xref: /titanic_41/usr/src/lib/krb5/kdb/kdb_convert.c (revision 4496171313bed39e96f21bc2f9faf2868e267ae3)

/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * This file contains api's for conversion of the kdb_incr_update_t
 * struct(s) into krb5_db_entry struct(s) and vice-versa.
 */
#include <sys/types.h>
#include <com_err.h>
#include <locale.h>
#include <errno.h>
#include <iprop_hdr.h>
#include "iprop.h"
#include <k5-int.h>

/* BEGIN CSTYLED */
#define	ULOG_ENTRY_TYPE(upd, i)	((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i]

#define	ULOG_ENTRY(upd, i) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u

#define	ULOG_ENTRY_KEYVAL(upd, i, j) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_keydata.av_keydata_val[j]

#define	ULOG_ENTRY_PRINC(upd, i, j) ((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_princ.k_components.k_components_val[j]

#define	ULOG_ENTRY_MOD_PRINC(upd, i, j)	((kdb_incr_update_t *)upd)->kdb_update.kdbe_t_val[i].kdbe_val_t_u.av_mod_princ.k_components.k_components_val[j]
/* END CSTYLED */

typedef enum {
	REG_PRINC = 0,
	MOD_PRINC = 1
} princ_type;


/*
 * This routine tracks the krb5_db_entry fields that have been modified
 * (by comparing it to the db_entry currently present in principal.db)
 * in the update.
 */
void
find_changed_attrs(krb5_db_entry *current, krb5_db_entry *new,
				kdbe_attr_type_t *attrs, int *nattrs) {
	int i = 0, j = 0;

	krb5_tl_data *first, *second;

	if (current->attributes != new->attributes)
		attrs[i++] = AT_ATTRFLAGS;

	if (current->max_life != new->max_life)
		attrs[i++] = AT_MAX_LIFE;

	if (current->max_renewable_life != new->max_renewable_life)
		attrs[i++] = AT_MAX_RENEW_LIFE;

	if (current->expiration != new->expiration)
		attrs[i++] = AT_EXP;

	if (current->pw_expiration != new->pw_expiration)
		attrs[i++] = AT_PW_EXP;

	if (current->last_success != new->last_success)
		attrs[i++] = AT_LAST_SUCCESS;

	if (current->last_failed != new->last_failed)
		attrs[i++] = AT_LAST_FAILED;

	if (current->fail_auth_count != new->fail_auth_count)
		attrs[i++] = AT_FAIL_AUTH_COUNT;

	if ((current->princ->type == new->princ->type) &&
	    (current->princ->length == new->princ->length)) {
		if ((current->princ->realm.length ==
			new->princ->realm.length) &&
				strncmp(current->princ->realm.data,
					new->princ->realm.data,
					current->princ->realm.length)) {
			for (j = 0; j < current->princ->length; j++) {
				if ((current->princ->data[j].data != NULL) &&
					(strncmp(current->princ->data[j].data,
					    new->princ->data[j].data,
					    current->princ->data[j].length))) {
					attrs[i++] = AT_PRINC;
					break;
				}
			}
		} else {
			attrs[i++] = AT_PRINC;
		}
	} else {
		attrs[i++] = AT_PRINC;
	}

	if (current->n_key_data == new->n_key_data) {
		/* Assuming key ordering is the same in new & current */
		for (j = 0; j < new->n_key_data; j++) {
			if (current->key_data[j].key_data_kvno !=
			    new->key_data[j].key_data_kvno) {
				attrs[i++] = AT_KEYDATA;
				break;
			}
		}
	} else {
		attrs[i++] = AT_KEYDATA;
	}

	if (current->n_tl_data == new->n_tl_data) {
		/* Assuming we preserve the TL_DATA ordering between updates */
		for (first = current->tl_data, second = new->tl_data;
				first; first = first->tl_data_next,
					second = second->tl_data_next) {
			if ((first->tl_data_length == second->tl_data_length) &&
				(first->tl_data_type == second->tl_data_type)) {
				if ((memcmp((char *)first->tl_data_contents,
					(char *)second->tl_data_contents,
					first->tl_data_length)) != 0) {
					attrs[i++] = AT_TL_DATA;
					break;
				}
			} else {
				attrs[i++] = AT_TL_DATA;
				break;
			}
		}

	} else {
		attrs[i++] = AT_TL_DATA;
	}

	if (current->len != new->len)
		attrs[i++] = AT_LEN;
	/*
	 * Store the no. of (possibly :)) changed attributes
	 */
	*nattrs = i;
}


