krb5_boolean fromkeyboard,
krb5_boolean twice,
char *db_args,
+ krb5_kvno *kvno,
krb5_data *salt,
krb5_keyblock *key);
krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext,
krb5_principal mprinc,
- krb5_kvno *kvno,
+ krb5_kvno kvno,
krb5_keyblock *mkey );
krb5_error_code
krb5_dbe_find_enctype( krb5_context kcontext,
char *db_args);
krb5_error_code
-krb5_def_verify_master_key( krb5_context context,
+krb5_def_verify_master_key( krb5_context context,
krb5_principal mprinc,
- krb5_kvno *kvno,
+ krb5_kvno kvno,
krb5_keyblock *mkey);
krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
int i, j;
krb5_key_data new_key_data, *key_data;
krb5_boolean is_mkey;
+ krb5_kvno kvno;
is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ);
return retval;
memset(&new_key_data, 0, sizeof(new_key_data));
- key_ptr = is_mkey ? &new_master_keyblock : &v5plainkey;
+
+ if (is_mkey) {
+ key_ptr = &new_master_keyblock;
+ /* override mkey princ's kvno */
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ kvno = global_params.kvno;
+ else
+ kvno = (krb5_kvno) key_data->key_data_kvno;
+ } else {
+ key_ptr = &v5plainkey;
+ kvno = (krb5_kvno) key_data->key_data_kvno;
+ }
+
retval = krb5_dbekd_encrypt_key_data(context, &new_master_keyblock,
key_ptr, &keysalt,
- key_data->key_data_kvno,
+ (int) kvno,
&new_key_data);
if (retval)
return retval;
*/
if (mkey_convert) {
if (!valid_master_key) {
+ krb5_kvno mkvno = IGNORE_VNO;
/* TRUE here means read the keyboard, but only once */
retval = krb5_db_fetch_mkey(util_context,
master_princ,
master_keyblock.enctype,
TRUE, FALSE,
- (char *) NULL, 0,
+ (char *) NULL,
+ NULL, NULL,
&master_keyblock);
if (retval) {
com_err(argv[0], retval,
}
retval = krb5_db_verify_master_key(util_context,
master_princ,
- NULL,
+ IGNORE_VNO,
&master_keyblock);
if (retval) {
com_err(argv[0], retval,
new_master_keyblock.enctype = global_params.enctype;
if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN)
new_master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
- if (!new_mkey_file)
- printf("Please enter new master key....\n");
- if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
- new_master_keyblock.enctype,
- (new_mkey_file == 0) ?
- (krb5_boolean) 1 : 0,
- TRUE,
- new_mkey_file, 0,
- &new_master_keyblock))) {
- com_err(argv[0], retval, "while reading new master key");
- exit(1);
- }
+
+ if (new_mkey_file) {
+ krb5_kvno kt_kvno;
+
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ kt_kvno = global_params.kvno;
+ else
+ kt_kvno = IGNORE_VNO;
+
+ if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
+ new_master_keyblock.enctype,
+ FALSE,
+ FALSE,
+ new_mkey_file,
+ &kt_kvno,
+ NULL,
+ &new_master_keyblock))) {
+ com_err(argv[0], retval, "while reading new master key");
+ exit(1);
+ }
+ } else {
+ printf("Please enter new master key....\n");
+ if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
+ new_master_keyblock.enctype,
+ TRUE,
+ TRUE,
+ NULL, NULL, NULL,
+ &new_master_keyblock))) {
+ com_err(argv[0], retval, "while reading new master key");
+ exit(1);
+ }
+ }
}
kret = 0;
exit_status++; return;
}
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ mkey_kvno = global_params.kvno; /* user specified */
+ else
+ mkey_kvno = IGNORE_VNO; /* use whatever krb5_db_fetch_mkey finds */
+
/* TRUE here means read the keyboard, but only once */
retval = krb5_db_fetch_mkey(context, master_princ,
master_keyblock.enctype,
TRUE, FALSE, (char *) NULL,
- 0, &master_keyblock);
+ &mkey_kvno,
+ NULL, &master_keyblock);
if (retval) {
com_err(argv[0], retval, "while reading master key");
(void) krb5_db_fini(context);
exit_status++; return;
}
- if (global_params.mask & KADM5_CONFIG_KVNO)
- mkey_kvno = global_params.kvno; /* user specified */
- else
- mkey_kvno = IGNORE_VNO; /* use whatever krb5_db_verify_master_key finds */
