/* version number for KRB5_TL_MKEY_AUX data */
#define KRB5_TL_MKEY_AUX_VER_1 1
-/* XXX WAF: the indef. struct typedefs below may not be needed so ifdef'ing them
- * out for now */
-/*
- * Doing this because it this struct should be defined in k5-int.h but this
- * header file can't include that one.
- */
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
-#ifndef _KRB5_INT_H
-struct _krb5_actkvno_node;
-typedef struct _krb5_actkvno_node krb5_actkvno_node;
-struct _krb5_mkey_aux_node;
-typedef struct _krb5_mkey_aux_node krb5_mkey_aux_node;
-#endif
-#endif /**************** END IFDEF'ed OUT *******************************/
-
typedef struct _krb5_actkvno_node {
struct _krb5_actkvno_node *next;
- krb5_kvno act_kvno;
+ krb5_kvno act_kvno;
krb5_timestamp act_time;
} krb5_actkvno_node;
typedef struct _krb5_mkey_aux_node {
struct _krb5_mkey_aux_node *next;
- krb5_kvno mkey_kvno; /* kvno of mkey protecting the latest_mkey */
- /* XXX WAF: maybe krb5_data isn't adequate, the kvno and enctype is needed I
- * think. Perhaps krb5_key_data should be used?
- */
+ krb5_kvno mkey_kvno; /* kvno of mkey protecting the latest_mkey */
krb5_key_data latest_mkey; /* most recent mkey */
} krb5_mkey_aux_node;
krb5_keyblock **key );
krb5_error_code krb5_db_set_mkey_list( krb5_context context,
- krb5_keyblock_node * keylist);
+ krb5_keylist_node * keylist);
krb5_error_code krb5_db_get_mkey_list( krb5_context kcontext,
- krb5_keyblock_node ** keylist);
+ krb5_keylist_node ** keylist);
krb5_error_code krb5_db_free_master_key ( krb5_context kcontext,
krb5_keyblock *key );
krb5_principal mname,
const krb5_keyblock * mkey,
krb5_kvno mkvno,
- krb5_keyblock_node **mkeys_list );
+ krb5_keylist_node **mkeys_list );
krb5_error_code
krb5_db_free_mkey_list( krb5_context context,
- krb5_keyblock_node *mkey_list );
+ krb5_keylist_node *mkey_list );
krb5_error_code
krb5_dbe_find_enctype( krb5_context kcontext,
krb5_error_code
krb5_dbe_find_act_mkey( krb5_context context,
- krb5_keyblock_node * mkey_list,
+ krb5_keylist_node * mkey_list,
krb5_actkvno_node * act_mkey_list,
+ krb5_kvno * act_kvno,
krb5_keyblock ** act_mkey);
krb5_error_code
krb5_dbe_find_mkey( krb5_context context,
- krb5_keyblock_node * mkey_list,
+ krb5_keylist_node * mkey_list,
krb5_db_entry * entry,
krb5_keyblock ** mkey);
krb5_principal mprinc,
const krb5_keyblock *mkey,
krb5_kvno mkvno,
- krb5_keyblock_node **mkeys_list);
+ krb5_keylist_node **mkeys_list);
krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
char *pwd,
krb5_keyblock *key );
krb5_error_code kdb_def_set_mkey_list ( krb5_context kcontext,
- krb5_keyblock_node *keylist );
+ krb5_keylist_node *keylist );
krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
krb5_keyblock **key );
krb5_error_code kdb_def_get_mkey_list ( krb5_context kcontext,
- krb5_keyblock_node **keylist );
+ krb5_keylist_node **keylist );
krb5_error_code
krb5_dbe_def_cpw( krb5_context context,
krb5_keyblock **key);
krb5_error_code (*set_master_key_list) ( krb5_context kcontext,
- krb5_keyblock_node *keylist);
+ krb5_keylist_node *keylist);
krb5_error_code (*get_master_key_list) ( krb5_context kcontext,
- krb5_keyblock_node **keylist);
+ krb5_keylist_node **keylist);
krb5_error_code (*setup_master_key_name) ( krb5_context kcontext,
char *keyname,
krb5_principal mname,
const krb5_keyblock *key,
krb5_kvno kvno,
- krb5_keyblock_node **mkeys_list);
+ krb5_keylist_node **mkeys_list);
krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext,
krb5_db_entry *dbentp,
} krb5_keyblock;
typedef struct _krb5_keylist_node {
- krb5_keyblock keyblock;
- krb5_kvno kvno;
- struct _krb5_keylist_node *next;
- } krb5_keyblock_node;
+ krb5_keyblock keyblock;
+ krb5_kvno kvno;
+ struct _krb5_keylist_node *next;
+} krb5_keylist_node;
#ifdef KRB5_OLD_CRYPTO
typedef struct _krb5_encrypt_block {
com_err(progname, retval, "while adding entries to the database");
exit_status++; return;
}
+
+
+
/*
* Always stash the master key so kadm5_create does not prompt for
* it; delete the file below if it was not requested. DO NOT EXIT
krb5_error_code retval;
krb5_db_entry entry;
krb5_kvno mkey_kvno;
-
krb5_timestamp now;
struct iterate_args iargs;
-
int nentries = 1;
+ krb5_actkvno_node actkvno;
memset((char *) &entry, 0, sizeof(entry));
&master_keyblock, NULL,
mkey_kvno, entry.key_data)))
return retval;
+ /*
+ * There should always be at least one "active" mkey so creating the
+ * KRB5_TL_ACTKVNO entry now so the initial mkey is active.
+ */
+ actkvno.next = NULL;
+ actkvno.act_kvno = mkey_kvno;
+ actkvno.act_time = now;
+ if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno)))
+ return retval;
+
break;
case TGT_KEY:
iargs.ctx = context;
extern krb5_keyblock master_keyblock; /* current mkey */
extern krb5_principal master_princ;
+extern krb5_keylist_node *master_keylist;
extern krb5_data master_salt;
extern char *mkey_password;
extern char *progname;
kdb5_add_mkey(int argc, char *argv[])
{
int optchar;
- krb5_error_code retval;
- char *mkey_fullname;
- char *pw_str = 0;
- unsigned int pw_size = 0;
- int do_stash = 0, nentries = 0;
- int old_key_data_count, i, j;
- krb5_boolean more = 0;
- krb5_data pwd;
- krb5_kvno old_kvno, new_mkey_kvno;
- krb5_keyblock new_master_keyblock;
- krb5_keyblock plainkey;
- krb5_key_data tmp_key_data, *old_key_data, *key_data;
- krb5_enctype new_master_enctype = DEFAULT_KDC_ENCTYPE;
- char *new_mkey_password;
- krb5_db_entry master_entry;
- krb5_timestamp now;
+ krb5_error_code retval;
+ char *mkey_fullname;
+ char *pw_str = 0;
+ unsigned int pw_size = 0;
+ int do_stash = 0, nentries = 0;
+ int old_key_data_count, i, j;
+ krb5_boolean more = 0;
+ krb5_data pwd;
+ krb5_kvno old_kvno, new_mkey_kvno;
+ krb5_keyblock new_master_keyblock;
+ krb5_keyblock plainkey;
+ krb5_key_data tmp_key_data, *old_key_data, *key_data;
+ krb5_enctype new_master_enctype = DEFAULT_KDC_ENCTYPE;
+ char *new_mkey_password;
+ krb5_db_entry master_entry;
+ krb5_timestamp now;
krb5_mkey_aux_node *mkey_aux_data_head, **mkey_aux_data,
- *cur_mkey_aux_data, *next_mkey_aux_data;
+ *cur_mkey_aux_data, *next_mkey_aux_data;
/*
* The command table entry for this command causes open_db_and_mkey() to be
*/
while ((optchar = getopt(argc, argv, "k:s")) != -1) {
- switch(optchar) {
- case 'k':
- if (krb5_string_to_enctype(optarg, &new_master_enctype)) {
- com_err(progname, EINVAL, ": %s is an invalid enctype", optarg);
- exit_status++;
- return;
- }
- break;
- case 's':
- do_stash++;
- break;
- case '?':
- default:
- usage();
- return;
- }
- }
-
+ switch(optchar) {
+ case 'k':
+ if (krb5_string_to_enctype(optarg, &new_master_enctype)) {
+ com_err(progname, EINVAL, ": %s is an invalid enctype", optarg);
+ exit_status++;
+ return;
+ }
+ break;
+ case 's':
+ do_stash++;
+ break;
+ case '?':
