1*7f2fe78bSCy Schubert /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2*7f2fe78bSCy Schubert /* kadmin/server/auth.c - kadm5_auth pluggable interface consumer */
3*7f2fe78bSCy Schubert /*
4*7f2fe78bSCy Schubert * Copyright (C) 2017 by the Massachusetts Institute of Technology.
5*7f2fe78bSCy Schubert * All rights reserved.
6*7f2fe78bSCy Schubert *
7*7f2fe78bSCy Schubert * Redistribution and use in source and binary forms, with or without
8*7f2fe78bSCy Schubert * modification, are permitted provided that the following conditions
9*7f2fe78bSCy Schubert * are met:
10*7f2fe78bSCy Schubert *
11*7f2fe78bSCy Schubert * * Redistributions of source code must retain the above copyright
12*7f2fe78bSCy Schubert * notice, this list of conditions and the following disclaimer.
13*7f2fe78bSCy Schubert *
14*7f2fe78bSCy Schubert * * Redistributions in binary form must reproduce the above copyright
15*7f2fe78bSCy Schubert * notice, this list of conditions and the following disclaimer in
16*7f2fe78bSCy Schubert * the documentation and/or other materials provided with the
17*7f2fe78bSCy Schubert * distribution.
18*7f2fe78bSCy Schubert *
19*7f2fe78bSCy Schubert * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20*7f2fe78bSCy Schubert * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21*7f2fe78bSCy Schubert * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22*7f2fe78bSCy Schubert * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23*7f2fe78bSCy Schubert * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24*7f2fe78bSCy Schubert * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25*7f2fe78bSCy Schubert * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26*7f2fe78bSCy Schubert * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27*7f2fe78bSCy Schubert * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28*7f2fe78bSCy Schubert * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29*7f2fe78bSCy Schubert * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30*7f2fe78bSCy Schubert * OF THE POSSIBILITY OF SUCH DAMAGE.
31*7f2fe78bSCy Schubert */
32*7f2fe78bSCy Schubert
33*7f2fe78bSCy Schubert #include "k5-int.h"
34*7f2fe78bSCy Schubert #include <kadm5/admin.h>
35*7f2fe78bSCy Schubert #include <krb5/kadm5_auth_plugin.h>
36*7f2fe78bSCy Schubert #include "auth.h"
37*7f2fe78bSCy Schubert
38*7f2fe78bSCy Schubert typedef struct {
39*7f2fe78bSCy Schubert struct kadm5_auth_vtable_st vt;
40*7f2fe78bSCy Schubert kadm5_auth_moddata data;
41*7f2fe78bSCy Schubert } *auth_handle;
42*7f2fe78bSCy Schubert
43*7f2fe78bSCy Schubert static auth_handle *handles;
44*7f2fe78bSCy Schubert
45*7f2fe78bSCy Schubert void
auth_fini(krb5_context context)46*7f2fe78bSCy Schubert auth_fini(krb5_context context)
47*7f2fe78bSCy Schubert {
48*7f2fe78bSCy Schubert auth_handle *hp, h;
49*7f2fe78bSCy Schubert
50*7f2fe78bSCy Schubert if (handles == NULL)
51*7f2fe78bSCy Schubert return;
52*7f2fe78bSCy Schubert for (hp = handles; *hp != NULL; hp++) {
