char namebuf[1024];
char keysaltbuf[KRB5_KDB_MAX_ALLOWED_KS_LEN + 1];
unsigned int refcnt;
- int nread, ret = 0;
+ int nread, c, ret = 0;
memset(&rec, 0, sizeof(rec));
(*linenop)++;
rec.name = namebuf;
- rec.allowed_keysalts = keysaltbuf;
- nread = fscanf(filep, "%1023s\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t"
- "%u\t%u\t%u\t"
- K5CONST_WIDTH_SCANF_STR(KRB5_KDB_MAX_ALLOWED_KS_LEN)
- "\t%hd", rec.name, &rec.pw_min_life, &rec.pw_max_life,
+ /*
+ * Due to a historical error, iprop dumps use the same version before and
+ * after the 1.11 policy extensions. So we need to accept both 1.8-format
+ * and 1.11-format policy entries. Begin by reading the 1.8 fields.
+ */
+ nread = fscanf(filep, "%1023s\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u",
+ rec.name, &rec.pw_min_life, &rec.pw_max_life,
&rec.pw_min_length, &rec.pw_min_classes,
&rec.pw_history_num, &refcnt, &rec.pw_max_fail,
- &rec.pw_failcnt_interval, &rec.pw_lockout_duration,
- &rec.attributes, &rec.max_life, &rec.max_renewable_life,
- rec.allowed_keysalts, &rec.n_tl_data);
+ &rec.pw_failcnt_interval, &rec.pw_lockout_duration);
if (nread == EOF)
return -1;
- if (nread != 15) {
+ if (nread != 10) {
fprintf(stderr, _("cannot parse policy (%d read)\n"), nread);
return 1;
}
- if (rec.allowed_keysalts && !strcmp(rec.allowed_keysalts, "-"))
- rec.allowed_keysalts = NULL;
+ /* The next character should be a newline (1.8) or a tab (1.11). */
+ c = getc(filep);
+ if (c == EOF)
+ return -1;
+ if (c != '\n') {
+ /* Read the additional 1.11-format fields. */
+ rec.allowed_keysalts = keysaltbuf;
+ nread = fscanf(filep, "%u\t%u\t%u\t"
+ K5CONST_WIDTH_SCANF_STR(KRB5_KDB_MAX_ALLOWED_KS_LEN)
+ "\t%hd", &rec.attributes, &rec.max_life,
+ &rec.max_renewable_life, rec.allowed_keysalts,
+ &rec.n_tl_data);
+ if (nread == EOF)
+ return -1;
+ if (nread != 5) {
+ fprintf(stderr, _("cannot parse policy (%d read)\n"), nread);
+ return 1;
+ }
- /* Get TL data */
- ret = alloc_tl_data(rec.n_tl_data, &rec.tl_data);
- if (ret)
- goto cleanup;
+ if (rec.allowed_keysalts && !strcmp(rec.allowed_keysalts, "-"))
+ rec.allowed_keysalts = NULL;
- ret = process_tl_data(fname, filep, *linenop, rec.tl_data);
- if (ret)
- goto cleanup;
+ /* Get TL data */
+ ret = alloc_tl_data(rec.n_tl_data, &rec.tl_data);
+ if (ret)
+ goto cleanup;
+
+ ret = process_tl_data(fname, filep, *linenop, rec.tl_data);
+ if (ret)
+ goto cleanup;
+ }
ret = krb5_db_create_policy(context, &rec);
if (ret)
dumpfile = os.path.join(realm.testdir, 'dump')
realm.run([kdb5_util, 'dump', dumpfile])
-# Write an additional policy record to the dump.
+# Write additional policy records to the dump. Use the 1.8 format for
+# one of them, to test retroactive compatibility (for issue #8213).
f = open('testdir/dump', 'a')
+f.write('policy compat 0 0 3 4 5 0 '
+ '0 0 0\n')
f.write('policy barney 0 0 1 1 1 0 '
'0 0 0 0 0 0 - 1 '
'2 28 '
- 'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00')
+ 'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00\n')
f.close()
# Destroy and load the database; check that the policies exist.
out = realm.run([kadminl, 'getpols'])
if 'fred\n' not in out or 'barney\n' not in out:
fail('Missing policy after load')
+out = realm.run([kadminl, 'getpol', 'compat'])
+if 'Number of old keys kept: 5' not in out:
+ fail('Policy (1.8 format) has wrong value after load')
out = realm.run([kadminl, 'getpol', 'barney'])
if 'Number of old keys kept: 1' not in out:
fail('Policy has wrong value after load')
if realm.user_princ not in out or realm.host_princ not in out:
fail('Missing principal after load')
out = realm.run([kadminl, 'getpols'])
-if 'fred\n' not in out or 'barney\n' not in out:
+if 'compat\n' not in out or 'fred\n' not in out or 'barney\n' not in out:
fail('Missing policy after second load')
srcdumpdir = os.path.join(srctop, 'tests', 'dumpfiles')
projects / thirdparty / krb5.git / commitdiff
