svn rev #21824: branches/mkey_migrate/src/ kadmin/dbutil/ lib/kdb/ lib/krb5/error_tables/

wfiveash@MIT.EDU wfiveash at MIT.EDU
Wed Jan 28 19:08:15 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=21824
Commit By: wfiveash
Log Message:
Fix an issue Ken noted with the kdb5_util dump -mkey_convert logic.

Also tweaked the add_mkey code to call krb5_dbe_update_mkvno to update
the mkvno stored in the K/M princ so the kadmin getprinc will output the
right value.



Changed Files:
U   branches/mkey_migrate/src/kadmin/dbutil/dump.c
U   branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c
U   branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
U   branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c
U   branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h
U   branches/mkey_migrate/src/lib/kdb/kdb_default.c
U   branches/mkey_migrate/src/lib/krb5/error_tables/kdb5_err.et
Modified: branches/mkey_migrate/src/kadmin/dbutil/dump.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/dump.c	2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/dump.c	2009-01-29 00:08:12 UTC (rev 21824)
@@ -47,6 +47,7 @@
  */
 static int			mkey_convert;
 static krb5_keyblock		new_master_keyblock;
+static krb5_kvno                new_mkvno;
 
 static int	backwards;
 static int	recursive;
@@ -179,6 +180,7 @@
 extern krb5_context	util_context;
 extern kadm5_config_params global_params;
 extern krb5_keylist_node *master_keylist;
+extern krb5_db_entry      master_entry;
 
 /* Strings */
 
@@ -258,8 +260,6 @@
 static const char ovoption[] = "-ov";
 static const char dump_tmptrail[] = "~";
 
-static krb5_kvno new_mkvno;
-
 /*
  * Re-encrypt the key_data with the new master key...
  */
@@ -278,7 +278,7 @@
     is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ);
 
     if (is_mkey) {
-        retval = add_new_mkey(context, db_entry, &new_master_keyblock, &new_mkvno);
+        retval = add_new_mkey(context, db_entry, &new_master_keyblock, new_mkvno);
         if (retval)
             return retval;
     } else {
@@ -290,7 +290,7 @@
                 continue;
             retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey);
             if (retval)
-                    return retval;
+                return retval;
             retval = krb5_dbekd_decrypt_key_data(context, tmp_mkey,
                                                  key_data, &v5plainkey,
                                                  &keysalt);
@@ -1193,6 +1193,11 @@
 			    exit(1);
 		    }
 	    }
+            /*
+             * get new master key vno that will be used to protect princs, used
+             * later on.
+             */
+            new_mkvno = get_next_kvno(util_context, &master_entry);
     }
 
     kret = 0;
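Review bot: new_mkvno is derived from the global master_entry, i.e. the K/M entry as it was loaded when the database was opened, not the entry that master_key_convert later receives for the record being dumped; the two agree only if no master key was added in between, and when they differ add_new_mkey (changed in kdb5_mkey.c in this commit) fails with KRB5_KDB_KVNONOMATCH. The added comment should say this rather than "used later on", e.g. `/* kvno the new master key will get; add_new_mkey re-derives it from the K/M entry actually dumped and fails with KRB5_KDB_KVNONOMATCH if the two disagree. */`. The enclosing function starts outside the hunk, so the inference that this runs only on the mkey_convert path comes from the indentation alone.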

Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c	2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_create.c	2009-01-29 00:08:12 UTC (rev 21824)
@@ -471,6 +471,10 @@
         if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno)))
             return retval;
 
+        /* so getprinc shows the right kvno */
+        if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno)))
+            return retval;
+
 	break;
     case TGT_KEY:
 	iargs.ctx = context;

Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c	2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c	2009-01-29 00:08:12 UTC (rev 21824)
@@ -34,19 +34,39 @@
     return out;
 }
 
+krb5_kvno
+get_next_kvno(krb5_context context, krb5_db_entry *entry)
+{
+    krb5_kvno new_kvno;
+
+    new_kvno = krb5_db_get_key_data_kvno(context, entry->n_key_data,
+                                         entry->key_data);
+    new_kvno++;
+    /* deal with wrapping */
+    if (new_kvno == 0)
+        new_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
+
+    return (new_kvno);
+}
+
 krb5_error_code
-add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey, krb5_kvno *mkvno)
+add_new_mkey(krb5_context context, krb5_db_entry *master_entry,
+             krb5_keyblock *new_mkey, krb5_kvno use_mkvno)
 {
     krb5_error_code retval = 0;
     int old_key_data_count, i;
-    krb5_kvno old_kvno, new_mkey_kvno;
+    krb5_kvno new_mkey_kvno;
     krb5_key_data tmp_key_data, *old_key_data;
     krb5_mkey_aux_node  *mkey_aux_data_head = NULL, **mkey_aux_data;
     krb5_keylist_node  *keylist_node;
 
-    /* First save the old keydata */
-    old_kvno = krb5_db_get_key_data_kvno(context, master_entry->n_key_data,
-					 master_entry->key_data);
+    /* do this before modifying master_entry key_data */
+    new_mkey_kvno = get_next_kvno(context, master_entry);
+    /* verify the requested mkvno if not 0 is the one that would be used here. */
+    if (use_mkvno != 0 && new_mkey_kvno != use_mkvno)
+        return (KRB5_KDB_KVNONOMATCH);
+
+    /* save the old keydata */
     old_key_data_count = master_entry->n_key_data;
     old_key_data = master_entry->key_data;
 
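Review bot: get_next_kvno is a new exported function with no header comment, and its wrap-around comment misspells the term (`knvo`); suggest `/* Return the kvno the next key added to entry would get: the highest kvno in its key_data plus one, wrapping past 0 to 1 because 0 is the reserved IGNORE_VNO value. */` above the definition. The new use_mkvno parameter of add_new_mkey likewise deserves a line at the signature, e.g. `/* use_mkvno: kvno the caller expects the new mkey to receive, or 0 to accept whatever get_next_kvno yields; a mismatch returns KRB5_KDB_KVNONOMATCH. */`. One thing the hunk leaves open is that after a wrap the value 1 may still belong to an old key in the same entry; whether a duplicate kvno is tolerated here is not visible from this hunk, and add_new_mkey continues past its end.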
@@ -57,7 +77,7 @@
      * logic from master_key_convert().
      */
     master_entry->key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) *
-                                                     (old_key_data_count + 1));
+                                                      (old_key_data_count + 1));
     if (master_entry->key_data == NULL)
         return (ENOMEM);
 
@@ -65,11 +85,6 @@
            sizeof(krb5_key_data) * (old_key_data_count + 1));
     master_entry->n_key_data = old_key_data_count + 1;
 
-    new_mkey_kvno = old_kvno + 1;
-    /* deal with wrapping? */
-    if (new_mkey_kvno == 0)
-        new_mkey_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
-
     /* Note, mkey does not have salt */
     /* add new mkey encrypted with itself to mkey princ entry */
     if ((retval = krb5_dbekd_encrypt_key_data(context, new_mkey,
@@ -78,7 +93,11 @@
                                               &master_entry->key_data[0]))) {
         return (retval);
     }
-
+    /* so getprinc will show the new mkvno */
+    if ((retval = krb5_dbe_update_mkvno(context, master_entry, new_mkey_kvno))) {
+        krb5_free_key_data_contents(context, &master_entry->key_data[0]);
+        return (retval);
+    }
     /*
      * Need to decrypt old keys with the current mkey which is in the global
      * master_keyblock and encrypt those keys with the latest mkey.  And while
@@ -149,9 +168,6 @@
         goto clean_n_exit;
     }
 
-    if (mkvno)
-        *mkvno = new_mkey_kvno;
-
 clean_n_exit:
     if (mkey_aux_data_head)
         krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_head);
@@ -222,13 +238,13 @@
         exit_status++;
         return;
     } else if (nentries == 0) {
-        com_err(progname, retval,
+        com_err(progname, KRB5_KDB_NOENTRY,
                 "principal %s not found in Kerberos database",
                 mkey_fullname);
         exit_status++;
         return;
     } else if (nentries > 1) {
-        com_err(progname, retval,
+        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
                 "principal %s has multiple entries in Kerberos database",
                 mkey_fullname);
         exit_status++;
@@ -412,13 +428,13 @@
         exit_status++;
         return;
     } else if (nentries == 0) {
-        com_err(progname, retval,
+        com_err(progname, KRB5_KDB_NOENTRY,
                 "principal %s not found in Kerberos database",
                 mkey_fullname);
         exit_status++;
         return;
     } else if (nentries > 1) {
-        com_err(progname, retval,
+        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
                 "principal %s has multiple entries in Kerberos database",
                 mkey_fullname);
         exit_status++;
@@ -559,13 +575,13 @@
         exit_status++;
         return;
     } else if (nentries == 0) {
-        com_err(progname, retval,
+        com_err(progname, KRB5_KDB_NOENTRY,
                 "principal %s not found in Kerberos database",
                 mkey_fullname);
         exit_status++;
         return;
     } else if (nentries > 1) {
-        com_err(progname, retval,
+        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
                 "principal %s has multiple entries in Kerberos database",
                 mkey_fullname);
         exit_status++;

Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c	2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c	2009-01-29 00:08:12 UTC (rev 21824)
@@ -442,10 +442,7 @@
         kvno = global_params.kvno; /* user specified */
     else
         kvno = IGNORE_VNO;
-        /* kvno = (krb5_kvno) master_entry.key_data->key_data_kvno; */
 
-    krb5_db_free_principal(util_context, &master_entry, nentries);
-
     /* the databases are now open, and the master principal exists */
     dbactive = TRUE;
     
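Review bot: Dropping the krb5_db_free_principal call keeps the global master_entry alive for the rest of the run, presumably so dump.c can hand it to get_next_kvno, but nothing in this commit frees it later and it becomes a snapshot taken at open time that later commands may read as current. A comment making the ownership explicit would help, e.g. `/* master_entry is kept for later commands (dump -mkey_convert reads it); it is a snapshot from open time and is not freed here. */`, with the matching free placed in whatever closes the database, if such a path exists. The enclosing function starts and ends outside the hunk.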

Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h	2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.h	2009-01-29 00:08:12 UTC (rev 21824)
@@ -89,7 +89,9 @@
 extern int kadm5_create (kadm5_config_params *params);
 
 extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *,
-                                    krb5_keyblock *, krb5_kvno *);
+                                    krb5_keyblock *, krb5_kvno);
 
+extern krb5_kvno get_next_kvno(krb5_context, krb5_db_entry *);
+
 void usage (void);
 

Modified: branches/mkey_migrate/src/lib/kdb/kdb_default.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb_default.c	2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/lib/kdb/kdb_default.c	2009-01-29 00:08:12 UTC (rev 21824)
@@ -25,6 +25,11 @@
  * 
  */
 
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
 #include "k5-int.h"
 #include "kdb.h"
 #include <string.h>

Modified: branches/mkey_migrate/src/lib/krb5/error_tables/kdb5_err.et
===================================================================
--- branches/mkey_migrate/src/lib/krb5/error_tables/kdb5_err.et	2009-01-28 23:22:27 UTC (rev 21823)
+++ branches/mkey_migrate/src/lib/krb5/error_tables/kdb5_err.et	2009-01-29 00:08:12 UTC (rev 21824)
@@ -58,6 +58,7 @@
 ec KRB5_KDB_CANTREAD_STORED,	"Cannot find/read stored master key"
 ec KRB5_KDB_BADSTORED_MKEY,	"Stored master key is corrupted"
 ec KRB5_KDB_NOACTMASTERKEY,	"Cannot find active master key"
+ec KRB5_KDB_KVNONOMATCH,	"KVNO of new master key does not match expected value"
 
 ec KRB5_KDB_CANTLOCK_DB,	"Insufficient access to lock database"
 