53*7f2fe78bSCy Schubert h = *hp;
54*7f2fe78bSCy Schubert if (h->vt.fini != NULL)
55*7f2fe78bSCy Schubert h->vt.fini(context, h->data);
56*7f2fe78bSCy Schubert free(h);
57*7f2fe78bSCy Schubert }
58*7f2fe78bSCy Schubert free(handles);
59*7f2fe78bSCy Schubert handles = NULL;
60*7f2fe78bSCy Schubert }
61*7f2fe78bSCy Schubert
62*7f2fe78bSCy Schubert krb5_error_code
auth_init(krb5_context context,const char * acl_file)63*7f2fe78bSCy Schubert auth_init(krb5_context context, const char *acl_file)
64*7f2fe78bSCy Schubert {
65*7f2fe78bSCy Schubert krb5_error_code ret;
66*7f2fe78bSCy Schubert krb5_plugin_initvt_fn *modules = NULL, *mod;
67*7f2fe78bSCy Schubert size_t count;
68*7f2fe78bSCy Schubert auth_handle h = NULL;
69*7f2fe78bSCy Schubert const int intf = PLUGIN_INTERFACE_KADM5_AUTH;
70*7f2fe78bSCy Schubert
71*7f2fe78bSCy Schubert ret = k5_plugin_register(context, intf, "acl", kadm5_auth_acl_initvt);
72*7f2fe78bSCy Schubert if (ret)
73*7f2fe78bSCy Schubert goto cleanup;
74*7f2fe78bSCy Schubert ret = k5_plugin_register(context, intf, "self", kadm5_auth_self_initvt);
75*7f2fe78bSCy Schubert if (ret)
76*7f2fe78bSCy Schubert goto cleanup;
77*7f2fe78bSCy Schubert ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KADM5_AUTH, &modules);
78*7f2fe78bSCy Schubert if (ret)
79*7f2fe78bSCy Schubert goto cleanup;
80*7f2fe78bSCy Schubert
81*7f2fe78bSCy Schubert /* Allocate a large enough list of handles. */
82*7f2fe78bSCy Schubert for (count = 0; modules[count] != NULL; count++);
83*7f2fe78bSCy Schubert handles = k5calloc(count + 1, sizeof(*handles), &ret);
84*7f2fe78bSCy Schubert if (handles == NULL)
85*7f2fe78bSCy Schubert goto cleanup;
86*7f2fe78bSCy Schubert
87*7f2fe78bSCy Schubert /* For each module, allocate a handle, initialize its vtable, and
88*7f2fe78bSCy Schubert * initialize its module data. */
89*7f2fe78bSCy Schubert count = 0;
90*7f2fe78bSCy Schubert for (mod = modules; *mod != NULL; mod++) {
91*7f2fe78bSCy Schubert h = k5alloc(sizeof(*h), &ret);
92*7f2fe78bSCy Schubert if (h == NULL)
93*7f2fe78bSCy Schubert goto cleanup;
94*7f2fe78bSCy Schubert ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
95*7f2fe78bSCy Schubert if (ret) { /* Failed vtable init is non-fatal. */
96*7f2fe78bSCy Schubert TRACE_KADM5_AUTH_VTINIT_FAIL(context, ret);
97*7f2fe78bSCy Schubert free(h);
98*7f2fe78bSCy Schubert h = NULL;
99*7f2fe78bSCy Schubert continue;
100*7f2fe78bSCy Schubert }
101*7f2fe78bSCy Schubert h->data = NULL;
102*7f2fe78bSCy Schubert if (h->vt.init != NULL) {
103*7f2fe78bSCy Schubert ret = h->vt.init(context, acl_file, &h->data);
104*7f2fe78bSCy Schubert if (ret == KRB5_PLUGIN_NO_HANDLE) {
105*7f2fe78bSCy Schubert TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
106*7f2fe78bSCy Schubert free(h);
107*7f2fe78bSCy Schubert h = NULL;
108*7f2fe78bSCy Schubert continue;
109*7f2fe78bSCy Schubert }
110*7f2fe78bSCy Schubert if (ret) {
111*7f2fe78bSCy Schubert TRACE_KADM5_AUTH_INIT_FAIL(context, h->vt.name, ret);
