author | Will Fiveash <will.fiveash@oracle.com> | 2009-01-30 23:55:14 +0000 |
committer | Will Fiveash <will.fiveash@oracle.com> | 2009-01-30 23:55:14 +0000 |
commit | e246f7e7b2cddfca9eb744f24e50dd034247a74b (patch) | |
tree | 97ec348048dab2eec4206fa99df1e18adab77cf1 /src/plugins/kdb/db2 | |
parent | 77b1e1108ca32617fe43825748c68c575e77f010 (diff) | |
Master Key Migration Project
Commit for the Master Key Migration Project.
http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration
This commit provides the ability to add a new master key (with an
enctype differing from the current master key) to the master key
principal and stash file and then migrate the encryption of existing
principals' long-term keys to use the new master key. In addition
deletion of master keys is provided.
ticket: 6354
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb/db2')
-rw-r--r-- | src/plugins/kdb/db2/db2_exp.c | 28 | ||||
-rw-r--r-- | src/plugins/kdb/db2/kdb_db2.c | 42 | ||||
-rw-r--r-- | src/plugins/kdb/db2/kdb_db2.h | 13 |
3 files changed, 69 insertions, 14 deletions
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 123d20a..5c81624 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -59,7 +59,7 @@ static char *_csrc = "@(#) %filespec: db2_exp.c~5 % (%full_filespec: db2_exp.c~
 locking code into the top and bottom of each referenced function won't do. (We aren't doing recursive locks, currently.) */
-static k5_mutex_t *krb5_db2_mutex;
+k5_mutex_t *krb5_db2_mutex;
 #define WRAP(NAME,TYPE,ARGLIST,ARGNAMES,ERROR_RESULT) \
 static TYPE wrap_##NAME ARGLIST \
@@ -178,21 +178,21 @@ WRAP_VOID (krb5_db2_free_policy,
 ( krb5_context kcontext, osa_policy_ent_t entry ),
 (kcontext, entry));
-WRAP (krb5_db2_alloc, void *,
- ( krb5_context kcontext,
- void *ptr,
- size_t size ),
- (kcontext, ptr, size), NULL);
-WRAP_VOID (krb5_db2_free,
- ( krb5_context kcontext, void *ptr ),
- (kcontext, ptr));
-
 WRAP_K (krb5_db2_set_master_key_ext,
 ( krb5_context kcontext, char *pwd, krb5_keyblock *key),
 (kcontext, pwd, key));
 WRAP_K (krb5_db2_db_get_mkey,
 ( krb5_context context, krb5_keyblock **key),
 (context, key));
+
+WRAP_K (krb5_db2_db_set_mkey_list,
+ ( krb5_context kcontext, krb5_keylist_node *keylist),
+ (kcontext, keylist));
+
+WRAP_K (krb5_db2_db_get_mkey_list,
+ ( krb5_context context, krb5_keylist_node **keylist),
+ (context, keylist));
+
 WRAP_K (krb5_db2_promote_db,
 ( krb5_context kcontext, char *conf_section, char **db_args ),
 (kcontext, conf_section, db_args));
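Review bot: Dropping the `WRAP`/`WRAP_VOID` around krb5_db2_alloc and krb5_db2_free means the `db_alloc` and `db_free` entry points now run without krb5_db2_mutex held, and nothing in the hunk records why that is safe. Presumably both are thin malloc/free shims that never read the db2 context; if so, a one-line comment where the wrappers were removed would stop the next reader from re-wrapping them or assuming the lock covers them: `/* krb5_db2_alloc/free touch no shared db2 state and are exported unwrapped. */`. If they do consult the context (for example a per-database allocator), the lock should stay.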
@@ -248,11 +248,13 @@ kdb_vftabl kdb_function_table = {
 /* db_free_supported_realms */ NULL,
 /* errcode_2_string */ NULL,
 /* release_errcode_string */ NULL,
- /* db_alloc */ wrap_krb5_db2_alloc,
- /* db_free */ wrap_krb5_db2_free,
+ /* db_alloc */ krb5_db2_alloc,
+ /* db_free */ krb5_db2_free,
 /* set_master_key */ wrap_krb5_db2_set_master_key_ext,
 /* get_master_key */ wrap_krb5_db2_db_get_mkey,
- /* blah blah blah */ 0,0,0,0,0,0,
+ /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list,
+ /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
+ /* blah blah blah */ 0,0,0,0,0,0,0,0,
 /* promote_db */ wrap_krb5_db2_promote_db,
 0,0,0,
 };
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 704e47d..90c8933 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -431,6 +431,37 @@ krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key)
 return 0;
 }
+krb5_error_code
+krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *key_list)
+{
+ krb5_db2_context *db_ctx;
+ kdb5_dal_handle *dal_handle;
+
+ if (!k5db2_inited(context))
+ return (KRB5_KDB_DBNOTINITED);
+
+ dal_handle = context->dal_handle;
+ db_ctx = dal_handle->db_context;
+ db_ctx->db_master_key_list = key_list;
+ return 0;
+}
+
+krb5_error_code
+krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **key_list)
+{
+ krb5_db2_context *db_ctx;
+ kdb5_dal_handle *dal_handle;
+
+ if (!k5db2_inited(context))
+ return (KRB5_KDB_DBNOTINITED);
+
+ dal_handle = context->dal_handle;
+ db_ctx = dal_handle->db_context;
+ *key_list = db_ctx->db_master_key_list;
+
+ return 0;
+}
+
 /*
 * Set the "name" of the current database to some alternate value.
 *
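Review bot: The placeholder `/* blah blah blah */ 0,0,0,0,0,0,0,0,` grew from six zeros to eight in this hunk, which shows how fragile the positional fill is: miscounting by one silently moves wrap_krb5_db2_promote_db into a neighbouring kdb_vftabl slot with no compiler diagnostic, and the table is what the KDC dispatches through. Every other entry names its slot; the zeros should too, one `/* slot_name */ NULL,` per line taken from the kdb_vftabl definition, or the table should use designated initializers (`.promote_db = wrap_krb5_db2_promote_db,`) if the project's compiler baseline allows C99. The trailing `0,0,0,` before `};` has the same problem.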
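Review bot: krb5_db2_db_set_mkey_list stores the caller's `key_list` pointer in `db_ctx->db_master_key_list` without copying it, and krb5_db2_db_get_mkey_list hands that same internal pointer back, so ownership and lifetime of the master-key material are left implicit. Nothing in the hunk says who frees the list or zeroizes the keys, and the db2 fini path is outside this view, so I cannot tell whether it does either. Because this is master key material I would state the contract on both functions: `/* The context does not copy, free or zeroize the list; the caller owns it and must keep it valid for the life of the db2 context. */`. krb5_db2_db_get_mkey_list should also either reject a NULL `key_list` out-pointer or document that it is the caller's responsibility, matching whatever krb5_db2_db_get_mkey just above does (its body is outside the hunk).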
@@ -1171,8 +1202,19 @@ krb5_db2_db_iterate_ext(krb5_context context,
 retval = krb5_decode_princ_contents(context, &contdata, &entries);
 if (retval)
 break;
+ retval = k5_mutex_unlock(krb5_db2_mutex);
+ if (retval)
+ break;
 retval = (*func) (func_arg, &entries);
 krb5_dbe_free_contents(context, &entries);
+ /* Note: If re-locking fails, the wrapper in db2_exp.c will
+ still try to unlock it again. That would be a bug. Fix
+ when integrating the locking better. */
+ if (retval) {
+ (void) k5_mutex_lock(krb5_db2_mutex);
+ break;
+ }
+ retval = k5_mutex_lock(krb5_db2_mutex);
 if (retval)
 break;
 if (!recursive) {
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
index d6cb1e8..640c4d6 100644
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
@@ -42,7 +42,8 @@ typedef struct _krb5_db2_context {
 int db_locks_held; /* Number of times locked */
 int db_lock_mode; /* Last lock mode, e.g. greatest*/
 krb5_boolean db_nb_locks; /* [Non]Blocking lock modes */
- krb5_keyblock *db_master_key; /* Master key of database */
+ krb5_keyblock *db_master_key; /* Master key of database */
+ krb5_keylist_node *db_master_key_list; /* Master key list of database */
 osa_adb_policy_t policy_db;
 krb5_boolean tempdb;
 } krb5_db2_context;
@@ -121,6 +122,13 @@ krb5_db2_db_set_mkey( krb5_context context,
 krb5_error_code
 krb5_db2_db_get_mkey( krb5_context context,
 krb5_keyblock **key);
+krb5_error_code
+krb5_db2_db_set_mkey_list( krb5_context context,
+ krb5_keylist_node *keylist);
+
+krb5_error_code
+krb5_db2_db_get_mkey_list( krb5_context context,
+ krb5_keylist_node **keylist);
 krb5_error_code
 krb5_db2_db_put_principal( krb5_context context,
@@ -208,4 +216,7 @@ krb5_error_code krb5_db2_delete_policy ( krb5_context kcontext,
 void krb5_db2_free_policy( krb5_context kcontext,
 osa_policy_ent_t entry );
+/* Thread-safety wrapper slapped on top of original implementation. */
+extern k5_mutex_t *krb5_db2_mutex;
+
 #endif /* KRB5_KDB_DB2_H */ |
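Review bot: Releasing krb5_db2_mutex around `(*func)` leaves the open db2 cursor, `contdata` and the rest of the db_ctx state unprotected while the callback runs, so another thread entering through any wrapped entry point can modify the database under the iteration, and re-taking the lock afterwards does not make the cursor valid again. The added comment already concedes the second hazard: if `k5_mutex_lock` fails in either path, the mutex is not held when the wrapper in db2_exp.c unlocks it, which is unlocking a mutex the thread does not own, so a failed relock should be treated as fatal rather than returned as an ordinary error. At minimum the comment should name the first hazard too, e.g. `/* The lock is dropped so func may re-enter the DB; the iteration cursor is unprotected while the callback runs. */`. krb5_db2_db_iterate_ext begins and ends outside this hunk, so I cannot see whether the cursor is re-validated after the relock.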
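Review bot: The comment `/* Thread-safety wrapper slapped on top of original implementation. */` above the new `extern k5_mutex_t *krb5_db2_mutex;` is copied from db2_exp.c and describes the wrapper, not this declaration; a reader of kdb_db2.h needs to know what the exported lock guards and that the implementation now touches it directly. Suggest `/* Lock serializing every db2 entry point; defined in db2_exp.c. krb5_db2_db_iterate_ext releases it temporarily around the caller's callback. */`. Only the header guard's `#endif` follows it, so nothing else in the hunk is affected.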