Master Key Migration Project

Commit for the Master Key Migration Project. http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration This commit provides the ability to add a new master key (with an enctype differing from the current master key) to the master key principal and stash file and then migrate the encryption of existing principals long term keys to use the new master key. In addition deletion of master keys is provided. ticket: 6354 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
author: Will Fiveash <will.fiveash@oracle.com> 2009-01-30 23:55:14 +0000
committer: Will Fiveash <will.fiveash@oracle.com> 2009-01-30 23:55:14 +0000
commit: e246f7e7b2cddfca9eb744f24e50dd034247a74b (patch)
tree: 97ec348048dab2eec4206fa99df1e18adab77cf1 /src/plugins/kdb/db2
parent: 77b1e1108ca32617fe43825748c68c575e77f010 (diff)
download: krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.zip
krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.tar.gz
krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.tar.bz2
3 files changed, 69 insertions, 14 deletions
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 123d20a..5c81624 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -59,7 +59,7 @@ static char *_csrc = "@(#) %filespec: db2_exp.c~5 %  (%full_filespec: db2_exp.c~
    locking code into the top and bottom of each referenced function
    won't do.  (We aren't doing recursive locks, currently.)  */
 
-static k5_mutex_t *krb5_db2_mutex;
+k5_mutex_t *krb5_db2_mutex;
 
 #define WRAP(NAME,TYPE,ARGLIST,ARGNAMES,ERROR_RESULT)	\
 	static TYPE wrap_##NAME ARGLIST			\
@@ -178,21 +178,21 @@ WRAP_VOID (krb5_db2_free_policy,
 	   ( krb5_context kcontext, osa_policy_ent_t entry ),
 	   (kcontext, entry));
 
-WRAP (krb5_db2_alloc, void *,
-      ( krb5_context kcontext,  
-	void *ptr, 
-	size_t size ),
-      (kcontext, ptr, size), NULL);
-WRAP_VOID (krb5_db2_free,
-	   ( krb5_context kcontext, void *ptr ),
-	   (kcontext, ptr));
-
 WRAP_K (krb5_db2_set_master_key_ext,
 	( krb5_context kcontext, char *pwd, krb5_keyblock *key),
 	(kcontext, pwd, key));
 WRAP_K (krb5_db2_db_get_mkey,
 	( krb5_context context, krb5_keyblock **key),
 	(context, key));
+
+WRAP_K (krb5_db2_db_set_mkey_list,
+	( krb5_context kcontext, krb5_keylist_node *keylist),
+	(kcontext, keylist));
+
+WRAP_K (krb5_db2_db_get_mkey_list,
+	( krb5_context context, krb5_keylist_node **keylist),
+	(context, keylist));
+
 WRAP_K (krb5_db2_promote_db,
 	( krb5_context kcontext, char *conf_section, char **db_args ),
 	(kcontext, conf_section, db_args));
@@ -248,11 +248,13 @@ kdb_vftabl kdb_function_table = {
   /* db_free_supported_realms */	       NULL,
   /* errcode_2_string */                       NULL,
   /* release_errcode_string */		       NULL,
-  /* db_alloc */                               wrap_krb5_db2_alloc,
-  /* db_free */                                wrap_krb5_db2_free,
+  /* db_alloc */                               krb5_db2_alloc,
+  /* db_free */                                krb5_db2_free,
   /* set_master_key */			       wrap_krb5_db2_set_master_key_ext,
   /* get_master_key */			       wrap_krb5_db2_db_get_mkey,
-  /* blah blah blah */ 0,0,0,0,0,0,
+  /* set_master_key_list */		       wrap_krb5_db2_db_set_mkey_list,
+  /* get_master_key_list */	    	       wrap_krb5_db2_db_get_mkey_list,
+  /* blah blah blah */ 0,0,0,0,0,0,0,0,
   /* promote_db */			       wrap_krb5_db2_promote_db,
   0,0,0,
 };
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 704e47d..90c8933 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -431,6 +431,37 @@ krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key)
     return 0;
 }
 