112*7f2fe78bSCy Schubert goto cleanup;
113*7f2fe78bSCy Schubert }
114*7f2fe78bSCy Schubert }
115*7f2fe78bSCy Schubert handles[count++] = h;
116*7f2fe78bSCy Schubert handles[count] = NULL;
117*7f2fe78bSCy Schubert h = NULL;
118*7f2fe78bSCy Schubert }
119*7f2fe78bSCy Schubert
120*7f2fe78bSCy Schubert ret = 0;
121*7f2fe78bSCy Schubert
122*7f2fe78bSCy Schubert cleanup:
123*7f2fe78bSCy Schubert if (ret)
124*7f2fe78bSCy Schubert auth_fini(context);
125*7f2fe78bSCy Schubert free(h);
126*7f2fe78bSCy Schubert k5_plugin_free_modules(context, modules);
127*7f2fe78bSCy Schubert return ret;
128*7f2fe78bSCy Schubert }
129*7f2fe78bSCy Schubert
130*7f2fe78bSCy Schubert /* Invoke the appropriate method from h->vt for opcode, passing client and the
131*7f2fe78bSCy Schubert * correct subset of p1, p2, s1, s2, polent, and mask for the method. */
132*7f2fe78bSCy Schubert static krb5_error_code
call_module(krb5_context context,auth_handle h,int opcode,krb5_const_principal client,krb5_const_principal p1,krb5_const_principal p2,const char * s1,const char * s2,const kadm5_policy_ent_rec * polent,long mask)133*7f2fe78bSCy Schubert call_module(krb5_context context, auth_handle h, int opcode,
134*7f2fe78bSCy Schubert krb5_const_principal client, krb5_const_principal p1,
135*7f2fe78bSCy Schubert krb5_const_principal p2, const char *s1, const char *s2,
136*7f2fe78bSCy Schubert const kadm5_policy_ent_rec *polent, long mask)
137*7f2fe78bSCy Schubert {
138*7f2fe78bSCy Schubert /* addprinc and modprinc are handled through auth_restrict(). */
139*7f2fe78bSCy Schubert assert(opcode != OP_ADDPRINC && opcode != OP_MODPRINC);
140*7f2fe78bSCy Schubert
141*7f2fe78bSCy Schubert if (opcode == OP_SETSTR && h->vt.setstr != NULL)
142*7f2fe78bSCy Schubert return h->vt.setstr(context, h->data, client, p1, s1, s2);
143*7f2fe78bSCy Schubert else if (opcode == OP_CPW && h->vt.cpw != NULL)
144*7f2fe78bSCy Schubert return h->vt.cpw(context, h->data, client, p1);
145*7f2fe78bSCy Schubert else if (opcode == OP_CHRAND && h->vt.chrand != NULL)
146*7f2fe78bSCy Schubert return h->vt.chrand(context, h->data, client, p1);
147*7f2fe78bSCy Schubert else if (opcode == OP_SETKEY && h->vt.setkey != NULL)
148*7f2fe78bSCy Schubert return h->vt.setkey(context, h->data, client, p1);
149*7f2fe78bSCy Schubert else if (opcode == OP_PURGEKEYS && h->vt.purgekeys != NULL)
150*7f2fe78bSCy Schubert return h->vt.purgekeys(context, h->data, client, p1);
151*7f2fe78bSCy Schubert else if (opcode == OP_DELPRINC && h->vt.delprinc != NULL)
152*7f2fe78bSCy Schubert return h->vt.delprinc(context, h->data, client, p1);
153*7f2fe78bSCy Schubert else if (opcode == OP_RENPRINC && h->vt.renprinc != NULL)
154*7f2fe78bSCy Schubert return h->vt.renprinc(context, h->data, client, p1, p2);
155*7f2fe78bSCy Schubert else if (opcode == OP_GETPRINC && h->vt.getprinc != NULL)
156*7f2fe78bSCy Schubert return h->vt.getprinc(context, h->data, client, p1);
