svn rev #21824: branches/mkey_migrate/src/ kadmin/dbutil/ lib/kdb/ lib/krb5/error_tables/
wfiveash@MIT.EDU
wfiveash at MIT.EDU
Wed Jan 28 19:08:15 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=21824
Commit By: wfiveash
Log Message:
Fix an issue Ken noted with the kdb5_util dump -mkey_convert logic.
Also tweaked the add_mkey code to call krb5_dbe_update_mkvno to update
the mkvno stored in the K/M princ so the kadmin getprinc will output the
right value.
Changed Files:
U branches/mkey_migrate/src/kadmin/dbutil/dump.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c
U branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h
U branches/mkey_migrate/src/lib/kdb/kdb_default.c
U branches/mkey_migrate/src/lib/krb5/error_tables/kdb5_err.et
Modified: branches/mkey_migrate/src/kadmin/dbutil/dump.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/dump.c 2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/dump.c 2009-01-29 00:08:12 UTC (rev 21824)
@@ -47,6 +47,7 @@
*/
static int mkey_convert;
static krb5_keyblock new_master_keyblock;
+static krb5_kvno new_mkvno;
static int backwards;
static int recursive;
@@ -179,6 +180,7 @@
extern krb5_context util_context;
extern kadm5_config_params global_params;
extern krb5_keylist_node *master_keylist;
+extern krb5_db_entry master_entry;
/* Strings */
@@ -258,8 +260,6 @@
static const char ovoption[] = "-ov";
static const char dump_tmptrail[] = "~";
-static krb5_kvno new_mkvno;
-
/*
* Re-encrypt the key_data with the new master key...
*/
@@ -278,7 +278,7 @@
is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ);
if (is_mkey) {
- retval = add_new_mkey(context, db_entry, &new_master_keyblock, &new_mkvno);
+ retval = add_new_mkey(context, db_entry, &new_master_keyblock, new_mkvno);
if (retval)
return retval;
} else {
@@ -290,7 +290,7 @@
continue;
retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey);
if (retval)
- return retval;
+ return retval;
retval = krb5_dbekd_decrypt_key_data(context, tmp_mkey,
key_data, &v5plainkey,
&keysalt);
@@ -1193,6 +1193,11 @@
exit(1);
}
}
+ /*
+ * get new master key vno that will be used to protect princs, used
+ * later on.
+ */
+ new_mkvno = get_next_kvno(util_context, &master_entry);
}
kret = 0;
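Review bot: new_mkvno is derived here from the global master_entry, while add_new_mkey later recomputes the next kvno from the db_entry it is handed and fails with KRB5_KDB_KVNONOMATCH when the two disagree, so this assignment acts as a consistency check rather than the authoritative source, and the comment should say so, e.g. `/* Expected kvno of the new mkey; add_new_mkey() rejects the conversion with KRB5_KDB_KVNONOMATCH if the K/M entry it reads disagrees. */`. This also relies on master_entry still holding the K/M entry at this point, which is only true because kdb5_util.c stops freeing it in this same commit; if the entry were empty, get_next_kvno would presumably return 1 and the mismatch would surface only inside add_new_mkey. The enclosing function starts outside the hunk.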
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c 2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c 2009-01-29 00:08:12 UTC (rev 21824)
@@ -471,6 +471,10 @@
if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno)))
return retval;
+ /* so getprinc shows the right kvno */
+ if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno)))
+ return retval;
+
break;
case TGT_KEY:
iargs.ctx = context;
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c 2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c 2009-01-29 00:08:12 UTC (rev 21824)
@@ -34,19 +34,39 @@
return out;
}
+krb5_kvno
+get_next_kvno(krb5_context context, krb5_db_entry *entry)
+{
+ krb5_kvno new_kvno;
+
+ new_kvno = krb5_db_get_key_data_kvno(context, entry->n_key_data,
+ entry->key_data);
+ new_kvno++;
+ /* deal with wrapping */
+ if (new_kvno == 0)
+ new_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
+
+ return (new_kvno);
+}
+
krb5_error_code
-add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey, krb5_kvno *mkvno)
+add_new_mkey(krb5_context context, krb5_db_entry *master_entry,
+ krb5_keyblock *new_mkey, krb5_kvno use_mkvno)
{
krb5_error_code retval = 0;
int old_key_data_count, i;
- krb5_kvno old_kvno, new_mkey_kvno;
+ krb5_kvno new_mkey_kvno;
krb5_key_data tmp_key_data, *old_key_data;
krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data;
krb5_keylist_node *keylist_node;
- /* First save the old keydata */
- old_kvno = krb5_db_get_key_data_kvno(context, master_entry->n_key_data,
- master_entry->key_data);
+ /* do this before modifying master_entry key_data */
+ new_mkey_kvno = get_next_kvno(context, master_entry);
+ /* verify the requested mkvno if not 0 is the one that would be used here. */
+ if (use_mkvno != 0 && new_mkey_kvno != use_mkvno)
+ return (KRB5_KDB_KVNONOMATCH);
+
+ /* save the old keydata */
old_key_data_count = master_entry->n_key_data;
old_key_data = master_entry->key_data;
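Review bot: The `use_mkvno != 0` guard in add_new_mkey makes 0 an in-band "skip the check" value, but neither the parameter here nor the new prototype in the kdb5_util.h hunk documents that; the one-line comment above the check is the only hint. Suggest the same short comment on the definition and the extern declaration, e.g. `/* use_mkvno: expected kvno of the new mkey, or 0 to accept whatever get_next_kvno() yields; returns KRB5_KDB_KVNONOMATCH on mismatch. */`. get_next_kvno's result for an entry with no key data depends on what krb5_db_get_key_data_kvno returns in that case, which is not visible here; if it yields 0 the function returns 1, which is what the wrap comment intends, and the typo `knvo` in that comment was carried over from the removed lines. add_new_mkey continues past the end of the hunk.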
@@ -57,7 +77,7 @@
* logic from master_key_convert().
*/
master_entry->key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) *
- (old_key_data_count + 1));
+ (old_key_data_count + 1));
if (master_entry->key_data == NULL)
return (ENOMEM);
@@ -65,11 +85,6 @@
sizeof(krb5_key_data) * (old_key_data_count + 1));
master_entry->n_key_data = old_key_data_count + 1;
- new_mkey_kvno = old_kvno + 1;
- /* deal with wrapping? */
- if (new_mkey_kvno == 0)
- new_mkey_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
-
/* Note, mkey does not have salt */
/* add new mkey encrypted with itself to mkey princ entry */
if ((retval = krb5_dbekd_encrypt_key_data(context, new_mkey,
@@ -78,7 +93,11 @@
&master_entry->key_data[0]))) {
return (retval);
}
-
+ /* so getprinc will show the new mkvno */
+ if ((retval = krb5_dbe_update_mkvno(context, master_entry, new_mkey_kvno))) {
+ krb5_free_key_data_contents(context, &master_entry->key_data[0]);
+ return (retval);
+ }
/*
* Need to decrypt old keys with the current mkey which is in the global
* master_keyblock and encrypt those keys with the latest mkey. And while
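Review bot: The new failure branch after krb5_dbe_update_mkvno returns while master_entry->key_data already points at the freshly allocated array and n_key_data has already been incremented (see the previous hunk), so on error the caller's entry is left half-updated; the pre-existing return after krb5_dbekd_encrypt_key_data just above has the same shape, so the new code is consistent with it but both deserve the same fix. Restoring the saved state before returning, `free(master_entry->key_data); master_entry->key_data = old_key_data; master_entry->n_key_data = old_key_data_count;`, would leave the entry as it was on entry, since the copy into the new array appears to be shallow. Whether old_key_data is released on the success path is outside this hunk, so I have not assumed either way. add_new_mkey continues past the end of the hunk.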
@@ -149,9 +168,6 @@
goto clean_n_exit;
}
- if (mkvno)
- *mkvno = new_mkey_kvno;
-
clean_n_exit:
if (mkey_aux_data_head)
krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_head);
@@ -222,13 +238,13 @@
exit_status++;
return;
} else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
"principal %s not found in Kerberos database",
mkey_fullname);
exit_status++;
return;
} else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
"principal %s has multiple entries in Kerberos database",
mkey_fullname);
exit_status++;
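Review bot: The lookup-result check these lines belong to is now repeated verbatim in three places (this hunk and the following two at @@ -412 and @@ -559), each reporting KRB5_KDB_NOENTRY and KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE with the same strings; the substitution itself is right, since retval is presumably 0 on these branches (the failure branch above has already returned) and com_err would have printed no error text. A small static helper that fetches the K/M entry and reports the not-found and not-unique cases once would keep the three call sites from drifting again. The enclosing functions start and end outside the hunks.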
@@ -412,13 +428,13 @@
exit_status++;
return;
} else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
"principal %s not found in Kerberos database",
mkey_fullname);
exit_status++;
return;
} else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
"principal %s has multiple entries in Kerberos database",
mkey_fullname);
exit_status++;
@@ -559,13 +575,13 @@
exit_status++;
return;
} else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
"principal %s not found in Kerberos database",
mkey_fullname);
exit_status++;
return;
} else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
"principal %s has multiple entries in Kerberos database",
mkey_fullname);
exit_status++;
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c 2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c 2009-01-29 00:08:12 UTC (rev 21824)
@@ -442,10 +442,7 @@
kvno = global_params.kvno; /* user specified */
else
kvno = IGNORE_VNO;
- /* kvno = (krb5_kvno) master_entry.key_data->key_data_kvno; */
- krb5_db_free_principal(util_context, &master_entry, nentries);
-
/* the databases are now open, and the master principal exists */
dbactive = TRUE;
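Review bot: Removing the krb5_db_free_principal call keeps master_entry populated after this point, which is what dump.c now relies on through `extern krb5_db_entry master_entry`, but nothing in the hunk records that intent or where the entry is eventually released; the commented-out line that was deleted was the only nearby hint. Suggest replacing it with `/* master_entry is deliberately kept: dump.c reads its key_data to compute the next mkey kvno. */` and, if no later free exists, releasing it at shutdown. The enclosing function starts and ends outside the hunk.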
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h 2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h 2009-01-29 00:08:12 UTC (rev 21824)
@@ -89,7 +89,9 @@
extern int kadm5_create (kadm5_config_params *params);
extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *,
- krb5_keyblock *, krb5_kvno *);
+ krb5_keyblock *, krb5_kvno);
+extern krb5_kvno get_next_kvno(krb5_context, krb5_db_entry *);
+
void usage (void);
Modified: branches/mkey_migrate/src/lib/kdb/kdb_default.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb_default.c 2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/lib/kdb/kdb_default.c 2009-01-29 00:08:12 UTC (rev 21824)
@@ -25,6 +25,11 @@
*
*/
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
#include "k5-int.h"
#include "kdb.h"
#include <string.h>
Modified: branches/mkey_migrate/src/lib/krb5/error_tables/kdb5_err.et
===================================================================
--- branches/mkey_migrate/src/lib/krb5/error_tables/kdb5_err.et 2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/lib/krb5/error_tables/kdb5_err.et 2009-01-29 00:08:12 UTC (rev 21824)
@@ -58,6 +58,7 @@
ec KRB5_KDB_CANTREAD_STORED, "Cannot find/read stored master key"
ec KRB5_KDB_BADSTORED_MKEY, "Stored master key is corrupted"
ec KRB5_KDB_NOACTMASTERKEY, "Cannot find active master key"
+ec KRB5_KDB_KVNONOMATCH, "KVNO of new master key does not match expected value"
ec KRB5_KDB_CANTLOCK_DB, "Insufficient access to lock database"