#

# This patch cherry-picks Password history in LDAP KDB plugin feature from

# MIT krb5 1.15.

#

# It is 1-1 port of the following changesets:

#    44ad57d8d38efc944f64536354435f5b721c0ee0

#    d7f91ac2f6655e77bb3658c2c8cc6132f958a340

#    b46cce2ea8c0841f7f93db73eefcd180c87a3eae

#    9526953f36b39323ec07448a5f218d27c6f1c76f

#

# Patch source: upstream

#

# When upgrading to MIT krb5 1.15 this patch will be dropped.

#

--- a/src/include/kdb.h

+++ b/src/include/kdb.h

@@ -1,6 +1,6 @@

 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */

 /*

- * Copyright 1990,1991 by the Massachusetts Institute of Technology.

+ * Copyright 1990, 1991, 2016 by the Massachusetts Institute of Technology.

  * All Rights Reserved.

  *

  * Export of this software from the United States of America may

@@ -209,6 +209,8 @@ typedef struct _krb5_db_entry_new {

     krb5_principal        princ;                /* Length, data */

     krb5_tl_data        * tl_data;              /* Linked list */

+

+    /* key_data must be sorted by kvno in descending order. */

     krb5_key_data       * key_data;             /* Array */

 } krb5_db_entry;

@@ -683,6 +685,19 @@ krb5_error_code krb5_db_check_allowed_to

                                                   const krb5_db_entry *server,

                                                   krb5_const_principal proxy);

+/**

+ * Sort an array of @a krb5_key_data keys in descending order by their kvno.

+ * Key data order within a kvno is preserved.

+ *

+ * @param key_data

+ *     The @a krb5_key_data array to sort.  This is sorted in place so the

+ *     array will be modified.

+ * @param key_data_length

+ *     The length of @a key_data.

+ */

+void

+krb5_dbe_sort_key_data(krb5_key_data *key_data, size_t key_data_length);

+

 /* default functions. Should not be directly called */

 /*

  *   Default functions prototype

--- a/src/lib/kadm5/admin.h

+++ b/src/lib/kadm5/admin.h

@@ -113,7 +113,7 @@ typedef long            kadm5_ret_t;

 #define KADM5_RANDKEY_USED      0x100000

 #endif

 #define KADM5_LOAD              0x200000

-#define KADM5_NOKEY             0x400000

+#define KADM5_KEY_HIST          0x400000

 /* all but KEY_DATA, TL_DATA, LOAD */

 #define KADM5_PRINCIPAL_NORMAL_MASK 0x41ffff

--- a/src/lib/kadm5/srv/svr_principal.c

+++ b/src/lib/kadm5/srv/svr_principal.c

@@ -1084,6 +1084,16 @@ check_pw_reuse(krb5_context context,

     return(0);

 }

+static void

+free_history_entry(krb5_context context, osa_pw_hist_ent *hist)

+{

+    int i;

+

+    for (i = 0; i < hist->n_key_data; i++)

+        krb5_free_key_data_contents(context, &hist->key_data[i]);

+    free(hist->key_data);

+}

+

 /*

  * Function: create_history_entry

  *

@@ -1097,7 +1107,7 @@ check_pw_reuse(krb5_context context,

  *      hist_key        (r) history keyblock to encrypt key data with

  *      n_key_data      (r) number of elements in key_data

  *      key_data        (r) keys to add to the history entry

- *      hist            (w) history entry to fill in

+ *      hist_out        (w) history entry to fill in

  *

  * Effects:

  *

@@ -1109,45 +1119,62 @@ check_pw_reuse(krb5_context context,

 static

 int create_history_entry(krb5_context context,

                          krb5_keyblock *hist_key, int n_key_data,

-                         krb5_key_data *key_data, osa_pw_hist_ent *hist)

+                         krb5_key_data *key_data, osa_pw_hist_ent *hist_out)

 {

-    krb5_error_code ret;

