From: Will Fiveash Date: Thu, 22 Jan 2009 19:48:38 +0000 (+0000) Subject: Change the name of the krb5_dbe_act_mkey_list function to X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f505e7a4c7dfff3ac49721e416e9da4498a4e47;p=thirdparty%2Fkrb5.git Change the name of the krb5_dbe_act_mkey_list function to krb5_dbe_act_key_list to indicate it is a generic function of use on any princ. I also modified the process_tgs_req function to use the master_keylist and look up the proper mkey when decrypting the server key. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21777 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/kdb.h b/src/include/kdb.h index f8ebc4ab1a..31b20b661b 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -376,9 +376,9 @@ krb5_dbekd_encrypt_key_data( krb5_context context, krb5_key_data * key_data); krb5_error_code -krb5_dbe_fetch_act_mkey_list(krb5_context context, - krb5_principal mprinc, - krb5_actkvno_node **act_mkey_list); +krb5_dbe_fetch_act_key_list(krb5_context context, + krb5_principal princ, + krb5_actkvno_node **act_key_list); krb5_error_code krb5_dbe_find_act_mkey( krb5_context context, diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index ed92c51083..2c4ffb00df 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c 
@@ -204,83 +204,6 @@ kdb5_add_mkey(int argc, char *argv[]) memset(mkey_aux_data_head, 0, sizeof(krb5_mkey_aux_node)); mkey_aux_data = &mkey_aux_data_head; - /* XXX WAF: old, remove before final commit */ -#if 0 /************** Begin IFDEF'ed OUT *******************************/ - for (i = 0; i < old_key_data_count; i++) { - key_data = &old_key_data[i]; - - /* decrypt the old key */ - /* XXX WAF: don't need to do this, use the master_keylist instead. */ - memset(&plainkey, 0, sizeof(plainkey)); - retval = krb5_dbekd_decrypt_key_data(util_context, &master_keylist->keyblock, - key_data, &plainkey, NULL); - if (retval) { - com_err(progname, retval, "while decrypting master keys"); - exit_status++; - return; - } - - /* - * Create a list of krb5_mkey_aux_node nodes. One node contains the new - * mkey encrypted by an old mkey and the old mkey's kvno (one node per - * old mkey). - */ - - if (*mkey_aux_data == NULL) { - /* *mkey_aux_data points to next field of previous node */ - *mkey_aux_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node)); - if (*mkey_aux_data == NULL) { - com_err(progname, ENOMEM, "while creating mkey_aux_data"); - exit_status++; - return; - } - memset(*mkey_aux_data, 0, sizeof(krb5_mkey_aux_node)); - } - - memset(&tmp_key_data, 0, sizeof(tmp_key_data)); - /* encrypt the new mkey with the older mkey */ - retval = krb5_dbekd_encrypt_key_data(util_context, &plainkey, - &new_master_keyblock, - NULL, /* no keysalt */ - (int) new_mkey_kvno, - &tmp_key_data); - if (retval) { - com_err(progname, retval, "while encrypting master keys"); - exit_status++; - return; - } - - (*mkey_aux_data)->latest_mkey = tmp_key_data; - (*mkey_aux_data)->mkey_kvno = key_data->key_data_kvno; - - mkey_aux_data = &((*mkey_aux_data)->next); - - /* - * Store old key in master_entry keydata, + 1 to avoid overwritting the - * first key_data entry - */ - retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock, - &plainkey, - NULL, /* no keysalt */ - (int) 
key_data->key_data_kvno, - &master_entry.key_data[i+1]); - if (retval) { - com_err(progname, retval, "while encrypting master keys"); - exit_status++; - return; - } - - /* free plain text key and old key data entry */ - krb5_free_keyblock_contents(util_context, &plainkey); - for (j = 0; j < key_data->key_data_ver; j++) { - if (key_data->key_data_length[j]) { - /* the key_data contents are encrypted so no clearing first */ - free(key_data->key_data_contents[j]); - } - } - } /* end for (i = 0; i < old_key_data_count; i++) */ -#endif /**************** END IFDEF'ed OUT *******************************/ - for (keylist_node = master_keylist, i = 1; keylist_node != NULL; keylist_node = keylist_node->next, i++) { @@ -473,10 +396,6 @@ kdb5_use_mkey(int argc, char *argv[]) return; } - /* - * determine which nodes to delete and where to insert new act kvno node - */ - /* alloc enough space to hold new and existing key_data */ new_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node)); if (new_actkvno == NULL) { @@ -489,6 +408,10 @@ kdb5_use_mkey(int argc, char *argv[]) new_actkvno->act_kvno = use_kvno; new_actkvno->act_time = start_time; + /* + * determine which nodes to delete and where to insert new act kvno node + */ + if (actkvno_list == NULL) { /* new actkvno is the list */ new_actkvno_list_head = new_actkvno; @@ -530,7 +453,7 @@ kdb5_use_mkey(int argc, char *argv[]) } if (trimed && inserted) break; - } /* end for (new_actkvno_list_head = prev_actkvno = ... */ + } } if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry, diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 9c96734e6a..5ca9aeb79c 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c 
@@ -101,6 +101,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, krb5_keyblock session_key; krb5_timestamp until, rtime; krb5_keyblock encrypting_key; + krb5_keyblock *tmp_mkey; krb5_key_data *server_key; char *cname = 0, *sname = 0, *altcname = 0; krb5_last_req_entry *nolrarray[2], nolrentry; @@ -546,10 +547,16 @@ tgt_again: status = "FINDING_SERVER_KEY"; goto cleanup; } + + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) { + status = "FINDING_MASTER_KEY"; + goto cleanup; + } + /* convert server.key into a real key (it may be encrypted * in the database) */ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, - &master_keyblock, + tmp_mkey, server_key, &encrypting_key, NULL))) { status = "DECRYPT_SERVER_KEY"; diff --git a/src/lib/kadm5/clnt/libkadm5clnt.exports b/src/lib/kadm5/clnt/libkadm5clnt.exports index 7f11f320ac..b62ad55383 100644 --- a/src/lib/kadm5/clnt/libkadm5clnt.exports +++ b/src/lib/kadm5/clnt/libkadm5clnt.exports @@ -46,7 +46,6 @@ krb5_aprof_get_string krb5_aprof_getvals krb5_aprof_init krb5_flags_to_string -krb5_free_key_data_contents krb5_free_realm_params krb5_input_flag_to_string krb5_keysalt_is_present diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports index 3296d3bb0f..3aae9cc02f 100644 --- a/src/lib/kadm5/srv/libkadm5srv.exports +++ b/src/lib/kadm5/srv/libkadm5srv.exports @@ -71,7 +71,6 @@ krb5_aprof_getvals krb5_aprof_init krb5_copy_key_data_contents krb5_flags_to_string -krb5_free_key_data_contents krb5_free_realm_params krb5_input_flag_to_string krb5_keysalt_is_present diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index 164da7963f..43a9890ccf 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c 
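Review bot: The added `if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) {` runs well past the 79-column wrapping the rest of this block keeps — the `krb5_dbekd_decrypt_key_data` call just below it is broken across four lines — so wrap it after `master_keylist,`. The lookup also needs a why-comment, because nothing at the call site says why a per-principal step now replaces the global `master_keyblock`: `/* server's keys may be wrapped under an older master key; select the matching one from master_keylist */`. If any other decryption in this file still hands `&master_keyblock` to `krb5_dbekd_decrypt_key_data` (not visible in this hunk), it needs the same lookup, or principals whose keys were wrapped under an older mkey will still fail there with the symptom this change fixes for the server key. process_tgs_req starts and ends outside the hunk.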
@@ -87,8 +87,8 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle, return (ret); } - if ((ret = krb5_dbe_fetch_act_mkey_list(handle->context, master_princ, - &active_mkey_list))) { + if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ, + &active_mkey_list))) { krb5_db_fini(handle->context); return (ret); } diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index fdc9784060..b9b95b3a17 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -1890,35 +1890,37 @@ clean_n_exit: #endif /**************** END IFDEF'ed OUT *******************************/ krb5_error_code -krb5_dbe_fetch_act_mkey_list(krb5_context context, - krb5_principal mprinc, - krb5_actkvno_node **act_mkey_list) +krb5_dbe_fetch_act_key_list(krb5_context context, + krb5_principal princ, + krb5_actkvno_node **act_key_list) { krb5_error_code retval = 0; - krb5_db_entry master_entry; + krb5_db_entry entry; int nprinc; krb5_boolean more; - if (act_mkey_list == NULL) + if (act_key_list == NULL) return (EINVAL); nprinc = 1; - if ((retval = krb5_db_get_principal(context, mprinc, - &master_entry, &nprinc, &more))) + if ((retval = krb5_db_get_principal(context, princ, &entry, + &nprinc, &more))) { return (retval); + } if (nprinc != 1) { - if (nprinc) - krb5_db_free_principal(context, &master_entry, nprinc); + if (nprinc) { + krb5_db_free_principal(context, &entry, nprinc); + } return(KRB5_KDB_NOMASTERKEY); } else if (more) { - krb5_db_free_principal(context, &master_entry, nprinc); + krb5_db_free_principal(context, &entry, nprinc); return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); } - retval = krb5_dbe_lookup_actkvno(context, &master_entry, act_mkey_list); + retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list); - if (*act_mkey_list == NULL) { + if (*act_key_list == NULL) { krb5_actkvno_node *tmp_actkvno; krb5_timestamp now; /* 
@@ -1934,12 +1936,13 @@ krb5_dbe_fetch_act_mkey_list(krb5_context context, memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node)); tmp_actkvno->act_time = now; - tmp_actkvno->act_kvno = master_entry.key_data[0].key_data_kvno; + /* use most current key */ + tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno; - *act_mkey_list = tmp_actkvno; + *act_key_list = tmp_actkvno; } - krb5_db_free_principal(context, &master_entry, nprinc); + krb5_db_free_principal(context, &entry, nprinc); return retval; } diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 2d5f3636bb..e96c1386ad 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -372,10 +372,6 @@ errout: return retval; } -/* XXX WAF: I'm now thinking this fucntion should check to see if the fetched - * key matches the latest mkey in the master princ. If it doesn't then the - * latest mkey should be returned by using the mkey_aux tl data. - */ krb5_error_code krb5_db_def_fetch_mkey(krb5_context context, krb5_principal mname, diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports index bf28a1c49f..1687a15bed 100644 --- a/src/lib/kdb/libkdb5.exports +++ b/src/lib/kdb/libkdb5.exports @@ -34,7 +34,7 @@ krb5_dbe_cpw krb5_dbe_create_key_data krb5_dbe_crk krb5_dbe_find_act_mkey -krb5_dbe_fetch_act_mkey_list +krb5_dbe_fetch_act_key_list krb5_dbe_find_enctype krb5_dbe_find_mkey krb5_dbe_lookup_last_pwd_change
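Review bot: `tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno;` reads the first key without checking `entry.n_key_data`; now that the function is advertised as usable on any principal, an entry with no keys turns this into an out-of-bounds read, so test `entry.n_key_data < 1` before the node is allocated (the allocation sits between the two hunks), free `entry` and return a not-found code such as `KRB5_KDB_NOENTRY` instead of synthesizing a kvno. `return retval;` at the end also hands back the status of `krb5_dbe_lookup_actkvno` from the preceding hunk unchanged, while the fallback runs whenever `*act_key_list` is NULL regardless of that status — a failed lookup can therefore return non-zero together with a freshly allocated node the caller will not free; make the fallback conditional on `retval == 0`. The new `/* use most current key */` comment should state the assumption it rests on, since nothing here establishes key_data ordering: `/* assumes key_data[0] is the most recent key — confirm against the DB layer */`. The function's signature and the lookup itself are in the preceding hunk.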