retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
&nentries, &more);
- if (retval != 0 || nentries != 1) {
- com_err(progname, retval, "while getting master key principal %s", mkey_fullname);
+ if (retval != 0) {
+ com_err(progname, retval,
+ "while getting master key principal %s",
+ mkey_fullname);
+ exit_status++;
+ return;
+ } else if (nentries == 0) {
+ com_err(progname, retval,
+ "principal %s not found in Kerberos database",
+ mkey_fullname);
+ exit_status++;
+ return;
+ } else if (nentries > 1) {
+ com_err(progname, retval,
+ "principal %s has multiple entries in Kerberos database",
+ mkey_fullname);
exit_status++;
return;
}
retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
&nentries, &more);
- if (retval != 0 || nentries != 1) {
- com_err(progname, retval, "while getting master key principal %s", mkey_fullname);
+ if (retval != 0) {
+ com_err(progname, retval,
+ "while getting master key principal %s",
+ mkey_fullname);
+ exit_status++;
+ return;
+ } else if (nentries == 0) {
+ com_err(progname, retval,
+ "principal %s not found in Kerberos database",
+ mkey_fullname);
+ exit_status++;
+ return;
+ } else if (nentries > 1) {
+ com_err(progname, retval,
+ "principal %s has multiple entries in Kerberos database",
+ mkey_fullname);
exit_status++;
return;
}
retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
&nentries, &more);
- if (retval != 0 || nentries != 1) {
- com_err(progname, retval, "while getting master key principal %s", mkey_fullname);
+ if (retval != 0) {
+ com_err(progname, retval,
+ "while getting master key principal %s",
+ mkey_fullname);
+ exit_status++;
+ return;
+ } else if (nentries == 0) {
+ com_err(progname, retval,
+ "principal %s not found in Kerberos database",
+ mkey_fullname);
+ exit_status++;
+ return;
+ } else if (nentries > 1) {
+ com_err(progname, retval,
+ "principal %s has multiple entries in Kerberos database",
+ mkey_fullname);
exit_status++;
return;
}
const char *status;
krb5_key_data *server_key, *client_key;
krb5_keyblock server_keyblock, client_keyblock;
- krb5_keyblock *tmp_mkey;
+ krb5_keyblock *mkey_ptr;
krb5_enctype useenctype;
krb5_boolean update_client = 0;
krb5_data e_data;
goto errout;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) {
- status = "FINDING_MASTER_KEY";
- goto errout;
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
+ &mkey_ptr))) {
+ /* try refreshing master key list */
+ /* XXX it would nice if we had the mkvno here for optimization */
+ if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
+ &master_keyblock, 0, &master_keylist) == 0) {
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
+ &server, &mkey_ptr))) {
+ status = "FINDING_MASTER_KEY";
+ goto errout;
+ }
+ } else {
+ status = "FINDING_MASTER_KEY";
+ goto errout;
+ }
}
/* convert server.key into a real key (it may be encrypted
in the database) */
- if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey,
+ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
/* server_keyblock is later used to generate auth data signatures */
server_key, &server_keyblock,
NULL))) {
goto errout;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client, &tmp_mkey))) {
- status = "FINDING_MASTER_KEY";
- goto errout;
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client,
+ &mkey_ptr))) {
+ /* try refreshing master key list */
+ /* XXX it would nice if we had the mkvno here for optimization */
+ if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
+ &master_keyblock, 0, &master_keylist) == 0) {
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
+ &client, &mkey_ptr))) {
+ status = "FINDING_MASTER_KEY";
+ goto errout;
+ }
+ } else {
+ status = "FINDING_MASTER_KEY";
+ goto errout;
+ }
}
/* convert client.key_data into a real key */
- if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey,
+ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
client_key, &client_keyblock,
NULL))) {
status = "DECRYPT_CLIENT_KEY";
krb5_keyblock session_key;
krb5_timestamp until, rtime;
krb5_keyblock encrypting_key;
- krb5_keyblock *tmp_mkey;
+ krb5_keyblock *mkey_ptr;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *altcname = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
goto cleanup;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) {
- status = "FINDING_MASTER_KEY";
- goto cleanup;
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
+ &mkey_ptr))) {
+ /* try refreshing master key list */
+ /* XXX it would nice if we had the mkvno here for optimization */
+ if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
+ &master_keyblock, 0, &master_keylist) == 0) {
