diff options
author | Will Fiveash <will.fiveash@oracle.com> | 2009-01-13 01:17:16 +0000 |
---|---|---|
committer | Will Fiveash <will.fiveash@oracle.com> | 2009-01-13 01:17:16 +0000 |
commit | ec9ade5c57cc9275dc103a52d3483fc5fbc6d52e (patch) | |
tree | 6cf5e8bc598099261c9a2385b4423535348b3521 /src | |
parent | 9002edc53df996fd9ab740e6652b8eadf31b8cb3 (diff) | |
download | krb5-ec9ade5c57cc9275dc103a52d3483fc5fbc6d52e.zip krb5-ec9ade5c57cc9275dc103a52d3483fc5fbc6d52e.tar.gz krb5-ec9ade5c57cc9275dc103a52d3483fc5fbc6d52e.tar.bz2 |
Added kdb5_util list_mkeys command, cleaned up some code formatting
(removed hard tabs), added logic to add default actkvno tl_data when
creating a new mkey princ.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21739 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r-- | src/include/kdb.h | 47 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 8 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_create.c | 16 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_mkey.c | 656 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_util.c | 3 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_util.h | 1 | ||||
-rw-r--r-- | src/kadmin/server/ovsec_kadmd.c | 2 | ||||
-rw-r--r-- | src/kdc/extern.h | 2 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_kdb.c | 2 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 18 | ||||
-rw-r--r-- | src/lib/kdb/kdb5.c | 465 | ||||
-rw-r--r-- | src/lib/kdb/kdb_default.c | 18 | ||||
-rw-r--r-- | src/lib/kdb/keytab.c | 2 | ||||
-rw-r--r-- | src/lib/kdb/libkdb5.exports | 4 | ||||
-rw-r--r-- | src/lib/krb5/libkrb5.exports | 1 | ||||
-rw-r--r-- | src/plugins/kdb/db2/db2_exp.c | 8 | ||||
-rw-r--r-- | src/plugins/kdb/db2/kdb_db2.c | 4 | ||||
-rw-r--r-- | src/plugins/kdb/db2/kdb_db2.h | 6 |
18 files changed, 710 insertions, 553 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h index a95676b..f8ebc4a 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -183,33 +183,15 @@ typedef struct __krb5_key_salt_tuple { /* version number for KRB5_TL_MKEY_AUX data */ #define KRB5_TL_MKEY_AUX_VER_1 1 -/* XXX WAF: the indef. struct typedefs below may not be needed so ifdef'ing them - * out for now */ -/* - * Doing this because it this struct should be defined in k5-int.h but this - * header file can't include that one. - */ -#if 0 /************** Begin IFDEF'ed OUT *******************************/ -#ifndef _KRB5_INT_H -struct _krb5_actkvno_node; -typedef struct _krb5_actkvno_node krb5_actkvno_node; -struct _krb5_mkey_aux_node; -typedef struct _krb5_mkey_aux_node krb5_mkey_aux_node; -#endif -#endif /**************** END IFDEF'ed OUT *******************************/ - typedef struct _krb5_actkvno_node { struct _krb5_actkvno_node *next; - krb5_kvno act_kvno; + krb5_kvno act_kvno; krb5_timestamp act_time; } krb5_actkvno_node; typedef struct _krb5_mkey_aux_node { struct _krb5_mkey_aux_node *next; - krb5_kvno mkey_kvno; /* kvno of mkey protecting the latest_mkey */ - /* XXX WAF: maybe krb5_data isn't adequate, the kvno and enctype is needed I - * think. Perhaps krb5_key_data should be used? - */ + krb5_kvno mkey_kvno; /* kvno of mkey protecting the latest_mkey */ krb5_key_data latest_mkey; /* most recent mkey */ } krb5_mkey_aux_node; @@ -317,10 +299,10 @@ krb5_error_code krb5_db_get_mkey ( krb5_context kcontext, krb5_keyblock **key ); krb5_error_code krb5_db_set_mkey_list( krb5_context context, - krb5_keyblock_node * keylist); + krb5_keylist_node * keylist); krb5_error_code krb5_db_get_mkey_list( krb5_context kcontext, - krb5_keyblock_node ** keylist); + krb5_keylist_node ** keylist); krb5_error_code krb5_db_free_master_key ( krb5_context kcontext, krb5_keyblock *key ); @@ -348,11 +330,11 @@ krb5_db_fetch_mkey_list( krb5_context context, krb5_principal mname, const krb5_keyblock * mkey, krb5_kvno mkvno, - krb5_keyblock_node **mkeys_list ); + krb5_keylist_node **mkeys_list ); krb5_error_code krb5_db_free_mkey_list( krb5_context context, - krb5_keyblock_node *mkey_list ); + krb5_keylist_node *mkey_list ); krb5_error_code krb5_dbe_find_enctype( krb5_context kcontext, @@ -400,13 +382,14 @@ krb5_dbe_fetch_act_mkey_list(krb5_context context, krb5_error_code krb5_dbe_find_act_mkey( krb5_context context, - krb5_keyblock_node * mkey_list, + krb5_keylist_node * mkey_list, krb5_actkvno_node * act_mkey_list, + krb5_kvno * act_kvno, krb5_keyblock ** act_mkey); krb5_error_code krb5_dbe_find_mkey( krb5_context context, - krb5_keyblock_node * mkey_list, + krb5_keylist_node * mkey_list, krb5_db_entry * entry, krb5_keyblock ** mkey); @@ -570,20 +553,20 @@ krb5_def_fetch_mkey_list( krb5_context context, krb5_principal mprinc, const krb5_keyblock *mkey, krb5_kvno mkvno, - krb5_keyblock_node **mkeys_list); + krb5_keylist_node **mkeys_list); krb5_error_code kdb_def_set_mkey ( krb5_context kcontext, char *pwd, krb5_keyblock *key ); krb5_error_code kdb_def_set_mkey_list ( krb5_context kcontext, - krb5_keyblock_node *keylist ); + krb5_keylist_node *keylist ); krb5_error_code kdb_def_get_mkey ( krb5_context kcontext, krb5_keyblock **key ); krb5_error_code kdb_def_get_mkey_list ( krb5_context kcontext, - krb5_keyblock_node **keylist ); + krb5_keylist_node **keylist ); krb5_error_code krb5_dbe_def_cpw( krb5_context context, @@ -791,10 +774,10 @@ typedef struct _kdb_vftabl { krb5_keyblock **key); krb5_error_code (*set_master_key_list) ( krb5_context kcontext, - krb5_keyblock_node *keylist); + krb5_keylist_node *keylist); krb5_error_code (*get_master_key_list) ( krb5_context kcontext, - krb5_keyblock_node **keylist); + krb5_keylist_node **keylist); krb5_error_code (*setup_master_key_name) ( krb5_context kcontext, char *keyname, @@ -824,7 +807,7 @@ typedef struct _kdb_vftabl { krb5_principal mname, const krb5_keyblock *key, krb5_kvno kvno, - krb5_keyblock_node **mkeys_list); + krb5_keylist_node **mkeys_list); krb5_error_code (*dbe_search_enctype) ( krb5_context kcontext, krb5_db_entry *dbentp, diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 913cc55..d50457c 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -349,10 +349,10 @@ typedef struct _krb5_keyblock { } krb5_keyblock; typedef struct _krb5_keylist_node { - krb5_keyblock keyblock; - krb5_kvno kvno; - struct _krb5_keylist_node *next; - } krb5_keyblock_node; + krb5_keyblock keyblock; + krb5_kvno kvno; + struct _krb5_keylist_node *next; +} krb5_keylist_node; #ifdef KRB5_OLD_CRYPTO typedef struct _krb5_encrypt_block { diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c index 5d7e0eb..9448a35 100644 --- a/src/kadmin/dbutil/kdb5_create.c +++ b/src/kadmin/dbutil/kdb5_create.c @@ -319,6 +319,9 @@ master key name '%s'\n", com_err(progname, retval, "while adding entries to the database"); exit_status++; return; } + + + /* * Always stash the master key so kadm5_create does not prompt for * it; delete the file below if it was not requested. DO NOT EXIT @@ -418,11 +421,10 @@ add_principal(context, princ, op, pblock) krb5_error_code retval; krb5_db_entry entry; krb5_kvno mkey_kvno; - krb5_timestamp now; struct iterate_args iargs; - int nentries = 1; + krb5_actkvno_node actkvno; memset((char *) &entry, 0, sizeof(entry)); @@ -459,6 +461,16 @@ add_principal(context, princ, op, pblock) &master_keyblock, NULL, mkey_kvno, entry.key_data))) return retval; + /* + * There should always be at least one "active" mkey so creating the + * KRB5_TL_ACTKVNO entry now so the initial mkey is active. + */ + actkvno.next = NULL; + actkvno.act_kvno = mkey_kvno; + actkvno.act_time = now; + if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno))) + return retval; + break; case TGT_KEY: iargs.ctx = context; diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index 679c8b7..2d48966 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c @@ -14,6 +14,7 @@ extern krb5_keyblock master_keyblock; /* current mkey */ extern krb5_principal master_princ; +extern krb5_keylist_node *master_keylist; extern krb5_data master_salt; extern char *mkey_password; extern char *progname; @@ -37,24 +38,24 @@ void kdb5_add_mkey(int argc, char *argv[]) { int optchar; - krb5_error_code retval; - char *mkey_fullname; - char *pw_str = 0; - unsigned int pw_size = 0; - int do_stash = 0, nentries = 0; - int old_key_data_count, i, j; - krb5_boolean more = 0; - krb5_data pwd; - krb5_kvno old_kvno, new_mkey_kvno; - krb5_keyblock new_master_keyblock; - krb5_keyblock plainkey; - krb5_key_data tmp_key_data, *old_key_data, *key_data; - krb5_enctype new_master_enctype = DEFAULT_KDC_ENCTYPE; - char *new_mkey_password; - krb5_db_entry master_entry; - krb5_timestamp now; + krb5_error_code retval; + char *mkey_fullname; + char *pw_str = 0; + unsigned int pw_size = 0; + int do_stash = 0, nentries = 0; + int old_key_data_count, i, j; + krb5_boolean more = 0; + krb5_data pwd; + krb5_kvno old_kvno, new_mkey_kvno; + krb5_keyblock new_master_keyblock; + krb5_keyblock plainkey; + krb5_key_data tmp_key_data, *old_key_data, *key_data; + krb5_enctype new_master_enctype = DEFAULT_KDC_ENCTYPE; + char *new_mkey_password; + krb5_db_entry master_entry; + krb5_timestamp now; krb5_mkey_aux_node *mkey_aux_data_head, **mkey_aux_data, - *cur_mkey_aux_data, *next_mkey_aux_data; + *cur_mkey_aux_data, *next_mkey_aux_data; /* * The command table entry for this command causes open_db_and_mkey() to be @@ -62,44 +63,45 @@ kdb5_add_mkey(int argc, char *argv[]) */ while ((optchar = getopt(argc, argv, "k:s")) != -1) { - switch(optchar) { - case 'k': - if (krb5_string_to_enctype(optarg, &new_master_enctype)) { - com_err(progname, EINVAL, ": %s is an invalid enctype", optarg); - exit_status++; - return; - } - break; - case 's': - do_stash++; - break; - case '?': - default: - usage(); - return; - } - } - + switch(optchar) { + case 'k': + if (krb5_string_to_enctype(optarg, &new_master_enctype)) { + com_err(progname, EINVAL, ": %s is an invalid enctype", optarg); + exit_status++; + return; + } + break; + case 's': + do_stash++; + break; + case '?': + default: + usage(); + return; + } + } + /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, - global_params.mkey_name, - global_params.realm, - &mkey_fullname, &master_princ))) { - com_err(progname, retval, "while setting up master key name"); - exit_status++; - return; + global_params.mkey_name, + global_params.realm, + &mkey_fullname, &master_princ))) { + com_err(progname, retval, "while setting up master key name"); + exit_status++; + return; } - retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries, - &more); + retval = krb5_db_get_principal(util_context, master_princ, &master_entry, + &nentries, + &more); if (retval != 0) { - com_err(progname, retval, "while setting up master key name"); - exit_status++; - return; + com_err(progname, retval, "while setting up master key name"); + exit_status++; + return; } printf("Creating new master key for master key principal '%s'\n", - mkey_fullname); + mkey_fullname); printf("You will be prompted for a new database Master Password.\n"); printf("It is important that you NOT FORGET this password.