Masterkey Keytab Stash
authorWill Fiveash <will.fiveash@oracle.com>
Wed, 25 Jun 2008 23:04:44 +0000 (23:04 +0000)
committerWill Fiveash <will.fiveash@oracle.com>
Wed, 25 Jun 2008 23:04:44 +0000 (23:04 +0000)
This ticket is to track code changes for the Masterkey Keytab Stash project.  The Krb Consortium page is:
http://k5wiki.kerberos.org/wiki/Projects/Masterkey_Keytab_Stash

ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_keytab@20475 dc483132-0cff-0310-8789-dd5450dbe970

src/kadmin/dbutil/kdb5_stash.c
src/kadmin/dbutil/kdb5_util.M
src/lib/kadm5/alt_prof.c
src/lib/kdb/kdb5.c
src/lib/kdb/kdb_default.c
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M

index 18c35c011d58a6f2f71a5ab59fdc460c5dc152ff..1e6d2e5cd3c953b7a5a8b010b2cdeffc92da957a 100644 (file)
@@ -172,8 +172,7 @@ kdb5_stash(argc, argv)
     }  
 
     retval = krb5_db_store_master_key(context, keyfile, master_princ, 
-                                     mkey_kvno, &master_keyblock,
-                                     NULL);
+                                      mkey_kvno, &master_keyblock, NULL);
     if (retval) {
        com_err(argv[0], errno, "while storing key");
        memset((char *)master_keyblock.contents, 0, master_keyblock.length);
index 6e0fd4736939d8b4eca0fcb5fb24f56e1cb268c3..2e624421c2279c330c5d6d0761fb16689c7fd5cb 100644 (file)
@@ -61,7 +61,7 @@ that given in
 .TP
 \fB\-kv\fP\ \fImkeyVNO\fP
 Specifies the version number of the master key in the database; the default is
-0.
+1.  Note that 0 is not allowed.
 .TP
 \fB\-M\fP\ \fImkeyname\fP
 principal name for the master key in the database; the default is
index 5a55e22b73c26f16d16f3b108e74a23e59658458..64bc7ef316aa048ea0df52d64eaa2259ff4d8442 100644 (file)
@@ -405,7 +405,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
     }
 
     if (params_in->mask & KADM5_CONFIG_KVNO) {
-       params.kvno = params_in->kvno;
+        params.kvno = params_in->kvno;
         params.mask |= KADM5_CONFIG_KVNO;
     }
     /*
index bbca07175d9f46bf8f88ed202552b2e647efa152..7a137500ee050ae4aedb0a3ccf1f100ea851b49d 100644 (file)
@@ -1249,15 +1249,15 @@ char   *krb5_mkey_pwd_prompt1 = KRB5_KDC_MKEY_1;
 char   *krb5_mkey_pwd_prompt2 = KRB5_KDC_MKEY_2;
 
 krb5_error_code
-krb5_db_fetch_mkey(krb5_context context,
-                  krb5_principal mname,
-                  krb5_enctype  etype,
-                  krb5_boolean  fromkeyboard,
-                  krb5_boolean  twice,
-                  char          * db_args,
-                   krb5_kvno     * kvno,
-                   krb5_data     * salt,
-                   krb5_keyblock * key)
+krb5_db_fetch_mkey( krb5_context    context,
+                    krb5_principal  mname,
+                    krb5_enctype    etype,
+                    krb5_boolean    fromkeyboard,
+                    krb5_boolean    twice,
+                    char          * db_args,
+                    krb5_kvno     * kvno,
+                    krb5_data     * salt,
+                    krb5_keyblock * key)
 {
     krb5_error_code retval;
     char    password[BUFSIZ];
@@ -1365,10 +1365,10 @@ krb5_db_fetch_mkey(krb5_context context,
 }
 
 krb5_error_code
-krb5_db_verify_master_key(krb5_context   kcontext,
-                         krb5_principal mprinc,
-                         krb5_kvno      kvno,
-                          krb5_keyblock  *mkey)
+krb5_db_verify_master_key(  krb5_context     kcontext,
+                            krb5_principal   mprinc,
+                            krb5_kvno        kvno,
+                            krb5_keyblock  * mkey)
 {
     krb5_error_code status = 0;
     kdb5_dal_handle *dal_handle;
@@ -1387,8 +1387,8 @@ krb5_db_verify_master_key(krb5_context   kcontext,
     }
 
     status = dal_handle->lib_handle->vftabl.verify_master_key(kcontext,
-                                                             mprinc,
-                                                             kvno,
+                                                              mprinc,
+                                                              kvno,
                                                               mkey);
     get_errmsg(kcontext, status);
     kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
index 7de9aca548c6eec0ca85e585886957a5c3c1a6a0..2d265a0e7b2001199e71f35728c553db213fd03e 100644 (file)
@@ -180,6 +180,7 @@ krb5_def_store_mkey(krb5_context   context,
             "Could not create temp keytab file name.");
         goto out;
     }
+
     if (mktemp(tmp_ktname) == NULL) {
         retval = errno;
         krb5_set_error_message (context, retval,
@@ -321,15 +322,19 @@ krb5_db_def_fetch_mkey_keytab(  krb5_context   context,
         goto errout;
 
     while ((retval = krb5_kt_next_entry(context, kt, &kt_ent, &cursor)) == 0) {
-        if (key->enctype != ENCTYPE_UNKNOWN && key->enctype != kt_ent.key.enctype)
-            continue;
-        if (kvno != NULL && *kvno != IGNORE_VNO && *kvno != kt_ent.vno)
+
+        if ((key->enctype != ENCTYPE_UNKNOWN && key->enctype != kt_ent.key.enctype) ||
+            (kvno != NULL && *kvno != IGNORE_VNO && *kvno != kt_ent.vno)) {
+
+            krb5_kt_free_entry(context, &kt_ent);
             continue;
+        }
         break;
     }
 
     if (retval != 0) {
         if (retval == KRB5_KT_END) {
+            /* didn't find an entry so indicate no key found */
             (void) krb5_kt_end_seq_get(context, kt, &cursor);
             retval = KRB5_KDB_BADSTORED_MKEY;
         }
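Review bot: The rewritten loop in krb5_db_def_fetch_mkey_keytab frees kt_ent only on the skip path; on the break path the matched entry stays allocated for the caller, so the code after the hunk must release it with krb5_kt_free_entry once the key has been copied out, and since the rest of the function is outside the hunk I cannot confirm it does (the non-KRB5_KT_END error path likewise needs krb5_kt_end_seq_get, which is not visible here). The selection policy also deserves a comment: when *kvno == IGNORE_VNO the first enctype match in keytab order is returned rather than the highest vno, so a stash keytab holding several master-key versions could hand back a stale one; if that is intended, `/* kvno ignored: first matching enctype wins, regardless of version */` above the if would make it explicit. Separately, the first hunk's context in krb5_def_store_mkey shows the temporary stash name coming from mktemp(); that line is unchanged by this commit, but creating the file atomically (mkstemp-style) rather than naming it first would close the predictable-name window the next time this path is touched.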
index 75afded0f8aea7e580a807f1808482acd30ac705..484c4ce886bae0f8ad35e00038154de080fa18a7 100644 (file)
@@ -49,7 +49,7 @@ that given in
 .TP
 \fB\-kv\fP\ \fImkeyVNO\fP
 Specifies the version number of the master key in the database; the default is
-0.
+1. Note that 0 is not allowed.
 .TP
 \fB\-m\fP
 Specifies that the master database password should be read from the TTY