+ default:
+ usage();
+ return;
+ }
+ }
+
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
- global_params.mkey_name,
- global_params.realm,
- &mkey_fullname, &master_princ))) {
- com_err(progname, retval, "while setting up master key name");
- exit_status++;
- return;
+ global_params.mkey_name,
+ global_params.realm,
+ &mkey_fullname, &master_princ))) {
+ com_err(progname, retval, "while setting up master key name");
+ exit_status++;
+ return;
}
- retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries,
- &more);
+ retval = krb5_db_get_principal(util_context, master_princ, &master_entry,
+ &nentries,
+ &more);
if (retval != 0) {
- com_err(progname, retval, "while setting up master key name");
- exit_status++;
- return;
+ com_err(progname, retval, "while setting up master key name");
+ exit_status++;
+ return;
}
printf("Creating new master key for master key principal '%s'\n",
- mkey_fullname);
+ mkey_fullname);
printf("You will be prompted for a new database Master Password.\n");
printf("It is important that you NOT FORGET this password.\n");
pw_size = 1024;
pw_str = malloc(pw_size);
if (pw_str == NULL) {
- com_err(progname, ENOMEM, "while creating new master key");
- exit_status++;
- return;
+ com_err(progname, ENOMEM, "while creating new master key");
+ exit_status++;
+ return;
}
-
+
retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
- pw_str, &pw_size);
+ pw_str, &pw_size);
if (retval) {
- com_err(progname, retval, "while reading new master key from keyboard");
- exit_status++;
- return;
+ com_err(progname, retval, "while reading new master key from keyboard");
+ exit_status++;
+ return;
}
new_mkey_password = pw_str;
pwd.length = strlen(new_mkey_password);
retval = krb5_principal2salt(util_context, master_princ, &master_salt);
if (retval) {
- com_err(progname, retval, "while calculating master key salt");
- exit_status++;
- return;
+ com_err(progname, retval, "while calculating master key salt");
+ exit_status++;
+ return;
}
retval = krb5_c_string_to_key(util_context, new_master_enctype,
- &pwd, &master_salt, &new_master_keyblock);
+ &pwd, &master_salt, &new_master_keyblock);
if (retval) {
- com_err(progname, retval, "while transforming master key from password");
- exit_status++;
- return;
+ com_err(progname, retval, "while transforming master key from password");
+ exit_status++;
+ return;
}
/* First save the old keydata */
old_kvno = get_key_data_kvno(util_context, master_entry.n_key_data,
- master_entry.key_data);
+ master_entry.key_data);
old_key_data_count = master_entry.n_key_data;
old_key_data = master_entry.key_data;
* krb5_key_data key_data_contents is a pointer to this key. Using some
* logic from master_key_convert().
*/
- master_entry.key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * (old_key_data_count + 1));
+ master_entry.key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) *
+ (old_key_data_count + 1));
if (master_entry.key_data == NULL) {
- com_err(progname, ENOMEM, "while adding new master key");
- exit_status++;
- return;
+ com_err(progname, ENOMEM, "while adding new master key");
+ exit_status++;
+ return;
}
memset((char *) master_entry.key_data, 0, sizeof(krb5_key_data) * (old_key_data_count + 1));
master_entry.n_key_data = old_key_data_count + 1;
new_mkey_kvno = old_kvno + 1;
/* deal with wrapping? */
if (new_mkey_kvno == 0)
- new_mkey_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
+ new_mkey_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
/* Note, mkey does not have salt */
/* add new mkey encrypted with itself to mkey princ entry */
if ((retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock,
- &new_master_keyblock, NULL,
- (int) new_mkey_kvno, master_entry.key_data))) {
- com_err(progname, retval, "while creating new master key");
- exit_status++;
- return;
+ &new_master_keyblock, NULL,
+ (int) new_mkey_kvno,
+ master_entry.key_data))) {
+ com_err(progname, retval, "while creating new master key");
+ exit_status++;
+ return;
}
/*
*/
mkey_aux_data_head = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node));
if (mkey_aux_data_head == NULL) {
- com_err(progname, ENOMEM, "while creating mkey_aux_data");
- exit_status++;
- return;
+ com_err(progname, ENOMEM, "while creating mkey_aux_data");
+ exit_status++;
+ return;
}
memset(mkey_aux_data_head, 0, sizeof(krb5_mkey_aux_node));
mkey_aux_data = &mkey_aux_data_head;
for (i = 0; i < old_key_data_count; i++) {
- key_data = &old_key_data[i];
-
- retval = krb5_dbekd_decrypt_key_data(util_context, &master_keyblock,
- key_data, &plainkey, NULL);
- if (retval) {
- com_err(progname, retval, "while decrypting master keys");
- exit_status++;
- return;
- }
-
- /*
- * Create a list of krb5_mkey_aux_node nodes. One node contains the new
- * mkey encrypted by an old mkey and the old mkey's kvno (one node per
- * old mkey).
- */
-
- if (*mkey_aux_data == NULL) {
- /* *mkey_aux_data points to next field of previous node */
- *mkey_aux_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node));
- if (mkey_aux_data == NULL) {
- com_err(progname, ENOMEM, "while creating mkey_aux_data");
- exit_status++;
- return;
- }
- memset(*mkey_aux_data, 0, sizeof(krb5_mkey_aux_node));
- }
-
- /* encrypt the new mkey with the older mkey */
- retval = krb5_dbekd_encrypt_key_data(util_context, &plainkey,
- &new_master_keyblock,
- NULL, /* no keysalt */
- (int) key_data->key_data_kvno,
- &tmp_key_data);
- if (retval) {
- com_err(progname, retval, "while encrypting master keys");
- exit_status++;
- return;
- }
-
- (*mkey_aux_data)->latest_mkey = tmp_key_data;
- (*mkey_aux_data)->mkey_kvno = key_data->key_data_kvno;
-
- mkey_aux_data = &((*mkey_aux_data)->next);
-
- /* Store old key in master_entry keydata, + 1 to skip the first key_data entry */
- retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock,
- &plainkey, NULL, /* no keysalt */
- (int) key_data->key_data_kvno,
- &master_entry.key_data[i+1]);
- if (retval) {
- com_err(progname, retval, "while encrypting master keys");
- exit_status++;
- return;
- }
-
- /* free plain text key and old key data entry */
- krb5_free_keyblock_contents(util_context, &plainkey);
- for (j = 0; j < key_data->key_data_ver; j++) {
- if (key_data->key_data_length[j]) {
- /* the key_data contents are encrypted so no clearing first */
- free(key_data->key_data_contents[j]);
- }
- }
+ key_data = &old_key_data[i];
+
+ retval = krb5_dbekd_decrypt_key_data(util_context, &master_keyblock,
+ key_data, &plainkey, NULL);
+ if (retval) {
+ com_err(progname, retval, "while decrypting master keys");
+ exit_status++;
+ return;
+ }
+
+ /*
+ * Create a list of krb5_mkey_aux_node nodes. One node contains the new
+ * mkey encrypted by an old mkey and the old mkey's kvno (one node per
+ * old mkey).