\n"); @@ -108,17 +110,17 @@ kdb5_add_mkey(int argc, char *argv[]) pw_size = 1024; pw_str = malloc(pw_size); if (pw_str == NULL) { - com_err(progname, ENOMEM, "while creating new master key"); - exit_status++; - return; + com_err(progname, ENOMEM, "while creating new master key"); + exit_status++; + return; } - + retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, - pw_str, &pw_size); + pw_str, &pw_size); if (retval) { - com_err(progname, retval, "while reading new master key from keyboard"); - exit_status++; - return; + com_err(progname, retval, "while reading new master key from keyboard"); + exit_status++; + return; } new_mkey_password = pw_str; @@ -126,22 +128,22 @@ kdb5_add_mkey(int argc, char *argv[]) pwd.length = strlen(new_mkey_password); retval = krb5_principal2salt(util_context, master_princ, &master_salt); if (retval) { - com_err(progname, retval, "while calculating master key salt"); - exit_status++; - return; + com_err(progname, retval, "while calculating master key salt"); + exit_status++; + return; } retval = krb5_c_string_to_key(util_context, new_master_enctype, - &pwd, &master_salt, &new_master_keyblock); + &pwd, &master_salt, &new_master_keyblock); if (retval) { - com_err(progname, retval, "while transforming master key from password"); - exit_status++; - return; + com_err(progname, retval, "while transforming master key from password"); + exit_status++; + return; } /* First save the old keydata */ old_kvno = get_key_data_kvno(util_context, master_entry.n_key_data, - master_entry.key_data); + master_entry.key_data); old_key_data_count = master_entry.n_key_data; old_key_data = master_entry.key_data; @@ -151,11 +153,12 @@ kdb5_add_mkey(int argc, char *argv[]) * krb5_key_data key_data_contents is a pointer to this key. Using some * logic from master_key_convert(). */ - master_entry.key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * (old_key_data_count + 1)); + master_entry.key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * + (old_key_data_count + 1)); if (master_entry.key_data == NULL) { - com_err(progname, ENOMEM, "while adding new master key"); - exit_status++; - return; + com_err(progname, ENOMEM, "while adding new master key"); + exit_status++; + return; } memset((char *) master_entry.key_data, 0, sizeof(krb5_key_data) * (old_key_data_count + 1)); master_entry.n_key_data = old_key_data_count + 1; @@ -163,16 +166,17 @@ kdb5_add_mkey(int argc, char *argv[]) new_mkey_kvno = old_kvno + 1; /* deal with wrapping? */ if (new_mkey_kvno == 0) - new_mkey_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */ + new_mkey_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */ /* Note, mkey does not have salt */ /* add new mkey encrypted with itself to mkey princ entry */ if ((retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock, - &new_master_keyblock, NULL, - (int) new_mkey_kvno, master_entry.key_data))) { - com_err(progname, retval, "while creating new master key"); - exit_status++; - return; + &new_master_keyblock, NULL, + (int) new_mkey_kvno, + master_entry.key_data))) { + com_err(progname, retval, "while creating new master key"); + exit_status++; + return; } /* @@ -186,117 +190,118 @@ kdb5_add_mkey(int argc, char *argv[]) */ mkey_aux_data_head = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node)); if (mkey_aux_data_head == NULL) { - com_err(progname, ENOMEM, "while creating mkey_aux_data"); - exit_status++; - return; + com_err(progname, ENOMEM, "while creating mkey_aux_data"); + exit_status++; + return; } memset(mkey_aux_data_head, 0, sizeof(krb5_mkey_aux_node)); mkey_aux_data = &mkey_aux_data_head; for (i = 0; i < old_key_data_count; i++) { - key_data = &old_key_data[i]; - - retval = krb5_dbekd_decrypt_key_data(util_context, &master_keyblock, - key_data, &plainkey, NULL); - if (retval) { - com_err(progname, retval, "while decrypting master keys"); - exit_status++; - return; - } - - /* - * Create a list of krb5_mkey_aux_node nodes. One node contains the new - * mkey encrypted by an old mkey and the old mkey's kvno (one node per - * old mkey). - */ - - if (*mkey_aux_data == NULL) { - /* *mkey_aux_data points to next field of previous node */ - *mkey_aux_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node)); - if (mkey_aux_data == NULL) { - com_err(progname, ENOMEM, "while creating mkey_aux_data"); - exit_status++; - return; - } - memset(*mkey_aux_data, 0, sizeof(krb5_mkey_aux_node)); - } - - /* encrypt the new mkey with the older mkey */ - retval = krb5_dbekd_encrypt_key_data(util_context, &plainkey, - &new_master_keyblock, - NULL, /* no keysalt */ - (int) key_data->key_data_kvno, - &tmp_key_data); - if (retval) { - com_err(progname, retval, "while encrypting master keys"); - exit_status++; - return; - } - - (*mkey_aux_data)->latest_mkey = tmp_key_data; - (*mkey_aux_data)->mkey_kvno = key_data->key_data_kvno; - - mkey_aux_data = &((*mkey_aux_data)->next); - - /* Store old key in master_entry keydata, + 1 to skip the first key_data entry */ - retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock, - &plainkey, NULL, /* no keysalt */ - (int) key_data->key_data_kvno, - &master_entry.key_data[i+1]); - if (retval) { - com_err(progname, retval, "while encrypting master keys"); - exit_status++; - return; - } - - /* free plain text key and old key data entry */ - krb5_free_keyblock_contents(util_context, &plainkey); - for (j = 0; j < key_data->key_data_ver; j++) { - if (key_data->key_data_length[j]) { - /* the key_data contents are encrypted so no clearing first */ - free(key_data->key_data_contents[j]); - } - } + key_data = &old_key_data[i]; + + retval = krb5_dbekd_decrypt_key_data(util_context, &master_keyblock, + key_data, &plainkey, NULL); + if (retval) { + com_err(progname, retval, "while decrypting master keys"); + exit_status++; + return; + } + + /* + * Create a list of krb5_mkey_aux_node nodes. One node contains the new + * mkey encrypted by an old mkey and the old mkey's kvno (one node per + * old mkey). + */ + + if (*mkey_aux_data == NULL) { + /* *mkey_aux_data points to next field of previous node */ + *mkey_aux_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node)); + if (mkey_aux_data == NULL) { + com_err(progname, ENOMEM, "while creating mkey_aux_data"); + exit_status++; + return; + } + memset(*mkey_aux_data, 0, sizeof(krb5_mkey_aux_node)); + } + + /* encrypt the new mkey with the older mkey */ + retval = krb5_dbekd_encrypt_key_data(util_context, &plainkey, + &new_master_keyblock, + NULL, /* no keysalt */ + (int) key_data->key_data_kvno, + &tmp_key_data); + if (retval) { + com_err(progname, retval, "while encrypting master keys"); + exit_status++; + return; + } + + (*mkey_aux_data)->latest_mkey = tmp_key_data; + (*mkey_aux_data)->mkey_kvno = key_data->key_data_kvno; + + mkey_aux_data = &((*mkey_aux_data)->next); + + /* Store old key in master_entry keydata, + 1 to skip the first key_data entry */ + retval = krb5_dbekd_encrypt_key_data(util_context, &new_master_keyblock, + &plainkey, + NULL, /* no keysalt */ + (int) key_data->key_data_kvno, + &master_entry.key_data[i+1]); + if (retval) { + com_err(progname, retval, "while encrypting master keys"); + exit_status++; + return; + } + + /* free plain text key and old key data entry */ + krb5_free_keyblock_contents(util_context, &plainkey); + for (j = 0; j < key_data->key_data_ver; j++) { + if (key_data->key_data_length[j]) { + /* the key_data contents are encrypted so no clearing first */ + free(key_data->key_data_contents[j]); + } + } } if ((retval = krb5_dbe_update_mkey_aux(util_context, &master_entry, - mkey_aux_data_head))) { - com_err(progname, retval, "while updating mkey aux data"); - exit_status++; - return; + mkey_aux_data_head))) { + com_err(progname, retval, "while updating mkey aux data"); + exit_status++; + return; } if ((retval = krb5_timeofday(util_context, &now))) { - com_err(progname, retval, "while getting current time"); - exit_status++; - return; + com_err(progname, retval, "while getting current time"); + exit_status++; + return; } if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry, - now, master_princ))) { - com_err(progname, retval, "while updating the master key principal modification time"); - exit_status++; - return; + now, master_princ))) { + com_err(progname, retval, "while updating the master key principal modification time"); + exit_status++; + return; } if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) { - (void) krb5_db_fini(util_context); - com_err(progname, retval, "while adding master key entry to the database"); - exit_status++; - return; + (void) krb5_db_fini(util_context); + com_err(progname, retval, "while adding master key entry to the database"); + exit_status++; + return; } if (do_stash) { - retval = krb5_db_store_master_key(util_context, - global_params.stash_file, - master_princ, - new_mkey_kvno, - &new_master_keyblock, - mkey_password); - if (retval) { - com_err(progname, errno, "while storing key"); - printf("Warning: couldn't stash master key.\n"); - } + retval = krb5_db_store_master_key(util_context, + global_params.stash_file, + master_princ, + new_mkey_kvno, + &new_master_keyblock, + mkey_password); + if (retval) { + com_err(progname, errno, "while storing key"); + printf("Warning: couldn't stash master key.\n"); + } } /* clean up */ (void) krb5_db_fini(util_context); @@ -305,17 +310,17 @@ kdb5_add_mkey(int argc, char *argv[]) memset((char *)new_master_keyblock.contents, 0, new_master_keyblock.length); free(new_master_keyblock.contents); if (pw_str) { - memset(pw_str, 0, pw_size); - free(pw_str); + memset(pw_str, 0, pw_size); + free(pw_str); } free(master_salt.data); free(mkey_fullname); for (cur_mkey_aux_data = mkey_aux_data_head; cur_mkey_aux_data != NULL; - cur_mkey_aux_data = next_mkey_aux_data) { + cur_mkey_aux_data = next_mkey_aux_data) { - next_mkey_aux_data = cur_mkey_aux_data->next; - krb5_free_key_data_contents(util_context, &(cur_mkey_aux_data->latest_mkey)); - free(cur_mkey_aux_data); + next_mkey_aux_data = cur_mkey_aux_data->next; + krb5_free_key_data_contents(util_context, &(cur_mkey_aux_data->latest_mkey)); + free(cur_mkey_aux_data); } return; } @@ -323,37 +328,38 @@ kdb5_add_mkey(int argc, char *argv[]) void kdb5_use_mkey(int argc, char *argv[]) { - krb5_error_code retval; - char *mkey_fullname; - krb5_kvno use_kvno; - krb5_timestamp now, start_time; - krb5_actkvno_node *actkvno_list, *new_actkvno_list_head, *new_actkvno, *prev_actkvno, *cur_actkvno; - krb5_db_entry master_entry; - int nentries = 0; - krb5_boolean more = 0; + krb5_error_code retval; + char *mkey_fullname; + krb5_kvno use_kvno; + krb5_timestamp now, start_time; + krb5_actkvno_node *actkvno_list, *new_actkvno_list_head, *new_actkvno, + *prev_actkvno, *cur_actkvno; + krb5_db_entry master_entry; + int nentries = 0; + krb5_boolean more = 0; if (argc < 1 || argc > 2) { - /* usage calls exit */ - usage(); + /* usage calls exit */ + usage(); } use_kvno = (int) strtol(argv[0], (char **)NULL, 10); if (use_kvno == 0) { - com_err(progname, EINVAL, ": 0 is an invalid KVNO value."); - exit_status++; - return; + com_err(progname, EINVAL, ": 0 is an invalid KVNO value."); + exit_status++; + return; } if ((retval = krb5_timeofday(util_context, &now))) { - com_err(progname, retval, "while getting current time."); - exit_status++; - return; + com_err(progname, retval, "while getting current time."); + exit_status++; + return; } if (argc == 2) { - start_time = (krb5_timestamp) get_date(argv[0]); + start_time = (krb5_timestamp) get_date(argv[0]); } else { - start_time = now; + start_time = now; } /* @@ -369,29 +375,29 @@ kdb5_use_mkey(int argc, char *argv[]) /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, - global_params.mkey_name, - global_params.realm, - &mkey_fullname, &master_princ))) { - com_err(progname, retval, "while setting up master key name"); - exit_status++; - return; + global_params.mkey_name, + global_params.realm, + &mkey_fullname, &master_princ))) { + com_err(progname, retval, "while setting up master key name"); + exit_status++; + return; } retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries, - &more); + &more); if (retval != 0) { - com_err(progname, retval, "while setting