svn rev #21807: branches/mkey_migrate/src/ kadmin/dbutil/ plugins/kdb/db2/
wfiveash@MIT.EDU
wfiveash at MIT.EDU
Tue Jan 27 15:24:41 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=21807
Commit By: wfiveash
Log Message:
More review changes:
If I use "kdb5_util dump -mkey_convert" after using the master key rollover
support, does something reasonably sane happen? E.g., process all the old
keys properly, leave just one new master key value in the output database,
reset the mkvno values attached to principals, etc.
Done. Note I may have to update the dump code to deal with the
various mkey input options, which I'll do in a follow-on commit.
Also note that I removed the locking around the krb5_db2_alloc and
free functions.
Changed Files:
U branches/mkey_migrate/src/kadmin/dbutil/dump.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h
U branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c
Modified: branches/mkey_migrate/src/kadmin/dbutil/dump.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/dump.c 2009-01-27 04:16:26 UTC (rev 21806)
+++ branches/mkey_migrate/src/kadmin/dbutil/dump.c 2009-01-27 20:24:37 UTC (rev 21807)
@@ -258,6 +258,8 @@
static const char ovoption[] = "-ov";
static const char dump_tmptrail[] = "~";
+static krb5_kvno new_mkvno;
+
/*
* Re-encrypt the key_data with the new master key...
*/
@@ -276,15 +278,20 @@
is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ);
if (is_mkey) {
- retval = add_new_mkey(context, db_entry, &new_master_keyblock);
+ retval = add_new_mkey(context, db_entry, &new_master_keyblock, &new_mkvno);
if (retval)
return retval;
} else {
for (i=0; i < db_entry->n_key_data; i++) {
+ krb5_keyblock *tmp_mkey;
+
key_data = &db_entry->key_data[i];
if (key_data->key_data_length == 0)
continue;
- retval = krb5_dbekd_decrypt_key_data(context, &master_keyblock,
+ retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey);
+ if (retval)
+ return retval;
+ retval = krb5_dbekd_decrypt_key_data(context, tmp_mkey,
key_data, &v5plainkey,
&keysalt);
if (retval)
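Review bot: The krb5_dbe_find_mkey() call added inside the for loop depends only on master_keylist and db_entry, so it repeats the same lookup for every key_data slot of the principal. Moving `krb5_keyblock *tmp_mkey;` together with `retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey); if (retval) return retval;` above the `for` performs the lookup once per entry and leaves the loop body to the per-key decrypt/re-encrypt work. The enclosing function starts before this hunk and continues past it, so whether the early return leaves anything from a previous iteration unreleased cannot be judged from here.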
@@ -292,17 +299,8 @@
memset(&new_key_data, 0, sizeof(new_key_data));
- if (is_mkey) {
- key_ptr = &new_master_keyblock;
- /* override mkey princ's kvno */
- if (global_params.mask & KADM5_CONFIG_KVNO)
- kvno = global_params.kvno;
- else
- kvno = (krb5_kvno) key_data->key_data_kvno;
- } else {
- key_ptr = &v5plainkey;
- kvno = (krb5_kvno) key_data->key_data_kvno;
- }
+ key_ptr = &v5plainkey;
+ kvno = (krb5_kvno) key_data->key_data_kvno;
retval = krb5_dbekd_encrypt_key_data(context, &new_master_keyblock,
key_ptr, &keysalt,
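Review bot: With the is_mkey branch removed, key_ptr is assigned `&v5plainkey` unconditionally, so the intermediate pointer no longer carries any information; passing `&v5plainkey` directly to krb5_dbekd_encrypt_key_data() and dropping key_ptr, if nothing else in the function uses it, would make the new code read the way it behaves. The function continues outside the hunk, so the declaration and any other uses of key_ptr are not visible here.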
@@ -318,6 +316,9 @@
}
*key_data = new_key_data;
}
+ retval = krb5_dbe_update_mkvno(context, db_entry, new_mkvno);
+ if (retval)
+ return retval;
}
return 0;
}
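Review bot: krb5_dbe_update_mkvno() stamps every non-master principal with the file-static new_mkvno introduced in the first hunk of this file, but that variable is only assigned when the master principal itself goes through the is_mkey branch; an entry re-keyed before the master entry is visited would receive the static's zero initializer unless the caller guarantees that ordering. If the ordering is guaranteed, record it at the declaration, `/* kvno of the new master key; set by add_new_mkey() for the master principal, which must be processed before any other entry */`; if it is not, the new kvno should be resolved up front rather than depending on dump order. The enclosing function starts before this hunk.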
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c 2009-01-27 04:16:26 UTC (rev 21806)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c 2009-01-27 20:24:37 UTC (rev 21807)
@@ -35,16 +35,13 @@
}
krb5_error_code
-add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey)
+add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey, krb5_kvno *mkvno)
{
krb5_error_code retval = 0;
int old_key_data_count, i;
krb5_kvno old_kvno, new_mkey_kvno;
- krb5_keyblock new_mkeyblock;
krb5_key_data tmp_key_data, *old_key_data;
- krb5_enctype new_master_enctype = ENCTYPE_UNKNOWN;
- krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data,
- *cur_mkey_aux_data, *next_mkey_aux_data;
+ krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data;
krb5_keylist_node *keylist_node;
/* First save the old keydata */
@@ -152,6 +149,9 @@
goto clean_n_exit;
}
+ if (mkvno)
+ *mkvno = new_mkey_kvno;
+
clean_n_exit:
if (mkey_aux_data_head)
krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_head);
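Review bot: The new mkvno out-parameter is written only on the success path, just before clean_n_exit, so a caller passing a non-NULL pointer gets no value when add_new_mkey() returns an error and must not read it; neither the assignment nor the prototype change in kdb5_util.h states this. A comment at the assignment, `/* report the new master key's kvno to the caller (success path only; NULL means not wanted) */`, with a matching line above the prototype in kdb5_util.h, would make the contract explicit. The function body starts in the previous hunk and its tail continues beyond this one.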
@@ -167,19 +167,14 @@
char *pw_str = 0;
unsigned int pw_size = 0;
int do_stash = 0, nentries = 0;
- int old_key_data_count, i;
krb5_boolean more = 0;
krb5_data pwd;
- krb5_kvno old_kvno, new_mkey_kvno;
+ krb5_kvno new_mkey_kvno;
krb5_keyblock new_mkeyblock;
- krb5_key_data tmp_key_data, *old_key_data;
krb5_enctype new_master_enctype = ENCTYPE_UNKNOWN;
char *new_mkey_password;
krb5_db_entry master_entry;
krb5_timestamp now;
- krb5_mkey_aux_node *mkey_aux_data_head, **mkey_aux_data,
- *cur_mkey_aux_data, *next_mkey_aux_data;
- krb5_keylist_node *keylist_node;
/*
* The command table entry for this command causes open_db_and_mkey() to be
@@ -267,7 +262,7 @@
return;
}
- retval = add_new_mkey(util_context, &master_entry, &new_mkeyblock);
+ retval = add_new_mkey(util_context, &master_entry, &new_mkeyblock, NULL);
if (retval) {
com_err(progname, retval, "adding new master key to master principal");
exit_status++;
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h 2009-01-27 04:16:26 UTC (rev 21806)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h 2009-01-27 20:24:37 UTC (rev 21807)
@@ -88,7 +88,8 @@
extern int kadm5_create (kadm5_config_params *params);
-extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *, krb5_keyblock *);
+extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *,
+ krb5_keyblock *, krb5_kvno *);
void usage (void);
Modified: branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c 2009-01-27 04:16:26 UTC (rev 21806)
+++ branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c 2009-01-27 20:24:37 UTC (rev 21807)
@@ -257,8 +257,8 @@
/* db_free_supported_realms */ NULL,
/* errcode_2_string */ NULL,
/* release_errcode_string */ NULL,
- /* db_alloc */ wrap_krb5_db2_alloc,
- /* db_free */ wrap_krb5_db2_free,
+ /* db_alloc */ krb5_db2_alloc,
+ /* db_free */ krb5_db2_free,
/* set_master_key */ wrap_krb5_db2_set_master_key_ext,
/* get_master_key */ wrap_krb5_db2_db_get_mkey,
/* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list,
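Review bot: db_alloc and db_free now point at krb5_db2_alloc/krb5_db2_free rather than the wrap_* entries used by every neighbouring slot, which per the log message drops the locking for these two operations. That is sound only if those two functions touch nothing but the heap and never the db context or other shared state; their implementations are not in this diff, so this should be confirmed and recorded in the table, e.g. `/* db_alloc */ krb5_db2_alloc, /* heap only: no db lock needed */`. Without such a comment a reader comparing this table against the wrapped entries will assume the omission is accidental.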