+krb5_error_code
+krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *key_list)
+{
+    krb5_db2_context *db_ctx;
+    kdb5_dal_handle *dal_handle;
+
+    if (!k5db2_inited(context))
+	return (KRB5_KDB_DBNOTINITED);
+
+    dal_handle = context->dal_handle;
+    db_ctx = dal_handle->db_context;
+    db_ctx->db_master_key_list = key_list;
+    return 0;
+}
+
+krb5_error_code
+krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **key_list)
+{
+    krb5_db2_context *db_ctx;
+    kdb5_dal_handle *dal_handle;
+
+    if (!k5db2_inited(context))
+	return (KRB5_KDB_DBNOTINITED);
+
+    dal_handle = context->dal_handle;
+    db_ctx = dal_handle->db_context;
+    *key_list = db_ctx->db_master_key_list;
+
+    return 0;
+}
+
 /*
  * Set the "name" of the current database to some alternate value.
  *
@@ -1171,8 +1202,19 @@ krb5_db2_db_iterate_ext(krb5_context context,
 	retval = krb5_decode_princ_contents(context, &contdata, &entries);
 	if (retval)
 	    break;
+	retval = k5_mutex_unlock(krb5_db2_mutex);
+	if (retval)
+	    break;
 	retval = (*func) (func_arg, &entries);
 	krb5_dbe_free_contents(context, &entries);
+	/* Note: If re-locking fails, the wrapper in db2_exp.c will
+	   still try to unlock it again.  That would be a bug.  Fix
+	   when integrating the locking better.  */
+	if (retval) {
+	    (void) k5_mutex_lock(krb5_db2_mutex);
+	    break;
+	}
+	retval = k5_mutex_lock(krb5_db2_mutex);
 	if (retval)
 	    break;
 	if (!recursive) {
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
index d6cb1e8..640c4d6 100644
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
@@ -42,7 +42,8 @@ typedef struct _krb5_db2_context {
     int                 db_locks_held;  /* Number of times locked       */
     int                 db_lock_mode;   /* Last lock mode, e.g. greatest*/
     krb5_boolean        db_nb_locks;    /* [Non]Blocking lock modes     */
-    krb5_keyblock      *db_master_key;  /* Master key of database       */
+    krb5_keyblock      *db_master_key; /* Master key of database */
+    krb5_keylist_node *db_master_key_list;  /* Master key list of database */
     osa_adb_policy_t    policy_db;
     krb5_boolean tempdb;
 } krb5_db2_context;
@@ -121,6 +122,13 @@ krb5_db2_db_set_mkey( krb5_context context,
 krb5_error_code
 krb5_db2_db_get_mkey( krb5_context context,
 		      krb5_keyblock **key);
+krb5_error_code
+krb5_db2_db_set_mkey_list( krb5_context context,
+		      krb5_keylist_node *keylist);
+
+krb5_error_code
+krb5_db2_db_get_mkey_list( krb5_context context,
+		      krb5_keylist_node **keylist);
 
 krb5_error_code
 krb5_db2_db_put_principal( krb5_context context,
@@ -208,4 +216,7 @@ krb5_error_code krb5_db2_delete_policy ( krb5_context kcontext,
 void krb5_db2_free_policy( krb5_context kcontext,
 			   osa_policy_ent_t entry );
 
+/* Thread-safety wrapper slapped on top of original implementation.  */
+extern k5_mutex_t *krb5_db2_mutex;
+
 #endif /* KRB5_KDB_DB2_H */
author	Will Fiveash <will.fiveash@oracle.com>	2009-01-30 23:55:14 +0000
committer	Will Fiveash <will.fiveash@oracle.com>	2009-01-30 23:55:14 +0000
commit	e246f7e7b2cddfca9eb744f24e50dd034247a74b (patch)
tree	97ec348048dab2eec4206fa99df1e18adab77cf1 /src/plugins/kdb/db2
parent	77b1e1108ca32617fe43825748c68c575e77f010 (diff)
download	krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.zip krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.tar.gz krb5-e246f7e7b2cddfca9eb744f24e50dd034247a74b.tar.bz2