+    int i;

+    krb5_error_code ret = 0;

     krb5_keyblock key;

     krb5_keysalt salt;

-    int i;

+    krb5_ui_2 kvno;

+    osa_pw_hist_ent hist;

+

+    hist_out->key_data = NULL;

+    hist_out->n_key_data = 0;

+

+    if (n_key_data < 0)

+        return EINVAL;

+

+    memset(&key, 0, sizeof(key));

+    memset(&hist, 0, sizeof(hist));

+

+    if (n_key_data == 0)

+        goto cleanup;

-    hist->key_data = k5calloc(n_key_data, sizeof(krb5_key_data), &ret);

-    if (hist->key_data == NULL)

-        return ret;

+    hist.key_data = k5calloc(n_key_data, sizeof(krb5_key_data), &ret);

+    if (hist.key_data == NULL)

+        goto cleanup;

+

+    /* We only want to store the most recent kvno, and key_data should already

+     * be sorted in descending order by kvno. */

+    kvno = key_data[0].key_data_kvno;

     for (i = 0; i < n_key_data; i++) {

-        ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &key,

+        if (key_data[i].key_data_kvno < kvno)

+            break;

+        ret = krb5_dbe_decrypt_key_data(context, NULL,

+                                        &key_data[i], &key,

                                         &salt);

         if (ret)

-            return ret;

+            goto cleanup;

         ret = krb5_dbe_encrypt_key_data(context, hist_key, &key, &salt,

                                         key_data[i].key_data_kvno,

-                                        &hist->key_data[i]);

+                                        &hist.key_data[hist.n_key_data]);

         if (ret)

-            return ret;

-

+            goto cleanup;

+        hist.n_key_data++;

         krb5_free_keyblock_contents(context, &key);

         /* krb5_free_keysalt(context, &salt); */

     }

-    hist->n_key_data = n_key_data;

-    return 0;

-}

-

-static

-void free_history_entry(krb5_context context, osa_pw_hist_ent *hist)

-{

-    int i;

-

-    for (i = 0; i < hist->n_key_data; i++)

-        krb5_free_key_data_contents(context, &hist->key_data[i]);

-    free(hist->key_data);

+    *hist_out = hist;

+    hist.n_key_data = 0;

+    hist.key_data = NULL;

+

+cleanup:

+    krb5_free_keyblock_contents(context, &key);

+    free_history_entry(context, &hist);

+    return ret;

 }

 /*

@@ -1526,11 +1553,14 @@ kadm5_chpass_principal_3(void *server_ha

                     goto done;

             }

-            ret = add_to_history(handle->context, hist_kvno, &adb, &pol,

-                                 &hist);

-            if (ret)

-                goto done;

-            hist_added = 1;

+            /* Don't save empty history. */

+            if (hist.n_key_data > 0) {

+                ret = add_to_history(handle->context, hist_kvno, &adb, &pol,

+                                     &hist);

+                if (ret)

+                    goto done;

+                hist_added = 1;

+            }

         }

         if (pol.pw_max_life)

@@ -1582,6 +1612,9 @@ kadm5_chpass_principal_3(void *server_ha

         KADM5_FAIL_AUTH_COUNT;

     /* | KADM5_CPW_FUNCTION */

+    if (hist_added)

+        kdb->mask |= KADM5_KEY_HIST;

+

     ret = k5_kadm5_hook_chpass(handle->context, handle->hook_handles,

                                KADM5_HOOK_STAGE_PRECOMMIT, principal, keepold,

                                new_n_ks_tuple, new_ks_tuple, password);

--- a/src/lib/kdb/kdb5.c

+++ b/src/lib/kdb/kdb5.c

@@ -1,6 +1,7 @@

 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */

 /*

- * Copyright 2006, 2009, 2010 by the Massachusetts Institute of Technology.

+ * Copyright 2006, 2009, 2010, 2016 by the Massachusetts Institute of

+ * Technology.

