authorWill Fiveash <will.fiveash@oracle.com>2009-01-27 20:24:37 +0000
committerWill Fiveash <will.fiveash@oracle.com>2009-01-27 20:24:37 +0000
commitf31cbce8a4a982ed4545140e447d417975804bef (patch)
tree4abce14ab69445048ab2ed51a18739d52528874d /src/kadmin
parentc1e6bdf4eba202ad43fb416c884a66a8af24ab5f (diff)
More review changes:
If I use "kdb5_util dump -mkey_convert" after using the master key rollover support, does something reasonably sane happen? E.g., process all the old keys properly, leave just one new master key value in the output database, reset the mkvno values attached to principals, etc. Done. Note I may have to update the dump code to deal with the various mkey input options which I'll do in a follow on commit. Also note that I removed the locking around the krb5_db2_alloc and free functions. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21807 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin')
-rw-r--r--src/kadmin/dbutil/dump.c27
-rw-r--r--src/kadmin/dbutil/kdb5_mkey.c19
-rw-r--r--src/kadmin/dbutil/kdb5_util.h3
3 files changed, 23 insertions, 26 deletions
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index f5b6cd6..ab42e9a 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -258,6 +258,8 @@ static const char hashoption[] = "-hash";
static const char ovoption[] = "-ov";
static const char dump_tmptrail[] = "~";
+static krb5_kvno new_mkvno;
+
/*
* Re-encrypt the key_data with the new master key...
*/
@@ -276,15 +278,20 @@ static krb5_error_code master_key_convert(context, db_entry)
is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ);
if (is_mkey) {
- retval = add_new_mkey(context, db_entry, &new_master_keyblock);
+ retval = add_new_mkey(context, db_entry, &new_master_keyblock, &new_mkvno);
if (retval)
return retval;
} else {
for (i=0; i < db_entry->n_key_data; i++) {
+ krb5_keyblock *tmp_mkey;
+
key_data = &db_entry->key_data[i];
if (key_data->key_data_length == 0)
continue;
- retval = krb5_dbekd_decrypt_key_data(context, &master_keyblock,
+ retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey);
+ if (retval)
+ return retval;
+ retval = krb5_dbekd_decrypt_key_data(context, tmp_mkey,
key_data, &v5plainkey,
&keysalt);
if (retval)
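Review bot: The added krb5_dbe_find_mkey call inside the loop takes only master_keylist and db_entry, not key_data, so its result is identical for every key_data of the entry and it can be hoisted above the `for`: declare `krb5_keyblock *tmp_mkey;` with the other locals, then `retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey); if (retval) return retval;` once before the loop. One caveat to confirm: for an entry whose key_data are all zero-length the lookup currently never runs, so hoisting would make a lookup failure for such an entry visible where today it is silently skipped, which is presumably the desired behaviour for a conversion that must not produce a half-converted dump. master_key_convert starts and ends outside this hunk.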
@@ -292,17 +299,8 @@ static krb5_error_code master_key_convert(context, db_entry)
memset(&new_key_data, 0, sizeof(new_key_data));
- if (is_mkey) {
- key_ptr = &new_master_keyblock;
- /* override mkey princ's kvno */
- if (global_params.mask & KADM5_CONFIG_KVNO)
- kvno = global_params.kvno;
- else
- kvno = (krb5_kvno) key_data->key_data_kvno;
- } else {
- key_ptr = &v5plainkey;
- kvno = (krb5_kvno) key_data->key_data_kvno;
- }
+ key_ptr = &v5plainkey;
+ kvno = (krb5_kvno) key_data->key_data_kvno;
retval = krb5_dbekd_encrypt_key_data(context, &new_master_keyblock,
key_ptr, &keysalt,
@@ -318,6 +316,9 @@ static krb5_error_code master_key_convert(context, db_entry)
}
*key_data = new_key_data;
}
+ retval = krb5_dbe_update_mkvno(context, db_entry, new_mkvno);
+ if (retval)
+ return retval;
}
return 0;
}
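Review bot: The new_mkvno passed to krb5_dbe_update_mkvno on the added lines is assigned in only one place, the add_new_mkey call taken when the entry is the master principal itself, so the value stamped onto every other principal depends on the master entry having been visited before them in the dump's iteration order, which is not visible here. If that order is not guaranteed, the principals processed earlier are stamped with the static's initial zero value, and because this is the kvno a later load uses to select the master key for decrypting those principals' keys, the output database would not reload cleanly. Safer is to derive the new kvno once before the dump iteration starts rather than as a side effect of processing the master entry, or at minimum to refuse the conversion when `new_mkvno == 0` at this point instead of writing it. master_key_convert's head is in an earlier hunk.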
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index d127b41..cfe35fe 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -35,16 +35,13 @@ static char *strdate(krb5_timestamp when)
}
krb5_error_code
-add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey)
+add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey, krb5_kvno *mkvno)
{
krb5_error_code retval = 0;
int old_key_data_count, i;
krb5_kvno old_kvno, new_mkey_kvno;
- krb5_keyblock new_mkeyblock;
krb5_key_data tmp_key_data, *old_key_data;
- krb5_enctype new_master_enctype = ENCTYPE_UNKNOWN;
- krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data,
- *cur_mkey_aux_data, *next_mkey_aux_data;
+ krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data;
krb5_keylist_node *keylist_node;
/* First save the old keydata */
@@ -152,6 +149,9 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
goto clean_n_exit;
}
+ if (mkvno)
+ *mkvno = new_mkey_kvno;
+
clean_n_exit:
if (mkey_aux_data_head)
krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_head);
@@ -167,19 +167,14 @@ kdb5_add_mkey(int argc, char *argv[])
char *pw_str = 0;
unsigned int pw_size = 0;
int do_stash = 0, nentries = 0;
- int old_key_data_count, i;
krb5_boolean more = 0;
krb5_data pwd;
- krb5_kvno old_kvno, new_mkey_kvno;
+ krb5_kvno new_mkey_kvno;
krb5_keyblock new_mkeyblock;
- krb5_key_data tmp_key_data, *old_key_data;
krb5_enctype new_master_enctype = ENCTYPE_UNKNOWN;
char *new_mkey_password;
krb5_db_entry master_entry;
krb5_timestamp now;
- krb5_mkey_aux_node *mkey_aux_data_head, **mkey_aux_data,
- *cur_mkey_aux_data, *next_mkey_aux_data;
- krb5_keylist_node *keylist_node;
/*
* The command table entry for this command causes open_db_and_mkey() to be
@@ -267,7 +262,7 @@ kdb5_add_mkey(int argc, char *argv[])
return;
}
- retval = add_new_mkey(util_context, &master_entry, &new_mkeyblock);
+ retval = add_new_mkey(util_context, &master_entry, &new_mkeyblock, NULL);
if (retval) {
com_err(progname, retval, "adding new master key to master principal");
exit_status++;
diff --git a/src/kadmin/dbutil/kdb5_util.h b/src/kadmin/dbutil/kdb5_util.h
index dd74654..175d61c 100644
--- a/src/kadmin/dbutil/kdb5_util.h
+++ b/src/kadmin/dbutil/kdb5_util.h
@@ -88,7 +88,8 @@ extern void update_ok_file (char *file_name);
extern int kadm5_create (kadm5_config_params *params);
-extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *, krb5_keyblock *);
+extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *,
+ krb5_keyblock *, krb5_kvno *);
void usage (void);
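Review bot: The new fourth parameter of add_new_mkey is unnamed and undocumented in the prototype, and its contract is easy to get wrong: in kdb5_mkey.c it is stored only after all the key work has succeeded (failure paths jump to clean_n_exit past the store), and kdb5_add_mkey passes NULL for it. Name the parameters and state that, e.g. `extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey, krb5_kvno *mkvno);` preceded by `/* mkvno (may be NULL): receives the kvno assigned to new_mkey; written only on success. */`. A two-line change, with no effect on callers.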