From 962e49c0ef0faf00210a1f88044782f6fa47a779 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 4 Apr 2019 16:14:46 -0400 Subject: [PATCH] Remove kadmin RPC support for setting v4 key ticket: 8794 (new) (cherry picked from commit 752187a441ed0f301f1a8adb1fea843080ac8c97) --- src/kadmin/server/kadm_rpc_svc.c | 7 -- src/kadmin/server/ovsec_kadmd.c | 2 +- src/kadmin/server/server_stubs.c | 50 --------- src/lib/kadm5/admin.h | 3 - src/lib/kadm5/admin_xdr.h | 1 - src/lib/kadm5/clnt/Makefile.in | 2 +- src/lib/kadm5/clnt/client_principal.c | 22 ---- src/lib/kadm5/clnt/client_rpc.c | 8 -- src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 2 - src/lib/kadm5/kadm_rpc.h | 16 +-- src/lib/kadm5/kadm_rpc_xdr.c | 19 ---- src/lib/kadm5/srv/Makefile.in | 2 +- src/lib/kadm5/srv/libkadm5srv_mit.exports | 2 - src/lib/kadm5/srv/svr_principal.c | 118 -------------------- 14 files changed, 6 insertions(+), 248 deletions(-) diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index 41fc88ac8..d343e2c25 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -53,7 +53,6 @@ void kadm_1(rqstp, transp) mpol_arg modify_policy_2_arg; gpol_arg get_policy_2_arg; setkey_arg setkey_principal_2_arg; - setv4key_arg setv4key_principal_2_arg; cprinc3_arg create_principal3_2_arg; chpass3_arg chpass_principal3_2_arg; chrand3_arg chrand_principal3_2_arg; @@ -134,12 +133,6 @@ void kadm_1(rqstp, transp) local = (bool_t (*)()) chpass_principal_2_svc; break; - case SETV4KEY_PRINCIPAL: - xdr_argument = xdr_setv4key_arg; - xdr_result = xdr_generic_ret; - local = (bool_t (*)()) setv4key_principal_2_svc; - break; - case SETKEY_PRINCIPAL: xdr_argument = xdr_setkey_arg; xdr_result = xdr_generic_ret; diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index 6a6b21401..3737791b6 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -227,7 +227,7 @@ log_badverf(gss_name_t client_name, gss_name_t server_name, {14, "GET_PRINCS"}, {15, "GET_POLS"}, {16, "SETKEY_PRINCIPAL"}, - {17, "SETV4KEY_PRINCIPAL"}, + /* 17 was "SETV4KEY_PRINCIPAL" */ {18, "CREATE_PRINCIPAL3"}, {19, "CHPASS_PRINCIPAL3"}, {20, "CHRAND_PRINCIPAL3"}, diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c index cfef97fec..d5a25e502 100644 --- a/src/kadmin/server/server_stubs.c +++ b/src/kadmin/server/server_stubs.c @@ -893,56 +893,6 @@ exit_func: return TRUE; } -bool_t -setv4key_principal_2_svc(setv4key_arg *arg, generic_ret *ret, - struct svc_req *rqstp) -{ - char *prime_arg = NULL; - gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; - gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; - kadm5_server_handle_t handle; - const char *errmsg = NULL; - - ret->code = stub_setup(arg->api_version, rqstp, arg->princ, &handle, - &ret->api_version, &client_name, &service_name, - &prime_arg); - if (ret->code) - goto exit_func; - - ret->code = check_lockdown_keys(handle, arg->princ); - if (ret->code != KADM5_OK) { - if (ret->code == KADM5_PROTECT_KEYS) { - log_unauth("kadm5_setv4key_principal", prime_arg, &client_name, - &service_name, rqstp); - ret->code = KADM5_AUTH_SETKEY; - } - } else if (!