  * All Rights Reserved.

  *

  * Export of this software from the United States of America may

@@ -758,7 +759,15 @@ krb5_db_get_principal(krb5_context kcont

         return status;

     if (v->get_principal == NULL)

         return KRB5_PLUGIN_OP_NOTSUPP;

-    return v->get_principal(kcontext, search_for, flags, entry);

+    status = v->get_principal(kcontext, search_for, flags, entry);

+    if (status)

+        return status;

+

+    /* Sort the keys in the db entry as some parts of krb5 expect it to be. */

+    if ((*entry)->key_data != NULL)

+        krb5_dbe_sort_key_data((*entry)->key_data, (*entry)->n_key_data);

+

+    return 0;

 }

 void

@@ -948,6 +957,26 @@ krb5_db_delete_principal(krb5_context kc

     return status;

 }

+/*

+ * Use a proxy function for iterate so that we can sort the keys before sending

+ * them to the callback.

+ */

+struct callback_proxy_args {

+    int (*func)(krb5_pointer, krb5_db_entry *);

+    krb5_pointer func_arg;

+};

+

+static int

+sort_entry_callback_proxy(krb5_pointer func_arg, krb5_db_entry *entry)

+{

+    struct callback_proxy_args *args = (struct callback_proxy_args *)func_arg;

+

+    /* Sort the keys in the db entry as some parts of krb5 expect it to be. */

+    if (entry && entry->key_data)

+        krb5_dbe_sort_key_data(entry->key_data, entry->n_key_data);

+    return args->func(args->func_arg, entry);

+}

+

 krb5_error_code

 krb5_db_iterate(krb5_context kcontext, char *match_entry,

                 int (*func)(krb5_pointer, krb5_db_entry *),

@@ -955,13 +984,20 @@ krb5_db_iterate(krb5_context kcontext, c

 {

     krb5_error_code status = 0;

     kdb_vftabl *v;

+    struct callback_proxy_args proxy_args;

     status = get_vftabl(kcontext, &v);

     if (status)

         return status;

     if (v->iterate == NULL)

         return KRB5_PLUGIN_OP_NOTSUPP;

-    return v->iterate(kcontext, match_entry, func, func_arg, iterflags);

+

+    /* Use the proxy function to sort key data before passing entries to

+     * callback. */

+    proxy_args.func = func;

+    proxy_args.func_arg = func_arg;

+    return v->iterate(kcontext, match_entry, sort_entry_callback_proxy,

+                      &proxy_args, iterflags);

 }

 /* Return a read only pointer alias to mkey list.  Do not free this! */

@@ -2570,3 +2606,22 @@ krb5_db_check_allowed_to_delegate(krb5_c

         return KRB5_PLUGIN_OP_NOTSUPP;

     return v->check_allowed_to_delegate(kcontext, client, server, proxy);

 }

+

+void

+krb5_dbe_sort_key_data(krb5_key_data *key_data, size_t key_data_length)

+{

+    size_t i, j;

+    krb5_key_data tmp;

+

+    /* Use insertion sort as a stable sort. */

+    for (i = 1; i < key_data_length; i++) {

+        j = i;

+        while (j > 0 &&

+               key_data[j - 1].key_data_kvno < key_data[j].key_data_kvno) {

+            tmp = key_data[j];

+            key_data[j] = key_data[j - 1];

+            key_data[j - 1] = tmp;

+            j--;

+        }

+    }

+}

--- a/src/lib/kdb/libkdb5.exports

+++ b/src/lib/kdb/libkdb5.exports

@@ -99,3 +99,4 @@ ulog_get_sno_status

 ulog_replay

 ulog_set_last

 xdr_kdb_incr_update_t

+krb5_dbe_sort_key_data

--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c

+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c

@@ -40,6 +40,7 @@

 #include "ldap_pwd_policy.h"