+ */
+
+ if (*mkey_aux_data == NULL) {
+ /* *mkey_aux_data points to next field of previous node */
+ *mkey_aux_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node));
+ if (mkey_aux_data == NULL) {
+ com_err(progname, ENOMEM, "while creating mkey_aux_data");
+ exit_status++;
+ return;
+ }
+ memset(*mkey_aux_data, 0, sizeof(krb5_mkey_aux_node));
+ }
+
+ /* encrypt the new mkey with the older mkey */
+ retval = krb5_dbekd_encrypt_key_data(util_context, &plainkey,
+ &new_master_keyblock,
+ NULL, /* no keysalt */
+ (int) key_data->key_data_kvno,
+ &tmp_key_data);
+ if (retval) {
+ com_err(progname, retval, "while encrypting master keys");
+ exit_status++;
+ return;
+ }
+
+ (*mkey_aux_data)->latest_mkey = tmp_key_data;
+ (*mkey_aux_data)->mkey_kvno = key_data->key_data_kvno;
+
+ mkey_aux_data = &((*mkey_aux_data)->next);
+
+ /* Store old key in master_entry keydata, + 1 to skip the first key_data entry */
+ retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock,
+ &plainkey,
+ NULL, /* no keysalt */
+ (int) key_data->key_data_kvno,
+ &master_entry.key_data[i+1]);
+ if (retval) {
+ com_err(progname, retval, "while encrypting master keys");
+ exit_status++;
+ return;
+ }
+
+ /* free plain text key and old key data entry */
+ krb5_free_keyblock_contents(util_context, &plainkey);
+ for (j = 0; j < key_data->key_data_ver; j++) {
+ if (key_data->key_data_length[j]) {
+ /* the key_data contents are encrypted so no clearing first */
+ free(key_data->key_data_contents[j]);
+ }
+ }
}
if ((retval = krb5_dbe_update_mkey_aux(util_context, &master_entry,
- mkey_aux_data_head))) {
- com_err(progname, retval, "while updating mkey aux data");
- exit_status++;
- return;
+ mkey_aux_data_head))) {
+ com_err(progname, retval, "while updating mkey aux data");
+ exit_status++;
+ return;
}
if ((retval = krb5_timeofday(util_context, &now))) {
- com_err(progname, retval, "while getting current time");
- exit_status++;
- return;
+ com_err(progname, retval, "while getting current time");
+ exit_status++;
+ return;
}
if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry,
- now, master_princ))) {
- com_err(progname, retval, "while updating the master key principal modification time");
- exit_status++;
- return;
+ now, master_princ))) {
+ com_err(progname, retval, "while updating the master key principal modification time");
+ exit_status++;
+ return;
}
if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) {
- (void) krb5_db_fini(util_context);
- com_err(progname, retval, "while adding master key entry to the database");
- exit_status++;
- return;
+ (void) krb5_db_fini(util_context);
+ com_err(progname, retval, "while adding master key entry to the database");
+ exit_status++;
+ return;
}
if (do_stash) {
- retval = krb5_db_store_master_key(util_context,
- global_params.stash_file,
- master_princ,
- new_mkey_kvno,
- &new_master_keyblock,
- mkey_password);
- if (retval) {
- com_err(progname, errno, "while storing key");
- printf("Warning: couldn't stash master key.\n");
- }
+ retval = krb5_db_store_master_key(util_context,
+ global_params.stash_file,
+ master_princ,
+ new_mkey_kvno,
+ &new_master_keyblock,
+ mkey_password);
+ if (retval) {
+ com_err(progname, errno, "while storing key");
+ printf("Warning: couldn't stash master key.\n");
+ }
}
/* clean up */
(void) krb5_db_fini(util_context);
memset((char *)new_master_keyblock.contents, 0, new_master_keyblock.length);
free(new_master_keyblock.contents);
if (pw_str) {
- memset(pw_str, 0, pw_size);
- free(pw_str);
+ memset(pw_str, 0, pw_size);
+ free(pw_str);
}
free(master_salt.data);
free(mkey_fullname);
for (cur_mkey_aux_data = mkey_aux_data_head; cur_mkey_aux_data != NULL;
- cur_mkey_aux_data = next_mkey_aux_data) {
+ cur_mkey_aux_data = next_mkey_aux_data) {
- next_mkey_aux_data = cur_mkey_aux_data->next;
- krb5_free_key_data_contents(util_context, &(cur_mkey_aux_data->latest_mkey));
- free(cur_mkey_aux_data);
+ next_mkey_aux_data = cur_mkey_aux_data->next;
+ krb5_free_key_data_contents(util_context, &(cur_mkey_aux_data->latest_mkey));
+ free(cur_mkey_aux_data);
}
return;
}
void
kdb5_use_mkey(int argc, char *argv[])
{
- krb5_error_code retval;
- char *mkey_fullname;
- krb5_kvno use_kvno;
- krb5_timestamp now, start_time;
- krb5_actkvno_node *actkvno_list, *new_actkvno_list_head, *new_actkvno, *prev_actkvno, *cur_actkvno;
- krb5_db_entry master_entry;
- int nentries = 0;
- krb5_boolean more = 0;
+ krb5_error_code retval;
+ char *mkey_fullname;
+ krb5_kvno use_kvno;
+ krb5_timestamp now, start_time;
+ krb5_actkvno_node *actkvno_list, *new_actkvno_list_head, *new_actkvno,
+ *prev_actkvno, *cur_actkvno;
+ krb5_db_entry master_entry;
+ int nentries = 0;
+ krb5_boolean more = 0;
if (argc < 1 || argc > 2) {
- /* usage calls exit */
- usage();
+ /* usage calls exit */
+ usage();
}
use_kvno = (int) strtol(argv[0], (char **)NULL, 10);
if (use_kvno == 0) {
- com_err(progname, EINVAL, ": 0 is an invalid KVNO value.");
- exit_status++;
- return;
+ com_err(progname, EINVAL, ": 0 is an invalid KVNO value.");
+ exit_status++;
+ return;
}
if ((retval = krb5_timeofday(util_context, &now))) {
- com_err(progname, retval, "while getting current time.");
- exit_status++;
- return;
+ com_err(progname, retval, "while getting current time.");
+ exit_status++;
+ return;
}
if (argc == 2) {
- start_time = (krb5_timestamp) get_date(argv[0]);
+ start_time = (krb5_timestamp) get_date(argv[0]);
} else {
- start_time = now;
+ start_time = now;
}
/*
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
- global_params.mkey_name,
- global_params.realm,
- &mkey_fullname, &master_princ))) {
- com_err(progname, retval, "while setting up master key name");
- exit_status++;
- return;
+ global_params.mkey_name,
+ global_params.realm,
+ &mkey_fullname, &master_princ))) {
+ com_err(progname, retval, "while setting up master key name");
+ exit_status++;
+ return;
}
retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries,
- &more);
+ &more);
if (retval != 0) {
- com_err(progname, retval, "while setting up master key name");
- exit_status++;
- return;
+ com_err(progname, retval, "while setting up master key name");
+ exit_status++;
+ return;
}
/* XXX WAF: verify that the provided kvno is valid */
retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
if (retval != 0) {
- com_err(progname, retval, "while setting up master key name");
- exit_status++;
- return;
+ com_err(progname, retval, "while setting up master key name");
+ exit_status++;
+ return;
}
/*
/* alloc enough space to hold new and existing key_data */
new_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
if (new_actkvno == NULL) {
- com_err(progname, ENOMEM, "while adding new master key");
- exit_status++;
- return;
+ com_err(progname, ENOMEM, "while adding new master key");
+ exit_status++;
+ return;
}
new_actkvno->act_kvno = use_kvno;
new_actkvno->act_time = start_time;
if (actkvno_list == NULL || new_actkvno->act_time < actkvno_list->act_time) {
- /* insert new actkvno at head of list and link rest following */
- new_actkvno->next = actkvno_list;
- new_actkvno_list_head = new_actkvno;
+ /* insert new actkvno at head of list and link rest following */
+ new_actkvno->next = actkvno_list;
+ new_actkvno_list_head = new_actkvno;
} else {
- for (new_actkvno_list_head = prev_actkvno = cur_actkvno = actkvno_list; cur_actkvno != NULL;
- prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {
-
- if (cur_actkvno->act_time <= now) {
- if (new_actkvno->act_time < cur_actkvno->act_time) {
- /*
- * This is a problem as the new actkvno would be skipped and
- * not added to the entries for the mkey princ.
- */
- com_err(progname, EINVAL,
- "Activation time %s is less than a existing currently active kvno %d (activation time %s)",
- strdate(new_actkvno->act_time), cur_actkvno->act_kvno, strdate(cur_actkvno->act_time));
- exit_status++;
- return;
- }
- /*
- * New list head should point to the most current valid node in
- * order to trim out of date entries.
- */
- new_actkvno_list_head = cur_actkvno;
- }
-
- if (new_actkvno->act_time < cur_actkvno->act_time) {
- if (new_actkvno_list_head == cur_actkvno) {
- /*
- * XXX WAF: trying to minimize race condition issue here,
- * maybe there is a better way to do this?