up master key name"); - exit_status++; - return; + com_err(progname, retval, "while setting up master key name"); + exit_status++; + return; } /* XXX WAF: verify that the provided kvno is valid */ retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list); if (retval != 0) { - com_err(progname, retval, "while setting up master key name"); - exit_status++; - return; + com_err(progname, retval, "while setting up master key name"); + exit_status++; + return; } /* @@ -401,82 +407,88 @@ kdb5_use_mkey(int argc, char *argv[]) /* alloc enough space to hold new and existing key_data */ new_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node)); if (new_actkvno == NULL) { - com_err(progname, ENOMEM, "while adding new master key"); - exit_status++; - return; + com_err(progname, ENOMEM, "while adding new master key"); + exit_status++; + return; } new_actkvno->act_kvno = use_kvno; new_actkvno->act_time = start_time; if (actkvno_list == NULL || new_actkvno->act_time < actkvno_list->act_time) { - /* insert new actkvno at head of list and link rest following */ - new_actkvno->next = actkvno_list; - new_actkvno_list_head = new_actkvno; + /* insert new actkvno at head of list and link rest following */ + new_actkvno->next = actkvno_list; + new_actkvno_list_head = new_actkvno; } else { - for (new_actkvno_list_head = prev_actkvno = cur_actkvno = actkvno_list; cur_actkvno != NULL; - prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) { - - if (cur_actkvno->act_time <= now) { - if (new_actkvno->act_time < cur_actkvno->act_time) { - /* - * This is a problem as the new actkvno would be skipped and - * not added to the entries for the mkey princ. - */ - com_err(progname, EINVAL, - "Activation time %s is less than a existing currently active kvno %d (activation time %s)", - strdate(new_actkvno->act_time), cur_actkvno->act_kvno, strdate(cur_actkvno->act_time)); - exit_status++; - return; - } - /* - * New list head should point to the most current valid node in - * order to trim out of date entries. - */ - new_actkvno_list_head = cur_actkvno; - } - - if (new_actkvno->act_time < cur_actkvno->act_time) { - if (new_actkvno_list_head == cur_actkvno) { - /* - * XXX WAF: trying to minimize race condition issue here, - * maybe there is a better way to do this? - */ - com_err(progname, EINVAL, - "Activation time %s is less than an existing currently active kvno %d (activation time %s)", - strdate(new_actkvno->act_time), cur_actkvno->act_kvno, strdate(cur_actkvno->act_time)); - exit_status++; - return; - } - prev_actkvno->next = new_actkvno; - new_actkvno->next = cur_actkvno; - break; - } else if (cur_actkvno->next == NULL) { - /* end of line, just add new node to end of list */ - cur_actkvno->next = new_actkvno; - break; - } - } /* end for (new_actkvno_list_head = prev_actkvno = cur_actkvno = actkvno_list */ - } - - if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry, new_actkvno_list_head))) { - com_err(progname, retval, "while updating actkvno data for master principal entry."); - exit_status++; - return; + for (new_actkvno_list_head = prev_actkvno = cur_actkvno = actkvno_list; + cur_actkvno != NULL; + prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) { + + if (cur_actkvno->act_time <= now) { + if (new_actkvno->act_time < cur_actkvno->act_time) { + /* + * This is a problem as the new actkvno would be skipped and + * not added to the entries for the mkey princ. + */ + com_err(progname, EINVAL, + "Activation time %s is less than a existing currently " + "active kvno %d (activation time %s)", + strdate(new_actkvno->act_time), cur_actkvno->act_kvno, + strdate(cur_actkvno->act_time)); + exit_status++; + return; + } + /* + * New list head should point to the most current valid node in + * order to trim out of date entries. + */ + new_actkvno_list_head = cur_actkvno; + } + + if (new_actkvno->act_time < cur_actkvno->act_time) { + if (new_actkvno_list_head == cur_actkvno) { + /* + * XXX WAF: trying to minimize race condition issue here, + * maybe there is a better way to do this? + */ + com_err(progname, EINVAL, + "Activation time %s is less than an existing currently " + "active kvno %d (activation time %s)", + strdate(new_actkvno->act_time), cur_actkvno->act_kvno, + strdate(cur_actkvno->act_time)); + exit_status++; + return; + } + prev_actkvno->next = new_actkvno; + new_actkvno->next = cur_actkvno; + break; + } else if (cur_actkvno->next == NULL) { + /* end of line, just add new node to end of list */ + cur_actkvno->next = new_actkvno; + break; + } + } /* end for (new_actkvno_list_head = prev_actkvno = ... */ + } + + if ((retval = krb5_dbe_update_actkvno(util_context, &master_entry, + new_actkvno_list_head))) { + com_err(progname, retval, "while updating actkvno data for master principal entry."); + exit_status++; + return; } if ((retval = krb5_dbe_update_mod_princ_data(util_context, &master_entry, - now, master_princ))) { - com_err(progname, retval, "while updating the master key principal modification time"); - exit_status++; - return; + now, master_princ))) { + com_err(progname, retval, "while updating the master key principal modification time"); + exit_status++; + return; } if ((retval = krb5_db_put_principal(util_context, &master_entry, &nentries))) { - (void) krb5_db_fini(util_context); - com_err(progname, retval, "while adding master key entry to the database"); - exit_status++; - return; + (void) krb5_db_fini(util_context); + com_err(progname, retval, "while adding master key entry to the database"); + exit_status++; + return; } /* clean up */ @@ -484,9 +496,119 @@ kdb5_use_mkey(int argc, char *argv[]) free(mkey_fullname); for (cur_actkvno = actkvno_list; cur_actkvno != NULL;) { - prev_actkvno = cur_actkvno; - cur_actkvno = cur_actkvno->next; - free(prev_actkvno); + prev_actkvno = cur_actkvno; + cur_actkvno = cur_actkvno->next; + free(prev_actkvno); + } + return; +} + +void +kdb5_list_mkeys(int argc, char *argv[]) +{ + krb5_error_code retval; + char *mkey_fullname, *output_str = NULL, enctype[BUFSIZ]; + krb5_kvno act_kvno; + krb5_timestamp act_time; + krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno, *prev_actkvno; + krb5_db_entry master_entry; + int nentries = 0; + krb5_boolean more = 0; + krb5_keylist_node *cur_kb_node; + krb5_keyblock *act_mkey; + + /* assemble & parse the master key name */ + if ((retval = krb5_db_setup_mkey_name(util_context, + global_params.mkey_name, + global_params.realm, + &mkey_fullname, &master_princ))) { + com_err(progname, retval, "while setting up master key name"); + exit_status++; + return; + } + + retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries, + &more); + if (retval != 0) { + com_err(progname, retval, "while getting master key principal %s", mkey_fullname); + exit_status++; + return; + } + + retval = krb5_dbe_lookup_actkvno(util_context, &master_entry, &actkvno_list); + if (retval != 0) { + com_err(progname, retval, "while looking up active kvno list"); + exit_status++; + return; + } + /* XXX WAF: debug code, remove before commit */ + if (master_keylist == NULL) { + com_err(progname, retval, "master_keylist == NULL this is a problem"); + exit_status++; + return; + } + + if (actkvno_list == NULL) { + act_kvno = master_entry.key_data[0].key_data_kvno; + } else { + retval = krb5_dbe_find_act_mkey(util_context, master_keylist, + actkvno_list, &act_kvno, &act_mkey); + if (retval != 0) { + com_err(progname, retval, "while setting up master key name"); + exit_status++; + return; + } + } + + printf("Master keys for Principal: %s\n", mkey_fullname); + + for (cur_kb_node = master_keylist; cur_kb_node != NULL; + cur_kb_node = cur_kb_node->next) { + + if (krb5_enctype_to_string(cur_kb_node->keyblock.enctype, + enctype, sizeof(enctype))) { + com_err(progname, retval, "while getting enctype description"); + exit_status++; + return; + } + + if (actkvno_list != NULL) { + for (cur_actkvno = actkvno_list; cur_actkvno != NULL; + cur_actkvno = cur_actkvno->next) { + if (cur_actkvno->act_kvno == cur_kb_node->kvno) { + act_time = cur_actkvno->act_time; + break; + } + } + } else { + /* + * mkey princ doesn't have an active knvo list so assume the current + * key is active now + */ + if ((retval = krb5_timeofday(util_context, &act_time))) { + com_err(progname, retval, "while getting current time"); + exit_status++; + return; + } + } + + if (cur_kb_node->kvno == act_kvno) { + asprintf(&output_str, "KNVO: %d, Enctype: %s, Active on: %s *\n", + cur_kb_node->kvno, enctype, strdate(act_time)); + } else { + asprintf(&output_str, "KNVO: %d, Enctype: %s, Active on: %s\n", + cur_kb_node->kvno, enctype, strdate(act_time)); + } + } + + /* clean up */ + (void) krb5_db_fini(util_context); + free(mkey_fullname); + free(output_str); + for (cur_actkvno = actkvno_list; cur_actkvno != NULL;) { + prev_actkvno = cur_actkvno; + cur_actkvno = cur_actkvno->next; + free(prev_actkvno); } return; } diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c index 1373310..ee6513a 100644 --- a/src/kadmin/dbutil/kdb5_util.c +++ b/src/kadmin/dbutil/kdb5_util.c @@ -96,7 +96,7 @@ void usage() } extern krb5_keyblock master_keyblock; -extern krb5_keyblock_node *master_keylist; +extern krb5_keylist_node *master_keylist; extern krb5_principal master_princ; krb5_db_entry master_entry; int valid_master_key = 0; @@ -124,6 +124,7 @@ struct _cmd_table { {"ark", add_random_key, 1}, {"add_mkey", kdb5_add_mkey, 1}, /* 1 is opendb */ {"use_mkey", kdb5_use_mkey, 1}, /* 1 is opendb */ + {"list_mkeys", kdb5_list_mkeys, 1}, /* 1 is opendb */ {NULL, NULL, 0}, }; diff --git a/src/kadmin/dbutil/kdb5_util.h b/src/kadmin/dbutil/kdb5_util.h index cd0ae25..cc69c90 100644 --- a/src/kadmin/dbutil/kdb5_util.h +++ b/src/kadmin/dbutil/kdb5_util.h @@ -82,6 +82,7 @@ extern void kdb5_destroy (int argc, char **argv); extern void kdb5_stash (int argc, char **argv); extern void kdb5_add_mkey (int argc, char **argv); extern void kdb5_use_mkey (int argc, char **argv); +extern void kdb5_list_mkeys (int argc, char **argv); extern void update_ok_file (char *file_name); diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index c36cb6e..81e7475 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -98,7 +98,7 @@ void *global_server_handle; #define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw" extern krb5_keyblock master_keyblock; -extern krb5_keyblock_node *master_keylist; +extern krb5_keylist_node *master_keylist; char *build_princ_name(char *name, char *realm); void log_badauth(OM_uint32 major, OM_uint32 minor, diff --git a/src/kdc/extern.h b/src/kdc/extern.h index 5727fbe..d79e1aa 100644 --- a/src/kdc/extern.h +++ b/src/kdc/extern.h @@ -41,7 +41,7 @@ typedef struct __kdc_realm_data { krb5_context realm_context; /* Context to be used for realm */ krb5_keytab realm_keytab; /* keytab to be used for this realm */ char * realm_profile; /* Profile file for this realm */ - krb5_keyblock_node * mkey_list; /* list of mkeys in use for this realm */ + krb5_keylist_node * mkey_list; /* list of mkeys in use for this realm */ /* * Database per-realm data. */ diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index 63c098b..70403ce 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -16,7 +16,7 @@ static char *rcsid = "$Header$"; krb5_principal master_princ; krb5_keyblock master_keyblock; /* local mkey */ -krb5_keyblock_node *master_keylist = NULL; +krb5_keylist_node *master_keylist = NULL; krb5_actkvno_node *active_mkey_list = NULL; krb5_db_entry master_db; diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 2ab499f..f21b6f5 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -11,6 +11,7 @@ static