 #include <time.h>

 #include <ctype.h>

+#include <kadm5/admin.h>

 #ifdef NEED_STRPTIME_PROTO

 extern char *strptime(const char *, const char *, struct tm *);

@@ -1324,6 +1325,22 @@ remove_overlapping_subtrees(char **list,

     *subtcount = count;

 }

+static void

+free_princ_ent_contents(osa_princ_ent_t princ_ent)

+{

+    unsigned int i;

+

+    for (i = 0; i < princ_ent->old_key_len; i++) {

+        k5_free_key_data(princ_ent->old_keys[i].n_key_data,

+                         princ_ent->old_keys[i].key_data);

+        princ_ent->old_keys[i].n_key_data = 0;

+        princ_ent->old_keys[i].key_data = NULL;

+    }

+    free(princ_ent->old_keys);

+    princ_ent->old_keys = NULL;

+    princ_ent->old_key_len = 0;

+}

+

 /*

  * Fill out a krb5_db_entry princ entry struct given a LDAP message containing

  * the results of a principal search of the directory.

@@ -1344,6 +1361,9 @@ populate_krb5_db_entry(krb5_context cont

     char **pnvalues = NULL, **ocvalues = NULL, **a2d2 = NULL;

     struct berval **ber_key_data = NULL, **ber_tl_data = NULL;

     krb5_tl_data userinfo_tl_data = { NULL }, **endp, *tl;

+    osa_princ_ent_rec princ_ent;

+

+    memset(&princ_ent, 0, sizeof(princ_ent));

     ret = krb5_copy_principal(context, princ, &entry->princ);

     if (ret)

@@ -1462,8 +1482,21 @@ populate_krb5_db_entry(krb5_context cont

         ret = krb5_ldap_policydn_to_name(context, pwdpolicydn, &polname);

         if (ret)

             goto cleanup;

+        princ_ent.policy = polname;

+        princ_ent.aux_attributes |= KADM5_POLICY;

+    }

+

+    ber_key_data = ldap_get_values_len(ld, ent, "krbpwdhistory");

+    if (ber_key_data != NULL) {

+        mask |= KDB_PWD_HISTORY_ATTR;

+        ret = krb5_decode_histkey(context, ber_key_data, &princ_ent);

+        if (ret)

+            goto cleanup;

+        ldap_value_free_len(ber_key_data);

+    }

-        ret = krb5_update_tl_kadm_data(context, entry, polname);

+    if (princ_ent.aux_attributes) {

+        ret = krb5_update_tl_kadm_data(context, entry, &princ_ent);

         if (ret)

             goto cleanup;

     }

@@ -1471,8 +1504,7 @@ populate_krb5_db_entry(krb5_context cont

     ber_key_data = ldap_get_values_len(ld, ent, "krbprincipalkey");

     if (ber_key_data != NULL) {

         mask |= KDB_SECRET_KEY_ATTR;

-        ret = krb5_decode_krbsecretkey(context, entry, ber_key_data,

-                                       &userinfo_tl_data, &mkvno);

+        ret = krb5_decode_krbsecretkey(context, entry, ber_key_data, &mkvno);

         if (ret)

             goto cleanup;

         if (mkvno != 0) {

@@ -1578,6 +1610,7 @@ cleanup:

     free(tktpolname);

     free(policydn);

     krb5_free_unparsed_name(context, user);

+    free_princ_ent_contents(&princ_ent);

     return ret;

 }

--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c

+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c

@@ -59,6 +59,7 @@ char     *principal_attributes[] = { "kr

                                      "krbExtraData",

                                      "krbObjectReferences",

                                      "krbAllowedToDelegateTo",

+                                     "krbPwdHistory",

                                      NULL };

 /* Must match KDB_*_ATTR macros in ldap_principal.h.  */

@@ -77,14 +78,38 @@ static char *attributes_set[] = { "krbma

                                   "krbLastFailedAuth",

                                   "krbLoginFailedCount",

                                   "krbLastAdminUnlock",

+                                  "krbPwdHistory",

                                   NULL };