- */
- com_err(progname, EINVAL,
- "Activation time %s is less than an existing currently active kvno %d (activation time %s)",
- strdate(new_actkvno->act_time), cur_actkvno->act_kvno, strdate(cur_actkvno->act_time));
- exit_status++;
- return;
- }
- prev_actkvno->next = new_actkvno;
- new_actkvno->next = cur_actkvno;
- break;
- } else if (cur_actkvno->next == NULL) {
- /* end of line, just add new node to end of list */
- cur_actkvno->next = new_actkvno;
- break;
- }
- } /* end for (new_actkvno_list_head = prev_actkvno = cur_actkvno = actkvno_list */
- }
-
- if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry, new_actkvno_list_head))) {
- com_err(progname, retval, "while updating actkvno data for master principal entry.");
- exit_status++;
- return;
+ for (new_actkvno_list_head = prev_actkvno = cur_actkvno = actkvno_list;
+ cur_actkvno != NULL;
+ prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {
+
+ if (cur_actkvno->act_time <= now) {
+ if (new_actkvno->act_time < cur_actkvno->act_time) {
+ /*
+ * This is a problem as the new actkvno would be skipped and
+ * not added to the entries for the mkey princ.
+ */
+ com_err(progname, EINVAL,
+ "Activation time %s is less than a existing currently "
+ "active kvno %d (activation time %s)",
+ strdate(new_actkvno->act_time), cur_actkvno->act_kvno,
+ strdate(cur_actkvno->act_time));
+ exit_status++;
+ return;
+ }
+ /*
+ * New list head should point to the most current valid node in
+ * order to trim out of date entries.
+ */
+ new_actkvno_list_head = cur_actkvno;
+ }
+
+ if (new_actkvno->act_time < cur_actkvno->act_time) {
+ if (new_actkvno_list_head == cur_actkvno) {
+ /*
+ * XXX WAF: trying to minimize race condition issue here,
+ * maybe there is a better way to do this?
+ */
+ com_err(progname, EINVAL,
+ "Activation time %s is less than an existing currently "
+ "active kvno %d (activation time %s)",
+ strdate(new_actkvno->act_time), cur_actkvno->act_kvno,
+ strdate(cur_actkvno->act_time));
+ exit_status++;
+ return;
+ }
+ prev_actkvno->next = new_actkvno;
+ new_actkvno->next = cur_actkvno;
+ break;
+ } else if (cur_actkvno->next == NULL) {
+ /* end of line, just add new node to end of list */
+ cur_actkvno->next = new_actkvno;
+ break;
+ }
+ } /* end for (new_actkvno_list_head = prev_actkvno = ... */
+ }
+
+ if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry,
+ new_actkvno_list_head))) {
+ com_err(progname, retval, "while updating actkvno data for master principal entry.");
+ exit_status++;
+ return;
}
if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry,
- now, master_princ))) {
- com_err(progname, retval, "while updating the master key principal modification time");
- exit_status++;
- return;
+ now, master_princ))) {
+ com_err(progname, retval, "while updating the master key principal modification time");
+ exit_status++;
+ return;
}
if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) {
- (void) krb5_db_fini(util_context);
- com_err(progname, retval, "while adding master key entry to the database");
- exit_status++;
- return;
+ (void) krb5_db_fini(util_context);
+ com_err(progname, retval, "while adding master key entry to the database");
+ exit_status++;
+ return;
}
/* clean up */
free(mkey_fullname);
for (cur_actkvno = actkvno_list; cur_actkvno != NULL;) {
- prev_actkvno = cur_actkvno;
- cur_actkvno = cur_actkvno->next;
- free(prev_actkvno);
+ prev_actkvno = cur_actkvno;
+ cur_actkvno = cur_actkvno->next;
+ free(prev_actkvno);
+ }
+ return;
+}
+
+void
+kdb5_list_mkeys(int argc, char *argv[])
+{
+ krb5_error_code retval;
+ char *mkey_fullname, *output_str = NULL, enctype[BUFSIZ];
+ krb5_kvno act_kvno;
+ krb5_timestamp act_time;
+ krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno, *prev_actkvno;
+ krb5_db_entry master_entry;
+ int nentries = 0;
+ krb5_boolean more = 0;
+ krb5_keylist_node *cur_kb_node;
+ krb5_keyblock *act_mkey;
+
+ /* assemble & parse the master key name */
+ if ((retval = krb5_db_setup_mkey_name(util_context,
+ global_params.mkey_name,
+ global_params.realm,
+ &mkey_fullname, &master_princ))) {
+ com_err(progname, retval, "while setting up master key name");
+ exit_status++;
+ return;
+ }
+
+ retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries,
+ &more);
+ if (retval != 0) {
+ com_err(progname, retval, "while getting master key principal %s", mkey_fullname);
+ exit_status++;
+ return;
+ }
+
+ retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list);
+ if (retval != 0) {
+ com_err(progname, retval, "while looking up active kvno list");
+ exit_status++;
+ return;
+ }
+ /* XXX WAF: debug code, remove before commit */
+ if (master_keylist == NULL) {
+ com_err(progname, retval, "master_keylist == NULL this is a problem");
+ exit_status++;
+ return;
+ }
+
+ if (actkvno_list == NULL) {
+ act_kvno = master_entry.key_data[0].key_data_kvno;
+ } else {
+ retval = krb5_dbe_find_act_mkey(util_context, master_keylist,
+ actkvno_list, &act_kvno, &act_mkey);
+ if (retval != 0) {
+ com_err(progname, retval, "while setting up master key name");
+ exit_status++;
+ return;
+ }
+ }
+
+ printf("Master keys for Principal: %s\n", mkey_fullname);
+
+ for (cur_kb_node = master_keylist; cur_kb_node != NULL;
+ cur_kb_node = cur_kb_node->next) {
+
+ if (krb5_enctype_to_string(cur_kb_node->keyblock.enctype,
+ enctype, sizeof(enctype))) {
+ com_err(progname, retval, "while getting enctype description");
+ exit_status++;
+ return;
+ }
+
+ if (actkvno_list != NULL) {
+ for (cur_actkvno = actkvno_list; cur_actkvno != NULL;
+ cur_actkvno = cur_actkvno->next) {
+ if (cur_actkvno->act_kvno == cur_kb_node->kvno) {
+ act_time = cur_actkvno->act_time;
+ break;
+ }
+ }
+ } else {
+ /*
+ * mkey princ doesn't have an active knvo list so assume the current
+ * key is active now
+ */
+ if ((retval = krb5_timeofday(util_context, &act_time))) {
+ com_err(progname, retval, "while getting current time");
+ exit_status++;
+ return;
+ }
+ }
+
+ if (cur_kb_node->kvno == act_kvno) {
+ asprintf(&output_str, "KNVO: %d, Enctype: %s, Active on: %s *\n",
+ cur_kb_node->kvno, enctype, strdate(act_time));
+ } else {
+ asprintf(&output_str, "KNVO: %d, Enctype: %s, Active on: %s\n",
+ cur_kb_node->kvno, enctype, strdate(act_time));
+ }
+ }
+
+ /* clean up */
+ (void) krb5_db_fini(util_context);
+ free(mkey_fullname);
+ free(output_str);
+ for (cur_actkvno = actkvno_list; cur_actkvno != NULL;) {
+ prev_actkvno = cur_actkvno;
+ cur_actkvno = cur_actkvno->next;
+ free(prev_actkvno);
}
return;
}
}
extern krb5_keyblock master_keyblock;
-extern krb5_keyblock_node *master_keylist;
+extern krb5_keylist_node *master_keylist;
extern krb5_principal master_princ;
krb5_db_entry master_entry;
int valid_master_key = 0;
{"ark", add_random_key, 1},
{"add_mkey", kdb5_add_mkey, 1}, /* 1 is opendb */
{"use_mkey", kdb5_use_mkey, 1}, /* 1 is opendb */
+ {"list_mkeys", kdb5_list_mkeys, 1}, /* 1 is opendb */
{NULL, NULL, 0},
};
extern void kdb5_stash (int argc, char **argv);
extern void kdb5_add_mkey (int argc, char **argv);
extern void kdb5_use_mkey (int argc, char **argv);
+extern void kdb5_list_mkeys (int argc, char **argv);
extern void update_ok_file (char *file_name);
#define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw"
extern krb5_keyblock master_keyblock;
-extern krb5_keyblock_node *master_keylist;
+extern krb5_keylist_node *master_keylist;
char *build_princ_name(char *name, char *realm);
void log_badauth(OM_uint32 major, OM_uint32 minor,
krb5_context realm_context; /* Context to be used for realm */
krb5_keytab realm_keytab; /* keytab to be used for this realm */
char * realm_profile; /* Profile file for this realm */
- krb5_keyblock_node * mkey_list; /* list of mkeys in use for this realm */
+ krb5_keylist_node * mkey_list; /* list of mkeys in use for this realm */
/*
* Database per-realm data.