/*
 * Converts the krb5_principal struct from db2 to ulog format.
 */
krb5_error_code
conv_princ_2ulog(krb5_principal princ, kdb_incr_update_t *upd,
				int cnt, princ_type tp) {
	int i = 0;

	if ((upd == NULL) || !princ)
		return (KRB5KRB_ERR_GENERIC);

	switch (tp) {
	case REG_PRINC:
		ULOG_ENTRY(upd, cnt).av_princ.k_nametype =
				(int32_t)princ->type;

		ULOG_ENTRY(upd, cnt).av_princ.k_realm.utf8str_t_len =
				princ->realm.length;
		ULOG_ENTRY(upd, cnt).av_princ.k_realm.utf8str_t_val =
				(princ->realm.data != NULL) ?
				strdup(princ->realm.data) : NULL;

		ULOG_ENTRY(upd, cnt).av_princ.k_components.k_components_len =
				(uint_t)princ->length;

		ULOG_ENTRY(upd, cnt).av_princ.k_components.k_components_val =
				malloc(princ->length * sizeof (kdbe_data_t));
		if (ULOG_ENTRY(upd, cnt).av_princ.k_components.k_components_val
				== NULL)
			return (ENOMEM);

		for (i = 0; i < princ->length; i++) {
			ULOG_ENTRY_PRINC(upd, cnt, i).k_magic =
				princ->data[i].magic;
			ULOG_ENTRY_PRINC(upd, cnt, i).k_data.utf8str_t_len =
				princ->data[i].length;
			ULOG_ENTRY_PRINC(upd, cnt, i).k_data.utf8str_t_val =
				(princ->data[i].data != NULL) ?
				strdup(princ->data[i].data) : NULL;
		}
		break;

	case MOD_PRINC:
		ULOG_ENTRY(upd, cnt).av_mod_princ.k_nametype =
				(int32_t)princ->type;

		ULOG_ENTRY(upd, cnt).av_mod_princ.k_realm.utf8str_t_len =
				princ->realm.length;

		ULOG_ENTRY(upd, cnt).av_mod_princ.k_realm.utf8str_t_val =
				(princ->realm.data != NULL) ?
				strdup(princ->realm.data) : NULL;

		ULOG_ENTRY(upd, cnt).av_mod_princ.k_components.k_components_len
				= (uint_t)princ->length;

		ULOG_ENTRY(upd, cnt).av_mod_princ.k_components.k_components_val
				= malloc(princ->length * sizeof (kdbe_data_t));
		if (ULOG_ENTRY(upd,
			cnt).av_mod_princ.k_components.k_components_val == NULL)
			return (ENOMEM);

		for (i = 0; i < princ->length; i++) {
			ULOG_ENTRY_MOD_PRINC(upd, cnt, i).k_magic =
				princ->data[i].magic;
			ULOG_ENTRY_MOD_PRINC(upd, cnt, i).k_data.utf8str_t_len
				= princ->data[i].length;
			ULOG_ENTRY_MOD_PRINC(upd, cnt, i).k_data.utf8str_t_val
				= (princ->data[i].data != NULL) ?
				strdup(princ->data[i].data) : NULL;
		}
		break;

	default:
		break;
	}
	return (0);
}

/*
 * Converts the krb5_principal struct from ulog to db2 format.
 */
krb5_error_code
conv_princ_2db(krb5_context context, krb5_principal *dbprinc,
			kdb_incr_update_t *upd,
			int cnt, princ_type tp,
			int princ_exists) {

	int i;
	krb5_principal princ;

	if (upd == NULL)
		return (KRB5KRB_ERR_GENERIC);

	if (princ_exists == 0) {
		princ = NULL;
		princ = (krb5_principal)malloc(sizeof (krb5_principal_data));
		if (princ == NULL) {
			return (ENOMEM);
		}
	} else {
		princ = *dbprinc;
	}

	switch (tp) {
	case REG_PRINC:
		princ->type = (krb5_int32)
			ULOG_ENTRY(upd, cnt).av_princ.k_nametype;
		princ->realm.length = (int)
			ULOG_ENTRY(upd, cnt).av_princ.k_realm.utf8str_t_len;

		if (princ_exists == 0)
			princ->realm.data = NULL;
		princ->realm.data = (char *)realloc(princ->realm.data,
					(princ->realm.length + 1));
		if (princ->realm.data == NULL)
			goto error;
		strlcpy(princ->realm.data,
		(char *)ULOG_ENTRY(upd, cnt).av_princ.k_realm.utf8str_t_val,
		(princ->realm.length + 1));

