Changeset 745 for trunk/server/source4/heimdal/lib/hdb

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source4/heimdal/lib/hdb/db.c (modified) (1 diff)
• source4/heimdal/lib/hdb/dbinfo.c (modified) (1 diff)
• source4/heimdal/lib/hdb/ext.c (modified) (2 diffs)
• source4/heimdal/lib/hdb/hdb-keytab.c (copied) (copied from vendor/current/source4/heimdal/lib/hdb/hdb-keytab.c )
• source4/heimdal/lib/hdb/hdb.c (modified) (5 diffs)
• source4/heimdal/lib/hdb/hdb.h (modified) (9 diffs)
• source4/heimdal/lib/hdb/hdb_err.et (modified) (1 diff)
• source4/heimdal/lib/hdb/keytab.c (modified) (11 diffs)
• source4/heimdal/lib/hdb/mkey.c (modified) (5 diffs)
• source4/heimdal/lib/hdb/ndbm.c (modified) (8 diffs)

trunk/server/source4/heimdal/lib/hdb/db.c

@@ -319 +319 @@
     (*db)->hdb_open = DB_open;
     (*db)->hdb_close = DB_close;
-    (*db)->hdb_fetch = _hdb_fetch;
+    (*db)->hdb_fetch_kvno = _hdb_fetch_kvno;
     (*db)->hdb_store = _hdb_store;
     (*db)->hdb_remove = _hdb_remove;

trunk/server/source4/heimdal/lib/hdb/dbinfo.c

@@ -103 +103 @@
     databases = NULL;
 
-    db_binding = krb5_config_get(context, NULL, krb5_config_list,
-                                 "kdc",
-                                 "database",
-                                 NULL);
+    db_binding = krb5_config_get_list(context, NULL,
+                                      "kdc",
+                                      "database",
+                                      NULL);
     if (db_binding) {
 

trunk/server/source4/heimdal/lib/hdb/ext.c

@@ -317 +317 @@
         str = pw.data;
         if (str[pw.length - 1] != '\0') {
-            krb5_set_error_message(context, EINVAL, "password malformated");
+            krb5_set_error_message(context, EINVAL, "malformed password");
             return EINVAL;
         }
@@ -333 +333 @@
     ret = krb5_unparse_name(context, entry->principal, &str);
     if (ret == 0) {
-        krb5_set_error_message(context, ENOENT, "no password attributefor %s", str);
+        krb5_set_error_message(context, ENOENT,
+                               "no password attribute for %s", str);
         free(str);
     } else

trunk/server/source4/heimdal/lib/hdb/hdb.c

@@ -3 +3 @@
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -60 +62 @@
  */
 
-
+const int hdb_interface_version = HDB_INTERFACE_VERSION;
 
 static struct hdb_method methods[] = {
@@ -66 +68 @@
     { HDB_INTERFACE_VERSION, "db:",     hdb_db_create},
 #endif
+#if HAVE_DB1
+    { HDB_INTERFACE_VERSION, "mit-db:", hdb_mdb_create},
+#endif
 #if HAVE_NDBM
     { HDB_INTERFACE_VERSION, "ndbm:",   hdb_ndbm_create},
 #endif
+    { HDB_INTERFACE_VERSION, "keytab:", hdb_keytab_create},
 #if defined(OPENLDAP) && !defined(OPENLDAP_MODULE)
     { HDB_INTERFACE_VERSION, "ldap:",   hdb_ldap_create},
@@ -313 +319 @@
         krb5_errx(context, 1, "out of memory");
         
