From: Will Fiveash Date: Tue, 27 Jan 2009 23:31:19 +0000 (+0000) Subject: Modified the ldap plugin so the mkvno slot in the krbprincipalkey X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f958d1f2fe50ecc1102f6286a045bb99f4098010;p=thirdparty%2Fkrb5.git Modified the ldap plugin so the mkvno slot in the krbprincipalkey attribute is used. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21811 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index cfe35fe2bc..0c0daec546 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c @@ -185,7 +185,7 @@ kdb5_add_mkey(int argc, char *argv[]) switch(optchar) { case 'e': if (krb5_string_to_enctype(optarg, &new_master_enctype)) { - com_err(progname, EINVAL, ": %s is an invalid enctype", optarg); + com_err(progname, EINVAL, "%s is an invalid enctype", optarg); exit_status++; return; } @@ -338,7 +338,7 @@ kdb5_use_mkey(int argc, char *argv[]) use_kvno = atoi(argv[1]); if (use_kvno == 0) { - com_err(progname, EINVAL, ": 0 is an invalid KVNO value."); + com_err(progname, EINVAL, "0 is an invalid KVNO value"); exit_status++; return; } else { @@ -351,14 +351,14 @@ kdb5_use_mkey(int argc, char *argv[]) } } if (!found) { - com_err(progname, EINVAL, ": %d is an invalid KVNO value.", use_kvno); + com_err(progname, EINVAL, "%d is an invalid KVNO value", use_kvno); exit_status++; return; } } if ((retval = krb5_timeofday(util_context, &now))) { - com_err(progname, retval, "while getting current time."); + com_err(progname, retval, "while getting current time"); exit_status++; return; } 
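Review bot: The new message on the `+` line of the -338 hunk is misleading for non-numeric input: `use_kvno` comes from `atoi(argv[1])` two lines above, and atoi returns 0 for any string it cannot parse, so a garbage argument is reported as "0 is an invalid KVNO value". Since the line is being reworded anyway, either echo the argument, `com_err(progname, EINVAL, "%s is an invalid KVNO value", argv[1]);`, or parse with strtoul and check the end pointer so that unparsable input and an explicit 0 are rejected with distinct messages. The -185 and -351 hunks only drop the leading ": " and trailing "." from messages and need nothing further. kdb5_use_mkey begins and ends outside this hunk.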
@@ -466,7 +466,7 @@ kdb5_use_mkey(int argc, char *argv[]) if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry, new_actkvno_list_head))) { - com_err(progname, retval, "while updating actkvno data for master principal entry."); + com_err(progname, retval, "while updating actkvno data for master principal entry"); exit_status++; return; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c index 1c93a8cdb1..f8e1d4415e 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c @@ -148,7 +148,7 @@ krb5_dbe_lookup_last_pwd_change(context, entry, stamp) return(0); } - +#if 0 /************** Begin IFDEF'ed OUT *******************************/ krb5_error_code krb5_dbe_lookup_mkvno(krb5_context context, krb5_db_entry *entry, @@ -192,6 +192,7 @@ krb5_dbe_update_mkvno(krb5_context context, return (krb5_dbe_update_tl_data(context, entry, &tl_data)); } +#endif /**************** END IFDEF'ed OUT *******************************/ /* it seems odd that there's no function to remove a tl_data, but if I need one, I'll add one */ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 79ca63472f..f0734deb2a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -2059,9 +2059,16 @@ populate_krb5_db_entry (krb5_context context, /* KRBSECRETKEY */ if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) { + krb5_kvno mkvno = 0; + mask |= KDB_SECRET_KEY_ATTR; - if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data)) != 0) + if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data, &mkvno)) != 0) goto cleanup; + if (mkvno != 0) { + /* don't add the tl data if mkvno == 0 */ + if ((st=krb5_dbe_update_mkvno(context, entry, mkvno)) != 0) + goto cleanup; + } } /* LAST PASSWORD CHANGE */ 
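Review bot: The `#if 0` / `#endif` pair added in kdb_xdr.c keeps krb5_dbe_lookup_mkvno and krb5_dbe_update_mkvno in the tree as dead code without saying what replaces them, while ldap_misc.c and ldap_principal2.c in this same commit still call both names, so a reader has to guess that another library now provides them (presumably libkdb5, but that is not visible here). Either delete the two bodies outright, since history already preserves them, or make the marker say which definition supersedes them, e.g. `/* krb5_dbe_lookup_mkvno / krb5_dbe_update_mkvno are now provided by <superseding library — confirm>; the copies below are retained only for reference. */`. The two functions lie entirely between the -148 and -192 hunks and are not shown.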
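Review bot: The comment `/* don't add the tl data if mkvno == 0 */` on the new lines in the ldap_misc.c hunk restates the `if` beneath it rather than explaining why 0 is special: the old encoder in ldap_principal2.c wrote `0, /* For now, mkvno == 0*/` into every krbprincipalkey value (the line this commit removes in the -396 hunk), so 0 presumably marks an entry written before mkvno support, not master key version 0. Suggest replacing it with `/* 0 is what values written before mkvno support carry and means "unknown", so leave the tl-data absent rather than record 0 — confirm against the encoder */`. populate_krb5_db_entry starts and ends outside the hunk.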
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h index 18e2acc060..502e71ccd5 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h @@ -112,7 +112,7 @@ krb5_ldap_parse_principal_name(char *, char **); krb5_error_code krb5_decode_krbsecretkey(krb5_context, krb5_db_entry *, struct berval **, - krb5_tl_data *); + krb5_tl_data *, krb5_kvno *); krb5_error_code berval2tl_data(struct berval *in, krb5_tl_data **out); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 561a65d99b..f7d19e0ccc 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -371,7 +371,7 @@ asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out, /* Decoding ASN.1 encoded key */ static struct berval ** -krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) { +krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, krb5_kvno mkvno) { struct berval **ret = NULL; int currkvno; int num_versions = 1; @@ -396,7 +396,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) { if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) { asn1_encode_sequence_of_keys (key_data+last, (krb5_int16) i - last + 1, - 0, /* For now, mkvno == 0*/ + mkvno, &code); ret[j] = malloc (sizeof (struct berval)); if (ret[j] == NULL) { 
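Review bot: The new `mkvno` parameter of krb5_encode_krbsecretkey (the -371 hunk) is undocumented, and the -396 hunk shows it is written into every per-kvno sequence the loop emits, so the function now assumes all of the principal's keys are encrypted under the same master key version; the only caller visible, krb5_ldap_put_principal, passes the single entry-level value it looked up. That assumption belongs above the function: `/* Encode key_data as one krbprincipalkey value per kvno. mkvno is the master key version all of these keys are encrypted under and is stamped into every value. */`. The matching prototype change in ldap_principal.h needs nothing further. krb5_encode_krbsecretkey continues beyond the hunk.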
@@ -927,8 +927,12 @@ krb5_ldap_put_principal(context, entries, nentries, db_args) } if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) { + krb5_kvno mkvno; + + if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0) + goto cleanup; bersecretkey = krb5_encode_krbsecretkey (entries->key_data, - entries->n_key_data); + entries->n_key_data, mkvno); if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0) @@ -1220,11 +1224,12 @@ cleanup: } krb5_error_code -krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) +krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data, mkvno) krb5_context context; krb5_db_entry *entries; struct berval **bvalues; krb5_tl_data *userinfo_tl_data; + krb5_kvno *mkvno; { char *user=NULL; int i=0, j=0, noofkeys=0; @@ -1235,7 +1240,6 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) goto cleanup; for (i=0; bvalues[i] != NULL; ++i) { - int mkvno; /* Not used currently */ krb5_int16 n_kd; krb5_key_data *kd; krb5_data in; @@ -1248,7 +1252,7 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data) st = asn1_decode_sequence_of_keys (&in, &kd, &n_kd, - &mkvno); + mkvno); if (st != 0) { const char *msg = error_message(st);
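Review bot: In the -927 hunk `krb5_kvno mkvno;` is declared without an initializer and is then passed into krb5_encode_krbsecretkey; that is only safe if krb5_dbe_lookup_mkvno assigns `*mkvno` on every successful return, including the case where the entry has no mkvno tl-data at all, which cannot be confirmed from this diff (the plugin's own copy is now ifdef'd out in kdb_xdr.c). ldap_misc.c in this same commit writes `krb5_kvno mkvno = 0;` for the same purpose, so do the same here, `krb5_kvno mkvno = 0;`, and the encoder falls back to the pre-existing 0 value instead of an indeterminate one. krb5_ldap_put_principal starts and ends outside the hunk.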
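Review bot: In the -1248 hunk the caller's `mkvno` pointer is handed straight to asn1_decode_sequence_of_keys inside `for (i=0; bvalues[i] != NULL; ++i)` (the loop header is visible in the -1235 hunk), so with several krbprincipalkey values on one entry each iteration overwrites the previous result and only the last value's mkvno survives; a value encrypted under a different master key version is silently misreported. Decode into a local `krb5_kvno value_mkvno` instead, store it to `*mkvno` on the first iteration, and on a later mismatch fail the decode (or at minimum log it) rather than carry on. Separately, the removed local was `int mkvno` passed as `&mkvno`, and the prototype of asn1_decode_sequence_of_keys is outside the hunk; if its fourth parameter is still `int *`, passing a `krb5_kvno *` here is an incompatible-pointer-type conversion and the prototype should be changed together with this call. krb5_decode_krbsecretkey is defined in the -1220 hunk and its body continues past the end of the diff.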