		princ->length = (krb5_int32)ULOG_ENTRY(upd,
				cnt).av_princ.k_components.k_components_len;

		if (princ_exists == 0)
			princ->data = NULL;
		princ->data = (krb5_data *)realloc(princ->data,
			(princ->length * sizeof (krb5_data)));
		if (princ->data == NULL)
			goto error;

		for (i = 0; i < princ->length; i++) {
			princ->data[i].magic =
				ULOG_ENTRY_PRINC(upd, cnt, i).k_magic;
			princ->data[i].length = (int)
			ULOG_ENTRY_PRINC(upd, cnt, i).k_data.utf8str_t_len;

			if (princ_exists == 0)
				princ->data[i].data = NULL;
			princ->data[i].data = (char *)realloc(
				princ->data[i].data,
				(princ->data[i].length + 1));
			if (princ->data[i].data == NULL)
				goto error;

			strlcpy(princ->data[i].data, (char *)ULOG_ENTRY_PRINC(
				upd, cnt, i).k_data.utf8str_t_val,
				(princ->data[i].length + 1));
		}
		break;

	case MOD_PRINC:
		princ->type = (krb5_int32)
			ULOG_ENTRY(upd, cnt).av_mod_princ.k_nametype;
		princ->realm.length = (int)
			ULOG_ENTRY(upd, cnt).av_mod_princ.k_realm.utf8str_t_len;

		if (princ_exists == 0)
			princ->realm.data = NULL;
		princ->realm.data = (char *)realloc(princ->realm.data,
			(princ->realm.length + 1));
		if (princ->realm.data == NULL)
			goto error;
		strlcpy(princ->realm.data, (char *)ULOG_ENTRY(upd,
				cnt).av_mod_princ.k_realm.utf8str_t_val,
				(princ->realm.length + 1));

		princ->length = (krb5_int32)ULOG_ENTRY(upd,
				cnt).av_mod_princ.k_components.k_components_len;

		if (princ_exists == 0)
			princ->data = NULL;
		princ->data = (krb5_data *)realloc(princ->data,
				(princ->length * sizeof (krb5_data)));
		if (princ->data == NULL)
			goto error;

		for (i = 0; i < princ->length; i++) {
			princ->data[i].magic =
				ULOG_ENTRY_MOD_PRINC(upd, cnt, i).k_magic;
			princ->data[i].length = (int)
			ULOG_ENTRY_MOD_PRINC(upd, cnt, i).k_data.utf8str_t_len;

			if (princ_exists == 0)
				princ->data[i].data = NULL;
			princ->data[i].data = (char *)realloc(
				princ->data[i].data,
				(princ->data[i].length + 1));
			if (princ->data[i].data == NULL)
				goto error;
			strlcpy(princ->data[i].data,
				(char *)ULOG_ENTRY_MOD_PRINC(upd,
					cnt, i).k_data.utf8str_t_val,
					(princ->data[i].length + 1));
		}
		break;

	default:
		break;
	}

	*dbprinc = princ;
	return (0);
error:
	krb5_free_principal(context, princ);
	return (ENOMEM);
}


/*
 * This routine converts one or more krb5 db2 records into update
 * log (ulog) entry format. Space for the update log entries should
 * be allocated prior to invocation of this routine.
 */
krb5_error_code
ulog_conv_2logentry(krb5_context context, krb5_db_entry *entries,
				kdb_incr_update_t *updates,
				int nentries) {
	int i, j, k, cnt, final, nattrs, tmpint, nprincs;
	unsigned int more;
	krb5_principal tmpprinc;
	krb5_tl_data *newtl;
	krb5_db_entry curr;
	krb5_error_code ret;
	kdbe_attr_type_t *attr_types;
	kdb_incr_update_t *upd;
	krb5_db_entry *ent;
	boolean_t kadm_data_yes;

	if ((updates == NULL) || (entries == NULL))
		return (KRB5KRB_ERR_GENERIC);

	upd = updates;
	ent = entries;

	for (k = 0; k < nentries; k++) {
		nprincs = nattrs = tmpint = 0;
		final = -1;
		kadm_data_yes = B_FALSE;
		attr_types = NULL;

		if ((upd->kdb_update.kdbe_t_val = (kdbe_val_t *)
				malloc(MAXENTRY_SIZE)) == NULL) {
			return (ENOMEM);
		}