-    mso = dlsym(dl, symbol);
+    mso = (struct hdb_so_method *) dlsym(dl, symbol);
     if (mso == NULL) {
         krb5_warnx(context, "error finding symbol %s in %s: %s\n",
@@ -410 +416 @@
     *list = buf;
     return 0;
+}
+
+krb5_error_code
+_hdb_keytab2hdb_entry(krb5_context context,
+                      const krb5_keytab_entry *ktentry,
+                      hdb_entry_ex *entry)
+{
+    entry->entry.kvno = ktentry->vno;
+    entry->entry.created_by.time = ktentry->timestamp;
+
+    entry->entry.keys.val = calloc(1, sizeof(entry->entry.keys.val[0]));
+    if (entry->entry.keys.val == NULL)
+        return ENOMEM;
+    entry->entry.keys.len = 1;
+
+    entry->entry.keys.val[0].mkvno = NULL;
+    entry->entry.keys.val[0].salt = NULL;
+    
+    return krb5_copy_keyblock_contents(context,
+                                       &ktentry->keyblock,
+                                       &entry->entry.keys.val[0].key);
 }
 

trunk/server/source4/heimdal/lib/hdb/hdb.h

@@ -37 +37 @@
 #define __HDB_H__
 
+#include <krb5.h>
+
 #include <hdb_err.h>
 
@@ -54 +56 @@
 #define HDB_F_GET_ANY           28      /* fetch any of client,server,krbtgt */
 #define HDB_F_CANON             32      /* want canonicalition */
+#define HDB_F_ADMIN_DATA        64      /* want data that kdc don't use  */
+#define HDB_F_KVNO_SPECIFIED    128     /* we want a particular KVNO */
 
 /* hdb_capability_flags */
@@ -69 +73 @@
 
 typedef struct hdb_master_key_data *hdb_master_key;
+
+/**
+ * hdb_entry_ex is a wrapper structure around the hdb_entry structure
+ * that allows backends to keep a pointer to the backing store, ie in
+ * ->hdb_fetch_kvno(), so that we the kadmin/kpasswd backend gets around to
+ * ->hdb_store(), the backend doesn't need to lookup the entry again.
+ */
 
 typedef struct hdb_entry_ex {
@@ -120 +131 @@
      * Fetch an entry from the backend, flags are what type of entry
      * should be fetch: client, server, krbtgt.
-     */
-    krb5_error_code (*hdb_fetch)(krb5_context, struct HDB*,
-                                 krb5_const_principal, unsigned,
-                                 hdb_entry_ex*);
+     * knvo (if specified and flags HDB_F_KVNO_SPECIFIED set) is the kvno to get
+     */
+    krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*,
+                                      krb5_const_principal, unsigned, krb5_kvno,
+                                      hdb_entry_ex*);
     /**
      * Store an entry to database
@@ -158 +170 @@
     /**
      * Rename the data base.
+     *
+     * Assume that the database is not hdb_open'ed and not locked.
      */
     krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*);
@@ -194 +208 @@
     krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
     /**
+     * Get the list of realms this backend handles.
+     * This call is optional to support. The returned realms are used
+     * for announcing the realms over bonjour. Free returned array
+     * with krb5_free_host_realm().
+     */
+    krb5_error_code (*hdb_get_realms)(krb5_context, struct HDB *, krb5_realm **);
+    /**
      * Change password.
      *
      * Will update keys for the entry when given password.  The new
-     * keys must be written into the entry and and will then later be
+     * keys must be written into the entry and will then later be
      * ->hdb_store() into the database. The backend will still perform
      * all other operations, increasing the kvno, and update
      * modification timestamp.
      * 
-     * The backen need to call _kadm5_set_keys() and perform password
+     * The backend needs to call _kadm5_set_keys() and perform password
      * quality checks.
      */
@@ -218 +239 @@
     krb5_error_code (*hdb_auth_status)(krb5_context, struct HDB *, hdb_entry_ex *, int);
     /**
-     * Check is delegation is allowed.
+     * Check if delegation is allowed.
      */
     krb5_error_code (*hdb_check_constrained_delegation)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
@@ -226 +247 @@
      */
     krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
+
+    /**
+     * Check if s4u2self is allowed from this client to this server
+     */
+    krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
 }HDB;
 
-#define HDB_INTERFACE_VERSION   6
+#define HDB_INTERFACE_VERSION   7
 
 struct hdb_so_method {
@@ -246 +272 @@
 };
 