+

+static void

+k5_free_key_data_contents(krb5_key_data *key)

+{

+    int16_t i;

+

+    for (i = 0; i < key->key_data_ver; i++) {

+        zapfree(key->key_data_contents[i], key->key_data_length[i]);

+        key->key_data_contents[i] = NULL;

+    }

+}

+

+void

+k5_free_key_data(krb5_int16 n_key_data, krb5_key_data *key_data)

+{

+    int16_t i;

+

+    if (key_data == NULL)

+        return;

+    for (i = 0; i < n_key_data; i++)

+        k5_free_key_data_contents(&key_data[i]);

+    free(key_data);

+}

+

 void

 krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry)

 {

     krb5_tl_data        *tl_data_next=NULL;

     krb5_tl_data        *tl_data=NULL;

-    int i, j;

     if (entry->e_data)

         free(entry->e_data);

@@ -96,24 +121,7 @@ krb5_dbe_free_contents(krb5_context cont

             free(tl_data->tl_data_contents);

         free(tl_data);

     }

-    if (entry->key_data) {

-        for (i = 0; i < entry->n_key_data; i++) {

-            for (j = 0; j < entry->key_data[i].key_data_ver; j++) {

-                if (entry->key_data[i].key_data_length[j]) {

-                    if (entry->key_data[i].key_data_contents[j]) {

-                        memset(entry->key_data[i].key_data_contents[j],

-                               0,

-                               (unsigned) entry->key_data[i].key_data_length[j]);

-                        free (entry->key_data[i].key_data_contents[j]);

-                    }

-                }

-                entry->key_data[i].key_data_contents[j] = NULL;

-                entry->key_data[i].key_data_length[j] = 0;

-                entry->key_data[i].key_data_type[j] = 0;

-            }

-        }

-        free(entry->key_data);

-    }

+    k5_free_key_data(entry->n_key_data, entry->key_data);

     memset(entry, 0, sizeof(*entry));

     return;

 }

--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h

+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h

@@ -32,6 +32,7 @@

 #define _LDAP_PRINCIPAL_H 1

 #include "ldap_tkt_policy.h"

+#include "princ_xdr.h"

 #define  KEYHEADER  12

@@ -82,6 +83,7 @@

 #define KDB_LAST_FAILED_ATTR                 0x001000

 #define KDB_FAIL_AUTH_COUNT_ATTR             0x002000

 #define KDB_LAST_ADMIN_UNLOCK_ATTR           0x004000

+#define KDB_PWD_HISTORY_ATTR                 0x008000

 /*

  * This is a private contract between krb5_ldap_lockout_audit()

@@ -112,6 +114,12 @@ krb5_ldap_iterate(krb5_context, char *,

                   krb5_pointer, krb5_flags);

 void

+k5_free_key_data(krb5_int16 n_key_data, krb5_key_data *key_data);

+

+void

+krb5_dbe_free_contents(krb5_context context, krb5_db_entry *entry);

+

+void

 krb5_dbe_free_contents(krb5_context, krb5_db_entry *);

 krb5_error_code

@@ -121,8 +129,11 @@ krb5_error_code

 krb5_ldap_parse_principal_name(char *, char **);

 krb5_error_code

+krb5_decode_histkey(krb5_context, struct berval **, osa_princ_ent_rec *);

+

+krb5_error_code

 krb5_decode_krbsecretkey(krb5_context, krb5_db_entry *, struct berval **,

-                         krb5_tl_data *, krb5_kvno *);

+                         krb5_kvno *);

 krb5_error_code

 berval2tl_data(struct berval *in, krb5_tl_data **out);

--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c

@@ -1,6 +1,35 @@

 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */

 /* plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c */

 /*

+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.

+ * All rights reserved.

+ *

+ * Redistribution and use in source and binary forms, with or without