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
+ &server, &mkey_ptr))) {
+ status = "FINDING_MASTER_KEY";
+ goto cleanup;
+ }
+ } else {
+ status = "FINDING_MASTER_KEY";
+ goto cleanup;
+ }
}
/* convert server.key into a real key (it may be encrypted
* in the database) */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
- tmp_mkey,
+ mkey_ptr,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
int i, k;
krb5_data *ret;
krb5_deltat *delta;
- krb5_keyblock *keys, *tmp_mkey;
+ krb5_keyblock *keys, *mkey_ptr;
krb5_key_data *entry_key;
krb5_error_code error;
ret->data = (char *) keys;
ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1);
memset(ret->data, 0, ret->length);
- if ((error = krb5_dbe_find_mkey(context, master_keylist, entry, &tmp_mkey))) {
- free(ret);
- return (error);
+ if ((error = krb5_dbe_find_mkey(context, master_keylist, entry,
+ &mkey_ptr))) {
+ /* try refreshing the mkey list in case it's been updated */
+ if (krb5_db_fetch_mkey_list(context, master_princ,
+ &master_keyblock, 0,
+ &master_keylist) == 0) {
+ if ((error = krb5_dbe_find_mkey(context, master_keylist, entry,
+ &mkey_ptr))) {
+ free(ret);
+ return (error);
+ }
+ } else {
+ free(ret);
+ return (error);
+ }
}
k = 0;
for (i = 0; i < request->nktypes; i++) {
if (krb5_dbe_find_enctype(context, entry, request->ktype[i],
-1, 0, &entry_key) != 0)
continue;
- if (krb5_dbekd_decrypt_key_data(context, tmp_mkey,
+ if (krb5_dbekd_decrypt_key_data(context, mkey_ptr,
entry_key, &keys[k], NULL) != 0) {
if (keys[k].contents != NULL)
krb5_free_keyblock_contents(context, &keys[k]);
krb5_data scratch;
krb5_data enc_ts_data;
krb5_enc_data *enc_data = 0;
- krb5_keyblock key, *tmp_mkey;
+ krb5_keyblock key, *mkey_ptr;
krb5_key_data * client_key;
krb5_int32 start;
krb5_timestamp timenow;
if ((enc_ts_data.data = (char *) malloc(enc_ts_data.length)) == NULL)
goto cleanup;
- if ((retval = krb5_dbe_find_mkey(context, master_keylist, client, &tmp_mkey)))
- goto cleanup;
+ if ((retval = krb5_dbe_find_mkey(context, master_keylist, client,
+ &mkey_ptr))) {
+ /* try refreshing the mkey list in case it's been updated */
+ if (krb5_db_fetch_mkey_list(context, master_princ,
+ &master_keyblock, 0,
+ &master_keylist) == 0) {
+ if ((retval = krb5_dbe_find_mkey(context, master_keylist, client,
+ &mkey_ptr))) {
+ goto cleanup;
+ }
+ } else {
+ goto cleanup;
+ }
+ }
start = 0;
decrypt_err = 0;
-1, 0, &client_key)))
goto cleanup;
- if ((retval = krb5_dbekd_decrypt_key_data(context, tmp_mkey,
+ if ((retval = krb5_dbekd_decrypt_key_data(context, mkey_ptr,
client_key, &key, NULL)))
goto cleanup;
krb5_sam_challenge sc;
krb5_predicted_sam_response psr;
krb5_data * scratch;
- krb5_keyblock encrypting_key, *tmp_mkey;
+ krb5_keyblock encrypting_key, *mkey_ptr;
char response[9];
char inputblock[8];
krb5_data predict_response;
if (sc.sam_type) {
/* so use assoc to get the key out! */
{
- if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, &assoc, &tmp_mkey)))
- return (retval);
+ if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc,
+ &mkey_ptr))) {
+ /* try refreshing the mkey list in case it's been updated */
+ if (krb5_db_fetch_mkey_list(context, master_princ,
+ &master_keyblock, 0,
+ &master_keylist) == 0) {
+ if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc,
+ &mkey_ptr))) {
+ return (retval);
+ }
+ } else {
+ return (retval);
+ }
+ }
/* here's what do_tgs_req does */
retval = krb5_dbe_find_enctype(kdc_context, &assoc,
}
/* convert server.key into a real key */
retval = krb5_dbekd_decrypt_key_data(kdc_context,
- tmp_mkey,
+ mkey_ptr,
assoc_key, &encrypting_key,
NULL);
if (retval) {
unsigned cert_hash_len;
unsigned key_dex;
unsigned cert_match = 0;
- krb5_keyblock decrypted_key, *tmp_mkey;
+ krb5_keyblock decrypted_key, *mkey_ptr;
/* the data we get from the AS-REQ */
krb5_timestamp client_ctime = 0;
goto cleanup;
}
cert_hash_len = strlen(cert_hash);
- if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, &tmp_mkey)))
- goto cleanup;
+ if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, &mkey_ptr))) {
+ /* try refreshing the mkey list in case it's been updated */
+ if (krb5_db_fetch_mkey_list(context, master_princ,
+ &master_keyblock, 0,
+ &master_keylist) == 0) {
+ if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry,
+ &mkey_ptr))) {
+ goto cleanup;
+ }
+ } else {
+ goto cleanup;
+ }
+ }
for(key_dex=0; key_dex<client->n_key_data; key_dex++) {
krb5_key_data *key_data = &client->key_data[key_dex];
kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n",
* Unfortunately this key is stored encrypted even though it's
* not sensitive...