*/
krb5_principal master_princ;
krb5_keyblock master_keyblock; /* local mkey */
-krb5_keyblock_node *master_keylist = NULL;
+krb5_keylist_node *master_keylist = NULL;
krb5_actkvno_node *active_mkey_list = NULL;
krb5_db_entry master_db;
#include <sys/types.h>
#include <sys/time.h>
#include <errno.h>
+#include <k5-int.h>
#include <kadm5/admin.h>
#include <kdb.h>
#include <stdio.h>
extern krb5_principal master_princ;
extern krb5_principal hist_princ;
-/* extern krb5_keyblock master_keyblock; */
-extern krb5_keyblock_node *master_keylist;
+extern krb5_keylist_node *master_keylist;
extern krb5_actkvno_node *active_mkey_list;
extern krb5_keyblock hist_key;
extern krb5_db_entry master_db;
unsigned int ret;
kadm5_server_handle_t handle = server_handle;
krb5_keyblock *act_mkey;
+ krb5_kvno act_kvno;
CHECK_HANDLE(server_handle);
/* initialize the keys */
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_mkey);
+ active_mkey_list, &act_kvno, &act_mkey);
if (ret)
return (ret);
return(ret);
}
- /* XXX WAF: this needs to be changed to use real mkvno */
/* Record the master key VNO used to encrypt this entry's keys */
- ret = krb5_dbe_update_mkvno(handle->context, &kdb, 1);
+ ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno);
if (ret)
{
krb5_db_free_principal(handle->context, &kdb, 1);
goto done;
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_mkey);
+ active_mkey_list, NULL, &act_mkey);
if (ret)
goto done;
return(ret);
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_mkey);
+ active_mkey_list, NULL, &act_mkey);
if (ret)
goto done;
keysalt.data.data = NULL;
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_mkey);
+ active_mkey_list, NULL, &act_mkey);
if (ret)
goto done;
memset (&tmp_key_data, 0, sizeof(tmp_key_data));
ret = krb5_dbe_find_act_mkey(handle->context, master_keylist,
- active_mkey_list, &act_mkey);
+ active_mkey_list, NULL, &act_mkey);
if (ret)
goto done;
krb5_error_code
krb5_db_set_mkey_list(krb5_context kcontext,
- krb5_keyblock_node * keylist)
+ krb5_keylist_node * keylist)
{
krb5_error_code status = 0;
kdb5_dal_handle *dal_handle;
if (kcontext->dal_handle == NULL) {
- status = kdb_setup_lib_handle(kcontext);
- if (status) {
- goto clean_n_exit;
- }
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
}
dal_handle = kcontext->dal_handle;
status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
if (status) {
- goto clean_n_exit;
+ goto clean_n_exit;
}
status = dal_handle->lib_handle->vftabl.set_master_key_list(kcontext, keylist);
kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
- clean_n_exit:
+clean_n_exit:
return status;
}
}
krb5_error_code
-krb5_db_get_mkey_list(krb5_context kcontext, krb5_keyblock_node ** keylist)
+krb5_db_get_mkey_list(krb5_context kcontext, krb5_keylist_node ** keylist)
{
krb5_error_code status = 0;
kdb5_dal_handle *dal_handle;
if (kcontext->dal_handle == NULL) {
- status = kdb_setup_lib_handle(kcontext);
- if (status) {
- goto clean_n_exit;
- }
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
}
dal_handle = kcontext->dal_handle;
status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
if (status) {
- goto clean_n_exit;
+ goto clean_n_exit;
}
/* Let's use temp key and copy it later to avoid memory problems
get_errmsg(kcontext, status);
kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
- clean_n_exit:
+clean_n_exit:
return status;
}
krb5_principal mname,
const krb5_keyblock * mkey,
krb5_kvno mkvno,
- krb5_keyblock_node **mkey_list)
+ krb5_keylist_node **mkey_list)
{
- kdb5_dal_handle *dal_handle;
- krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+ krb5_error_code status = 0;
- if (context->dal_handle == NULL) {
- status = kdb_setup_lib_handle(context);
- if (status) {
- goto clean_n_exit;
- }
- }
+ if (context->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(context);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
- dal_handle = context->dal_handle;
- status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
- if (status) {
- goto clean_n_exit;
- }
+ dal_handle = context->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
- status = dal_handle->lib_handle->vftabl.fetch_master_key_list(context,
- mname,
- mkey,
- mkvno,
- mkey_list);
- get_errmsg(context, status);
- kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+ status = dal_handle->lib_handle->vftabl.fetch_master_key_list(context,
+ mname,
+ mkey,
+ mkvno,
+ mkey_list);
+ get_errmsg(context, status);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
- if (status) {
- goto clean_n_exit;
- }
+ if (status) {
+ goto clean_n_exit;
+ }
clean_n_exit:
return status;
krb5_error_code
krb5_db_free_mkey_list(krb5_context context,
- krb5_keyblock_node *mkey_list)
+ krb5_keylist_node *mkey_list)
{
- krb5_keyblock_node *cur, *prev;
+ krb5_keylist_node *cur, *prev;
for (cur = mkey_list; cur != NULL;) {
- prev = cur;
- cur = cur->next;
- krb5_free_keyblock_contents(context, &prev->keyblock);
- krb5_xfree(prev);
+ prev = cur;
+ cur = cur->next;
+ krb5_free_keyblock_contents(context, &prev->keyblock);
+ krb5_xfree(prev);
}
return 0;
krb5_error_code
krb5_dbe_fetch_act_mkey_list(krb5_context context,
- krb5_principal mprinc,
- krb5_actkvno_node **act_mkey_list)
+ krb5_principal mprinc,
+ krb5_actkvno_node **act_mkey_list)
{
krb5_error_code retval = 0;
krb5_db_entry master_entry;
krb5_boolean more;
if (act_mkey_list == NULL)
- return (EINVAL);
+ return (EINVAL);
nprinc = 1;
if ((retval = krb5_db_get_principal(context, mprinc,
- &master_entry, &nprinc, &more)))
- return (retval);
-
+ &master_entry, &nprinc, &more)))
+ return (retval);
+
if (nprinc != 1) {
- if (nprinc)
- krb5_db_free_principal(context, &master_entry, nprinc);
- return(KRB5_KDB_NOMASTERKEY);
+ if (nprinc)
+ krb5_db_free_principal(context, &master_entry, nprinc);
+ return(KRB5_KDB_NOMASTERKEY);
} else if (more) {
- krb5_db_free_principal(context, &master_entry, nprinc);
- return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
+ krb5_db_free_principal(context, &master_entry, nprinc);
+ return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
}
retval = krb5_dbe_lookup_actkvno(context, &master_entry, act_mkey_list);
+ if (*act_mkey_list == NULL) {
+ krb5_actkvno_node *tmp_actkvno;
+ krb5_timestamp now;
+ /*
+ * for mkey princ entries without KRB5_TL_ACTKVNO data provide a default
+ */
+
+ if ((retval = krb5_timeofday(context, &now)))
+ return (retval);
+
+ tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
+ if (tmp_actkvno == NULL)
+ return (ENOMEM);
+
+ tmp_actkvno->act_time = now;
+ tmp_actkvno->act_kvno = master_entry.key_data[0].key_data_kvno;
+ tmp_actkvno->next = NULL;
+
+ *act_mkey_list = tmp_actkvno;
+ }
+
krb5_db_free_principal(context, &master_entry, nprinc);
return retval;
}
krb5_error_code
krb5_dbe_find_act_mkey(krb5_context context,
- krb5_keyblock_node *mkey_list,
+ krb5_keylist_node *mkey_list,
krb5_actkvno_node *act_mkey_list,
+ krb5_kvno *act_kvno,
krb5_keyblock **act_mkey)
{
- krb5_kvno act_kvno;
+ krb5_kvno tmp_act_kvno;
krb5_error_code retval;
- krb5_keyblock_node *cur_keyblock = mkey_list;
+ krb5_keylist_node *cur_keyblock = mkey_list;
krb5_actkvno_node *prev_actkvno, *cur_actkvno;
krb5_timestamp now;
krb5_boolean found = FALSE;
prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {
if (cur_actkvno->act_time == now) {
- act_kvno = cur_actkvno->act_kvno;
+ tmp_act_kvno = cur_actkvno->act_kvno;
found = TRUE;
break;
} else if (cur_actkvno->act_time > now && prev_actkvno->act_time <= now) {
- act_kvno = prev_actkvno->act_kvno;
+ tmp_act_kvno = prev_actkvno->act_kvno;
found = TRUE;
break;
}
* the latest entry.
