krb5/Remove-kadmin-RPC-support-for-setting-v4-key.patch

467 lines
16 KiB
Diff
Raw Normal View History

From a2fc99321c797c1534f6314d17560c622ec93418 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 16:14:46 -0400
Subject: [PATCH] Remove kadmin RPC support for setting v4 key
ticket: 8794 (new)
(cherry picked from commit 752187a441ed0f301f1a8adb1fea843080ac8c97)
---
src/kadmin/server/kadm_rpc_svc.c | 7 --
src/kadmin/server/ovsec_kadmd.c | 2 +-
src/kadmin/server/server_stubs.c | 50 ---------
src/lib/kadm5/admin.h | 3 -
src/lib/kadm5/admin_xdr.h | 1 -
src/lib/kadm5/clnt/Makefile.in | 2 +-
src/lib/kadm5/clnt/client_principal.c | 22 ----
src/lib/kadm5/clnt/client_rpc.c | 8 --
src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 2 -
src/lib/kadm5/kadm_rpc.h | 16 +--
src/lib/kadm5/kadm_rpc_xdr.c | 19 ----
src/lib/kadm5/srv/Makefile.in | 2 +-
src/lib/kadm5/srv/libkadm5srv_mit.exports | 2 -
src/lib/kadm5/srv/svr_principal.c | 118 --------------------
14 files changed, 6 insertions(+), 248 deletions(-)
diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c
index 41fc88ac8..d343e2c25 100644
--- a/src/kadmin/server/kadm_rpc_svc.c
+++ b/src/kadmin/server/kadm_rpc_svc.c
@@ -53,7 +53,6 @@ void kadm_1(rqstp, transp)
mpol_arg modify_policy_2_arg;
gpol_arg get_policy_2_arg;
setkey_arg setkey_principal_2_arg;
- setv4key_arg setv4key_principal_2_arg;
cprinc3_arg create_principal3_2_arg;
chpass3_arg chpass_principal3_2_arg;
chrand3_arg chrand_principal3_2_arg;
@@ -134,12 +133,6 @@ void kadm_1(rqstp, transp)
local = (bool_t (*)()) chpass_principal_2_svc;
break;
- case SETV4KEY_PRINCIPAL:
- xdr_argument = xdr_setv4key_arg;
- xdr_result = xdr_generic_ret;
- local = (bool_t (*)()) setv4key_principal_2_svc;
- break;
-
case SETKEY_PRINCIPAL:
xdr_argument = xdr_setkey_arg;
xdr_result = xdr_generic_ret;
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index 6a6b21401..3737791b6 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -227,7 +227,7 @@ log_badverf(gss_name_t client_name, gss_name_t server_name,
{14, "GET_PRINCS"},
{15, "GET_POLS"},
{16, "SETKEY_PRINCIPAL"},
- {17, "SETV4KEY_PRINCIPAL"},
+ /* 17 was "SETV4KEY_PRINCIPAL" */
{18, "CREATE_PRINCIPAL3"},
{19, "CHPASS_PRINCIPAL3"},
{20, "CHRAND_PRINCIPAL3"},
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index cfef97fec..d5a25e502 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -893,56 +893,6 @@ exit_func:
return TRUE;
}
-bool_t
-setv4key_principal_2_svc(setv4key_arg *arg, generic_ret *ret,
- struct svc_req *rqstp)
-{
- char *prime_arg = NULL;
- gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
-
- ret->code = stub_setup(arg->api_version, rqstp, arg->princ, &handle,
- &ret->api_version, &client_name, &service_name,
- &prime_arg);
- if (ret->code)
- goto exit_func;
-
- ret->code = check_lockdown_keys(handle, arg->princ);
- if (ret->code != KADM5_OK) {
- if (ret->code == KADM5_PROTECT_KEYS) {
- log_unauth("kadm5_setv4key_principal", prime_arg, &client_name,
- &service_name, rqstp);
- ret->code = KADM5_AUTH_SETKEY;
- }
- } else if (!(CHANGEPW_SERVICE(rqstp)) &&
- stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) {
- ret->code = kadm5_setv4key_principal(handle, arg->princ,
- arg->keyblock);
- } else {
- log_unauth("kadm5_setv4key_principal", prime_arg,
- &client_name, &service_name, rqstp);
- ret->code = KADM5_AUTH_SETKEY;
- }
-
- if (ret->code != KADM5_AUTH_SETKEY) {
- if (ret->code != 0)
- errmsg = krb5_get_error_message(handle->context, ret->code);
-
- log_done("kadm5_setv4key_principal", prime_arg, errmsg,