*/
- krtn = krb5_dbekd_decrypt_key_data(context, tmp_mkey,
+ krtn = krb5_dbekd_decrypt_key_data(context, mkey_ptr,
key_data, &decrypted_key, NULL);
if(krtn) {
kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n");
krb5_error_code retval;
krb5_boolean more, similar;
krb5_key_data * server_key;
- krb5_keyblock * tmp_mkey;
+ krb5_keyblock * mkey_ptr;
*nprincs = 1;
goto errout;
}
- retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, &tmp_mkey);
- if (retval)
- goto errout;
+ if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
+ &mkey_ptr))) {
+ /* try refreshing master key list */
+ /* XXX it would nice if we had the mkvno here for optimization */
+ if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
+ &master_keyblock, 0, &master_keylist) == 0) {
+ if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist,
+ server, &mkey_ptr))) {
+ goto errout;
+ }
+ } else {
+ goto errout;
+ }
+ }
retval = krb5_dbe_find_enctype(kdc_context, server,
match_enctype ? ticket->enc_part.enctype : -1,
goto errout;
}
if ((*key = (krb5_keyblock *)malloc(sizeof **key))) {
- retval = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey,
+ retval = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr,
server_key,
*key, NULL);
} else
if (ret)
goto done;
- ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db, &tmp_mkey);
+ ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db,
+ &tmp_mkey);
if (ret)
goto done;
extern krb5_principal master_princ;
extern krb5_principal hist_princ;
+extern krb5_keyblock master_keyblock;
extern krb5_keylist_node *master_keylist;
-extern krb5_actkvno_node *active_mkey_list;
+extern krb5_actkvno_node *active_mkey_list;
extern krb5_keyblock hist_key;
extern krb5_db_entry master_db;
extern krb5_db_entry hist_db;
krb5_key_data *key_data;
kadm5_ret_t ret;
kadm5_server_handle_t handle = server_handle;
- krb5_keyblock *tmp_mkey;
+ krb5_keyblock *mkey_ptr;
if (keyblocks)
*keyblocks = NULL;
return(ret);
if (keyblocks) {
- ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb, &tmp_mkey);
- if (ret)
- goto done;
+ if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb,
+ &mkey_ptr))) {
+ /* try refreshing master key list */
+ /* XXX it would nice if we had the mkvno here for optimization */
+ if (krb5_db_fetch_mkey_list(handle->context, master_princ,
+ &master_keyblock, 0,
+ &master_keylist) == 0) {
+ if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist,
+ &kdb, &mkey_ptr))) {
+ goto done;
+ }
+ } else {
+ goto done;
+ }
+ }
+
if (handle->api_version == KADM5_API_VERSION_1) {
/* Version 1 clients will expect to see a DES_CRC enctype. */
if ((ret = krb5_dbe_find_enctype(handle->context, &kdb,
-1, -1, &key_data)))
goto done;
- if ((ret = decrypt_key_data(handle->context, tmp_mkey, 1, key_data,
+ if ((ret = decrypt_key_data(handle->context, mkey_ptr, 1, key_data,
keyblocks, NULL)))
goto done;
} else {
- ret = decrypt_key_data(handle->context, tmp_mkey,
+ ret = decrypt_key_data(handle->context, mkey_ptr,
kdb.n_key_data, kdb.key_data,
keyblocks, n_keys);
if (ret)
kadm5_server_handle_t handle = server_handle;
krb5_db_entry dbent;
krb5_key_data *key_data;
- krb5_keyblock *tmp_mkey;
+ krb5_keyblock *mkey_ptr;
int ret;
CHECK_HANDLE(server_handle);
/* find_mkey only uses this field */
dbent.tl_data = entry->tl_data;
- ret = krb5_dbe_find_mkey(handle->context, master_keylist, &dbent, &tmp_mkey);
- if (ret)
- return (ret);
+ if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &dbent,
+ &mkey_ptr))) {
+ /* try refreshing master key list */
+ /* XXX it would nice if we had the mkvno here for optimization */