/* verify will set mkey_kvno to mkey princ's kvno mkey_kvno if it's IGNORE_VNO */
retval = krb5_db_verify_master_key(context, master_princ,
- &mkey_kvno,
+ mkey_kvno,
&master_keyblock);
if (retval) {
com_err(argv[0], retval, "while verifying master key");
int nentries;
krb5_boolean more;
krb5_data scratch, pwd, seed;
+ krb5_kvno mprinc_kvno, kvno;
dbactive = FALSE;
valid_master_key = 0;
return(1);
}
+ /* may be used later */
+ mprinc_kvno = (krb5_kvno) master_entry.key_data->key_data_kvno;
+
krb5_db_free_principal(util_context, &master_entry, nentries);
/* the databases are now open, and the master principal exists */
}
/* If no encryption type is set, use the default */
- if (master_keyblock.enctype == ENCTYPE_UNKNOWN) {
+ if (master_keyblock.enctype == ENCTYPE_UNKNOWN)
master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
- if (!krb5_c_valid_enctype(master_keyblock.enctype))
- com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d",
- master_keyblock.enctype);
- }
+ if (!krb5_c_valid_enctype(master_keyblock.enctype))
+ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP,
+ "while setting up enctype %d",
+ master_keyblock.enctype);
retval = krb5_c_string_to_key(util_context, master_keyblock.enctype,
&pwd, &scratch, &master_keyblock);
}
free(scratch.data);
mkey_password = 0;
+
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ kvno = global_params.kvno; /* user specified */
+ else
+ kvno = mprinc_kvno;
} else if ((retval = krb5_db_fetch_mkey(util_context, master_princ,
master_keyblock.enctype,
manual_mkey, FALSE,
global_params.stash_file,
+ &kvno,
0, &master_keyblock))) {
com_err(progname, retval, "while reading master key");
com_err(progname, 0, "Warning: proceeding without master key");
return(0);
}
if ((retval = krb5_db_verify_master_key(util_context, master_princ,
- NULL, &master_keyblock))) {
+ kvno, &master_keyblock))) {
com_err(progname, retval, "while verifying master key");
exit_status++;
krb5_free_keyblock_contents(util_context, &master_keyblock);
if ((kret = krb5_db_fetch_mkey(rdp->realm_context, rdp->realm_mprinc,
rdp->realm_mkey.enctype, manual,
FALSE, rdp->realm_stash,
- 0, &rdp->realm_mkey))) {
+ NULL, NULL, &rdp->realm_mkey))) {
com_err(progname, kret,
"while fetching master key %s for realm %s",
rdp->realm_mpname, realm);
/* Verify the master key */
if ((kret = krb5_db_verify_master_key(rdp->realm_context,
rdp->realm_mprinc,
- NULL,
+ IGNORE_VNO,
&rdp->realm_mkey))) {
com_err(progname, kret,
"while verifying master key for realm %s", realm);
master_keyblock.enctype, from_kbd,
FALSE /* only prompt once */,
handle->params.stash_file,
+ NULL /* don't care about kvno */,
NULL /* I'm not sure about this,
but it's what the kdc does --marc */,
&master_keyblock);
goto done;
if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
- NULL, &master_keyblock))) {
+ IGNORE_VNO, &master_keyblock))) {
krb5_db_fini(handle->context);
return ret;
}
krb5_error_code
krb5_db_fetch_mkey(krb5_context context,
krb5_principal mname,
- krb5_enctype etype,
- krb5_boolean fromkeyboard,
- krb5_boolean twice,
- char *db_args, krb5_data * salt, krb5_keyblock * key)
+ krb5_enctype etype,
+ krb5_boolean fromkeyboard,
+ krb5_boolean twice,
+ char * db_args,
+ krb5_kvno * kvno,
+ krb5_data * salt,
+ krb5_keyblock * key)
{
krb5_error_code retval;
char password[BUFSIZ];
krb5_data pwd;
unsigned int size = sizeof(password);
- int kvno = IGNORE_VNO;
krb5_keyblock tmp_key;
memset(&tmp_key, 0, sizeof(tmp_key));
retval =
krb5_c_string_to_key(context, etype, &pwd, salt ? salt : &scratch,
key);
+ /*
+ * If a kvno pointer was passed in and it dereferences the IGNORE_VNO
+ * value then it should be assigned the value of the kvno associated
+ * with the current mkey princ key if that princ entry is available
+ * otherwise assign 1 which is the default kvno value for the mkey
+ * princ.
