svn rev #21827: branches/mkey_migrate/src/ include/ kadmin/dbutil/ lib/kdb/ plugins/kdb/db2/ ...

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Jan 29 14:07:55 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=21827
Commit By: ghudson
Log Message:
Implement krb5_db_store_master_key_list.
Make "kdb5_util stash" store the full master key list.
Make "kdb5_util stash" use a preexisting stashed key if available.



Changed Files:
U   branches/mkey_migrate/src/include/kdb.h
U   branches/mkey_migrate/src/kadmin/dbutil/kdb5_stash.c
U   branches/mkey_migrate/src/lib/kdb/kdb5.c
U   branches/mkey_migrate/src/lib/kdb/kdb_default.c
U   branches/mkey_migrate/src/lib/kdb/libkdb5.exports
U   branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c
U   branches/mkey_migrate/src/plugins/kdb/ldap/ldap_exp.c
Modified: branches/mkey_migrate/src/include/kdb.h
===================================================================
--- branches/mkey_migrate/src/include/kdb.h	2009-01-29 01:19:01 UTC (rev 21826)
+++ branches/mkey_migrate/src/include/kdb.h	2009-01-29 19:07:52 UTC (rev 21827)
@@ -323,6 +323,11 @@
 					    krb5_kvno kvno,
 					    krb5_keyblock *key,
 					    char *master_pwd);
+krb5_error_code krb5_db_store_master_key_list  ( krb5_context kcontext, 
+						 char *keyfile, 
+						 krb5_principal mname,
+						 krb5_keylist_node *keylist,
+						 char *master_pwd);
 krb5_error_code krb5_db_fetch_mkey  ( krb5_context   context,
 				      krb5_principal mname,
 				      krb5_enctype   etype,
@@ -545,6 +550,12 @@
 		     krb5_keyblock *key,
 		     char *master_pwd);
 
+krb5_error_code
+krb5_def_store_mkey_list( krb5_context context,
+			  char *keyfile,
+			  krb5_principal mname,
+			  krb5_keylist_node *keylist,
+			  char *master_pwd);
 
 krb5_error_code
 krb5_db_def_fetch_mkey( krb5_context   context,
@@ -831,6 +842,12 @@
 					      krb5_kvno            kvno,
 					      krb5_keylist_node  **mkeys_list);
 
+    krb5_error_code (*store_master_key_list)  ( krb5_context kcontext, 
+						char *db_arg, 
+						krb5_principal mname,
+						krb5_keylist_node *keylist,
+						char *master_pwd);
+
     krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext, 
 					    krb5_db_entry *dbentp, 
 					    krb5_int32 *start, 

Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_stash.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_stash.c	2009-01-29 01:19:01 UTC (rev 21826)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_stash.c	2009-01-29 19:07:52 UTC (rev 21827)
@@ -60,6 +60,7 @@
 #include "kdb5_util.h"
 
 extern krb5_keyblock master_keyblock;
+extern krb5_keylist_node *master_keylist;
 extern krb5_principal master_princ;
 extern kadm5_config_params global_params;
 
@@ -145,36 +146,38 @@
     else
         mkey_kvno = IGNORE_VNO; /* use whatever krb5_db_fetch_mkey finds */
 
-    /* TRUE here means read the keyboard, but only once */
-    retval = krb5_db_fetch_mkey(context, master_princ,
-				master_keyblock.enctype,
-				TRUE, FALSE, (char *) NULL,
-                                &mkey_kvno,
-				NULL, &master_keyblock);
-    if (retval) {
-	com_err(progname, retval, "while reading master key");
-	(void) krb5_db_fini(context);
-	exit_status++; return; 
+    if (!valid_master_key) {
+	/* TRUE here means read the keyboard, but only once */
+	retval = krb5_db_fetch_mkey(context, master_princ,
+				    master_keyblock.enctype,
+				    TRUE, FALSE, (char *) NULL,
+				    &mkey_kvno,
+				    NULL, &master_keyblock);
+	if (retval) {
+	    com_err(progname, retval, "while reading master key");
+	    (void) krb5_db_fini(context);
+	    exit_status++; return; 
+	}
+
+	retval = krb5_db_fetch_mkey_list(context, master_princ,
+					 &master_keyblock, mkey_kvno,
+					 &master_keylist);
+	if (retval) {
+	    com_err(progname, retval, "while getting master key list");
+	    (void) krb5_db_fini(context);
+	    exit_status++; return;
+	}
+    } else {
+	printf("Using existing stashed keys to update stash file.\n");
     }
 
-    retval = krb5_db_verify_master_key(context, master_princ, 
-                                       mkey_kvno,
-				       &master_keyblock);
+    retval = krb5_db_store_master_key_list(context, keyfile, master_princ, 
+					   master_keylist, NULL);
     if (retval) {
-	com_err(progname, retval, "while verifying master key");
-	(void) krb5_db_fini(context);
-	exit_status++; return; 
-    }	
-
-    retval = krb5_db_store_master_key(context, keyfile, master_princ, 
-                                      mkey_kvno, &master_keyblock, NULL);
-    if (retval) {
 	com_err(progname, errno, "while storing key");
-	memset((char *)master_keyblock.contents, 0, master_keyblock.length);
 	(void) krb5_db_fini(context);
 	exit_status++; return; 
     }
-    memset((char *)master_keyblock.contents, 0, master_keyblock.length);
 
     retval = krb5_db_fini(context);
     if (retval) {
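Review bot: The failure path after the new krb5_db_store_master_key_list call still reports `errno` rather than `retval` (`com_err(progname, errno, "while storing key");`), so a krb5 error code returned by the store routine is printed as whatever errno happens to hold; it should read `com_err(progname, retval, "while storing key");`. The hunk also drops both memset() calls that scrubbed master_keyblock.contents before returning, and the newly fetched master_keylist is neither scrubbed nor freed on any path; if the globals are now cleaned up by the caller, a comment saying so would help, otherwise the master key material stays in process memory until exit. krb5_db_verify_master_key is no longer called either — presumably krb5_db_fetch_mkey_list verifies the fetched key against the database, which is worth confirming. The enclosing function starts and ends outside the hunk.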

Modified: branches/mkey_migrate/src/lib/kdb/kdb5.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb5.c	2009-01-29 01:19:01 UTC (rev 21826)
+++ branches/mkey_migrate/src/lib/kdb/kdb5.c	2009-01-29 19:07:52 UTC (rev 21827)
@@ -282,6 +282,10 @@
 	lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list;
     }
 
+    if (lib->vftabl.store_master_key_list == NULL) {
+	lib->vftabl.store_master_key_list = krb5_def_store_mkey_list;
+    }
+
     if (lib->vftabl.dbe_search_enctype == NULL) {
 	lib->vftabl.dbe_search_enctype = krb5_dbe_def_search_enctype;
     }
@@ -1653,6 +1657,41 @@
     return status;
 }
 
+krb5_error_code
+krb5_db_store_master_key_list(krb5_context kcontext,
+			      char *keyfile,
+			      krb5_principal mname,
+			      krb5_keylist_node *keylist,
+			      char *master_pwd)
+{
+    krb5_error_code status = 0;
+    kdb5_dal_handle *dal_handle;
+
+    if (kcontext->dal_handle == NULL) {
+	status = kdb_setup_lib_handle(kcontext);
+	if (status) {
+	    goto clean_n_exit;
+	}
+    }
+
+    dal_handle = kcontext->dal_handle;
+    status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+    if (status) {
+	goto clean_n_exit;
+    }
+
+    status = dal_handle->lib_handle->vftabl.store_master_key_list(kcontext,
+								  keyfile,
+								  mname,
+								  keylist,
+								  master_pwd);
+    get_errmsg(kcontext, status);
+    kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+  clean_n_exit:
+    return status;
+}
+
 char   *krb5_mkey_pwd_prompt1 = KRB5_KDC_MKEY_1;
 char   *krb5_mkey_pwd_prompt2 = KRB5_KDC_MKEY_2;
 
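Review bot: krb5_db_store_master_key_list has no header comment, and it forwards a NULL `keylist` straight to the plugin without checking it, unlike the public-facing shape a caller might expect; a comment above the definition such as `/* Store all keys in keylist to the stash file keyfile through the loaded KDB module; keylist is passed to the module unchecked. */` would state the contract. The return value of the `kdb_unlock_lib_lock` call is discarded, which matches the surrounding library style as far as this hunk shows, but a `(void)` cast would make that deliberate.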

Modified: branches/mkey_migrate/src/lib/kdb/kdb_default.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb_default.c	2009-01-29 01:19:01 UTC (rev 21826)
+++ branches/mkey_migrate/src/lib/kdb/kdb_default.c	2009-01-29 19:07:52 UTC (rev 21827)
@@ -138,12 +138,11 @@
 #endif
 
 krb5_error_code
-krb5_def_store_mkey(krb5_context   context,
-                    char           *keyfile,
-                    krb5_principal mname,
-                    krb5_kvno      kvno,
-                    krb5_keyblock  *key,
-                    char           *master_pwd)
+krb5_def_store_mkey_list(krb5_context       context,
+			 char               *keyfile,
+			 krb5_principal     mname,
+			 krb5_keylist_node  *keylist,
+			 char               *master_pwd)
 {
     krb5_error_code retval = 0;
     char defkeyfile[MAXPATHLEN+1];
@@ -204,12 +203,17 @@
     if (retval != 0)
         goto out;
 
-    memset((char *) &new_entry, 0, sizeof(new_entry));
-    new_entry.principal = mname;
-    new_entry.key = *key;
-    new_entry.vno = kvno;
+    while (keylist && !retval) {
+        memset((char *) &new_entry, 0, sizeof(new_entry));
+        new_entry.principal = mname;
+        new_entry.key = keylist->keyblock;
+        new_entry.vno = keylist->kvno;
 
-    retval = krb5_kt_add_entry(context, kt, &new_entry);
+        retval = krb5_kt_add_entry(context, kt, &new_entry);
+        keylist = keylist->next;
+    }
+    krb5_kt_close(context, kt);
+
     if (retval != 0) {
         /* delete tmp keyfile if it exists and an error occurrs */
         if (stat(keyfile, &stb) >= 0)
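Review bot: The return value of the new `krb5_kt_close(context, kt);` call is discarded, and because the close now happens on the success path before the error check (and presumably before the temporary file replaces the stash), a failed close would leave an incomplete stash reported as success; `if (retval == 0) retval = krb5_kt_close(context, kt); else (void) krb5_kt_close(context, kt);` keeps the first error. A NULL `keylist` also passes through the loop with retval 0 and produces a stash containing no keys; rejecting it up front (for example with `EINVAL`, or the project's usual error code) avoids silently writing an unusable stash. Since the next hunk removes the close from the `out:` label, any `goto out` taken between the keytab open and this loop would now leak the handle — worth checking the part of the function that lies outside the hunks.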
@@ -227,12 +231,27 @@
 out:
     if (tmp_ktname != NULL)
         free(tmp_ktname);
-    if (kt)
-	krb5_kt_close(context, kt);
 
     return retval;
 }
 
+krb5_error_code
+krb5_def_store_mkey(krb5_context   context,
+                    char           *keyfile,
+                    krb5_principal mname,
+                    krb5_kvno      kvno,
+                    krb5_keyblock  *key,
+                    char           *master_pwd)
+{
+    krb5_keylist_node list;
+
+    list.kvno = kvno;
+    list.keyblock = *key;
+    list.next = NULL;
+    return krb5_def_store_mkey_list(context, keyfile, mname, &list,
+				    master_pwd);
+}
+
 static krb5_error_code
 krb5_db_def_fetch_mkey_stash(krb5_context   context,
 			     const char *keyfile,
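Review bot: krb5_def_store_mkey now builds a one-node list on the stack by shallow-copying `*key`, so the node shares `key->contents` with the caller and nothing in it may be freed; a comment stating this would help, e.g. `/* Single-node list on the stack; keyblock is a shallow copy of *key, so nothing here is freed. */`. If krb5_keylist_node has members beyond kvno, keyblock and next, initialising with `krb5_keylist_node list = { 0 };` before assigning the three fields would keep the rest defined rather than garbage.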

Modified: branches/mkey_migrate/src/lib/kdb/libkdb5.exports
===================================================================
--- branches/mkey_migrate/src/lib/kdb/libkdb5.exports	2009-01-29 01:19:01 UTC (rev 21826)
+++ branches/mkey_migrate/src/lib/kdb/libkdb5.exports	2009-01-29 19:07:52 UTC (rev 21827)
@@ -27,6 +27,7 @@
 krb5_db_setup_mkey_name
 krb5_db_unlock
 krb5_db_store_master_key
+krb5_db_store_master_key_list
 krb5_db_verify_master_key
 krb5_dbe_apw
 krb5_dbe_ark
@@ -69,6 +70,7 @@
 krb5_db_delete_policy
 krb5_db_free_policy
 krb5_def_store_mkey
+krb5_def_store_mkey_list
 krb5_db_promote
 ulog_map
 ulog_set_role

Modified: branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c	2009-01-29 01:19:01 UTC (rev 21826)
+++ branches/mkey_migrate/src/plugins/kdb/db2/db2_exp.c	2009-01-29 19:07:52 UTC (rev 21827)
@@ -263,7 +263,7 @@
   /* get_master_key */			       wrap_krb5_db2_db_get_mkey,
   /* set_master_key_list */		       wrap_krb5_db2_db_set_mkey_list,
   /* get_master_key_list */	    	       wrap_krb5_db2_db_get_mkey_list,
-  /* blah blah blah */ 0,0,0,0,0,0,0,
+  /* blah blah blah */ 0,0,0,0,0,0,0,0,
   /* promote_db */			       wrap_krb5_db2_promote_db,
   0,0,0,
 };
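Review bot: The vtable is initialised positionally, so the added `0` in `/* blah blah blah */ 0,0,0,0,0,0,0,0,` relies on counting to land store_master_key_list in the right slot; a miscount silently shifts promote_db and every later pointer. Naming each slot in a comment, as ldap_exp.c does (`/* store_master_key_list */ 0,`), or using designated initialisers if the project's compiler baseline allows C99 (`.store_master_key_list = 0,`), would make the layout self-checking.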

Modified: branches/mkey_migrate/src/plugins/kdb/ldap/ldap_exp.c
===================================================================
--- branches/mkey_migrate/src/plugins/kdb/ldap/ldap_exp.c	2009-01-29 01:19:01 UTC (rev 21826)
+++ branches/mkey_migrate/src/plugins/kdb/ldap/ldap_exp.c	2009-01-29 19:07:52 UTC (rev 21827)
@@ -85,6 +85,7 @@
   /* fetch_master_key */		       NULL /* krb5_ldap_fetch_mkey */,
   /* verify_master_key */		       NULL /* krb5_ldap_verify_master_key */,
   /* fetch_master_key_list */		       NULL,
+  /* store_master_key_list */		       NULL,
   /* Search enc type */                        NULL,
   /* Change pwd   */                           NULL
 