*/
if (prev_actkvno->act_time <= now) {
- act_kvno = prev_actkvno->act_kvno;
+ tmp_act_kvno = prev_actkvno->act_kvno;
} else {
/* XXX this shouldn't happen */
return (KRB5_KDB_NOACTMASTERKEY);
}
}
- while (cur_keyblock && cur_keyblock->kvno != act_kvno)
+ while (cur_keyblock && cur_keyblock->kvno != tmp_act_kvno)
cur_keyblock = cur_keyblock->next;
if (cur_keyblock) {
*act_mkey = &cur_keyblock->keyblock;
+ if (act_kvno != NULL)
+ *act_kvno = tmp_act_kvno;
return (0);
} else {
return (KRB5_KDB_NO_MATCHING_KEY);
* free the output key.
*/
krb5_error_code
-krb5_dbe_find_mkey(krb5_context context,
- krb5_keyblock_node *mkey_list,
+krb5_dbe_find_mkey(krb5_context context,
+ krb5_keylist_node *mkey_list,
krb5_db_entry *entry,
krb5_keyblock **mkey)
{
krb5_kvno mkvno;
krb5_error_code retval;
- krb5_keyblock_node *cur_keyblock = mkey_list;
+ krb5_keylist_node *cur_keyblock = mkey_list;
retval = krb5_dbe_lookup_mkvno(context, entry, &mkvno);
if (retval)
- return (retval);
+ return (retval);
while (cur_keyblock && cur_keyblock->kvno != mkvno)
- cur_keyblock = cur_keyblock->next;
+ cur_keyblock = cur_keyblock->next;
if (cur_keyblock) {
- *mkey = &cur_keyblock->keyblock;
- return (0);
+ *mkey = &cur_keyblock->keyblock;
+ return (0);
} else {
- return (KRB5_KDB_NO_MATCHING_KEY);
+ return (KRB5_KDB_NO_MATCHING_KEY);
}
}
krb5_error_code
krb5_dbe_update_mkvno(krb5_context context,
- krb5_db_entry * entry,
- krb5_kvno mkvno)
+ krb5_db_entry * entry,
+ krb5_kvno mkvno)
{
krb5_tl_data tl_data;
- krb5_octet buf[2]; /* this is the encoded size of an int16 */
+ krb5_octet buf[2]; /* this is the encoded size of an int16 */
tl_data.tl_data_type = KRB5_TL_MKVNO;
tl_data.tl_data_length = sizeof(buf);
- /* use standard encoding */
krb5_kdb_encode_int16((krb5_ui_2) mkvno, buf);
tl_data.tl_data_contents = buf;
}
krb5_error_code
-krb5_dbe_lookup_mkey_aux(krb5_context context,
- krb5_db_entry * entry,
- krb5_mkey_aux_node ** mkey_aux_data_list)
+krb5_dbe_lookup_mkey_aux(krb5_context context,
+ krb5_db_entry * entry,
+ krb5_mkey_aux_node ** mkey_aux_data_list)
{
krb5_tl_data tl_data;
krb5_int16 version;
krb5_mkey_aux_node *head_data = NULL, *new_data = NULL,
- *prev_data = NULL;
+ *prev_data = NULL;
krb5_octet *curloc; /* current location pointer */
krb5_error_code code;
tl_data.tl_data_type = KRB5_TL_MKEY_AUX;
if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
- return (code);
+ return (code);
if (tl_data.tl_data_contents == NULL) {
- *mkey_aux_data_list = NULL;
- return (0);
+ *mkey_aux_data_list = NULL;
+ return (0);
} else {
- /* get version to determine how to parse the data */
- krb5_kdb_decode_int16(tl_data.tl_data_contents, version);
- if (version == KRB5_TL_MKEY_AUX_VER_1) {
-
- /* curloc points to first tuple entry in the tl_data_contents */
- curloc = tl_data.tl_data_contents + sizeof(version);
-
- while (curloc != (tl_data.tl_data_contents + tl_data.tl_data_length)) {
- assert(curloc < tl_data.tl_data_contents + tl_data.tl_data_length);
-
- new_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node));
- if (new_data == NULL) {
- krb5_free_mkey_aux_list(context, head_data);
- return (ENOMEM);
- }
- krb5_kdb_decode_int16(curloc, new_data->mkey_kvno);
- curloc += sizeof(krb5_ui_2);
- krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_kvno);
- curloc += sizeof(krb5_ui_2);
- krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_type[0]);
- curloc += sizeof(krb5_ui_2);
- krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_length[0]);
- curloc += sizeof(krb5_ui_2);
-
- new_data->latest_mkey.key_data_contents[0] = (krb5_octet *)
- malloc(new_data->latest_mkey.key_data_length[0]);
-
- if (new_data->latest_mkey.key_data_contents[0] == NULL) {
- krb5_free_mkey_aux_list(context, head_data);
- return (ENOMEM);
- }
- memcpy(new_data->latest_mkey.key_data_contents[0], curloc, new_data->latest_mkey.key_data_length[0]);
-
- new_data->next = NULL;
- if (prev_data != NULL)
- prev_data->next = new_data;
- else
- head_data = new_data;
- prev_data = new_data;
- }
- } else {
- krb5_set_error_message (context, KRB5_KDB_BAD_VERSION,
- "Illegal version number for KRB5_TL_MKEY_AUX %d\n",
- version);
- return (KRB5_KDB_BAD_VERSION);
- }
+ /* get version to determine how to parse the data */
+ krb5_kdb_decode_int16(tl_data.tl_data_contents, version);
+ if (version == KRB5_TL_MKEY_AUX_VER_1) {
+
+ /* curloc points to first tuple entry in the tl_data_contents */
+ curloc = tl_data.tl_data_contents + sizeof(version);
+
+ while (curloc != (tl_data.tl_data_contents + tl_data.tl_data_length)) {
+ assert(curloc < tl_data.tl_data_contents + tl_data.tl_data_length);
+
+ new_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node));
+ if (new_data == NULL) {
+ krb5_free_mkey_aux_list(context, head_data);
+ return (ENOMEM);
+ }
+ krb5_kdb_decode_int16(curloc, new_data->mkey_kvno);
+ curloc += sizeof(krb5_ui_2);
+ krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_kvno);
+ curloc += sizeof(krb5_ui_2);
+ krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_type[0]);
+ curloc += sizeof(krb5_ui_2);
+ krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_length[0]);
+ curloc += sizeof(krb5_ui_2);
+
+ new_data->latest_mkey.key_data_contents[0] = (krb5_octet *)
+ malloc(new_data->latest_mkey.key_data_length[0]);
+
+ if (new_data->latest_mkey.key_data_contents[0] == NULL) {
+ krb5_free_mkey_aux_list(context, head_data);
+ return (ENOMEM);
+ }
+ memcpy(new_data->latest_mkey.key_data_contents[0], curloc,
+ new_data->latest_mkey.key_data_length[0]);
+
+ new_data->next = NULL;
+ if (prev_data != NULL)
+ prev_data->next = new_data;
+ else
+ head_data = new_data;
+ prev_data = new_data;
+ }
+ } else {
+ krb5_set_error_message (context, KRB5_KDB_BAD_VERSION,
+ "Illegal version number for KRB5_TL_MKEY_AUX %d\n",
+ version);
+ return (KRB5_KDB_BAD_VERSION);
+ }
}
*mkey_aux_data_list = head_data;
return (0);
}
krb5_error_code
-krb5_dbe_update_mkey_aux(krb5_context context,
- krb5_db_entry * entry,
- krb5_mkey_aux_node * mkey_aux_data_list)
+krb5_dbe_update_mkey_aux(krb5_context context,
+ krb5_db_entry * entry,
+ krb5_mkey_aux_node * mkey_aux_data_list)
{
krb5_tl_data tl_data;
krb5_int16 version;
* determine out how much space to allocate
*/
tl_data.tl_data_length = sizeof(version); /* version */
- for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; aux_data_entry = aux_data_entry->next) {
- tl_data.tl_data_length += sizeof(krb5_ui_2); /* mkey_kvno */
- tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey kvno */
- tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey enctype */
- tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey length */
- tl_data.tl_data_length += aux_data_entry->latest_mkey.key_data_length[0]; /* mkey data */
+ for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
+ aux_data_entry = aux_data_entry->next) {
+ tl_data.tl_data_length += sizeof(krb5_ui_2); /* mkey_kvno */
+ tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey kvno */
+ tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey enctype */
+ tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey length */
