svn rev #25781: trunk/src/ include/ kadmin/dbutil/ kadmin/server/ kdc/ lib/kadm5/srv/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed Mar 21 12:57:05 EDT 2012
http://src.mit.edu/fisheye/changelog/krb5/?cs=25781
Commit By: ghudson
Log Message:
Only store master mey list in DAL handle
r24314 (#6778) created a hybrid ownership model for the master key
list, with one virtual copy stored in the DAL handle and one provided
to the caller of krb5_db_fetch_mkey_list. Replace this with a model
where only the DAL handle owns the list, and a caller can get access
to an alias pointer with a new function krb5_db_mkey_list_alias().
Functions which previously accepted the master key list as an input
parameter now expect to find it in the DAL handle.
Patch by Will Fiveash <will.fiveash at oracle.com>.
Changed Files:
U trunk/src/include/kdb.h
U trunk/src/kadmin/dbutil/dump.c
U trunk/src/kadmin/dbutil/kdb5_mkey.c
U trunk/src/kadmin/dbutil/kdb5_stash.c
U trunk/src/kadmin/dbutil/kdb5_util.c
U trunk/src/kadmin/dbutil/kdb5_util.h
U trunk/src/kadmin/server/ovsec_kadmd.c
U trunk/src/kdc/extern.h
U trunk/src/kdc/main.c
U trunk/src/lib/kadm5/srv/libkadm5srv_mit.exports
U trunk/src/lib/kadm5/srv/server_kdb.c
U trunk/src/lib/kadm5/srv/svr_principal.c
U trunk/src/lib/kdb/kdb5.c
U trunk/src/lib/kdb/kdb5.h
U trunk/src/lib/kdb/kdb_default.c
U trunk/src/lib/kdb/libkdb5.exports
U trunk/src/tests/create/kdb5_mkdums.c
U trunk/src/tests/verify/kdb5_verify.c
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/include/kdb.h 2012-03-21 16:57:05 UTC (rev 25781)
@@ -377,7 +377,6 @@
krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext,
char *keyfile,
krb5_principal mname,
- krb5_keylist_node *keylist,
char *master_pwd);
krb5_error_code krb5_db_fetch_mkey ( krb5_context context,
krb5_principal mname,
@@ -391,15 +390,7 @@
krb5_error_code
krb5_db_fetch_mkey_list( krb5_context context,
krb5_principal mname,
- const krb5_keyblock * mkey,
- krb5_kvno mkvno,
- krb5_keylist_node **mkeys_list );
-/**
- * Free a master keylist.
- */
-void
-krb5_db_free_mkey_list( krb5_context context,
- krb5_keylist_node *mkey_list );
+ const krb5_keyblock * mkey );
krb5_error_code
krb5_dbe_find_enctype( krb5_context kcontext,
@@ -451,14 +442,12 @@
krb5_error_code
krb5_dbe_find_act_mkey( krb5_context context,
- krb5_keylist_node * mkey_list,
krb5_actkvno_node * act_mkey_list,
krb5_kvno * act_kvno,
krb5_keyblock ** act_mkey);
krb5_error_code
krb5_dbe_find_mkey( krb5_context context,
- krb5_keylist_node * mkey_list,
krb5_db_entry * entry,
krb5_keyblock ** mkey);
@@ -468,11 +457,13 @@
krb5_db_entry * entry,
krb5_kvno * mkvno);
+krb5_keylist_node *
+krb5_db_mkey_list_alias( krb5_context kcontext );
+
/* Set *mkvno to mkvno in entry tl_data, or minimum value from mkey_list. */
krb5_error_code
krb5_dbe_get_mkvno( krb5_context context,
krb5_db_entry * entry,
- krb5_keylist_node * mkey_list,
krb5_kvno * mkvno);
krb5_error_code
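Review bot: The comment `/* Set *mkvno to mkvno in entry tl_data, or minimum value from mkey_list. */` now refers to a parameter this hunk removes; the list is read from the DAL handle, so it should read `/* Set *mkvno to mkvno in entry tl_data, or the minimum kvno in the DAL handle's master key list. */`. The new `krb5_db_mkey_list_alias()` declaration is also the only public entry here without documentation, while the `krb5_db_free_mkey_list` it replaces carried a Doxygen block; callers need to know the pointer is owned by the handle, must not be freed, and is presumably invalidated by the next successful `krb5_db_fetch_mkey_list()` or by `krb5_db_fini()` (the kdb5.c side of this commit frees the old list on refetch). A short `/** ... */` stating ownership, the no-free rule and that lifetime would cover it.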
@@ -698,7 +689,6 @@
krb5_def_fetch_mkey_list( krb5_context context,
krb5_principal mprinc,
const krb5_keyblock *mkey,
- krb5_kvno mkvno,
krb5_keylist_node **mkeys_list);
krb5_error_code
@@ -1092,7 +1082,6 @@
krb5_error_code (*fetch_master_key_list)(krb5_context kcontext,
krb5_principal mname,
const krb5_keyblock *key,
- krb5_kvno kvno,
krb5_keylist_node **mkeys_list);
/*
Modified: trunk/src/kadmin/dbutil/dump.c
===================================================================
--- trunk/src/kadmin/dbutil/dump.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/kadmin/dbutil/dump.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -295,7 +295,7 @@
krb5_keyblock *tmp_mkey;
key_data = &db_entry->key_data[i];
- retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey);
+ retval = krb5_dbe_find_mkey(context, db_entry, &tmp_mkey);
if (retval)
return retval;
retval = krb5_dbe_decrypt_key_data(context, tmp_mkey, key_data,
@@ -1078,7 +1078,6 @@
bool_t dump_sno = FALSE;
kdb_log_context *log_ctx;
unsigned int ipropx_version = IPROPX_VERSION_0;
- krb5_keylist_node *mkeys;
/*
* Parse the arguments.
@@ -1182,13 +1181,11 @@
exit(1);
}
retval = krb5_db_fetch_mkey_list(util_context, master_princ,
- &master_keyblock, IGNORE_VNO,
- &mkeys);
+ &master_keyblock);
if (retval) {
com_err(progname, retval, _("while verifying master key"));
exit(1);
}
- krb5_db_free_mkey_list(util_context, mkeys);
}
new_master_keyblock.enctype = global_params.enctype;
if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN)
Modified: trunk/src/kadmin/dbutil/kdb5_mkey.c
===================================================================
--- trunk/src/kadmin/dbutil/kdb5_mkey.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/kadmin/dbutil/kdb5_mkey.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -32,7 +32,6 @@
extern krb5_keyblock master_keyblock; /* current mkey */
extern krb5_kvno master_kvno;
extern krb5_principal master_princ;
-extern krb5_keylist_node *master_keylist;
extern krb5_data master_salt;
extern char *mkey_password;
extern char *progname;
@@ -77,6 +76,7 @@
krb5_key_data tmp_key_data, *old_key_data;
krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data;
krb5_keylist_node *keylist_node;
+ krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(context);
/* do this before modifying master_entry key_data */
new_mkey_kvno = get_next_kvno(context, master_entry);
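Review bot: The alias taken in `krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(context);` is held for the rest of this function, but nothing in the hunk checks it for NULL, and the function body continues outside the hunk. `open_db_and_mkey()` in kdb5_util.c deliberately continues after a failed `krb5_db_fetch_mkey_list()` ("proceeding without master key list"), so a NULL list is a reachable state here; two other sites this commit touches in this file guard with `if (master_keylist == NULL)`, and this one should too, `if (master_keylist == NULL) return KRB5_KDB_DBNOTINITED;` (adjusted to whatever this function's error convention is — its signature is not visible). Since the handle frees the old list whenever `krb5_db_fetch_mkey_list()` succeeds again, a comment noting that this alias must not be used across any refetch would help the next maintainer.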
@@ -372,6 +372,7 @@
krb5_db_entry *master_entry;
krb5_keylist_node *keylist_node;
krb5_boolean inserted = FALSE;
+ krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
memset(&master_princ, 0, sizeof(master_princ));
@@ -577,6 +578,7 @@
krb5_db_entry *master_entry;
krb5_keylist_node *cur_kb_node;
krb5_keyblock *act_mkey;
+ krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
if (master_keylist == NULL) {
com_err(progname, 0, _("master keylist not initialized"));
@@ -613,8 +615,8 @@
if (actkvno_list == NULL) {
act_kvno = master_entry->key_data[0].key_data_kvno;
} else {
- retval = krb5_dbe_find_act_mkey(util_context, master_keylist,
- actkvno_list, &act_kvno, &act_mkey);
+ retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
+ &act_mkey);
if (retval == KRB5_KDB_NOACTMASTERKEY) {
/* Maybe we went through a time warp, and the only keys
with activation dates have them set in the future? */
@@ -834,7 +836,7 @@
goto skip;
}
p->re_match_count++;
- retval = krb5_dbe_get_mkvno(util_context, ent, master_keylist, &old_mkvno);
+ retval = krb5_dbe_get_mkvno(util_context, ent, &old_mkvno);
if (retval) {
com_err(progname, retval,
_("determining master key used for principal '%s'"), pname);
@@ -934,6 +936,7 @@
#endif
char *regexp = NULL;
krb5_keyblock *tmp_keyblock = NULL;
+ krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
while ((optchar = getopt(argc, argv, "fnv")) != -1) {
switch (optchar) {
@@ -1023,8 +1026,7 @@
master_entry->n_key_data,
master_entry->key_data);
- retval = krb5_dbe_find_mkey(util_context, master_keylist,
- master_entry, &tmp_keyblock);
+ retval = krb5_dbe_find_mkey(util_context, master_entry, &tmp_keyblock);
if (retval) {
com_err(progname, retval, _("retrieving the most recent master key"));
exit_status++;
@@ -1071,7 +1073,6 @@
cleanup:
free(regexp);
memset(&new_master_keyblock, 0, sizeof(new_master_keyblock));
- krb5_free_keyblock(util_context, tmp_keyblock);
krb5_free_unparsed_name(util_context, mkey_fullname);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
}
@@ -1098,7 +1099,7 @@
args = (struct purge_args *) ptr;
- retval = krb5_dbe_get_mkvno(args->kcontext, entry, master_keylist, &mkvno);
+ retval = krb5_dbe_get_mkvno(args->kcontext, entry, &mkvno);
if (retval)
return (retval);
@@ -1129,6 +1130,17 @@
krb5_mkey_aux_node *mkey_aux_list = NULL, *mkey_aux_entry, *prev_mkey_aux_entry;
krb5_key_data *old_key_data;
+ /*
+ * Verify that the master key list has been initialized before doing
+ * anything else.
+ */
+ if (krb5_db_mkey_list_alias(util_context) == NULL) {
+ com_err(progname, KRB5_KDB_DBNOTINITED,
+ _("master keylist not initialized"));
+ exit_status++;
+ return;
+ }
+
memset(&master_princ, 0, sizeof(master_princ));
memset(&args, 0, sizeof(args));
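Review bot: The new guard reports `KRB5_KDB_DBNOTINITED`, while the identical pre-existing check in the hunk above (`com_err(progname, 0, _("master keylist not initialized"));`, which this commit also touches) still passes `0`, so two commands in the same file print different diagnostics for the same condition; change that one to `com_err(progname, KRB5_KDB_DBNOTINITED, _("master keylist not initialized"));` to match. Hoisting the check ahead of option parsing is fine as far as this hunk shows, since nothing is allocated before the early return.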
@@ -1152,12 +1164,6 @@
}
}
- if (master_keylist == NULL) {
- com_err(progname, 0, _("master keylist not initialized"));
- exit_status++;
- return;
- }
-
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
Modified: trunk/src/kadmin/dbutil/kdb5_stash.c
===================================================================
--- trunk/src/kadmin/dbutil/kdb5_stash.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/kadmin/dbutil/kdb5_stash.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -56,7 +56,6 @@
#include "kdb5_util.h"
extern krb5_keyblock master_keyblock;
-extern krb5_keylist_node *master_keylist;
extern krb5_principal master_princ;
extern kadm5_config_params global_params;
@@ -119,8 +118,7 @@
}
retval = krb5_db_fetch_mkey_list(util_context, master_princ,
- &master_keyblock, mkey_kvno,
- &master_keylist);
+ &master_keyblock);
if (retval) {
com_err(progname, retval, _("while getting master key list"));
exit_status++; return;
@@ -130,7 +128,7 @@
}
retval = krb5_db_store_master_key_list(util_context, keyfile, master_princ,
- master_keylist, NULL);
+ NULL);
if (retval) {
com_err(progname, errno, _("while storing key"));
exit_status++; return;
Modified: trunk/src/kadmin/dbutil/kdb5_util.c
===================================================================
--- trunk/src/kadmin/dbutil/kdb5_util.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/kadmin/dbutil/kdb5_util.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -106,7 +106,6 @@
krb5_keyblock master_keyblock;
krb5_kvno master_kvno; /* fetched */
-extern krb5_keylist_node *master_keylist;
extern krb5_principal master_princ;
krb5_db_entry *master_entry = NULL;
int valid_master_key = 0;
@@ -485,8 +484,7 @@
}
if ((retval = krb5_db_fetch_mkey_list(util_context, master_princ,
- &master_keyblock, master_kvno,
- &master_keylist))) {
+ &master_keyblock))) {
com_err(progname, retval, "while getting master key list");
com_err(progname, 0, "Warning: proceeding without master key list");
exit_status++;
@@ -501,7 +499,6 @@
exit_status++;
memset(master_keyblock.contents, 0, master_keyblock.length);
krb5_free_keyblock_contents(util_context, &master_keyblock);
- krb5_db_free_mkey_list(util_context, master_keylist);
return(1);
}
@@ -532,7 +529,6 @@
if (finished)
return 0;
- krb5_db_free_mkey_list(util_context, master_keylist);
retval = krb5_db_fini(util_context);
memset(master_keyblock.contents, 0, master_keyblock.length);
finished = TRUE;
@@ -605,7 +601,7 @@
free_keysalts = 1;
/* Find the mkey used to protect the existing keys */
- ret = krb5_dbe_find_mkey(util_context, master_keylist, dbent, &tmp_mkey);
+ ret = krb5_dbe_find_mkey(util_context, dbent, &tmp_mkey);
if (ret) {
com_err(me, ret, _("while finding mkey"));
krb5_db_free_principal(util_context, dbent);
Modified: trunk/src/kadmin/dbutil/kdb5_util.h
===================================================================
--- trunk/src/kadmin/dbutil/kdb5_util.h 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/kadmin/dbutil/kdb5_util.h 2012-03-21 16:57:05 UTC (rev 25781)
@@ -44,7 +44,6 @@
extern char **db5util_db_args;
extern int db5util_db_args_size;
extern krb5_kvno new_mkvno;
-extern krb5_keylist_node *master_keylist;
extern krb5_keyblock new_master_keyblock;
extern int add_db_arg(char *arg);
Modified: trunk/src/kadmin/server/ovsec_kadmd.c
===================================================================
--- trunk/src/kadmin/server/ovsec_kadmd.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/kadmin/server/ovsec_kadmd.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -69,8 +69,6 @@
gss_name_t gss_kadmin_name = NULL;
void *global_server_handle;
-extern krb5_keylist_node *master_keylist;
-
char *build_princ_name(char *name, char *realm);
void log_badauth(OM_uint32 major, OM_uint32 minor,
struct sockaddr_in *addr, char *data);
Modified: trunk/src/kdc/extern.h
===================================================================
--- trunk/src/kdc/extern.h 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/kdc/extern.h 2012-03-21 16:57:05 UTC (rev 25781)
@@ -51,10 +51,9 @@
krb5_principal realm_mprinc; /* Master principal for realm */
/*
* Note realm_mkey is mkey read from stash or keyboard and may not be the
- * latest. The mkey_list will have all the mkeys in use.
+ * latest.
*/
krb5_keyblock realm_mkey; /* Master key for this realm */
- krb5_keylist_node * mkey_list; /* list of mkeys in use for this realm */
/*
* TGS per-realm data.
*/
@@ -88,7 +87,6 @@
#define max_life_for_realm kdc_active_realm->realm_maxlife
#define max_renewable_life_for_realm kdc_active_realm->realm_maxrlife
#define master_keyblock kdc_active_realm->realm_mkey
-#define master_keylist kdc_active_realm->mkey_list
#define master_princ kdc_active_realm->realm_mprinc
#define tgs_server kdc_active_realm->realm_tgsprinc
#define reject_bad_transit kdc_active_realm->realm_reject_bad_transit
Modified: trunk/src/kdc/main.c
===================================================================
--- trunk/src/kdc/main.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/kdc/main.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -179,8 +179,6 @@
memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length);
free(rdp->realm_mkey.contents);
}
- if (rdp->mkey_list)
- krb5_dbe_free_key_list(rdp->realm_context, rdp->mkey_list);
krb5_db_fini(rdp->realm_context);
if (rdp->realm_tgsprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc);
@@ -427,7 +425,7 @@
}
if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc,
- &rdp->realm_mkey, mkvno, &rdp->mkey_list))) {
+ &rdp->realm_mkey))) {
kdc_err(rdp->realm_context, kret,
_("while fetching master keys list for realm %s"), realm);
goto whoops;
Modified: trunk/src/lib/kadm5/srv/libkadm5srv_mit.exports
===================================================================
--- trunk/src/lib/kadm5/srv/libkadm5srv_mit.exports 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/lib/kadm5/srv/libkadm5srv_mit.exports 2012-03-21 16:57:05 UTC (rev 25781)
@@ -84,7 +84,6 @@
krb5_string_to_keysalts
krb5_match_config_pattern
master_db
-master_keylist
master_princ
osa_free_princ_ent
passwd_check
Modified: trunk/src/lib/kadm5/srv/server_kdb.c
===================================================================
--- trunk/src/lib/kadm5/srv/server_kdb.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/lib/kadm5/srv/server_kdb.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -18,7 +18,6 @@
krb5_principal master_princ;
krb5_keyblock master_keyblock; /* local mkey */
-krb5_keylist_node *master_keylist = NULL;
krb5_actkvno_node *active_mkey_list = NULL;
krb5_db_entry master_db;
@@ -69,7 +68,7 @@
goto done;
if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
- &master_keyblock, mkvno, &master_keylist))) {
+ &master_keyblock))) {
krb5_db_fini(handle->context);
return (ret);
}
@@ -192,7 +191,7 @@
goto done;
}
- ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb, &mkey);
+ ret = krb5_dbe_find_mkey(handle->context, kdb, &mkey);
if (ret)
goto done;
Modified: trunk/src/lib/kadm5/srv/svr_principal.c
===================================================================
--- trunk/src/lib/kadm5/srv/svr_principal.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/lib/kadm5/srv/svr_principal.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -25,7 +25,6 @@
extern krb5_principal master_princ;
extern krb5_principal hist_princ;
extern krb5_keyblock master_keyblock;
-extern krb5_keylist_node *master_keylist;
extern krb5_actkvno_node *active_mkey_list;
extern krb5_db_entry master_db;
@@ -364,8 +363,8 @@
/* initialize the keys */
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_kvno, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
+ &act_mkey);
if (ret)
goto cleanup;
@@ -869,8 +868,7 @@
entry->kvno = kdb->key_data[i].key_data_kvno;
if (mask & KADM5_MKVNO) {
- ret = krb5_dbe_get_mkvno(handle->context, kdb, master_keylist,
- &entry->mkvno);
+ ret = krb5_dbe_get_mkvno(handle->context, kdb, &entry->mkvno);
if (ret)
goto done;
}
@@ -1385,8 +1383,8 @@
principal)))
goto done;
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_kvno, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
+ &act_mkey);
if (ret)
goto done;
@@ -1579,8 +1577,8 @@
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
+ &act_mkey);
if (ret)
goto done;
@@ -1727,8 +1725,8 @@
keysalt.data.length = 0;
keysalt.data.data = NULL;
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
+ &act_mkey);
if (ret)
goto done;
@@ -1931,8 +1929,8 @@
}
memset (&tmp_key_data, 0, sizeof(tmp_key_data));
- ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, NULL, &act_mkey);
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
+ &act_mkey);
if (ret)
goto done;
@@ -2178,17 +2176,13 @@
/* find_mkey only uses this field */
dbent.tl_data = entry->tl_data;
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &dbent,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
+ if ((ret = krb5_dbe_find_mkey(handle->context, &dbent, &mkey_ptr))) {
/* try refreshing master key list */
/* XXX it would nice if we had the mkvno here for optimization */
if (krb5_db_fetch_mkey_list(handle->context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(handle->context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist,
- &dbent, &mkey_ptr))) {
+ &master_keyblock) == 0) {
+ if ((ret = krb5_dbe_find_mkey(handle->context, &dbent,
+ &mkey_ptr))) {
return ret;
}
} else {
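Review bot: The refresh path now calls `krb5_db_fetch_mkey_list()` on the handle, which on success frees the previous list (kdb5.c in this same commit), so any `krb5_keyblock *` obtained earlier in the call chain from `krb5_dbe_find_act_mkey()`, `krb5_dbe_find_mkey()` or `krb5_db_mkey_list_alias()` dangles after this point; before this change the swap of the caller-owned `master_keylist` happened explicitly here and the hazard was visible at the site. I cannot see a caller in this file that holds such a pointer across a call into this function, but the invariant is no longer enforced by ownership, so it should at least be stated: `/* NOTE: a successful refetch frees the old master key list; no mkey alias may be held across this call. */`. The `else` branch and the rest of this function fall outside the hunk.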
Modified: trunk/src/lib/kdb/kdb5.c
===================================================================
--- trunk/src/lib/kdb/kdb5.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/lib/kdb/kdb5.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -64,6 +64,18 @@
MAKE_INIT_FUNCTION(kdb_init_lock_list);
MAKE_FINI_FUNCTION(kdb_fini_lock_list);
+static void
+free_mkey_list(krb5_context context, krb5_keylist_node *mkey_list)
+{
+ krb5_keylist_node *cur, *next;
+
+ for (cur = mkey_list; cur != NULL; cur = next) {
+ next = cur->next;
+ krb5_free_keyblock_contents(context, &cur->keyblock);
+ krb5_xfree(cur);
+ }
+}
+
int
kdb_init_lock_list()
{
@@ -569,16 +581,12 @@
kdb_free_lib_handle(krb5_context kcontext)
{
krb5_error_code status = 0;
- krb5_keylist_node *old_keylist = kcontext->dal_handle->master_keylist;
status = kdb_free_library(kcontext->dal_handle->lib_handle);
if (status)
return status;
- /* The dal_handle holds an alias to the most recent mkey_list. */
- if (kcontext->dal_handle->free_keylist) {
- kcontext->dal_handle->master_keylist = NULL; /* Force freeing. */
- krb5_db_free_mkey_list(kcontext, old_keylist);
- }
+
+ free_mkey_list(kcontext, kcontext->dal_handle->master_keylist);
krb5_free_principal(kcontext, kcontext->dal_handle->master_princ);
free(kcontext->dal_handle);
kcontext->dal_handle = NULL;
@@ -1011,10 +1019,16 @@
return v->iterate(kcontext, match_entry, func, func_arg);
}
+/* Return a read only pointer alias to mkey list. Do not free this! */
+krb5_keylist_node *
+krb5_db_mkey_list_alias(krb5_context kcontext)
+{
+ return kcontext->dal_handle->master_keylist;
+}
+
krb5_error_code
krb5_db_fetch_mkey_list(krb5_context context, krb5_principal mname,
- const krb5_keyblock *mkey, krb5_kvno mkvno,
- krb5_keylist_node **mkey_list)
+ const krb5_keyblock *mkey)
{
kdb_vftabl *v;
krb5_error_code status = 0;
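Review bot: `krb5_db_mkey_list_alias()` dereferences `kcontext->dal_handle` unconditionally, whereas every other public entry point in this file goes through `get_vftabl()`, which sets the handle up and leaves it NULL when the KDB library fails to load; called before a successful `krb5_db_open()` this is a NULL dereference rather than the "not initialized" condition the new callers in kdb5_mkey.c test for. A guard `if (kcontext->dal_handle == NULL) return NULL;` keeps those `== NULL` checks meaningful. The comment should also state the lifetime, e.g. `/* Return a read-only alias to the handle's mkey list. Owned by the handle: freed by the next successful krb5_db_fetch_mkey_list() or by krb5_db_fini(). Do not free. */`.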
@@ -1023,70 +1037,49 @@
status = get_vftabl(context, &v);
if (status)
return status;
+
if (!context->dal_handle->master_princ) {
status = krb5_copy_principal(context, mname,
&context->dal_handle->master_princ);
if (status)
return status;
}
- if (mkey_list == NULL)
- mkey_list = &local_keylist;
- status = v->fetch_master_key_list(context, mname, mkey, mkvno, mkey_list);
+
+ status = v->fetch_master_key_list(context, mname, mkey, &local_keylist);
if (status == 0) {
- /* The dal_handle holds an alias to the most recent master_keylist. */
- krb5_keylist_node *old_keylist = context->dal_handle->master_keylist;
- context->dal_handle->master_keylist = *mkey_list;
- if (context->dal_handle->free_keylist)
- krb5_db_free_mkey_list(context, old_keylist);
- context->dal_handle->free_keylist = (mkey_list == &local_keylist);
+ free_mkey_list(context, context->dal_handle->master_keylist);
+ context->dal_handle->master_keylist = local_keylist;
}
return status;
}
-void
-krb5_db_free_mkey_list(krb5_context context, krb5_keylist_node *mkey_list)
-{
- krb5_keylist_node *cur, *prev;
-
- /*
- * The dal_handle holds onto the most recent master keylist that has been
- * fetched throughout the lifetime of the context; if this function is
- * called on that keylist, then the dal_handle is updated to indicate that
- * the keylist should be freed on next call to krb5_db_fetch_mkey_list() or
- * when the database is closed. Otherwise, the master_keylist is freed.
- * Either way, the caller must not access this master keylist after calling
- * this function.
- */
- if (context && context->dal_handle->master_keylist == mkey_list) {
- context->dal_handle->free_keylist = 1;
- return;
- }
- for (cur = mkey_list; cur != NULL;) {
- prev = cur;
- cur = cur->next;
- krb5_free_keyblock_contents(context, &prev->keyblock);
- krb5_xfree(prev);
- }
-}
-
krb5_error_code
krb5_db_store_master_key(krb5_context kcontext, char *keyfile,
krb5_principal mname, krb5_kvno kvno,
krb5_keyblock * key, char *master_pwd)
{
+ krb5_error_code status = 0;
+ kdb_vftabl *v;
krb5_keylist_node list;
+ status = get_vftabl(kcontext, &v);
+ if (status)
+ return status;
+
+ if (v->store_master_key_list == NULL)
+ return KRB5_KDB_DBTYPE_NOSUP;
+
list.kvno = kvno;
list.keyblock = *key;
list.next = NULL;
- return krb5_db_store_master_key_list(kcontext, keyfile, mname, &list,
- master_pwd);
+
+ return v->store_master_key_list(kcontext, keyfile, mname,
+ &list, master_pwd);
}
krb5_error_code
krb5_db_store_master_key_list(krb5_context kcontext, char *keyfile,
- krb5_principal mname, krb5_keylist_node *keylist,
- char *master_pwd)
+ krb5_principal mname, char *master_pwd)
{
krb5_error_code status = 0;
kdb_vftabl *v;
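Review bot: On success `krb5_db_fetch_mkey_list()` now frees the list the handle previously held, which silently invalidates every pointer handed out by `krb5_db_mkey_list_alias()`, `krb5_dbe_find_mkey()` and `krb5_dbe_find_act_mkey()` (all of which return pointers into this list), where the removed `free_keylist` flag deferred that free until the caller's copy was released. The ordering inside the function is correct — `mkey` may itself point into the old list (see the refresh in `krb5_dbe_decrypt_key_data`) and it is consumed by `v->fetch_master_key_list()` before `free_mkey_list()` runs — but nothing says so; add `/* Free the old list only after the fetch: mkey may alias a keyblock in it, and any outstanding alias pointers become invalid here. */` above the `free_mkey_list()` call. `local_keylist` is declared outside the hunk, so I cannot confirm it is initialized on the failure path.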
@@ -1094,9 +1087,15 @@
status = get_vftabl(kcontext, &v);
if (status)
return status;
+
if (v->store_master_key_list == NULL)
- return KRB5_PLUGIN_OP_NOTSUPP;
- return v->store_master_key_list(kcontext, keyfile, mname, keylist,
+ return KRB5_KDB_DBTYPE_NOSUP;
+
+ if (kcontext->dal_handle->master_keylist == NULL)
+ return KRB5_KDB_DBNOTINITED;
+
+ return v->store_master_key_list(kcontext, keyfile, mname,
+ kcontext->dal_handle->master_keylist,
master_pwd);
}
@@ -1244,13 +1243,12 @@
*/
krb5_error_code
-krb5_dbe_find_act_mkey(krb5_context context, krb5_keylist_node *mkey_list,
- krb5_actkvno_node *act_mkey_list, krb5_kvno *act_kvno,
- krb5_keyblock **act_mkey)
+krb5_dbe_find_act_mkey(krb5_context context, krb5_actkvno_node *act_mkey_list,
+ krb5_kvno *act_kvno, krb5_keyblock **act_mkey)
{
krb5_kvno tmp_act_kvno;
krb5_error_code retval;
- krb5_keylist_node *cur_keyblock = mkey_list;
+ krb5_keylist_node *cur_keyblock = context->dal_handle->master_keylist;
krb5_actkvno_node *prev_actkvno, *cur_actkvno;
krb5_timestamp now;
krb5_boolean found = FALSE;
@@ -1261,6 +1259,9 @@
return 0;
}
+ if (!cur_keyblock)
+ return KRB5_KDB_DBNOTINITED;
+
if ((retval = krb5_timeofday(context, &now)))
return (retval);
@@ -1327,14 +1328,17 @@
* free the output key.
*/
krb5_error_code
-krb5_dbe_find_mkey(krb5_context context, krb5_keylist_node *mkey_list,
- krb5_db_entry *entry, krb5_keyblock **mkey)
+krb5_dbe_find_mkey(krb5_context context, krb5_db_entry *entry,
+ krb5_keyblock **mkey)
{
krb5_kvno mkvno;
krb5_error_code retval;
- krb5_keylist_node *cur_keyblock = mkey_list;
+ krb5_keylist_node *cur_keyblock = context->dal_handle->master_keylist;
- retval = krb5_dbe_get_mkvno(context, entry, mkey_list, &mkvno);
+ if (!cur_keyblock)
+ return KRB5_KDB_DBNOTINITED;
+
+ retval = krb5_dbe_get_mkvno(context, entry, &mkvno);
if (retval)
return (retval);
@@ -1614,13 +1618,14 @@
krb5_error_code
krb5_dbe_get_mkvno(krb5_context context, krb5_db_entry *entry,
- krb5_keylist_node *mkey_list, krb5_kvno *mkvno)
+ krb5_kvno *mkvno)
{
krb5_error_code code;
krb5_kvno kvno;
+ krb5_keylist_node *mkey_list = context->dal_handle->master_keylist;
if (mkey_list == NULL)
- return EINVAL;
+ return KRB5_KDB_DBNOTINITED;
/* Output the value from entry tl_data if present. */
code = krb5_dbe_lookup_mkvno(context, entry, &kvno);
@@ -2432,13 +2437,12 @@
{
krb5_error_code status = 0;
kdb_vftabl *v;
- krb5_keylist_node *n = kcontext->dal_handle->master_keylist;
krb5_keyblock *cur_mkey;
status = get_vftabl(kcontext, &v);
if (status)
return status;
- if (mkey || !n)
+ if (mkey || kcontext->dal_handle->master_keylist == NULL)
return v->decrypt_key_data(kcontext, mkey, key_data, dbkey, keysalt);
status = decrypt_iterator(kcontext, key_data, dbkey, keysalt);
if (status == 0)
@@ -2448,7 +2452,7 @@
cur_mkey = &kcontext->dal_handle->master_keylist->keyblock;
if (krb5_db_fetch_mkey_list(kcontext,
kcontext->dal_handle->master_princ,
- cur_mkey, -1, NULL) == 0)
+ cur_mkey) == 0)
return decrypt_iterator(kcontext, key_data, dbkey, keysalt);
}
return status;
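Review bot: `cur_mkey` is `&kcontext->dal_handle->master_keylist->keyblock`, a pointer into the very list that a successful `krb5_db_fetch_mkey_list()` call frees. This is not a use-after-free only because `krb5_db_fetch_mkey_list()` hands `mkey` to the backend before calling `free_mkey_list()` and `cur_mkey` is not touched afterwards; a dependency on statement order in another function deserves a comment here, `/* cur_mkey aliases the current list; krb5_db_fetch_mkey_list() frees that list only after using mkey, so do not reference cur_mkey after the call. */`, or a local copy of the keyblock taken before the call if that ordering is not meant to be a contract. The start of this function is outside the hunk.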
Modified: trunk/src/lib/kdb/kdb5.h
===================================================================
--- trunk/src/lib/kdb/kdb5.h 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/lib/kdb/kdb5.h 2012-03-21 16:57:05 UTC (rev 25781)
@@ -31,7 +31,6 @@
void *db_context;
db_library lib_handle;
krb5_keylist_node *master_keylist;
- krb5_boolean free_keylist;
krb5_principal master_princ;
};
/* typedef kdb5_dal_handle is in k5-int.h now */
Modified: trunk/src/lib/kdb/kdb_default.c
===================================================================
--- trunk/src/lib/kdb/kdb_default.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/lib/kdb/kdb_default.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -418,7 +418,6 @@
krb5_def_fetch_mkey_list(krb5_context context,
krb5_principal mprinc,
const krb5_keyblock *mkey,
- krb5_kvno mkvno,
krb5_keylist_node **mkeys_list)
{
krb5_error_code retval;
Modified: trunk/src/lib/kdb/libkdb5.exports
===================================================================
--- trunk/src/lib/kdb/libkdb5.exports 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/lib/kdb/libkdb5.exports 2012-03-21 16:57:05 UTC (rev 25781)
@@ -13,7 +13,6 @@
krb5_db_destroy
krb5_db_fetch_mkey
krb5_db_fetch_mkey_list
-krb5_db_free_mkey_list
krb5_db_fini
krb5_db_free_principal
krb5_db_get_age
@@ -22,6 +21,7 @@
krb5_db_get_principal
krb5_db_iterate
krb5_db_lock
+krb5_db_mkey_list_alias
krb5_db_put_principal
krb5_db_refresh_config
krb5_db_set_context
Modified: trunk/src/tests/create/kdb5_mkdums.c
===================================================================
--- trunk/src/tests/create/kdb5_mkdums.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/tests/create/kdb5_mkdums.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -327,7 +327,6 @@
krb5_error_code retval;
krb5_data pwd, scratch;
char *args[2];
- krb5_keylist_node *mkeys;
krb5_db_entry *master_entry;
/* assemble & parse the master key name */
@@ -386,13 +385,11 @@
free(args[0]);
if ((retval = krb5_db_fetch_mkey_list(test_context, master_princ,
- &master_keyblock, IGNORE_VNO,
- &mkeys))){
+ &master_keyblock))){
com_err(pname, retval, "while verifying master key");
(void) krb5_db_fini(test_context);
return(1);
}
- krb5_db_free_mkey_list(test_context, mkeys);
if ((retval = krb5_db_get_principal(test_context, master_princ, 0,
&master_entry))) {
com_err(pname, retval, "while retrieving master entry");
Modified: trunk/src/tests/verify/kdb5_verify.c
===================================================================
--- trunk/src/tests/verify/kdb5_verify.c 2012-03-20 17:39:04 UTC (rev 25780)
+++ trunk/src/tests/verify/kdb5_verify.c 2012-03-21 16:57:05 UTC (rev 25781)
@@ -353,7 +353,6 @@
krb5_error_code retval;
krb5_data pwd, scratch;
char *args[2];
- krb5_keylist_node *mkeys;
krb5_db_entry *master_entry;
/* assemble & parse the master key name */
@@ -407,13 +406,11 @@
return(1);
}
if ((retval = krb5_db_fetch_mkey_list(context, master_princ,
- &master_keyblock, IGNORE_VNO,
- &mkeys))) {
+ &master_keyblock))) {
com_err(pname, retval, "while verifying master key");
(void) krb5_db_fini(context);
return(1);
}
- krb5_db_free_mkey_list(context, mkeys);
if ((retval = krb5_db_get_principal(context, master_princ, 0,
&master_entry))) {
com_err(pname, retval, "while retrieving master entry");