		/*
		 * Find out which attrs have been modified
		 */
		if ((attr_types = (kdbe_attr_type_t *)malloc(
			    sizeof (kdbe_attr_type_t) * MAXATTRS_SIZE))
					== NULL) {
			return (ENOMEM);
		}

		if ((ret = krb5_db_get_principal(context, ent->princ, &curr,
						&nprincs, &more)))
			return (ret);

		if (nprincs == 0) {
			/*
			 * This is a new entry to the database, hence will
			 * include all the attribute-value pairs
			 *
			 * We leave out the TL_DATA types which we model as
			 * attrs in kdbe_attr_type_t, since listing AT_TL_DATA
			 * encompasses these other types-turned-attributes
			 *
			 * So, we do *NOT* consider AT_MOD_PRINC, AT_MOD_TIME,
			 * AT_MOD_WHERE, AT_PW_LAST_CHANGE, AT_PW_POLICY,
			 * AT_PW_POLICY_SWITCH, AT_PW_HIST_KVNO and AT_PW_HIST,
			 * totalling 8 attrs.
			 */
			while (nattrs < MAXATTRS_SIZE - 8) {
				attr_types[nattrs] = nattrs;
				nattrs++;
			}
		} else {
			find_changed_attrs(&curr, ent, attr_types, &nattrs);

			krb5_db_free_principal(context, &curr, nprincs);
		}

		for (i = 0; i < nattrs; i++) {
			switch (attr_types[i]) {
			case AT_ATTRFLAGS:
				if (ent->attributes >= 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_ATTRFLAGS;
					ULOG_ENTRY(upd, final).av_attrflags =
						(uint32_t)ent->attributes;
				}
				break;

			case AT_MAX_LIFE:
				if (ent->max_life >= 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_MAX_LIFE;
					ULOG_ENTRY(upd, final).av_max_life =
						(uint32_t)ent->max_life;
				}
				break;

			case AT_MAX_RENEW_LIFE:
				if (ent->max_renewable_life >= 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_MAX_RENEW_LIFE;
					ULOG_ENTRY(upd,
					    final).av_max_renew_life =
					    (uint32_t)ent->max_renewable_life;
				}
				break;

			case AT_EXP:
				if (ent->expiration >= 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_EXP;
					ULOG_ENTRY(upd, final).av_exp =
						(uint32_t)ent->expiration;
				}
				break;

			case AT_PW_EXP:
				if (ent->pw_expiration >= 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_PW_EXP;
					ULOG_ENTRY(upd, final).av_pw_exp =
						(uint32_t)ent->pw_expiration;
				}
				break;

			case AT_LAST_SUCCESS:
				if (ent->last_success >= 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_LAST_SUCCESS;
					ULOG_ENTRY(upd,
						final).av_last_success =
						    (uint32_t)ent->last_success;
				}
				break;

			case AT_LAST_FAILED:
				if (ent->last_failed >= 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_LAST_FAILED;
					ULOG_ENTRY(upd,
						final).av_last_failed =
						(uint32_t)ent->last_failed;
				}
				break;

			case AT_FAIL_AUTH_COUNT:
				if (ent->fail_auth_count >= (krb5_kvno)0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_FAIL_AUTH_COUNT;
					ULOG_ENTRY(upd,
						final).av_fail_auth_count =
						(uint32_t)ent->fail_auth_count;
				}
				break;

			case AT_PRINC:
				if (ent->princ->length > 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_PRINC;
					if ((ret = conv_princ_2ulog(ent->princ,
						upd, final, REG_PRINC)))
						return (ret);
				}
				break;

			case AT_KEYDATA:
/* BEGIN CSTYLED */
				if (ent->n_key_data >= 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_KEYDATA;
					ULOG_ENTRY(upd, final).av_keydata.av_keydata_len = ent->n_key_data;

					ULOG_ENTRY(upd, final).av_keydata.av_keydata_val = malloc(ent->n_key_data * sizeof (kdbe_key_t));
					if (ULOG_ENTRY(upd, final).av_keydata.av_keydata_val == NULL)
						return (ENOMEM);

					for (j = 0; j < ent->n_key_data; j++) {
						ULOG_ENTRY_KEYVAL(upd, final, j).k_ver = ent->key_data[j].key_data_ver;
						ULOG_ENTRY_KEYVAL(upd, final, j).k_kvno = ent->key_data[j].key_data_kvno;
						ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_len = ent->key_data[j].key_data_ver;
						ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_len = ent->key_data[j].key_data_ver;

						ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val = malloc(ent->key_data[j].key_data_ver * sizeof(int32_t));
						if (ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val == NULL)
							return (ENOMEM);

						ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val = malloc(ent->key_data[j].key_data_ver * sizeof(utf8str_t));
						if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val == NULL)
							return (ENOMEM);

						for (cnt = 0; cnt < ent->key_data[j].key_data_ver; cnt++) {
							ULOG_ENTRY_KEYVAL(upd, final, j).k_enctype.k_enctype_val[cnt] = ent->key_data[j].key_data_type[cnt];
							ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_len = ent->key_data[j].key_data_length[cnt];
							ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val = malloc(ent->key_data[j].key_data_length[cnt] * sizeof (char));
							if (ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val == NULL)
								return (ENOMEM);
							(void) memcpy(ULOG_ENTRY_KEYVAL(upd, final, j).k_contents.k_contents_val[cnt].utf8str_t_val, ent->key_data[j].key_data_contents[cnt], ent->key_data[j].key_data_length[cnt]);
						}
					}
				}
				break;

			case AT_TL_DATA:
				ret = krb5_dbe_lookup_last_pwd_change(context,
								ent, &tmpint);
				if (ret == 0) {
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_PW_LAST_CHANGE;
					ULOG_ENTRY(upd, final).av_pw_last_change = tmpint;
				}
				tmpint = 0;

				if(!(ret = krb5_dbe_lookup_mod_princ_data(
					context, ent, &tmpint, &tmpprinc))) {

					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_MOD_PRINC;

					ret = conv_princ_2ulog(tmpprinc,
					    upd, final, MOD_PRINC);
					krb5_free_principal(context, tmpprinc);
					if (ret)
						return (ret);
					ULOG_ENTRY_TYPE(upd, ++final).av_type =
						AT_MOD_TIME;
					ULOG_ENTRY(upd, final).av_mod_time =
						tmpint;
				}

				newtl = ent->tl_data;
				while (newtl) {
					switch (newtl->tl_data_type) {
					case KRB5_TL_LAST_PWD_CHANGE:
					case KRB5_TL_MOD_PRINC:
						break;

					case KRB5_TL_KADM_DATA:
					default:
						if (kadm_data_yes == B_FALSE) {
							ULOG_ENTRY_TYPE(upd, ++final).av_type = AT_TL_DATA;
							ULOG_ENTRY(upd, final).av_tldata.av_tldata_len = 0;
							ULOG_ENTRY(upd, final).av_tldata.av_tldata_val = malloc(ent->n_tl_data * sizeof(kdbe_tl_t));

							if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val == NULL)
								return (ENOMEM);
							kadm_data_yes = B_TRUE;
						}

						tmpint = ULOG_ENTRY(upd, final).av_tldata.av_tldata_len;
						ULOG_ENTRY(upd, final).av_tldata.av_tldata_len++;
						ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_type = newtl->tl_data_type;
						ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_len = newtl->tl_data_length;
						ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val = malloc(newtl->tl_data_length * sizeof (char));
						if (ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val == NULL)
							return (ENOMEM);
						(void) memcpy(ULOG_ENTRY(upd, final).av_tldata.av_tldata_val[tmpint].tl_data.tl_data_val, newtl->tl_data_contents, newtl->tl_data_length);
						break;
					}
					newtl = newtl->tl_data_next;
				}
				break;
/* END CSTYLED */

			case AT_LEN:
				ULOG_ENTRY_TYPE(upd, ++final).av_type =
					AT_LEN;
				ULOG_ENTRY(upd, final).av_len =
					(int16_t)ent->len;
				break;

			default:
				break;
			}

		}

		if (attr_types)
			free(attr_types);

		/*
		 * Update len field in kdb_update
		 */
		upd->kdb_update.kdbe_t_len = ++final;

		/*
		 * Bump up to next struct
		 */
		upd++;
		ent++;
	}
	return (0);
}

/*
 * This routine converts one or more update log (ulog) entries into
 * kerberos db2 records. Required memory should be allocated
 * for the db2 records (pointed to by krb5_db_entry *ent), prior
 * to calling this routine.
 */
krb5_error_code
ulog_conv_2dbentry(krb5_context context, krb5_db_entry *entries,
				kdb_incr_update_t *updates,
				int nentries) {
	int i, j, k, cnt, mod_time, nattrs, nprincs;
	krb5_principal mod_princ = NULL;
	krb5_principal dbprinc;
	char *dbprincstr = NULL;

	krb5_db_entry *ent;
	kdb_incr_update_t *upd;

	krb5_tl_data *newtl = NULL;
	krb5_error_code ret;
	unsigned int more;
	unsigned int prev_n_keys = 0;

	if ((updates == NULL) || (entries == NULL))
		return (KRB5KRB_ERR_GENERIC);

	ent = entries;
	upd = updates;

	for (k = 0; k < nentries; k++) {
		cnt = nprincs = 0;

