svn rev #24166: trunk/src/ include/ kadmin/dbutil/ kdc/ lib/kadm5/srv/ lib/kdb/ ...

ghudson@MIT.EDU ghudson at MIT.EDU
Fri Jul 2 15:09:21 EDT 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=24166
Commit By: ghudson
Log Message:
ticket: 6749
status: open

Remove verify_master_key from the DAL table, as well as its associated
libkdb5 interface.  Callers can (and mostly already do) use
krb5_fetch_mkey_list to verify master keyblocks.  Adjust tests/create,
tests/verify, and kdb5_util dump to do so.



Changed Files:
U   trunk/src/include/kdb.h
U   trunk/src/kadmin/dbutil/dump.c
U   trunk/src/kadmin/dbutil/kdb5_util.c
U   trunk/src/kdc/main.c
U   trunk/src/lib/kadm5/srv/server_kdb.c
U   trunk/src/lib/kdb/kdb5.c
U   trunk/src/lib/kdb/kdb_default.c
U   trunk/src/lib/kdb/libkdb5.exports
U   trunk/src/plugins/kdb/db2/db2_exp.c
U   trunk/src/plugins/kdb/ldap/ldap_exp.c
U   trunk/src/tests/create/kdb5_mkdums.c
U   trunk/src/tests/verify/kdb5_verify.c
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/include/kdb.h	2010-07-02 19:09:20 UTC (rev 24166)
@@ -476,10 +476,6 @@
                                       krb5_kvno     *kvno,
                                       krb5_data     *salt,
                                       krb5_keyblock *key);
-krb5_error_code krb5_db_verify_master_key ( krb5_context   kcontext,
-                                            krb5_principal mprinc,
-                                            krb5_kvno      kvno,
-                                            krb5_keyblock  *mkey );
 krb5_error_code
 krb5_db_fetch_mkey_list( krb5_context    context,
                          krb5_principal  mname,
@@ -717,12 +713,6 @@
                         char          *db_args);
 
 krb5_error_code
-krb5_def_verify_master_key( krb5_context   context,
-                            krb5_principal mprinc,
-                            krb5_kvno      kvno,
-                            krb5_keyblock *mkey);
-
-krb5_error_code
 krb5_def_fetch_mkey_list( krb5_context            context,
                           krb5_principal        mprinc,
                           const krb5_keyblock  *mkey,
@@ -1163,28 +1153,18 @@
                                         char *db_args);
 
     /*
-     * Optional with default: Verify that the keyblock mkey is a valid master
-     * key for the realm.  This function used to be used by the KDC and
-     * kadmind, but is now used only by kdb5_util dump -mkey_convert.
-     *
-     * The default implementation retrieves the master key principal and
-     * attempts to decrypt its key with mkey.  This only works for the current
-     * master keyblock.
-     */
-    krb5_error_code (*verify_master_key)(krb5_context kcontext,
-                                         krb5_principal mprinc, krb5_kvno kvno,
-                                         krb5_keyblock *mkey);
-
-    /*
      * Optional with default: Given a keyblock for some version of the
      * database's master key, fetch the decrypted master key values from the
      * database and store the list into *mkeys_list.  The caller will free
      * *mkeys_list using a libkdb5 function which uses the standard free()
      * function, so the module must not use a custom allocator.
      *
-     * The default implementation tries the key against the current master key
-     * data and all KRB5_TL_MKEY_AUX values, which contain copies of the master
-     * keys encrypted with old master keys.
+     * The caller may not know the version number of the master key it has, in
+     * which case it will pass IGNORE_VNO.
+     *
+     * The default implementation ignores kvno and tries the key against the
+     * current master key data and all KRB5_TL_MKEY_AUX values, which contain
+     * copies of the master keys encrypted with old master keys.
      */
     krb5_error_code (*fetch_master_key_list)(krb5_context kcontext,
                                              krb5_principal mname,

Modified: trunk/src/kadmin/dbutil/dump.c
===================================================================
--- trunk/src/kadmin/dbutil/dump.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/kadmin/dbutil/dump.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -1082,6 +1082,7 @@
     kdb_log_context     *log_ctx;
     char                **db_args = 0; /* XXX */
     unsigned int        ipropx_version = IPROPX_VERSION_0;
+    krb5_keylist_node *mkeys;
 
     /*
      * Parse the arguments.
@@ -1185,15 +1186,15 @@
                         "while reading master key");
                 exit(1);
             }
-            retval = krb5_db_verify_master_key(util_context,
-                                               master_princ,
-                                               IGNORE_VNO,
-                                               &master_keyblock);
+            retval = krb5_db_fetch_mkey_list(util_context, master_princ,
+                                             &master_keyblock, IGNORE_VNO,
+                                             &mkeys);
             if (retval) {
                 com_err(progname, retval,
                         "while verifying master key");
                 exit(1);
             }
+            krb5_db_free_mkey_list(util_context, mkeys);
         }
         new_master_keyblock.enctype = global_params.enctype;
         if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN)
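Review bot: `mkeys` is used here purely as a throwaway to verify master_keyblock and is freed on the very next line, but nothing says so, and a reader of this dump routine would expect the fetched list to be used for the conversion that follows. Add a comment above the call, `/* Fetch the master key list only to verify master_keyblock; the list itself is not needed here. */`, and initialize the declaration in the preceding hunk as `krb5_keylist_node *mkeys = NULL;` so the pointer has a defined value on every path. The same fetch-then-free pattern without a comment appears in kdb5_mkdums.c and kdb5_verify.c in this commit. The enclosing function starts and ends outside the hunk.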

Modified: trunk/src/kadmin/dbutil/kdb5_util.c
===================================================================
--- trunk/src/kadmin/dbutil/kdb5_util.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/kadmin/dbutil/kdb5_util.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -491,16 +491,6 @@
             return(0);
         }
     }
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
-    /* krb5_db_fetch_mkey_list will verify the mkey */
-    if ((retval = krb5_db_verify_master_key(util_context, master_princ,
-                                            master_kvno, &master_keyblock))) {
-        com_err(progname, retval, "while verifying master key");
-        exit_status++;
-        krb5_free_keyblock_contents(util_context, &master_keyblock);
-        return(1);
-    }
-#endif /**************** END IFDEF'ed OUT *******************************/
 
     if ((retval = krb5_db_fetch_mkey_list(util_context, master_princ,
                                           &master_keyblock, master_kvno,

Modified: trunk/src/kdc/main.c
===================================================================
--- trunk/src/kdc/main.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/kdc/main.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -423,23 +423,6 @@
                 rdp->realm_mpname, realm);
         goto whoops;
     }
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
-    /*
-     * Commenting krb5_db_verify_master_key out because it requires the most
-     * current mkey which may not be the case here.  The call to
-     * krb5_db_fetch_mkey_list() will end up verifying that the mkey is viable
-     * anyway.
-     */
-    /* Verify the master key */
-    if ((kret = krb5_db_verify_master_key(rdp->realm_context,
-                                          rdp->realm_mprinc,
-                                          IGNORE_VNO,
-                                          &rdp->realm_mkey))) {
-        kdc_err(rdp->realm_context, kret,
-                "while verifying master key for realm %s", realm);
-        goto whoops;
-    }
-#endif /**************** END IFDEF'ed OUT *******************************/
 
     if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc,
                                         &rdp->realm_mkey, mkvno, &rdp->mkey_list))) {

Modified: trunk/src/lib/kadm5/srv/server_kdb.c
===================================================================
--- trunk/src/lib/kadm5/srv/server_kdb.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/lib/kadm5/srv/server_kdb.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -72,18 +72,6 @@
     if (ret)
         goto done;
 
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
-    /*
-     * krb5_db_fetch_mkey_list will verify mkey so don't call
-     * krb5_db_verify_master_key()
-     */
-    if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
-                                         IGNORE_VNO, &master_keyblock))) {
-        krb5_db_fini(handle->context);
-        return ret;
-    }
-#endif /**************** END IFDEF'ed OUT *******************************/
-
     if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
                                        &master_keyblock, mkvno, &master_keylist))) {
         krb5_db_fini(handle->context);

Modified: trunk/src/lib/kdb/kdb5.c
===================================================================
--- trunk/src/lib/kdb/kdb5.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/lib/kdb/kdb5.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -252,8 +252,6 @@
         lib->vftabl.get_master_key_list = kdb_def_get_mkey_list;
     if (lib->vftabl.fetch_master_key == NULL)
         lib->vftabl.fetch_master_key = krb5_db_def_fetch_mkey;
-    if (lib->vftabl.verify_master_key == NULL)
-        lib->vftabl.verify_master_key = krb5_def_verify_master_key;
     if (lib->vftabl.fetch_master_key_list == NULL)
         lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list;
     if (lib->vftabl.store_master_key_list == NULL)
@@ -1278,23 +1276,6 @@
 }
 
 krb5_error_code
-krb5_db_verify_master_key(krb5_context     kcontext,
-                          krb5_principal   mprinc,
-                          krb5_kvno        kvno,
-                          krb5_keyblock  * mkey)
-{
-    krb5_error_code status = 0;
-    kdb_vftabl *v;
-
-    status = get_vftabl(kcontext, &v);
-    if (status)
-        return status;
-    if (v->verify_master_key == NULL)
-        return KRB5_KDB_DBTYPE_NOSUP;
-    return v->verify_master_key(kcontext, mprinc, kvno, mkey);
-}
-
-krb5_error_code
 krb5_dbe_fetch_act_key_list(krb5_context         context,
                             krb5_principal       princ,
                             krb5_actkvno_node  **act_key_list)

Modified: trunk/src/lib/kdb/kdb_default.c
===================================================================
--- trunk/src/lib/kdb/kdb_default.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/lib/kdb/kdb_default.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -434,64 +434,7 @@
         return 0;
 }
 
-/*
- * Note, this verifies that the input mkey is currently protecting all the mkeys
- */
 krb5_error_code
-krb5_def_verify_master_key(krb5_context    context,
-                           krb5_principal  mprinc,
-                           krb5_kvno       kvno,
-                           krb5_keyblock   *mkey)
-{
-    krb5_error_code retval;
-    krb5_db_entry master_entry;
-    int nprinc;
-    krb5_boolean more;
-    krb5_keyblock tempkey;
-
-    nprinc = 1;
-    if ((retval = krb5_db_get_principal(context, mprinc,
-                                        &master_entry, &nprinc, &more)))
-        return(retval);
-
-    if (nprinc != 1) {
-        if (nprinc)
-            krb5_db_free_principal(context, &master_entry, nprinc);
-        return(KRB5_KDB_NOMASTERKEY);
-    } else if (more) {
-        krb5_db_free_principal(context, &master_entry, nprinc);
-        return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
-    }
-
-    if ((retval = krb5_dbe_decrypt_key_data(context, mkey,
-                                            &master_entry.key_data[0],
-                                            &tempkey, NULL))) {
-        krb5_db_free_principal(context, &master_entry, nprinc);
-        return retval;
-    }
-
-    if (mkey->length != tempkey.length ||
-        memcmp((char *)mkey->contents,
-               (char *)tempkey.contents,mkey->length)) {
-        retval = KRB5_KDB_BADMASTERKEY;
-    }
-
-    if (kvno != IGNORE_VNO &&
-        kvno != (krb5_kvno) master_entry.key_data->key_data_kvno) {
-        retval = KRB5_KDB_BADMASTERKEY;
-        krb5_set_error_message (context, retval,
-                                "User specified mkeyVNO (%u) does not match master key princ's KVNO (%u)",
-                                kvno, master_entry.key_data->key_data_kvno);
-    }
-
-    zap((char *)tempkey.contents, tempkey.length);
-    free(tempkey.contents);
-    krb5_db_free_principal(context, &master_entry, nprinc);
-
-    return retval;
-}
-
-krb5_error_code
 krb5_def_fetch_mkey_list(krb5_context        context,
                          krb5_principal        mprinc,
                          const krb5_keyblock  *mkey,

Modified: trunk/src/lib/kdb/libkdb5.exports
===================================================================
--- trunk/src/lib/kdb/libkdb5.exports	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/lib/kdb/libkdb5.exports	2010-07-02 19:09:20 UTC (rev 24166)
@@ -27,7 +27,6 @@
 krb5_db_unlock
 krb5_db_store_master_key
 krb5_db_store_master_key_list
-krb5_db_verify_master_key
 krb5_dbe_apw
 krb5_dbe_ark
 krb5_dbe_cpw

Modified: trunk/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- trunk/src/plugins/kdb/db2/db2_exp.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/plugins/kdb/db2/db2_exp.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -246,7 +246,7 @@
     /* free */                          krb5_db2_free,
     /* set_master_key_list */           wrap_krb5_db2_set_mkey_list,
     /* get_master_key_list */           wrap_krb5_db2_get_mkey_list,
-    /* blah blah blah */ 0,0,0,0,0,0,0,
+    /* blah blah blah */ 0,0,0,0,0,0,
     /* promote_db */                    wrap_krb5_db2_promote_db,
     0, 0,
     /* invoke */                        wrap_krb5_db2_invoke
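Review bot: Removing one `0` from the `/* blah blah blah */ 0,0,0,0,0,0,` run is the only thing that keeps every later slot (promote_db, invoke) aligned with the kdb_vftabl layout, and nothing in this file makes it checkable that the count is right; a miscount would bind the wrong function to a slot with no compiler diagnostic. The ldap_exp.c initializer in this same commit names each slot in a comment, which at least lets a reviewer count, so the db2 table should do the same rather than carry an opaque placeholder comment. If the project's compiler baseline allows C99 designated initializers, `.promote_db = wrap_krb5_db2_promote_db,` and `.invoke = wrap_krb5_db2_invoke,` would make the positional padding unnecessary altogether. The initializer starts outside the hunk.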

Modified: trunk/src/plugins/kdb/ldap/ldap_exp.c
===================================================================
--- trunk/src/plugins/kdb/ldap/ldap_exp.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/plugins/kdb/ldap/ldap_exp.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -76,7 +76,6 @@
     /* get_master_key_list */               krb5_ldap_get_mkey_list,
     /* store_master_key */                  NULL,
     /* fetch_master_key */                  NULL /* krb5_ldap_fetch_mkey */,
-    /* verify_master_key */                 NULL /* krb5_ldap_verify_master_key */,
     /* fetch_master_key_list */             NULL,
     /* store_master_key_list */             NULL,
     /* Search enc type */                   NULL,

Modified: trunk/src/tests/create/kdb5_mkdums.c
===================================================================
--- trunk/src/tests/create/kdb5_mkdums.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/tests/create/kdb5_mkdums.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -336,6 +336,7 @@
     krb5_boolean more;
     krb5_data pwd, scratch;
     char *args[2];
+    krb5_keylist_node *mkeys;
 
     /* assemble & parse the master key name */
 
@@ -392,12 +393,14 @@
     /* Done with args */
     free(args[0]);
 
-    if ((retval = krb5_db_verify_master_key(test_context, master_princ,
-                                            IGNORE_VNO, &master_keyblock))){
+    if ((retval = krb5_db_fetch_mkey_list(test_context, master_princ,
+                                          &master_keyblock, IGNORE_VNO,
+                                          &mkeys))){
         com_err(pname, retval, "while verifying master key");
         (void) krb5_db_fini(test_context);
         return(1);
     }
+    krb5_db_free_mkey_list(test_context, mkeys);
     nentries = 1;
     if ((retval = krb5_db_get_principal(test_context, master_princ,
                                         &master_entry, &nentries, &more))) {

Modified: trunk/src/tests/verify/kdb5_verify.c
===================================================================
--- trunk/src/tests/verify/kdb5_verify.c	2010-07-02 17:58:41 UTC (rev 24165)
+++ trunk/src/tests/verify/kdb5_verify.c	2010-07-02 19:09:20 UTC (rev 24166)
@@ -368,6 +368,7 @@
     krb5_boolean more;
     krb5_data pwd, scratch;
     char *args[2];
+    krb5_keylist_node *mkeys;
 
     /* assemble & parse the master key name */
 
@@ -419,12 +420,14 @@
         com_err(pname, retval, "while initializing database");
         return(1);
     }
-    if ((retval = krb5_db_verify_master_key(context, master_princ,
-                                            IGNORE_VNO, &master_keyblock))) {
+    if ((retval = krb5_db_fetch_mkey_list(context, master_princ,
+                                          &master_keyblock, IGNORE_VNO,
+                                          &mkeys))) {
         com_err(pname, retval, "while verifying master key");
         (void) krb5_db_fini(context);
         return(1);
     }
+    krb5_db_free_mkey_list(context, mkeys);
     nentries = 1;
     if ((retval = krb5_db_get_principal(context, master_princ, &master_entry,
                                         &nentries, &more))) {