157*7f2fe78bSCy Schubert else if (opcode == OP_GETSTRS && h->vt.getstrs != NULL)
158*7f2fe78bSCy Schubert return h->vt.getstrs(context, h->data, client, p1);
159*7f2fe78bSCy Schubert else if (opcode == OP_EXTRACT && h->vt.extract != NULL)
160*7f2fe78bSCy Schubert return h->vt.extract(context, h->data, client, p1);
161*7f2fe78bSCy Schubert else if (opcode == OP_LISTPRINCS && h->vt.listprincs != NULL)
162*7f2fe78bSCy Schubert return h->vt.listprincs(context, h->data, client);
163*7f2fe78bSCy Schubert else if (opcode == OP_ADDPOL && h->vt.addpol != NULL)
164*7f2fe78bSCy Schubert return h->vt.addpol(context, h->data, client, s1, polent, mask);
165*7f2fe78bSCy Schubert else if (opcode == OP_MODPOL && h->vt.modpol != NULL)
166*7f2fe78bSCy Schubert return h->vt.modpol(context, h->data, client, s1, polent, mask);
167*7f2fe78bSCy Schubert else if (opcode == OP_DELPOL && h->vt.delpol != NULL)
168*7f2fe78bSCy Schubert return h->vt.delpol(context, h->data, client, s1);
169*7f2fe78bSCy Schubert else if (opcode == OP_GETPOL && h->vt.getpol != NULL)
170*7f2fe78bSCy Schubert return h->vt.getpol(context, h->data, client, s1, s2);
171*7f2fe78bSCy Schubert else if (opcode == OP_LISTPOLS && h->vt.listpols != NULL)
172*7f2fe78bSCy Schubert return h->vt.listpols(context, h->data, client);
173*7f2fe78bSCy Schubert else if (opcode == OP_IPROP && h->vt.iprop != NULL)
174*7f2fe78bSCy Schubert return h->vt.iprop(context, h->data, client);
175*7f2fe78bSCy Schubert
176*7f2fe78bSCy Schubert return KRB5_PLUGIN_NO_HANDLE;
177*7f2fe78bSCy Schubert }
178*7f2fe78bSCy Schubert
179*7f2fe78bSCy Schubert krb5_boolean
auth(krb5_context context,int opcode,krb5_const_principal client,krb5_const_principal p1,krb5_const_principal p2,const char * s1,const char * s2,const kadm5_policy_ent_rec * polent,long mask)180*7f2fe78bSCy Schubert auth(krb5_context context, int opcode, krb5_const_principal client,
181*7f2fe78bSCy Schubert krb5_const_principal p1, krb5_const_principal p2, const char *s1,
182*7f2fe78bSCy Schubert const char *s2, const kadm5_policy_ent_rec *polent, long mask)
183*7f2fe78bSCy Schubert {
184*7f2fe78bSCy Schubert krb5_error_code ret;
185*7f2fe78bSCy Schubert krb5_boolean authorized = FALSE;
186*7f2fe78bSCy Schubert auth_handle *hp, h;
187*7f2fe78bSCy Schubert
188*7f2fe78bSCy Schubert for (hp = handles; *hp != NULL; hp++) {
189*7f2fe78bSCy Schubert h = *hp;
190*7f2fe78bSCy Schubert
191*7f2fe78bSCy Schubert ret = call_module(context, h, opcode, client, p1, p2, s1, s2,
192*7f2fe78bSCy Schubert polent, mask);
193*7f2fe78bSCy Schubert if (!ret)
194*7f2fe78bSCy Schubert authorized = TRUE;
195*7f2fe78bSCy Schubert else if (ret != KRB5_PLUGIN_NO_HANDLE)
196*7f2fe78bSCy Schubert return FALSE;
197*7f2fe78bSCy Schubert }
198*7f2fe78bSCy Schubert
199*7f2fe78bSCy Schubert return authorized;
200*7f2fe78bSCy Schubert }
201*7f2fe78bSCy Schubert
202*7f2fe78bSCy Schubert /* Impose restrictions, modifying *ent and *mask. */