+ */
+ if (kvno != NULL && *kvno == IGNORE_VNO) {
+ int nentries = 1;
+ krb5_boolean more;
+ krb5_error_code rc;
+ krb5_db_entry master_entry;
+
+ rc = krb5_db_get_principal(context, mname,
+ &master_entry, &nentries, &more);
+
+ if (rc == 0 && nentries == 1 && more == FALSE)
+ *kvno = (krb5_kvno) master_entry.key_data->key_data_kvno;
+ else
+ *kvno = 1;
+
+ if (rc == 0 && nentries)
+ krb5_db_free_principal(context, &master_entry, nentries);
+ }
if (!salt)
krb5_xfree(scratch.data);
retval = dal_handle->lib_handle->vftabl.fetch_master_key(context,
mname,
&tmp_key,
- &kvno,
+ kvno,
db_args);
get_errmsg(context, retval);
kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
krb5_error_code
krb5_db_verify_master_key(krb5_context kcontext,
krb5_principal mprinc,
- krb5_kvno *kvno,
+ krb5_kvno kvno,
krb5_keyblock *mkey)
{
krb5_error_code status = 0;
krb5_error_code (*fetch_master_key) (krb5_context kcontext,
krb5_principal mname,
krb5_keyblock *key,
- int *kvno,
+ krb5_kvno *kvno,
char *db_args);
krb5_error_code (*verify_master_key) (krb5_context kcontext,
krb5_principal mprinc,
- krb5_kvno *kvno,
+ krb5_kvno kvno,
krb5_keyblock *mkey);
krb5_error_code (*dbe_search_enctype) (krb5_context kcontext,
retval = 0;
/*
- * Note, the old stash format did not store the kvno so it was always hard
- * coded to be 0.
+ * Note, the old stash format did not store the kvno and at this point it
+ * can be assumed to be 1 as is the case for the mkey princ.
*/
if (kvno)
- *kvno = 0;
+ *kvno = 1;
errout:
(void) fclose(kf);
if (kvno != NULL) {
/*
- * if a kvno pointer was passed in and it dereferences to
- * IGNORE_VNO then it should be assigned the value of the
- * kvno found in the keytab otherwise the KNVO specified
- * should be the same as the one returned from the keytab.
+ * If a kvno pointer was passed in and it dereferences the
+ * IGNORE_VNO value then it should be assigned the value of the kvno
+ * found in the keytab otherwise the KNVO specified should be the
+ * same as the one returned from the keytab.
*/
if (*kvno == IGNORE_VNO) {
*kvno = kt_ent.vno;
krb5_error_code
krb5_def_verify_master_key( krb5_context context,
krb5_principal mprinc,
- krb5_kvno *kvno,
+ krb5_kvno kvno,
krb5_keyblock *mkey)
{
krb5_error_code retval;
retval = KRB5_KDB_BADMASTERKEY;
}
- if (kvno != NULL) {
- if (*kvno == IGNORE_VNO) {
- /* return value of mkey princs kvno */
- *kvno = master_entry.key_data->key_data_kvno;
- } else if (*kvno != (krb5_kvno) master_entry.key_data->key_data_kvno) {
- retval = KRB5_KDB_BADMASTERKEY;
- krb5_set_error_message (context, retval,
- "User specified mkeyVNO (%u) does not match master key princ's KVNO (%u)",
- *kvno, master_entry.key_data->key_data_kvno);
- }
+ if (kvno != IGNORE_VNO &&
+ kvno != (krb5_kvno) master_entry.key_data->key_data_kvno) {
+ retval = KRB5_KDB_BADMASTERKEY;
+ krb5_set_error_message (context, retval,
+ "User specified mkeyVNO (%u) does not match master key princ's KVNO (%u)",
+ kvno, master_entry.key_data->key_data_kvno);
}
memset((char *)tempkey.contents, 0, tempkey.length);
} else {
if ((retval = krb5_db_fetch_mkey(test_context, master_princ,
master_keyblock.enctype, manual_mkey,
- FALSE, 0, NULL, &master_keyblock))) {
+ FALSE, 0, NULL, NULL,
+ &master_keyblock))) {
com_err(pname, retval, "while reading master key");
return(1);
}
free(args[0]);
if ((retval = krb5_db_verify_master_key(test_context, master_princ,
- NULL, &master_keyblock))){
+ IGNORE_VNO, &master_keyblock))){
com_err(pname, retval, "while verifying master key");
(void) krb5_db_fini(test_context);
return(1);
} else {
if ((retval = krb5_db_fetch_mkey(context, master_princ,
master_keyblock.enctype,
- manual_mkey, FALSE, (char *) NULL, 0,
- &master_keyblock))) {
+ manual_mkey, FALSE, (char *) NULL,
+ NULL, NULL,
+ &master_keyblock))) {
com_err(pname, retval, "while reading master key");
return(1);
}
return(1);
}
if ((retval = krb5_db_verify_master_key(context, master_princ,
- NULL, &master_keyblock))) {
+ IGNORE_VNO, &master_keyblock))) {
com_err(pname, retval, "while verifying master key");
(void) krb5_db_fini(context);
return(1);
projects / thirdparty / krb5.git / commitdiff
