krb5_key_data * key_data);
krb5_error_code
-krb5_dbe_fetch_act_mkey_list(krb5_context context,
- krb5_principal mprinc,
- krb5_actkvno_node **act_mkey_list);
+krb5_dbe_fetch_act_key_list(krb5_context context,
+ krb5_principal princ,
+ krb5_actkvno_node **act_key_list);
krb5_error_code
krb5_dbe_find_act_mkey( krb5_context context,
memset(mkey_aux_data_head, 0, sizeof(krb5_mkey_aux_node));
mkey_aux_data = &mkey_aux_data_head;
- /* XXX WAF: old, remove before final commit */
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
- for (i = 0; i < old_key_data_count; i++) {
- key_data = &old_key_data[i];
-
- /* decrypt the old key */
- /* XXX WAF: don't need to do this, use the master_keylist instead. */
- memset(&plainkey, 0, sizeof(plainkey));
- retval = krb5_dbekd_decrypt_key_data(util_context, &master_keylist->keyblock,
- key_data, &plainkey, NULL);
- if (retval) {
- com_err(progname, retval, "while decrypting master keys");
- exit_status++;
- return;
- }
-
- /*
- * Create a list of krb5_mkey_aux_node nodes. One node contains the new
- * mkey encrypted by an old mkey and the old mkey's kvno (one node per
- * old mkey).
- */
-
- if (*mkey_aux_data == NULL) {
- /* *mkey_aux_data points to next field of previous node */
- *mkey_aux_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node));
- if (*mkey_aux_data == NULL) {
- com_err(progname, ENOMEM, "while creating mkey_aux_data");
- exit_status++;
- return;
- }
- memset(*mkey_aux_data, 0, sizeof(krb5_mkey_aux_node));
- }
-
- memset(&tmp_key_data, 0, sizeof(tmp_key_data));
- /* encrypt the new mkey with the older mkey */
- retval = krb5_dbekd_encrypt_key_data(util_context, &plainkey,
- &new_master_keyblock,
- NULL, /* no keysalt */
- (int) new_mkey_kvno,
- &tmp_key_data);
- if (retval) {
- com_err(progname, retval, "while encrypting master keys");
- exit_status++;
- return;
- }
-
- (*mkey_aux_data)->latest_mkey = tmp_key_data;
- (*mkey_aux_data)->mkey_kvno = key_data->key_data_kvno;
-
- mkey_aux_data = &((*mkey_aux_data)->next);
-
- /*
- * Store old key in master_entry keydata, + 1 to avoid overwritting the
- * first key_data entry
- */
- retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock,
- &plainkey,
- NULL, /* no keysalt */
- (int) key_data->key_data_kvno,
- &master_entry.key_data[i+1]);
- if (retval) {
- com_err(progname, retval, "while encrypting master keys");
- exit_status++;
- return;
- }
-
- /* free plain text key and old key data entry */
- krb5_free_keyblock_contents(util_context, &plainkey);
- for (j = 0; j < key_data->key_data_ver; j++) {
- if (key_data->key_data_length[j]) {
- /* the key_data contents are encrypted so no clearing first */
- free(key_data->key_data_contents[j]);
- }
- }
- } /* end for (i = 0; i < old_key_data_count; i++) */
-#endif /**************** END IFDEF'ed OUT *******************************/
-
for (keylist_node = master_keylist, i = 1; keylist_node != NULL;
keylist_node = keylist_node->next, i++) {
return;
}
- /*
- * determine which nodes to delete and where to insert new act kvno node
- */
-
/* alloc enough space to hold new and existing key_data */
new_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
if (new_actkvno == NULL) {
new_actkvno->act_kvno = use_kvno;
new_actkvno->act_time = start_time;
+ /*
+ * determine which nodes to delete and where to insert new act kvno node
+ */
+
if (actkvno_list == NULL) {
/* new actkvno is the list */
new_actkvno_list_head = new_actkvno;
}
if (trimed && inserted)
break;
- } /* end for (new_actkvno_list_head = prev_actkvno = ... */
+ }
}
if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry,
krb5_keyblock session_key;
krb5_timestamp until, rtime;
krb5_keyblock encrypting_key;
+ krb5_keyblock *tmp_mkey;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *altcname = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
status = "FINDING_SERVER_KEY";
goto cleanup;
}
+
+ if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) {
+ status = "FINDING_MASTER_KEY";
+ goto cleanup;
+ }
+
/* convert server.key into a real key (it may be encrypted
* in the database) */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
- &master_keyblock,
+ tmp_mkey,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
krb5_aprof_getvals
krb5_aprof_init
krb5_flags_to_string
-krb5_free_key_data_contents
krb5_free_realm_params
krb5_input_flag_to_string
krb5_keysalt_is_present
krb5_aprof_init
krb5_copy_key_data_contents
krb5_flags_to_string
-krb5_free_key_data_contents
krb5_free_realm_params
krb5_input_flag_to_string
krb5_keysalt_is_present
return (ret);
}
- if ((ret = krb5_dbe_fetch_act_mkey_list(handle->context, master_princ,
- &active_mkey_list))) {
+ if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
+ &active_mkey_list))) {
krb5_db_fini(handle->context);
return (ret);
}
#endif /**************** END IFDEF'ed OUT *******************************/
krb5_error_code
-krb5_dbe_fetch_act_mkey_list(krb5_context context,
- krb5_principal mprinc,
- krb5_actkvno_node **act_mkey_list)
+krb5_dbe_fetch_act_key_list(krb5_context context,
+ krb5_principal princ,
+ krb5_actkvno_node **act_key_list)
{
krb5_error_code retval = 0;
- krb5_db_entry master_entry;
+ krb5_db_entry entry;
int nprinc;
krb5_boolean more;
- if (act_mkey_list == NULL)
+ if (act_key_list == NULL)
return (EINVAL);
nprinc = 1;
- if ((retval = krb5_db_get_principal(context, mprinc,
- &master_entry, &nprinc, &more)))
+ if ((retval = krb5_db_get_principal(context, princ, &entry,
+ &nprinc, &more))) {
return (retval);
+ }
if (nprinc != 1) {
- if (nprinc)
- krb5_db_free_principal(context, &master_entry, nprinc);
+ if (nprinc) {
+ krb5_db_free_principal(context, &entry, nprinc);
+ }
return(KRB5_KDB_NOMASTERKEY);
} else if (more) {
- krb5_db_free_principal(context, &master_entry, nprinc);
+ krb5_db_free_principal(context, &entry, nprinc);
return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
}
- retval = krb5_dbe_lookup_actkvno(context, &master_entry, act_mkey_list);
+ retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list);
- if (*act_mkey_list == NULL) {
+ if (*act_key_list == NULL) {
krb5_actkvno_node *tmp_actkvno;
krb5_timestamp now;
/*
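Review bot: The status returned by `krb5_dbe_lookup_actkvno` is stored in `retval` but never checked before `*act_key_list` is dereferenced on the following line; if the lookup fails without touching its output, the NULL branch goes on to synthesize a default node from `entry.key_data[0]` and the caller receives a list alongside a non-zero return code. A guard between the two lines, `if (retval) { krb5_db_free_principal(context, &entry, nprinc); return retval; }`, keeps the failure path explicit and still releases `entry`. Separately, now that the function accepts an arbitrary `princ`, returning `KRB5_KDB_NOMASTERKEY` when `nprinc != 1` is misleading for callers that pass a non-master principal; a generic code such as `KRB5_KDB_NOENTRY` reads more accurately, provided the existing callers do not key off the old value. The rest of the function body, including the allocation of `tmp_actkvno`, lies in the next hunk.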
memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node));
tmp_actkvno->act_time = now;
- tmp_actkvno->act_kvno = master_entry.key_data[0].key_data_kvno;
+ /* use most current key */
+ tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno;
- *act_mkey_list = tmp_actkvno;
+ *act_key_list = tmp_actkvno;
}
- krb5_db_free_principal(context, &master_entry, nprinc);
+ krb5_db_free_principal(context, &entry, nprinc);
return retval;
}
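Review bot: The new comment `/* use most current key */` states an ordering guarantee that the code does not check: `entry.key_data[0]` is only the most current key if the entry's key_data array is kept in descending kvno order. If the store guarantees that, the comment should say so, e.g. `/* key_data[0] is the most current key: the array is kept in descending kvno order */`; if it does not, the kvno should be chosen by scanning for the maximum rather than trusting index 0. This hunk starts inside the function; its opening lines are in the preceding hunk.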
return retval;
}
-/* XXX WAF: I'm now thinking this fucntion should check to see if the fetched
- * key matches the latest mkey in the master princ. If it doesn't then the
- * latest mkey should be returned by using the mkey_aux tl data.
- */
krb5_error_code
krb5_db_def_fetch_mkey(krb5_context context,
krb5_principal mname,
krb5_dbe_create_key_data
krb5_dbe_crk
krb5_dbe_find_act_mkey
-krb5_dbe_fetch_act_mkey_list
+krb5_dbe_fetch_act_key_list
krb5_dbe_find_enctype
krb5_dbe_find_mkey
krb5_dbe_lookup_last_pwd_change