- &client_name, &service_name, rqstp);
-
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
- }
-
-exit_func:
- stub_cleanup(handle, prime_arg, &client_name, &service_name);
- return TRUE;
-}
-
-
bool_t
setkey_principal_2_svc(setkey_arg *arg, generic_ret *ret,
struct svc_req *rqstp)
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index b765148b3..7268be44e 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -394,9 +394,6 @@ kadm5_ret_t kadm5_randkey_principal_3(void *server_handle,
krb5_key_salt_tuple *ks_tuple,
krb5_keyblock **keyblocks,
int *n_keys);
-kadm5_ret_t kadm5_setv4key_principal(void *server_handle,
- krb5_principal principal,
- krb5_keyblock *keyblock);
kadm5_ret_t kadm5_setkey_principal(void *server_handle,
krb5_principal principal,
diff --git a/src/lib/kadm5/admin_xdr.h b/src/lib/kadm5/admin_xdr.h
index 2d22611e7..9da98451e 100644
--- a/src/lib/kadm5/admin_xdr.h
+++ b/src/lib/kadm5/admin_xdr.h
@@ -37,7 +37,6 @@ bool_t xdr_mprinc_arg(XDR *xdrs, mprinc_arg *objp);
bool_t xdr_rprinc_arg(XDR *xdrs, rprinc_arg *objp);
bool_t xdr_chpass_arg(XDR *xdrs, chpass_arg *objp);
bool_t xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp);
-bool_t xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp);
bool_t xdr_setkey_arg(XDR *xdrs, setkey_arg *objp);
bool_t xdr_setkey3_arg(XDR *xdrs, setkey3_arg *objp);
bool_t xdr_setkey4_arg(XDR *xdrs, setkey4_arg *objp);
diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in
index a180e85cd..2bc385afe 100644
--- a/src/lib/kadm5/clnt/Makefile.in
+++ b/src/lib/kadm5/clnt/Makefile.in
@@ -3,7 +3,7 @@ BUILDTOP=$(REL)..$(S)..$(S)..
LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5
LIBBASE=kadm5clnt_mit
-LIBMAJOR=11
+LIBMAJOR=12
LIBMINOR=0
STOBJLISTS=../OBJS.ST OBJS.ST
SHLIB_EXPDEPS=\
diff --git a/src/lib/kadm5/clnt/client_principal.c b/src/lib/kadm5/clnt/client_principal.c
index 18714bf37..96d9d1932 100644
--- a/src/lib/kadm5/clnt/client_principal.c
+++ b/src/lib/kadm5/clnt/client_principal.c
@@ -273,28 +273,6 @@ kadm5_chpass_principal_3(void *server_handle,
return r.code;
}
-kadm5_ret_t
-kadm5_setv4key_principal(void *server_handle,
- krb5_principal princ,
- krb5_keyblock *keyblock)
-{
- setv4key_arg arg;
- generic_ret r = { 0, 0 };
- kadm5_server_handle_t handle = server_handle;
-
- CHECK_HANDLE(server_handle);
-
- arg.princ = princ;
- arg.keyblock = keyblock;
- arg.api_version = handle->api_version;
-
- if(princ == NULL || keyblock == NULL)
- return EINVAL;
- if (setv4key_principal_2(&arg, &r, handle->clnt))
- eret();
- return r.code;
-}
-
kadm5_ret_t
kadm5_setkey_principal(void *server_handle,
krb5_principal princ,
diff --git a/src/lib/kadm5/clnt/client_rpc.c b/src/lib/kadm5/clnt/client_rpc.c
index df5455fd8..d84d158b4 100644
--- a/src/lib/kadm5/clnt/client_rpc.c
+++ b/src/lib/kadm5/clnt/client_rpc.c
@@ -84,14 +84,6 @@ chpass_principal3_2(chpass3_arg *argp, generic_ret *res, CLIENT *clnt)
(xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT);
}
-enum clnt_stat
-setv4key_principal_2(setv4key_arg *argp, generic_ret *res, CLIENT *clnt)
-{
- return clnt_call(clnt, SETV4KEY_PRINCIPAL,
- (xdrproc_t)xdr_setv4key_arg, (caddr_t)argp,
- (xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT);
-}
-
enum clnt_stat
setkey_principal_2(setkey_arg *argp, generic_ret *res, CLIENT *clnt)
{
diff --git a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
index f122b31ab..e41c8e4f7 100644
--- a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
+++ b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports
@@ -44,7 +44,6 @@ kadm5_set_string
