From 85a041bab594d7b4e88995c9a7c6f509d8cc19f3 Mon Sep 17 00:00:00 2001 From: =?utf8?q?G=C3=BCnther=20Deschner?= Date: Wed, 7 May 2014 16:52:42 +0200 Subject: [PATCH] s4-kdc: Introduce sdb a KDC backend abstraction Guenther Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy --- source4/kdc/sdb.c | 131 ++++++++++++++++++++++++++++++++++++++++++++++ source4/kdc/sdb.h | 126 ++++++++++++++++++++++++++++++++++++++++++++ source4/kdc/wscript_build | 6 +++ 3 files changed, 263 insertions(+) create mode 100644 source4/kdc/sdb.c create mode 100644 source4/kdc/sdb.h diff --git a/source4/kdc/sdb.c b/source4/kdc/sdb.c new file mode 100644 index 00000000000..d7c99520678 --- /dev/null +++ b/source4/kdc/sdb.c 
@@ -0,0 +1,131 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Database Glue between Samba and the KDC
+
+ Copyright (C) Guenther Deschner 2014
+ Copyright (C) Andreas Schneider 2014
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "sdb.h"
+#include "lib/krb5_wrap/krb5_samba.h"
+
+void sdb_free_entry(struct sdb_entry_ex *ent)
+{
+ struct sdb_key *k;
+ size_t i;
+
+ if (ent->free_entry) {
+ (*ent->free_entry)(ent);
+ }
+
+ for (i = 0; i < ent->entry.keys.len; i++) {
+ k = &ent->entry.keys.val[i];
+
+ /*
+ * Passing NULL as the Kerberos context is intentional here, as
+ * both Heimdal and MIT libraries don't use the context when
+ * clearing the keyblocks.
+ */
+ krb5_free_keyblock_contents(NULL, &k->key);
+ }
+
+ free_sdb_entry(&ent->entry);
+}
+
+static void free_sdb_key(struct sdb_key *k)
+{
+ if (k == NULL) {
+ return;
+ }
+
+ if (k->mkvno) {
+ free(k->mkvno);
+ }
+
+ /* keyblock not alloced */
+
+ if (k->salt) {
+ kerberos_free_data_contents(NULL, &k->salt->salt);
+ }
+
+ ZERO_STRUCTP(k);
+}
+
+void free_sdb_entry(struct sdb_entry *s)
+{
+ unsigned int i;
+
+ /*
+ * Passing NULL as the Kerberos context is intentional here, as both
+ * Heimdal and MIT libraries don't use the context when clearing the
+ * principals.
+ */
+ krb5_free_principal(NULL, s->principal);
+
+ if (s->keys.len) {
+ for (i=0; i < s->keys.len; i++) {
+ free_sdb_key(&s->keys.val[i]);
+ }
+ free(s->keys.val);
+ }
+ krb5_free_principal(NULL, s->created_by.principal);
+ if (s->modified_by) {
+ krb5_free_principal(NULL, s->modified_by->principal);
+ }
+ SAFE_FREE(s->valid_start);
+ SAFE_FREE(s->valid_end);
+ SAFE_FREE(s->pw_end);
+ if (s->etypes) {
+ if (s->etypes->len) {
+ free(s->etypes->val);
+ }
+ free(s->etypes);
+ }
+
+ ZERO_STRUCTP(s);
+}
+
+struct SDBFlags int2SDBFlags(unsigned n)
+{
+ struct SDBFlags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.initial = (n >> 0) & 1;
+ flags.forwardable = (n >> 1) & 1;
+ flags.proxiable = (n >> 2) & 1;
+ flags.renewable = (n >> 3) & 1;
+ flags.postdate = (n >> 4) & 1;
+ flags.server = (n >> 5) & 1;
+ flags.client = (n >> 6) & 1;
+ flags.invalid = (n >> 7) & 1;
+ flags.require_preauth = (n >> 8) & 1;
+ flags.change_pw = (n >> 9) & 1;
+ flags.require_hwauth = (n >> 10) & 1;
+ flags.ok_as_delegate = (n >> 11) & 1;
+ flags.user_to_user = (n >> 12) & 1;
+ flags.immutable = (n >> 13) & 1;
+ flags.trusted_for_delegation = (n >> 14) & 1;
+ flags.allow_kerberos4 = (n >> 15) & 1;
+ flags.allow_digest = (n >> 16) & 1;
+ flags.locked_out = (n >> 17) & 1;
+ flags.do_not_store = (n >> 31) & 1;
+ return flags;
+}
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
new file mode 100644
index 00000000000..e4f2725498c
--- /dev/null
+++ b/source4/kdc/sdb.h
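Review bot: free_sdb_entry releases valid_start, valid_end, pw_end and the etypes container, but never max_life, max_renew, the modified_by struct itself, or each key's salt struct (free_sdb_key only clears the contents of salt->salt), so if the producing backend heap-allocates those, as the pointer members in sdb.h suggest, every freed entry leaks them; the fix is a SAFE_FREE for each next to the existing ones, shown below. Separately, free_sdb_entry is exported in sdb.h yet deliberately skips the keyblock contents ("keyblock not alloced"), and only the loop in sdb_free_entry releases them via krb5_free_keyblock_contents, so a caller that uses free_sdb_entry alone leaves key material behind; a comment above it such as `/* Does not release the keyblock contents in keys.val[]; clear them first, as sdb_free_entry does. */` would make that contract visible. sdb_free_entry also runs the free_entry callback before it walks ent->entry.keys, so the callback's contract should state that it must leave the keys array intact, presumably on struct sdb_entry_ex in sdb.h.
```c
static void free_sdb_key(struct sdb_key *k)
{
	/* … unchanged: NULL check, mkvno … */
	if (k->salt) {
		kerberos_free_data_contents(NULL, &k->salt->salt);
		SAFE_FREE(k->salt);
	}

	ZERO_STRUCTP(k);
}

void free_sdb_entry(struct sdb_entry *s)
{
	/* … unchanged: principal, keys, created_by … */
	if (s->modified_by) {
		krb5_free_principal(NULL, s->modified_by->principal);
		SAFE_FREE(s->modified_by);
	}
	SAFE_FREE(s->valid_start);
	SAFE_FREE(s->valid_end);
	SAFE_FREE(s->pw_end);
	SAFE_FREE(s->max_life);
	SAFE_FREE(s->max_renew);
	/* … unchanged: etypes, ZERO_STRUCTP … */
}
```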
@@ -0,0 +1,126 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Database Glue between Samba and the KDC
+
+ Copyright (C) Guenther Deschner 2014
+ Copyright (C) Andreas Schneider 2014
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _KDC_SDB_H_
+#define _KDC_SDB_H_
+
+struct sdb_salt {
+ unsigned int type;
+ krb5_data salt;
+};
+
+struct sdb_key {
+ unsigned int *mkvno;
+ krb5_keyblock key;
+ struct sdb_salt *salt;
+};
+
+struct sdb_keys {
+ unsigned int len;
+ struct sdb_key *val;
+};
+
+struct sdb_event {
+ krb5_principal principal;
+ time_t time;
+};
+
+struct SDBFlags {
+ unsigned int initial:1;
+ unsigned int forwardable:1;
+ unsigned int proxiable:1;
+ unsigned int renewable:1;
+ unsigned int postdate:1;
+ unsigned int server:1;
+ unsigned int client:1;
+ unsigned int invalid:1;
+ unsigned int require_preauth:1;
+ unsigned int change_pw:1;
+ unsigned int require_hwauth:1;
+ unsigned int ok_as_delegate:1;
+ unsigned int user_to_user:1;
+ unsigned int immutable:1;
+ unsigned int trusted_for_delegation:1;
+ unsigned int allow_kerberos4:1;
+ unsigned int allow_digest:1;
+ unsigned int locked_out:1;
+ unsigned int _unused18:1;
+ unsigned int _unused19:1;
+ unsigned int _unused20:1;
+ unsigned int _unused21:1;
+ unsigned int _unused22:1;
+ unsigned int _unused23:1;
+ unsigned int _unused24:1;
+ unsigned int _unused25:1;
+ unsigned int _unused26:1;
+ unsigned int _unused27:1;
+ unsigned int _unused28:1;
+ unsigned int _unused29:1;
+ unsigned int _unused30:1;
+ unsigned int do_not_store:1;
+};
+
+struct sdb_entry {
+ krb5_principal principal;
+ unsigned int kvno;
+ struct sdb_keys keys;
+ struct sdb_event created_by;
+ struct sdb_event *modified_by;
+ time_t *valid_start;
+ time_t *valid_end;
+ time_t *pw_end;
+ unsigned int *max_life;
+ unsigned int *max_renew;
+ struct SDBFlags flags;
+ struct sdb_entry_etypes {
+ unsigned int len;
+ unsigned int *val;
+ } *etypes;
+};
+
+struct sdb_entry_ex {
+ void *ctx;
+ struct sdb_entry entry;
+ void (*free_entry)(struct sdb_entry_ex *);
+};
+
+#define SDB_ERR_NOENTRY 36150275
+#define SDB_ERR_NOT_FOUND_HERE 36150287
+#define SDB_ERR_WRONG_REALM 36150289
+
+#define SDB_F_DECRYPT 1 /* decrypt keys */
+#define SDB_F_GET_CLIENT 4 /* fetch client */
+#define SDB_F_GET_SERVER 8 /* fetch server */
+#define SDB_F_GET_KRBTGT 16 /* fetch krbtgt */
+#define SDB_F_GET_ANY 28 /* fetch any of client,server,krbtgt */
+#define SDB_F_CANON 32 /* want canonicalition */
+#define SDB_F_ADMIN_DATA 64 /* want data that kdc don't use */
+#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
+#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
+#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+
+void sdb_free_entry(struct sdb_entry_ex *e);
+void free_sdb_entry(struct sdb_entry *s);
+struct SDBFlags int2SDBFlags(unsigned n);
+
+#endif /* _KDC_SDB_H_ */
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 20efe003bac..b7006750f71 100755
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -58,6 +58,12 @@ bld.SAMBA_SUBSYSTEM('WDC_SAMBA4', enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') ) +bld.SAMBA_SUBSYSTEM('sdb', + source='sdb.c', + includes=kdc_include, + deps='krb5', + ) + +bld.SAMBA_SUBSYSTEM('PAC_GLUE', + source='pac-glue.c',
-- 2.11.4.GIT
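Review bot: sdb.h uses krb5_data, krb5_keyblock, krb5_principal and time_t but includes nothing, so it only compiles when the includer has already pulled in the Kerberos headers, as sdb.c does with system/kerberos.h; either add `#include "system/kerberos.h"` after the include guard or state that prerequisite in a comment there. The pointer members of struct sdb_entry (modified_by, valid_start, valid_end, pw_end, max_life, max_renew, etypes, and each key's mkvno and salt) carry no ownership statement, while free_sdb_entry in sdb.c frees some of them and not others, so a comment on the struct saying which members a backend must allocate with malloc and which free_sdb_entry releases would pin the contract for every backend that fills it in. The SDB_ERR_* values are bare numbers; they appear to mirror Heimdal's HDB_ERR_* codes, and a comment naming the origin would let a reader verify they stay in sync. Minor: the guard name _KDC_SDB_H_ (leading underscore plus uppercase) sits in the identifier space reserved for the implementation, and the SDB_F_CANON comment reads "canonicalition" for "canonicalization".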