+extern const int hdb_interface_version;
+
 #include <hdb-protos.h>
 

trunk/server/source4/heimdal/lib/hdb/hdb_err.et

@@ -25 +25 @@
 error_code NO_MKEY,             "No correct master key"
 error_code MANDATORY_OPTION,    "Entry contains unknown mandatory extension"
+error_code NO_WRITE_SUPPORT,    "HDB backend doesn't contain write support"
+error_code NOT_FOUND_HERE,      "The secret for this entry is not replicated to this database"
 
 end

trunk/server/source4/heimdal/lib/hdb/keytab.c

@@ -50 +50 @@
 /*
  * the format for HDB keytabs is:
- * HDB:[database:file:mkey]
+ * HDB:[HDBFORMAT:database-specific-data[:mkey=mkey-file]]
  */
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 hdb_resolve(krb5_context context, const char *name, krb5_keytab id)
 {
@@ -65 +65 @@
     }
     db = name;
-    mkey = strchr(name, ':');
-    if(mkey == NULL || mkey[1] == '\0') {
+    mkey = strstr(name, ":mkey=");
+    if(mkey == NULL || mkey[5] == '\0') {
         if(*name == '\0')
             d->dbname = NULL;
@@ -79 +79 @@
         d->mkey = NULL;
     } else {
-        if((mkey - db) == 0) {
-            d->dbname = NULL;
-        } else {
-            d->dbname = malloc(mkey - db + 1);
-            if(d->dbname == NULL) {
-                free(d);
-                krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
-                return ENOMEM;
-            }
-            memmove(d->dbname, db, mkey - db);
-            d->dbname[mkey - db] = '\0';
+        d->dbname = malloc(mkey - db + 1);
+        if(d->dbname == NULL) {
+            free(d);
+            krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+            return ENOMEM;
         }
-        d->mkey = strdup(mkey + 1);
+        memmove(d->dbname, db, mkey - db);
+        d->dbname[mkey - db] = '\0';
+
+        d->mkey = strdup(mkey + 5);
         if(d->mkey == NULL) {
             free(d->dbname);
@@ -103 +100 @@
 }
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 hdb_close(krb5_context context, krb5_keytab id)
 {
@@ -114 +111 @@
 }
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 hdb_get_name(krb5_context context,
              krb5_keytab id,
@@ -173 +170 @@
  */
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 hdb_get_entry(krb5_context context,
               krb5_keytab id,
@@ -214 +211 @@
         goto out2;
     }
-    ret = (*db->hdb_fetch)(context, db, principal,
-                           HDB_F_DECRYPT|
-                           HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
-                           &ent);
+    
+    ret = (*db->hdb_fetch_kvno)(context, db, principal,
+                                HDB_F_DECRYPT|HDB_F_KVNO_SPECIFIED|
+                                HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+                                kvno, &ent);
 
     if(ret == HDB_ERR_NOENTRY) {
@@ -260 +258 @@
  */
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 hdb_start_seq_get(krb5_context context,
                   krb5_keytab id,
@@ -313 +311 @@
 }
 
-static int
+static int KRB5_CALLCONV
 hdb_next_entry(krb5_context context,
                krb5_keytab id,
@@ -395 +393 @@
 
 
-static int
+static int KRB5_CALLCONV
 hdb_end_seq_get(krb5_context context,
                 krb5_keytab id,
@@ -402 +400 @@
     struct hdb_cursor *c = cursor->data;
 
