
Commit a23c63e

committed
Implement principal unlocking
... using code taken from MIT Kerberos's kadmin.c that takes care of proper replication of unlock information.
1 parent cc1fd89 commit a23c63e


1 file changed

+64
-1
lines changed


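--- a/src/PyKAdminPrincipalObject.c
+++ b/src/PyKAdminPrincipalObject.c
@@ -285,9 +285,72 @@ static PyObject *PyKAdminPrincipal_reload(PyKAdminPrincipalObject *self) {
 return result;
 }
 
+/* taken from mit-krb5 kadmin.c - why's it in kadmin.c and not libkadm5
+* anyways? */
+/* Construct a tl_data element and add it to the tail of *tl_datap. */
+static int
+add_tl_data(krb5_int16 *n_tl_datap, krb5_tl_data **tl_datap,
+krb5_int16 tl_type, krb5_ui_2 len, krb5_octet *contents)
+{
+krb5_tl_data *tl_data;
+krb5_octet *copy;
+
+copy = malloc(len);
+tl_data = calloc(1, sizeof(*tl_data));
+if (copy == NULL || tl_data == NULL)
+return ENOMEM;
+memcpy(copy, contents, len);
+
+tl_data->tl_data_type = tl_type;
+tl_data->tl_data_length = len;
+tl_data->tl_data_contents = copy;
+tl_data->tl_data_next = NULL;
+
+for (; *tl_datap != NULL; tl_datap = &(*tl_datap)->tl_data_next);
+*tl_datap = tl_data;
+(*n_tl_datap)++;
+
+return 0;
+}
+
+/* taken from k5-platform.h */
+static inline void
+store_32_le (unsigned int val, void *vp)
+{
+unsigned char *p = (unsigned char *) vp;
+p[3] = (val >> 24) & 0xff;
+p[2] = (val >> 16) & 0xff;
+p[1] = (val >> 8) & 0xff;
+p[0] = (val ) & 0xff;
+}
 
 static PyObject *PyKAdminPrincipal_unlock(PyKAdminPrincipalObject *self) {
-return NULL;
+krb5_error_code retval;
+krb5_timestamp now;
+krb5_octet timebuf[4];
+
+/* Zero out the failed auth count. */
+self->entry.fail_auth_count = 0;
+self->mask |= KADM5_FAIL_AUTH_COUNT;
+
+/* Record the timestamp of this unlock operation so that slave KDCs will
+* see it, since fail_auth_count is unreplicated. */
+retval = krb5_timeofday(self->kadmin->context, &now);
+if (retval) {
+PyKAdminError_raise_error(retval, "krb5_timeofday");
+return NULL;
+}
+store_32_le((krb5_int32)now, timebuf);
+retval = add_tl_data(&self->entry.n_tl_data, &self->entry.tl_data,
+KRB5_TL_LAST_ADMIN_UNLOCK, 4, timebuf);
+if (retval) {
+PyKAdminError_raise_error(retval, "add_tl_data");
+return NULL;
+}
+
+self->mask |= KADM5_TL_DATA;
+
+Py_RETURN_TRUE;
 }
 
 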
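Review bot: The ENOMEM path in add_tl_data (new lines 298-301) leaks whichever of the two allocations succeeded, because `copy` and `tl_data` are both allocated before the joint NULL check and neither is released on the way out; `if (copy == NULL || tl_data == NULL) { free(copy); free(tl_data); return ENOMEM; }` closes that, since free(NULL) is a no-op. The same ordering problem appears in PyKAdminPrincipal_unlock: fail_auth_count and KADM5_FAIL_AUTH_COUNT are set on lines 333-334 before krb5_timeofday or add_tl_data can fail, so on either error return the entry is left half-updated — a later write of self->entry under self->mask would zero the count on the master KDC but carry no KRB5_TL_LAST_ADMIN_UNLOCK timestamp for the replicas, which is precisely the gap the comment on line 336 is meant to cover; setting both mask bits (and the count) only after add_tl_data succeeds keeps the operation all-or-nothing. Nothing in this hunk calls kadm5_modify_principal, so I assume the accumulated mask is flushed by a separate commit step elsewhere in the file; if that is not the case, unlock never reaches the KDC. Calling unlock twice before such a flush also appends a second KRB5_TL_LAST_ADMIN_UNLOCK element instead of replacing the first, which is only harmless if the flush updates tl_data by type — worth a one-line comment on the function either way.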