203*7f2fe78bSCy Schubert static krb5_error_code
impose_restrictions(krb5_context context,const struct kadm5_auth_restrictions * rs,kadm5_principal_ent_t ent,long * mask)204*7f2fe78bSCy Schubert impose_restrictions(krb5_context context,
205*7f2fe78bSCy Schubert const struct kadm5_auth_restrictions *rs,
206*7f2fe78bSCy Schubert kadm5_principal_ent_t ent, long *mask)
207*7f2fe78bSCy Schubert {
208*7f2fe78bSCy Schubert krb5_error_code ret;
209*7f2fe78bSCy Schubert krb5_timestamp now;
210*7f2fe78bSCy Schubert
211*7f2fe78bSCy Schubert if (rs == NULL)
212*7f2fe78bSCy Schubert return 0;
213*7f2fe78bSCy Schubert if (rs->mask & (KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION)) {
214*7f2fe78bSCy Schubert ret = krb5_timeofday(context, &now);
215*7f2fe78bSCy Schubert if (ret)
216*7f2fe78bSCy Schubert return ret;
217*7f2fe78bSCy Schubert }
218*7f2fe78bSCy Schubert
219*7f2fe78bSCy Schubert if (rs->mask & KADM5_ATTRIBUTES) {
220*7f2fe78bSCy Schubert ent->attributes |= rs->require_attrs;
221*7f2fe78bSCy Schubert ent->attributes &= rs->forbid_attrs;
222*7f2fe78bSCy Schubert *mask |= KADM5_ATTRIBUTES;
223*7f2fe78bSCy Schubert }
224*7f2fe78bSCy Schubert if (rs->mask & KADM5_POLICY_CLR) {
225*7f2fe78bSCy Schubert *mask &= ~KADM5_POLICY;
226*7f2fe78bSCy Schubert *mask |= KADM5_POLICY_CLR;
227*7f2fe78bSCy Schubert } else if (rs->mask & KADM5_POLICY) {
228*7f2fe78bSCy Schubert if (ent->policy != NULL && strcmp(ent->policy, rs->policy) != 0) {
229*7f2fe78bSCy Schubert free(ent->policy);
230*7f2fe78bSCy Schubert ent->policy = NULL;
231*7f2fe78bSCy Schubert }
232*7f2fe78bSCy Schubert if (ent->policy == NULL) {
233*7f2fe78bSCy Schubert ent->policy = strdup(rs->policy);
234*7f2fe78bSCy Schubert if (ent->policy == NULL)
235*7f2fe78bSCy Schubert return ENOMEM;
236*7f2fe78bSCy Schubert }
237*7f2fe78bSCy Schubert *mask |= KADM5_POLICY;
238*7f2fe78bSCy Schubert }
239*7f2fe78bSCy Schubert if (rs->mask & KADM5_PRINC_EXPIRE_TIME) {
240*7f2fe78bSCy Schubert if (!(*mask & KADM5_PRINC_EXPIRE_TIME) ||
241*7f2fe78bSCy Schubert ts_after(ent->princ_expire_time, ts_incr(now, rs->princ_lifetime)))
242*7f2fe78bSCy Schubert ent->princ_expire_time = now + rs->princ_lifetime;
243*7f2fe78bSCy Schubert *mask |= KADM5_PRINC_EXPIRE_TIME;
244*7f2fe78bSCy Schubert }
245*7f2fe78bSCy Schubert if (rs->mask & KADM5_PW_EXPIRATION) {
246*7f2fe78bSCy Schubert if (!(*mask & KADM5_PW_EXPIRATION) ||
247*7f2fe78bSCy Schubert ts_after(ent->pw_expiration, ts_incr(now, rs->pw_lifetime)))
248*7f2fe78bSCy Schubert ent->pw_expiration = now + rs->pw_lifetime;
249*7f2fe78bSCy Schubert *mask |= KADM5_PW_EXPIRATION;
250*7f2fe78bSCy Schubert }
251*7f2fe78bSCy Schubert if (rs->mask & KADM5_MAX_LIFE) {
252*7f2fe78bSCy Schubert if (!(*mask & KADM5_MAX_LIFE) || ent->max_life > rs->max_life)
253*7f2fe78bSCy Schubert ent->max_life = rs->max_life;
254*7f2fe78bSCy Schubert *mask |= KADM5_MAX_LIFE;
255*7f2fe78bSCy Schubert }
256*7f2fe78bSCy Schubert if (rs->mask & KADM5_MAX_RLIFE) {
