Diffstat (limited to 'source4/heimdal/lib/hdb')
-rw-r--r-- | source4/heimdal/lib/hdb/db.c | 12 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/ext.c | 36 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb-protos.h | 10 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.asn1 | 17 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.c | 9 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/hdb.h | 10 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/keys.c | 5 | ||||
-rw-r--r-- | source4/heimdal/lib/hdb/keytab.c | 38 |
8 files changed, 93 insertions, 44 deletions
diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c index 4b4e6e673d..0bbf6f2210 100644 --- a/source4/heimdal/lib/hdb/db.c +++ b/source4/heimdal/lib/hdb/db.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: db.c,v 1.35 2005/12/13 11:52:55 lha Exp $"); +RCSID("$Id: db.c,v 1.36 2006/09/12 18:12:37 lha Exp $"); #if HAVE_DB1 @@ -47,7 +47,7 @@ static krb5_error_code DB_close(krb5_context context, HDB *db) { DB *d = (DB*)db->hdb_db; - d->close(d); + (*d->close)(d); return 0; } @@ -95,7 +95,7 @@ DB_seq(krb5_context context, HDB *db, code = db->hdb_lock(context, db, HDB_RLOCK); if(code == -1) return HDB_ERR_DB_INUSE; - code = d->seq(d, &key, &value, flag); + code = (*d->seq)(d, &key, &value, flag); db->hdb_unlock(context, db); /* XXX check value */ if(code == -1) return errno; @@ -172,7 +172,7 @@ DB__get(krb5_context context, HDB *db, krb5_data key, krb5_data *reply) code = db->hdb_lock(context, db, HDB_RLOCK); if(code) return code; - code = d->get(d, &k, &v, 0); + code = (*d->get)(d, &k, &v, 0); db->hdb_unlock(context, db); if(code < 0) return errno; @@ -198,7 +198,7 @@ DB__put(krb5_context context, HDB *db, int replace, code = db->hdb_lock(context, db, HDB_WLOCK); if(code) return code; - code = d->put(d, &k, &v, replace ? 0 : R_NOOVERWRITE); + code = (*d->put)(d, &k, &v, replace ? 0 : R_NOOVERWRITE); db->hdb_unlock(context, db); if(code < 0) return errno; @@ -218,7 +218,7 @@ DB__del(krb5_context context, HDB *db, krb5_data key) code = db->hdb_lock(context, db, HDB_WLOCK); if(code) return code; - code = d->del(d, &k, 0); + code = (*d->del)(d, &k, 0); db->hdb_unlock(context, db); if(code == 1) return HDB_ERR_NOENTRY; diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c index a8995e4138..141c63a8ac 100644 --- a/source4/heimdal/lib/hdb/ext.c +++ b/source4/heimdal/lib/hdb/ext.c 
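Review bot: In the `@@ -95` hunk `errno` is read only after `db->hdb_unlock(context, db)` has run, so when `(*d->seq)` fails the function can return whatever errno the unlock call (which presumably does its own locking syscalls) left behind instead of the database error; the `@@ -172` and `@@ -198` hunks have the same `code = …; db->hdb_unlock(…); if(code < 0) return errno;` shape. Capture it right after the call: `code = (*d->seq)(d, &key, &value, flag);` `int saved_errno = errno;` and return `saved_errno` in the error branch. Separately, in the `@@ -47` hunk the result of `(*d->close)(d)` is discarded and `DB_close` always returns 0, so a failed close is reported as success. The enclosing functions begin and end outside these hunks.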
@@ -34,7 +34,7 @@ #include "hdb_locl.h" #include <der.h> -RCSID("$Id: ext.c,v 1.2 2006/04/25 10:20:22 lha Exp $"); +RCSID("$Id: ext.c,v 1.6 2006/10/14 10:13:03 lha Exp $"); krb5_error_code hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) @@ -220,6 +220,20 @@ hdb_entry_get_pkinit_acl(const hdb_entry *entry, const HDB_Ext_PKINIT_acl **a) } krb5_error_code +hdb_entry_get_pkinit_hash(const hdb_entry *entry, const HDB_Ext_PKINIT_hash **a) +{ + const HDB_extension *ext; + + ext = hdb_find_extension(entry, choice_HDB_extension_data_pkinit_cert_hash); + if (ext) + *a = &ext->data.u.pkinit_cert_hash; + else + *a = NULL; + + return 0; +} + +krb5_error_code hdb_entry_get_pw_change_time(const hdb_entry *entry, time_t *t) { const HDB_extension *ext; @@ -278,7 +292,7 @@ hdb_entry_get_password(krb5_context context, HDB *db, ext->data.u.password.password.length, &pw); } else { - ret = copy_octet_string(&ext->data.u.password.password, &pw); + ret = der_copy_octet_string(&ext->data.u.password.password, &pw); } if (ret) { krb5_clear_error_string(context); @@ -293,7 +307,7 @@ hdb_entry_get_password(krb5_context context, HDB *db, *p = strdup(str); - free_octet_string(&pw); + der_free_octet_string(&pw); if (*p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; @@ -364,3 +378,19 @@ hdb_entry_clear_password(krb5_context context, hdb_entry *entry) return hdb_clear_extension(context, entry, choice_HDB_extension_data_password); } + +krb5_error_code +hdb_entry_get_ConstrainedDelegACL(const hdb_entry *entry, + const HDB_Ext_Constrained_delegation_acl **a) +{ + const HDB_extension *ext; + + ext = hdb_find_extension(entry, + choice_HDB_extension_data_allowed_to_delegate_to); + if (ext) + *a = &ext->data.u.allowed_to_delegate_to; + else + *a = NULL; + + return 0; +} diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h index 3cc7d2131a..de0545a037 100644 --- a/source4/heimdal/lib/hdb/hdb-protos.h 
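Review bot: In the `@@ -293` hunk `der_free_octet_string(&pw)` releases `pw` without clearing it, and `pw` appears to hold password material: the `@@ -278` hunk fills it from `ext->data.u.password.password`, either through the decrypting call or via `der_copy_octet_string`, and the line just above copies it out with `strdup`. That leaves the plaintext in freed heap memory; I'd clear it before the free, `memset(pw.data, 0, pw.length);` ahead of `der_free_octet_string(&pw);`, noting that a plain `memset` before free may be optimized away, so a project explicit-zero helper is preferable if one exists. The body of hdb_entry_get_password starts and ends outside these hunks.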
+++ b/source4/heimdal/lib/hdb/hdb-protos.h @@ -71,6 +71,11 @@ hdb_entry_clear_password ( krb5_context /*context*/, hdb_entry */*entry*/); +krb5_error_code +hdb_entry_get_ConstrainedDelegACL ( + const hdb_entry */*entry*/, + const HDB_Ext_Constrained_delegation_acl **/*a*/); + int hdb_entry_get_password ( krb5_context /*context*/, @@ -84,6 +89,11 @@ hdb_entry_get_pkinit_acl ( const HDB_Ext_PKINIT_acl **/*a*/); krb5_error_code +hdb_entry_get_pkinit_hash ( + const hdb_entry */*entry*/, + const HDB_Ext_PKINIT_hash **/*a*/); + +krb5_error_code hdb_entry_get_pw_change_time ( const hdb_entry */*entry*/, time_t */*t*/); diff --git a/source4/heimdal/lib/hdb/hdb.asn1 b/source4/heimdal/lib/hdb/hdb.asn1 index c8a1a34b4f..c8c276ff6e 100644 --- a/source4/heimdal/lib/hdb/hdb.asn1 +++ b/source4/heimdal/lib/hdb/hdb.asn1 @@ -1,4 +1,4 @@ --- $Id: hdb.asn1,v 1.13 2005/08/11 13:15:44 lha Exp $ +-- $Id: hdb.asn1,v 1.17 2006/08/24 10:45:19 lha Exp $ HDB DEFINITIONS ::= BEGIN @@ -41,7 +41,10 @@ HDBFlags ::= BIT STRING { require-hwauth(10), -- must use hwauth ok-as-delegate(11), -- as in TicketFlags user-to-user(12), -- may use user-to-user auth - immutable(13) -- may not be deleted + immutable(13), -- may not be deleted + trusted-for-delegation(14), -- Trusted to print forwardabled tickets + allow-kerberos4(15), -- Allow Kerberos 4 requests + allow-digest(16) -- Allow digest requests } GENERATION ::= SEQUENCE { @@ -52,10 +55,14 @@ GENERATION ::= SEQUENCE { HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE { subject[0] UTF8String, - issuer[1] UTF8String + issuer[1] UTF8String OPTIONAL, + anchor[2] UTF8String OPTIONAL } -HDB-Ext-PKINIT-certificate ::= SEQUENCE OF OCTET STRING +HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE { + digest-type[0] OBJECT IDENTIFIER, + digest[1] OCTET STRING +} HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal 
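Review bot: In the `@@ -52` hunk `issuer[1]` of HDB-Ext-PKINIT-acl changes from mandatory to OPTIONAL and `anchor[2]` is added as OPTIONAL, so the generated C fields become pointers that may be NULL, and every consumer of the ACL must now check them before dereferencing; the hunk does not say what an absent issuer or anchor means for matching (any-issuer versus no-match). I'd document that on the fields, e.g. `-- issuer/anchor absent: <document the intended matching semantics>`, so the KDC-side check cannot silently widen. The `@@ -41` hunk comment `-- Trusted to print forwardabled tickets` has a typo (`forwardable`).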
@@ -80,7 +87,7 @@ HDB-extension ::= SEQUENCE { -- be rejected data[1] CHOICE { pkinit-acl[0] HDB-Ext-PKINIT-acl, - pkinit-cert[1] HDB-Ext-PKINIT-certificate, + pkinit-cert-hash[1] HDB-Ext-PKINIT-hash, allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl, -- referral-info[3] HDB-Ext-Referrals, lm-owf[4] HDB-Ext-Lan-Manager-OWF, diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c index 555a0d53f6..d1fa4ffd6a 100644 --- a/source4/heimdal/lib/hdb/hdb.c +++ b/source4/heimdal/lib/hdb/hdb.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: hdb.c,v 1.61 2006/04/24 20:57:58 lha Exp $"); +RCSID("$Id: hdb.c,v 1.62 2006/10/06 16:47:22 lha Exp $"); #ifdef HAVE_DLFCN_H #include <dlfcn.h> @@ -58,6 +58,9 @@ static struct hdb_method methods[] = { #ifdef _SAMBA_BUILD_ {"ldb:", hdb_ldb_create}, #endif +#ifdef HAVE_LDB /* Used for integrated samba build */ + {"ldb:", hdb_ldb_create}, +#endif {NULL, NULL} }; @@ -262,7 +265,7 @@ find_dynamic_method (krb5_context context, if (prefix == NULL) krb5_errx(context, 1, "out of memory"); - if (asprintf(&path, HDBDIR "/hdb_%s.so", prefix) == -1) + if (asprintf(&path, LIBDIR "/hdb_%s.so", prefix) == -1) krb5_errx(context, 1, "out of memory"); #ifndef RTLD_NOW @@ -398,6 +401,6 @@ hdb_create(krb5_context context, HDB **db, const char *filename) h = find_dynamic_method (context, filename, &residual); #endif if (h == NULL) - krb5_errx(context, 1, "No database support! (hdb_create(%s))", filename); + krb5_errx(context, 1, "No database support for %s", filename); return (*h->create)(context, db, residual); } diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h index d14eea7ddc..69c91d12ad 100644 --- a/source4/heimdal/lib/hdb/hdb.h +++ b/source4/heimdal/lib/hdb/hdb.h 
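Review bot: The `@@ -80` hunk keeps context tag `[1]` in the `data` CHOICE but changes its type from HDB-Ext-PKINIT-certificate (SEQUENCE OF OCTET STRING) to HDB-Ext-PKINIT-hash (SEQUENCE OF SEQUENCE { OBJECT IDENTIFIER, OCTET STRING }), so any existing entry encoded with the old `pkinit-cert` extension will now fail to decode or, if the inner encoding happens to parse, be misread as a hash list. If old entries can exist, the safer choice is a fresh tag number and a comment reserving `[1]`, e.g. `-- [1] was pkinit-cert (HDB-Ext-PKINIT-certificate); do not reuse`.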
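Review bot: In the `@@ -58` hunk the new `#ifdef HAVE_LDB` entry duplicates the `_SAMBA_BUILD_` one just above it, so a build that defines both registers `{"ldb:", hdb_ldb_create}` twice in `methods[]`; presumably the first match wins, so it is harmless, but it is confusing. I'd merge the two guards: `#if defined(_SAMBA_BUILD_) || defined(HAVE_LDB) /* integrated samba build */`. The `@@ -262` hunk now builds the dlopen path from `LIBDIR` and the user-supplied `prefix`; the validation of `prefix` (if any) is outside the hunk and worth confirming, since the path is handed to dlopen.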
@@ -66,17 +66,17 @@ typedef struct hdb_entry_ex { struct hdb_entry_ex *, METHOD_DATA* pa_data_seq, time_t authtime, - EncryptionKey *tgtkey, - EncryptionKey *sessionkey, + const EncryptionKey *tgtkey, + const EncryptionKey *sessionkey, AuthorizationData **out); krb5_error_code (*authz_data_tgs_req)(krb5_context, struct hdb_entry_ex *, krb5_principal client, AuthorizationData *in, time_t authtime, - EncryptionKey *tgtkey, - EncryptionKey *servicekey, - EncryptionKey *sessionkey, + const EncryptionKey *tgtkey, + const EncryptionKey *servicekey, + const EncryptionKey *sessionkey, AuthorizationData **out); } hdb_entry_ex; diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c index d7c2f2c89b..8d4810f5c9 100644 --- a/source4/heimdal/lib/hdb/keys.c +++ b/source4/heimdal/lib/hdb/keys.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$Id: keys.c,v 1.5 2006/04/25 08:09:38 lha Exp $"); +RCSID("$Id: keys.c,v 1.6 2006/10/22 09:40:12 lha Exp $"); /* * free all the memory used by (len, keys) @@ -334,6 +334,9 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, *ret_key_set = key_set; out: + if (ktypes != default_keytypes) + krb5_config_free_strings(ktypes); + if (ret) { krb5_warn(context, ret, "failed to parse the [kadmin]default_keys values"); diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c index c87b8eca2c..8f473a68a4 100644 --- a/source4/heimdal/lib/hdb/keytab.c +++ b/source4/heimdal/lib/hdb/keytab.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,7 +35,7 @@ /* keytab backend for HDB databases */ -RCSID("$Id: keytab.c,v 1.11 2006/04/27 11:01:30 lha Exp $"); +RCSID("$Id: keytab.c,v 1.16 2006/10/09 12:36:40 lha Exp $"); struct hdb_data { char *dbname; 
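Review bot: In the keys.c `@@ -334` hunk the new `if (ktypes != default_keytypes) krb5_config_free_strings(ktypes);` sits under the `out:` label, so it runs on every error path; if any `goto out` can happen before `ktypes` is assigned, this compares and possibly frees an uninitialized pointer. The declaration and the early exits are outside the hunk, so please confirm `ktypes` is initialized at its declaration (e.g. `char **ktypes = NULL;`) and that `krb5_config_free_strings` tolerates NULL; otherwise guard it as `if (ktypes != NULL && ktypes != default_keytypes)`.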
@@ -59,7 +59,7 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id) return ENOMEM; } db = name; - mkey = strrchr(name, ':'); + mkey = strchr(name, ':'); if(mkey == NULL || mkey[1] == '\0') { if(*name == '\0') d->dbname = NULL; @@ -201,6 +201,8 @@ hdb_get_entry(krb5_context context, const char *dbname = d->dbname; const char *mkey = d->mkey; + memset(&ent, 0, sizeof(ent)); + if (dbname == NULL) find_db (context, &dbname, &mkey, principal); @@ -218,26 +220,21 @@ hdb_get_entry(krb5_context context, (*db->hdb_destroy)(context, db); return ret; } - ret = (*db->hdb_fetch)(context, db, principal, HDB_F_DECRYPT|HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &ent); - + ret = (*db->hdb_fetch)(context, db, principal, + HDB_F_DECRYPT| + HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, + &ent); - /* Shutdown the hdb on error */ if(ret == HDB_ERR_NOENTRY) { - (*db->hdb_close)(context, db); - (*db->hdb_destroy)(context, db); - return KRB5_KT_NOTFOUND; - } else if (ret) { - (*db->hdb_close)(context, db); - (*db->hdb_destroy)(context, db); - return ret; - } + ret = KRB5_KT_NOTFOUND; + goto out; + }else if(ret) + goto out; + if(kvno && ent.entry.kvno != kvno) { - /* The order here matters, we must free these in this order - * due to hdb-ldb and Samba4's talloc */ hdb_free_entry(context, &ent); - (*db->hdb_close)(context, db); - (*db->hdb_destroy)(context, db); - return KRB5_KT_NOTFOUND; + ret = KRB5_KT_NOTFOUND; + goto out; } if(enctype == 0) if(ent.entry.keys.len > 0) @@ -254,9 +251,8 @@ hdb_get_entry(krb5_context context, break; } } - /* The order here matters, we must free these in this order - * due to hdb-ldb and Samba4's talloc */ hdb_free_entry(context, &ent); +out: (*db->hdb_close)(context, db); (*db->hdb_destroy)(context, db); return ret; |
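Review bot: The `@@ -218` hunk removes the comment stating that `hdb_free_entry` must run before `hdb_close`/`hdb_destroy` (because of hdb-ldb and Samba4's talloc), yet the restructured flow still relies on exactly that ordering: every path reaches `out:` either after `hdb_free_entry(context, &ent)` or, on the fetch-failure paths, with `ent` still as zeroed by the `@@ -201` hunk, which is only safe if `hdb_fetch` leaves `ent` untouched on failure (worth confirming). I'd restore the constraint above the label in the `@@ -254` hunk: `/* ent must be freed before hdb_close/hdb_destroy: hdb-ldb allocates it under the db's talloc context */`. Also `}else if(ret)` should follow the file's brace style, `} else if (ret) {` with a closing brace.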