+    if (!c->next)
+        hdb_free_entry(context, &c->hdb_entry);
+
     (c->db->hdb_close)(context, c->db);
     (c->db->hdb_destroy)(context, c->db);
-
-    if (!c->next)
-        hdb_free_entry(context, &c->hdb_entry);
 
     free(c);

trunk/server/source4/heimdal/lib/hdb/mkey.c

@@ -147 +147 @@
 static krb5_error_code
 read_master_mit(krb5_context context, const char *filename,
-                hdb_master_key *mkey)
+                int byteorder, hdb_master_key *mkey)
 {
     int fd;
@@ -167 +167 @@
         return errno;
     }
-    krb5_storage_set_flags(sp, KRB5_STORAGE_HOST_BYTEORDER);
+    krb5_storage_set_flags(sp, byteorder);
     /* could possibly use ret_keyblock here, but do it with more
        checks for now */
@@ -174 +174 @@
         if (ret)
             goto out;
-        if((htons(enctype) & 0xff00) == 0x3000) {
-            ret = HEIM_ERR_BAD_MKEY;
-            krb5_set_error_message(context, ret, "unknown keytype in %s: "
-                                   "%#x, expected %#x",
-                                   filename, htons(enctype), 0x3000);
-            goto out;
-        }
+        ret = krb5_enctype_valid(context, enctype);
+        if (ret)
+           goto out;
         key.keytype = enctype;
         ret = krb5_ret_data(sp, &key.keyvalue);
@@ -186 +182 @@
             goto out;
     }
-    ret = hdb_process_master_key(context, 0, &key, 0, mkey);
+    ret = hdb_process_master_key(context, 1, &key, 0, mkey);
     krb5_free_keyblock_contents(context, &key);
   out:
@@ -331 +327 @@
         ret = read_master_keytab(context, filename, mkey);
     } else {
-        ret = read_master_mit(context, filename, mkey);
+      /*
+       * Check both LittleEndian and BigEndian since they key file
+       * might be moved from a machine with diffrent byte order, or
+       * its running on MacOS X that always uses BE master keys.
+       */
+      ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_LE, mkey);
+      if (ret)
+          ret = read_master_mit(context, filename, KRB5_STORAGE_BYTEORDER_BE, mkey);
     }
     return ret;

trunk/server/source4/heimdal/lib/hdb/ndbm.c

@@ -38 +38 @@
 #if defined(HAVE_GDBM_NDBM_H)
 #include <gdbm/ndbm.h>
+#define WRITE_SUPPORT 1
 #elif defined(HAVE_NDBM_H)
 #include <ndbm.h>
 #elif defined(HAVE_DBM_H)
+#define WRITE_SUPPORT 1
 #include <dbm.h>
 #endif
@@ -132 +134 @@
 
 static krb5_error_code
+open_lock_file(krb5_context context, const char *db_name, int *fd)
+{
+    char *lock_file;
+
+    /* lock old and new databases */
+    asprintf(&lock_file, "%s.lock", db_name);
+    if(lock_file == NULL) {
+        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+        return ENOMEM;
+    }
+
+    *fd = open(lock_file, O_RDWR | O_CREAT, 0600);
+    free(lock_file);
+    if(*fd < 0) {
+        int ret = errno;
+        krb5_set_error_message(context, ret, "open(%s): %s", lock_file,
+                               strerror(ret));
+        return ret;
+    }
+    return 0;
+}
+
+
+static krb5_error_code
 NDBM_rename(krb5_context context, HDB *db, const char *new_name)
 {
-    /* XXX this function will break */
-    struct ndbm_db *d = db->hdb_db;
-
     int ret;
     char *old_dir, *old_pag, *new_dir, *new_pag;
-    char *new_lock;
-    int lock_fd;
+    int old_lock_fd, new_lock_fd;
 
