From: Will Fiveash Date: Wed, 25 Jun 2008 23:04:44 +0000 (+0000) Subject: Masterkey Keytab Stash X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a00975069789cd2788422499e884f0603097a3d;p=thirdparty%2Fkrb5.git Masterkey Keytab Stash This ticket is to track code changes for the Masterkey Keytab Stash project. The Krb Consortium page is: http://k5wiki.kerberos.org/wiki/Projects/Masterkey_Keytab_Stash ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_keytab@20475 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c index 18c35c011d..1e6d2e5cd3 100644 --- a/src/kadmin/dbutil/kdb5_stash.c +++ b/src/kadmin/dbutil/kdb5_stash.c @@ -172,8 +172,7 @@ kdb5_stash(argc, argv) } retval = krb5_db_store_master_key(context, keyfile, master_princ, - mkey_kvno, &master_keyblock, - NULL); + mkey_kvno, &master_keyblock, NULL); if (retval) { com_err(argv[0], errno, "while storing key"); memset((char *)master_keyblock.contents, 0, master_keyblock.length); diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M index 6e0fd47369..2e624421c2 100644 --- a/src/kadmin/dbutil/kdb5_util.M +++ b/src/kadmin/dbutil/kdb5_util.M @@ -61,7 +61,7 @@ that given in .TP \fB\-kv\fP\ \fImkeyVNO\fP Specifies the version number of the master key in the database; the default is -0. +1. Note that 0 is not allowed. .TP \fB\-M\fP\ \fImkeyname\fP principal name for the master key in the database; the default is diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 5a55e22b73..64bc7ef316 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c @@ -405,7 +405,7 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, } if (params_in->mask & KADM5_CONFIG_KVNO) { - params.kvno = params_in->kvno; + params.kvno = params_in->kvno; params.mask |= KADM5_CONFIG_KVNO; } /* diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index bbca07175d..7a137500ee 100644 
--- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -1249,15 +1249,15 @@ char *krb5_mkey_pwd_prompt1 = KRB5_KDC_MKEY_1; char *krb5_mkey_pwd_prompt2 = KRB5_KDC_MKEY_2; krb5_error_code -krb5_db_fetch_mkey(krb5_context context, - krb5_principal mname, - krb5_enctype etype, - krb5_boolean fromkeyboard, - krb5_boolean twice, - char * db_args, - krb5_kvno * kvno, - krb5_data * salt, - krb5_keyblock * key) +krb5_db_fetch_mkey( krb5_context context, + krb5_principal mname, + krb5_enctype etype, + krb5_boolean fromkeyboard, + krb5_boolean twice, + char * db_args, + krb5_kvno * kvno, + krb5_data * salt, + krb5_keyblock * key) { krb5_error_code retval; char password[BUFSIZ]; @@ -1365,10 +1365,10 @@ krb5_db_fetch_mkey(krb5_context context, } krb5_error_code -krb5_db_verify_master_key(krb5_context kcontext, - krb5_principal mprinc, - krb5_kvno kvno, - krb5_keyblock *mkey) +krb5_db_verify_master_key( krb5_context kcontext, + krb5_principal mprinc, + krb5_kvno kvno, + krb5_keyblock * mkey) { krb5_error_code status = 0; kdb5_dal_handle *dal_handle; @@ -1387,8 +1387,8 @@ krb5_db_verify_master_key(krb5_context kcontext, } status = dal_handle->lib_handle->vftabl.verify_master_key(kcontext, - mprinc, - kvno, + mprinc, + kvno, mkey); get_errmsg(kcontext, status); kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE); diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 7de9aca548..2d265a0e7b 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -180,6 +180,7 @@ krb5_def_store_mkey(krb5_context context, "Could not create temp keytab file name."); goto out; } + if (mktemp(tmp_ktname) == NULL) { retval = errno; krb5_set_error_message (context, retval, 
@@ -321,15 +322,19 @@ krb5_db_def_fetch_mkey_keytab( krb5_context context, goto errout; while ((retval = krb5_kt_next_entry(context, kt, &kt_ent, &cursor)) == 0) { - if (key->enctype != ENCTYPE_UNKNOWN && key->enctype != kt_ent.key.enctype) - continue; - if (kvno != NULL && *kvno != IGNORE_VNO && *kvno != kt_ent.vno) + + if ((key->enctype != ENCTYPE_UNKNOWN && key->enctype != kt_ent.key.enctype) || + (kvno != NULL && *kvno != IGNORE_VNO && *kvno != kt_ent.vno)) { + + krb5_kt_free_entry(context, &kt_ent); continue; + } break; } if (retval != 0) { if (retval == KRB5_KT_END) { + /* didn't find an entry so indicate no key found */ (void) krb5_kt_end_seq_get(context, kt, &cursor); retval = KRB5_KDB_BADSTORED_MKEY; } diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M index 75afded0f8..484c4ce886 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M @@ -49,7 +49,7 @@ that given in .TP \fB\-kv\fP\ \fImkeyVNO\fP Specifies the version number of the master key in the database; the default is -0. +1. Note that 0 is not allowed. .TP \fB\-m\fP Specifies that the master database password should be read from the TTY
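Review bot: The entries the new combined condition skips are now released with `krb5_kt_free_entry(context, &kt_ent)`, which closes the per-iteration leak, but those entries carry stashed master-key material and nothing in the hunk shows the key bytes being cleared before the free, whereas kdb5_stash.c in this same commit explicitly memsets `master_keyblock.contents` before releasing it. If `krb5_kt_free_entry` does not itself zeroize keyblock contents (I cannot tell from here), add `memset(kt_ent.key.contents, 0, kt_ent.key.length);` (or the project's zeroizing helper, if it has one) ahead of the free so rejected master keys do not linger in freed heap. The blank lines inserted directly after the `while` and `if` opening braces, and the one added before `if (mktemp(tmp_ktname) == NULL)` in the earlier hunk at line 180, read as stray whitespace rather than the file's existing style, and I would drop them. The body of krb5_db_def_fetch_mkey_keytab continues outside the hunk, so I cannot see whether the non-KRB5_KT_END error path also calls `krb5_kt_end_seq_get` before returning; worth confirming so the keytab cursor is not leaked on a read error.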