author | Greg Hudson <ghudson@mit.edu> | 2009-01-29 19:07:52 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-01-29 19:07:52 +0000 |
commit | c4a2a012cd6497b966b9a0a9ec4d4aca4220fd78 (patch) | |
tree | 8bf3cd41f9a3efe15f7972b6f6a743b8dbd8e196 | |
parent | a364635f2b764772ddbb7fca739c58935099a023 (diff) | |
Implement krb5_db_store_master_key_list.
Make "kdb5_util stash" store the full master key list.
Make "kdb5_util stash" use a preexisting stashed key if available.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21827 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/include/kdb.h | 17 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_stash.c | 49 | ||||
-rw-r--r-- | src/lib/kdb/kdb5.c | 39 | ||||
-rw-r--r-- | src/lib/kdb/kdb_default.c | 45 | ||||
-rw-r--r-- | src/lib/kdb/libkdb5.exports | 2 | ||||
-rw-r--r-- | src/plugins/kdb/db2/db2_exp.c | 2 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/ldap_exp.c | 1 |
7 files changed, 118 insertions, 37 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index d60a5c5..bcf0bee 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -323,6 +323,11 @@ krb5_error_code krb5_db_store_master_key ( krb5_context kcontext, krb5_kvno kvno, krb5_keyblock *key, char *master_pwd);
+krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd);
 krb5_error_code krb5_db_fetch_mkey ( krb5_context context, krb5_principal mname, krb5_enctype etype,
@@ -545,6 +550,12 @@ krb5_def_store_mkey( krb5_context context, krb5_keyblock *key, char *master_pwd);
+krb5_error_code
+krb5_def_store_mkey_list( krb5_context context,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd);
 krb5_error_code krb5_db_def_fetch_mkey( krb5_context context,
@@ -831,6 +842,12 @@ typedef struct _kdb_vftabl { krb5_kvno kvno, krb5_keylist_node **mkeys_list);
+ krb5_error_code (*store_master_key_list) ( krb5_context kcontext,
+ char *db_arg,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd);
+
 krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext, krb5_db_entry *dbentp, krb5_int32 *start,
diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c
index 3583a32..cdd947a 100644
--- a/src/kadmin/dbutil/kdb5_stash.c
+++ b/src/kadmin/dbutil/kdb5_stash.c
@@ -60,6 +60,7 @@ #include "kdb5_util.h" extern krb5_keyblock master_keyblock;
+extern krb5_keylist_node *master_keylist;
 extern krb5_principal master_princ; extern kadm5_config_params global_params; 
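Review bot: The new `store_master_key_list` slot is inserted in the middle of `struct _kdb_vftabl`, ahead of `dbe_search_enctype`, so every later entry shifts and a plugin built against the previous layout would have its remaining function pointers read from the wrong slots; the in-tree db2 and ldap tables are adjusted in this commit, but out-of-tree modules are not, so if the vftabl carries an interface version it should be bumped, or the slot appended at the end instead. The second parameter is named `keyfile` in `krb5_db_store_master_key_list` and `krb5_def_store_mkey_list` but `db_arg` in the vftabl entry; one name would make the contract clearer. The new public declaration also has no comment; something like `/* Store every key in keylist (kvno and keyblock per node) into the stash keyfile for principal mname; generalizes the single-key krb5_db_store_master_key. */` above it would help callers. The struct definition begins and ends outside the hunk.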
@@ -145,36 +146,38 @@ kdb5_stash(argc, argv) else mkey_kvno = IGNORE_VNO; /* use whatever krb5_db_fetch_mkey finds */
- /* TRUE here means read the keyboard, but only once */
- retval = krb5_db_fetch_mkey(context, master_princ,
- master_keyblock.enctype,
- TRUE, FALSE, (char *) NULL,
- &mkey_kvno,
- NULL, &master_keyblock);
- if (retval) {
- com_err(progname, retval, "while reading master key");
- (void) krb5_db_fini(context);
- exit_status++; return;
- }
+ if (!valid_master_key) {
+ /* TRUE here means read the keyboard, but only once */
+ retval = krb5_db_fetch_mkey(context, master_princ,
+ master_keyblock.enctype,
+ TRUE, FALSE, (char *) NULL,
+ &mkey_kvno,
+ NULL, &master_keyblock);
+ if (retval) {
+ com_err(progname, retval, "while reading master key");
+ (void) krb5_db_fini(context);
+ exit_status++; return;
+ }
- retval = krb5_db_verify_master_key(context, master_princ,
- mkey_kvno,
- &master_keyblock);
- if (retval) {
- com_err(progname, retval, "while verifying master key");
- (void) krb5_db_fini(context);
- exit_status++; return;
- }
+ retval = krb5_db_fetch_mkey_list(context, master_princ,
+ &master_keyblock, mkey_kvno,
+ &master_keylist);
+ if (retval) {
+ com_err(progname, retval, "while getting master key list");
+ (void) krb5_db_fini(context);
+ exit_status++; return;
+ }
+ } else {
+ printf("Using existing stashed keys to update stash file.\n");
+ }
- retval = krb5_db_store_master_key(context, keyfile, master_princ,
- mkey_kvno, &master_keyblock, NULL);
+ retval = krb5_db_store_master_key_list(context, keyfile, master_princ,
+ master_keylist, NULL);
 if (retval) { com_err(progname, errno, "while storing key");
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
 (void) krb5_db_fini(context); exit_status++; return; }
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
 retval = krb5_db_fini(context); if (retval) {
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index e3bb509..2941530 100644 
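Review bot: The two `memset` calls that zeroed `master_keyblock.contents` on the error and success paths after the store are removed without a replacement, so the master key — and now the whole `master_keylist` — stays in process memory from the store until exit; the wipe should be kept (`memset(master_keyblock.contents, 0, master_keyblock.length);` or `krb5_free_keyblock_contents(context, &master_keyblock);`) and the list released with its matching free routine on both paths. In the `else` branch nothing checks that `master_keylist` was actually populated by whatever set `valid_master_key` (both are defined outside this hunk), so a NULL list reaches `krb5_db_store_master_key_list` and, with the default implementation, would likely produce a stash with no keys; a guard such as `if (master_keylist == NULL) { com_err(progname, 0, "no master keys to stash"); (void) krb5_db_fini(context); exit_status++; return; }` is cheap. The error report for the new call still passes `errno` to `com_err` instead of `retval`, so a `krb5_error_code` failure from the store is printed as an unrelated errno text. The `kdb5_stash` function starts and ends outside the hunk.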
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -282,6 +282,10 @@ kdb_setup_opt_functions(db_library lib) lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list; }
+ if (lib->vftabl.store_master_key_list == NULL) {
+ lib->vftabl.store_master_key_list = krb5_def_store_mkey_list;
+ }
+
 if (lib->vftabl.dbe_search_enctype == NULL) { lib->vftabl.dbe_search_enctype = krb5_dbe_def_search_enctype; }
@@ -1653,6 +1657,41 @@ krb5_db_store_master_key(krb5_context kcontext, return status; }
+krb5_error_code
+krb5_db_store_master_key_list(krb5_context kcontext,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd)
+{
+ krb5_error_code status = 0;
+ kdb5_dal_handle *dal_handle;
+
+ if (kcontext->dal_handle == NULL) {
+ status = kdb_setup_lib_handle(kcontext);
+ if (status) {
+ goto clean_n_exit;
+ }
+ }
+
+ dal_handle = kcontext->dal_handle;
+ status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE);
+ if (status) {
+ goto clean_n_exit;
+ }
+
+ status = dal_handle->lib_handle->vftabl.store_master_key_list(kcontext,
+ keyfile,
+ mname,
+ keylist,
+ master_pwd);
+ get_errmsg(kcontext, status);
+ kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE);
+
+ clean_n_exit:
+ return status;
+}
+
 char *krb5_mkey_pwd_prompt1 = KRB5_KDC_MKEY_1; char *krb5_mkey_pwd_prompt2 = KRB5_KDC_MKEY_2;
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 9ddf5bd..df87916 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -138,12 +138,11 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) #endif krb5_error_code
-krb5_def_store_mkey(krb5_context context,
- char *keyfile,
- krb5_principal mname,
- krb5_kvno kvno,
- krb5_keyblock *key,
- char *master_pwd)
+krb5_def_store_mkey_list(krb5_context context,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_keylist_node *keylist,
+ char *master_pwd)
 { krb5_error_code retval = 0; char defkeyfile[MAXPATHLEN+1]; 
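Review bot: `krb5_db_store_master_key_list` is a new exported entry point but carries no comment describing what it does or what the caller retains; a header such as `/* Hand the whole master key list to the loaded KDB module's store_master_key_list hook under the library lock; the dispatcher itself does not modify keylist, and any error is also recorded via get_errmsg. */` would document it where callers look. The `clean_n_exit` label exists only to `return status`, so the two `goto`s could simply be `return status;` — a matter of style, though it mirrors the sibling `krb5_db_store_master_key` whose tail is visible in the context. The hook is never NULL here because `kdb_setup_opt_functions` in the first hunk installs `krb5_def_store_mkey_list` as the default, which is worth a one-line comment at the call site.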
@@ -204,12 +203,17 @@ krb5_def_store_mkey(krb5_context context, if (retval != 0) goto out;
- memset((char *) &new_entry, 0, sizeof(new_entry));
- new_entry.principal = mname;
- new_entry.key = *key;
- new_entry.vno = kvno;
+ while (keylist && !retval) {
+ memset((char *) &new_entry, 0, sizeof(new_entry));
+ new_entry.principal = mname;
+ new_entry.key = keylist->keyblock;
+ new_entry.vno = keylist->kvno;
+
+ retval = krb5_kt_add_entry(context, kt, &new_entry);
+ keylist = keylist->next;
+ }
+ krb5_kt_close(context, kt);
- retval = krb5_kt_add_entry(context, kt, &new_entry);
 if (retval != 0) { /* delete tmp keyfile if it exists and an error occurrs */ if (stat(keyfile, &stb) >= 0)
@@ -227,12 +231,27 @@ krb5_def_store_mkey(krb5_context context, out: if (tmp_ktname != NULL) free(tmp_ktname);
- if (kt)
- krb5_kt_close(context, kt);
 return retval; }
+krb5_error_code
+krb5_def_store_mkey(krb5_context context,
+ char *keyfile,
+ krb5_principal mname,
+ krb5_kvno kvno,
+ krb5_keyblock *key,
+ char *master_pwd)
+{
+ krb5_keylist_node list;
+
+ list.kvno = kvno;
+ list.keyblock = *key;
+ list.next = NULL;
+ return krb5_def_store_mkey_list(context, keyfile, mname, &list,
+ master_pwd);
+}
+
 static krb5_error_code krb5_db_def_fetch_mkey_stash(krb5_context context, const char *keyfile,
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index 3cc0816..07349f4 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -27,6 +27,7 @@ krb5_db_set_mkey_list
 krb5_db_setup_mkey_name
 krb5_db_unlock
 krb5_db_store_master_key
+krb5_db_store_master_key_list
 krb5_db_verify_master_key
 krb5_dbe_apw
 krb5_dbe_ark
@@ -69,6 +70,7 @@ krb5_db_iter_policy
 krb5_db_delete_policy
 krb5_db_free_policy
 krb5_def_store_mkey
+krb5_def_store_mkey_list
 krb5_db_promote
 ulog_map
 ulog_set_role
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 90073e7..d9aa7bf 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c 
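Review bot: `krb5_def_store_mkey_list` never rejects an empty list: with `keylist == NULL` the `while (keylist && !retval)` loop does not run, `retval` stays 0 and `krb5_kt_close` is called on a keytab with no entries, so the function would apparently commit an empty keytab as the stash file (the rename of the temporary keytab is outside the hunk, so this is inferred); a guard before the loop, `if (keylist == NULL) { retval = EINVAL; goto out; }`, closes that. The moved `krb5_kt_close(context, kt)` call discards its return value, and the `out:` label no longer closes `kt`, so any `goto out` taken between the keytab being resolved and the loop now leaks the handle — the visible `if (retval != 0) goto out;` directly above is fine only if `kt` is not yet open at that point, which the hunk does not show. The function begins outside the hunk.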
@@ -263,7 +263,7 @@ kdb_vftabl kdb_function_table = { /* get_master_key */ wrap_krb5_db2_db_get_mkey, /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list, /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
- /* blah blah blah */ 0,0,0,0,0,0,0,
+ /* blah blah blah */ 0,0,0,0,0,0,0,0,
 /* promote_db */ wrap_krb5_db2_promote_db, 0,0,0, };
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c
index 2292f55..dcfe93c 100644
--- a/src/plugins/kdb/ldap/ldap_exp.c
+++ b/src/plugins/kdb/ldap/ldap_exp.c
@@ -85,6 +85,7 @@ kdb_vftabl kdb_function_table = { /* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */, /* verify_master_key */ NULL /* krb5_ldap_verify_master_key */, /* fetch_master_key_list */ NULL,
+ /* store_master_key_list */ NULL,
 /* Search enc type */ NULL, /* Change pwd */ NULL |
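Review bot: The db2 vtable fills the new slot by adding one more anonymous `0` to the `/* blah blah blah */ 0,0,0,0,0,0,0,0,` run, so the correspondence between position and `kdb_vftabl` member is maintained only by counting — exactly the step that goes wrong when a member is inserted mid-struct, as this commit does. Naming each entry the way `ldap_exp.c` does in the next hunk (`/* store_master_key_list */ 0,`) would let a reader compare table and header line by line. Since the slot is 0, this backend receives `krb5_def_store_mkey_list` through `kdb_setup_opt_functions`; that is worth stating in the comment rather than leaving it to the reader.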