		/*
		 * If the ulog entry represents a DELETE update,
		 * just skip to the next entry.
		 */
		if (upd->kdb_deleted == TRUE)
			goto next;

		/*
		 * Store the no. of changed attributes in nattrs
		 */
		nattrs = upd->kdb_update.kdbe_t_len;

		dbprincstr = malloc((upd->kdb_princ_name.utf8str_t_len + 1)
					* sizeof (char));
		if (dbprincstr == NULL)
			return (ENOMEM);
		strlcpy(dbprincstr, (char *)upd->kdb_princ_name.utf8str_t_val,
				(upd->kdb_princ_name.utf8str_t_len + 1));

		ret = krb5_parse_name(context, dbprincstr, &dbprinc);
		free(dbprincstr);
		if (ret)
			return (ret);

		ret = krb5_db_get_principal(context, dbprinc, ent, &nprincs,
		    &more);
		krb5_free_principal(context, dbprinc);
		if (ret)
			return (ret);

		/*
		 * Set ent->n_tl_data = 0 initially, if this is an ADD update
		 */
		if (nprincs == 0)
			ent->n_tl_data = 0;

		for (i = 0; i < nattrs; i++) {
			switch (ULOG_ENTRY_TYPE(upd, i).av_type) {
			case AT_ATTRFLAGS:
				ent->attributes = (krb5_flags)
					ULOG_ENTRY(upd, i).av_attrflags;
				break;

			case AT_MAX_LIFE:
				ent->max_life = (krb5_deltat)
					ULOG_ENTRY(upd, i).av_max_life;
				break;

			case AT_MAX_RENEW_LIFE:
				ent->max_renewable_life = (krb5_deltat)
					ULOG_ENTRY(upd, i).av_max_renew_life;
				break;

			case AT_EXP:
				ent->expiration = (krb5_timestamp)
					ULOG_ENTRY(upd, i).av_exp;
				break;

			case AT_PW_EXP:
				ent->pw_expiration = (krb5_timestamp)
					ULOG_ENTRY(upd, i).av_pw_exp;
				break;

			case AT_LAST_SUCCESS:
				ent->last_success = (krb5_timestamp)
					ULOG_ENTRY(upd, i).av_last_success;
				break;

			case AT_LAST_FAILED:
				ent->last_failed = (krb5_timestamp)
					ULOG_ENTRY(upd, i).av_last_failed;
				break;

			case AT_FAIL_AUTH_COUNT:
				ent->fail_auth_count = (krb5_kvno)
					ULOG_ENTRY(upd, i).av_fail_auth_count;
				break;

			case AT_PRINC:
				if ((ret = conv_princ_2db(context,
						&(ent->princ), upd,
						i, REG_PRINC, nprincs)))
					return (ret);
				break;

			case AT_KEYDATA:

				if (nprincs != 0)
					prev_n_keys = ent->n_key_data;

				ent->n_key_data = (krb5_int16)ULOG_ENTRY(upd,
					i).av_keydata.av_keydata_len;
				if (nprincs == 0)
					ent->key_data = NULL;

				ent->key_data = (krb5_key_data *)realloc(
					ent->key_data,
					(ent->n_key_data *
						sizeof (krb5_key_data)));
				if (ent->key_data == NULL)
					return (ENOMEM);

/* BEGIN CSTYLED */
				for (j = 0; j < ent->n_key_data; j++) {
					ent->key_data[j].key_data_ver = (krb5_int16)ULOG_ENTRY_KEYVAL(upd, i, j).k_ver;
					ent->key_data[j].key_data_kvno = (krb5_int16)ULOG_ENTRY_KEYVAL(upd, i, j).k_kvno;

					for (cnt = 0; cnt < ent->key_data[j].key_data_ver; cnt++) {
						ent->key_data[j].key_data_type[cnt] =  (krb5_int16)ULOG_ENTRY_KEYVAL(upd, i, j).k_enctype.k_enctype_val[cnt];
						ent->key_data[j].key_data_length[cnt] = (krb5_int16)ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val[cnt].utf8str_t_len;
						if ((nprincs == 0) || (j >= prev_n_keys))
							ent->key_data[j].key_data_contents[cnt] = NULL;

						ent->key_data[j].key_data_contents[cnt] = (krb5_octet *)realloc(ent->key_data[j].key_data_contents[cnt], ent->key_data[j].key_data_length[cnt]);
						if (ent->key_data[j].key_data_contents[cnt] == NULL)
								return (ENOMEM);