257*7f2fe78bSCy Schubert if (!(*mask & KADM5_MAX_RLIFE) ||
258*7f2fe78bSCy Schubert ent->max_renewable_life > rs->max_renewable_life)
259*7f2fe78bSCy Schubert ent->max_renewable_life = rs->max_renewable_life;
260*7f2fe78bSCy Schubert *mask |= KADM5_MAX_RLIFE;
261*7f2fe78bSCy Schubert }
262*7f2fe78bSCy Schubert return 0;
263*7f2fe78bSCy Schubert }
264*7f2fe78bSCy Schubert
265*7f2fe78bSCy Schubert krb5_boolean
auth_restrict(krb5_context context,int opcode,krb5_const_principal client,kadm5_principal_ent_t ent,long * mask)266*7f2fe78bSCy Schubert auth_restrict(krb5_context context, int opcode, krb5_const_principal client,
267*7f2fe78bSCy Schubert kadm5_principal_ent_t ent, long *mask)
268*7f2fe78bSCy Schubert {
269*7f2fe78bSCy Schubert auth_handle *hp, h;
270*7f2fe78bSCy Schubert krb5_boolean authorized = FALSE;
271*7f2fe78bSCy Schubert krb5_error_code ret, rs_ret;
272*7f2fe78bSCy Schubert krb5_const_principal target = ent->principal;
273*7f2fe78bSCy Schubert struct kadm5_auth_restrictions *rs;
274*7f2fe78bSCy Schubert
275*7f2fe78bSCy Schubert assert(opcode == OP_ADDPRINC || opcode == OP_MODPRINC);
276*7f2fe78bSCy Schubert for (hp = handles; *hp != NULL; hp++) {
277*7f2fe78bSCy Schubert h = *hp;
278*7f2fe78bSCy Schubert
279*7f2fe78bSCy Schubert ret = KRB5_PLUGIN_NO_HANDLE;
280*7f2fe78bSCy Schubert rs = NULL;
281*7f2fe78bSCy Schubert if (opcode == OP_ADDPRINC && h->vt.addprinc != NULL) {
282*7f2fe78bSCy Schubert ret = h->vt.addprinc(context, h->data, client, target, ent, *mask,
283*7f2fe78bSCy Schubert &rs);
284*7f2fe78bSCy Schubert } else if (opcode == OP_MODPRINC && h->vt.modprinc != NULL) {
285*7f2fe78bSCy Schubert ret = h->vt.modprinc(context, h->data, client, target, ent, *mask,
286*7f2fe78bSCy Schubert &rs);
287*7f2fe78bSCy Schubert }
288*7f2fe78bSCy Schubert if (rs != NULL) {
289*7f2fe78bSCy Schubert rs_ret = impose_restrictions(context, rs, ent, mask);
290*7f2fe78bSCy Schubert if (h->vt.free_restrictions != NULL)
291*7f2fe78bSCy Schubert h->vt.free_restrictions(context, h->data, rs);
292*7f2fe78bSCy Schubert if (rs_ret)
293*7f2fe78bSCy Schubert return FALSE;
294*7f2fe78bSCy Schubert }
295*7f2fe78bSCy Schubert if (!ret)
296*7f2fe78bSCy Schubert authorized = TRUE;
297*7f2fe78bSCy Schubert else if (ret != KRB5_PLUGIN_NO_HANDLE)
298*7f2fe78bSCy Schubert return FALSE;
299*7f2fe78bSCy Schubert }
300*7f2fe78bSCy Schubert
301*7f2fe78bSCy Schubert return authorized;
302*7f2fe78bSCy Schubert }
303*7f2fe78bSCy Schubert
304*7f2fe78bSCy Schubert void
auth_end(krb5_context context)305*7f2fe78bSCy Schubert auth_end(krb5_context context)
306*7f2fe78bSCy Schubert {
307*7f2fe78bSCy Schubert auth_handle *hp, h;
308*7f2fe78bSCy Schubert
309*7f2fe78bSCy Schubert for (hp = handles; *hp != NULL; hp++) {
310*7f2fe78bSCy Schubert h = *hp;
311*7f2fe78bSCy Schubert if (h->vt.end != NULL)
312*7f2fe78bSCy Schubert h->vt.end(context, h->data);
313*7f2fe78bSCy Schubert }
314*7f2fe78bSCy Schubert }
315