(CHANGEPW_SERVICE(rqstp)) && - stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) { - ret->code = kadm5_setv4key_principal(handle, arg->princ, - arg->keyblock); - } else { - log_unauth("kadm5_setv4key_principal", prime_arg, - &client_name, &service_name, rqstp); - ret->code = KADM5_AUTH_SETKEY; - } - - if (ret->code != KADM5_AUTH_SETKEY) { - if (ret->code != 0) - errmsg = krb5_get_error_message(handle->context, ret->code); - - log_done("kadm5_setv4key_principal", prime_arg, errmsg, - &client_name, &service_name, rqstp); - - if (errmsg != NULL) - krb5_free_error_message(handle->context, errmsg); - } - -exit_func: - stub_cleanup(handle, prime_arg, &client_name, &service_name); - return TRUE; -} - - bool_t setkey_principal_2_svc(setkey_arg *arg, generic_ret *ret, struct svc_req *rqstp) diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index b765148b3..7268be44e 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -394,9 +394,6 @@ kadm5_ret_t kadm5_randkey_principal_3(void *server_handle, krb5_key_salt_tuple *ks_tuple, krb5_keyblock **keyblocks, int *n_keys); -kadm5_ret_t kadm5_setv4key_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock *keyblock); kadm5_ret_t kadm5_setkey_principal(void *server_handle, krb5_principal principal, diff --git a/src/lib/kadm5/admin_xdr.h b/src/lib/kadm5/admin_xdr.h index 2d22611e7..9da98451e 100644 --- a/src/lib/kadm5/admin_xdr.h +++ b/src/lib/kadm5/admin_xdr.h @@ -37,7 +37,6 @@ bool_t xdr_mprinc_arg(XDR *xdrs, mprinc_arg *objp); bool_t xdr_rprinc_arg(XDR *xdrs, rprinc_arg *objp); bool_t xdr_chpass_arg(XDR *xdrs, chpass_arg *objp); bool_t xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp); -bool_t xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp); bool_t xdr_setkey_arg(XDR *xdrs, setkey_arg *objp); bool_t xdr_setkey3_arg(XDR *xdrs, setkey3_arg *objp); bool_t xdr_setkey4_arg(XDR *xdrs, setkey4_arg *objp); diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in index a180e85cd..2bc385afe 100644 --- a/src/lib/kadm5/clnt/Makefile.in +++ b/src/lib/kadm5/clnt/Makefile.in @@ -3,7 +3,7 @@ BUILDTOP=$(REL)..$(S)..$(S).. LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5 LIBBASE=kadm5clnt_mit -LIBMAJOR=11 +LIBMAJOR=12 LIBMINOR=0 STOBJLISTS=../OBJS.ST OBJS.ST SHLIB_EXPDEPS=\ diff --git a/src/lib/kadm5/clnt/client_principal.c b/src/lib/kadm5/clnt/client_principal.c index 18714bf37..96d9d1932 100644 --- a/src/lib/kadm5/clnt/client_principal.c +++ b/src/lib/kadm5/clnt/client_principal.c @@ -273,28 +273,6 @@ kadm5_chpass_principal_3(void *server_handle, return r.code; } -kadm5_ret_t -kadm5_setv4key_principal(void *server_handle, - krb5_principal princ, - krb5_keyblock *keyblock) -{ - setv4key_arg arg; - generic_ret r = { 0, 0 }; - kadm5_server_handle_t handle = server_handle; - - CHECK_HANDLE(server_handle); - - arg.princ = princ; - arg.keyblock = keyblock; - arg.api_version = handle->api_version; - - if(princ == NULL || keyblock == NULL) - return EINVAL; - if (setv4key_principal_2(&arg, &r, handle->clnt)) - eret(); - return r.code; -} - kadm5_ret_t kadm5_setkey_principal(void *server_handle, krb5_principal princ, diff --git a/src/lib/kadm5/clnt/client_rpc.c b/src/lib/kadm5/clnt/client_rpc.c index df5455fd8..d84d158b4 100644 --- a/src/lib/kadm5/clnt/client_rpc.c +++ b/src/lib/kadm5/clnt/client_rpc.c @@ -84,14 +84,6 @@ chpass_principal3_2(chpass3_arg *argp, generic_ret *res, CLIENT *clnt) (xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT); } -enum clnt_stat -setv4key_principal_2(setv4key_arg *argp, generic_ret *res, CLIENT *clnt) -{ - return clnt_call(clnt, SETV4KEY_PRINCIPAL, - (xdrproc_t)xdr_setv4key_arg, (caddr_t)argp, - (xdrproc_t)xdr_generic_ret, (caddr_t)res, TIMEOUT); -} - enum clnt_stat setkey_principal_2(setkey_arg *argp, generic_ret *res, CLIENT *clnt) { diff --git a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports index f122b31ab..e41c8e4f7 100644 --- a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports +++ b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports @@ -44,7 +44,6 @@ kadm5_set_string kadm5_setkey_principal kadm5_setkey_principal_3 kadm5_setkey_principal_4 -kadm5_setv4key_principal kadm5_unlock krb5_aprof_finish krb5_aprof_get_boolean @@ -114,6 +113,5 @@ xdr_rprinc_arg xdr_setkey3_arg xdr_setkey4_arg xdr_setkey_arg -xdr_setv4key_arg xdr_ui_4 kadm5_init_iprop diff --git a/src/lib/kadm5/kadm_rpc.h b/src/lib/kadm5/kadm_rpc.h index 8d7cf3b36..5099c6c14 100644 --- a/src/lib/kadm5/kadm_rpc.h +++ b/src/lib/kadm5/kadm_rpc.h @@ -82,13 +82,6 @@ struct chpass3_arg { }; typedef struct chpass3_arg chpass3_arg; -struct setv4key_arg { - krb5_ui_4 api_version; - krb5_principal princ; - krb5_keyblock *keyblock; -}; -typedef struct setv4key_arg setv4key_arg; - struct setkey_arg { krb5_ui_4 api_version; krb5_principal princ; @@ -322,11 +315,9 @@ extern enum clnt_stat setkey_principal_2(setkey_arg *, generic_ret *, CLIENT *); extern bool_t setkey_principal_2_svc(setkey_arg *, generic_ret *, struct svc_req *); -#define SETV4KEY_PRINCIPAL 17 -extern enum clnt_stat setv4key_principal_2(setv4key_arg *, generic_ret *, - CLIENT *); -extern bool_t setv4key_principal_2_svc(setv4key_arg *, generic_ret *, - struct svc_req *); + +/* 17 was SETV4KEY_PRINCIPAL (removed in 1.18). */ + #define CREATE_PRINCIPAL3 18 extern enum clnt_stat create_principal3_2(cprinc3_arg *, generic_ret *, CLIENT *); @@ -380,7 +371,6 @@ extern bool_t xdr_gprincs_arg (); extern bool_t xdr_gprincs_ret (); extern bool_t xdr_chpass_arg (); extern bool_t xdr_chpass3_arg (); -extern bool_t xdr_setv4key_arg (); extern bool_t xdr_setkey_arg (); extern bool_t xdr_setkey3_arg (); extern bool_t xdr_setkey4_arg (); diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c index 2892d4147..745ee857e 100644 --- a/src/lib/kadm5/kadm_rpc_xdr.c +++ b/src/lib/kadm5/kadm_rpc_xdr.c @@ -710,25 +710,6 @@ xdr_chpass3_arg(XDR *xdrs, chpass3_arg *objp) return (TRUE); } -bool_t -xdr_setv4key_arg(XDR *xdrs, setv4key_arg *objp) -{ - unsigned int n_keys = 1; - - if (!xdr_ui_4(xdrs, &objp->api_version)) { - return (FALSE); - } - if (!xdr_krb5_principal(xdrs, &objp->princ)) { - return (FALSE); - } - if (!xdr_array(xdrs, (caddr_t *) &objp->keyblock, - &n_keys, ~0, - sizeof(krb5_keyblock), xdr_krb5_keyblock)) { - return (FALSE); - } - return (TRUE); -} - bool_t xdr_setkey_arg(XDR *xdrs, setkey_arg *objp) { diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in index 617d65666..89e6097cf 100644 --- a/src/lib/kadm5/srv/Makefile.in +++ b/src/lib/kadm5/srv/Makefile.in @@ -9,7 +9,7 @@ DEFINES = @HESIOD_DEFS@ ##DOSLIBNAME = libkadm5srv.lib LIBBASE=kadm5srv_mit -LIBMAJOR=11 +LIBMAJOR=12 LIBMINOR=0 STOBJLISTS=../OBJS.ST OBJS.ST diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports index 64ad5dd69..e3c04e690 100644 --- a/src/lib/kadm5/srv/libkadm5srv_mit.exports +++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports @@ -45,7 +45,6 @@ kadm5_set_string kadm5_setkey_principal kadm5_setkey_principal_3 kadm5_setkey_principal_4 -kadm5_setv4key_principal kadm5_unlock kdb_delete_entry kdb_free_entry @@ -133,7 +132,6 @@ xdr_rprinc_arg xdr_setkey3_arg xdr_setkey4_arg xdr_setkey_arg -xdr_setv4key_arg