						(void) memset(ent->key_data[j].key_data_contents[cnt], 0, (ent->key_data[j].key_data_length[cnt] * sizeof (krb5_octet)));
						(void) memcpy(ent->key_data[j].key_data_contents[cnt], ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val[cnt].utf8str_t_val, ent->key_data[j].key_data_length[cnt]);
					}
				}
				break;

			case AT_TL_DATA:
				cnt = ULOG_ENTRY(upd, i).av_tldata.av_tldata_len;
				newtl = malloc(cnt * sizeof (krb5_tl_data));
				(void) memset(newtl, 0, (cnt * sizeof (krb5_tl_data)));
				if (newtl == NULL)
					return (ENOMEM);

				for (j = 0; j < cnt; j++){
					newtl[j].tl_data_type = (krb5_int16)ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_type;
					newtl[j].tl_data_length = (krb5_int16)ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_data.tl_data_len;
					newtl[j].tl_data_contents = NULL;
					newtl[j].tl_data_contents = malloc(newtl[j].tl_data_length * sizeof (krb5_octet));
					if (newtl[j].tl_data_contents == NULL)
						return (ENOMEM);

					(void) memset(newtl[j].tl_data_contents, 0, (newtl[j].tl_data_length * sizeof (krb5_octet)));
					(void) memcpy(newtl[j].tl_data_contents, ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_data.tl_data_val, newtl[j].tl_data_length);
					newtl[j].tl_data_next = NULL;
					if (j > 0)
						newtl[j - 1].tl_data_next =
								&newtl[j];
				}

				if ((ret = krb5_dbe_update_tl_data(context,
								ent, newtl)))
					return (ret);
				for (j = 0; j < cnt; j++)
					if (newtl[j].tl_data_contents) {
						free(newtl[j].tl_data_contents);
						newtl[j].tl_data_contents = NULL;
					}
				if (newtl) {
					free(newtl);
					newtl = NULL;
				}
				break;
/* END CSTYLED */

			case AT_PW_LAST_CHANGE:
				if ((ret = krb5_dbe_update_last_pwd_change(
					context, ent,
					ULOG_ENTRY(upd, i).av_pw_last_change)))
						return (ret);
				break;

			case AT_MOD_PRINC:
				if ((ret = conv_princ_2db(context,
						&mod_princ, upd,
						i, MOD_PRINC, 0)))
					return (ret);
				break;

			case AT_MOD_TIME:
				mod_time = ULOG_ENTRY(upd, i).av_mod_time;
				break;

			case AT_LEN:
				ent->len = (krb5_int16)
						ULOG_ENTRY(upd, i).av_len;
				break;

			default:
				break;
			}

		}

		/*
		 * process mod_princ_data request
		 */
		if (mod_time && mod_princ) {
			ret = krb5_dbe_update_mod_princ_data(context, ent,
			    mod_time, mod_princ);
			krb5_free_principal(context, mod_princ);
			if (ret)
				return (ret);
		}

next:
		/*
		 * Bump up to next struct
		 */
		upd++;
		ent++;
	}
	return (0);
}



/*
 * This routine frees up memory associated with the bunched ulog entries.
 */
void
ulog_free_entries(kdb_incr_update_t *updates, int no_of_updates) {

	kdb_incr_update_t *upd;
	int i, j, k, cnt;

	if (updates == NULL)
		return;

	upd = updates;

	/*
	 * Loop thru each ulog entry
	 */
	for (cnt = 0; cnt < no_of_updates; cnt++) {

		/*
		 * ulog entry - kdb_princ_name
		 */
		if (upd->kdb_princ_name.utf8str_t_val)
			free(upd->kdb_princ_name.utf8str_t_val);

/* BEGIN CSTYLED */

		/*
		 * ulog entry - kdb_kdcs_seen_by
		 */
		if (upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val) {
			for (i = 0; i < upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_len; i++) {
				if (upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val[i].utf8str_t_val)
					free(upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val[i].utf8str_t_val);
			}
			if (upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val)
				free(upd->kdb_kdcs_seen_by.kdb_kdcs_seen_by_val);
		}

		/*
		 * ulog entry - kdb_futures
		 */
		if (upd->kdb_futures.kdb_futures_val)
			free(upd->kdb_futures.kdb_futures_val);

		/*
		 * ulog entry - kdb_update
		 */
		if(upd->kdb_update.kdbe_t_val) {
			/*
			 * Loop thru all the attributes and free up stuff
			 */
			for (i = 0; i < upd->kdb_update.kdbe_t_len; i++) {

