svn rev #23073: trunk/src/ include/ include/krb5/ kdc/ lib/kadm5/srv/ lib/kdb/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue Oct 27 10:24:02 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23073
Commit By: ghudson
Log Message:
ticket: 6578
subject: Heimdal DB bridge plugin for KDC back end
Merge Luke's users/lhoward/heimmig branch to trunk. Implements a
KDC back-end plugin which interfaces to a Heimdal HDB plugin.
Changed Files:
U trunk/src/configure.in
U trunk/src/include/kdb_ext.h
U trunk/src/include/krb5/authdata_plugin.h
U trunk/src/kdc/do_as_req.c
U trunk/src/kdc/do_tgs_req.c
U trunk/src/kdc/kdc_authdata.c
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/kdc_util.h
U trunk/src/kdc/policy.c
U trunk/src/lib/kadm5/srv/svr_principal.c
U trunk/src/lib/kdb/kdb5.c
U trunk/src/lib/kdb/libkdb5.exports
U trunk/src/plugins/authdata/greet_server/greet_auth.c
A trunk/src/plugins/kdb/hdb/
Modified: trunk/src/configure.in
===================================================================
--- trunk/src/configure.in 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/configure.in 2009-10-27 14:24:01 UTC (rev 23073)
@@ -1096,6 +1096,7 @@
plugins/kdb/db2/libdb2/mpool
plugins/kdb/db2/libdb2/recno
plugins/kdb/db2/libdb2/test
+ plugins/kdb/hdb
plugins/preauth/cksum_body plugins/preauth/encrypted_challenge
plugins/preauth/wpse
plugins/authdata/greet
Modified: trunk/src/include/kdb_ext.h
===================================================================
--- trunk/src/include/kdb_ext.h 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/include/kdb_ext.h 2009-10-27 14:24:01 UTC (rev 23073)
@@ -98,6 +98,7 @@
krb5_timestamp authtime; /* Authtime of TGT */
krb5_authdata **auth_data; /* Authorization data from TGT */
krb5_keyblock *session_key; /* Reply session key */
+ krb5_keyblock *krbtgt_key; /* Key used to decrypt TGT, valid for TGS-REQ only */
} kdb_sign_auth_data_req;
typedef struct _kdb_sign_auth_data_rep {
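Review bot: The comment on the new `krbtgt_key` member says it is valid for TGS-REQ only, but the do_as_req.c hunk in this commit passes `&server_keyblock` in that position, so in the AS path the field carries the TGS's own key rather than NULL. A plugin that follows the comment and tests the field for NULL to tell the two request types apart would be misled. If supplying it in the AS case is intended, reword to `krb5_keyblock *krbtgt_key; /* Key that decrypted the TGT (TGS-REQ) or the TGS's own key (AS-REQ) */` and annotate the AS call site with `&server_keyblock, /* krbtgt_key: in an AS-REQ the ticket server is the TGS */`; otherwise pass NULL there.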
@@ -123,6 +124,7 @@
typedef struct _kdb_check_policy_as_rep {
krb5_magic magic;
const char *status;
+ krb5_data e_data;
} kdb_check_policy_as_rep;
typedef struct _kdb_check_policy_tgs_req {
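Review bot: The new `e_data` member carries no ownership comment, yet the KDC side releases it with `krb5_free_data_contents` (do_tgs_req.c cleanup and the kdc_util.c S4U2Self path in this commit), so a plugin must allocate `e_data.data` with malloc and hand it over. Document that on the field, e.g. `krb5_data e_data; /* optional error data returned to the client; plugin-allocated, freed by the KDC */`, and likewise in kdb_check_policy_tgs_rep below. It is also worth stating that a plugin which sets nothing must leave the member zeroed, since the KDC copies the whole struct member without inspecting it.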
@@ -135,6 +137,7 @@
typedef struct _kdb_check_policy_tgs_rep {
krb5_magic magic;
const char *status;
+ krb5_data e_data;
} kdb_check_policy_tgs_rep;
typedef struct _kdb_audit_as_req {
Modified: trunk/src/include/krb5/authdata_plugin.h
===================================================================
--- trunk/src/include/krb5/authdata_plugin.h 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/include/krb5/authdata_plugin.h 2009-10-27 14:24:01 UTC (rev 23073)
@@ -152,6 +152,7 @@
struct _krb5_db_entry_new *tgs,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *tgs_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
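Review bot: The new parameter is named `tgs_key` here but `krbtgt_key` in every implementation and declaration this commit touches (kdc_authdata.c, kdc_util.h, greet_auth.c); use one name so the plugin header matches the code it documents. Inserting a parameter in the middle of a plugin callback changes the calling convention for every authdata plugin built against the old header; unless the plugin interface version is bumped elsewhere in this commit (not visible here), an out-of-tree plugin would be invoked with a mismatched signature. A one-line comment saying what the key is (per the kdb_ext.h comment, the key that decrypted the TGT) would help plugin authors.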
Modified: trunk/src/kdc/do_as_req.c
===================================================================
--- trunk/src/kdc/do_as_req.c 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/kdc/do_as_req.c 2009-10-27 14:24:01 UTC (rev 23073)
@@ -108,7 +108,7 @@
krb5_enctype useenctype;
krb5_data e_data;
register int i;
- krb5_timestamp until, rtime;
+ krb5_timestamp rtime;
char *cname = 0, *sname = 0;
unsigned int c_flags = 0, s_flags = 0;
krb5_principal_data client_princ;
@@ -265,7 +265,7 @@
authtime = kdc_time; /* for audit_as_request() */
if ((errcode = validate_as_request(request, client, server,
- kdc_time, &status))) {
+ kdc_time, &status, &e_data))) {
if (!status)
status = "UNKNOWN_REASON";
errcode += ERROR_TABLE_BASE_krb5;
@@ -339,14 +339,14 @@
enc_tkt_reply.times.starttime = request->from;
} else
enc_tkt_reply.times.starttime = kdc_time;
-
- until = (request->till == 0) ? kdc_infinity : request->till;
- enc_tkt_reply.times.endtime =
- min(until,
- min(enc_tkt_reply.times.starttime + client.max_life,
- min(enc_tkt_reply.times.starttime + server.max_life,
- enc_tkt_reply.times.starttime + max_life_for_realm)));
+ kdc_get_ticket_endtime(kdc_context,
+ enc_tkt_reply.times.starttime,
+ kdc_infinity,
+ request->till,
+ &client,
+ &server,
+ &enc_tkt_reply.times.endtime);
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
!isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
@@ -559,6 +559,7 @@
&server,
&client_keyblock,
&server_keyblock,
+ &server_keyblock,
req_pkt,
request,
NULL, /* for_user_princ */
Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/kdc/do_tgs_req.c 2009-10-27 14:24:01 UTC (rev 23073)
@@ -77,7 +77,7 @@
static krb5_error_code
prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
- krb5_principal,krb5_data **,const char *);
+ krb5_principal,krb5_data **,const char *, krb5_data *);
static krb5_int32
prep_reprocess_req(krb5_kdc_req *,krb5_principal *);
@@ -88,6 +88,7 @@
krb5_data **response)
{
krb5_keyblock * subkey = 0;
+ krb5_keyblock * tgskey = 0;
krb5_kdc_req *request = 0;
krb5_db_entry server;
krb5_kdc_rep reply;
@@ -103,7 +104,7 @@
krb5_boolean more;
krb5_timestamp kdc_time, authtime=0;
krb5_keyblock session_key;
- krb5_timestamp until, rtime;
+ krb5_timestamp rtime;
krb5_keyblock *reply_key = NULL;
krb5_keyblock *mkey_ptr;
krb5_key_data *server_key;
@@ -129,9 +130,11 @@
struct kdc_request_state *state = NULL;
krb5_pa_data *pa_tgs_req; /*points into request*/
krb5_data scratch;
+ krb5_data e_data; /* backend-provided error data */
reply.padata = 0; /* For cleanup handler */
reply_encpart.enc_padata = 0;
+ e_data.data = NULL;
session_key.contents = NULL;
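Review bot: `e_data.data = NULL;` leaves `e_data.length` (and `magic`) uninitialized, and prepare_error_tgs now copies the whole struct with `errpkt.e_data = *e_data;`, so any error reached before a policy back end fills e_data (that is, most TGS failures) hands the error encoder a NULL pointer with a garbage length. Initialize the whole struct instead: `memset(&e_data, 0, sizeof(e_data));`. The `krb5_data e_data; e_data.data = NULL;` added in kdc_util.c has the same shape; it is only passed to krb5_free_data_contents there, but zeroing it fully keeps the two sites consistent. The enclosing function starts and ends outside this hunk.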
@@ -147,7 +150,8 @@
return retval;
}
errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
- &krbtgt, &k_nprincs, &subkey, &pa_tgs_req);
+ &krbtgt, &k_nprincs, &tgskey,
+ &subkey, &pa_tgs_req);
if (header_ticket && header_ticket->enc_part2 &&
(errcode2 = krb5_unparse_name(kdc_context,
header_ticket->enc_part2->client,
@@ -281,7 +285,7 @@
}
if ((retval = validate_tgs_request(request, server, header_ticket,
- kdc_time, &status))) {
+ kdc_time, &status, &e_data))) {
if (!status)
status = "UNKNOWN_REASON";
errcode = retval + ERROR_TABLE_BASE_krb5;
@@ -540,18 +544,22 @@
} else {
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
- until = (request->till == 0) ? kdc_infinity : request->till;
- enc_tkt_reply.times.endtime =
- min(until, min(enc_tkt_reply.times.starttime + server.max_life,
- min(enc_tkt_reply.times.starttime + max_life_for_realm,
- header_enc_tkt->times.endtime)));
+
+ kdc_get_ticket_endtime(kdc_context,
+ enc_tkt_reply.times.starttime,
+ header_enc_tkt->times.endtime,
+ request->till,
+ &client,
+ &server,
+ &enc_tkt_reply.times.endtime);
+
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
(enc_tkt_reply.times.endtime < request->till) &&
isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) {
setflag(request->kdc_options, KDC_OPT_RENEWABLE);
request->rtime =
min(request->till, header_enc_tkt->times.renew_till);
- }
+ }
}
rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
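Review bot: The replaced expression limited the TGS endtime by the header ticket and `server.max_life` only, while the new call also passes `&client`, so `client.max_life` now takes part in the TGS lifetime computation. Whether `client` is looked up for every TGS flow is not visible here; if it is not zero-initialized on every path before this point, `client->max_life` is read uninitialized inside kdc_get_ticket_endtime. Confirm that `client` is memset before this call, or pass a zeroed entry when no client lookup was done, and mention the new dependence on the client entry in a comment above the call. The enclosing function starts and ends outside this hunk.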
@@ -716,6 +724,7 @@
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
&encrypting_key, /* U2U or server key */
+ tgskey,
pkt,
request,
s4u_x509_user ?
@@ -974,7 +983,7 @@
retval = prepare_error_tgs(state, request, header_ticket, errcode,
nprincs ? server.princ : NULL,
- response, status);
+ response, status, &e_data);
if (got_err) {
krb5_free_error_message (kdc_context, status);
status = 0;
@@ -1009,10 +1018,13 @@
free(s4u_name);
if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
+ if (tgskey != NULL)
+ krb5_free_keyblock(kdc_context, tgskey);
if (reply.padata)
krb5_free_pa_data(kdc_context, reply.padata);
if (reply_encpart.enc_padata)
krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
+ krb5_free_data_contents(kdc_context, &e_data);
return retval;
}
@@ -1021,7 +1033,8 @@
prepare_error_tgs (struct kdc_request_state *state,
krb5_kdc_req *request, krb5_ticket *ticket, int error,
krb5_principal canon_server,
- krb5_data **response, const char *status)
+ krb5_data **response, const char *status,
+ krb5_data *e_data)
{
krb5_error errpkt;
krb5_error_code retval = 0;
@@ -1047,8 +1060,7 @@
free(errpkt.text.data);
return ENOMEM;
}
- errpkt.e_data.length = 0;
- errpkt.e_data.data = NULL;
+ errpkt.e_data = *e_data;
if (state)
retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
if (retval) {
Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/kdc/kdc_authdata.c 2009-10-27 14:24:01 UTC (rev 23073)
@@ -56,6 +56,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
@@ -75,6 +76,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
@@ -90,6 +92,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
@@ -382,6 +385,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
@@ -455,6 +459,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
@@ -526,6 +531,7 @@
krbtgt,
client_key,
server_key, /* U2U or server key */
+ krbtgt_key,
enc_tkt_reply->times.authtime,
tgs_req ? enc_tkt_request->authorization_data : NULL,
enc_tkt_reply->session,
@@ -562,6 +568,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
@@ -586,7 +593,7 @@
case AUTHDATA_SYSTEM_V2:
code = (*asys->handle_authdata.v2)(context, flags,
client, server, krbtgt,
- client_key, server_key,
+ client_key, server_key, krbtgt_key,
req_pkt, request, for_user_princ,
enc_tkt_request,
enc_tkt_reply);
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/kdc/kdc_util.c 2009-10-27 14:24:01 UTC (rev 23073)
@@ -230,6 +230,7 @@
kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from,
krb5_data *pkt, krb5_ticket **ticket,
krb5_db_entry *krbtgt, int *nprincs,
+ krb5_keyblock **tgskey,
krb5_keyblock **subkey,
krb5_pa_data **pa_tgs_req)
{
@@ -243,10 +244,10 @@
krb5_auth_context auth_context = NULL;
krb5_authenticator * authenticator = NULL;
krb5_checksum * his_cksum = NULL;
- krb5_keyblock * key = NULL;
krb5_kvno kvno = 0;
*nprincs = 0;
+ *tgskey = NULL;
tmppa = find_pa_data(request->padata, KRB5_PADATA_AP_REQ);
if (!tmppa)
@@ -289,13 +290,12 @@
#endif
if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server,
- krbtgt, nprincs, &key, &kvno)))
+ krbtgt, nprincs, tgskey, &kvno)))
goto cleanup_auth_context;
/*
* We do not use the KDB keytab because other parts of the TGS need the TGT key.
*/
- retval = krb5_auth_con_setuseruserkey(kdc_context, auth_context, key);
- krb5_free_keyblock(kdc_context, key);
+ retval = krb5_auth_con_setuseruserkey(kdc_context, auth_context, *tgskey);
if (retval)
goto cleanup_auth_context;
@@ -411,6 +411,10 @@
krb5_auth_con_free(kdc_context, auth_context);
cleanup:
+ if (retval != 0) {
+ krb5_free_keyblock(kdc_context, *tgskey);
+ *tgskey = NULL;
+ }
krb5_free_ap_req(kdc_context, apreq);
return retval;
}
@@ -932,7 +936,7 @@
int
validate_as_request(register krb5_kdc_req *request, krb5_db_entry client,
krb5_db_entry server, krb5_timestamp kdc_time,
- const char **status)
+ const char **status, krb5_data *e_data)
{
int errcode;
@@ -1042,7 +1046,7 @@
* Check against local policy
*/
errcode = against_local_policy_as(request, client, server,
- kdc_time, status);
+ kdc_time, status, e_data);
if (errcode)
return errcode;
@@ -1225,7 +1229,7 @@
int
validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server,
krb5_ticket *ticket, krb5_timestamp kdc_time,
- const char **status)
+ const char **status, krb5_data *e_data)
{
int errcode;
int st_idx = 0;
@@ -1458,7 +1462,8 @@
/*
* Check local policy
*/
- errcode = against_local_policy_tgs(request, server, ticket, status);
+ errcode = against_local_policy_tgs(request, server, ticket,
+ status, e_data);
if (errcode)
return errcode;
@@ -1737,6 +1742,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
krb5_authdata **tgs_authdata,
krb5_keyblock *session_key,
@@ -1763,6 +1769,7 @@
req.authtime = authtime;
req.auth_data = tgs_authdata;
req.session_key = session_key;
+ req.krbtgt_key = krbtgt_key;
req_data.data = (void *)&req;
req_data.length = sizeof(req);
@@ -2166,9 +2173,9 @@
* the TGT and that we have a global name service.
*/
flags = 0;
- switch (krb5_princ_type(kdc_context, request->server)) {
+ switch (krb5_princ_type(context, request->server)) {
case KRB5_NT_SRV_HST: /* (1) */
- if (krb5_princ_size(kdc_context, request->server) == 2)
+ if (krb5_princ_size(context, request->server) == 2)
flags |= KRB5_PRINCIPAL_COMPARE_IGNORE_REALM;
break;
case KRB5_NT_ENTERPRISE_PRINCIPAL: /* (2) */
@@ -2204,9 +2211,11 @@
*/
if (is_local_principal((*s4u_x509_user)->user_id.user)) {
krb5_db_entry no_server;
+ krb5_data e_data;
+ e_data.data = NULL;
*nprincs = 1;
- code = krb5_db_get_principal_ext(kdc_context,
+ code = krb5_db_get_principal_ext(context,
(*s4u_x509_user)->user_id.user,
KRB5_KDB_FLAG_INCLUDE_PAC,
princ, nprincs, &more);
@@ -2227,8 +2236,9 @@
memset(&no_server, 0, sizeof(no_server));
code = validate_as_request(request, *princ,
- no_server, kdc_time, status);
+ no_server, kdc_time, status, &e_data);
if (code) {
+ krb5_free_data_contents(context, &e_data);
return code;
}
}
@@ -2613,3 +2623,36 @@
return 0;
}
+void
+kdc_get_ticket_endtime(krb5_context context,
+ krb5_timestamp starttime,
+ krb5_timestamp endtime,
+ krb5_timestamp till,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp *out_endtime)
+{
+ krb5_timestamp until, life;
+
+ if (till == 0)
+ till = kdc_infinity;
+
+ until = min(till, endtime);
+
+ /* check for underflow */
+ life = (until < starttime) ? 0 : until - starttime;
+
+ if (client->max_life != 0)
+ life = min(life, client->max_life);
+ if (server->max_life != 0)
+ life = min(life, server->max_life);
+ if (max_life_for_realm != 0)
+ life = min(life, max_life_for_realm);
+
+ /* check for overflow */
+ if (starttime > kdc_infinity - life)
+ *out_endtime = kdc_infinity;
+ else
+ *out_endtime = starttime + life;
+}
+
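Review bot: The second parameter is `starttime` here but `now` in the kdc_util.h declaration added by this commit; align the names so the prototype documents the definition. The function is undocumented and changes semantics relative to the expressions it replaces: a `max_life` of 0 on the client or server entry now means "no limit" instead of a zero-length ticket, and `context` is unused while the globals `max_life_for_realm` and `kdc_infinity` are read directly. Add a header comment stating that the result is the minimum of `till` (0 meaning unlimited), `endtime`, and the non-zero client, server and realm max_life values measured from `starttime`, clamped to `kdc_infinity`. The overflow guard assumes `life` is non-negative, which holds only if no max_life stored in the database is negative; a clamp or a comment would make that explicit.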
Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/kdc/kdc_util.h 2009-10-27 14:24:01 UTC (rev 23073)
@@ -66,7 +66,8 @@
krb5_ticket **,
krb5_db_entry *krbtgt,
int *nprincs,
- krb5_keyblock **, krb5_pa_data **pa_tgs_req);
+ krb5_keyblock **, krb5_keyblock **,
+ krb5_pa_data **pa_tgs_req);
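Review bot: The new `krb5_keyblock **` is unnamed, so nothing in the prototype tells a reader which of the two out-parameters is the TGS key and which the subkey; name them as the definition does: `krb5_keyblock **tgskey, krb5_keyblock **subkey,`. Since kdc_process_tgs_req now returns `*tgskey` to the caller on success and frees it only on failure, a one-line comment here saying that the caller must free `*tgskey` with krb5_free_keyblock would capture the new ownership rule.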
krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int,
krb5_boolean match_enctype,
@@ -75,7 +76,7 @@
int validate_as_request (krb5_kdc_req *, krb5_db_entry,
krb5_db_entry, krb5_timestamp,
- const char **);
+ const char **, krb5_data *);
int validate_forwardable(krb5_kdc_req *, krb5_db_entry,
krb5_db_entry, krb5_timestamp,
@@ -83,7 +84,7 @@
int validate_tgs_request (krb5_kdc_req *, krb5_db_entry,
krb5_ticket *, krb5_timestamp,
- const char **);
+ const char **, krb5_data *);
int fetch_asn1_field (unsigned char *, unsigned int, unsigned int,
krb5_data *);
@@ -144,10 +145,11 @@
/* policy.c */
int against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
krb5_db_entry, krb5_timestamp,
- const char **);
+ const char **, krb5_data *);
int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
- krb5_ticket *, const char **);
+ krb5_ticket *, const char **,
+ krb5_data *);
/* kdc_preauth.c */
krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype);
@@ -197,6 +199,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
@@ -236,6 +239,7 @@
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
krb5_authdata **tgs_authdata,
krb5_keyblock *session_key,
@@ -296,8 +300,15 @@
krb5_const_principal client,
krb5_db_entry *server,
krb5_db_entry *krbtgt);
+void
+kdc_get_ticket_endtime(krb5_context context,
+ krb5_timestamp now,
+ krb5_timestamp endtime,
+ krb5_timestamp till,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp *out_endtime);
-
void
log_as_req(const krb5_fulladdr *from,
krb5_kdc_req *request, krb5_kdc_rep *reply,
Modified: trunk/src/kdc/policy.c
===================================================================
--- trunk/src/kdc/policy.c 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/kdc/policy.c 2009-10-27 14:24:01 UTC (rev 23073)
@@ -60,7 +60,7 @@
int
against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
krb5_db_entry server, krb5_timestamp kdc_time,
- const char **status)
+ const char **status, krb5_data *e_data)
{
krb5_error_code code;
kdb_check_policy_as_req req;
@@ -98,6 +98,7 @@
return 0;
*status = rep.status;
+ *e_data = rep.e_data;
if (code != 0) {
code -= ERROR_TABLE_BASE_krb5;
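Review bot: `*e_data = rep.e_data;` runs even when `code == 0`, so a back end that sets e_data on an accepted request transfers ownership to callers that release it only on failure (the kdc_util.c S4U2Self path frees e_data only inside `if (code)`), leaking it. Copy the data only on rejection and release it otherwise: `if (code != 0) *e_data = rep.e_data; else krb5_free_data_contents(kdc_context, &rep.e_data);`; against_local_policy_tgs below has the same pattern. This also relies on `rep` being zeroed before the plugin call, which is outside the hunk; a plugin compiled against the old reply layout will never touch the new member.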
@@ -113,7 +114,8 @@
*/
krb5_error_code
against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
- krb5_ticket *ticket, const char **status)
+ krb5_ticket *ticket, const char **status,
+ krb5_data *e_data)
{
krb5_error_code code;
kdb_check_policy_tgs_req req;
@@ -154,6 +156,7 @@
return 0;
*status = rep.status;
+ *e_data = rep.e_data;
if (code != 0) {
code -= ERROR_TABLE_BASE_krb5;
Modified: trunk/src/lib/kadm5/srv/svr_principal.c
===================================================================
--- trunk/src/lib/kadm5/srv/svr_principal.c 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/lib/kadm5/srv/svr_principal.c 2009-10-27 14:24:01 UTC (rev 23073)
@@ -899,8 +899,10 @@
ret = KADM5_OK;
done:
- if (ret && entry->principal)
+ if (ret && entry->principal) {
krb5_free_principal(handle->context, entry->principal);
+ entry->principal = NULL;
+ }
kdb_free_entry(handle, &kdb, &adb);
return ret;
Modified: trunk/src/lib/kdb/kdb5.c
===================================================================
--- trunk/src/lib/kdb/kdb5.c 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/lib/kdb/kdb5.c 2009-10-27 14:24:01 UTC (rev 23073)
@@ -624,6 +624,7 @@
status = get_vftabl(kcontext, &v);
if (status)
goto clean_n_exit;
+ assert(v->init_module != NULL);
status = v->init_module(kcontext, section, db_args, mode);
get_errmsg(kcontext, status);
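Review bot: `assert(v->init_module != NULL)` aborts the whole process on a plugin that lacks the entry point, and under NDEBUG the check vanishes and the NULL call is undefined behaviour; every other vtable check in this commit returns `KRB5_KDB_DBTYPE_NOSUP` instead. Use the same shape here, `if (v->init_module == NULL) { status = KRB5_KDB_DBTYPE_NOSUP; goto clean_n_exit; }`, and an equivalent check in the `fini_module` hunk below. If the intent is that init_module and fini_module are mandatory, say so in a comment on the vtable declaration rather than with an assert.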
@@ -659,6 +660,10 @@
status = get_vftabl(kcontext, &v);
if (status)
goto clean_n_exit;
+ if (v->db_create == NULL) {
+ status = KRB5_KDB_DBTYPE_NOSUP;
+ goto clean_n_exit;
+ }
status = v->db_create(kcontext, section, db_args);
get_errmsg(kcontext, status);
@@ -679,6 +684,7 @@
return 0;
v = &kcontext->dal_handle->lib_handle->vftabl;
+ assert(v->fini_module != NULL);
status = v->fini_module(kcontext);
get_errmsg(kcontext, status);
@@ -707,6 +713,10 @@
status = get_vftabl(kcontext, &v);
if (status)
goto clean_n_exit;
+ if (v->db_destroy == NULL) {
+ status = KRB5_KDB_DBTYPE_NOSUP;
+ goto clean_n_exit;
+ }
status = v->db_destroy(kcontext, section, db_args);
get_errmsg(kcontext, status);
@@ -725,6 +735,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_get_age == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_get_age(kcontext, db_name, t);
get_errmsg(kcontext, status);
return status;
@@ -739,6 +751,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_set_option == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_set_option(kcontext, option, value);
get_errmsg(kcontext, status);
return status;
@@ -753,6 +767,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_lock == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_lock(kcontext, lock_mode);
get_errmsg(kcontext, status);
return status;
@@ -767,6 +783,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_unlock == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_unlock(kcontext);
get_errmsg(kcontext, status);
return status;
@@ -784,6 +802,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_get_principal == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_get_principal(kcontext, search_for, 0, entries, nentries,
more);
get_errmsg(kcontext, status);
@@ -803,8 +823,12 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
- return v->db_get_principal(kcontext, search_for, flags, entries, nentries,
- more);
+ if (v->db_get_principal == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
+ status = v->db_get_principal(kcontext, search_for,
+ flags, entries, nentries, more);
+ get_errmsg(kcontext, status);
+ return status;
}
krb5_error_code
@@ -816,6 +840,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_free_principal == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_free_principal(kcontext, entry, count);
get_errmsg(kcontext, status);
return status;
@@ -912,6 +938,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_put_principal == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = extract_db_args_from_tl_data(kcontext, &entries->tl_data,
&entries->n_tl_data,
&db_args);
@@ -982,6 +1010,11 @@
}
}
+ if (v->db_put_principal == NULL) {
+ status = KRB5_KDB_DBTYPE_NOSUP;
+ goto err_lock;
+ }
+
status = v->db_put_principal(kcontext, entries, nentries, db_args);
get_errmsg(kcontext, status);
if (status == 0 && fupd) {
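Review bot: This `db_put_principal == NULL` check appears to be unreachable, because the hunk just after get_vftabl in what looks like the same function already returns `KRB5_KDB_DBTYPE_NOSUP` for that case (the function boundaries are outside both hunks, so this is inferred). Keep the early check, which avoids the update-log and lock work, and drop this one; the two `db_delete_principal` checks further down look the same. If the hunks belong to different functions, a comment on the second saying why the vtable is re-checked would help.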
@@ -1015,6 +1048,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_delete_principal == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_delete_principal(kcontext, search_for, nentries);
get_errmsg(kcontext, status);
return status;
@@ -1062,6 +1097,9 @@
free(princ_name);
}
+ if (v->db_delete_principal == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
+
status = v->db_delete_principal(kcontext, search_for, nentries);
get_errmsg(kcontext, status);
@@ -1089,6 +1127,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_iterate == NULL)
+ return 0;
status = v->db_iterate(kcontext, match_entry, func, func_arg);
get_errmsg(kcontext, status);
return status;
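Review bot: Returning 0 when `db_iterate` is missing makes iteration report success over an empty database, so a dump or a policy sweep against a back end without iteration support silently produces nothing, unlike the other methods in this commit, which return `KRB5_KDB_DBTYPE_NOSUP`. If that is intended for the HDB bridge, say so: `/* Iteration is optional; a back end without it is treated as empty. */`; otherwise return the NOSUP error. The `db_iter_policy` hunk further down makes the same choice.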
@@ -1103,6 +1143,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_supported_realms == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_supported_realms(kcontext, realms);
get_errmsg(kcontext, status);
return status;
@@ -1117,6 +1159,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_free_supported_realms == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_free_supported_realms(kcontext, realms);
get_errmsg(kcontext, status);
return status;
@@ -1181,6 +1225,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->get_master_key_list == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->get_master_key_list(kcontext, keylist);
get_errmsg(kcontext, status);
return status;
@@ -1233,6 +1279,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->store_master_key == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->store_master_key(kcontext, keyfile, mname, kvno, key,
master_pwd);
get_errmsg(kcontext, status);
@@ -1252,6 +1300,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->store_master_key_list == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->store_master_key_list(kcontext, keyfile, mname, keylist,
master_pwd);
get_errmsg(kcontext, status);
@@ -1379,6 +1429,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->verify_master_key == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->verify_master_key(kcontext, mprinc, kvno, mkey);
get_errmsg(kcontext, status);
return status;
@@ -1457,6 +1509,12 @@
krb5_timestamp now;
krb5_boolean found = FALSE;
+ if (act_mkey_list == NULL) {
+ *act_kvno = 0;
+ *act_mkey = NULL;
+ return 0;
+ }
+
if ((retval = krb5_timeofday(context, &now)))
return (retval);
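Review bot: The new early return reports success with `*act_mkey = NULL` and `*act_kvno = 0`, so every caller must now check `*act_mkey` before using it; none of the callers are visible here. Either document it on the function, `/* With no master key list (e.g. a back end that manages its own master key) returns 0 with *act_mkey set to NULL. */`, or return an error so callers that dereference the key unconditionally fail loudly. The enclosing function starts outside this hunk.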
@@ -2261,6 +2319,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_create_policy == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_create_policy(kcontext, policy);
get_errmsg(kcontext, status);
return status;
@@ -2276,6 +2336,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_get_policy == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_get_policy(kcontext, name, policy, cnt);
get_errmsg(kcontext, status);
return status;
@@ -2290,6 +2352,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_put_policy == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_put_policy(kcontext, policy);
get_errmsg(kcontext, status);
return status;
@@ -2305,6 +2369,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_iter_policy == NULL)
+ return 0;
status = v->db_iter_policy(kcontext, match_entry, func, data);
get_errmsg(kcontext, status);
return status;
@@ -2319,6 +2385,8 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+ if (v->db_delete_policy == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
status = v->db_delete_policy(kcontext, policy);
get_errmsg(kcontext, status);
return status;
@@ -2331,7 +2399,7 @@
kdb_vftabl *v;
status = get_vftabl(kcontext, &v);
- if (status)
+ if (status || v->db_free_policy == NULL)
return;
v->db_free_policy(kcontext, policy);
get_errmsg(kcontext, status);
Modified: trunk/src/lib/kdb/libkdb5.exports
===================================================================
--- trunk/src/lib/kdb/libkdb5.exports 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/lib/kdb/libkdb5.exports 2009-10-27 14:24:01 UTC (rev 23073)
@@ -56,6 +56,8 @@
krb5_dbe_update_mkvno
krb5_dbe_update_mod_princ_data
krb5_dbe_update_tl_data
+krb5_dbekd_def_encrypt_key_data
+krb5_dbekd_def_decrypt_key_data
krb5_dbekd_decrypt_key_data
krb5_dbekd_encrypt_key_data
krb5_kt_kdb_ops
Modified: trunk/src/plugins/authdata/greet_server/greet_auth.c
===================================================================
--- trunk/src/plugins/authdata/greet_server/greet_auth.c 2009-10-27 12:32:59 UTC (rev 23072)
+++ trunk/src/plugins/authdata/greet_server/greet_auth.c 2009-10-27 14:24:01 UTC (rev 23073)
@@ -155,6 +155,7 @@
krb5_db_entry *tgs,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
Copied: trunk/src/plugins/kdb/hdb (from rev 23072, users/lhoward/heimmig/src/plugins/kdb/hdb)