kadm5_setkey_principal
kadm5_setkey_principal_3
kadm5_setkey_principal_4
-kadm5_setv4key_principal
kadm5_unlock
krb5_aprof_finish
krb5_aprof_get_boolean
@@ -114,6 +113,5 @@ xdr_rprinc_arg
xdr_setkey3_arg
xdr_setkey4_arg
xdr_setkey_arg
-xdr_setv4key_arg
xdr_ui_4
kadm5_init_iprop
diff --git a/src/lib/kadm5/kadm_rpc.h b/src/lib/kadm5/kadm_rpc.h
index 8d7cf3b36..5099c6c14 100644
--- a/src/lib/kadm5/kadm_rpc.h
+++ b/src/lib/kadm5/kadm_rpc.h
@@ -82,13 +82,6 @@ struct chpass3_arg {
};
typedef struct chpass3_arg chpass3_arg;
-struct setv4key_arg {
- krb5_ui_4 api_version;
- krb5_principal princ;
- krb5_keyblock *keyblock;
-};
-typedef struct setv4key_arg setv4key_arg;
-
struct setkey_arg {
krb5_ui_4 api_version;
krb5_principal princ;
@@ -322,11 +315,9 @@ extern enum clnt_stat setkey_principal_2(setkey_arg *, generic_ret *,
CLIENT *);
extern bool_t setkey_principal_2_svc(setkey_arg *, generic_ret *,
struct svc_req *);
-#define SETV4KEY_PRINCIPAL 17
-extern enum clnt_stat setv4key_principal_2(setv4key_arg *, generic_ret *,
- CLIENT *);
-extern bool_t setv4key_principal_2_svc(setv4key_arg *, generic_ret *,
- struct svc_req *);
+
+/* 17 was SETV4KEY_PRINCIPAL (removed in 1.18). */
+
#define CREATE_PRINCIPAL3 18
extern enum clnt_stat create_principal3_2(cprinc3_arg *, generic_ret *,
CLIENT *);
@@ -380,7 +371,6 @@ extern bool_t xdr_gprincs_arg ();
extern bool_t xdr_gprincs_ret ();
extern bool_t xdr_chpass_arg ();
extern bool_t xdr_chpass3_arg ();
-extern bool_t xdr_setv4key_arg ();
extern bool_t xdr_setkey_arg ();
extern bool_t xdr_setkey3_arg ();
extern bool_t xdr_setkey4_arg ();
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 2892d4147..745ee857e 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -710,25 +710,6 @@ xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp)
return (TRUE);
}
-bool_t
-xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp)
-{
- unsigned int n_keys = 1;
-
- if (!xdr_ui_4(xdrs, &objp->api_version)) {
- return (FALSE);
- }
- if (!xdr_krb5_principal(xdrs, &objp->princ)) {
- return (FALSE);
- }
- if (!xdr_array(xdrs, (caddr_t *) &objp->keyblock,
- &n_keys, ~0,
- sizeof(krb5_keyblock), xdr_krb5_keyblock)) {
- return (FALSE);
- }
- return (TRUE);
-}
-
bool_t
xdr_setkey_arg(XDR *xdrs, setkey_arg *objp)
{
diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
index 617d65666..89e6097cf 100644
--- a/src/lib/kadm5/srv/Makefile.in
+++ b/src/lib/kadm5/srv/Makefile.in
@@ -9,7 +9,7 @@ DEFINES = @HESIOD_DEFS@
##DOSLIBNAME = libkadm5srv.lib
LIBBASE=kadm5srv_mit
-LIBMAJOR=11
+LIBMAJOR=12
LIBMINOR=0
STOBJLISTS=../OBJS.ST OBJS.ST
diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports
index 64ad5dd69..e3c04e690 100644
--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports
+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports
@@ -45,7 +45,6 @@ kadm5_set_string
kadm5_setkey_principal
kadm5_setkey_principal_3
kadm5_setkey_principal_4
-kadm5_setv4key_principal
kadm5_unlock
kdb_delete_entry
kdb_free_entry
@@ -133,7 +132,6 @@ xdr_rprinc_arg
xdr_setkey3_arg
xdr_setkey4_arg
xdr_setkey_arg
-xdr_setv4key_arg
xdr_sstring_arg
xdr_ui_4
kadm5_init_iprop
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 9ab2c5a74..48cac0c11 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1645,124 +1645,6 @@ done:
return ret;
}
-/*
- * kadm5_setv4key_principal:
- *
- * Set only ONE key of the principal, removing all others. This key
- * must have the DES_CBC_CRC enctype and is entered as having the
- * krb4 salttype. This is to enable things like kadmind4 to work.