				/*
				 * Free av_key_data
				 */
				if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_KEYDATA) && ULOG_ENTRY(upd, i).av_keydata.av_keydata_val) {

					for (j = 0; j < ULOG_ENTRY(upd, i).av_keydata.av_keydata_len; j++) {
						if (ULOG_ENTRY_KEYVAL(upd, i, j).k_enctype.k_enctype_val)
							free(ULOG_ENTRY_KEYVAL(upd, i, j).k_enctype.k_enctype_val);
						if (ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val) {
							for (k = 0; k < ULOG_ENTRY_KEYVAL(upd, i, j).k_ver; k++) {
							if (ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val[k].utf8str_t_val)
									free(ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val[k].utf8str_t_val);
							}
							free(ULOG_ENTRY_KEYVAL(upd, i, j).k_contents.k_contents_val);
						}
					}
					free(ULOG_ENTRY(upd, i).av_keydata.av_keydata_val);
				}


				/*
				 * Free av_tl_data
				 */
				if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_TL_DATA) && ULOG_ENTRY(upd, i).av_tldata.av_tldata_val) {
					for (j = 0; j < ULOG_ENTRY(upd, i).av_tldata.av_tldata_len; j++) {
						if (ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_data.tl_data_val)
							free(ULOG_ENTRY(upd, i).av_tldata.av_tldata_val[j].tl_data.tl_data_val);
					}
					free(ULOG_ENTRY(upd, i).av_tldata.av_tldata_val);
				}

				/*
				 * Free av_princ
				 */
				if (ULOG_ENTRY_TYPE(upd, i).av_type == AT_PRINC) {
					if (ULOG_ENTRY(upd, i).av_princ.k_realm.utf8str_t_val)
						free(ULOG_ENTRY(upd, i).av_princ.k_realm.utf8str_t_val);
					if (ULOG_ENTRY(upd, i).av_princ.k_components.k_components_val) {
						for (j = 0; j < ULOG_ENTRY(upd, i).av_princ.k_components.k_components_len; j++) {
							if (ULOG_ENTRY_PRINC(upd, i, j).k_data.utf8str_t_val)
								free(ULOG_ENTRY_PRINC(upd, i, j).k_data.utf8str_t_val);
						}
						free(ULOG_ENTRY(upd, i).av_princ.k_components.k_components_val);
					}
				}

				/*
				 * Free av_mod_princ
				 */
				if (ULOG_ENTRY_TYPE(upd, i).av_type == AT_MOD_PRINC) {
					if (ULOG_ENTRY(upd, i).av_mod_princ.k_realm.utf8str_t_val)
						free(ULOG_ENTRY(upd, i).av_mod_princ.k_realm.utf8str_t_val);
					if (ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_val) {
						for (j = 0; j < ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_len; j++) {
							if (ULOG_ENTRY_MOD_PRINC(upd, i, j).k_data.utf8str_t_val)
								free(ULOG_ENTRY_MOD_PRINC(upd, i, j).k_data.utf8str_t_val);
						}
						free(ULOG_ENTRY(upd, i).av_mod_princ.k_components.k_components_val);
					}
				}

				/*
				 * Free av_mod_where
				 */
				if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_MOD_WHERE) && ULOG_ENTRY(upd, i).av_mod_where.utf8str_t_val)
					free(ULOG_ENTRY(upd, i).av_mod_where.utf8str_t_val);

				/*
				 * Free av_pw_policy
				 */
				if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_PW_POLICY) && ULOG_ENTRY(upd, i).av_pw_policy.utf8str_t_val)
					free(ULOG_ENTRY(upd, i).av_pw_policy.utf8str_t_val);

				/*
				 * XXX: Free av_pw_hist
				 *
				 * For now, we just free the pointer
				 * to av_pw_hist_val, since we arent
				 * populating this union member in
				 * the conv api function(s) anyways.
				 */
				if ((ULOG_ENTRY_TYPE(upd, i).av_type == AT_PW_HIST) && ULOG_ENTRY(upd, i).av_pw_hist.av_pw_hist_val)
					free(ULOG_ENTRY(upd, i).av_pw_hist.av_pw_hist_val);

			 }

			/*
			 * Free up the pointer to kdbe_t_val
			 */
			if (upd->kdb_update.kdbe_t_val)
				free(upd->kdb_update.kdbe_t_val);
		}

/* END CSTYLED */

		/*
		 * Bump up to next struct
		 */
		upd++;
	}


	/*
	 * Finally, free up the pointer to the bunched ulog entries
	 */
	if (updates)
		free(updates);
}