+ if (krb5_db_fetch_mkey_list(handle->context, master_princ,
+ &master_keyblock, 0, &master_keylist) == 0) {
+ if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist,
+ &dbent, &mkey_ptr))) {
+ return ret;
+ }
+ } else {
+ return ret;
+ }
+ }
if ((ret = krb5_dbekd_decrypt_key_data(handle->context,
- tmp_mkey, key_data,
+ mkey_ptr, key_data,
keyblock, keysalt)))
return ret;
}
void
-krb5_dbe_free_key_list(krb5_context context, krb5_keylist_node *key_list)
+krb5_dbe_free_key_list(krb5_context context, krb5_keylist_node *val)
{
- krb5_keylist_node *cur_node, *next_node;
+ krb5_keylist_node *temp = val, *prev;
- for (cur_node = key_list; cur_node != NULL; cur_node = next_node) {
- next_node = cur_node->next;
- krb5_free_keyblock_contents(context, &(cur_node->keyblock));
- krb5_xfree(cur_node);
+ while (temp != NULL) {
+ prev = temp;
+ temp = temp->next;
+ krb5_free_keyblock_contents(context, &(prev->keyblock));
+ krb5_xfree(prev);
}
- return;
}
void
krb5_dbe_free_actkvno_list(krb5_context context, krb5_actkvno_node *val)
{
- krb5_actkvno_node *temp, *prev;
+ krb5_actkvno_node *temp = val, *prev;
- for (temp = val; temp != NULL;) {
+ while (temp != NULL) {
prev = temp;
temp = temp->next;
krb5_xfree(prev);
void
krb5_dbe_free_mkey_aux_list(krb5_context context, krb5_mkey_aux_node *val)
{
- krb5_mkey_aux_node *temp, *prev;
+ krb5_mkey_aux_node *temp = val, *prev;
- for (temp = val; temp != NULL;) {
+ while (temp != NULL) {
prev = temp;
temp = temp->next;
krb5_dbe_free_key_data_contents(context, &prev->latest_mkey);
* free the output key.
*/
krb5_error_code
-krb5_dbe_find_mkey(krb5_context context,
- krb5_keylist_node *mkey_list,
- krb5_db_entry *entry,
- krb5_keyblock **mkey)
+krb5_dbe_find_mkey(krb5_context context,
+ krb5_keylist_node * mkey_list,
+ krb5_db_entry * entry,
+ krb5_keyblock ** mkey)
{
krb5_kvno mkvno;
krb5_error_code retval;
prev_data = new_data;
}
} else {
- krb5_set_error_message (context, KRB5_KDB_BAD_VERSION,
- "Illegal version number for KRB5_TL_MKEY_AUX %d\n",
- version);
+ krb5_set_error_message(context, KRB5_KDB_BAD_VERSION,
+ "Illegal version number for KRB5_TL_MKEY_AUX %d\n",
+ version);
return (KRB5_KDB_BAD_VERSION);
}
}
nprinc = 1;
if ((retval = krb5_db_get_principal(context, mprinc,
- &master_entry, &nprinc, &more)))
+ &master_entry, &nprinc, &more)))
return (retval);
if (nprinc != 1) {
* Note the mkvno may provide a hint as to which mkey_aux tuple to
* decrypt.
*/
- if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry, &mkey_aux_data_list)))
+ if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry,
+ &mkey_aux_data_list)))
goto clean_n_exit;
/* mkvno may be 0 in some cases like keyboard and should be ignored */
aux_data_entry = aux_data_entry->next) {
if (aux_data_entry->mkey_kvno == mkvno) {
- if (krb5_dbekd_decrypt_key_data(context, mkey, &aux_data_entry->latest_mkey,
+ if (krb5_dbekd_decrypt_key_data(context, mkey,
+ &aux_data_entry->latest_mkey,
&cur_mkey, NULL) == 0) {
found_key = TRUE;
break;
aux_data_entry = aux_data_entry->next) {
if (mkey->enctype == aux_data_entry->latest_mkey.key_data_type[0] &&
- (krb5_dbekd_decrypt_key_data(context, mkey, &aux_data_entry->latest_mkey,
- &cur_mkey, NULL) == 0)) {
+ (krb5_dbekd_decrypt_key_data(context, mkey,
+ &aux_data_entry->latest_mkey,
+ &cur_mkey, NULL) == 0)) {
found_key = TRUE;
break;
}
*mkeys_list = mkey_list_head;
clean_n_exit:
-
krb5_db_free_principal(context, &master_entry, nprinc);
-
if (retval != 0)
krb5_dbe_free_key_list(context, mkey_list_head);
-
return retval;
}
projects / thirdparty / krb5.git / commitdiff
