authorGreg Hudson <ghudson@mit.edu>2010-07-02 19:09:20 +0000
committerGreg Hudson <ghudson@mit.edu>2010-07-02 19:09:20 +0000
commitb119d362e2e195a61488737511be2ca7b37138b5 (patch)
tree7645a1671f6d5497f0ef8a82ee4299b2490406d2 /src/lib
parent323fa3f74a84ee28115c4df7c7c0ea9b5b231a76 (diff)
Remove verify_master_key from the DAL table, as well as its associated
libkdb5 interface. Callers can (and mostly already do) use krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create, tests/verify, and kdb5_util dump to do so. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/kadm5/srv/server_kdb.c12
-rw-r--r--src/lib/kdb/kdb5.c19
-rw-r--r--src/lib/kdb/kdb_default.c57
-rw-r--r--src/lib/kdb/libkdb5.exports1
4 files changed, 0 insertions, 89 deletions
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 768c8f7..d986b62 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -72,18 +72,6 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
if (ret)
goto done;
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
- /*
- * krb5_db_fetch_mkey_list will verify mkey so don't call
- * krb5_db_verify_master_key()
- */
- if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
- IGNORE_VNO, &master_keyblock))) {
- krb5_db_fini(handle->context);
- return ret;
- }
-#endif /**************** END IFDEF'ed OUT *******************************/
-
if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
&master_keyblock, mkvno, &master_keylist))) {
krb5_db_fini(handle->context);
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index f1bd581..8a19984 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -252,8 +252,6 @@ kdb_setup_opt_functions(db_library lib)
lib->vftabl.get_master_key_list = kdb_def_get_mkey_list;
if (lib->vftabl.fetch_master_key == NULL)
lib->vftabl.fetch_master_key = krb5_db_def_fetch_mkey;
- if (lib->vftabl.verify_master_key == NULL)
- lib->vftabl.verify_master_key = krb5_def_verify_master_key;
if (lib->vftabl.fetch_master_key_list == NULL)
lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list;
if (lib->vftabl.store_master_key_list == NULL)
@@ -1278,23 +1276,6 @@ clean_n_exit:
}
krb5_error_code
-krb5_db_verify_master_key(krb5_context kcontext,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock * mkey)
-{
- krb5_error_code status = 0;
- kdb_vftabl *v;
-
- status = get_vftabl(kcontext, &v);
- if (status)
- return status;
- if (v->verify_master_key == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
- return v->verify_master_key(kcontext, mprinc, kvno, mkey);
-}
-
-krb5_error_code
krb5_dbe_fetch_act_key_list(krb5_context context,
krb5_principal princ,
krb5_actkvno_node **act_key_list)
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index e8fe54f..d78c13c 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -434,63 +434,6 @@ krb5_db_def_fetch_mkey(krb5_context context,
return 0;
}
-/*
- * Note, this verifies that the input mkey is currently protecting all the mkeys
- */
-krb5_error_code
-krb5_def_verify_master_key(krb5_context context,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock *mkey)
-{
- krb5_error_code retval;
- krb5_db_entry master_entry;
- int nprinc;
- krb5_boolean more;
- krb5_keyblock tempkey;
-
- nprinc = 1;
- if ((retval = krb5_db_get_principal(context, mprinc,
- &master_entry, &nprinc, &more)))
- return(retval);
-
- if (nprinc != 1) {
- if (nprinc)
- krb5_db_free_principal(context, &master_entry, nprinc);
- return(KRB5_KDB_NOMASTERKEY);
- } else if (more) {
- krb5_db_free_principal(context, &master_entry, nprinc);
- return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- }
-
- if ((retval = krb5_dbe_decrypt_key_data(context, mkey,
- &master_entry.key_data[0],
- &tempkey, NULL))) {
- krb5_db_free_principal(context, &master_entry, nprinc);
- return retval;
- }
-
- if (mkey->length != tempkey.length ||
- memcmp((char *)mkey->contents,
- (char *)tempkey.contents,mkey->length)) {
- retval = KRB5_KDB_BADMASTERKEY;
- }
-
- if (kvno != IGNORE_VNO &&
- kvno != (krb5_kvno) master_entry.key_data->key_data_kvno) {
- retval = KRB5_KDB_BADMASTERKEY;
- krb5_set_error_message (context, retval,
- "User specified mkeyVNO (%u) does not match master key princ's KVNO (%u)",
- kvno, master_entry.key_data->key_data_kvno);
- }
-
- zap((char *)tempkey.contents, tempkey.length);
- free(tempkey.contents);
- krb5_db_free_principal(context, &master_entry, nprinc);
-
- return retval;
-}
-
krb5_error_code
krb5_def_fetch_mkey_list(krb5_context context,
krb5_principal mprinc,
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index c32a8db..4111ef0 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -27,7 +27,6 @@ krb5_db_setup_mkey_name
krb5_db_unlock
krb5_db_store_master_key
krb5_db_store_master_key_list
-krb5_db_verify_master_key
krb5_dbe_apw
krb5_dbe_ark
krb5_dbe_cpw