+ tl_data.tl_data_length +=
+ aux_data_entry->latest_mkey.key_data_length[0]; /* mkey data */
}
tl_data.tl_data_contents = (krb5_octet *) malloc(tl_data.tl_data_length);
if (tl_data.tl_data_contents == NULL) {
- return (ENOMEM);
+ return (ENOMEM);
}
nextloc = tl_data.tl_data_contents;
/* version */
- krb5_kdb_encode_int16((krb5_ui_2)KRB5_TL_MKEY_AUX_VER_1, (unsigned char *)nextloc);
+ krb5_kdb_encode_int16((krb5_ui_2)KRB5_TL_MKEY_AUX_VER_1,
+ (unsigned char *)nextloc);
nextloc += sizeof(krb5_ui_2);
- for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; aux_data_entry = aux_data_entry->next) {
- krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->mkey_kvno, (unsigned char *)nextloc);
- nextloc += sizeof(krb5_ui_2);
- krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_kvno, (unsigned char *)nextloc);
- nextloc += sizeof(krb5_ui_2);
- krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_type[0], (unsigned char *)nextloc);
- nextloc += sizeof(krb5_ui_2);
- krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_length[0], (unsigned char *)nextloc);
- nextloc += sizeof(krb5_ui_2);
-
- if (aux_data_entry->latest_mkey.key_data_length[0] > 0) {
- memcpy(nextloc, aux_data_entry->latest_mkey.key_data_contents[0],
- aux_data_entry->latest_mkey.key_data_length[0]);
- nextloc += aux_data_entry->latest_mkey.key_data_length[0];
- }
+
+ for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
+ aux_data_entry = aux_data_entry->next) {
+
+ krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->mkey_kvno,
+ (unsigned char *)nextloc);
+ nextloc += sizeof(krb5_ui_2);
+ krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_kvno,
+ (unsigned char *)nextloc);
+ nextloc += sizeof(krb5_ui_2);
+ krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_type[0],
+ (unsigned char *)nextloc);
+ nextloc += sizeof(krb5_ui_2);
+ krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_length[0],
+ (unsigned char *)nextloc);
+ nextloc += sizeof(krb5_ui_2);
+
+ if (aux_data_entry->latest_mkey.key_data_length[0] > 0) {
+ memcpy(nextloc, aux_data_entry->latest_mkey.key_data_contents[0],
+ aux_data_entry->latest_mkey.key_data_length[0]);
+ nextloc += aux_data_entry->latest_mkey.key_data_length[0];
+ }
}
return (krb5_dbe_update_tl_data(context, entry, &tl_data));
krb5_error_code
krb5_dbe_lookup_actkvno(krb5_context context,
- krb5_db_entry *entry,
- krb5_actkvno_node **actkvno_list)
+ krb5_db_entry *entry,
+ krb5_actkvno_node **actkvno_list)
{
krb5_tl_data tl_data;
krb5_error_code code;
tl_data.tl_data_type = KRB5_TL_ACTKVNO;
if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
- return (code);
+ return (code);
if (tl_data.tl_data_contents == NULL) {
- *actkvno_list = NULL;
- return (0);
+ *actkvno_list = NULL;
+ return (0);
} else {
- /* get version to determine how to parse the data */
- krb5_kdb_decode_int16(tl_data.tl_data_contents, version);
- if (version == KRB5_TL_ACTKVNO_VER_1) {
- /*
- * Find number of tuple entries, remembering to account for version
- * field.
- */
- num_actkvno = (tl_data.tl_data_length - sizeof(version)) / ACTKVNO_TUPLE_SIZE;
- prev_data = NULL;
- /* next_tuple points to first tuple entry in the tl_data_contents */
- next_tuple = tl_data.tl_data_contents + sizeof(version);
- for (i = 0; i < num_actkvno; i++) {
- new_data = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
- if (new_data == NULL) {
- krb5_free_actkvno_list(context, head_data);
- return (ENOMEM);
- }
- krb5_kdb_decode_int16(act_kvno(next_tuple), new_data->act_kvno);
- krb5_kdb_decode_int32(act_time(next_tuple), new_data->act_time);
- /* XXX WAF: may be able to deal with list pointers in a better
- * way, see add_mkey() */
- new_data->next = NULL;
- if (prev_data != NULL)
- prev_data->next = new_data;
- else
- head_data = new_data;
- prev_data = new_data;
- next_tuple += ACTKVNO_TUPLE_SIZE;
- }
- } else {
- krb5_set_error_message (context, KRB5_KDB_BAD_VERSION,
- "Illegal version number for KRB5_TL_ACTKVNO %d\n",
- version);
- return (KRB5_KDB_BAD_VERSION);
- }
+ /* get version to determine how to parse the data */
+ krb5_kdb_decode_int16(tl_data.tl_data_contents, version);
+ if (version == KRB5_TL_ACTKVNO_VER_1) {
+ /*
+ * Find number of tuple entries, remembering to account for version
+ * field.
+ */
+ num_actkvno = (tl_data.tl_data_length - sizeof(version)) / ACTKVNO_TUPLE_SIZE;
+ prev_data = NULL;
+ /* next_tuple points to first tuple entry in the tl_data_contents */
+ next_tuple = tl_data.tl_data_contents + sizeof(version);
+ for (i = 0; i < num_actkvno; i++) {
+ new_data = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
+ if (new_data == NULL) {
+ krb5_free_actkvno_list(context, head_data);
+ return (ENOMEM);
+ }
+ krb5_kdb_decode_int16(act_kvno(next_tuple), new_data->act_kvno);
+ krb5_kdb_decode_int32(act_time(next_tuple), new_data->act_time);
+ /* XXX WAF: may be able to deal with list pointers in a better
+ * way, see add_mkey() */
+ new_data->next = NULL;
+ if (prev_data != NULL)
+ prev_data->next = new_data;
+ else
+ head_data = new_data;
+ prev_data = new_data;
+ next_tuple += ACTKVNO_TUPLE_SIZE;
+ }
+ } else {
+ krb5_set_error_message (context, KRB5_KDB_BAD_VERSION,
+ "Illegal version number for KRB5_TL_ACTKVNO %d\n",
+ version);
+ return (KRB5_KDB_BAD_VERSION);
+ }
}
*actkvno_list = head_data;
return (0);
}
+/*
+ * Add KRB5_TL_ACTKVNO TL data entries to krb5_db_entry *entry
+ */
krb5_error_code
krb5_dbe_update_actkvno(krb5_context context,
- krb5_db_entry *entry,
- const krb5_actkvno_node *actkvno_list)
+ krb5_db_entry *entry,
+ const krb5_actkvno_node *actkvno_list)
{
krb5_error_code retval = 0;
krb5_int16 version;
krb5_octet *nextloc;
const krb5_actkvno_node *cur_actkvno;
- /* XXX WAF: should kvno be verified that it exists for the princ entry? */
- /* No, this should be handed by functions higher in the stack verifying the user data */
-
if (actkvno_list == NULL) {
- return (EINVAL);
+ return (EINVAL);
}
/* allocate initial KRB5_TL_ACTKVNO tl_data entry */
new_tl_data.tl_data_length = sizeof(version);
new_tl_data.tl_data_contents = (krb5_octet *) malloc(new_tl_data.tl_data_length);
- if (new_tl_data.tl_data_contents == NULL) {
- return (ENOMEM);
- }
+ if (new_tl_data.tl_data_contents == NULL)
+ return (ENOMEM);
+
+ /* add the current version # for the data format used for KRB5_TL_ACTKVNO */
krb5_kdb_encode_int16((krb5_ui_2)KRB5_TL_ACTKVNO_VER_1, (unsigned char *)new_tl_data.tl_data_contents);
for (cur_actkvno = actkvno_list; cur_actkvno != NULL; cur_actkvno = cur_actkvno->next) {
- new_tl_data.tl_data_length += ACTKVNO_TUPLE_SIZE;
- new_tl_data.tl_data_contents = (krb5_octet *) realloc(new_tl_data.tl_data_contents, new_tl_data.tl_data_length);
- if (new_tl_data.tl_data_contents == NULL) {
- return (ENOMEM);
- }
+ new_tl_data.tl_data_length += ACTKVNO_TUPLE_SIZE;
+ new_tl_data.tl_data_contents = (krb5_octet *) realloc(new_tl_data.tl_data_contents,
+ new_tl_data.tl_data_length);
+ if (new_tl_data.tl_data_contents == NULL)
+ return (ENOMEM);
- /*
- * using realloc so tl_data_contents is required to correctly calculate
- * next location to store new tuple.
