authorAndrew Bartlett <abartlet@samba.org>2009-07-16 09:53:14 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-07-16 11:31:36 +1000
commite25325539a86912ce620875ef07beff5bcde6060 (patch)
tree26bcb5125a5e8a698f35995f0dde892a8c0846d6 /source4/heimdal/lib/hdb
parent05bec77e00cc0f974d8521f781dce9dcff897f76 (diff)
s4:heimdal: import lorikeet-heimdal-200907152325 (commit 2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
Diffstat (limited to 'source4/heimdal/lib/hdb')
-rw-r--r--source4/heimdal/lib/hdb/db.c3
-rw-r--r--source4/heimdal/lib/hdb/dbinfo.c2
-rw-r--r--source4/heimdal/lib/hdb/ext.c2
-rw-r--r--source4/heimdal/lib/hdb/hdb.asn14
-rw-r--r--source4/heimdal/lib/hdb/hdb.c1
-rw-r--r--source4/heimdal/lib/hdb/hdb.h36
-rw-r--r--source4/heimdal/lib/hdb/keys.c2
-rw-r--r--source4/heimdal/lib/hdb/keytab.c87
-rw-r--r--source4/heimdal/lib/hdb/mkey.c2
-rw-r--r--source4/heimdal/lib/hdb/ndbm.c3
10 files changed, 79 insertions, 63 deletions
diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c
index 556833d1c4..9de0a04a1f 100644
--- a/source4/heimdal/lib/hdb/db.c
+++ b/source4/heimdal/lib/hdb/db.c
@@ -33,8 +33,6 @@
#include "hdb_locl.h"
-RCSID("$Id$");
-
#if HAVE_DB1
#if defined(HAVE_DB_185_H)
@@ -317,6 +315,7 @@ hdb_db_create(krb5_context context, HDB **db,
}
(*db)->hdb_master_key_set = 0;
(*db)->hdb_openp = 0;
+ (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
(*db)->hdb_open = DB_open;
(*db)->hdb_close = DB_close;
(*db)->hdb_fetch = _hdb_fetch;
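Review bot: The new hdb_capability_flags is assigned here, but the three function pointers this import appends to struct HDB (hdb_password, hdb_auth_status, hdb_check_constrained_delegation) are not assigned anywhere in this hunk, so they are indeterminate unless *db is allocated with calloc or otherwise zeroed — the allocation is in the part of hdb_db_create that starts before this hunk, so I cannot confirm it from here. A KDC that dispatches through an unset pointer calls garbage. Make the absence explicit next to the other assignments: `(*db)->hdb_password = NULL;`, `(*db)->hdb_auth_status = NULL;`, `(*db)->hdb_check_constrained_delegation = NULL;`, with a comment `/* no password/lockout/delegation hooks; callers must NULL-check these */`.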
diff --git a/source4/heimdal/lib/hdb/dbinfo.c b/source4/heimdal/lib/hdb/dbinfo.c
index 7e2961c614..a399ab0a5c 100644
--- a/source4/heimdal/lib/hdb/dbinfo.c
+++ b/source4/heimdal/lib/hdb/dbinfo.c
@@ -33,8 +33,6 @@
#include "hdb_locl.h"
-RCSID("$Id$");
-
struct hdb_dbinfo {
char *label;
char *realm;
diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c
index 9053fd6633..faf0b6bdf2 100644
--- a/source4/heimdal/lib/hdb/ext.c
+++ b/source4/heimdal/lib/hdb/ext.c
@@ -34,8 +34,6 @@
#include "hdb_locl.h"
#include <der.h>
-RCSID("$Id$");
-
krb5_error_code
hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
{
diff --git a/source4/heimdal/lib/hdb/hdb.asn1 b/source4/heimdal/lib/hdb/hdb.asn1
index c2abd4af73..a72851c9f2 100644
--- a/source4/heimdal/lib/hdb/hdb.asn1
+++ b/source4/heimdal/lib/hdb/hdb.asn1
@@ -45,7 +45,9 @@ HDBFlags ::= BIT STRING {
immutable(13), -- may not be deleted
trusted-for-delegation(14), -- Trusted to print forwardabled tickets
allow-kerberos4(15), -- Allow Kerberos 4 requests
- allow-digest(16) -- Allow digest requests
+ allow-digest(16), -- Allow digest requests
+ locked-out(17) -- Account is locked out,
+ -- authentication will be denied
}
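Review bot: The comment on the new locked-out(17) flag promises that "authentication will be denied", but nothing in the hdb changes of this commit enforces that; the hdb.h comment for hdb_auth_status says the backend only sets the flag, so denial has to come from the KDC checking it. State the contract rather than the outcome, e.g. `locked-out(17) -- Account is locked out (set by the backend's auth feedback); the KDC must reject requests for this entry`. A flag stored in the database has no effect on a KDC build that does not test it, so the enforcement and this flag should be reviewed together.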
GENERATION ::= SEQUENCE {
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index e55b0bed03..9795f8b255 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -33,7 +33,6 @@
#include "krb5_locl.h"
#include "hdb_locl.h"
-RCSID("$Id$");
#ifdef HAVE_DLFCN_H
#include <dlfcn.h>
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index a5e6514e6c..f490dbf2f0 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -54,7 +54,15 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */
#define HDB_F_CANON 32 /* want canonicalition */
+/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
+#define HDB_CAP_F_HANDLE_PASSWORDS 2
+#define HDB_CAP_F_PASSWORD_UPDATE_KEYS 4
+
+/* auth status values */
+#define HDB_AUTH_SUCCESS 0
+#define HDB_AUTH_WRONG_PASSWORD 1
+#define HDB_AUTH_INVALID_SIGNATURE 2
/* key usage for master key */
#define HDB_KU_MKEY 0x484442
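Review bot: The HDB_AUTH_* values are handed to hdb_auth_status (added later in this file) as a bare `int`, so a backend cannot tell from the prototype which values are valid and a caller passing anything else compiles silently. Either make them `enum hdb_auth_status { HDB_AUTH_SUCCESS = 0, HDB_AUTH_WRONG_PASSWORD = 1, HDB_AUTH_INVALID_SIGNATURE = 2 };` and type the parameter, or at least say so in the comment: `/* auth status values: the only values passed as the int argument of HDB::hdb_auth_status */`. The neighbouring group is bit flags (1, 2, 4) while these are an enumeration (0, 1, 2); a comment on the first group such as `/* bit flags OR'ed into HDB::hdb_capability_flags */` would keep the two from being confused.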
@@ -184,6 +192,34 @@ typedef struct HDB{
* point for the module.
*/
krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
+ /**
+ * Change password.
+ *
+ * Will update keys for the entry when given password. The new
+ * keys must be written into the entry and and will then later be
+ * ->hdb_store() into the database. The backend will still perform
+ * all other operations, increasing the kvno, and update
+ * modification timestamp.
+ *
+ * The backen need to call _kadm5_set_keys() and perform password
+ * quality checks.
+ */
+ krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);
+
+ /**
+ * Auth feedback
+ *
+ * This is a feedback call that allows backends that provides
+ * lockout functionality to register failure and/or successes.
+ *
+ * In case the entry is locked out, the backend should set the
+ * hdb_entry.flags.locked-out flag.
+ */
+ krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int);
+ /**
+ * Check is delegation is allowed.
+ */
+ krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
}HDB;
#define HDB_INTERFACE_VERSION 5
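Review bot: Three function pointers are appended to struct HDB, yet HDB_INTERFACE_VERSION stays at 5 on the context line closing this hunk. If that number is what the dlopen-based loader in hdb.c uses to accept a backend module (I cannot see the loader from here), a module built against the previous layout still loads, allocates the shorter struct, and the KDC then reads hdb_password/hdb_auth_status/hdb_check_constrained_delegation past the end of that allocation and may call through whatever it finds; bump it (`#define HDB_INTERFACE_VERSION 6`). The db.c and ndbm.c hunks in this commit do not set the new pointers, so the doc comments should say that backends may leave them NULL and callers must test before dispatching. The comments also need `backen` → `backend`, `and and` → `and`, `Check is delegation is allowed` → `Check if constrained delegation to the given target principal is allowed`, and the unnamed `int` parameters of hdb_password and hdb_auth_status should be named (the latter takes one of the HDB_AUTH_* values).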
diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c
index 50fe7d7fda..63f254d002 100644
--- a/source4/heimdal/lib/hdb/keys.c
+++ b/source4/heimdal/lib/hdb/keys.c
@@ -34,8 +34,6 @@
#include "hdb_locl.h"
-RCSID("$Id$");
-
/*
* free all the memory used by (len, keys)
*/
diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c
index 97989a9764..9b36a268cf 100644
--- a/source4/heimdal/lib/hdb/keytab.c
+++ b/source4/heimdal/lib/hdb/keytab.c
@@ -35,8 +35,6 @@
/* keytab backend for HDB databases */
-RCSID("$Id$");
-
struct hdb_data {
char *dbname;
char *mkey;
@@ -123,61 +121,43 @@ hdb_get_name(krb5_context context,
return 0;
}
-static void
-set_config (krb5_context context,
- const krb5_config_binding *binding,
- const char **dbname,
- const char **mkey)
-{
- *dbname = krb5_config_get_string(context, binding, "dbname", NULL);
- *mkey = krb5_config_get_string(context, binding, "mkey_file", NULL);
-}
-
/*
* try to figure out the database (`dbname') and master-key (`mkey')
* that should be used for `principal'.
*/
-static void
+static krb5_error_code
find_db (krb5_context context,
- const char **dbname,
- const char **mkey,
+ char **dbname,
+ char **mkey,
krb5_const_principal principal)
{
- const krb5_config_binding *top_bind = NULL;
- const krb5_config_binding *default_binding = NULL;
- const krb5_config_binding *db;
krb5_const_realm realm = krb5_principal_get_realm(context, principal);
+ krb5_error_code ret;
+ struct hdb_dbinfo *head, *dbinfo = NULL;
*dbname = *mkey = NULL;
- while ((db =
- krb5_config_get_next(context,
- NULL,
- &top_bind,
- krb5_config_list,
- "kdc",
- "database",
- NULL)) != NULL) {
- const char *p;
-
- p = krb5_config_get_string (context, db, "realm", NULL);
- if (p == NULL) {
- if(default_binding) {
- krb5_warnx(context, "WARNING: more than one realm-less "
- "database specification");
- krb5_warnx(context, "WARNING: using the first encountered");
- } else
- default_binding = db;
- } else if (strcmp (realm, p) == 0) {
- set_config (context, db, dbname, mkey);
+ ret = hdb_get_dbinfo(context, &head);
+ if (ret)
+ return ret;
+
+ while ((dbinfo = hdb_dbinfo_get_next(head, dbinfo)) != NULL) {
+ const char *p = hdb_dbinfo_get_realm(context, dbinfo);
+ if (p && strcmp (realm, p) == 0) {
+ p = hdb_dbinfo_get_dbname(context, dbinfo);
+ if (p)
+ *dbname = strdup(p);
+ p = hdb_dbinfo_get_mkey_file(context, dbinfo);
+ if (p)
+ *mkey = strdup(p);
break;
}
}
- if (*dbname == NULL && default_binding != NULL)
- set_config (context, default_binding, dbname, mkey);
+ hdb_free_dbinfo(context, &head);
if (*dbname == NULL)
- *dbname = HDB_DEFAULT_DB;
+ *dbname = strdup(HDB_DEFAULT_DB);
+ return 0;
}
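Review bot: None of the three strdup() calls in the rewritten find_db are checked, so on allocation failure the function returns 0 with *dbname (or *mkey) NULL and hdb_get_entry goes on to hdb_create with a NULL database name; the fallback `*dbname = strdup(HDB_DEFAULT_DB)` has the same gap. Returning ENOMEM and clearing both outputs on failure keeps the caller's `free(fdbname); free(fmkey);` path correct. Separately, the old loop fell back to a realm-less `[kdc] database` stanza when no realm matched, whereas the new loop only takes an exact realm match and otherwise uses HDB_DEFAULT_DB with no master-key file — if hdb_get_dbinfo does not itself fill in a default realm for such stanzas, keytab lookups for other realms silently lose their mkey_file, which is worth confirming.
```c
/* … unchanged: realm lookup, hdb_get_dbinfo() and its error return … */
    while ((dbinfo = hdb_dbinfo_get_next(head, dbinfo)) != NULL) {
        const char *p = hdb_dbinfo_get_realm(context, dbinfo);
        if (p == NULL || strcmp(realm, p) != 0)
            continue;
        p = hdb_dbinfo_get_dbname(context, dbinfo);
        if (p && (*dbname = strdup(p)) == NULL)
            ret = ENOMEM;
        p = hdb_dbinfo_get_mkey_file(context, dbinfo);
        if (ret == 0 && p && (*mkey = strdup(p)) == NULL)
            ret = ENOMEM;
        break;
    }
    hdb_free_dbinfo(context, &head);
    if (ret == 0 && *dbname == NULL && (*dbname = strdup(HDB_DEFAULT_DB)) == NULL)
        ret = ENOMEM;
    if (ret) {
        /* never hand back a half-filled result: the caller frees both */
        free(*dbname);
        free(*mkey);
        *dbname = *mkey = NULL;
    }
    return ret;
```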
/*
@@ -196,29 +176,35 @@ hdb_get_entry(krb5_context context,
hdb_entry_ex ent;
krb5_error_code ret;
struct hdb_data *d = id->data;
- int i;
- HDB *db;
const char *dbname = d->dbname;
const char *mkey = d->mkey;
+ char *fdbname = NULL, *fmkey = NULL;
+ HDB *db;
+ int i;
memset(&ent, 0, sizeof(ent));
- if (dbname == NULL)
- find_db (context, &dbname, &mkey, principal);
+ if (dbname == NULL) {
+ ret = find_db(context, &fdbname, &fmkey, principal);
+ if (ret)
+ return ret;
+ dbname = fdbname;
+ mkey = fmkey;
+ }
ret = hdb_create (context, &db, dbname);
if (ret)
- return ret;
+ goto out2;
ret = hdb_set_master_keyfile (context, db, mkey);
if (ret) {
(*db->hdb_destroy)(context, db);
- return ret;
+ goto out2;
}
ret = (*db->hdb_open)(context, db, O_RDONLY, 0);
if (ret) {
(*db->hdb_destroy)(context, db);
- return ret;
+ goto out2;
}
ret = (*db->hdb_fetch)(context, db, principal,
HDB_F_DECRYPT|
@@ -252,9 +238,12 @@ hdb_get_entry(krb5_context context,
}
}
hdb_free_entry(context, &ent);
-out:
+ out:
(*db->hdb_close)(context, db);
(*db->hdb_destroy)(context, db);
+ out2:
+ free(fdbname);
+ free(fmkey);
return ret;
}
diff --git a/source4/heimdal/lib/hdb/mkey.c b/source4/heimdal/lib/hdb/mkey.c
index 1520c4f7e9..35323cf100 100644
--- a/source4/heimdal/lib/hdb/mkey.c
+++ b/source4/heimdal/lib/hdb/mkey.c
@@ -36,8 +36,6 @@
#define O_BINARY 0
#endif
-RCSID("$Id$");
-
struct hdb_master_key_data {
krb5_keytab_entry keytab;
krb5_crypto crypto;
diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c
index 1e9df81652..d97a98ed6b 100644
--- a/source4/heimdal/lib/hdb/ndbm.c
+++ b/source4/heimdal/lib/hdb/ndbm.c
@@ -33,8 +33,6 @@
#include "hdb_locl.h"
-RCSID("$Id$");
-
#if HAVE_NDBM
#if defined(HAVE_GDBM_NDBM_H)
@@ -348,6 +346,7 @@ hdb_ndbm_create(krb5_context context, HDB **db,
}
(*db)->hdb_master_key_set = 0;
(*db)->hdb_openp = 0;
+ (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
(*db)->hdb_open = NDBM_open;
(*db)->hdb_close = NDBM_close;
(*db)->hdb_fetch = _hdb_fetch;