krb5 commit: Don't cache active master key list in kadmind

Greg Hudson ghudson at MIT.EDU
Fri Oct 25 11:42:15 EDT 2013


https://github.com/krb5/krb5/commit/74c1420ea4dffc1105247e362decf608440751ae
commit 74c1420ea4dffc1105247e362decf608440751ae
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Oct 23 18:56:20 2013 -0400

    Don't cache active master key list in kadmind
    
    "kdb5_util use_mkey" should not require a kadmind restart to take
    effect.  At the cost of fetching the K/M principal once for each key
    change operation, make kadmind use the current active master key list
    for each operation.
    
    ticket: 7685
    target_version: 1.12
    tags: pullup

 src/lib/kadm5/server_internal.h   |    3 +++
 src/lib/kadm5/srv/server_kdb.c    |   25 ++++++++++++++++++-------
 src/lib/kadm5/srv/svr_principal.c |   16 +++++-----------
 3 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h
index 220e2b6..e506e12 100644
--- a/src/lib/kadm5/server_internal.h
+++ b/src/lib/kadm5/server_internal.h
@@ -78,6 +78,9 @@ kadm5_ret_t    passwd_check(kadm5_server_handle_t handle,
 kadm5_ret_t    principal_exists(krb5_principal principal);
 krb5_error_code     kdb_init_master(kadm5_server_handle_t handle,
                                     char *r, int from_keyboard);
+krb5_error_code     kdb_get_active_mkey(kadm5_server_handle_t handle,
+                                        krb5_kvno *act_kvno_out,
+                                        krb5_keyblock **act_mkey_out);
 krb5_error_code     kdb_init_hist(kadm5_server_handle_t handle,
                                   char *r);
 krb5_error_code     kdb_get_hist_key(kadm5_server_handle_t handle,
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 8a82237..20a8db7 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -18,7 +18,6 @@
 
 krb5_principal      master_princ;
 krb5_keyblock       master_keyblock; /* local mkey */
-krb5_actkvno_node   *active_mkey_list = NULL;
 krb5_db_entry       master_db;
 
 krb5_principal      hist_princ;
@@ -73,12 +72,6 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
         return (ret);
     }
 
-    if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
-                                           &active_mkey_list))) {
-        krb5_db_fini(handle->context);
-        return (ret);
-    }
-
 done:
     if (r == NULL)
         free(realm);
@@ -86,6 +79,24 @@ done:
     return(ret);
 }
 
+/* Fetch the currently active master key version number and keyblock. */
+krb5_error_code
+kdb_get_active_mkey(kadm5_server_handle_t handle, krb5_kvno *act_kvno_out,
+                    krb5_keyblock **act_mkey_out)
+{
+    krb5_error_code ret;
+    krb5_actkvno_node *active_mkey_list;
+
+    ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
+                                      &active_mkey_list);
+    if (ret)
+        return ret;
+    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list,
+                                 act_kvno_out, act_mkey_out);
+    krb5_dbe_free_actkvno_list(handle->context, active_mkey_list);
+    return ret;
+}
+
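Review bot: The ownership of `*act_mkey_out` should be stated on kdb_get_active_mkey, because `active_mkey_list` is released with krb5_dbe_free_actkvno_list before the keyblock is handed back, so the returned pointer must not alias that list. From this hunk alone it cannot be seen where krb5_dbe_find_act_mkey's output lives — presumably a keyblock in the master key list kdb_init_master loaded into the context, which stays valid after the free — and a caller reading only the header prototype cannot tell whether it owns the result. I would extend the comment on the definition to `/* Fetch the currently active master key version number and keyblock.  *act_mkey_out is a borrowed pointer into the context's master key list (not into the freed actkvno list); the caller must not free it. */` once that lifetime is confirmed. The same assumption applies to each call site in svr_principal.c, which now performs a K/M lookup per operation and propagates any fetch failure through the existing `goto` cleanup paths.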
 /*
  * Function: kdb_init_hist
  *
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d6035b0..7681636 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -25,7 +25,6 @@
 extern  krb5_principal      master_princ;
 extern  krb5_principal      hist_princ;
 extern  krb5_keyblock       master_keyblock;
-extern  krb5_actkvno_node  *active_mkey_list;
 extern  krb5_db_entry       master_db;
 
 static int decrypt_key_data(krb5_context context,
@@ -512,8 +511,7 @@ kadm5_create_principal_3(void *server_handle,
 
     /* initialize the keys */
 
-    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
-                                 &act_mkey);
+    ret = kdb_get_active_mkey(handle, &act_kvno, &act_mkey);
     if (ret)
         goto cleanup;
 
@@ -1431,8 +1429,7 @@ kadm5_chpass_principal_3(void *server_handle,
                             principal)))
         goto done;
 
-    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
-                                 &act_mkey);
+    ret = kdb_get_active_mkey(handle, &act_kvno, &act_mkey);
     if (ret)
         goto done;
 
@@ -1629,8 +1626,7 @@ kadm5_randkey_principal_3(void *server_handle,
         new_n_ks_tuple = 1;
     }
 
-    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
-                                 &act_mkey);
+    ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
     if (ret)
         goto done;
 
@@ -1779,8 +1775,7 @@ kadm5_setv4key_principal(void *server_handle,
     keysalt.data.length = 0;
     keysalt.data.data = NULL;
 
-    ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
-                                 &act_mkey);
+    ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
     if (ret)
         goto done;
 
@@ -2027,8 +2022,7 @@ kadm5_setkey_principal_3(void *server_handle,
         }
         memset (&tmp_key_data, 0, sizeof(tmp_key_data));
 
-        ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
-                                     &act_mkey);
+        ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
         if (ret)
             goto done;
 

