svn rev #21777: branches/mkey_migrate/src/ include/ kadmin/dbutil/ kdc/ lib/kadm5/clnt/ ...
wfiveash@MIT.EDU
wfiveash at MIT.EDU
Thu Jan 22 14:48:41 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=21777
Commit By: wfiveash
Log Message:
Change the name of the krb5_dbe_act_mkey_list function to
krb5_dbe_act_key_list to indicate that it is a generic function usable on any
principal. I also modified the process_tgs_req function to use the
master_keylist and look up the proper mkey when decrypting the server
key.
Changed Files:
U branches/mkey_migrate/src/include/kdb.h
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
U branches/mkey_migrate/src/kdc/do_tgs_req.c
U branches/mkey_migrate/src/lib/kadm5/clnt/libkadm5clnt.exports
U branches/mkey_migrate/src/lib/kadm5/srv/libkadm5srv.exports
U branches/mkey_migrate/src/lib/kadm5/srv/server_kdb.c
U branches/mkey_migrate/src/lib/kdb/kdb5.c
U branches/mkey_migrate/src/lib/kdb/kdb_default.c
U branches/mkey_migrate/src/lib/kdb/libkdb5.exports
Modified: branches/mkey_migrate/src/include/kdb.h
===================================================================
--- branches/mkey_migrate/src/include/kdb.h 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/include/kdb.h 2009-01-22 19:48:38 UTC (rev 21777)
@@ -376,9 +376,9 @@
krb5_key_data * key_data);
krb5_error_code
-krb5_dbe_fetch_act_mkey_list(krb5_context context,
- krb5_principal mprinc,
- krb5_actkvno_node **act_mkey_list);
+krb5_dbe_fetch_act_key_list(krb5_context context,
+ krb5_principal princ,
+ krb5_actkvno_node **act_key_list);
krb5_error_code
krb5_dbe_find_act_mkey( krb5_context context,
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c 2009-01-22 19:48:38 UTC (rev 21777)
@@ -204,83 +204,6 @@
memset(mkey_aux_data_head, 0, sizeof(krb5_mkey_aux_node));
mkey_aux_data = &mkey_aux_data_head;
- /* XXX WAF: old, remove before final commit */
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
- for (i = 0; i < old_key_data_count; i++) {
- key_data = &old_key_data[i];
-
- /* decrypt the old key */
- /* XXX WAF: don't need to do this, use the master_keylist instead. */
- memset(&plainkey, 0, sizeof(plainkey));
- retval = krb5_dbekd_decrypt_key_data(util_context, &master_keylist->keyblock,
- key_data, &plainkey, NULL);
- if (retval) {
- com_err(progname, retval, "while decrypting master keys");
- exit_status++;
- return;
- }
-
- /*
- * Create a list of krb5_mkey_aux_node nodes. One node contains the new
- * mkey encrypted by an old mkey and the old mkey's kvno (one node per
- * old mkey).
- */
-
- if (*mkey_aux_data == NULL) {
- /* *mkey_aux_data points to next field of previous node */
- *mkey_aux_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node));
- if (*mkey_aux_data == NULL) {
- com_err(progname, ENOMEM, "while creating mkey_aux_data");
- exit_status++;
- return;
- }
- memset(*mkey_aux_data, 0, sizeof(krb5_mkey_aux_node));
- }
-
- memset(&tmp_key_data, 0, sizeof(tmp_key_data));
- /* encrypt the new mkey with the older mkey */
- retval = krb5_dbekd_encrypt_key_data(util_context, &plainkey,
- &new_master_keyblock,
- NULL, /* no keysalt */
- (int) new_mkey_kvno,
- &tmp_key_data);
- if (retval) {
- com_err(progname, retval, "while encrypting master keys");
- exit_status++;
- return;
- }
-
- (*mkey_aux_data)->latest_mkey = tmp_key_data;
- (*mkey_aux_data)->mkey_kvno = key_data->key_data_kvno;
-
- mkey_aux_data = &((*mkey_aux_data)->next);
-
- /*
- * Store old key in master_entry keydata, + 1 to avoid overwritting the
- * first key_data entry
- */
- retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock,
- &plainkey,
- NULL, /* no keysalt */
- (int) key_data->key_data_kvno,
- &master_entry.key_data[i+1]);
- if (retval) {
- com_err(progname, retval, "while encrypting master keys");
- exit_status++;
- return;
- }
-
- /* free plain text key and old key data entry */
- krb5_free_keyblock_contents(util_context, &plainkey);
- for (j = 0; j < key_data->key_data_ver; j++) {
- if (key_data->key_data_length[j]) {
- /* the key_data contents are encrypted so no clearing first */
- free(key_data->key_data_contents[j]);
- }
- }
- } /* end for (i = 0; i < old_key_data_count; i++) */
-#endif /**************** END IFDEF'ed OUT *******************************/
-
for (keylist_node = master_keylist, i = 1; keylist_node != NULL;
keylist_node = keylist_node->next, i++) {
@@ -473,10 +396,6 @@
return;
}
- /*
- * determine which nodes to delete and where to insert new act kvno node
- */
-
/* alloc enough space to hold new and existing key_data */
new_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
if (new_actkvno == NULL) {
@@ -489,6 +408,10 @@
new_actkvno->act_kvno = use_kvno;
new_actkvno->act_time = start_time;
+ /*
+ * determine which nodes to delete and where to insert new act kvno node
+ */
+
if (actkvno_list == NULL) {
/* new actkvno is the list */
new_actkvno_list_head = new_actkvno;
@@ -530,7 +453,7 @@
}
if (trimed && inserted)
break;
- } /* end for (new_actkvno_list_head = prev_actkvno = ... */
+ }
}
if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry,
Modified: branches/mkey_migrate/src/kdc/do_tgs_req.c
===================================================================
--- branches/mkey_migrate/src/kdc/do_tgs_req.c 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/kdc/do_tgs_req.c 2009-01-22 19:48:38 UTC (rev 21777)
@@ -101,6 +101,7 @@
krb5_keyblock session_key;
krb5_timestamp until, rtime;
krb5_keyblock encrypting_key;
+ krb5_keyblock *tmp_mkey;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *altcname = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
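Review bot: `tmp_mkey` is declared on the added line without an initializer, so it holds an indeterminate value until the krb5_dbe_find_mkey call later in this function succeeds, and several earlier failure paths already `goto cleanup` before that call is reached. Initialize it at the declaration, `krb5_keyblock *tmp_mkey = NULL;`, so that any test of the pointer at the cleanup label is well defined. process_tgs_req's body runs well beyond this hunk, so whether cleanup currently touches tmp_mkey cannot be confirmed from here.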
@@ -546,10 +547,16 @@
status = "FINDING_SERVER_KEY";
goto cleanup;
}
+
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) {
+ status = "FINDING_MASTER_KEY";
+ goto cleanup;
+ }
+
/* convert server.key into a real key (it may be encrypted
* in the database) */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
- &master_keyblock,
+ tmp_mkey,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
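Review bot: The ownership of the pointer that krb5_dbe_find_mkey stores in `tmp_mkey` is not documented at the new call, and nothing in the hunk releases it. The arguments (master_keylist plus the server entry) suggest the call hands back a pointer into an existing list node rather than a fresh allocation, but that is inferred rather than shown; a comment at the call site such as `/* tmp_mkey points into master_keylist: not owned here, must not be freed */` would keep a later cleanup edit from introducing a double free or a leak, whichever way the contract actually goes. The enclosing function starts and ends outside the hunk.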
Modified: branches/mkey_migrate/src/lib/kadm5/clnt/libkadm5clnt.exports
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/clnt/libkadm5clnt.exports 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/lib/kadm5/clnt/libkadm5clnt.exports 2009-01-22 19:48:38 UTC (rev 21777)
@@ -46,7 +46,6 @@
krb5_aprof_getvals
krb5_aprof_init
krb5_flags_to_string
-krb5_free_key_data_contents
krb5_free_realm_params
krb5_input_flag_to_string
krb5_keysalt_is_present
Modified: branches/mkey_migrate/src/lib/kadm5/srv/libkadm5srv.exports
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/libkadm5srv.exports 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/lib/kadm5/srv/libkadm5srv.exports 2009-01-22 19:48:38 UTC (rev 21777)
@@ -71,7 +71,6 @@
krb5_aprof_init
krb5_copy_key_data_contents
krb5_flags_to_string
-krb5_free_key_data_contents
krb5_free_realm_params
krb5_input_flag_to_string
krb5_keysalt_is_present
Modified: branches/mkey_migrate/src/lib/kadm5/srv/server_kdb.c
===================================================================
--- branches/mkey_migrate/src/lib/kadm5/srv/server_kdb.c 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/lib/kadm5/srv/server_kdb.c 2009-01-22 19:48:38 UTC (rev 21777)
@@ -87,8 +87,8 @@
return (ret);
}
- if ((ret = krb5_dbe_fetch_act_mkey_list(handle->context, master_princ,
- &active_mkey_list))) {
+ if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
+ &active_mkey_list))) {
krb5_db_fini(handle->context);
return (ret);
}
Modified: branches/mkey_migrate/src/lib/kdb/kdb5.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb5.c 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/lib/kdb/kdb5.c 2009-01-22 19:48:38 UTC (rev 21777)
@@ -1890,35 +1890,37 @@
#endif /**************** END IFDEF'ed OUT *******************************/
krb5_error_code
-krb5_dbe_fetch_act_mkey_list(krb5_context context,
- krb5_principal mprinc,
- krb5_actkvno_node **act_mkey_list)
+krb5_dbe_fetch_act_key_list(krb5_context context,
+ krb5_principal princ,
+ krb5_actkvno_node **act_key_list)
{
krb5_error_code retval = 0;
- krb5_db_entry master_entry;
+ krb5_db_entry entry;
int nprinc;
krb5_boolean more;
- if (act_mkey_list == NULL)
+ if (act_key_list == NULL)
return (EINVAL);
nprinc = 1;
- if ((retval = krb5_db_get_principal(context, mprinc,
- &master_entry, &nprinc, &more)))
+ if ((retval = krb5_db_get_principal(context, princ, &entry,
+ &nprinc, &more))) {
return (retval);
+ }
if (nprinc != 1) {
- if (nprinc)
- krb5_db_free_principal(context, &master_entry, nprinc);
+ if (nprinc) {
+ krb5_db_free_principal(context, &entry, nprinc);
+ }
return(KRB5_KDB_NOMASTERKEY);
} else if (more) {
- krb5_db_free_principal(context, &master_entry, nprinc);
+ krb5_db_free_principal(context, &entry, nprinc);
return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
}
- retval = krb5_dbe_lookup_actkvno(context, &master_entry, act_mkey_list);
+ retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list);
- if (*act_mkey_list == NULL) {
+ if (*act_key_list == NULL) {
krb5_actkvno_node *tmp_actkvno;
krb5_timestamp now;
/*
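Review bot: The result of `retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list);` is stored but not checked before `*act_key_list` is read on the next line, so a lookup failure falls into the fallback path that allocates a node and hands it to the caller together with a non-zero return; whether callers free that node on error is not visible here. Add `if (retval) { krb5_db_free_principal(context, &entry, nprinc); return retval; }` ahead of the NULL test. Separately, now that the function is generic for any principal, returning KRB5_KDB_NOMASTERKEY from the `nprinc != 1` branch reports the wrong condition for a non-master principal; a generic not-found code would match the intent of the rename. The fallback block continues into the next hunk.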
@@ -1934,12 +1936,13 @@
memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node));
tmp_actkvno->act_time = now;
- tmp_actkvno->act_kvno = master_entry.key_data[0].key_data_kvno;
+ /* use most current key */
+ tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno;
- *act_mkey_list = tmp_actkvno;
+ *act_key_list = tmp_actkvno;
}
- krb5_db_free_principal(context, &master_entry, nprinc);
+ krb5_db_free_principal(context, &entry, nprinc);
return retval;
}
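Review bot: `entry.key_data[0].key_data_kvno` is read without checking that the principal has any key data, so an entry with `n_key_data == 0` produces an out-of-bounds read; a guard at the top of the fallback block (which begins in the previous hunk, before the allocation that sits between the two hunks) such as `if (entry.n_key_data < 1) { krb5_db_free_principal(context, &entry, nprinc); return KRB5_KDB_NOMASTERKEY; }` closes that. The added comment `/* use most current key */` also asserts that key_data[0] is the newest key, which holds only if the array is kept in descending kvno order; nothing in this hunk establishes that, so the comment should state the ordering it relies on, e.g. `/* key_data is assumed sorted newest-first; [0] is the current kvno */`.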
Modified: branches/mkey_migrate/src/lib/kdb/kdb_default.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb_default.c 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/lib/kdb/kdb_default.c 2009-01-22 19:48:38 UTC (rev 21777)
@@ -372,10 +372,6 @@
return retval;
}
-/* XXX WAF: I'm now thinking this fucntion should check to see if the fetched
- * key matches the latest mkey in the master princ. If it doesn't then the
- * latest mkey should be returned by using the mkey_aux tl data.
- */
krb5_error_code
krb5_db_def_fetch_mkey(krb5_context context,
krb5_principal mname,
Modified: branches/mkey_migrate/src/lib/kdb/libkdb5.exports
===================================================================
--- branches/mkey_migrate/src/lib/kdb/libkdb5.exports 2009-01-22 19:19:34 UTC (rev 21776)
+++ branches/mkey_migrate/src/lib/kdb/libkdb5.exports 2009-01-22 19:48:38 UTC (rev 21777)
@@ -34,7 +34,7 @@
krb5_dbe_create_key_data
krb5_dbe_crk
krb5_dbe_find_act_mkey
-krb5_dbe_fetch_act_mkey_list
+krb5_dbe_fetch_act_key_list
krb5_dbe_find_enctype
krb5_dbe_find_mkey
krb5_dbe_lookup_last_pwd_change