authorWill Fiveash <will.fiveash@oracle.com>2009-01-30 23:55:14 +0000
committerWill Fiveash <will.fiveash@oracle.com>2009-01-30 23:55:14 +0000
commite246f7e7b2cddfca9eb744f24e50dd034247a74b (patch)
tree97ec348048dab2eec4206fa99df1e18adab77cf1 /src/plugins/kdb
parent77b1e1108ca32617fe43825748c68c575e77f010 (diff)
Master Key Migration Project
Commit for the Master Key Migration Project. http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration This commit provides the ability to add a new master key (with an enctype differing from the current master key) to the master key principal and stash file and then migrate the encryption of existing principals' long-term keys to use the new master key. In addition, deletion of master keys is provided. ticket: 6354 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/kdb')
-rw-r--r--src/plugins/kdb/db2/db2_exp.c28
-rw-r--r--src/plugins/kdb/db2/kdb_db2.c42
-rw-r--r--src/plugins/kdb/db2/kdb_db2.h13
-rw-r--r--src/plugins/kdb/ldap/ldap_exp.c4
-rw-r--r--src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c27
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h6
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c45
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c42
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c9
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h2
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c18
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h1
12 files changed, 206 insertions, 31 deletions
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 123d20a..5c81624 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -59,7 +59,7 @@ static char *_csrc = "@(#) %filespec: db2_exp.c~5 % (%full_filespec: db2_exp.c~
locking code into the top and bottom of each referenced function
won't do. (We aren't doing recursive locks, currently.) */
-static k5_mutex_t *krb5_db2_mutex;
+k5_mutex_t *krb5_db2_mutex;
#define WRAP(NAME,TYPE,ARGLIST,ARGNAMES,ERROR_RESULT) \
static TYPE wrap_##NAME ARGLIST \
@@ -178,21 +178,21 @@ WRAP_VOID (krb5_db2_free_policy,
( krb5_context kcontext, osa_policy_ent_t entry ),
(kcontext, entry));
-WRAP (krb5_db2_alloc, void *,
- ( krb5_context kcontext,
- void *ptr,
- size_t size ),
- (kcontext, ptr, size), NULL);
-WRAP_VOID (krb5_db2_free,
- ( krb5_context kcontext, void *ptr ),
- (kcontext, ptr));
-
WRAP_K (krb5_db2_set_master_key_ext,
( krb5_context kcontext, char *pwd, krb5_keyblock *key),
(kcontext, pwd, key));
WRAP_K (krb5_db2_db_get_mkey,
( krb5_context context, krb5_keyblock **key),
(context, key));
+
+WRAP_K (krb5_db2_db_set_mkey_list,
+ ( krb5_context kcontext, krb5_keylist_node *keylist),
+ (kcontext, keylist));
+
+WRAP_K (krb5_db2_db_get_mkey_list,
+ ( krb5_context context, krb5_keylist_node **keylist),
+ (context, keylist));
+
WRAP_K (krb5_db2_promote_db,
( krb5_context kcontext, char *conf_section, char **db_args ),
(kcontext, conf_section, db_args));
@@ -248,11 +248,13 @@ kdb_vftabl kdb_function_table = {
/* db_free_supported_realms */ NULL,
/* errcode_2_string */ NULL,
/* release_errcode_string */ NULL,
- /* db_alloc */ wrap_krb5_db2_alloc,
- /* db_free */ wrap_krb5_db2_free,
+ /* db_alloc */ krb5_db2_alloc,
+ /* db_free */ krb5_db2_free,
/* set_master_key */ wrap_krb5_db2_set_master_key_ext,
/* get_master_key */ wrap_krb5_db2_db_get_mkey,
- /* blah blah blah */ 0,0,0,0,0,0,
+ /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list,
+ /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
+ /* blah blah blah */ 0,0,0,0,0,0,0,0,
/* promote_db */ wrap_krb5_db2_promote_db,
0,0,0,
};
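Review bot: The kdb_function_table initializer at lines 78-87 stays positional, so the `/* blah blah blah */ 0,0,0,0,0,0,0,0` run has to be counted by hand against the kdb_vftabl layout every time a slot is added; this commit grows it from six to eight zeros while inserting two named entries, and the only thing tying that to the four slots added in ldap_exp.c (lines 192-193 and 198-199) is the reviewer's arithmetic. ldap_exp.c names every slot it leaves NULL, and this table should do the same, one `/* slot_name */ NULL,` per slot, or, if the project's compilers permit C99 designated initializers, `.set_master_key_list = wrap_krb5_db2_db_set_mkey_list,` so the compiler rather than a comment keeps the positions honest. db_alloc and db_free at lines 78-79 now point at the unwrapped krb5_db2_alloc/krb5_db2_free, so those two must be safe without krb5_db2_mutex held; a one-line comment there saying why they are exempt from the wrapper would save the next reader the question. The table definition starts before this hunk.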
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 704e47d..90c8933 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -431,6 +431,37 @@ krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key)
return 0;
}
+krb5_error_code
+krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *key_list)
+{
+ krb5_db2_context *db_ctx;
+ kdb5_dal_handle *dal_handle;
+
+ if (!k5db2_inited(context))
+ return (KRB5_KDB_DBNOTINITED);
+
+ dal_handle = context->dal_handle;
+ db_ctx = dal_handle->db_context;
+ db_ctx->db_master_key_list = key_list;
+ return 0;
+}
+
+krb5_error_code
+krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **key_list)
+{
+ krb5_db2_context *db_ctx;
+ kdb5_dal_handle *dal_handle;
+
+ if (!k5db2_inited(context))
+ return (KRB5_KDB_DBNOTINITED);
+
+ dal_handle = context->dal_handle;
+ db_ctx = dal_handle->db_context;
+ *key_list = db_ctx->db_master_key_list;
+
+ return 0;
+}
+
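Review bot: krb5_db2_db_set_mkey_list at lines 97-109 stores the caller's `key_list` pointer into db_ctx->db_master_key_list without copying it, and krb5_db2_db_get_mkey_list at lines 112-125 hands that same internal pointer back, yet neither function says who owns the list or when it may be freed; krb5_ldap_set_mkey in ldap_fetch_mkey.c (line 326) copies key contents, which makes the by-reference behaviour here easy to misread. Add a comment above line 96, `/* Retains key_list by reference: the caller's list must outlive the db context, and any previously set list pointer is overwritten, not freed. */`, and above line 111, `/* Returns the db context's list by reference; the caller must not free it. */`. The get variant also writes through `key_list` without a NULL check; whether that matches the neighbouring krb5_db2_db_get_mkey is not visible from this hunk.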
/*
* Set the "name" of the current database to some alternate value.
*
@@ -1171,8 +1202,19 @@ krb5_db2_db_iterate_ext(krb5_context context,
retval = krb5_decode_princ_contents(context, &contdata, &entries);
if (retval)
break;
+ retval = k5_mutex_unlock(krb5_db2_mutex);
+ if (retval)
+ break;
retval = (*func) (func_arg, &entries);
krb5_dbe_free_contents(context, &entries);
+ /* Note: If re-locking fails, the wrapper in db2_exp.c will
+ still try to unlock it again. That would be a bug. Fix
+ when integrating the locking better. */
+ if (retval) {
+ (void) k5_mutex_lock(krb5_db2_mutex);
+ break;
+ }
+ retval = k5_mutex_lock(krb5_db2_mutex);
if (retval)
break;
if (!recursive) {
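Review bot: The relock failure at lines 146-148 has the same unbalanced-unlock hazard that the comment at lines 139-141 describes for the callback-error path: `break` leaves krb5_db2_mutex unlocked while the wrap_ macro in db2_exp.c will still unlock on return, so the comment should speak for both exits rather than only the one at 142-145, e.g. `/* Note: on either relock failure below the wrapper in db2_exp.c will still unlock; fix when the locking is integrated properly. */`. Dropping the lock around `(*func)` also means another thread may change the database between the decode at line 131 and the next cursor step after line 148; whether the db2 cursor tolerates that is not visible here, and a comment stating what the function assumes (entries is a private decoded copy; the cursor is or is not revalidated after relocking) would help. krb5_db2_db_iterate_ext starts and ends outside this hunk.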
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
index d6cb1e8..640c4d6 100644
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
@@ -42,7 +42,8 @@ typedef struct _krb5_db2_context {
int db_locks_held; /* Number of times locked */
int db_lock_mode; /* Last lock mode, e.g. greatest*/
krb5_boolean db_nb_locks; /* [Non]Blocking lock modes */
- krb5_keyblock *db_master_key; /* Master key of database */
+ krb5_keyblock *db_master_key; /* Master key of database */
+ krb5_keylist_node *db_master_key_list; /* Master key list of database */
osa_adb_policy_t policy_db;
krb5_boolean tempdb;
} krb5_db2_context;
@@ -121,6 +122,13 @@ krb5_db2_db_set_mkey( krb5_context context,
krb5_error_code
krb5_db2_db_get_mkey( krb5_context context,
krb5_keyblock **key);
+krb5_error_code
+krb5_db2_db_set_mkey_list( krb5_context context,
+ krb5_keylist_node *keylist);
+
+krb5_error_code
+krb5_db2_db_get_mkey_list( krb5_context context,
+ krb5_keylist_node **keylist);
krb5_error_code
krb5_db2_db_put_principal( krb5_context context,
@@ -208,4 +216,7 @@ krb5_error_code krb5_db2_delete_policy ( krb5_context kcontext,
void krb5_db2_free_policy( krb5_context kcontext,
osa_policy_ent_t entry );
+/* Thread-safety wrapper slapped on top of original implementation. */
+extern k5_mutex_t *krb5_db2_mutex;
+
#endif /* KRB5_KDB_DB2_H */
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c
index eaeef2a..dcfe93c 100644
--- a/src/plugins/kdb/ldap/ldap_exp.c
+++ b/src/plugins/kdb/ldap/ldap_exp.c
@@ -78,10 +78,14 @@ kdb_vftabl kdb_function_table = {
/* optional functions */
/* set_master_key */ krb5_ldap_set_mkey,
/* get_master_key */ krb5_ldap_get_mkey,
+ /* set_master_key_list */ krb5_ldap_set_mkey_list,
+ /* get_master_key_list */ krb5_ldap_get_mkey_list,
/* setup_master_key_name */ NULL,
/* store_master_key */ NULL,
/* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */,
/* verify_master_key */ NULL /* krb5_ldap_verify_master_key */,
+ /* fetch_master_key_list */ NULL,
+ /* store_master_key_list */ NULL,
/* Search enc type */ NULL,
/* Change pwd */ NULL
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index c13d967..60d9e25 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -2379,6 +2379,8 @@ kdb_ldap_create_principal (context, princ, op, pblock)
krb5_ldap_context *ldap_context=NULL;
struct iterate_args iargs;
krb5_data *pdata;
+ krb5_timestamp now;
+ krb5_actkvno_node actkvno;
if ((pblock == NULL) || (context == NULL)) {
retval = EINVAL;
@@ -2425,14 +2427,12 @@ kdb_ldap_create_principal (context, princ, op, pblock)
entry.tl_data = tl_data;
entry.n_tl_data += 1;
/* Set the creator's name */
- {
- krb5_timestamp now;
- if ((retval = krb5_timeofday(context, &now)))
- goto cleanup;
- if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
- now, &db_create_princ)))
- goto cleanup;
- }
+ if ((retval = krb5_timeofday(context, &now)))
+ goto cleanup;
+ if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
+ now, &db_create_princ)))
+ goto cleanup;
+
entry.attributes = pblock->flags;
entry.max_life = pblock->max_life;
entry.max_renewable_life = pblock->max_rlife;
@@ -2507,6 +2507,17 @@ kdb_ldap_create_principal (context, princ, op, pblock)
if (retval) {
goto cleanup;
}
+ /*
+ * There should always be at least one "active" mkey so creating the
+ * KRB5_TL_ACTKVNO entry now so the initial mkey is active.
+ */
+ actkvno.next = NULL;
+ actkvno.act_kvno = kvno;
+ actkvno.act_time = now;
+ retval = krb5_dbe_update_actkvno(context, &entry, &actkvno);
+ if (retval)
+ goto cleanup;
+
break;
case NULL_KEY:
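Review bot: `actkvno` at lines 243-246 is a stack object with `next` NULL and `act_time` taken from the `now` assigned at line 226 of the previous hunk, so this is only correct if krb5_dbe_update_actkvno serialises the node into the entry's tl_data rather than retaining the pointer, and if no path between line 226 and this switch case leaves `now` unset; both look right from the hunks but neither is visible here. A comment at line 243, `/* actkvno is encoded into entry's tl_data by krb5_dbe_update_actkvno and need not outlive this call */`, would record the assumption. `kvno` used at line 244 is declared outside these hunks, and kdb_ldap_create_principal starts and ends outside them.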
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 74bf4b1..802ab0f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -267,6 +267,12 @@ krb5_error_code
krb5_ldap_set_mkey(krb5_context, char *, krb5_keyblock *);
krb5_error_code
+krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list);
+
+krb5_error_code
+krb5_ldap_set_mkey_list(krb5_context, krb5_keylist_node *);
+
+krb5_error_code
krb5_ldap_create(krb5_context , char *, char **);
krb5_error_code
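Review bot: The two new prototypes at lines 259 and 262 are written in different styles: krb5_ldap_get_mkey_list names its parameters and puts a space before `(`, while krb5_ldap_set_mkey_list names none, copying the older krb5_ldap_set_mkey line above. Keep parameter names in both, `krb5_ldap_set_mkey_list(krb5_context context, krb5_keylist_node *key_list);`, since the names are what tell a reader of the header what the list argument is, and drop the extra space at line 259.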
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c
index d4c6ac8..f8e1d44 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c
@@ -148,6 +148,51 @@ krb5_dbe_lookup_last_pwd_change(context, entry, stamp)
return(0);
}
+#if 0 /************** Begin IFDEF'ed OUT *******************************/
+krb5_error_code
+krb5_dbe_lookup_mkvno(krb5_context context,
+ krb5_db_entry *entry,
+ krb5_kvno *mkvno)
+{
+ krb5_tl_data tl_data;
+ krb5_error_code code;
+ krb5_int16 tmp;
+
+ tl_data.tl_data_type = KRB5_TL_MKVNO;
+
+ if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data)))
+ return (code);
+
+ /* XXX need to think about this */
+ if (tl_data.tl_data_length != 2) {
+ *mkvno = 0;
+ return (0);
+ }
+
+ /* XXX this needs to be the inverse of how this is encoded */
+ krb5_kdb_decode_int16(tl_data.tl_data_contents, tmp);
+
+ *mkvno = (krb5_kvno) tmp;
+
+ return (0);
+}
+
+krb5_error_code
+krb5_dbe_update_mkvno(krb5_context context,
+ krb5_db_entry * entry,
+ krb5_kvno mkvno)
+{
+ krb5_tl_data tl_data;
+ krb5_octet buf[2]; /* this is the encoded size of an int16 */
+
+ tl_data.tl_data_type = KRB5_TL_MKVNO;
+ tl_data.tl_data_length = sizeof(buf);
+ krb5_kdb_encode_int16((krb5_int16) mkvno, buf);
+ tl_data.tl_data_contents = buf;
+
+ return (krb5_dbe_update_tl_data(context, entry, &tl_data));
+}
+#endif /**************** END IFDEF'ed OUT *******************************/
/* it seems odd that there's no function to remove a tl_data, but if
I need one, I'll add one */
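Review bot: The lines between `#if 0` at 274 and `#endif` at 318 are dead code committed into kdb_xdr.c: krb5_dbe_lookup_mkvno and krb5_dbe_update_mkvno are called live from ldap_misc.c (line 386) and ldap_principal2.c (line 436), so working definitions must exist elsewhere, and a disabled copy here will silently diverge from them. Remove the block rather than ifdef it out; if it must stay as a reference, say so at line 274, `/* Disabled: the live definitions are in <location>; this copy is kept only until <condition>. */`. The `/* XXX need to think about this */` at line 289 is also worth resolving, because a KRB5_TL_MKVNO entry of unexpected length is mapped to mkvno 0 there, and ldap_misc.c line 385 treats 0 as "no master key version recorded".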
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c
index 9a36419..6da0806 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c
@@ -98,3 +98,45 @@ krb5_ldap_set_mkey (context, pwd, key)
memcpy(r_params->mkey.contents, key->contents, key->length);
return 0;
}
+
+krb5_error_code
+krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list)
+
+{
+ kdb5_dal_handle *dal_handle=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+
+ /* Clear the global error string */
+ krb5_clear_error_message(context);
+
+ dal_handle = context->dal_handle;
+ ldap_context = (krb5_ldap_context *) dal_handle->db_context;
+
+ if (ldap_context == NULL || ldap_context->lrparams == NULL)
+ return KRB5_KDB_DBNOTINITED;
+
+ *key_list = ldap_context->lrparams->mkey_list;
+ return 0;
+}
+
+krb5_error_code
+krb5_ldap_set_mkey_list(krb5_context context, krb5_keylist_node *key_list)
+{
+ kdb5_dal_handle *dal_handle=NULL;
+ krb5_ldap_context *ldap_context=NULL;
+ krb5_ldap_realm_params *r_params = NULL;
+
+ /* Clear the global error string */
+ krb5_clear_error_message(context);
+
+ dal_handle = context->dal_handle;
+ ldap_context = (krb5_ldap_context *) dal_handle->db_context;
+
+ if (ldap_context == NULL || ldap_context->lrparams == NULL)
+ return KRB5_KDB_DBNOTINITED;
+
+ r_params = ldap_context->lrparams;
+ r_params->mkey_list = key_list;
+ return 0;
+}
+
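Review bot: Both krb5_ldap_get_mkey_list (line 340) and krb5_ldap_set_mkey_list (line 360) dereference `dal_handle` straight after reading it from context->dal_handle, while the NULL guard at lines 343 and 363 covers only ldap_context and lrparams; if dal_handle can be NULL before the database is opened (the `=NULL` initialisers at 334 and 353 suggest the authors considered it), the guard belongs one line earlier: `if (dal_handle == NULL) return KRB5_KDB_DBNOTINITED;`. krb5_ldap_set_mkey_list also retains the caller's pointer by reference at line 367, whereas krb5_ldap_set_mkey just above copies the key contents at line 326, so a comment above line 350 should say the list is not copied and must outlive lrparams. Minor style: the stray blank line between the signature and `{` at line 332 and the trailing blank line at 370.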
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 79ca634..f0734de 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -2059,9 +2059,16 @@ populate_krb5_db_entry (krb5_context context,
/* KRBSECRETKEY */
if ((bvalues=ldap_get_values_len(ld, ent, "krbprincipalkey")) != NULL) {
+ krb5_kvno mkvno = 0;
+
mask |= KDB_SECRET_KEY_ATTR;
- if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data)) != 0)
+ if ((st=krb5_decode_krbsecretkey(context, entry, bvalues, &userinfo_tl_data, &mkvno)) != 0)
goto cleanup;
+ if (mkvno != 0) {
+ /* don't add the tl data if mkvno == 0 */
+ if ((st=krb5_dbe_update_mkvno(context, entry, mkvno)) != 0)
+ goto cleanup;
+ }
}
/* LAST PASSWORD CHANGE */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
index 18e2acc..502e71c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
@@ -112,7 +112,7 @@ krb5_ldap_parse_principal_name(char *, char **);
krb5_error_code
krb5_decode_krbsecretkey(krb5_context, krb5_db_entry *, struct berval **,
- krb5_tl_data *);
+ krb5_tl_data *, krb5_kvno *);
krb5_error_code
berval2tl_data(struct berval *in, krb5_tl_data **out);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 561a65d..e52a618 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -345,7 +345,7 @@ asn1_encode_sequence_of_keys (krb5_key_data *key_data, krb5_int16 n_key_data,
static krb5_error_code
asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out,
- krb5_int16 *n_key_data, int *mkvno)
+ krb5_int16 *n_key_data, krb5_kvno *mkvno)
{
krb5_error_code err;
ldap_seqof_key_data *p;
@@ -371,7 +371,7 @@ asn1_decode_sequence_of_keys (krb5_data *in, krb5_key_data **out,
/* Decoding ASN.1 encoded key */
static struct berval **
-krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) {
+krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data, krb5_kvno mkvno) {
struct berval **ret = NULL;
int currkvno;
int num_versions = 1;
@@ -396,7 +396,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data) {
if (i == n_key_data - 1 || key_data[i + 1].key_data_kvno != currkvno) {
asn1_encode_sequence_of_keys (key_data+last,
(krb5_int16) i - last + 1,
- 0, /* For now, mkvno == 0*/
+ mkvno,
&code);
ret[j] = malloc (sizeof (struct berval));
if (ret[j] == NULL) {
@@ -927,8 +927,12 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
}
if (entries->mask & KADM5_KEY_DATA || entries->mask & KADM5_KVNO) {
+ krb5_kvno mkvno;
+
+ if ((st=krb5_dbe_lookup_mkvno(context, entries, &mkvno)) != 0)
+ goto cleanup;
bersecretkey = krb5_encode_krbsecretkey (entries->key_data,
- entries->n_key_data);
+ entries->n_key_data, mkvno);
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
@@ -1220,11 +1224,12 @@ cleanup:
}
krb5_error_code
-krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data)
+krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data, mkvno)
krb5_context context;
krb5_db_entry *entries;
struct berval **bvalues;
krb5_tl_data *userinfo_tl_data;
+ krb5_kvno *mkvno;
{
char *user=NULL;
int i=0, j=0, noofkeys=0;
@@ -1235,7 +1240,6 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data)
goto cleanup;
for (i=0; bvalues[i] != NULL; ++i) {
- int mkvno; /* Not used currently */
krb5_int16 n_kd;
krb5_key_data *kd;
krb5_data in;
@@ -1248,7 +1252,7 @@ krb5_decode_krbsecretkey(context, entries, bvalues, userinfo_tl_data)
st = asn1_decode_sequence_of_keys (&in,
&kd,
&n_kd,
- &mkvno);
+ mkvno);
if (st != 0) {
const char *msg = error_message(st);
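Review bot: `mkvno` is written once per berval by the call at lines 464-468 inside the loop at line 458, so when a principal's krbprincipalkey holds several key sequences only the last sequence's master-key version reaches populate_krb5_db_entry in ldap_misc.c (lines 378-388), where it is recorded for the whole entry. If sequences of one principal can be encrypted under different master keys, which the migration this commit introduces may produce between rekeying one kvno and the next, the earlier values are dropped silently. Either decode into a local and compare it with the value from the previous sequence, returning an error on mismatch, or add at line 452 a comment stating that all key sequences of an entry are assumed to share one mkvno. krb5_decode_krbsecretkey's body continues outside this hunk.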
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
index ffe6c36..db17509 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h
@@ -68,6 +68,7 @@ typedef struct _krb5_ldap_realm_params {
char **passwdservers;
krb5_tl_data *tl_data;
krb5_keyblock mkey;
+ krb5_keylist_node *mkey_list; /* all master keys in use for the realm */
long mask;
} krb5_ldap_realm_params;