authorGreg Hudson <ghudson@mit.edu>2009-01-29 19:07:52 +0000
committerGreg Hudson <ghudson@mit.edu>2009-01-29 19:07:52 +0000
commitc4a2a012cd6497b966b9a0a9ec4d4aca4220fd78 (patch)
tree8bf3cd41f9a3efe15f7972b6f6a743b8dbd8e196
parenta364635f2b764772ddbb7fca739c58935099a023 (diff)
downloadkrb5-c4a2a012cd6497b966b9a0a9ec4d4aca4220fd78.zip
krb5-c4a2a012cd6497b966b9a0a9ec4d4aca4220fd78.tar.gz
krb5-c4a2a012cd6497b966b9a0a9ec4d4aca4220fd78.tar.bz2
Implement krb5_db_store_master_key_list.
Make "kdb5_util stash" store the full master key list. Make "kdb5_util stash" use a preexisting stashed key if available. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21827 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/include/kdb.h17
-rw-r--r--src/kadmin/dbutil/kdb5_stash.c49
-rw-r--r--src/lib/kdb/kdb5.c39
-rw-r--r--src/lib/kdb/kdb_default.c45
-rw-r--r--src/lib/kdb/libkdb5.exports2
-rw-r--r--src/plugins/kdb/db2/db2_exp.c2
-rw-r--r--src/plugins/kdb/ldap/ldap_exp.c1
7 files changed, 118 insertions, 37 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index d60a5c5..bcf0bee 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -323,6 +323,11 @@ krb5_error_code krb5_db_store_master_key ( krb5_context kcontext,
krb5_kvno kvno,
krb5_keyblock *key,
char *master_pwd);
+krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd);
krb5_error_code krb5_db_fetch_mkey ( krb5_context context,
krb5_principal mname,
krb5_enctype etype,
@@ -545,6 +550,12 @@ krb5_def_store_mkey( krb5_context context,
krb5_keyblock *key,
char *master_pwd);
+krb5_error_code
+krb5_def_store_mkey_list( krb5_context context,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd);
krb5_error_code
krb5_db_def_fetch_mkey( krb5_context context,
@@ -831,6 +842,12 @@ typedef struct _kdb_vftabl {
krb5_kvno kvno,
krb5_keylist_node **mkeys_list);
+ krb5_error_code (*store_master_key_list) ( krb5_context kcontext,
+ char *db_arg,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd);
+
krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext,
krb5_db_entry *dbentp,
krb5_int32 *start,
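Review bot: `store_master_key_list` is inserted into `kdb_vftabl` between `fetch_master_key_list` and `dbe_search_enctype` rather than appended at the end, so every later function pointer shifts and a module built against the previous layout would dispatch through the wrong slot; whether that is acceptable depends on how the table is versioned, which this hunk does not show. The positionally-initialized tables in db2_exp.c and ldap_exp.c are adjusted in this commit, so in-tree modules stay aligned. The new member has no comment; one such as `/* Write every node of keylist for master principal mname to the stash named by db_arg; kdb_setup_opt_functions fills this slot with krb5_def_store_mkey_list when a module leaves it NULL. */` would state the contract the kdb5.c hunk wires up. The `_kdb_vftabl` typedef begins and ends outside this hunk.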
diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c
index 3583a32..cdd947a 100644
--- a/src/kadmin/dbutil/kdb5_stash.c
+++ b/src/kadmin/dbutil/kdb5_stash.c
@@ -60,6 +60,7 @@
#include "kdb5_util.h"
extern krb5_keyblock master_keyblock;
+extern krb5_keylist_node *master_keylist;
extern krb5_principal master_princ;
extern kadm5_config_params global_params;
@@ -145,36 +146,38 @@ kdb5_stash(argc, argv)
else
mkey_kvno = IGNORE_VNO; /* use whatever krb5_db_fetch_mkey finds */
- /* TRUE here means read the keyboard, but only once */
- retval = krb5_db_fetch_mkey(context, master_princ,
- master_keyblock.enctype,
- TRUE, FALSE, (char *) NULL,
- &mkey_kvno,
- NULL, &master_keyblock);
- if (retval) {
- com_err(progname, retval, "while reading master key");
- (void) krb5_db_fini(context);
- exit_status++; return;
- }
+ if (!valid_master_key) {
+ /* TRUE here means read the keyboard, but only once */
+ retval = krb5_db_fetch_mkey(context, master_princ,
+ master_keyblock.enctype,
+ TRUE, FALSE, (char *) NULL,
+ &mkey_kvno,
+ NULL, &master_keyblock);
+ if (retval) {
+ com_err(progname, retval, "while reading master key");
+ (void) krb5_db_fini(context);
+ exit_status++; return;
+ }
- retval = krb5_db_verify_master_key(context, master_princ,
- mkey_kvno,
- &master_keyblock);
- if (retval) {
- com_err(progname, retval, "while verifying master key");
- (void) krb5_db_fini(context);
- exit_status++; return;
- }
+ retval = krb5_db_fetch_mkey_list(context, master_princ,
+ &master_keyblock, mkey_kvno,
+ &master_keylist);
+ if (retval) {
+ com_err(progname, retval, "while getting master key list");
+ (void) krb5_db_fini(context);
+ exit_status++; return;
+ }
+ } else {
+ printf("Using existing stashed keys to update stash file.\n");
+ }
- retval = krb5_db_store_master_key(context, keyfile, master_princ,
- mkey_kvno, &master_keyblock, NULL);
+ retval = krb5_db_store_master_key_list(context, keyfile, master_princ,
+ master_keylist, NULL);
if (retval) {
com_err(progname, errno, "while storing key");
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
(void) krb5_db_fini(context);
exit_status++; return;
}
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
retval = krb5_db_fini(context);
if (retval) {
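Review bot: The `else` branch that prints `"Using existing stashed keys to update stash file.\n"` assumes `master_keylist` is already populated whenever `valid_master_key` is set, but nothing in this hunk loads it; if the preexisting-stash path only filled `master_keyblock`, `krb5_db_store_master_key_list` receives a NULL list, so a guard before the store call would be prudent, e.g. `if (master_keylist == NULL) { com_err(progname, 0, "no master key list to stash"); (void) krb5_db_fini(context); exit_status++; return; }`. The two `memset` calls that zeroized `master_keyblock.contents` are dropped and no equivalent clears the keyblocks hanging off `master_keylist`, so master key material now stays in memory on both the failure and the success path until the process exits. On the store-failure branch `com_err(progname, errno, "while storing key")` reports `errno` rather than the `krb5_error_code` in `retval` that the new call returns, which will usually print an unrelated or zero error; that line is unchanged context but is now the only diagnostic for the new function. `kdb5_stash` starts and ends outside this hunk, and `valid_master_key` is declared elsewhere.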
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index e3bb509..2941530 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -282,6 +282,10 @@ kdb_setup_opt_functions(db_library lib)
lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list;
}
+ if (lib->vftabl.store_master_key_list == NULL) {
+ lib->vftabl.store_master_key_list = krb5_def_store_mkey_list;
+ }
+
if (lib->vftabl.dbe_search_enctype == NULL) {
lib->vftabl.dbe_search_enctype = krb5_dbe_def_search_enctype;
}
@@ -1653,6 +1657,41 @@ krb5_db_store_master_key(krb5_context kcontext,
return status;
}
+krb5_error_code
+krb5_db_store_master_key_list(krb5_context kcontext,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status = dal_handle->lib_handle->vftabl.store_master_key_list(kcontext,
+ keyfile,
+ mname,
+ keylist,
+ master_pwd);
+ get_errmsg(kcontext, status);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
char *krb5_mkey_pwd_prompt1 = KRB5_KDC_MKEY_1;
char *krb5_mkey_pwd_prompt2 = KRB5_KDC_MKEY_2;
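Review bot: `krb5_db_store_master_key_list` is a new exported entry point (it is also added to libkdb5.exports) but carries no header comment; suggest, above the definition, something like `/* Store every key in keylist for master principal mname into the stash file keyfile, dispatching to the loaded KDB module's store_master_key_list hook with the library lock held; returns the hook's status, or the setup/lock error if one occurs first. */`. The return value of `kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE)` is discarded, so a failed unlock is never reported; if the sibling `krb5_db_store_master_key` does the same this is at least consistent, but `get_errmsg` is called before the unlock, so an unlock error would not be attached to the context either. Whether `vftabl.store_master_key_list` can still be NULL here depends on `kdb_setup_opt_functions` running on every library load, which the earlier hunk in this file suggests but does not prove.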
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 9ddf5bd..df87916 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -138,12 +138,11 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
#endif
krb5_error_code
-krb5_def_store_mkey(krb5_context context,
- char *keyfile,
- krb5_principal mname,
- krb5_kvno kvno,
- krb5_keyblock *key,
- char *master_pwd)
+krb5_def_store_mkey_list(krb5_context context,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd)
{
krb5_error_code retval = 0;
char defkeyfile[MAXPATHLEN+1];
@@ -204,12 +203,17 @@ krb5_def_store_mkey(krb5_context context,
if (retval != 0)
goto out;
- memset((char *) &new_entry, 0, sizeof(new_entry));
- new_entry.principal = mname;
- new_entry.key = *key;
- new_entry.vno = kvno;
+ while (keylist && !retval) {
+ memset((char *) &new_entry, 0, sizeof(new_entry));
+ new_entry.principal = mname;
+ new_entry.key = keylist->keyblock;
+ new_entry.vno = keylist->kvno;
+
+ retval = krb5_kt_add_entry(context, kt, &new_entry);
+ keylist = keylist->next;
+ }
+ krb5_kt_close(context, kt);
- retval = krb5_kt_add_entry(context, kt, &new_entry);
if (retval != 0) {
/* delete tmp keyfile if it exists and an error occurrs */
if (stat(keyfile, &stb) >= 0)
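Review bot: An empty `keylist` makes the loop at `while (keylist && !retval)` a no-op with `retval` still 0, so the temporary keytab is closed and — judging from the "delete tmp keyfile" handling that follows — presumably moved over the existing stash with no keys in it; a guard before the loop such as `if (keylist == NULL) { retval = EINVAL; goto out; }` (or whatever error code this file's convention prefers) would refuse to replace a working stash with an empty one. The return value of `krb5_kt_close(context, kt)` is discarded, so a close failure on the temporary keytab does not reach the `if (retval != 0)` cleanup that immediately follows it. Because the `out:` label no longer closes `kt`, any `goto out` taken after the keytab is resolved but before this point would leak the handle; from this hunk alone I cannot tell whether such a path exists (the `goto out` at the top of the hunk appears to precede the keytab open). `krb5_def_store_mkey_list` begins and ends outside this hunk.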
@@ -227,12 +231,27 @@ krb5_def_store_mkey(krb5_context context,
out:
if (tmp_ktname != NULL)
free(tmp_ktname);
- if (kt)
- krb5_kt_close(context, kt);
return retval;
}
+krb5_error_code
+krb5_def_store_mkey(krb5_context context,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_kvno kvno,
+ krb5_keyblock *key,
+ char *master_pwd)
+{
+ krb5_keylist_node list;
+
+ list.kvno = kvno;
+ list.keyblock = *key;
+ list.next = NULL;
+ return krb5_def_store_mkey_list(context, keyfile, mname, &list,
+ master_pwd);
+}
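Review bot: `krb5_def_store_mkey` now builds a one-node `krb5_keylist_node` on the stack and copies `*key` into it shallowly, which is only safe because the callee does not retain the node; a comment stating that would spare the next reader from checking, e.g. `/* Wrap the single key in a one-node list; the node lives only for this call and the keyblock contents are not duplicated. */`. As before, `key` is dereferenced without a NULL check, so the wrapper keeps the same precondition the old body had.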
+
static krb5_error_code
krb5_db_def_fetch_mkey_stash(krb5_context context,
const char *keyfile,
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index 3cc0816..07349f4 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -27,6 +27,7 @@ krb5_db_set_mkey_list
krb5_db_setup_mkey_name
krb5_db_unlock
krb5_db_store_master_key
+krb5_db_store_master_key_list
krb5_db_verify_master_key
krb5_dbe_apw
krb5_dbe_ark
@@ -69,6 +70,7 @@ krb5_db_iter_policy
krb5_db_delete_policy
krb5_db_free_policy
krb5_def_store_mkey
+krb5_def_store_mkey_list
krb5_db_promote
ulog_map
ulog_set_role
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 90073e7..d9aa7bf 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -263,7 +263,7 @@ kdb_vftabl kdb_function_table = {
/* get_master_key */ wrap_krb5_db2_db_get_mkey,
/* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list,
/* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
- /* blah blah blah */ 0,0,0,0,0,0,0,
+ /* blah blah blah */ 0,0,0,0,0,0,0,0,
/* promote_db */ wrap_krb5_db2_promote_db,
0,0,0,
};
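Review bot: The padding run `/* blah blah blah */ 0,0,0,0,0,0,0,0,` is grown by one zero to cover the new `store_master_key_list` slot, which is exactly the pattern that silently misaligns the table the next time a member is inserted into `kdb_vftabl`. The LDAP table in this same commit names the slot (`/* store_master_key_list */ NULL,`), and this table should do the same, or switch the whole initializer to designated form (`.store_master_key_list = NULL,`) if the project's C dialect permits it.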
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c
index 2292f55..dcfe93c 100644
--- a/src/plugins/kdb/ldap/ldap_exp.c
+++ b/src/plugins/kdb/ldap/ldap_exp.c
@@ -85,6 +85,7 @@ kdb_vftabl kdb_function_table = {
/* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */,
/* verify_master_key */ NULL /* krb5_ldap_verify_master_key */,
/* fetch_master_key_list */ NULL,
+ /* store_master_key_list */ NULL,
/* Search enc type */ NULL,
/* Change pwd */ NULL