     /* lock old and new databases */
-    ret = db->hdb_lock(context, db, HDB_WLOCK);
-    if(ret)
-        return ret;
-    asprintf(&new_lock, "%s.lock", new_name);
-    if(new_lock == NULL) {
-        db->hdb_unlock(context, db);
-        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
-        return ENOMEM;
-    }
-    lock_fd = open(new_lock, O_RDWR | O_CREAT, 0600);
-    if(lock_fd < 0) {
-        ret = errno;
-        db->hdb_unlock(context, db);
-        krb5_set_error_message(context, ret, "open(%s): %s", new_lock,
-                               strerror(ret));
-        free(new_lock);
-        return ret;
-    }
-    free(new_lock);
-    ret = hdb_lock(lock_fd, HDB_WLOCK);
+    ret = open_lock_file(context, db->hdb_name, &old_lock_fd);
+    if (ret)
+        return ret;
+
+    ret = hdb_lock(old_lock_fd, HDB_WLOCK);
     if(ret) {
-        db->hdb_unlock(context, db);
-        close(lock_fd);
+        close(old_lock_fd);
+        return ret;
+    }
+
+    ret = open_lock_file(context, new_name, &new_lock_fd);
+    if (ret) {
+        hdb_unlock(old_lock_fd);
+        close(old_lock_fd);
+        return ret;
+    }
+
+    ret = hdb_lock(new_lock_fd, HDB_WLOCK);
+    if(ret) {
+        hdb_unlock(old_lock_fd);
+        close(old_lock_fd);
+        close(new_lock_fd);
         return ret;
     }
@@ -175 +196 @@
 
     ret = rename(old_dir, new_dir) || rename(old_pag, new_pag);
+    if (ret) {
+        ret = errno;
+        if (ret == 0)
+            ret = EPERM;
+        krb5_set_error_message(context, ret, "rename: %s", strerror(ret));
+    }
+
     free(old_dir);
     free(old_pag);
     free(new_dir);
     free(new_pag);
-    hdb_unlock(lock_fd);
-    db->hdb_unlock(context, db);
-
-    if(ret) {
-        ret = errno;
-        close(lock_fd);
-        krb5_set_error_message(context, ret, "rename: %s", strerror(ret));
-        return ret;
-    }
-
-    close(d->lock_fd);
-    d->lock_fd = lock_fd;
+
+    hdb_unlock(new_lock_fd);
+    hdb_unlock(old_lock_fd);
+    close(new_lock_fd);
+    close(old_lock_fd);
+
+    if(ret)
+        return ret;
 
     free(db->hdb_name);
@@ -222 +246 @@
         krb5_data key, krb5_data value)
 {
+#ifdef WRITE_SUPPORT
     struct ndbm_db *d = (struct ndbm_db *)db->hdb_db;
     datum k, v;
@@ -241 +266 @@
         return code;
     return 0;
+#else
+    return HDB_ERR_NO_WRITE_SUPPORT;
+#endif
 }
 
@@ -278 +306 @@
     krb5_error_code ret;
     struct ndbm_db *d = malloc(sizeof(*d));
-    char *lock_file;
 
     if(d == NULL) {
@@ -284 +311 @@
         return ENOMEM;
     }
-    asprintf(&lock_file, "%s.lock", (char*)db->hdb_name);
-    if(lock_file == NULL) {
-        free(d);
-        krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
-        return ENOMEM;
-    }
+
     d->db = dbm_open((char*)db->hdb_name, flags, mode);
     if(d->db == NULL){
         ret = errno;
         free(d);
-        free(lock_file);
         krb5_set_error_message(context, ret, "dbm_open(%s): %s", db->hdb_name,
                                strerror(ret));
         return ret;
     }
-    d->lock_fd = open(lock_file, O_RDWR | O_CREAT, 0600);
-    if(d->lock_fd < 0){
+
+    ret = open_lock_file(context, db->hdb_name, &d->lock_fd);
+    if (ret) {
         ret = errno;
         dbm_close(d->db);
         free(d);
-        krb5_set_error_message(context, ret, "open(%s): %s", lock_file,
+        krb5_set_error_message(context, ret, "open(lock file): %s",
                                strerror(ret));
-        free(lock_file);
-        return ret;
-    }
-    free(lock_file);
+        return ret;
+    }
+
     db->hdb_db = d;
     if((flags & O_ACCMODE) == O_RDONLY)
@@ -350 +371 @@
     (*db)->hdb_open = NDBM_open;
     (*db)->hdb_close = NDBM_close;
-    (*db)->hdb_fetch = _hdb_fetch;
+    (*db)->hdb_fetch_kvno = _hdb_fetch_kvno;
     (*db)->hdb_store = _hdb_store;
     (*db)->hdb_remove = _hdb_remove;