xdr_sstring_arg xdr_ui_4 kadm5_init_iprop diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 9ab2c5a74..48cac0c11 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -1645,124 +1645,6 @@ done: return ret; } -/* - * kadm5_setv4key_principal: - * - * Set only ONE key of the principal, removing all others. This key - * must have the DES_CBC_CRC enctype and is entered as having the - * krb4 salttype. This is to enable things like kadmind4 to work. - */ -kadm5_ret_t -kadm5_setv4key_principal(void *server_handle, - krb5_principal principal, - krb5_keyblock *keyblock) -{ - krb5_db_entry *kdb; - osa_princ_ent_rec adb; - krb5_timestamp now; - kadm5_policy_ent_rec pol; - krb5_keysalt keysalt; - int i, kvno, ret; - krb5_boolean have_pol = FALSE; - kadm5_server_handle_t handle = server_handle; - krb5_key_data tmp_key_data; - krb5_keyblock *act_mkey; - - memset( &tmp_key_data, 0, sizeof(tmp_key_data)); - - CHECK_HANDLE(server_handle); - - krb5_clear_error_message(handle->context); - - if (principal == NULL || keyblock == NULL) - return EINVAL; - if (hist_princ && /* this will be NULL when initializing the databse */ - ((krb5_principal_compare(handle->context, - principal, hist_princ)) == TRUE)) - return KADM5_PROTECT_PRINCIPAL; - - if (keyblock->enctype != ENCTYPE_DES_CBC_CRC) - return KADM5_SETV4KEY_INVAL_ENCTYPE; - - if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) - return(ret); - - for (kvno = 0, i=0; in_key_data; i++) - if (kdb->key_data[i].key_data_kvno > kvno) - kvno = kdb->key_data[i].key_data_kvno; - - if (kdb->key_data != NULL) - cleanup_key_data(handle->context, kdb->n_key_data, kdb->key_data); - - kdb->key_data = calloc(1, sizeof(krb5_key_data)); - if (kdb->key_data == NULL) - return ENOMEM; - kdb->n_key_data = 1; - keysalt.type = KRB5_KDB_SALTTYPE_V4; - /* XXX data.magic? */ - keysalt.data.length = 0; - keysalt.data.data = NULL; - - ret = kdb_get_active_mkey(handle, NULL, &act_mkey); - if (ret) - goto done; - - /* use tmp_key_data as temporary location and reallocate later */ - ret = krb5_dbe_encrypt_key_data(handle->context, act_mkey, keyblock, - &keysalt, kvno + 1, kdb->key_data); - if (ret) { - goto done; - } - - kdb->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE; - - ret = krb5_timeofday(handle->context, &now); - if (ret) - goto done; - - if ((adb.aux_attributes & KADM5_POLICY)) { - ret = get_policy(handle, adb.policy, &pol, &have_pol); - if (ret) - goto done; - } - if (have_pol) { - if (pol.pw_max_life) - kdb->pw_expiration = ts_incr(now, pol.pw_max_life); - else - kdb->pw_expiration = 0; - } else { - kdb->pw_expiration = 0; - } - - ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now); - if (ret) - goto done; - - /* unlock principal on this KDC */ - kdb->fail_auth_count = 0; - - /* key data changed, let the database provider know */ - kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; - - if ((ret = kdb_put_entry(handle, kdb, &adb))) - goto done; - - ret = KADM5_OK; -done: - for (i = 0; i < tmp_key_data.key_data_ver; i++) { - if (tmp_key_data.key_data_contents[i]) { - memset (tmp_key_data.key_data_contents[i], 0, tmp_key_data.key_data_length[i]); - free (tmp_key_data.key_data_contents[i]); - } - } - - kdb_free_entry(handle, kdb, &adb); - if (have_pol) - kadm5_free_policy_ent(handle->lhandle, &pol); - - return ret; -} - kadm5_ret_t kadm5_setkey_principal(void *server_handle, krb5_principal principal,