- */
- nextloc = new_tl_data.tl_data_contents + new_tl_data.tl_data_length - ACTKVNO_TUPLE_SIZE;
- krb5_kdb_encode_int16((krb5_ui_2)cur_actkvno->act_kvno, (unsigned char *)nextloc);
- nextloc += sizeof(krb5_ui_2);
- krb5_kdb_encode_int32((krb5_ui_4)cur_actkvno->act_time, (unsigned char *)nextloc);
+ /*
+ * Using realloc so tl_data_contents is required to correctly calculate
+ * next location to store new tuple.
+ */
+ nextloc = new_tl_data.tl_data_contents + new_tl_data.tl_data_length - ACTKVNO_TUPLE_SIZE;
+ krb5_kdb_encode_int16((krb5_ui_2)cur_actkvno->act_kvno, (unsigned char *)nextloc);
+ nextloc += sizeof(krb5_ui_2);
+ krb5_kdb_encode_int32((krb5_ui_4)cur_actkvno->act_time, (unsigned char *)nextloc);
}
new_tl_data.tl_data_type = KRB5_TL_ACTKVNO;
krb5_principal mprinc,
const krb5_keyblock *mkey,
krb5_kvno mkvno,
- krb5_keyblock_node **mkeys_list)
+ krb5_keylist_node **mkeys_list)
{
krb5_error_code retval;
krb5_db_entry master_entry;
int nprinc;
krb5_boolean more, found_key = FALSE;
krb5_keyblock tmp_mkey, tmp_clearkey;
- krb5_keyblock_node *mkey_list_head, **mkey_list_node;
+ krb5_keylist_node *mkey_list_head, **mkey_list_node;
krb5_key_data *key_data;
krb5_mkey_aux_node *mkey_aux_data_list, *aux_data_entry;
int i;
* create a mkey list for the mkeys field in kdc_realm_t.
*/
- mkey_list_head = (krb5_keyblock_node *) malloc(sizeof(krb5_keyblock_node));
+ mkey_list_head = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node));
if (mkey_list_head == NULL) {
retval = ENOMEM;
goto clean_n_exit;
}
- memset(mkey_list_head, 0, sizeof(krb5_keyblock_node));
+ memset(mkey_list_head, 0, sizeof(krb5_keylist_node));
mkey_list_node = &mkey_list_head;
for (i=0; i < master_entry.n_key_data; i++) {
if (*mkey_list_node == NULL) {
/* *mkey_list_node points to next field of previous node */
- *mkey_list_node = (krb5_keyblock_node *) malloc(sizeof(krb5_keyblock_node));
+ *mkey_list_node = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node));
if (*mkey_list_node == NULL) {
retval = ENOMEM;
goto clean_n_exit;
}
- memset(*mkey_list_node, 0, sizeof(krb5_keyblock_node));
+ memset(*mkey_list_node, 0, sizeof(krb5_keylist_node));
}
key_data = &master_entry.key_data[i];
retval = krb5_dbekd_decrypt_key_data(context, mkey,
krb5_db_free_principal(context, &master_entry, nprinc);
if (retval != 0) {
- krb5_keyblock_node *cur_node, *next_node;
+ krb5_keylist_node *cur_node, *next_node;
for (cur_node = mkey_list_head; cur_node != NULL; cur_node = next_node) {
next_node = cur_node->next;
}
krb5_error_code kdb_def_set_mkey_list ( krb5_context kcontext,
- krb5_keyblock_node *keylist )
+ krb5_keylist_node *keylist )
{
/* printf("default set master key\n"); */
return 0;
}
krb5_error_code kdb_def_get_mkey_list ( krb5_context kcontext,
- krb5_keyblock_node **keylist )
+ krb5_keylist_node **keylist )
{
/* printf("default get master key\n"); */
return 0;
krb5_keytab_entry * entry;
{
krb5_context context;
- krb5_keyblock_node * master_keylist;
+ krb5_keylist_node * master_keylist;
krb5_keyblock * master_key;
krb5_error_code kerror = 0;
krb5_key_data * key_data;
krb5_db_create
krb5_db_delete_principal
krb5_db_destroy
-krb5_db_fetch_latest_mkey
krb5_db_fetch_mkey
krb5_db_fetch_mkey_list
krb5_db_free_mkey_list
krb5_db_free_principal
krb5_db_get_age
krb5_db_get_mkey
+krb5_db_get_mkey_list
krb5_db_get_context
krb5_db_get_principal
krb5_db_get_principal_ext
krb5_db_put_principal
krb5_db_set_context
krb5_db_set_mkey
+krb5_db_set_mkey_list
krb5_db_setup_mkey_name
krb5_db_unlock
krb5_db_store_master_key
krb5_dbe_cpw
krb5_dbe_create_key_data
krb5_dbe_crk
+krb5_dbe_find_act_mkey
krb5_dbe_fetch_act_mkey_list
krb5_dbe_find_enctype
krb5_dbe_find_mkey
krb5_free_host_realm
krb5_free_kdc_rep
krb5_free_kdc_req
+krb5_free_key_data_contents
krb5_free_keyblock
krb5_free_keyblock_contents
krb5_free_keytab_entry_contents
( krb5_context context, krb5_keyblock **key),
(context, key));
-WRAP_K (krb5_db2_set_master_key_list,
- ( krb5_context kcontext, krb5_keyblock_node *keylist),
+WRAP_K (krb5_db2_db_set_mkey_list,
+ ( krb5_context kcontext, krb5_keylist_node *keylist),
(kcontext, keylist));
WRAP_K (krb5_db2_db_get_mkey_list,
- ( krb5_context context, krb5_keyblock_node **keylist),
+ ( krb5_context context, krb5_keylist_node **keylist),
(context, keylist));
WRAP_K (krb5_db2_promote_db,
/* db_free */ wrap_krb5_db2_free,
/* set_master_key */ wrap_krb5_db2_set_master_key_ext,
/* get_master_key */ wrap_krb5_db2_db_get_mkey,
- /* set_master_key_list */ wrap_krb5_db2_set_master_key_list,
+ /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list,
/* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
/* blah blah blah */ 0,0,0,0,0,0,0,
/* promote_db */ wrap_krb5_db2_promote_db,
}
krb5_error_code
-krb5_db2_db_set_mkey_list(krb5_context context, krb5_keyblock_node *key_list)
+krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *key_list)
{
krb5_db2_context *db_ctx;
kdb5_dal_handle *dal_handle;
}
krb5_error_code
-krb5_db2_db_get_mkey_list(krb5_context context, krb5_keyblock_node **key_list)
+krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **key_list)
{
krb5_db2_context *db_ctx;
kdb5_dal_handle *dal_handle;
int db_lock_mode; /* Last lock mode, e.g. greatest*/
krb5_boolean db_nb_locks; /* [Non]Blocking lock modes */
krb5_keyblock *db_master_key; /* Master key of database */
- krb5_keyblock_node *db_master_key_list; /* Master key list of database */
+ krb5_keylist_node *db_master_key_list; /* Master key list of database */
osa_adb_policy_t policy_db;
krb5_boolean tempdb;
} krb5_db2_context;
krb5_keyblock **key);
krb5_error_code
krb5_db2_db_set_mkey_list( krb5_context context,
- krb5_keyblock_node *keylist);
+ krb5_keylist_node *keylist);
krb5_error_code
krb5_db2_db_get_mkey_list( krb5_context context,
- krb5_keyblock_node **keylist);
+ krb5_keylist_node **keylist);
krb5_error_code
krb5_db2_db_put_principal( krb5_context context,
projects / thirdparty / krb5.git / commitdiff
