
-     int ret; \
-     if ((ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \
-	  return ret; \
+     int cl_ret; \
+     if ((cl_ret = osa_adb_close_and_unlock(db)) != OSA_ADB_OK) \
+	  return cl_ret; \
 }
 
 osa_adb_ret_t osa_adb_create_policy_db(kadm5_config_params *params)
@@ -101,7 +100,7 @@
  *
  * Arguments:
  *	entry		(input) pointer to the entry to be added
- * 	<return value>	OSA_ADB_OK on sucsess, else error code.
+ * 	<return value>	OSA_ADB_OK on success, else error code.
  *
  * Requires:
  *	entry have a valid name.
@@ -176,7 +175,7 @@
  * Arguments:
  *	db		(input) database handle
  *	name		(input) name of policy
- * 	<return value>	OSA_ADB_OK on sucsess, or error code.
+ * 	<return value>	OSA_ADB_OK on success, or error code.
  *
  * Requires:
  *	db being valid.
@@ -234,7 +233,7 @@
  *	db		(input) db handle
  *	name		(input) name of policy
  *	entry		(output) policy entry
- * 	<return value>	0 on sucsess, error code on failure.
+ * 	<return value>	0 on success, error code on failure.
  *
  * Requires:
  * Effects:
@@ -300,7 +299,7 @@
  * Arguments:
  *	db		(input) db handle
  *	entry		(input) policy entry
- * 	<return value>	0 on sucsess error code on failure.
+ * 	<return value>	0 on success error code on failure.
  *
  * Requires:
  *	[requires]
@@ -373,7 +372,7 @@
  *	db		(input) db handle
  *	func		(input) fucntion pointer to call
  *	data		opaque data type
- * 	<return value>	0 on sucsess error code on failure
+ * 	<return value>	0 on success error code on failure
  *
  * Requires:
  * Effects:
--- a/usr/src/lib/krb5/kadm5/srv/adb_xdr.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/adb_xdr.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -26,7 +26,7 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_xdr.c,v 1.2 1998/02/14 02:31:34 tlyu Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/adb_xdr.c,v 1.4 2001/07/25 19:03:35 epeisach Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
@@ -38,10 +38,9 @@
 #include <rpc/rpc.h> /* SUNWresync121 XXX */
 #include "adb.h"
 #include "admin_xdr.h"
+#ifdef HAVE_MEMORY_H
 #include <memory.h>
-
-extern bool_t
-xdr_krb5_int16(XDR *xdrs, krb5_int16 *objp);
+#endif
 
 bool_t
 xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp)
@@ -56,9 +55,10 @@
 	return(FALSE);
     if (!xdr_krb5_int16(xdrs, &objp->key_data_type[1]))
 	return(FALSE);
-    if (!xdr_krb5_int16(xdrs, &objp->key_data_length[0]))
+	/* SUNW14resync */
+    if (!xdr_krb5_ui_2(xdrs, (krb5_ui_2 *)&objp->key_data_length[0]))
 	return(FALSE);
-    if (!xdr_krb5_int16(xdrs, &objp->key_data_length[1]))
+    if (!xdr_krb5_ui_2(xdrs, (krb5_ui_2 *)&objp->key_data_length[1]))
 	return(FALSE);
 
     tmp = (unsigned int) objp->key_data_length[0];
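Review bot: The casts `(krb5_ui_2 *)&objp->key_data_length[0]` and `[1]` hide whatever type the field actually has. The removed lines suggest it is still `krb5_int16`, though the struct is not visible here. If so, the following `tmp = (unsigned int) objp->key_data_length[0];` sign-extends any length of 0x8000 or more into a very large unsigned value. Either declare the field as `krb5_ui_2` and drop the casts, or convert through the unsigned type: `tmp = (unsigned int)(krb5_ui_2) objp->key_data_length[0];`. The function continues past this hunk, so the use of `tmp` as a byte count is inferred.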
--- a/usr/src/lib/krb5/kadm5/srv/mapfile-vers	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/mapfile-vers	Sat Oct 07 13:37:05 2006 -0700
@@ -36,19 +36,12 @@
 
 SUNWprivate_1.1 {
     global:
-	acl_check;
-	acl_finish;
-	acl_impose_restrictions;
-	acl_init;
+	__kadm5_get_priv;
+	_kadm5_get_kpasswd_protocol;
 	adb_policy_close;
 	adb_policy_init;
 	destroy_dict;
 	find_word;
-	free_history_entry;
-	get_either_iter;
-	get_pols_iter;
-	get_princs_iter;
-	glob_to_regexp;
 	handle_chpw;
 	hist_db;
 	hist_encblock;
@@ -59,7 +52,6 @@
 	kadm5_chpass_principal;
 	kadm5_chpass_principal_3;
 	kadm5_chpass_principal_util;
-	kadm5_chpass_principal_v2;
 	kadm5_create_policy;
 	kadm5_create_policy_internal;
 	kadm5_create_principal;
@@ -76,20 +68,18 @@
 	kadm5_get_adm_host_srv_name;
 	kadm5_get_config_params;
 	kadm5_get_cpw_host_srv_name;
-	kadm5_get_either;
 	kadm5_get_kiprop_host_srv_name;
-	_kadm5_get_kpasswd_protocol;
 	kadm5_get_master;
 	kadm5_get_policies;
 	kadm5_get_policy;
 	kadm5_get_principal;
 	kadm5_get_principals;
-	__kadm5_get_priv;
+	kadm5_get_privs;
 	kadm5_init;
 	kadm5_init_iprop;
 	kadm5_init_with_creds;
 	kadm5_init_with_password;
-	kadm5_init_with_skey;
+	kadm5_lock;
 	kadm5_modify_policy;
 	kadm5_modify_policy_internal;
 	kadm5_modify_principal;
@@ -98,6 +88,11 @@
 	kadm5_rename_principal;
 	kadm5_setkey_principal;
 	kadm5_setkey_principal_3;
+	kadm5_unlock;
+	kadm5int_acl_check;
+	kadm5int_acl_finish;
+	kadm5int_acl_impose_restrictions;
+	kadm5int_acl_init;kadm5_init_with_skey;
 	kdb_delete_entry;
 	kdb_free_entry;
 	kdb_get_entry;
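Review bot: `kadm5int_acl_init;kadm5_init_with_skey;` puts two exported symbols on one line, which looks like a merge slip. An earlier hunk of this file removes `kadm5_init_with_skey;` from its sorted position, and it reappears here glued to another entry. It still parses as two entries, but a line-based search or an audit of the export list will miss it. Restore `kadm5_init_with_skey;` on its own line after `kadm5_init_with_password;` and leave `kadm5int_acl_init;` alone on this one.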
@@ -106,6 +101,7 @@
 	kdb_iter_entry;
 	kdb_put_entry;
 	krb5_aprof_finish;
+	krb5_aprof_get_boolean;
 	krb5_aprof_get_deltat;
 	krb5_aprof_get_int32;
 	krb5_aprof_get_string;
@@ -149,9 +145,6 @@
 	osa_free_policy_ent;
 	osa_free_princ_ent;
 	passwd_check;
-	xdralloc_create;
-	xdralloc_getdata;
-	xdralloc_release;
 	xdr_chpass3_arg;
 	xdr_chpass_arg;
 	xdr_chrand3_arg;
@@ -180,14 +173,17 @@
 	xdr_krb5_enctype;
 	xdr_krb5_flags;
 	xdr_krb5_int16;
-	xdr_krb5_keyblock;
 	xdr_krb5_key_data;
 	xdr_krb5_key_data_nocontents;
+	xdr_krb5_key_salt_tuple;
+	xdr_krb5_keyblock;
 	xdr_krb5_kvno;
 	xdr_krb5_octet;
 	xdr_krb5_principal;
+	xdr_krb5_salttype;
 	xdr_krb5_timestamp;
 	xdr_krb5_tl_data;
+	xdr_krb5_ui_2;
 	xdr_krb5_ui_4;
 	xdr_mpol_arg;
 	xdr_mprinc_arg;
@@ -200,6 +196,9 @@
 	xdr_setkey3_arg;
 	xdr_setkey_arg;
 	xdr_ui_4;
+	xdralloc_create;
+	xdralloc_getdata;
+	xdralloc_release;
     local:
 	*;
 };
--- a/usr/src/lib/krb5/kadm5/srv/server_acl.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/server_acl.c	Sat Oct 07 13:37:05 2006 -0700
@@ -129,11 +129,11 @@
 
 
 /*
- * acl_get_line()	- Get a line from the ACL file.
+ * kadm5int_acl_get_line() - Get a line from the ACL file.
  *			Lines ending with \ are continued on the next line
  */
 static char *
-acl_get_line(fp, lnp)
+kadm5int_acl_get_line(fp, lnp)
     FILE	*fp;
     int		*lnp;		/* caller should set to 1 before first call */
 {
@@ -190,10 +190,10 @@
 }
 
 /*
- * acl_parse_line()	- Parse the contents of an ACL line.
+ * kadm5int_acl_parse_line() - Parse the contents of an ACL line.
  */
 static aent_t *
-acl_parse_line(lp)
+kadm5int_acl_parse_line(lp)
     const char *lp;
 {
     static char acle_principal[BUFSIZ];
@@ -205,7 +205,7 @@
     int		t, found, opok, nmatch;
 
     DPRINT(DEBUG_CALLS, acl_debug_level,
-	   ("* acl_parse_line(line=%20s)\n", lp));
+	   ("* kadm5int_acl_parse_line(line=%20s)\n", lp));
     /*
      * Format is still simple:
      *  entry ::= [<whitespace>] <principal> <whitespace> <opstring>
@@ -229,7 +229,7 @@
 	    for (op=acle_ops; *op; op++) {
 		char rop;
 
-		rop = (isupper(*op)) ? tolower(*op) : *op;
+		rop = (isupper((int) *op)) ? tolower((int) *op) : *op;
 		found = 0;
 		for (t=0; acl_op_table[t].ao_op; t++) {
 		    if (rop == acl_op_table[t].ao_op) {
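Review bot: Casting to `int` in `isupper((int) *op)` and `tolower((int) *op)` silences the warning but still passes a negative value when `*op` has the high bit set and `char` is signed, which is undefined for the `<ctype.h>` functions. This assumes `op` is a plain `char *`; its declaration is outside the hunk. The conversion has to go through `unsigned char`: `rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op;`. The same applies to `isspace((int) *trailing)` in the `@@ -272,7 +272,7 @@` hunk. These bytes come from the ACL file, so non-ASCII input is possible.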
@@ -272,7 +272,7 @@
 		char	*trailing;
 
 		trailing = &acle_restrictions[strlen(acle_restrictions)-1];
-		while ( isspace(*trailing) )
+		while ( isspace((int) *trailing) )
 		    trailing--;
 		trailing[1] = '\0';
 		acle->ae_restriction_string = strdup(acle_restrictions);
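Review bot: The trimming loop `while ( isspace((int) *trailing) ) trailing--;` has no lower bound. If `acle_restrictions` is empty or holds only whitespace, `trailing` starts at or walks to an address before the buffer, and the loop reads out of bounds before `trailing[1] = '\0'` is reached. Whether the earlier parsing guarantees a non-blank string cannot be seen from this hunk. A bounded form would be `while (trailing >= acle_restrictions && isspace((unsigned char) *trailing)) trailing--;`.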
@@ -285,12 +285,12 @@
 	}
     }
     DPRINT(DEBUG_CALLS, acl_debug_level,
-	   ("X acl_parse_line() = %x\n", (long) acle));
+	   ("X kadm5int_acl_parse_line() = %x\n", (long) acle));
     return(acle);
 }
 
 /*
- * acl_parse_restrictions()	- Parse optional restrictions field
+ * kadm5int_acl_parse_restrictions() - Parse optional restrictions field
  *
  * Allowed restrictions are:
  *	[+-]flagname		(recognized by krb5_string_to_flags)
@@ -304,23 +304,22 @@
  * Returns: 0 on success, or system errors
  */
 static krb5_error_code
-acl_parse_restrictions(s, rpp)
+kadm5int_acl_parse_restrictions(s, rpp)
     char		*s;
     restriction_t	**rpp;
 {
     char		*sp, *tp, *ap;
     static const char	*delims = "\t\n\f\v\r ,";
-    krb5_error_code	ret;
     krb5_deltat		dt;
     krb5_flags		flag;
     krb5_error_code	code;
 
    DPRINT(DEBUG_CALLS, acl_debug_level,
-	   ("* acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
+	   ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
 
     *rpp = (restriction_t *) NULL;
     code = 0;
-    if (s)
+    if (s) {
 	if (!(sp = strdup(s))	/* Don't munge the original */
 	    || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) {
 	    code = ENOMEM;
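Review bot: `sp` is declared without an initializer in `char *sp, *tp, *ap;` and is only assigned inside the new `if (s) {` block. The cleanup shown in the `@@ -378,6 +377,7 @@` hunk runs `if (sp) free(sp);` unconditionally, so a call with `s == NULL` tests and may free an indeterminate pointer. Adding the braces makes the scoping explicit but does not fix that; initialize at the declaration with `char *sp = NULL, *tp, *ap;`. The function body extends beyond this hunk, so whether any caller actually passes NULL is not visible here.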
@@ -378,6 +377,7 @@
 		}
 	    }
 	}
+    }
     if (sp)
 	free(sp);
     if (*rpp && code) {
@@ -387,19 +387,19 @@
 	*rpp = (restriction_t *) NULL;
     }
     DPRINT(DEBUG_CALLS, acl_debug_level,
-	   ("X acl_parse_restrictions() = %d, mask=0x%08x\n",
+	   ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n",
 	    code, (*rpp) ? (*rpp)->mask : 0));
     return code;
 }
 
 /*
- * acl_impose_restrictions()	- impose restrictions, modifying *recp, *maskp
+ * kadm5int_acl_impose_restrictions()	- impose restrictions, modifying *recp, *maskp
  *
  * Returns: 0 on success;
  *	    malloc or timeofday errors
  */
 krb5_error_code
-acl_impose_restrictions(kcontext, recp, maskp, rp)
+kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
      krb5_context		kcontext;
      kadm5_principal_ent_rec	*recp;
      long			*maskp;
@@ -409,7 +409,7 @@
     krb5_int32		now;
 
     DPRINT(DEBUG_CALLS, acl_debug_level,
-	   ("* acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
+	   ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
 	    *maskp, (long)rp));
     if (!rp)
 	return 0;
@@ -462,20 +462,20 @@
 	*maskp |= KADM5_MAX_RLIFE;
     }
     DPRINT(DEBUG_CALLS, acl_debug_level,
-	   ("X acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
+	   ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
     return 0;
 }
 
 /*
- * acl_free_entries()	- Free all ACL entries.
+ * kadm5int_acl_free_entries() - Free all ACL entries.
  */
 static void
-acl_free_entries()
+kadm5int_acl_free_entries()
 {
     aent_t	*ap;
     aent_t	*np;
 
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_free_entries()\n"));
+    DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n"));
     for (ap=acl_list_head; ap; ap = np) {
 	if (ap->ae_name)
 	    free(ap->ae_name);
@@ -497,14 +497,14 @@
     }
     acl_list_head = acl_list_tail = (aent_t *) NULL;
     acl_inited = 0;
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_free_entries()\n"));
+    DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_free_entries()\n"));
 }
 
 /*
- * acl_load_acl_file()	- Open and parse the ACL file.
+ * kadm5int_acl_load_acl_file()	- Open and parse the ACL file.
  */
 static int
-acl_load_acl_file()
+kadm5int_acl_load_acl_file()
 {
     FILE 	*afp;
     char 	*alinep;
@@ -512,16 +512,17 @@
     int		alineno;
     int		retval = 1;
 
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_load_acl_file()\n"));
+    DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n"));
     /* Open the ACL file for read */
-    if (afp = fopen(acl_acl_file, "rF")) {
+    afp = fopen(acl_acl_file, "rF");
+    if (afp) {
 	alineno = 1;
 	aentpp = &acl_list_head;
 
 	/* Get a non-comment line */
-	while (alinep = acl_get_line(afp, &alineno)) {
+	while ((alinep = kadm5int_acl_get_line(afp, &alineno))) {
 	    /* Parse it */
-	    *aentpp = acl_parse_line(alinep);
+	    *aentpp = kadm5int_acl_parse_line(alinep);
 	    /* If syntax error, then fall out */
 	    if (!*aentpp) {
 		krb5_klog_syslog(LOG_ERR, ACL_SYN_ERR_MSG,
@@ -536,7 +537,8 @@
 	fclose(afp);
 
 	if (acl_catchall_entry) {
-	     if (*aentpp = acl_parse_line(acl_catchall_entry)) {
+	     *aentpp = kadm5int_acl_parse_line(acl_catchall_entry);
+	     if (*aentpp) {
 		  acl_list_tail = *aentpp;
 	     }
 	     else {
@@ -551,7 +553,7 @@
 	krb5_klog_syslog(LOG_ERR,  ACL_CANTOPEN_MSG,
 			 error_message(errno), acl_acl_file);
 	if (acl_catchall_entry &&
-	    (acl_list_head = acl_parse_line((char *)acl_catchall_entry))) {
+	    (acl_list_head = kadm5int_acl_parse_line((char *)acl_catchall_entry))) {
 	    acl_list_tail = acl_list_head;
 	}
 	else {
@@ -563,20 +565,20 @@
     }
 
     if (!retval) {
-	acl_free_entries();
+	kadm5int_acl_free_entries();
     }
     DPRINT(DEBUG_CALLS, acl_debug_level,
-	   ("X acl_load_acl_file() = %d\n", retval));
+	   ("X kadm5int_acl_load_acl_file() = %d\n", retval));
     return(retval);
 }
 
 /*
- * acl_match_data()	- See if two data entries match.
+ * kadm5int_acl_match_data()	- See if two data entries match.
  *
  * Wildcarding is only supported for a whole component.
  */
 static krb5_boolean
-acl_match_data(e1, e2, targetflag, ws)
+kadm5int_acl_match_data(e1, e2, targetflag, ws)
     krb5_data	*e1, *e2;
     int		targetflag;
     wildstate_t	*ws;
@@ -591,7 +593,7 @@
 	if (ws && !targetflag) {
 	    if (ws->nwild >= 9) {
 		DPRINT(DEBUG_ACL, acl_debug_level,
-			("Too many wildcards in ACL entry %s\n", e1->data));
+		    ("Too many wildcards in ACL entry %s\n", e1->data));
 	    }
 	    else
 		ws->backref[ws->nwild++] = e2;
@@ -602,7 +604,7 @@
 	int	n = e1->data[1] - '1';
 	if (n >= ws->nwild) {
 	    DPRINT(DEBUG_ACL, acl_debug_level,
-		    ("Too many backrefs in ACL entry %s\n", e1->data));
+		   ("Too many backrefs in ACL entry %s\n", e1->data));
 	}
 	else if ((ws->backref[n]->length == e2->length) &&
 		 (!strncmp(ws->backref[n]->data, e2->data, e2->length)))
@@ -619,10 +621,10 @@
 }
 
 /*
- * acl_find_entry()	- Find a matching entry.
+ * kadm5int_acl_find_entry()	- Find a matching entry.
  */
 static aent_t *
-acl_find_entry(kcontext, principal, dest_princ)
+kadm5int_acl_find_entry(kcontext, principal, dest_princ)
     krb5_context	kcontext;
     krb5_principal	principal;
     krb5_principal	dest_princ;
@@ -633,7 +635,7 @@
     int			matchgood;
     wildstate_t		state;
 
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_find_entry()\n"));
+    DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
     memset((char *)&state, 0, sizeof state);
     for (entry=acl_list_head; entry; entry = entry->ae_next) {
 	if (entry->ae_name_bad)
@@ -656,12 +658,12 @@
 		continue;
 	    }
 	    matchgood = 0;
-	    if (acl_match_data(&entry->ae_principal->realm,
+	    if (kadm5int_acl_match_data(&entry->ae_principal->realm,
 			       &principal->realm, 0, (wildstate_t *)0) &&
 		(entry->ae_principal->length == principal->length)) {
 		matchgood = 1;
 		for (i=0; i<principal->length; i++) {
-		    if (!acl_match_data(&entry->ae_principal->data[i],
+		    if (!kadm5int_acl_match_data(&entry->ae_principal->data[i],
 					&principal->data[i], 0, &state)) {
 			matchgood = 0;
 			break;
@@ -673,46 +675,44 @@
 	    continue;
 
 	/* We've matched the principal.  If we have a target, then try it */
-	if (entry->ae_target) {
-	    if (!strcmp(entry->ae_target, "*"))
-		break;
+	if (entry->ae_target && strcmp(entry->ae_target, "*")) {
 	    if (!entry->ae_target_princ && !entry->ae_target_bad) {
 		kret = krb5_parse_name(kcontext, entry->ae_target,
 				       &entry->ae_target_princ);
 		if (kret)
 		    entry->ae_target_bad = 1;
 	    }
-	}
-	if (entry->ae_target_bad) {
-	    DPRINT(DEBUG_ACL, acl_debug_level,
-		   ("Bad target in ACL entry for %s\n", entry->ae_name));
-	    entry->ae_name_bad = 1;
-	    continue;
-	}
-	if (entry->ae_target && !dest_princ)
-	    matchgood = 0;
-	else if (entry->ae_target && entry->ae_target_princ && dest_princ) {
-	    if (acl_match_data(&entry->ae_target_princ->realm,
-			       &dest_princ->realm, 1, (wildstate_t *)0) &&
-		(entry->ae_target_princ->length == dest_princ->length)) {
-		for (i=0; i<dest_princ->length; i++) {
-		    if (!acl_match_data(&entry->ae_target_princ->data[i],
-					&dest_princ->data[i], 1, &state)) {
-			matchgood = 0;
-			break;
+	    if (entry->ae_target_bad) {
+	        DPRINT(DEBUG_ACL, acl_debug_level,
+		       ("Bad target in ACL entry for %s\n", entry->ae_name));
+	        entry->ae_name_bad = 1;
+	        continue;
+	    }
+	    if (!dest_princ)
+	        matchgood = 0;
+	    else if (entry->ae_target_princ && dest_princ) {
+	        if (kadm5int_acl_match_data(&entry->ae_target_princ->realm,
+			           &dest_princ->realm, 1, (wildstate_t *)0) &&
+		    (entry->ae_target_princ->length == dest_princ->length)) {
+		    for (i=0; i<dest_princ->length; i++) {
+		        if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i],
+			  		    &dest_princ->data[i], 1, &state)) {
+			    matchgood = 0;
+			    break;
+		        }
 		    }
-		}
+	        }
+	        else
+		    matchgood = 0;
 	    }
-	    else
-		matchgood = 0;
-	}
+        }
 	if (!matchgood)
 	    continue;
 
 	if (entry->ae_restriction_string
 	    && !entry->ae_restriction_bad
 	    && !entry->ae_restrictions
-	    && acl_parse_restrictions(entry->ae_restriction_string,
+	    && kadm5int_acl_parse_restrictions(entry->ae_restriction_string,
 				      &entry->ae_restrictions)) {
 	    DPRINT(DEBUG_ACL, acl_debug_level,
 		   ("Bad restrictions in ACL entry for %s\n", entry->ae_name));
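Review bot: The `else if (entry->ae_target_princ && dest_princ)` chain in the restructured target check has no final `else`, so if `ae_target_princ` were ever NULL at that point, `matchgood` would keep the value left by the principal match and the entry would be accepted without comparing the target. From the visible lines a successful `krb5_parse_name` should always set it, so this is defensive, but an authorization check should fail closed: drop the redundant `dest_princ` test and add `else matchgood = 0;`. The rewrite also changes behaviour for a `*` target, which used to `break` out of the loop immediately and now falls through to the restriction parsing below. A comment such as `/* "*" target matches any principal; restrictions still apply */` would record that this is intended. The function body starts and ends outside this hunk.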
@@ -724,15 +724,15 @@
 	}
 	break;
     }
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_find_entry()=%x\n",entry));
+    DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry));
     return(entry);
 }
 
 /*
- * acl_init()	- Initialize ACL context.
+ * kadm5int_acl_init()	- Initialize ACL context.
  */
 krb5_error_code
-acl_init(kcontext, debug_level, acl_file)
+kadm5int_acl_init(kcontext, debug_level, acl_file)
     krb5_context	kcontext;
     int			debug_level;
     char		*acl_file;
@@ -742,30 +742,30 @@
     kret = 0;
     acl_debug_level = debug_level;
     DPRINT(DEBUG_CALLS, acl_debug_level,
-	   ("* acl_init(afile=%s)\n",
+	   ("* kadm5int_acl_init(afile=%s)\n",
 	    ((acl_file) ? acl_file : "(null)")));
     acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL;
-    acl_inited = acl_load_acl_file();
+    acl_inited = kadm5int_acl_load_acl_file();
 
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_init() = %d\n", kret));
+    DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_init() = %d\n", kret));
     return(kret);
 }
 
 /*
- * acl_finish	- Terminate ACL context.
+ * kadm5int_acl_finish	- Terminate ACL context.
  */
 void
-acl_finish(kcontext, debug_level)
+kadm5int_acl_finish(kcontext, debug_level)
     krb5_context	kcontext;
     int			debug_level;
 {
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_finish()\n"));
-    acl_free_entries();
-    DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_finish()\n"));
+    DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n"));
+    kadm5int_acl_free_entries();
+    DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_finish()\n"));
 }
 
 /*
- * acl_check()	- Is this operation permitted for this principal?
+ * kadm5int_acl_check()	- Is this operation permitted for this principal?
  *			this code used not to be based on gssapi.  In order
  *			to minimize porting hassles, I've put all the
  *			gssapi hair in this function.  This might not be
@@ -773,7 +773,7 @@
  *			solution is, of course, a real authorization service.)
  */
 krb5_boolean
-acl_check(kcontext, caller, opmask, principal, restrictions)
+kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
     krb5_context	kcontext;
     gss_name_t		caller;
     krb5_int32		opmask;
@@ -806,7 +806,9 @@
        return(code);
 
     retval = 0;
-    if (aentry = acl_find_entry(kcontext, caller_princ, principal)) {
+
+    aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
+    if (aentry) {
 	if ((aentry->ae_op_allowed & opmask) == opmask) {
 	    retval = 1;
 	    if (restrictions) {
@@ -828,8 +830,6 @@
 kadm5_ret_t
 kadm5_get_privs(void *server_handle, long *privs)
 {
-     kadm5_server_handle_t handle = server_handle;
-
      CHECK_HANDLE(server_handle);
 
      /* this is impossible to do with the current interface.  For now,
@@ -869,7 +869,7 @@
 	if (k_error)
 		return(retval);
 
-	if (aentry = acl_find_entry(handle->context, caller_principal,
+	if (aentry = kadm5int_acl_find_entry(handle->context, caller_principal,
 					(krb5_principal)NULL))
 		*privs = aentry->ae_op_allowed;
 	krb5_free_principal(handle->context, caller_principal);
--- a/usr/src/lib/krb5/kadm5/srv/server_acl.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/server_acl.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -118,20 +118,20 @@
     char		*policy;
 } restriction_t;
 
-krb5_error_code acl_init
+krb5_error_code kadm5int_acl_init
 	(krb5_context,
 		   int,
 		   char *);
-void acl_finish
+void kadm5int_acl_finish
 	(krb5_context,
 		   int);
-krb5_boolean acl_check
+krb5_boolean kadm5int_acl_check
 	(krb5_context,
 		   gss_name_t,
 		   krb5_int32,
 		   krb5_principal,
 		   restriction_t **);
-krb5_error_code acl_impose_restrictions
+krb5_error_code kadm5int_acl_impose_restrictions
 	(krb5_context,
 		   kadm5_principal_ent_rec *,
 		   long *,
--- a/usr/src/lib/krb5/kadm5/srv/server_dict.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/server_dict.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,11 +21,11 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/server_dict.c,v 1.2 1996/10/18 19:45:52 bjaspan Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_dict.c,v 1.7 2003/01/05 23:27:59 hartmans Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/server_dict.c,v 1.2 1996/10/18 19:45:52 bjaspan Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_dict.c,v 1.7 2003/01/05 23:27:59 hartmans Exp $";
 #endif
 
 #include    <sys/types.h>
@@ -33,19 +33,23 @@
 #include    <fcntl.h>
 #include    <sys/stat.h>
 #include    <unistd.h>
+#include <errno.h>
 #include    <kadm5/admin.h>
 #include    <stdlib.h>
 #include    <stdio.h>
 #include    <string.h>
+#ifdef HAVE_MEMORY_H
 #include    <memory.h>
+#endif
+#include    "adm_proto.h"
 #include    <syslog.h>
 #include    <libintl.h>
 #include    "server_internal.h"
 
 static char	    **word_list = NULL;	    /* list of word pointers */
 static char	    *word_block = NULL;	    /* actual word data */
-static int	    word_count = 0;	    /* number of words */
-extern int	    errno;
+static unsigned int word_count = 0;	    /* number of words */
+
 
 /*
  * Function: word_compare
@@ -65,7 +69,7 @@
 static int
 word_compare(const void *s1, const void *s2)
 {
-    return (strcasecmp(*(char **)s1, *(char **)s2));
+    return (strcasecmp(*(const char **)s1, *(const char **)s2));
 }
 
 /*
@@ -75,7 +79,7 @@
  *
  * Arguments:
  *	    none
- *	    <return value> KADM5_OK on sucsess errno on failure;
+ *	    <return value> KADM5_OK on success errno on failure;
  * 			   (but success on ENOENT)
  *
  * Requires:
@@ -106,7 +110,7 @@
     if(word_list != NULL && word_block != NULL)
 	return KADM5_OK;
     if (! (params->mask & KADM5_CONFIG_DICT_FILE)) {
-	 syslog(LOG_INFO, 
+	 krb5_klog_syslog(LOG_INFO, 
 		dgettext(TEXT_DOMAIN,
 			"No dictionary file specified, continuing "
 			"without one."));
@@ -114,7 +118,7 @@
     }
     if ((fd = open(params->dict_file, O_RDONLY)) == -1) {
 	 if (errno == ENOENT) {
-	      syslog(LOG_ERR,
+	      krb5_klog_syslog(LOG_ERR, 
 		     dgettext(TEXT_DOMAIN,
 			"WARNING!  Cannot find dictionary file %s, "
 			     "continuing without one."), params->dict_file);
--- a/usr/src/lib/krb5/kadm5/srv/server_init.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/server_init.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -26,12 +26,12 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
  *
- * $Id: server_init.c,v 1.5 1997/10/13 15:03:13 epeisach Exp $
+ * $Id: server_init.c,v 1.8 2002/10/15 15:40:49 epeisach Exp $
  * $Source: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_init.c,v $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_init.c,v 1.5 1997/10/13 15:03:13 epeisach Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_init.c,v 1.8 2002/10/15 15:40:49 epeisach Exp $";
 #endif
 
 #include <stdio.h>
@@ -138,7 +138,8 @@
 	 return ENOMEM;
     memset(handle, 0, sizeof(*handle));
 
-    if (ret = (int) krb5_init_context(&(handle->context))) {
+    ret = (int) krb5_init_context(&(handle->context));
+    if (ret) {
 	 free(handle);
 	 return(ret);
     }
@@ -178,11 +179,10 @@
 	  return KADM5_BAD_SERVER_PARAMS;
      }
 
-     if (ret = kadm5_get_config_params(handle->context,
-				       (char *) NULL,
-				       (char *) NULL,
-				       params_in,
-				       &handle->params)) {
+     ret = kadm5_get_config_params(handle->context, (char *) NULL,
+				       (char *) NULL, params_in,
+				       &handle->params);
+     if (ret) {
 	  krb5_free_context(handle->context);
 	  free(handle);
 	  return(ret);
@@ -195,23 +195,26 @@
 			 KADM5_CONFIG_FLAGS | \
 			 KADM5_CONFIG_MAX_LIFE | KADM5_CONFIG_MAX_RLIFE | \
 			 KADM5_CONFIG_EXPIRATION | KADM5_CONFIG_ENCTYPES) 
+
      if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
 	  krb5_free_context(handle->context);
 	  free(handle);
 	  return KADM5_MISSING_CONF_PARAMS;
      }
 
-    /*
-     * Set the db_name based on configuration before calling
-     * krb5_db_init, so it will get used.
-     */
-    if (ret = krb5_db_set_name(handle->context,
-				   handle->params.dbname)) {
+     /*
+      * Set the db_name based on configuration before calling
+      * krb5_db_init, so it will get used.
+      */
+
+    ret = krb5_db_set_name(handle->context, handle->params.dbname);
+    if (ret) {
 	 free(handle);
 	 return(ret);
     }
 
-    if (ret = krb5_db_init(handle->context)) {
+    ret = krb5_db_init(handle->context);
+    if (ret) {
 	 krb5_free_context(handle->context);
 	 free(handle);
 	 return(ret);
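Review bot: The `krb5_db_set_name` failure path frees `handle` but not `handle->context`, unlike the `REQUIRED_PARAMS` and `krb5_db_init` failure paths on either side of it; add `krb5_free_context(handle->context);` before `free(handle);`. The same kind of gap appears in the next hunk (`@@ -225,69 +228,73 @@`): the `check_handle` failure path only calls `free(handle)`, so the database, the context and the newly allocated `handle->lhandle` are not released. None of the later failure paths visible there free `handle->lhandle` either. A single cleanup label that releases `lhandle`, the database and the context in reverse order of acquisition would keep these paths consistent. The enclosing function starts and ends outside both hunks.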
@@ -225,69 +228,73 @@
 	 return ret;
     }
 
-     if (! (handle->lhandle = malloc(sizeof(*handle)))) {
-	  krb5_db_fini(handle->context);
-	  krb5_free_context(handle->context);
-	  free(handle);
-	  return ENOMEM;
-     }
-     *handle->lhandle = *handle;
-     handle->lhandle->api_version = KADM5_API_VERSION_2;
-     handle->lhandle->struct_version = KADM5_STRUCT_VERSION;
-     handle->lhandle->lhandle = handle->lhandle;
-
-     /* can't check the handle until current_caller is set */
-    if (ret = check_handle((void *) handle)) {
+    if (! (handle->lhandle = malloc(sizeof(*handle)))) {
+	 krb5_db_fini(handle->context);
+	 krb5_free_context(handle->context);
 	 free(handle);
-	 return ret;
+	 return ENOMEM;
     }
+    *handle->lhandle = *handle;
+    handle->lhandle->api_version = KADM5_API_VERSION_2;
+    handle->lhandle->struct_version = KADM5_STRUCT_VERSION;
+    handle->lhandle->lhandle = handle->lhandle;
 
-     /*
-      * The KADM5_API_VERSION_1 spec said "If pass (or keytab) is NULL
-      * or an empty string, reads the master password from [the stash
-      * file].  Otherwise, the non-NULL password is ignored and the
-      * user is prompted for it via the tty."  However, the code was
-      * implemented the other way: when a non-NULL password was
-      * provided, the stash file was used.  This is somewhat more
-      * sensible, as then a local or remote client that provides a
-      * password does not prompt the user.  This code maintains the
-      * previous actual behavior, and not the old spec behavior,
-      * because that is how the unit tests are written.
-      *
-      * In KADM5_API_VERSION_2, this decision is controlled by
-      * params.
-      *
-      * kdb_init_master's third argument is "from_keyboard".
-      */ 
-    if (ret = kdb_init_master(handle, handle->params.realm,
-			      (handle->api_version == KADM5_API_VERSION_1 ?
-			       ((pass == NULL) || !(strlen(pass))) :
-			       ((handle->params.mask &
-				 KADM5_CONFIG_MKEY_FROM_KBD) &&
-				handle->params.mkey_from_kbd))
-			      )) {
+    /* can't check the handle until current_caller is set */
+    ret = check_handle((void *) handle);
+    if (ret) {
+        free(handle);
+	return ret;
+    }
+     
+    /*
+     * The KADM5_API_VERSION_1 spec said "If pass (or keytab) is NULL
+     * or an empty string, reads the master password from [the stash
+     * file].  Otherwise, the non-NULL password is ignored and the
+     * user is prompted for it via the tty."  However, the code was
+     * implemented the other way: when a non-NULL password was
+     * provided, the stash file was used.  This is somewhat more
+     * sensible, as then a local or remote client that provides a
+     * password does not prompt the user.  This code maintains the
+     * previous actual behavior, and not the old spec behavior,
+     * because that is how the unit tests are written.
+     *
+     * In KADM5_API_VERSION_2, this decision is controlled by
+     * params.
+     *
+     * kdb_init_master's third argument is "from_keyboard".
+     */
+    ret = kdb_init_master(handle, handle->params.realm,
+			  (handle->api_version == KADM5_API_VERSION_1 ?
+			   ((pass == NULL) || !(strlen(pass))) :
+			   ((handle->params.mask & KADM5_CONFIG_MKEY_FROM_KBD)
+			    && handle->params.mkey_from_kbd)
+			   )); 
+    if (ret) {
+        krb5_db_fini(handle->context);
+	krb5_free_context(handle->context);
+	free(handle);
+	return ret;
+    }
+    
+    ret = kdb_init_hist(handle, handle->params.realm);
+    if (ret) {
 	 krb5_db_fini(handle->context);
 	 krb5_free_context(handle->context);
 	 free(handle);
 	 return ret;
     }
 
-    if ((ret = kdb_init_hist(handle, handle->params.realm))) {
-	 krb5_db_fini(handle->context);
-	 krb5_free_context(handle->context);
-	 free(handle);
-	 return ret;
-    }
-
-    if (ret = init_dict(&handle->params)) {
-	 krb5_db_fini(handle->context);
+    ret = init_dict(&handle->params);
+    if (ret) {
+         krb5_db_fini(handle->context);
 	 krb5_free_principal(handle->context, handle->current_caller);
 	 krb5_free_context(handle->context);
 	 free(handle);
 	 return ret;
     }
     
-    if (ret = adb_policy_init(handle)) {
+    ret = adb_policy_init(handle);
+    if (ret) {
 	 krb5_db_fini(handle->context);
 	 krb5_free_principal(handle->context, handle->current_caller);
 	 krb5_free_context(handle->context);
@@ -321,6 +328,38 @@
     return KADM5_OK;
 }
 
+kadm5_ret_t kadm5_lock(void *server_handle)
+{
+    kadm5_server_handle_t handle = server_handle;
+    kadm5_ret_t ret;
+
+    CHECK_HANDLE(server_handle);
+    ret = osa_adb_open_and_lock(handle->policy_db, OSA_ADB_EXCLUSIVE);
+    if (ret)
+	return ret;
+    ret = krb5_db_lock(handle->context, KRB5_LOCKMODE_EXCLUSIVE);
+    if (ret)
+	return ret;
+
+    return KADM5_OK;
+}
+
+kadm5_ret_t kadm5_unlock(void *server_handle)
+{
+    kadm5_server_handle_t handle = server_handle;
+    kadm5_ret_t ret;
+
+    CHECK_HANDLE(server_handle);
+    ret = osa_adb_close_and_unlock(handle->policy_db);
+    if (ret)
+	return ret;
+    ret = krb5_db_unlock(handle->context);
+    if (ret)
+	return ret;
+
+    return KADM5_OK;
+}
+
 kadm5_ret_t kadm5_flush(void *server_handle)
 {
      kadm5_server_handle_t handle = server_handle;
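Review bot: `kadm5_lock` returns with the policy database still locked when `krb5_db_lock` fails after `osa_adb_open_and_lock` has succeeded, so a caller that sees an error is left holding one of the two locks. Release it on that path: `if (ret) { (void) osa_adb_close_and_unlock(handle->policy_db); return ret; }`. `kadm5_unlock` has the mirror problem: an error from `osa_adb_close_and_unlock` returns before `krb5_db_unlock` is attempted, so it would be safer to attempt both and return the first error. Both functions would also benefit from a header comment stating that the locks are exclusive and taken in the order policy database, then principal database.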
--- a/usr/src/lib/krb5/kadm5/srv/server_kdb.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/server_kdb.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -25,11 +25,11 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_kdb.c,v 1.2 1998/10/30 02:54:39 marc Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_kdb.c,v 1.4 2003/06/13 22:30:59 tlyu Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_kdb.c,v 1.2 1998/10/30 02:54:39 marc Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_kdb.c,v 1.4 2003/06/13 22:30:59 tlyu Exp $";
 #endif
 
 #include <stdio.h>
@@ -59,7 +59,10 @@
 {
     int		   ret = 0;
     char	   *realm;
-    krb5_keyblock  tmk;
+    krb5_boolean   from_kbd = FALSE;
+
+    if (from_keyboard)
+      from_kbd = TRUE;
 
     if (r == NULL)  {
 	if ((ret = krb5_get_default_realm(handle->context, &realm)))
@@ -73,14 +76,15 @@
 				       realm, NULL, &master_princ)))
 	goto done;
 
-    if (ret = krb5_db_fetch_mkey(handle->context, master_princ,
-				 handle->params.enctype,
-				from_keyboard,
-				 FALSE /* only prompt once */,
-				 handle->params.stash_file,
-				 NULL /* I'm not sure about this,
-					 but it's what the kdc does --marc */,
-				 &handle->master_keyblock))
+
+    ret = krb5_db_fetch_mkey(handle->context, master_princ,
+			     handle->params.enctype, from_kbd,
+			     FALSE /* only prompt once */,
+			     handle->params.stash_file,
+			     NULL /* I'm not sure about this,
+				     but it's what the kdc does --marc */,
+			     &handle->master_keyblock);
+    if (ret)
 	goto done;
 				 
     if ((ret = krb5_db_init(handle->context)) != KSUCCESS)
@@ -171,11 +175,10 @@
 	ks[0].ks_enctype = handle->params.enctype;
 	ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
 	ret = kadm5_create_principal_3(handle, &ent,
-				     (KADM5_PRINCIPAL |
-				       KADM5_MAX_LIFE |
-				       KADM5_ATTRIBUTES),
+				       (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
+					KADM5_ATTRIBUTES),
 				       1, ks,
-				      "to-be-random");
+				       "to-be-random");
 	if (ret)
 	    goto done;
 
@@ -200,12 +203,12 @@
     }
 
     ret = krb5_dbe_find_enctype(handle->context, &hist_db,
-			    handle->params.enctype, -1, -1, &key_data);
+				handle->params.enctype, -1, -1, &key_data);
     if (ret)
 	goto done;
 
     ret = krb5_dbekd_decrypt_key_data(handle->context,
-		&handle->master_keyblock, key_data, &hist_key, NULL);
+				 &handle->master_keyblock, key_data, &hist_key, NULL);
     if (ret)
 	goto done;
 
@@ -247,8 +250,9 @@
     krb5_tl_data tl_data;
     XDR xdrs;
 
-    if (ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs,
-				    &more))
+    ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs,
+				&more);
+    if (ret)
 	return(ret);
 
     if (more) {
@@ -357,11 +361,13 @@
     krb5_tl_data tl_data;
     int one;
 
-    if (ret = krb5_timeofday(handle->context, &now))
+    ret = krb5_timeofday(handle->context, &now);
+    if (ret)
 	return(ret);
 
-    if (ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now,
-					     handle->current_caller))
+    ret = krb5_dbe_update_mod_princ_data(handle->context, kdb, now,
+					 handle->current_caller);
+    if (ret)
 	return(ret);
     
     xdralloc_create(&xdrs, XDR_ENCODE); 
@@ -382,7 +388,8 @@
 
     one = 1;
 
-    if (ret = krb5_db_put_principal(handle->context, kdb, &one))
+    ret = krb5_db_put_principal(handle->context, kdb, &one);
+    if (ret)
 	return(ret);
 
     return(0);
@@ -424,9 +431,11 @@
     id.func = iter_fct;
     id.data = data;
 
-    if (ret = krb5_db_iterate(handle->context, kdb_iter_func, &id))
+    ret = krb5_db_iterate(handle->context, kdb_iter_func, &id);
+    if (ret)
 	return(ret);
 
     return(0);
 }
 
+
--- a/usr/src/lib/krb5/kadm5/srv/server_misc.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/server_misc.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,11 +21,11 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_misc.c,v 1.2 1997/08/07 00:23:11 tlyu Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_misc.c,v 1.4 2001/06/18 18:58:00 epeisach Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_misc.c,v 1.2 1997/08/07 00:23:11 tlyu Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/server_misc.c,v 1.4 2001/06/18 18:58:00 epeisach Exp $";
 #endif
 
 #include    "k5-int.h"
@@ -61,6 +61,7 @@
     return KADM5_OK;
 }
 
+#ifdef HESIOD
 /* stolen from v4sever/kadm_funcs.c */
 static char *
 reverse(str)
@@ -81,7 +82,9 @@
 	
 	return(newstr);
 }
+#endif /* HESIOD */
 
+#if 0
 static int
 lower(str)
 	char	*str;
@@ -97,7 +100,9 @@
 	}
 	return(effect);
 }
+#endif
 
+#ifdef HESIOD
 static int
 str_check_gecos(gecos, pwstr)
 	char	*gecos;
@@ -130,6 +135,7 @@
 	}
 	return 0;
 }
+#endif /* HESIOD */
 
 /* some of this is stolen from gatekeeper ... */
 kadm5_ret_t
@@ -153,17 +159,17 @@
 	    return KADM5_PASS_Q_TOOSHORT;
 	s = password;
 	while ((c = *s++)) {
-	    if (islower(c)) {
+	    if (islower((int) c)) {
 		nlower = 1;
 		continue;
 	    }
-	    else if (isupper(c)) {
+	    else if (isupper((int) c)) {
 		nupper = 1;
 		continue;
-	    } else if (isdigit(c)) {
+	    } else if (isdigit((int) c)) {
 		ndigit = 1;
 		continue;
-	    } else if (ispunct(c)) {
+	    } else if (ispunct((int) c)) {
 		npunct = 1;
 		continue;
 	    } else {
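Review bot: The added `(int)` casts do not change what is passed to `islower`/`isupper`/`isdigit`/`ispunct`. If `c` is a plain `char` (its declaration is outside this hunk) and `char` is signed on the platform, a password byte above 0x7f still arrives as a negative value, which the `<ctype.h>` functions do not accept unless it equals `EOF`. Cast through `unsigned char` instead, e.g. `islower((unsigned char) c)`, on all four calls. The loop and the function continue outside the hunk.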
@@ -176,13 +182,12 @@
 	if((find_word(password) == KADM5_OK))
 	    return KADM5_PASS_Q_DICT;
 	else { 
-	    char	*cp;
-	    int	c, n = krb5_princ_size(handle->context, principal);
+	    int	i, n = krb5_princ_size(handle->context, principal);
 	    cp = krb5_princ_realm(handle->context, principal)->data;
 	    if (strcasecmp(cp, password) == 0)
 		return KADM5_PASS_Q_DICT;
-	    for (c = 0; c < n ; c++) {
-		cp = krb5_princ_component(handle->context, principal, c)->data;
+	    for (i = 0; i < n ; i++) {
+		cp = krb5_princ_component(handle->context, principal, i)->data;
 		if (strcasecmp(cp, password) == 0)
 		    return KADM5_PASS_Q_DICT;
 #ifdef HESIOD
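Review bot: `strcasecmp(cp, password)` treats the `data` member of the realm and of each principal component as a NUL-terminated string, but a `krb5_data` carries an explicit `length` and its buffer is not guaranteed to be terminated. If that assumption does not hold for every principal reaching this check, the comparison reads past the end of the buffer. Comparing by length avoids the dependency: `d->length == strlen(password) && strncasecmp(d->data, password, d->length) == 0`, with `d` the `krb5_data *` returned by `krb5_princ_realm` or `krb5_princ_component`. The enclosing function begins and ends outside this hunk.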
--- a/usr/src/lib/krb5/kadm5/srv/svr_chpass_util.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/svr_chpass_util.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 1997-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -31,7 +31,7 @@
 					char *new_pw, 
 					char **ret_pw,
 					char *msg_ret,
-					int msg_len)
+					unsigned int msg_len)
 {
   kadm5_server_handle_t handle = server_handle;
 
--- a/usr/src/lib/krb5/kadm5/srv/svr_iters.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/svr_iters.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,11 +21,11 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_iters.c,v 1.2 1996/11/07 21:43:14 bjaspan Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_iters.c,v 1.6 2003/01/12 18:17:02 epeisach Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_iters.c,v 1.2 1996/11/07 21:43:14 bjaspan Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_iters.c,v 1.6 2003/01/12 18:17:02 epeisach Exp $";
 #endif
 
 #if defined(HAVE_COMPILE) && defined(HAVE_STEP)
@@ -42,7 +42,6 @@
 #include	<string.h>
 #include	<kadm5/admin.h>
 #include	"adb.h"
-#include	<dyn/dyn.h>
 #ifdef SOLARIS_REGEXPS
 #include	<regexpr.h>
 #endif
@@ -59,7 +58,9 @@
 
 struct iter_data {
      krb5_context context;
-     DynObject matches;
+     char **names;
+     int n_names, sz_names;
+     unsigned int malloc_failed;
      char *exp;
 #ifdef SOLARIS_REGEXPS
      char *expbuf;
@@ -96,7 +97,7 @@
  *	other characters are copied
  *	regexp is anchored with ^ and $
  */
-kadm5_ret_t glob_to_regexp(char *glob, char *realm, char **regexp)
+static kadm5_ret_t glob_to_regexp(char *glob, char *realm, char **regexp)
 {
      int append_realm;
      char *p;
@@ -151,26 +152,38 @@
      return KADM5_OK;
 }
 
-void get_either_iter(struct iter_data *data, char *name)
+static void get_either_iter(struct iter_data *data, char *name)
 {
-     if (
+     int match;
 #ifdef SOLARIS_REGEXPS
-	 (step(name, data->expbuf) != 0)
+     match = (step(name, data->expbuf) != 0);
 #endif
 #ifdef POSIX_REGEXPS
-	 (regexec(&data->preg, name, 0, NULL, 0) == 0)
+     match = (regexec(&data->preg, name, 0, NULL, 0) == 0);
 #endif
 #ifdef BSD_REGEXPS
-	 (re_exec(name) != 0)
+     match = (re_exec(name) != 0);
 #endif
-	 )
-     {
-	  (void) DynAdd(data->matches, &name);
+     if (match) {
+	  if (data->n_names == data->sz_names) {
+	       int new_sz = data->sz_names * 2;
+	       char **new_names = realloc(data->names,
+					  new_sz * sizeof(char *));
+	       if (new_names) {
+		    data->names = new_names;
+		    data->sz_names = new_sz;
+	       } else {
+		    data->malloc_failed = 1;
+		    free(name);
+		    return;
+	       }
+	  }
+	  data->names[data->n_names++] = name;
      } else
 	  free(name);
 }
 
-void get_pols_iter(void *data, osa_policy_ent_t entry)
+static void get_pols_iter(void *data, osa_policy_ent_t entry)
 {
      char *name;
 
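Review bot: In `get_either_iter`, `match` is read uninitialised if none of `SOLARIS_REGEXPS`, `POSIX_REGEXPS` or `BSD_REGEXPS` is defined. Declare it as `int match = 0;` so a build without a regexp backend matches nothing instead of depending on stack contents. The growth step `new_sz = data->sz_names * 2` is also unchecked `int` arithmetic; a guard that sets `malloc_failed` and frees `name` once `sz_names` exceeds `INT_MAX / 2` would make the upper bound explicit. A short comment noting that `name` is owned by this function, stored on a match and freed otherwise, would help callers of the iterator.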
@@ -179,7 +192,7 @@
      get_either_iter(data, name);
 }
 
-void get_princs_iter(void *data, krb5_principal princ)
+static void get_princs_iter(void *data, krb5_principal princ)
 {
      struct iter_data *id = (struct iter_data *) data;
      char *name;
@@ -189,15 +202,18 @@
      get_either_iter(data, name);
 }
 
-kadm5_ret_t kadm5_get_either(int princ,
+static kadm5_ret_t kadm5_get_either(int princ,
 				       void *server_handle,
 				       char *exp,
 				       char ***princs,
 				       int *count)
 {
      struct iter_data data;
-     char *msg, *regexp;
-     int ret;
+#ifdef BSD_REGEXPS
+     char *msg;
+#endif
+     char *regexp;
+     int i, ret;
      kadm5_server_handle_t handle = server_handle;
      
      *count = 0;
@@ -227,7 +243,11 @@
 	  return EINVAL;
      }
 
-     if ((data.matches = DynCreate(sizeof(char *), -4)) == NULL) {
+     data.n_names = 0;
+     data.sz_names = 10;
+     data.malloc_failed = 0;
+     data.names = malloc(sizeof(char *) * data.sz_names);
+     if (data.names == NULL) {
 	  free(regexp);
 	  return ENOMEM;
      }
@@ -239,16 +259,21 @@
 	  ret = osa_adb_iter_policy(handle->policy_db, get_pols_iter, (void *)&data);
      }
      
+     free(regexp);
+#ifdef POSIX_REGEXPS
+     regfree(&data.preg);
+#endif
+     if (ret == OSA_ADB_OK && data.malloc_failed)
+	  ret = ENOMEM;
      if (ret != OSA_ADB_OK) {
-	  free(regexp);
-	  DynDestroy(data.matches);
+	  for (i = 0; i < data.n_names; i++)
+	       free(data.names[i]);
+	  free(data.names);
 	  return ret;
      }
 
-     (*princs) = (char **) DynArray(data.matches);
-     *count = DynSize(data.matches);
-     DynRelease(data.matches);
-     free(regexp);
+     *princs = data.names;
+     *count = data.n_names;
      return KADM5_OK;
 }
 
--- a/usr/src/lib/krb5/kadm5/srv/svr_misc_free.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/svr_misc_free.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,12 +21,12 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_misc_free.c,v 1.2 1996/10/18 19:45:53 bjaspan Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_misc_free.c,v 1.2 1996/10/18 19:45:53 bjaspan Exp $
  * 
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_misc_free.c,v 1.2 1996/10/18 19:45:53 bjaspan Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_misc_free.c,v 1.2 1996/10/18 19:45:53 bjaspan Exp $";
 #endif
 #include	<kadm5/admin.h>
 #include	<stdlib.h>
--- a/usr/src/lib/krb5/kadm5/srv/svr_policy.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/svr_policy.c	Sat Oct 07 13:37:05 2006 -0700
@@ -21,11 +21,11 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_policy.c,v 1.1 1996/07/24 22:23:36 tlyu Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_policy.c,v 1.2 2001/06/20 05:01:37 mitchb Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /afs/athena.mit.edu/astaff/project/krbdev/.cvsroot/src/lib/kadm5/srv/svr_policy.c,v 1.1 1996/07/24 22:23:36 tlyu Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_policy.c,v 1.2 2001/06/20 05:01:37 mitchb Exp $";
 #endif
 
 #include	<sys/types.h>
@@ -49,7 +49,7 @@
  *	entry	(input) The policy entry to be written out to the DB.
  *	mask	(input)	Specifies which fields in entry are to ge written out
  *			and which get default values.
- *	<return value> 0 if sucsessfull otherwise an error code is returned.
+ *	<return value> 0 if successful otherwise an error code is returned.
  *
  * Requires:
  *	Entry must be a valid principal entry, and mask have a valid value.
@@ -82,14 +82,14 @@
  *	entry	(input) The policy entry to be written out to the DB.
  *	mask	(input)	Specifies which fields in entry are to ge written out
  *			and which get default values.
- *	<return value> 0 if sucsessfull otherwise an error code is returned.
+ *	<return value> 0 if successful otherwise an error code is returned.
  *
  * Requires:
  *	Entry must be a valid principal entry, and mask have a valid value.
  * 
  * Effects:
  *	Writes the data to the database, and does a database sync if
- *	sucsessfull.
+ *	successful.
  *
  */
 
--- a/usr/src/lib/krb5/kadm5/srv/svr_principal.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/srv/svr_principal.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -26,11 +26,11 @@
 /*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
- * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v 1.19 2000/02/27 22:18:16 tlyu Exp $
+ * $Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v 1.30.8.1 2004/12/20 21:16:20 tlyu Exp $
  */
 
 #if !defined(lint) && !defined(__CODECENTER__)
-static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v 1.19 2000/02/27 22:18:16 tlyu Exp $";
+static char *rcsid = "$Header: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v 1.30.8.1 2004/12/20 21:16:20 tlyu Exp $";
 #endif
 
 #include	<sys/types.h>
@@ -44,6 +44,9 @@
 #include	"server_internal.h"
 #include	<stdarg.h>
 #include	<stdlib.h>
+#ifdef USE_PASSWORD_SERVER
+#include	<sys/wait.h>
+#endif
 
 extern	krb5_principal	    master_princ;
 extern	krb5_principal	    hist_princ;
@@ -56,8 +59,8 @@
 krb5_free_key_data_contents(krb5_context context, krb5_key_data *key);
 
 static int decrypt_key_data(krb5_context context,
-	krb5_keyblock *, int n_key_data, krb5_key_data *key_data,
-	krb5_keyblock **keyblocks, int *n_keys);
+			    krb5_keyblock *, int n_key_data, krb5_key_data *key_data,
+			    krb5_keyblock **keyblocks, int *n_keys);
 
 /*
  * XXX Functions that ought to be in libkrb5.a, but aren't.
@@ -135,8 +138,9 @@
 	 * Default to using the new API with the default set of
 	 * key/salt combinations.
 	 */
-	return (kadm5_create_principal_3(server_handle, entry, mask,
-			0, NULL, password));
+    return
+	kadm5_create_principal_3(server_handle, entry, mask,
+				 0, NULL, password);
 }
 kadm5_ret_t
 kadm5_create_principal_3(void *server_handle,
@@ -200,8 +204,8 @@
 		return ret;
 	}
     }
-    if (ret = passwd_check(handle, password, (mask & KADM5_POLICY),
-			   &polent, entry->principal)) {
+    if ((ret = passwd_check(handle, password, (mask & KADM5_POLICY),
+			    &polent, entry->principal))) {
 	if (mask & KADM5_POLICY)
 	     (void) kadm5_free_policy_ent(handle->lhandle, &polent);
 	return ret;
@@ -211,10 +215,10 @@
      * "defaults" for fields that were not specified by the
      * mask.
      */
-    if (ret = krb5_timeofday(handle->context, &now)) {
-	if (mask & KADM5_POLICY)
-	     (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-	return ret;
+    if ((ret = krb5_timeofday(handle->context, &now))) {
+	 if (mask & KADM5_POLICY)
+	      (void) kadm5_free_policy_ent(handle->lhandle, &polent);
+	 return ret;
     }
 
     kdb.magic = KRB5_KDB_MAGIC_NUMBER;
@@ -229,7 +233,7 @@
 	kdb.attributes = handle->params.flags;
 	kdb.attributes |= entry->attributes;
     } else {
-	kdb.attributes = handle->params.flags;
+    kdb.attributes = handle->params.flags;
     }
 
     if ((mask & KADM5_MAX_LIFE))
@@ -265,28 +269,28 @@
        to free the entire kdb entry, and that will try to free the
        principal. */
 
-    if (ret = krb5_copy_principal(handle->context,
-				  entry->principal, &(kdb.princ))) {
+    if ((ret = krb5_copy_principal(handle->context,
+				   entry->principal, &(kdb.princ)))) {
 	if (mask & KADM5_POLICY)
 	     (void) kadm5_free_policy_ent(handle->lhandle, &polent);
 	return(ret);
     }
 
-    if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)) {
-	krb5_dbe_free_contents(handle->context, &kdb);
-	if (mask & KADM5_POLICY)
+    if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))) {
+         krb5_dbe_free_contents(handle->context, &kdb);
+	 if (mask & KADM5_POLICY)
 	     (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-	return(ret);
+	 return(ret);
     }
 
     /* initialize the keys */
 
-    if (ret = krb5_dbe_cpw(handle->context, &handle->master_keyblock,
-			   n_ks_tuple?ks_tuple:handle->params.keysalts,
-			   n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
-			   password,
-			   (mask & KADM5_KVNO)?entry->kvno:1,
-			   FALSE, &kdb)) {
+    if ((ret = krb5_dbe_cpw(handle->context, &handle->master_keyblock,
+			    n_ks_tuple?ks_tuple:handle->params.keysalts,
+			    n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+			    password,
+			    (mask & KADM5_KVNO)?entry->kvno:1,
+			    FALSE, &kdb))) {
 	krb5_dbe_free_contents(handle->context, &kdb);
 	if (mask & KADM5_POLICY)
 	     (void) kadm5_free_policy_ent(handle->lhandle, &polent);
@@ -383,7 +387,7 @@
     if (principal == NULL)
 	return EINVAL;
 
-    if (ret = kdb_get_entry(handle, principal, &kdb, &adb))
+    if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
 	return(ret);
 
     if ((adb.aux_attributes & KADM5_POLICY)) {
@@ -399,9 +403,9 @@
 		return(ret);
 	    }
 	}
-	if (ret = kadm5_free_policy_ent(handle->lhandle, &polent)) {
-	    kdb_free_entry(handle, &kdb, &adb);
-	    return ret;
+	if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) {
+	     kdb_free_entry(handle, &kdb, &adb);
+	     return ret;
 	}
     }
 
@@ -420,7 +424,7 @@
     kadm5_policy_ent_rec    npol, opol;
     int			    have_npol = 0, have_opol = 0;
     krb5_db_entry	    kdb;
-    krb5_tl_data	    *tl_data_orig, *tl_data_tail;
+    krb5_tl_data	    *tl_data_orig;
     osa_princ_ent_rec	    adb;
     kadm5_server_handle_t handle = server_handle;
 
@@ -447,7 +451,8 @@
 	 }
     }
 
-    if (ret = kdb_get_entry(handle, entry->principal, &kdb, &adb))
+    ret = kdb_get_entry(handle, entry->principal, &kdb, &adb);
+    if (ret)
 	return(ret);
 
     /*
@@ -488,6 +493,7 @@
 			break;
 		   default:
 			goto done;
+			break;
 		   }
 		   npol.policy_refcnt++;
 	      }
@@ -501,12 +507,13 @@
 
 	 /* set pw_max_life based on new policy */
 	 if (npol.pw_max_life) {
-	      if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
-							&(kdb.pw_expiration)))
-		   goto done;
-	      kdb.pw_expiration += npol.pw_max_life;
+	     ret = krb5_dbe_lookup_last_pwd_change(handle->context, &kdb,
+						   &(kdb.pw_expiration));
+	     if (ret)
+		 goto done;
+	     kdb.pw_expiration += npol.pw_max_life;
 	 } else {
-	      kdb.pw_expiration = 0;
+	     kdb.pw_expiration = 0;
 	 }
     }
 
@@ -519,6 +526,7 @@
 	 case KADM5_UNK_POLICY:
 	      ret = KADM5_BAD_DB;
 	      goto done;
+	      break;
 	 case KADM5_OK:
 	      have_opol = 1;
 	      if (adb.policy)
@@ -530,6 +538,7 @@
 	      break;
 	 default:
 	      goto done;
+	      break;
 	 }
     }
 
@@ -644,7 +653,8 @@
     }
 
     krb5_free_principal(handle->context, kdb.princ);
-    if (ret = krb5_copy_principal(handle->context, target, &kdb.princ)) {
+    ret = krb5_copy_principal(handle->context, target, &kdb.princ);
+    if (ret) {
 	kdb.princ = NULL; /* so freeing the dbe doesn't lose */
 	goto done;
     }
@@ -730,17 +740,19 @@
     /* this is a little non-sensical because the function returns two */
     /* values that must be checked separately against the mask */
     if ((mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME)) {
-	 if (ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb,
-						  &(entry->mod_date),
-						  &(entry->mod_name))) {
-	      goto done;
-	 }
-	 if (! (mask & KADM5_MOD_TIME))
-	      entry->mod_date = 0;
-	 if (! (mask & KADM5_MOD_NAME)) {
-	      krb5_free_principal(handle->context, entry->principal);
-	      entry->principal = NULL;
-	 }
+	ret = krb5_dbe_lookup_mod_princ_data(handle->context, &kdb,
+					     &(entry->mod_date), 
+					     &(entry->mod_name));
+	if (ret) {
+	    goto done;
+	}
+	
+	if (! (mask & KADM5_MOD_TIME))
+	    entry->mod_date = 0;
+	if (! (mask & KADM5_MOD_NAME)) {
+	    krb5_free_principal(handle->context, entry->principal);
+	    entry->principal = NULL;
+	}
     }
 
     if (mask & KADM5_ATTRIBUTES)
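Review bot: In the `!(mask & KADM5_MOD_NAME)` branch the code frees and clears `entry->principal`, although the lookup just above filled `entry->mod_name`; this looks like the wrong field. As written, a caller that asks only for the modification time would lose `entry->principal` (if it was set earlier in the function, which is outside this hunk) and keep an unrequested `mod_name` allocation. The branch should probably read `krb5_free_principal(handle->context, entry->mod_name); entry->mod_name = NULL;`. The enclosing function starts and ends outside the hunk, so confirm against the code that populates `entry->principal`.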
@@ -771,7 +783,7 @@
 	 if (mask & KADM5_FAIL_AUTH_COUNT)
 	      entry->fail_auth_count = kdb.fail_auth_count;
 	 if (mask & KADM5_TL_DATA) {
-	      krb5_tl_data td, *tl, *tl2;
+	      krb5_tl_data *tl, *tl2;
 
 	      entry->tl_data = NULL;
 	      
@@ -803,9 +815,10 @@
 		      entry->key_data = NULL;
 
 	      for (i = 0; i < entry->n_key_data; i++)
-		   if (ret = krb5_copy_key_data_contents(handle->context,
-							 &kdb.key_data[i],
-							 &entry->key_data[i]))
+		  ret = krb5_copy_key_data_contents(handle->context,
+						    &kdb.key_data[i],
+						    &entry->key_data[i]);
+		   if (ret)
 			goto done;
 	 }
     }
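Review bot: The rewritten key-copy loop has no braces, so only the `ret = krb5_copy_key_data_contents(...)` assignment is the loop body and `if (ret) goto done;` now runs once, after the loop has finished. A failure on any key but the last is overwritten by a later success, so the caller can receive an entry with partially copied key data together with a success code. Brace the loop so the check stays inside it: `for (i = 0; i < entry->n_key_data; i++) {` … `if (ret) goto done;` `}`. The indentation of the `if` hides the problem; the function continues outside the hunk.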
@@ -883,37 +896,38 @@
 	       krb5_keyblock *master_keyblock,
 	       krb5_keyblock *hist_keyblock,
 	       int n_new_key_data, krb5_key_data *new_key_data,
-	       int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data)
+	       unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data)
 {
     int x, y, z;
     krb5_keyblock newkey, histkey;
     krb5_error_code ret;
 
     for (x = 0; x < n_new_key_data; x++) {
-	 if (ret = krb5_dbekd_decrypt_key_data(context,
-			master_keyblock,
-			&(new_key_data[x]),
-			&newkey, NULL))
+	ret = krb5_dbekd_decrypt_key_data(context,
+					  master_keyblock,
+					  &(new_key_data[x]),
+					  &newkey, NULL);
+	if (ret)
 	    return(ret);
 	for (y = 0; y < n_pw_hist_data; y++) {
 	     for (z = 0; z < pw_hist_data[y].n_key_data; z++) {
-		  if (ret =
-		      krb5_dbekd_decrypt_key_data(context,
-						  hist_keyblock,
-						  &pw_hist_data[y].key_data[z],
-						  &histkey, NULL))
-		       return(ret);		
-		  
-		  if ((newkey.length == histkey.length) &&
-		      (newkey.enctype == histkey.enctype) &&
-		      (memcmp(newkey.contents, histkey.contents,
-			      histkey.length) == 0)) {
-		       krb5_free_keyblock_contents(context, &histkey);
-		       krb5_free_keyblock_contents(context, &newkey);
-		       
-		       return(KADM5_PASS_REUSE);
-		  }
-		  krb5_free_keyblock_contents(context, &histkey);
+		 ret = krb5_dbekd_decrypt_key_data(context,
+						   hist_keyblock,
+						   &pw_hist_data[y].key_data[z],
+						   &histkey, NULL);
+		 if (ret)
+		     return(ret);		
+		 
+		 if ((newkey.length == histkey.length) &&
+		     (newkey.enctype == histkey.enctype) &&
+		     (memcmp(newkey.contents, histkey.contents,
+			     histkey.length) == 0)) {
+		     krb5_free_keyblock_contents(context, &histkey);
+		     krb5_free_keyblock_contents(context, &newkey);
+		     
+		     return(KADM5_PASS_REUSE);
+		 }
+		 krb5_free_keyblock_contents(context, &histkey);
 	     }
 	}
 	krb5_free_keyblock_contents(context, &newkey);
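Review bot: The inner `if (ret) return(ret);` after decrypting a history key returns without releasing `newkey`, which was already decrypted at the top of the outer loop, so plaintext key material stays allocated on that error path. Free it before returning, e.g. `if (ret) { krb5_free_keyblock_contents(context, &newkey); return(ret); }`. The same pattern is in the create_history_entry hunk (`@@ -958,25 +972,29 @@`), where a failed `krb5_dbekd_encrypt_key_data` returns without freeing `key`. Separately, `y` is still `int` while `n_pw_hist_data` became `unsigned int`, so `y < n_pw_hist_data` is now a mixed-sign comparison; declaring `y` unsigned would match. The signature of check_pw_reuse starts above the hunk and its body ends below it.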
@@ -958,25 +972,29 @@
      memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data));
 
      for (i = 0; i < n_key_data; i++) {
-	  if (ret = krb5_dbekd_decrypt_key_data(context,
-						master_keyblock,
-						&key_data[i],
-						&key, &salt))
-	       return ret;
-	  if (ret = krb5_dbekd_encrypt_key_data(context,
-						&hist_key,
-						&key, &salt,
-						key_data[i].key_data_kvno,
-						&hist->key_data[i]))
-	       return ret;
-	  krb5_free_keyblock_contents(context, &key);
-	  /* krb5_free_keysalt(context, &salt); */
+	 ret = krb5_dbekd_decrypt_key_data(context,
+					   master_keyblock,
+					   &key_data[i],
+					   &key, &salt);
+	 if (ret)
+	     return ret;
+
+	 ret = krb5_dbekd_encrypt_key_data(context, &hist_key,
+					   &key, &salt,
+					   key_data[i].key_data_kvno,
+					   &hist->key_data[i]);
+	 if (ret)
+	     return ret;
+	 
+	 krb5_free_keyblock_contents(context, &key);
+	 /* krb5_free_keysalt(context, &salt); */
      }
 
      hist->n_key_data = n_key_data;
      return 0;
 }
 
+static
 void free_history_entry(krb5_context context, osa_pw_hist_ent *hist)
 {
      int i;
@@ -1013,14 +1031,13 @@
  * adb->old_key_len).
  */
 #define	KADM_MOD(x)	(x + adb->old_key_next) % adb->old_key_len
-static kadm5_ret_t add_to_history(
-					krb5_context context,
-					osa_princ_ent_t adb,
-					kadm5_policy_ent_t pol,
-					osa_pw_hist_ent *pw)
+static kadm5_ret_t add_to_history(krb5_context context,
+				  osa_princ_ent_t adb,
+				  kadm5_policy_ent_t pol,
+				  osa_pw_hist_ent *pw)
 {
-	osa_pw_hist_ent *histp;
-	int i;
+     osa_pw_hist_ent *histp;
+     int i;
 
 	/* A history of 1 means just check the current password */
 	if (pol->pw_history_num == 1)
@@ -1120,8 +1137,9 @@
 	 * Default to using the new API with the default set of
 	 * key/salt combinations.
 	 */
-	return (kadm5_chpass_principal_3(server_handle, principal, FALSE,
-			0, NULL, password));
+    return
+	kadm5_chpass_principal_3(server_handle, principal, FALSE,
+				 0, NULL, password);
 }
 
 kadm5_ret_t
@@ -1134,7 +1152,7 @@
     kadm5_policy_ent_rec	pol;
     osa_princ_ent_rec		adb;
     krb5_db_entry		kdb, kdb_save;
-    int				ret, ret2, last_pwd, i, hist_added;
+    int				ret, ret2, last_pwd, hist_added;
     int				have_pol = 0;
     kadm5_server_handle_t	handle = server_handle;
     osa_pw_hist_ent		hist;
@@ -1169,24 +1187,27 @@
 			    KADM5_POLICY, &pol, principal)))
 	 goto done;
 
-    if (ret = krb5_dbe_cpw(handle->context, &handle->master_keyblock,
-			   n_ks_tuple?ks_tuple:handle->params.keysalts,
-			   n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
-			   password, 0 /* increment kvno */,
-			   keepold, &kdb))
+    ret = krb5_dbe_cpw(handle->context, &handle->master_keyblock,
+		       n_ks_tuple?ks_tuple:handle->params.keysalts,
+		       n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+		       password, 0 /* increment kvno */,
+		       keepold, &kdb);
+    if (ret)
 	goto done;
 
     kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
 
-    if (ret = krb5_timeofday(handle->context, &now))
+    ret = krb5_timeofday(handle->context, &now);
+    if (ret)
 	 goto done;
     
     if ((adb.aux_attributes & KADM5_POLICY)) {
        /* the policy was loaded before */
 
-	if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
-						  &kdb, &last_pwd))
-	     goto done;
+	ret = krb5_dbe_lookup_last_pwd_change(handle->context,
+					      &kdb, &last_pwd);
+	if (ret)
+	    goto done;
 
 #if 0
 	 /*
@@ -1202,17 +1223,19 @@
 	}
 #endif
 
-	if (ret = create_history_entry(handle->context,
-		&handle->master_keyblock, kdb_save.n_key_data,
-		kdb_save.key_data, &hist))
-	     goto done;
+	ret = create_history_entry(handle->context,
+				   &handle->master_keyblock, kdb_save.n_key_data,
+				   kdb_save.key_data, &hist);
+	if (ret)
+	    goto done;
 
-	if (ret = check_pw_reuse(handle->context,
-				&handle->master_keyblock,
-				 &hist_key,
-				 kdb.n_key_data, kdb.key_data,
-				 1, &hist))
-	     goto done;
+	ret = check_pw_reuse(handle->context,
+			     &handle->master_keyblock,
+			     &hist_key,
+			     kdb.n_key_data, kdb.key_data,
+			     1, &hist);
+	if (ret)
+	    goto done;
 	 
 	if (pol.pw_history_num > 1) {
 	    if (adb.admin_history_kvno != hist_kvno) {
@@ -1220,15 +1243,17 @@
 		goto done;
 	    }
 
-	    if (ret = check_pw_reuse(handle->context,
+	    ret = check_pw_reuse(handle->context,
 				&handle->master_keyblock,
 				     &hist_key,
-				     kdb.n_key_data, kdb.key_data,
-				     adb.old_key_len, adb.old_keys))
+				 kdb.n_key_data, kdb.key_data,
+				 adb.old_key_len, adb.old_keys);
+	    if (ret)
 		goto done;
 
-	    if (ret = add_to_history(handle->context, &adb, &pol, &hist))
-		 goto done;
+	    ret = add_to_history(handle->context, &adb, &pol, &hist);
+	    if (ret)
+		goto done;
 	    hist_added = 1;
        }
 
@@ -1240,7 +1265,8 @@
 	kdb.pw_expiration = 0;
     }
 
-    if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))
+    ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+    if (ret)
 	goto done;
 
     if ((ret = kdb_put_entry(handle, &kdb, &adb)))
@@ -1318,16 +1344,18 @@
     if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
        return(ret);
 
-    if (ret = krb5_dbe_crk(handle->context, &handle->master_keyblock,
-			   n_ks_tuple?ks_tuple:handle->params.keysalts,
-			   n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
-			   keepold,
-			   &kdb))
-       goto done;
+    ret = krb5_dbe_crk(handle->context, &handle->master_keyblock,
+		       n_ks_tuple?ks_tuple:handle->params.keysalts,
+		       n_ks_tuple?n_ks_tuple:handle->params.num_keysalts,
+		       keepold,
+		       &kdb);
+    if (ret)
+	goto done;
 
     kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
 
-    if (ret = krb5_timeofday(handle->context, &now))
+    ret = krb5_timeofday(handle->context, &now);
+    if (ret)
 	goto done;
 
     if ((adb.aux_attributes & KADM5_POLICY)) {
@@ -1336,8 +1364,9 @@
 	   goto done;
 	have_pol = 1;
 
-	if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
-						  &kdb, &last_pwd))
+	ret = krb5_dbe_lookup_last_pwd_change(handle->context,
+					      &kdb, &last_pwd);
+	if (ret)
 	     goto done;
 
 #if 0
@@ -1360,11 +1389,12 @@
 		goto done;
 	    }
 
-	    if (ret = check_pw_reuse(handle->context,
-			&handle->master_keyblock,
-			&hist_key,
-			kdb.n_key_data, kdb.key_data,
-			adb.old_key_len, adb.old_keys))
+	    ret = check_pw_reuse(handle->context,
+				 &handle->master_keyblock,
+				 &hist_key,
+				 kdb.n_key_data, kdb.key_data,
+				 adb.old_key_len, adb.old_keys);
+	    if (ret)
 		goto done;
 	}
 	if (pol.pw_max_life)
@@ -1375,28 +1405,31 @@
 	kdb.pw_expiration = 0;
     }
 
-    if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))
+    ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now);
+    if (ret)
 	 goto done;
 
     if (keyblocks) {
 	 if (handle->api_version == KADM5_API_VERSION_1) {
 	      /* Version 1 clients will expect to see a DES_CRC enctype. */
-	      if (ret = krb5_dbe_find_enctype(handle->context, &kdb,
-					      ENCTYPE_DES_CBC_CRC,
-					      -1, -1, &key_data))
-		   goto done;
-
-	      if (ret = decrypt_key_data(handle->context,
+	     ret = krb5_dbe_find_enctype(handle->context, &kdb,
+					 ENCTYPE_DES_CBC_CRC,
+					 -1, -1, &key_data);
+	     if (ret)
+		 goto done;
+	     
+	     ret = decrypt_key_data(handle->context,
 				&handle->master_keyblock, 1, key_data,
-				 keyblocks, NULL))
-		   goto done;
+				     keyblocks, NULL);
+	     if (ret)
+		 goto done;
 	 } else {
-	      ret = decrypt_key_data(handle->context,
-				&handle->master_keyblock,
-				kdb.n_key_data, kdb.key_data,
-				keyblocks, n_keys);
-	      if (ret)
-		   goto done;
+	     ret = decrypt_key_data(handle->context,
+				     &handle->master_keyblock,
+				     kdb.n_key_data, kdb.key_data,
+				     keyblocks, n_keys);
+	     if (ret)
+		 goto done;
 	 }
     }	 
     
@@ -1418,8 +1451,10 @@
 		       krb5_keyblock *keyblocks,
 		       int n_keys)
 {
-	return (kadm5_setkey_principal_3(server_handle, principal,
-			FALSE, 0, NULL, keyblocks, n_keys));
+    return
+	kadm5_setkey_principal_3(server_handle, principal,
+				 FALSE, 0, NULL,
+				 keyblocks, n_keys);
 }
 
 kadm5_ret_t
@@ -1452,21 +1487,22 @@
 
     for (i = 0; i < n_keys; i++) {
 	for (j = i+1; j < n_keys; j++) {
-	    if (ret = krb5_c_enctype_compare(handle->context,
-					     keyblocks[i].enctype,
-					     keyblocks[j].enctype,
-					     &similar))
+	    if ((ret = krb5_c_enctype_compare(handle->context,
+					      keyblocks[i].enctype,
+					      keyblocks[j].enctype,
+					      &similar)))
 		return(ret);
-	    if (similar)
+	    if (similar) {
 		if (n_ks_tuple) {
 		    if (ks_tuple[i].ks_salttype == ks_tuple[j].ks_salttype)
 			return KADM5_SETKEY_DUP_ENCTYPES;
 		} else
 		    return KADM5_SETKEY_DUP_ENCTYPES;
+	    }
 	}
     }
 
-    if (n_ks_tuple != n_keys)
+    if (n_ks_tuple && n_ks_tuple != n_keys)
 	return KADM5_SETKEY3_ETYPE_MISMATCH;
 
     if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
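Review bot: The duplicate-enctype loop indexes `ks_tuple[i]` and `ks_tuple[j]` with `i, j < n_keys` before the `n_ks_tuple != n_keys` check that follows it, so a non-zero `n_ks_tuple` smaller than `n_keys` leads to reads past the end of `ks_tuple`. Unless the counts are validated earlier in the function (outside this hunk), move `if (n_ks_tuple && n_ks_tuple != n_keys) return KADM5_SETKEY3_ETYPE_MISMATCH;` above the loops. Both counts presumably originate from the admin request, so they should be treated as untrusted at this point.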
@@ -1526,7 +1562,7 @@
     /* assert(kdb.n_key_data == n_keys + n_old_keys) */
     kdb.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
 
-    if (ret = krb5_timeofday(handle->context, &now))
+    if ((ret = krb5_timeofday(handle->context, &now)))
 	goto done;
 
     if ((adb.aux_attributes & KADM5_POLICY)) {
@@ -1578,8 +1614,8 @@
 	kdb.pw_expiration = 0;
     }
 
-    if (ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now))
-	 goto done;
+    if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)))
+        goto done;
 
     if ((ret = kdb_put_entry(handle, &kdb, &adb)))
 	goto done;
@@ -1600,9 +1636,9 @@
  * number of keys decrypted.
  */
 static int decrypt_key_data(krb5_context context,
-	krb5_keyblock *master_keyblock,
-	int n_key_data, krb5_key_data *key_data,
-	krb5_keyblock **keyblocks, int *n_keys)
+			    krb5_keyblock *master_keyblock,
+			    int n_key_data, krb5_key_data *key_data,
+			    krb5_keyblock **keyblocks, int *n_keys)
 {
      krb5_keyblock *keys;
      int ret, i;
@@ -1613,8 +1649,11 @@
      memset((char *) keys, 0, n_key_data*sizeof(krb5_keyblock));
 
      for (i = 0; i < n_key_data; i++) {
-	  if (ret = krb5_dbekd_decrypt_key_data(context,
-		master_keyblock, &key_data[i], &keys[i], NULL)) {
+          ret = krb5_dbekd_decrypt_key_data(context,
+					    master_keyblock,
+					    &key_data[i], 
+					    &keys[i], NULL);
+	  if (ret) {
 
 	       memset((char *) keys, 0, n_key_data*sizeof(krb5_keyblock));
 	       free(keys);
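Review bot: On a decrypt failure the error branch zeroes the `keys` array and frees it, but the `contents` buffers of the keys decrypted in earlier iterations are never released; the `memset` only discards the pointers to them. That leaves decrypted key material allocated on the heap after the function reports an error. Release them first, e.g. `while (i-- > 0) krb5_free_keyblock_contents(context, &keys[i]);` ahead of the `memset`. The rest of the error branch and the end of the function are outside the hunk.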
@@ -1678,13 +1717,13 @@
     /* find_enctype only uses these two fields */
     dbent.n_key_data = entry->n_key_data;
     dbent.key_data = entry->key_data;
-    if (ret = krb5_dbe_find_enctype(handle->context, &dbent, ktype,
-				    stype, kvno, &key_data))
+    if ((ret = krb5_dbe_find_enctype(handle->context, &dbent, ktype,
+				    stype, kvno, &key_data)))
 	 return ret;
 
-    if (ret = krb5_dbekd_decrypt_key_data(handle->context,
-			&handle->master_keyblock, key_data,
-			keyblock, keysalt))
+    if ((ret = krb5_dbekd_decrypt_key_data(handle->context,
+					   &handle->master_keyblock, key_data,
+					   keyblock, keysalt)))
 	 return ret;
 
     if (kvnop)
--- a/usr/src/lib/krb5/kadm5/str_conv.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kadm5/str_conv.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -68,6 +68,7 @@
 
 #include "k5-int.h"
 #include "admin_internal.h"
+#include "adm_proto.h"
 
 /*
  * Local data structures.
@@ -359,8 +360,9 @@
 	    len = (size_t) *nksaltp;
 
 	    /* Get new keysalt array */
-	    if (*ksaltp = (krb5_key_salt_tuple *)
-		malloc((len + 1) * sizeof(krb5_key_salt_tuple))) {
+	    *ksaltp = (krb5_key_salt_tuple *) 
+		malloc((len + 1) * sizeof(krb5_key_salt_tuple));
+	    if (*ksaltp) {
 
 		/* Copy old keysalt if appropriate */
 		if (savep) {
@@ -420,8 +422,7 @@
     krb5_key_salt_tuple	*ksaltlist;
     krb5_int32		nksalt;
     krb5_boolean	ignoresalt;
-    krb5_error_code	(*iterator) (krb5_key_salt_tuple *,
-						     krb5_pointer);
+    krb5_error_code	(*iterator) (krb5_key_salt_tuple *, krb5_pointer);
     krb5_pointer	arg;
 {
     int			i;
@@ -436,7 +437,8 @@
 				     i,
 				     scratch.ks_enctype,
 				     scratch.ks_salttype)) {
-	    if (kret = (*iterator)(&scratch, arg))
+	    kret = (*iterator)(&scratch, arg);
+	    if (kret)
 		break;
 	}
     }
--- a/usr/src/lib/krb5/kdb/Makefile.com	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/Makefile.com	Sat Oct 07 13:37:05 2006 -0700
@@ -76,7 +76,7 @@
 # override liblink
 INS.liblink=	-$(RM) $@; $(SYMLINK) $(LIBLINKS)$(VERS) $@
 
-CPPFLAGS +=	-DHAVE_CONFIG_H \
+CPPFLAGS +=	-DHAVE_CONFIG_H -DHAVE_BT_RSEQ \
 		-I$(KRB5IPROPDIR) \
 		-I$(SRC)/lib/krb5 \
 		-I$(SRC)/lib/gss_mechs/mech_krb5/include \
--- a/usr/src/lib/krb5/kdb/encrypt_key.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/encrypt_key.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -78,7 +78,6 @@
     krb5_key_data	        * key_data;
 {
     krb5_error_code 		  retval;
-    krb5_keyblock 		  tmp;
     krb5_octet			* ptr;
     size_t			  len;
     int				  i;
@@ -129,7 +128,7 @@
 	if (keysalt->type > 0) {
 	    key_data->key_data_ver++;
 	    key_data->key_data_type[1] = keysalt->type;
-	    if (key_data->key_data_length[1] = keysalt->data.length) {
+	    if ((key_data->key_data_length[1] = keysalt->data.length) != 0) {
 		key_data->key_data_contents[1] =
 		    (krb5_octet *)malloc(keysalt->data.length);
 		if (key_data->key_data_contents[1] == NULL) {
--- a/usr/src/lib/krb5/kdb/fetch_mkey.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/fetch_mkey.c	Sat Oct 07 13:37:05 2006 -0700
@@ -174,18 +174,20 @@
 	    retval = KRB5_KDB_CANTREAD_STORED;
 	    goto errout;
 	}
-	if (!key->length || key->length < 0) {
+	if (!key->length || ((int) key->length) < 0) {
 	    retval = KRB5_KDB_BADSTORED_MKEY;
 	    goto errout;
 	}
+	
 	if (!(key->contents = (krb5_octet *)malloc(key->length))) {
 	    retval = ENOMEM;
 	    goto errout;
 	}
 	if (fread((krb5_pointer) key->contents,
-		  sizeof(key->contents[0]), key->length, kf) != key->length) {
+		  sizeof(key->contents[0]), key->length, kf) 
+	    != key->length) {
 	    retval = KRB5_KDB_CANTREAD_STORED;
-	    memset(key->contents, 0, key->length);
+	    memset(key->contents, 0,  key->length);
 	    free(key->contents);
 	    key->contents = 0;
 	} else
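Review bot: The length read from the stash file is rejected only when it is zero or, after the `(int)` cast, negative; any other value goes straight into `malloc(key->length)` and `fread`. A corrupted or tampered stash file can therefore force a very large allocation before the short read is noticed, and comparing the length with the largest key size the build supports would fail earlier with KRB5_KDB_BADSTORED_MKEY. If `key->length` is unsigned, as the added cast suggests, the cast relies on implementation-defined conversion, and `key->length > INT_MAX` states the intent more directly (it needs `<limits.h>`, whose inclusion is not visible here). On the read-failure path the `memset` before `free` is a dead store that an optimizer may drop, so the partially read master key may not actually be cleared.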
--- a/usr/src/lib/krb5/kdb/kdb_cpw.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/kdb_cpw.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -86,6 +86,9 @@
 {
     int i, j;
 
+    /* If data is NULL, count is always 0 */
+    if (data == NULL) return;
+
     for (i = 0; i < count; i++) {
 	for (j = 0; j < data[i].key_data_ver; j++) {
 	    if (data[i].key_data_length[j]) {
@@ -108,7 +111,6 @@
     krb5_principal	  krbtgt_princ;
     krb5_keyblock	  key;
     krb5_db_entry	  krbtgt_entry;
-    krb5_key_data	* krbtgt_kdata;
     krb5_boolean	  more;
     int			  max_kvno, one, i, j;
     krb5_error_code	  retval;
@@ -168,7 +170,7 @@
 	if (similar)
 	    continue;
 
-        if (retval = krb5_dbe_create_key_data(context, db_entry)) 
+        if ((retval = krb5_dbe_create_key_data(context, db_entry))) 
 	    goto add_key_rnd_err;
 
 	/* there used to be code here to extract the old key, and derive
@@ -282,8 +284,8 @@
     /* increment the kvno */
     kvno++;
 
-    if (retval = add_key_rnd(context, master_key, ks_tuple, 
-			     ks_tuple_count, db_entry, kvno)) {
+    if ((retval = add_key_rnd(context, master_key, ks_tuple, 
+			     ks_tuple_count, db_entry, kvno))) {
 	cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
 	db_entry->n_key_data = key_data_count;
 	db_entry->key_data = key_data;
@@ -291,7 +293,7 @@
 	/* Copy keys with key_data_kvno == kvno - 1 ( = old kvno ) */
 	for (i = 0; i < key_data_count; i++) {
 	    if (key_data[i].key_data_kvno == (kvno - 1)) {
-		if (retval = krb5_dbe_create_key_data(context, db_entry)) {
+		if ((retval = krb5_dbe_create_key_data(context, db_entry))) {
 		    cleanup_key_data(context, db_entry->n_key_data,
 				     db_entry->key_data);
 		    break;
@@ -325,10 +327,10 @@
     krb5_keysalt	  key_salt;
     krb5_keyblock	  key;
     krb5_data	  	  pwd;
-    krb5_boolean	  found;
     int			  i, j;
 
     retval = 0;
+
     for (i = 0; i < ks_tuple_count; i++) {
 	krb5_boolean similar;
 
@@ -354,15 +356,15 @@
 	if (j < i)
 	    continue;
 
-	if (retval = krb5_dbe_create_key_data(context, db_entry)) 
+	if ((retval = krb5_dbe_create_key_data(context, db_entry))) 
 	    return(retval);
 
 	/* Convert password string to key using appropriate salt */
 	switch (key_salt.type = ks_tuple[i].ks_salttype) {
     	case KRB5_KDB_SALTTYPE_ONLYREALM: {
             krb5_data * saltdata;
-            if (retval = krb5_copy_data(context, krb5_princ_realm(context,
-					db_entry->princ), &saltdata))
+            if ((retval = krb5_copy_data(context, krb5_princ_realm(context,
+					      db_entry->princ), &saltdata)))
 	 	return(retval);
 
 	    key_salt.data = *saltdata;
@@ -370,13 +372,13 @@
 	}
 		break;
     	case KRB5_KDB_SALTTYPE_NOREALM:
-            if (retval=krb5_principal2salt_norealm(context, db_entry->princ,
-                                                         &key_salt.data)) 
+            if ((retval=krb5_principal2salt_norealm(context, db_entry->princ,
+						    &key_salt.data))) 
 		return(retval);
             break;
 	case KRB5_KDB_SALTTYPE_NORMAL:
-            if (retval = krb5_principal2salt(context, db_entry->princ,
-					         &key_salt.data)) 
+            if ((retval = krb5_principal2salt(context, db_entry->princ,
+					      &key_salt.data))) 
 		return(retval);
             break;
     	case KRB5_KDB_SALTTYPE_V4:
@@ -391,19 +393,20 @@
 	 	return(retval);
 
 	    key_salt.data = *saltdata;
-	    key_salt.data.length = -1; /*length actually used below...*/
+	    key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/
 	    krb5_xfree(saltdata);
 #else
 	    /* Why do we do this? Well, the afs_mit_string_to_key needs to
 	       use strlen, and the realm is not NULL terminated.... */
-	    int slen = (*krb5_princ_realm(context,db_entry->princ)).length;
+	    unsigned int slen = 
+		(*krb5_princ_realm(context,db_entry->princ)).length;
 	    if(!(key_salt.data.data = (char *) malloc(slen+1)))
 	        return ENOMEM;
 	    key_salt.data.data[slen] = 0;
 	    memcpy((char *)key_salt.data.data,
 		   (char *)(*krb5_princ_realm(context,db_entry->princ)).data,
 		   slen);
-	    key_salt.data.length = -1; /*length actually used below...*/
+	    key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/
 #endif
 
 	}
@@ -424,13 +427,13 @@
 	     return(retval);
 	}
 
-	if (key_salt.data.length == -1)
+	if (key_salt.data.length == SALT_TYPE_AFS_LENGTH)
 	    key_salt.data.length = 
 	      krb5_princ_realm(context, db_entry->princ)->length;
 
-	if (retval = krb5_dbekd_encrypt_key_data(context, master_key, &key,
+	if ((retval = krb5_dbekd_encrypt_key_data(context, master_key, &key,
 		     (const krb5_keysalt *)&key_salt,
-		     kvno, &db_entry->key_data[db_entry->n_key_data-1])) {
+		     kvno, &db_entry->key_data[db_entry->n_key_data-1]))) {
 	    if (key_salt.data.data)
 		 free(key_salt.data.data);
 
@@ -539,8 +542,8 @@
     /* increment the kvno */
     new_kvno = old_kvno+1;
 
-    if (retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count,
-			     passwd, db_entry, new_kvno)) {
+    if ((retval = add_key_pwd(context, master_key, ks_tuple, ks_tuple_count,
+			     passwd, db_entry, new_kvno))) {
 	cleanup_key_data(context, db_entry->n_key_data, db_entry->key_data);
 	db_entry->n_key_data = key_data_count;
 	db_entry->key_data = key_data;
@@ -548,7 +551,7 @@
 	/* Copy keys with key_data_kvno == old_kvno */
 	for (i = 0; i < key_data_count; i++) {
 	    if (key_data[i].key_data_kvno == old_kvno) {
-		if (retval = krb5_dbe_create_key_data(context, db_entry)) {
+		if ((retval = krb5_dbe_create_key_data(context, db_entry))) {
 		    cleanup_key_data(context, db_entry->n_key_data,
 				     db_entry->key_data);
 		    break;
--- a/usr/src/lib/krb5/kdb/kdb_db2.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/kdb_db2.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -657,14 +657,16 @@
 /*
  * Destroy the database.  Zero's out all of the files, just to be sure.
  */
-krb5_error_code
+static krb5_error_code
 destroy_file_suffix(dbname, suffix)
     char *dbname;
     char *suffix;
 {
     char *filename;
     struct stat statb;
-    int nb,fd,i,j;
+    int nb,fd;
+    unsigned int j;
+    off_t pos;
     char buf[BUFSIZ];
     char zbuf[BUFSIZ];
     int dowrite;
@@ -693,8 +695,8 @@
      * we're just about to unlink it anyways.
      */
     memset(zbuf, 0, BUFSIZ);
-    i = 0;
-    while (i < statb.st_size) {
+    pos = 0;
+    while (pos < statb.st_size) {
 	dowrite = 0;
 	nb = read(fd, buf, BUFSIZ);
 	if (nb < 0) {
@@ -708,16 +710,18 @@
 		break;
 	    }
 	}
+	/* For signedness */
+	j = nb;
 	if (dowrite) {
-	    lseek(fd, i, SEEK_SET);
-	    nb = write(fd, zbuf, nb);
+	    lseek(fd, pos, SEEK_SET);
+	    nb = write(fd, zbuf, j);
 	    if (nb < 0) {
 		int retval = errno;
 		free(filename);
 		return retval;
 	    }
 	}
-	i += nb;
+	pos += nb;
     }
     /* ??? Is fsync really needed?  I don't know of any non-networked
        filesystem which will discard queued writes to disk if a file
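Review bot: The `lseek(fd, pos, SEEK_SET)` before the zeroing write is unchecked, so if the seek fails the zeros are written at the current offset (after the block just read) and the non-zero block this routine meant to scrub stays on disk while `pos` still advances. The write-failure path in this hunk also returns after `free(filename)` without closing `fd`. I would guard the seek with `if (lseek(fd, pos, SEEK_SET) == (off_t)-1) { int retval = errno; (void) close(fd); free(filename); return retval; }` and add the same `(void) close(fd);` to the write error path. The function begins in an earlier hunk and continues past this one, so the final close and unlink handling is not visible here.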
@@ -898,7 +902,7 @@
     DB *db;
     DBT key, contents;
     krb5_data keydata, contdata;
-    int try, dbret;
+    int trynum, dbret;
 
     *more = FALSE;
     *nentries = 0;
@@ -907,7 +911,7 @@
 	return KRB5_KDB_DBNOTINITED;
 
     db_ctx = (krb5_db2_context *) context->db_context;
-    for (try = 0; try < KRB5_DB2_MAX_RETRY; try++) {
+    for (trynum = 0; trynum < KRB5_DB2_MAX_RETRY; trynum++) {
 	if ((retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED))) {
 	    if (db_ctx->db_nb_locks) 
 	    	return(retval);
@@ -916,7 +920,7 @@
 	}
 	break;
     }
-    if (try == KRB5_DB2_MAX_RETRY) 
+    if (trynum == KRB5_DB2_MAX_RETRY) 
 	return KRB5_KDB_DB_INUSE;
 
     /* XXX deal with wildcard lookups */
@@ -1181,7 +1185,7 @@
     for (i = 0; i < entry.n_key_data; i++) {
 	if (entry.key_data[i].key_data_length[0]) {
 	    memset((char *)entry.key_data[i].key_data_contents[0], 0, 
-		   entry.key_data[i].key_data_length[0]); 
+		   (unsigned) entry.key_data[i].key_data_length[0]); 
 	}
     }
 
@@ -1217,10 +1221,11 @@
 }
 
 krb5_error_code
-krb5_db2_db_iterate (context, func, func_arg)
+krb5_db2_db_iterate_ext(context, func, func_arg, backwards, recursive)
     krb5_context context;
     krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
     krb5_pointer func_arg;
+    int backwards, recursive;
 {
     krb5_db2_context *db_ctx;
     DB *db;
@@ -1229,17 +1234,36 @@
     krb5_db_entry entries;
     krb5_error_code retval;
     int dbret;
-    
+    void *cookie;
+
+    cookie = NULL;
     if (!k5db2_inited(context))
 	return KRB5_KDB_DBNOTINITED;
 
     db_ctx = (krb5_db2_context *) context->db_context;
     retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED);
+
     if (retval)
 	return retval;
 
     db = db_ctx->db;
-    dbret = (*db->seq)(db, &key, &contents, R_FIRST);
+    if (recursive && db->type != DB_BTREE) {
+	(void)krb5_db2_db_unlock(context);
+	return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
+    }
+
+    if (!recursive) {
+	dbret = (*db->seq)(db, &key, &contents,
+			   backwards ? R_LAST : R_FIRST);
+    } else {
+#ifdef HAVE_BT_RSEQ
+	dbret = bt_rseq(db, &key, &contents, &cookie,
+			backwards ? R_LAST : R_FIRST);
+#else
+	(void)krb5_db2_db_unlock(context);
+	return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
+#endif
+    }
     while (dbret == 0) {
 	contdata.data = contents.data;
 	contdata.length = contents.size;
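Review bot: `krb5_db2_db_iterate_ext` is added without a header comment, and its two `int` flags are opaque at call sites such as `krb5_db2_db_iterate_ext(context, func, func_arg, 0, 0)`. I would add a block comment above the definition stating that `backwards` selects R_LAST/R_PREV traversal, that `recursive` switches to `bt_rseq` and is only supported for DB_BTREE databases built with HAVE_BT_RSEQ, and that the unsupported case returns `KRB5_KDB_UK_RERROR` after releasing the shared lock. Reusing that error code means a caller cannot tell "not supported" from a real read failure, which the in-line "Not optimal" comment already hints at. The function starts in the previous hunk and continues in the next one.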
@@ -1250,7 +1274,18 @@
 	krb5_dbe_free_contents(context, &entries);
 	if (retval)
 	    break;
-	dbret = (*db->seq)(db, &key, &contents, R_NEXT);
+	if (!recursive) {
+	    dbret = (*db->seq)(db, &key, &contents,
+			       backwards ? R_PREV : R_NEXT);
+	} else {
+#ifdef HAVE_BT_RSEQ
+	    dbret = bt_rseq(db, &key, &contents, &cookie,
+			    backwards ? R_PREV : R_NEXT);
+#else
+	    (void)krb5_db2_db_unlock(context);
+	    return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
+#endif
+	}
     }
     switch (dbret) {
     case 1:
@@ -1264,6 +1299,15 @@
     return retval;
 }
 
+krb5_error_code
+krb5_db2_db_iterate(context, func, func_arg)
+    krb5_context context;
+    krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
+    krb5_pointer func_arg;
+{
+    return krb5_db2_db_iterate_ext(context, func, func_arg, 0, 0);
+}
+
 krb5_boolean
 krb5_db2_db_set_lockmode(context, mode)
     krb5_context context;
@@ -1407,6 +1451,7 @@
     krb5_int32		lockcount;
     krb5_int32		lockmode;
     krb5_int32		dbnamelen;
+    krb5_boolean        nb_lock;
     char		*dbname;
 
     bp = *buffer;
@@ -1444,7 +1489,8 @@
 			kret = krb5_db_lock(tmpctx, lockmode);
 		    if (!kret && lockmode)
 			dbctx->db_locks_held = lockcount;
-		    (void) krb5_db2_db_set_lockmode(tmpctx, nb_lockmode);
+		    nb_lock = nb_lockmode & 0xff;
+		    (void) krb5_db2_db_set_lockmode(tmpctx, nb_lock);
 		}
 		if (dbname)
 		    krb5_xfree(dbname);
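Review bot: `nb_lock = nb_lockmode & 0xff;` keeps only the low byte of a value that, judging by the neighbouring `krb5_int32` locals, was read from the serialized context buffer, so an out-of-range value such as 0x100 silently becomes FALSE instead of being rejected. If the field is meant to carry a boolean, `nb_lock = (nb_lockmode != 0);` or failing the internalize on values other than 0 and 1 states the intent more clearly. The declaration of `nb_lockmode` and the code that reads it are outside this hunk, so its type is an assumption.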
--- a/usr/src/lib/krb5/kdb/kdb_db2.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/kdb_db2.h	Sat Oct 07 13:37:05 2006 -0700
@@ -42,6 +42,7 @@
 #define krb5_db2_db_free_principal	krb5_db_free_principal
 #define krb5_db2_db_put_principal	krb5_db_put_principal
 #define krb5_db2_db_delete_principal	krb5_db_delete_principal
+#define krb5_db2_db_iterate_ext		krb5_db_iterate_ext
 #define krb5_db2_db_iterate		krb5_db_iterate
 #define krb5_db2_db_lock		krb5_db_lock
 #define krb5_db2_db_unlock		krb5_db_unlock
@@ -105,6 +106,11 @@
 	(krb5_context,
 		   krb5_db_entry *,
 		   int * );
+krb5_error_code krb5_db2_db_iterate_ext
+    	(krb5_context,
+		   krb5_error_code (*) (krb5_pointer,
+					          krb5_db_entry *),
+	           krb5_pointer, int, int );
 krb5_error_code krb5_db2_db_iterate
     	(krb5_context,
 		   krb5_error_code (*) (krb5_pointer,
--- a/usr/src/lib/krb5/kdb/kdb_dbm.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/kdb_dbm.c	Sat Oct 07 13:37:05 2006 -0700
@@ -57,11 +57,11 @@
 static char default_db_name[] = DEFAULT_KDB_FILE;
 
 static char *gen_dbsuffix 
-	PROTOTYPE((char *, char * ));
+	(char *, char * );
 static krb5_error_code krb5_dbm_db_start_update 
-	PROTOTYPE((krb5_context));
+	(krb5_context);
 static krb5_error_code krb5_dbm_db_end_update 
-	PROTOTYPE((krb5_context));
+	(krb5_context);
 
 krb5_error_code
 krb5_dbm_db_get_age(krb5_context, char *, time_t *);
@@ -358,10 +358,10 @@
 }
 
 krb5_error_code
-krb5_dbm_db_get_mkey(context, eblock)
-
+krb5_dbm_db_get_mkey(context, db_context, key)
     krb5_context 	  context;
-    krb5_encrypt_block  **eblock;
+    krb5_db_context 	* db_context;
+    krb5_keyblock  **key;
 {
     krb5_db_context *db_ctx;
 
@@ -369,7 +369,7 @@
 	return(KRB5_KDB_DBNOTINITED);
 
     db_ctx = context->db_context;
-    *eblock = db_ctx->db_master_key;
+    *key = db_ctx->db_master_key;
     return 0;
 
 }
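Review bot: The `db_context` parameter added to `krb5_dbm_db_get_mkey` is not used in the lines shown: the body still reads `context->db_context` and stores its `db_master_key` in `*key`. If the argument exists only to match a common signature, a comment such as `/* db_context is unused; the handle stored in context is consulted */` would avoid the impression that the caller's argument selects the database. The signature is in the previous hunk and one body line between the two hunks is not visible.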
@@ -618,7 +618,7 @@
 /*
  * Destroy the database.  Zero's out all of the files, just to be sure.
  */
-krb5_error_code
+static krb5_error_code
 destroy_file_suffix(dbname, suffix)
 	char	*dbname;
 	char	*suffix;
@@ -1141,7 +1141,7 @@
 krb5_error_code
 krb5_dbm_db_iterate (context, func, func_arg)
     krb5_context context;
-    krb5_error_code (*func) PROTOTYPE((krb5_pointer, krb5_db_entry *));
+    krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
     krb5_pointer func_arg;
 {
     datum key, contents;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/krb5/kdb/kdb_kt.h	Sat Oct 07 13:37:05 2006 -0700
@@ -0,0 +1,44 @@
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+/*
+ * include/krb5/kdb_kt.h
+ *
+ * Copyright 1997 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ *
+ * KDC keytab definitions.
+ */
+
+
+#ifndef KRB5_KDB5_KT_H
+#define KRB5_KDB5_KT_H
+
+#include <krb5/kdb.h>
+
+extern struct _krb5_kt_ops krb5_kt_kdb_ops;
+
+krb5_error_code krb5_ktkdb_resolve (krb5_context, const char *, krb5_keytab *);
+
+krb5_error_code krb5_ktkdb_set_context(krb5_context);
+
+#endif /* KRB5_KDB5_DBM__ */
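Review bot: The closing guard comment `#endif /* KRB5_KDB5_DBM__ */` names a different macro from the `KRB5_KDB5_KT_H` guard opened above, and the path in the header comment (`include/krb5/kdb_kt.h`) does not match where the file is added (`usr/src/lib/krb5/kdb/kdb_kt.h`). I would change the last line to `#endif /* KRB5_KDB5_KT_H */`. The two prototypes would also benefit from a one-line comment each; in particular `krb5_ktkdb_set_context` gives no indication of whether the passed context is copied or only referenced, which matters for its lifetime.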
--- a/usr/src/lib/krb5/kdb/kdb_xdr.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/kdb_xdr.c	Sat Oct 07 13:37:05 2006 -0700
@@ -153,7 +153,7 @@
 
     tl_data.tl_data_type = KRB5_TL_LAST_PWD_CHANGE;
 
-    if (code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))
+    if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
 	return(code);
     
     if (tl_data.tl_data_length != 4) {
@@ -183,13 +183,13 @@
     krb5_error_code 	  retval = 0;
     krb5_octet		* nextloc = 0;
     char		* unparse_mod_princ = 0;
-    int			  unparse_mod_princ_size;
+    unsigned int	unparse_mod_princ_size;
 
     if ((retval = krb5_unparse_name(context, mod_princ, 
 				    &unparse_mod_princ)))
 	return(retval);
 
-    unparse_mod_princ_size = (int) strlen(unparse_mod_princ) + 1;
+    unparse_mod_princ_size = strlen(unparse_mod_princ) + 1;
 
     if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4))
 	== NULL) {
@@ -227,7 +227,7 @@
 
     tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
 
-    if (code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))
+    if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
 	return(code);
     
     if ((tl_data.tl_data_length < 5) ||
@@ -239,7 +239,7 @@
 
     /* Mod Princ */
     if ((code = krb5_parse_name(context,
-				(krb5_const char *) (tl_data.tl_data_contents+4),
+				(const char *) (tl_data.tl_data_contents+4),
 				mod_princ)))
 	return(code);
 
@@ -277,7 +277,8 @@
     krb5_data  		* content;
     krb5_db_entry 	* entry;
 {
-    int 		  unparse_princ_size, i, j;
+    int 		  i, j;
+    unsigned int	  unparse_princ_size;
     char 		* unparse_princ;
     char		* nextloc;
     krb5_tl_data	* tl_data;
@@ -340,7 +341,7 @@
 
     /* 
      * Now we go through entry again, this time copying data 
-     * These first entries are always saved regaurdless of version
+     * These first entries are always saved regardless of version
      */
     nextloc = content->data;
 
@@ -429,7 +430,7 @@
 
 	for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
 	    krb5_int16 type = entry->key_data[i].key_data_type[j];
-	    krb5_int16 length = entry->key_data[i].key_data_length[j];
+	    krb5_ui_2  length = entry->key_data[i].key_data_length[j];
 
     	    krb5_kdb_encode_int16(type, nextloc);
 	    nextloc += 2;
@@ -690,7 +691,8 @@
 	    	if (entry->key_data[i].key_data_length[j]) {
 		    if (entry->key_data[i].key_data_contents[j]) {
 		        memset(entry->key_data[i].key_data_contents[j], 
-			       0, entry->key_data[i].key_data_length[j]);
+			       0, 
+			       (unsigned) entry->key_data[i].key_data_length[j]);
 		    	free (entry->key_data[i].key_data_contents[j]);
 		    }
 		}
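Review bot: The `memset(..., 0, (unsigned) ...key_data_length[j])` here is immediately followed by `free()` of the same buffer, a pattern an optimising compiler may remove as a dead store, so the key bytes can survive in freed heap memory. The cast added by this commit does not change that. The same wipe-by-memset appears in the kdb_db2.c hunk at `@@ -1181,7 +1185,7 @@` (whether a free follows there is outside that hunk). I would route both through one wipe helper the compiler cannot drop, for example a loop writing through a `volatile unsigned char *`, or the platform's guaranteed-zeroing call if one is available. The enclosing function starts and ends outside this hunk.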
@@ -723,7 +725,7 @@
     krb5_int32		kvno;
     krb5_key_data	**kdatap;
 {
-    int			i, index;
+    int			i, idx;
     int			maxkvno;
     krb5_key_data	*datap;
     krb5_error_code	ret;
@@ -762,20 +764,21 @@
 	    ret = KRB5_KDB_NO_PERMITTED_KEY;
 	    continue;
 	}
+	
 
-	if (ktype >= 0) {
+	if (ktype > 0) {
 	    if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
 					      dbentp->key_data[i].key_data_type[0],
 					      &similar)))
 		return(ret);
 	}
 
-	if (((ktype < 0) || similar) &&
+	if (((ktype <= 0) || similar) &&
 	    ((db_stype == stype) || (stype < 0))) {
 	    if (kvno >= 0) {
 		if (kvno == dbentp->key_data[i].key_data_kvno) {
 		    datap = &dbentp->key_data[i];
-		    index = i;
+		    idx = i;
 		    maxkvno = kvno;
 		    break;
 		}
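Review bot: Changing `ktype >= 0` to `ktype > 0` and `ktype < 0` to `ktype <= 0` makes an enctype of 0 a wildcard: the `krb5_c_enctype_compare` call is skipped and any key whose salt type matches is accepted. That is a behaviour change in key selection with no comment at the test, so a caller that passes an unset or zero enctype now receives a key of any enctype rather than a comparison against enctype 0. I would add `/* ktype <= 0 matches any enctype; only positive values are compared */` above `if (ktype > 0)` and confirm that callers forwarding a requested enctype validate it first. The function starts before this hunk and ends after it.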
@@ -783,7 +786,7 @@
 		if (dbentp->key_data[i].key_data_kvno > maxkvno) {
 		    maxkvno = dbentp->key_data[i].key_data_kvno;
 		    datap = &dbentp->key_data[i];
-		    index = i;
+		    idx = i;
 		}
 	    }
 	}
@@ -791,7 +794,7 @@
     if (maxkvno < 0)
 	return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
     *kdatap = datap;
-    *start = index+1;
+    *start = idx+1;
     return 0;
 }
 
--- a/usr/src/lib/krb5/kdb/keytab.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/keytab.c	Sat Oct 07 13:37:05 2006 -0700
@@ -28,6 +28,7 @@
 #include <string.h>
 
 #include "k5-int.h"
+#include "kdb_kt.h"
 
 static int
 is_xrealm_tgt(krb5_context, krb5_const_principal);
@@ -37,16 +38,21 @@
 krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_principal,
 		   krb5_kvno, krb5_enctype, krb5_keytab_entry *);
 
-krb5_error_code krb5_ktkdb_resolve(
-    krb5_context  	  context,
-    const char		* name,
-    krb5_keytab		* id);
+static krb5_error_code
+krb5_ktkdb_get_name(krb5_context context, krb5_keytab keytab,
+		    char *name, unsigned int namelen)
+{
+    if (namelen < sizeof("KDB:"))
+	return KRB5_KT_NAME_TOOLONG;
+    strcpy(name, "KDB:");
+    return 0;
+}
 
 krb5_kt_ops krb5_kt_kdb_ops = {
     0,
     "KDB", 	/* Prefix -- this string should not appear anywhere else! */
     krb5_ktkdb_resolve,		/* resolve */
-    NULL,			/* get_name */
+    krb5_ktkdb_get_name,	/* get_name */
     krb5_ktkdb_close,		/* close */
     krb5_ktkdb_get_entry,	/* get */
     NULL,			/* start_seq_get */
@@ -125,14 +131,16 @@
     krb5_db_entry 	  db_entry;
     krb5_boolean 	  more = 0;
     int 	 	  n = 0;
-    int xrealm_tgt = is_xrealm_tgt(context, principal);
-    krb5_boolean	 similar;
+    int xrealm_tgt;
+    krb5_boolean similar;
 
     if (ktkdb_ctx)
 	context = ktkdb_ctx;
     else
 	context = in_context;
 
+    xrealm_tgt = is_xrealm_tgt(context, principal);
+
     /* Open database */
     /* krb5_db_init(context); */
     if ((kerror = krb5_db_open_database(context)))
--- a/usr/src/lib/krb5/kdb/mapfile-vers	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/mapfile-vers	Sat Oct 07 13:37:05 2006 -0700
@@ -36,34 +36,19 @@
 
 SUNWprivate_1.1 {
     global:
-	destroy_file_suffix;
 	krb5_db_close_database;
 	krb5_db_create;
 	krb5_db_delete_principal;
 	krb5_db_destroy;
-	krb5_dbe_apw;
-	krb5_dbe_ark;
-	krb5_dbe_cpw;
-	krb5_dbe_create_key_data;
-	krb5_dbe_crk;
-	krb5_dbe_find_enctype;
-	krb5_dbe_free_contents;
-	krb5_dbekd_decrypt_key_data;
-	krb5_dbekd_encrypt_key_data;
-	krb5_dbe_lookup_last_pwd_change;
-	krb5_dbe_lookup_mod_princ_data;
-	krb5_dbe_lookup_tl_data;
-	krb5_dbe_search_enctype;
-	krb5_dbe_update_last_pwd_change;
-	krb5_dbe_update_mod_princ_data;
-	krb5_dbe_update_tl_data;
 	krb5_db_fetch_mkey;
 	krb5_db_fini;
 	krb5_db_free_principal;
 	krb5_db_get_age;
+	krb5_db_get_mkey;
 	krb5_db_get_principal;
 	krb5_db_init;
 	krb5_db_iterate;
+	krb5_db_iterate_ext;
 	krb5_db_lock;
 	krb5_db_open_database;
 	krb5_db_put_principal;
@@ -75,13 +60,32 @@
 	krb5_db_store_mkey;
 	krb5_db_unlock;
 	krb5_db_verify_master_key;
+	krb5_dbe_apw;
+	krb5_dbe_ark;
+	krb5_dbe_cpw;
+	krb5_dbe_create_key_data;
+	krb5_dbe_crk;
+	krb5_dbe_find_enctype;
+	krb5_dbe_free_contents;
+	krb5_dbe_lookup_last_pwd_change;
+	krb5_dbe_lookup_mod_princ_data;
+	krb5_dbe_lookup_tl_data;
+	krb5_dbe_search_enctype;
+	krb5_dbe_update_last_pwd_change;
+	krb5_dbe_update_mod_princ_data;
+	krb5_dbe_update_tl_data;
+	krb5_dbekd_decrypt_key_data;
+	krb5_dbekd_encrypt_key_data;
 	krb5_decode_princ_contents;
 	krb5_encode_princ_contents;
+	krb5_encode_princ_dbkey;
 	krb5_free_princ_contents;
+	krb5_free_princ_dbkey;
+	krb5_kt_kdb_ops;
 	krb5_ktkdb_close;
 	krb5_ktkdb_get_entry;
-	krb5_kt_kdb_ops;
 	krb5_ktkdb_resolve;
+	krb5_ktkdb_set_context;
 	krb5_mkey_pwd_prompt1;
 	krb5_mkey_pwd_prompt2;
 	krb5_ser_db_context_init;
--- a/usr/src/lib/krb5/kdb/setup_mkey.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/setup_mkey.c	Sat Oct 07 13:37:05 2006 -0700
@@ -49,8 +49,8 @@
     krb5_principal *principal;
 {
     krb5_error_code retval;
-    int keylen;
-    int rlen = strlen(realm);
+    size_t keylen;
+    size_t rlen = strlen(realm);
     char *fname;
     
     if (!keyname)
--- a/usr/src/lib/krb5/kdb/store_mkey.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/kdb/store_mkey.c	Sat Oct 07 13:37:05 2006 -0700
@@ -66,7 +66,7 @@
     char defkeyfile[MAXPATHLEN+1];
     krb5_data *realm = krb5_princ_realm(context, mname);
 #if HAVE_UMASK
-    int oumask;
+    mode_t oumask;
 #endif
 
     if (!keyfile) {
@@ -98,7 +98,8 @@
 	(fwrite((krb5_pointer) &key->length,
 		sizeof(key->length), 1, kf) != 1) ||
 	(fwrite((krb5_pointer) key->contents,
-		sizeof(key->contents[0]), key->length, kf) != key->length)) {
+		sizeof(key->contents[0]), (unsigned) key->length, 
+		kf) != key->length)) {
 	retval = errno;
 	(void) fclose(kf);
     }
--- a/usr/src/lib/krb5/ss/copyright.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/copyright.h	Sat Oct 07 13:37:05 2006 -0700
@@ -13,6 +13,9 @@
 and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
 used in advertising or publicity pertaining to distribution
 of the software without specific, written prior permission.
+Furthermore if you modify this software you must label
+your software as modified software and not distribute it in such a
+fashion that it might be confused with the original M.I.T. software.
 M.I.T. and the M.I.T. S.I.P.B. make no representations about
 the suitability of this software for any purpose.  It is
 provided "as is" without express or implied warranty.
--- a/usr/src/lib/krb5/ss/error.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/error.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -14,25 +14,10 @@
 
 #include <stdio.h>
 
-/*
- * I'm assuming that com_err.h includes varargs.h, which it does
- * (right now).  There really ought to be a way for me to include the
- * file without worrying about whether com_err.h includes it or not,
- * but varargs.h doesn't define anything that I can use as a flag, and
- * gcc will lose if I try to include it twice and redefine stuff.
- */
-#if !defined(__STDC__) || !defined(ibm032) || !defined(NeXT)
-#define ss_error ss_error_external
-#endif
-
 #include "copyright.h"
 #include "com_err.h"
 #include "ss_internal.h"
 
-extern void com_err_va ();
-
-#undef ss_error
-
 char * ss_name(sci_idx)
     int sci_idx;
 {
@@ -71,26 +56,11 @@
     }
 }
 
-#ifdef HAVE_STDARG_H
 void ss_error (int sci_idx, long code, const char * fmt, ...)
-#else
-void ss_error (va_alist)
-    va_dcl
-#endif
 {
     register char *whoami;
     va_list pvar;
-#ifndef HAVE_STDARG_H
-    int sci_idx;
-    long code;
-    char * fmt;
-    va_start (pvar);
-    sci_idx = va_arg (pvar, int);
-    code = va_arg (pvar, long);
-    fmt = va_arg (pvar, char *);
-#else
     va_start (pvar, fmt);
-#endif
     whoami = ss_name (sci_idx);
     com_err_va (whoami, code, fmt, pvar);
     free (whoami);
--- a/usr/src/lib/krb5/ss/execute_cmd.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/execute_cmd.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -196,8 +196,7 @@
     char *line_ptr;
 {
     char **argv;
-    int argc;
-    int rc;
+    int argc, ret;
 
     /* flush leading whitespace */
     while (line_ptr[0] == ' ' || line_ptr[0] == '\t')
@@ -220,9 +219,9 @@
         return 0;
 
     /* look it up in the request tables, execute if found */
-    rc = really_execute_command (sci_idx, argc, &argv);
+    ret = really_execute_command (sci_idx, argc, &argv);
 
     free(argv);
 
-    return (rc);
+    return(ret);
 }
--- a/usr/src/lib/krb5/ss/help.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/help.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -13,13 +13,13 @@
 
 #include <sys/param.h>
 #include <sys/types.h>
+#include <errno.h>
 #include <sys/file.h>
 #include <fcntl.h>	/* just for O_* */
 #include <sys/wait.h>
 #include "ss_internal.h"
 #include "copyright.h"
 #include <libintl.h>
-#include <errno.h>
 
 extern void ss_list_requests();
 
@@ -63,16 +63,18 @@
 	return;
     }
     for (idx = 0; info->info_dirs[idx] != (char *)NULL; idx++) {
-	(void) strcpy(buffer, info->info_dirs[idx]);
-	(void) strcat(buffer, "/");
-	(void) strcat(buffer, argv[1]);
-	(void) strcat(buffer, ".info");
+	(void) strncpy(buffer, info->info_dirs[idx], sizeof(buffer) - 1);
+	buffer[sizeof(buffer) - 1] = '\0';
+	(void) strncat(buffer, "/", sizeof(buffer) - 1 - strlen(buffer));
+	(void) strncat(buffer, argv[1], sizeof(buffer) - 1 - strlen(buffer));
+	(void) strncat(buffer, ".info", sizeof(buffer) - 1 - strlen(buffer));
 	if ((fd = open(&buffer[0], O_RDONLY)) >= 0) goto got_it;
     }
     if ((fd = open(&buffer[0], O_RDONLY)) < 0) {
 	char buf[MAXPATHLEN];
-	strcpy(buf, "No info found for ");
-	strcat(buf, argv[1]);
+	strncpy(buf, "No info found for ", sizeof(buf) - 1);
+	buf[sizeof(buf) - 1] = '\0';
+	strncat(buf, argv[1], sizeof(buf) - 1 - strlen(buf));
 	ss_perror(sci_idx, 0, buf);
 	return;
     }
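Review bot: The `strncpy`/`strncat` chain removes the overflow but truncates silently, so an over-long directory or topic name makes `open()` try a shortened path that is not the one requested, and the same applies to the message built in `buf`. Building the path in one bounded call and skipping on truncation is clearer: `n = snprintf(buffer, sizeof(buffer), "%s/%s.info", info->info_dirs[idx], argv[1]);` followed by `if (n < 0 || (size_t)n >= sizeof(buffer)) continue;`, with `int n` declared alongside `idx`. `argv[1]` is also used unfiltered as a path component, so rejecting topic names that contain `/` would keep lookups inside the configured info directories. The function starts before this hunk and continues after it.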
--- a/usr/src/lib/krb5/ss/invocation.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/invocation.c	Sat Oct 07 13:37:05 2006 -0700
@@ -71,7 +71,7 @@
 
 	t = ss_info(sci_idx);
 	free(t->prompt);
-	free((char *)t->rqt_tables);
+	free(t->rqt_tables);
 	while(t->info_dirs[0] != (char *)NULL)
 		ss_delete_info_dir(sci_idx, t->info_dirs[0], &ignored_code);
 	free((char *)t->info_dirs);
--- a/usr/src/lib/krb5/ss/list_rqs.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/list_rqs.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -32,9 +32,13 @@
 void
 ss_list_requests(argc, argv, sci_idx, info_ptr)
     int argc;
-    char **argv;
+    const char * const *argv;
     int sci_idx;
-    pointer info_ptr;
+#ifdef __STDC__
+    void *info_ptr;
+#else
+    char *info_ptr;
+#endif
 {
     register ss_request_entry *entry;
     register char const * const *name;
@@ -93,21 +97,22 @@
             buffer[0] = '\0';
             if (entry->flags & SS_OPT_DONT_LIST)
                 continue;
+            buffer[sizeof(buffer) - 1] = '\0';
             for (name = entry->command_names; *name; name++) {
                 register int len = strlen(*name);
-                strncat(buffer, *name, len);
+                strncat(buffer, *name, sizeof(buffer) - 1 - strlen(buffer));
                 spacing += len + 2;
                 if (name[1]) {
-                    strcat(buffer, ", ");
+                    strncat(buffer, ", ", sizeof(buffer) - 1 - strlen(buffer));
                 }
             }
             if (spacing > 23) {
-                strcat(buffer, NL);
+                strncat(buffer, NL, sizeof(buffer) - 1 - strlen(buffer));
                 fputs(buffer, output);
                 spacing = 0;
                 buffer[0] = '\0';
             }
-            strncat(buffer, twentyfive_spaces, 25-spacing);
+            strncat(buffer, twentyfive_spaces, strlen(twentyfive_spaces) - spacing);
 
             /*
              * Due to libss not knowing what TEXT_DOMAIN
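Review bot: The padding call `strncat(buffer, twentyfive_spaces, strlen(twentyfive_spaces) - spacing)` is the one append in this hunk whose bound is not the space left in `buffer`; it is an unsigned subtraction that would wrap to a very large count if `spacing` ever exceeded the string length. It is safe here only because the `spacing > 23` branch just above resets `spacing` to 0, which deserves a comment next to the call. `spacing += len + 2` also still counts the full name length even when the preceding `strncat` truncated the name. I would compute the pad width once and pass the smaller of it and `sizeof(buffer) - 1 - strlen(buffer)`, matching the other calls. The declarations of `buffer` and `twentyfive_spaces` are outside the hunk.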
@@ -115,8 +120,8 @@
              * messages, we know require the callers (ktutil,kadmin)
              * to L10N the messages before calling libss.
              */
-            strcat(buffer, entry->info_string);
-            strcat(buffer, NL);
+            strncat(buffer, entry->info_string, sizeof(buffer) -1 - strlen(buffer));
+            strncat(buffer, NL,  sizeof(buffer) - 1 - strlen(buffer));
             fputs(buffer, output);
         }
     }
--- a/usr/src/lib/krb5/ss/listen.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/listen.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -20,27 +20,21 @@
 #include <stdio.h>
 #include <setjmp.h>
 #include <signal.h>
+#include <termios.h>
 #include <libintl.h>
 #include <sys/param.h>
-#ifdef BSD
-#include <sgtty.h>
-#endif
 
 static ss_data *current_info;
 static jmp_buf listen_jmpb;
 
 static RETSIGTYPE print_prompt()
 {
-#ifdef BSD
-    /* put input into a reasonable mode */
-    struct sgttyb ttyb;
-    if (ioctl(fileno(stdin), TIOCGETP, &ttyb) != -1) {
-	if (ttyb.sg_flags & (CBREAK|RAW)) {
-	    ttyb.sg_flags &= ~(CBREAK|RAW);
-	    (void) ioctl(0, TIOCSETP, &ttyb);
-	}
+    struct termios termbuf;
+
+    if (tcgetattr(STDIN_FILENO, &termbuf) == 0) {
+	termbuf.c_lflag |= ICANON|ISIG|ECHO;
+	tcsetattr(STDIN_FILENO, TCSANOW, &termbuf);
     }
-#endif
     (void) fputs(current_info->prompt, stdout);
     (void) fflush(stdout);
 }
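Review bot: `termbuf.c_lflag |= ICANON|ISIG|ECHO;` turns echo on every time the prompt is printed, whereas the removed BSD code only cleared CBREAK|RAW and left the echo setting alone. The `RETSIGTYPE` return type suggests print_prompt is installed as a signal handler (the installation is outside this hunk); if it can run while another part of the program has echo disabled for a password prompt, the typed input would become visible. I would drop `ECHO` from the mask unless it is known to be required, and write the call as `(void) tcsetattr(STDIN_FILENO, TCSANOW, &termbuf);` to match the `(void) fputs` style below, or handle its failure. The stdio calls that follow are not async-signal-safe either, which predates this change.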
@@ -59,7 +53,7 @@
     register ss_data *info;
     char input[BUFSIZ];
     char buffer[BUFSIZ];
-    char *end = buffer;
+    char *volatile end = buffer;
     int code;
     jmp_buf old_jmpb;
     ss_data *old_info = current_info;
@@ -175,7 +169,7 @@
 
 void ss_quit(argc, argv, sci_idx, infop)
     int argc;
-    char **argv;
+    char const * const *argv;
     int sci_idx;
     pointer infop;
 {
--- a/usr/src/lib/krb5/ss/mapfile-vers	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/mapfile-vers	Sat Oct 07 13:37:05 2006 -0700
@@ -27,7 +27,6 @@
 
 SUNWprivate_1.1 {
     global:
-	debugDisplaySS;
 	ss_abort_subsystem;
 	ss_add_info_dir;
 	ss_add_request_table;
--- a/usr/src/lib/krb5/ss/mit-sipb-copyright.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/mit-sipb-copyright.h	Sat Oct 07 13:37:05 2006 -0700
@@ -12,6 +12,9 @@
 and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
 used in advertising or publicity pertaining to distribution
 of the software without specific, written prior permission.
+Furthermore if you modify this software you must label
+your software as modified software and not distribute it in such a
+fashion that it might be confused with the original M.I.T. software.
 M.I.T. and the M.I.T. S.I.P.B. make no representations about
 the suitability of this software for any purpose.  It is
 provided "as is" without express or implied warranty.
--- a/usr/src/lib/krb5/ss/mk_cmds.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/mk_cmds.c	Sat Oct 07 13:37:05 2006 -0700
@@ -25,7 +25,7 @@
 static const char copyright[] =
     "Copyright 1987 by MIT Student Information Processing Board";
 
-extern pointer malloc PROTOTYPE((unsigned));
+extern pointer malloc (unsigned);
 extern char *last_token;
 extern FILE *output_file;
 
@@ -68,8 +68,9 @@
     p = strrchr(path, '.');
     *p = '\0';
     q = rindex(path, '/');
-    strcpy(c_file, (q) ? q + 1 : path);
-    strcat(c_file, ".c");
+    strncpy(c_file, (q) ? q + 1 : path, sizeof(c_file) - 1);
+    c_file[sizeof(c_file) - 1] = '\0';
+    strncat(c_file, ".c", sizeof(c_file) - 1 - strlen(c_file));
     *p = '.';
 
     output_file = fopen(c_file, "w+F");
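Review bot: The result of `strrchr(path, '.')` is dereferenced by `*p = '\0'` without a NULL check, so an input path with no dot faults before the bounded copy added here is reached. The new `strncpy`/`strncat` pair also truncates silently, in which case `fopen(c_file, "w+F")` creates or overwrites a file under a shortened name. I would return an error when `p == NULL` and when the base name plus `.c` does not fit in `c_file`, rather than continuing with a clipped name. The function starts before this hunk and continues after it.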
--- a/usr/src/lib/krb5/ss/pager.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/pager.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -16,11 +16,11 @@
 
 #include "ss_internal.h"
 #include "copyright.h"
+#include <errno.h>
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/file.h>
 #include <signal.h>
-#include <errno.h>
 
 static char MORE[] = "more";
 extern char *_ss_pager_name;
@@ -43,7 +43,7 @@
 	if (pipe(filedes) != 0)
 		return(-1);
 
-	switch(fork()) {
+	switch((int) fork()) {
 	case -1:
 		return(-1);
 	case 0:
@@ -112,7 +112,7 @@
 		char buf[80];
 		register int n;
 		while ((n = read(0, buf, 80)) > 0)
-			write(1, buf, n);
+			write(1, buf, (unsigned) n);
 	}
 	exit(errno);
 }
--- a/usr/src/lib/krb5/ss/parse.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/parse.c	Sat Oct 07 13:37:05 2006 -0700
@@ -8,10 +8,7 @@
 
 #include "ss_internal.h"
 #include "copyright.h"
-
-/* global indicating if we should be printing debug messages */
-extern int g_displayDebugSS;
-
+#include <errno.h>
 
 enum parse_mode { WHITESPACE, TOKEN, QUOTED_STRING };
 
@@ -58,9 +55,7 @@
     while (1) {
 #ifdef DEBUG
 	{
-		if (g_displayDebugSS)
-			printf ("character `%c', mode %d\n",
-				*line_ptr, parse_mode);
+	    printf ("character `%c', mode %d\n", *line_ptr, parse_mode);
 	}
 #endif
 	while (parse_mode == WHITESPACE) {
@@ -130,15 +125,13 @@
 end_of_line:
     *argc_ptr = argc;
 #ifdef DEBUG
-
-	if (g_displayDebugSS)
-    	{
-		int i;
-		printf ("argc = %d\n", argc);
-		for (i = 0; i <= argc; i++)
-	    		printf ("\targv[%2d] = `%s'\n", i,
-		    		argv[i] ? argv[i] : "<NULL>");
-    	}
+    {
+	int i;
+	printf ("argc = %d\n", argc);
+	for (i = 0; i <= argc; i++)
+	    printf ("\targv[%2d] = `%s'\n", i,
+		    argv[i] ? argv[i] : "<NULL>");
+    }
 #endif
     return(argv);
 }
--- a/usr/src/lib/krb5/ss/request_tbl.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/request_tbl.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -31,8 +31,8 @@
 		;
 	/* size == C subscript of NULL == #elements */
 	size += 2;		/* new element, and NULL */
-	info->rqt_tables = (ssrt **)realloc((char *)info->rqt_tables,
-					    (unsigned)size*sizeof(ssrt));
+	info->rqt_tables = (ssrt **)realloc(info->rqt_tables,
+					    size*sizeof(ssrt));
 	if (info->rqt_tables == (ssrt **)NULL) {
 		*code_ptr = errno;
 		return;
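Review bot: `info->rqt_tables = (ssrt **)realloc(info->rqt_tables, size*sizeof(ssrt));` overwrites the only pointer to the table, so when realloc fails the old block is leaked and the invocation is left with a NULL table. Keeping the result in a temporary fixes both: `tmp = realloc(info->rqt_tables, size*sizeof(ssrt));`, then `if (tmp == NULL) { *code_ptr = errno; return; }` and `info->rqt_tables = tmp;`, with `ssrt **tmp` declared at the top. The element size also looks as if it should be `sizeof(ssrt *)` for an array of pointers, though the definition of `ssrt` is not visible here. The function starts before this hunk and continues after it.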
--- a/usr/src/lib/krb5/ss/requests.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/requests.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,6 +1,6 @@
 /*
- * Copyright (c) 2000 by Sun Microsystems, Inc.
- * All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
  */
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
@@ -13,12 +13,11 @@
  * For copyright information, see mit-sipb-copyright.h.
  */
 
-#include <ss/mit-sipb-copyright.h>
 #include <stdio.h>
 #include "ss_internal.h"
 #include <libintl.h>
 
-#define	DECLARE(name)	void name(argc,argv,sci_idx)int argc,sci_idx;char **argv;
+#define	DECLARE(name)	void name(argc,argv,sci_idx,info_ptr)int argc,sci_idx;const char * const *argv; pointer info_ptr;
 
 /*
  * ss_self_identify -- assigned by default to the "." request
@@ -55,13 +54,3 @@
 {
      ss_perror(sci_idx, SS_ET_UNIMPLEMENTED, "");
 }
-
-int g_displayDebugSS = 0;
-/*
- * debug message display toggle
- */
-void
-debugDisplaySS(int onOff) {
-
-	g_displayDebugSS = onOff;
-}
--- a/usr/src/lib/krb5/ss/ss.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/ss.h	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -13,9 +13,8 @@
 #ifndef _ss_h
 #define _ss_h __FILE__
 
-#include <ss/mit-sipb-copyright.h>
+#include <errno.h>
 #include <ss/ss_err.h>
-#include <errno.h>
 
 #ifdef __STDC__
 #define __SS_CONST const
@@ -52,16 +51,24 @@
 #define SS_OPT_DONT_SUMMARIZE	0x0002
 
 void ss_help __SS_PROTO;
+void ss_list_requests __SS_PROTO;
+void ss_quit __SS_PROTO;
 char *ss_current_request();
-char *ss_name();
-#ifdef __STDC__
+char *ss_name(int);
 void ss_error (int, long, char const *, ...);
 void ss_perror (int, long, char const *);
-#else
-void ss_error ();
-void ss_perror ();
-#endif
-void ss_abort_subsystem();
+int ss_listen (int);
+int ss_create_invocation(char *, char *, char *, ss_request_table *, int *);
+void ss_delete_invocation(int);
+void ss_add_info_dir(int , char *, int *);
+void ss_delete_info_dir(int , char *, int *);
+int ss_execute_command(int sci_idx, char **);
+void ss_abort_subsystem(int, int);
+void ss_set_prompt(int, char *);
+char *ss_get_prompt(int);
+void ss_add_request_table(int, ss_request_table *, int, int *);
+void ss_delete_request_table(int, ss_request_table *, int *);
+int ss_execute_line (int, char*);
 extern ss_request_table ss_std_requests;
 
 /* toggles the display of debugging messages */
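Review bot: `char *ss_current_request();` is left with an empty parameter list while every declaration around it gains a prototype, so calls to it are still not type-checked; it should get a prototype matching its definition, which is outside this hunk. `int ss_execute_command(int sci_idx, char **);` mixes a named and an unnamed parameter, unlike its neighbours, and would read better as `int ss_execute_command(int, char **);`. The trailing comment `/* toggles the display of debugging messages */` presumably introduces a declaration of `debugDisplaySS`, whose definition this commit removes from requests.c; if that declaration is still present below the hunk, it should be removed with it so that no caller links against a missing symbol.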
--- a/usr/src/lib/krb5/ss/ss_internal.h	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/ss_internal.h	Sat Oct 07 13:37:05 2006 -0700
@@ -15,20 +15,8 @@
 #include <stdlib.h>
 #endif
 
-#ifdef __STDC__
-
-#define PROTOTYPE(p) p
 typedef void * pointer;
 
-#else
-
-#define const
-#define volatile
-#define PROTOTYPE(p) ()
-typedef char * pointer;
-
-#endif /* not __STDC__ */
-
 #include <ss/ss.h>
 
 #if defined(__GNUC__)
@@ -38,13 +26,13 @@
 #if defined(vax)
 #define LOCAL_ALLOC(x) alloca(x)
 #define LOCAL_FREE(x)
-extern pointer alloca PROTOTYPE((unsigned));
+extern pointer alloca (unsigned);
 #else
 #if defined(__HIGHC__)	/* Barf! */
 pragma on(alloca);
 #define LOCAL_ALLOC(x) alloca(x)
 #define LOCAL_FREE(x)
-extern pointer alloca PROTOTYPE((unsigned));
+extern pointer alloca (unsigned);
 #else
 /* no alloca? */
 #define LOCAL_ALLOC(x) malloc(x)
@@ -103,23 +91,30 @@
      (*code_ptr=0,ss_info(sci_idx)->current_request)
 void ss_unknown_function();
 void ss_delete_info_dir();
-int ss_execute_line();
-char **ss_parse();
-ss_abbrev_info *ss_abbrev_initialize PROTOTYPE((char *, int *));
-void ss_page_stdin();
+char **ss_parse (int, char *, int *);
+ss_abbrev_info *ss_abbrev_initialize (char *, int *);
+void ss_page_stdin (void);
+int ss_pager_create (void);
+void ss_self_identify __SS_PROTO;
+void ss_subsystem_name __SS_PROTO;
+void ss_subsystem_version __SS_PROTO;
+void ss_unimplemented __SS_PROTO;
 
 extern ss_data **_ss_table;
 extern char *ss_et_msgs[];
 
 #ifndef HAVE_STDLIB_H
-extern pointer malloc PROTOTYPE((unsigned));
-extern pointer realloc PROTOTYPE((pointer, unsigned));
-extern pointer calloc PROTOTYPE((unsigned, unsigned));
+extern pointer malloc (unsigned);
+extern pointer realloc (pointer, unsigned);
+extern pointer calloc (unsigned, unsigned);
 #endif
 
-#ifdef USE_SIGPROCMASK
+#if defined(USE_SIGPROCMASK) && !defined(POSIX_SIGNALS)
 /* fake sigmask, sigblock, sigsetmask */
 #include <signal.h>
+#ifdef sigmask
+#undef sigmask
+#endif
 #define sigmask(x) (1L<<(x)-1)
 #define sigsetmask(x) sigprocmask(SIG_SETMASK,&x,NULL)
 static int _fake_sigstore;
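Review bot: The fallback declarations under `#ifndef HAVE_STDLIB_H` now read `extern pointer malloc (unsigned);`, `realloc (pointer, unsigned)` and `calloc (unsigned, unsigned)`, which disagree with the standard `size_t` signatures; on an LP64 build where this branch is compiled, a size above `UINT_MAX` would be truncated before allocation. Either drop the fallback and include `<stdlib.h>` unconditionally, or declare them with `size_t`, e.g. `extern pointer malloc (size_t);`. In the same hunk `void ss_delete_info_dir();` stays unprototyped although ss.h now declares it with `(int , char *, int *)`, so the line can be deleted as was done for `ss_execute_line`. The context line `#define sigmask(x) (1L<<(x)-1)` relies on `-` binding tighter than `<<`; writing `(1L << ((x) - 1))` would make that explicit.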
--- a/usr/src/lib/krb5/ss/utils.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/lib/krb5/ss/utils.c	Sat Oct 07 13:37:05 2006 -0700
@@ -63,13 +63,12 @@
     var_name = generate_cmds_string(cmds);
     generate_function_definition(func_name);
     size = 6;		/* "    { " */
-    size += strlen(var_name)+7; /* "quux, " */
-    size += strlen(func_name)+7; /* "foo, " */
-    size += strlen(info_string)+9; /* "\"Info!\", " */
+    size += strlen(var_name)+8; /* "quux, " */
+    size += strlen(func_name)+8; /* "foo, " */
+    size += strlen(info_string)+8; /* "\"Info!\", " */
     sprintf(numbuf, "%d", options);
-    size += strlen(numbuf);
-    size += 4;		/* " }," + NL */
-    string = malloc(size * sizeof(char *));
+    size += strlen(numbuf)+5;		/* " }," + NL + NUL */
+    string = malloc(size);
     strcpy(string, "    { ");
     strcat(string, var_name);
     strcat(string, ",\n      ");
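Review bot: `string = malloc(size);` is followed immediately by `strcpy(string, ...)` with no NULL check, and now that the buffer is sized exactly rather than over-allocated by `sizeof(char *)`, any miscount in the hand-added constants becomes a heap overflow in the `strcat` chain. Add a check such as `if (string == NULL) return NULL;` (or whatever the function's error convention is; its signature is outside this hunk). The comments on the `+8` lines still show two-character separators (`"quux, "`, `"foo, "`) while the visible separator is the eight-character `",\n      "`; each should name the literal it counts, e.g. `/* var_name + ",\n      " */`, so the total can be audited against the `strcat` calls, most of which lie below the hunk. `sprintf(numbuf, "%d", options)` would also be safer as `snprintf(numbuf, sizeof numbuf, "%d", options)`, assuming `numbuf` is an array.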
@@ -125,7 +124,7 @@
 	return(result);
 }
 
-#ifndef HAS_STRDUP
+#ifndef HAVE_STRDUP
 /* make duplicate of string and return pointer */
 char *strdup(s)
 	register char *s;
--- a/usr/src/pkgdefs/SUNWkdcu/prototype_com	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/pkgdefs/SUNWkdcu/prototype_com	Sat Oct 07 13:37:05 2006 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -71,6 +70,7 @@
 f none usr/lib/krb5/visualrt.jar 444 root bin
 d none usr/sbin 0755 root bin
 f none usr/sbin/gkadmin 555 root bin
+f none usr/sbin/k5srvutil 555 root bin
 f none usr/sbin/kadmin 555 root bin
 f none usr/sbin/kadmin.local 555 root bin
 f none usr/sbin/kclient 555 root bin
--- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c	Sat Oct 07 07:01:32 2006 -0700
+++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c	Sat Oct 07 13:37:05 2006 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -490,10 +490,7 @@
 	ctx->prompt_types = 0;
 	ctx->use_conf_ktypes = 0;
 
-	/* 
-	 * Solaris Kerberos: simplifying config by hard-coding udp_pref_limit
-	 */
-	ctx->udp_pref_limit = DEFAULT_UDP_PREF_LIMIT;
+	ctx->udp_pref_limit = -1;
 
 #endif  /* !_KERNEL */