- */
-kadm5_ret_t
-kadm5_setv4key_principal(void *server_handle,
- krb5_principal principal,
- krb5_keyblock *keyblock)
-{
- krb5_db_entry *kdb;
- osa_princ_ent_rec adb;
- krb5_timestamp now;
- kadm5_policy_ent_rec pol;
- krb5_keysalt keysalt;
- int i, kvno, ret;
- krb5_boolean have_pol = FALSE;
- kadm5_server_handle_t handle = server_handle;
- krb5_key_data tmp_key_data;
- krb5_keyblock *act_mkey;
-
- memset( &tmp_key_data, 0, sizeof(tmp_key_data));
-
- CHECK_HANDLE(server_handle);
-
- krb5_clear_error_message(handle->context);
-
- if (principal == NULL || keyblock == NULL)
- return EINVAL;
- if (hist_princ && /* this will be NULL when initializing the databse */
- ((krb5_principal_compare(handle->context,
- principal, hist_princ)) == TRUE))
- return KADM5_PROTECT_PRINCIPAL;
-
- if (keyblock->enctype != ENCTYPE_DES_CBC_CRC)
- return KADM5_SETV4KEY_INVAL_ENCTYPE;
-
- if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
- return(ret);
-
- for (kvno = 0, i=0; i<kdb->n_key_data; i++)
- if (kdb->key_data[i].key_data_kvno > kvno)
- kvno = kdb->key_data[i].key_data_kvno;
-
- if (kdb->key_data != NULL)
- cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data);
-
- kdb->key_data = calloc(1, sizeof(krb5_key_data));
- if (kdb->key_data == NULL)
- return ENOMEM;
- kdb->n_key_data = 1;
- keysalt.type = KRB5_KDB_SALTTYPE_V4;
- /* XXX data.magic? */
- keysalt.data.length = 0;
- keysalt.data.data = NULL;
-
- ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
- if (ret)
- goto done;
-
- /* use tmp_key_data as temporary location and reallocate later */
- ret = krb5_dbe_encrypt_key_data(handle->context, act_mkey, keyblock,
- &keysalt, kvno + 1, kdb->key_data);
- if (ret) {
- goto done;
- }
-
- kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
-
- ret = krb5_timeofday(handle->context, &now);
- if (ret)
- goto done;
-
- if ((adb.aux_attributes & KADM5_POLICY)) {
- ret = get_policy(handle, adb.policy, &pol, &have_pol);
- if (ret)
- goto done;
- }
- if (have_pol) {
- if (pol.pw_max_life)
- kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
- else
- kdb->pw_expiration = 0;
- } else {
- kdb->pw_expiration = 0;
- }
-
- ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
- if (ret)
- goto done;
-
- /* unlock principal on this KDC */
- kdb->fail_auth_count = 0;
-
- /* key data changed, let the database provider know */
- kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
-
- if ((ret = kdb_put_entry(handle, kdb, &adb)))
- goto done;
-
- ret = KADM5_OK;
-done:
- for (i = 0; i < tmp_key_data.key_data_ver; i++) {
- if (tmp_key_data.key_data_contents[i]) {
- memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]);
- free (tmp_key_data.key_data_contents[i]);
- }
- }
-
- kdb_free_entry(handle, kdb, &adb);
- if (have_pol)
- kadm5_free_policy_ent(handle->lhandle, &pol);
-
- return ret;
-}
-
kadm5_ret_t
kadm5_setkey_principal(void *server_handle,
krb5_principal principal,