char *rcsid = "$Header$"; #include <sys/types.h> #include <sys/time.h> #include <errno.h> +#include <k5-int.h> #include <kadm5/admin.h> #include <kdb.h> #include <stdio.h> @@ -26,8 +27,7 @@ static char *rcsid = "$Header$"; extern krb5_principal master_princ; extern krb5_principal hist_princ; -/* extern krb5_keyblock master_keyblock; */ -extern krb5_keyblock_node *master_keylist; +extern krb5_keylist_node *master_keylist; extern krb5_actkvno_node *active_mkey_list; extern krb5_keyblock hist_key; extern krb5_db_entry master_db; @@ -201,6 +201,7 @@ kadm5_create_principal_3(void *server_handle, unsigned int ret; kadm5_server_handle_t handle = server_handle; krb5_keyblock *act_mkey; + krb5_kvno act_kvno; CHECK_HANDLE(server_handle); @@ -344,7 +345,7 @@ kadm5_create_principal_3(void *server_handle, /* initialize the keys */ ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_mkey); + active_mkey_list, &act_kvno, &act_mkey); if (ret) return (ret); @@ -360,9 +361,8 @@ kadm5_create_principal_3(void *server_handle, return(ret); } - /* XXX WAF: this needs to be changed to use real mkvno */ /* Record the master key VNO used to encrypt this entry's keys */ - ret = krb5_dbe_update_mkvno(handle->context, &kdb, 1); + ret = krb5_dbe_update_mkvno(handle->context, &kdb, act_kvno); if (ret) { krb5_db_free_principal(handle->context, &kdb, 1); @@ -1362,7 +1362,7 @@ kadm5_chpass_principal_3(void *server_handle, goto done; ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_mkey); + active_mkey_list, NULL, &act_mkey); if (ret) goto done; @@ -1541,7 +1541,7 @@ kadm5_randkey_principal_3(void *server_handle, return(ret); ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_mkey); + active_mkey_list, NULL, &act_mkey); if (ret) goto done; @@ -1707,7 +1707,7 @@ kadm5_setv4key_principal(void *server_handle, keysalt.data.data = NULL; ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_mkey); + active_mkey_list, NULL, &act_mkey); if (ret) goto done; @@ -1926,7 +1926,7 @@ kadm5_setkey_principal_3(void *server_handle, memset (&tmp_key_data, 0, sizeof(tmp_key_data)); ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_mkey); + active_mkey_list, NULL, &act_mkey); if (ret) goto done; diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index f5e9e5c..c9bf7cd 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -1441,22 +1441,22 @@ krb5_db_set_mkey(krb5_context context, krb5_keyblock * key) krb5_error_code krb5_db_set_mkey_list(krb5_context kcontext, - krb5_keyblock_node * keylist) + krb5_keylist_node * keylist) { krb5_error_code status = 0; kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); - if (status) { - goto clean_n_exit; - } + status = kdb_setup_lib_handle(kcontext); + if (status) { + goto clean_n_exit; + } } dal_handle = kcontext->dal_handle; status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE); if (status) { - goto clean_n_exit; + goto clean_n_exit; } status = dal_handle->lib_handle->vftabl.set_master_key_list(kcontext, keylist); @@ -1464,7 +1464,7 @@ krb5_db_set_mkey_list(krb5_context kcontext, kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE); - clean_n_exit: +clean_n_exit: return status; } @@ -1498,22 +1498,22 @@ krb5_db_get_mkey(krb5_context kcontext, krb5_keyblock ** key) } krb5_error_code -krb5_db_get_mkey_list(krb5_context kcontext, krb5_keyblock_node ** keylist) +krb5_db_get_mkey_list(krb5_context kcontext, krb5_keylist_node ** keylist) { krb5_error_code status = 0; kdb5_dal_handle *dal_handle; if (kcontext->dal_handle == NULL) { - status = kdb_setup_lib_handle(kcontext); - if (status) { - goto clean_n_exit; - } + status = kdb_setup_lib_handle(kcontext); + if (status) { + goto clean_n_exit; + } } dal_handle = kcontext->dal_handle; status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE); if (status) { - goto clean_n_exit; + goto clean_n_exit; } /* Let's use temp key and copy it later to avoid memory problems @@ -1522,7 +1522,7 @@ krb5_db_get_mkey_list(krb5_context kcontext, krb5_keyblock_node ** keylist) get_errmsg(kcontext, status); kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE); - clean_n_exit: +clean_n_exit: return status; } @@ -1531,35 +1531,35 @@ krb5_db_fetch_mkey_list(krb5_context context, krb5_principal mname, const krb5_keyblock * mkey, krb5_kvno mkvno, - krb5_keyblock_node **mkey_list) + krb5_keylist_node **mkey_list) { - kdb5_dal_handle *dal_handle; - krb5_error_code status = 0; + kdb5_dal_handle *dal_handle; + krb5_error_code status = 0; - if (context->dal_handle == NULL) { - status = kdb_setup_lib_handle(context); - if (status) { - goto clean_n_exit; - } - } + if (context->dal_handle == NULL) { + status = kdb_setup_lib_handle(context); + if (status) { + goto clean_n_exit; + } + } - dal_handle = context->dal_handle; - status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE); - if (status) { - goto clean_n_exit; - } + dal_handle = context->dal_handle; + status = kdb_lock_lib_lock(dal_handle->lib_handle, FALSE); + if (status) { + goto clean_n_exit; + } - status = dal_handle->lib_handle->vftabl.fetch_master_key_list(context, - mname, - mkey, - mkvno, - mkey_list); - get_errmsg(context, status); - kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE); + status = dal_handle->lib_handle->vftabl.fetch_master_key_list(context, + mname, + mkey, + mkvno, + mkey_list); + get_errmsg(context, status); + kdb_unlock_lib_lock(dal_handle->lib_handle, FALSE); - if (status) { - goto clean_n_exit; - } + if (status) { + goto clean_n_exit; + } clean_n_exit: return status; @@ -1567,15 +1567,15 @@ clean_n_exit: krb5_error_code krb5_db_free_mkey_list(krb5_context context, - krb5_keyblock_node *mkey_list) + krb5_keylist_node *mkey_list) { - krb5_keyblock_node *cur, *prev; + krb5_keylist_node *cur, *prev; for (cur = mkey_list; cur != NULL;) { - prev = cur; - cur = cur->next; - krb5_free_keyblock_contents(context, &prev->keyblock); - krb5_xfree(prev); + prev = cur; + cur = cur->next; + krb5_free_keyblock_contents(context, &prev->keyblock); + krb5_xfree(prev); } return 0; @@ -1889,8 +1889,8 @@ clean_n_exit: krb5_error_code krb5_dbe_fetch_act_mkey_list(krb5_context context, - krb5_principal mprinc, - krb5_actkvno_node **act_mkey_list) + krb5_principal mprinc, + krb5_actkvno_node **act_mkey_list) { krb5_error_code retval = 0; krb5_db_entry master_entry; @@ -1898,24 +1898,45 @@ krb5_dbe_fetch_act_mkey_list(krb5_context context, krb5_boolean more; if (act_mkey_list == NULL) - return (EINVAL); + return (EINVAL); nprinc = 1; if ((retval = krb5_db_get_principal(context, mprinc, - &master_entry, &nprinc, &more))) - return (retval); - + &master_entry, &nprinc, &more))) + return (retval); + if (nprinc != 1) { - if (nprinc) - krb5_db_free_principal(context, &master_entry, nprinc); - return(KRB5_KDB_NOMASTERKEY); + if (nprinc) + krb5_db_free_principal(context, &master_entry, nprinc); + return(KRB5_KDB_NOMASTERKEY); } else if (more) { - krb5_db_free_principal(context, &master_entry, nprinc); - return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); + krb5_db_free_principal(context, &master_entry, nprinc); + return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); } retval = krb5_dbe_lookup_actkvno(context, &master_entry, act_mkey_list); + if (*act_mkey_list == NULL) { + krb5_actkvno_node *tmp_actkvno; + krb5_timestamp now; + /* + * for mkey princ entries without KRB5_TL_ACTKVNO data provide a default + */ + + if ((retval = krb5_timeofday(context, &now))) + return (retval); + + tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node)); + if (tmp_actkvno == NULL) + return (ENOMEM); + + tmp_actkvno->act_time = now; + tmp_actkvno->act_kvno = master_entry.key_data[0].key_data_kvno; + tmp_actkvno->next = NULL; + + *act_mkey_list = tmp_actkvno; + } + krb5_db_free_principal(context, &master_entry, nprinc); return retval; } @@ -1927,13 +1948,14 @@ krb5_dbe_fetch_act_mkey_list(krb5_context context, krb5_error_code krb5_dbe_find_act_mkey(krb5_context context, - krb5_keyblock_node *mkey_list, + krb5_keylist_node *mkey_list, krb5_actkvno_node *act_mkey_list, + krb5_kvno *act_kvno, krb5_keyblock **act_mkey) { - krb5_kvno act_kvno; + krb5_kvno tmp_act_kvno; krb5_error_code retval; - krb5_keyblock_node *cur_keyblock = mkey_list; + krb5_keylist_node *cur_keyblock = mkey_list; krb5_actkvno_node *prev_actkvno, *cur_actkvno; krb5_timestamp now; krb5_boolean found = FALSE; @@ -1954,11 +1976,11 @@ krb5_dbe_find_act_mkey(krb5_context context, prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) { if (cur_actkvno->act_time == now) { - act_kvno = cur_actkvno->act_kvno; + tmp_act_kvno = cur_actkvno->act_kvno; found = TRUE; break; } else if (cur_actkvno->act_time > now && prev_actkvno->act_time <= now) { - act_kvno = prev_actkvno->act_kvno; + tmp_act_kvno = prev_actkvno->act_kvno; found = TRUE; break; } @@ -1970,18 +1992,20 @@ krb5_dbe_find_act_mkey(krb5_context context, * the latest entry. */ if (prev_actkvno->act_time <= now) { - act_kvno = prev_actkvno->act_kvno; + tmp_act_kvno = prev_actkvno->act_kvno; } else { /* XXX this shouldn't happen */ return (KRB5_KDB_NOACTMASTERKEY); } } - while (cur_keyblock && cur_keyblock->kvno != act_kvno) + while (cur_keyblock && cur_keyblock->kvno != tmp_act_kvno) cur_keyblock = cur_keyblock->next; if (cur_keyblock) { *act_mkey = &cur_keyblock->keyblock; + if (act_kvno != NULL) + *act_kvno = tmp_act_kvno; return (0); } else { return (KRB5_KDB_NO_MATCHING_KEY); @@ -1993,27 +2017,27 @@ krb5_dbe_find_act_mkey(krb5_context context, * free the output key. */ krb5_error_code -krb5_dbe_find_mkey(krb5_context context, - krb5_keyblock_node *mkey_list, +krb5_dbe_find_mkey(krb5_context context, + krb5_keylist_node *mkey_list, krb5_db_entry *entry, krb5_keyblock **mkey) { krb5_kvno mkvno; krb5_error_code retval; - krb5_keyblock_node *cur_keyblock = mkey_list; + krb5_keylist_node *cur_keyblock = mkey_list; retval = krb5_dbe_lookup_mkvno(context, entry, &mkvno); if (retval) - return (retval); + return (retval); while (cur_keyblock && cur_keyblock->kvno != mkvno) - cur_keyblock = cur_keyblock->next; + cur_keyblock = cur_keyblock->next; if (cur_keyblock) { - *mkey = &cur_keyblock->keyblock; - return (0); + *mkey = &cur_keyblock->keyblock; + return (0); } else { - return (KRB5_KDB_NO_MATCHING_KEY); + return (KRB5_KDB_NO_MATCHING_KEY); } } @@ -2307,15 +2331,14 @@ krb5_dbe_lookup_mkvno(krb5_context context, krb5_error_code krb5_dbe_update_mkvno(krb5_context context, - krb5_db_entry * entry, - krb5_kvno mkvno) + krb5_db_entry * entry, + krb5_kvno mkvno) { krb5_tl_data tl_data; - krb5_octet buf[2]; /* this is the encoded size of an int16 */ + krb5_octet buf[2]; /* this is the encoded size of an int16 */ tl_data.tl_data_type = KRB5_TL_MKVNO; tl_data.tl_data_length = sizeof(buf); - /* use standard encoding */ krb5_kdb_encode_int16((krb5_ui_2) mkvno, buf); tl_data.tl_data_contents = buf; @@ -2323,80 +2346,81 @@ krb5_dbe_update_mkvno(krb5_context context, } krb5_error_code -krb5_dbe_lookup_mkey_aux(krb5_context context, - krb5_db_entry * entry, - krb5_mkey_aux_node ** mkey_aux_data_list) +krb5_dbe_lookup_mkey_aux(krb5_context context, + krb5_db_entry * entry, + krb5_mkey_aux_node ** mkey_aux_data_list) { krb5_tl_data tl_data; krb5_int16 version; krb5_mkey_aux_node *head_data = NULL, *new_data = NULL, - *prev_data = NULL; + *prev_data = NULL; krb5_octet *curloc; /* current location pointer */ krb5_error_code code; tl_data.tl_data_type = KRB5_TL_MKEY_AUX; if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return (code); + return (code); if (tl_data.tl_data_contents == NULL) { - *mkey_aux_data_list = NULL; - return (0); + *mkey_aux_data_list = NULL; + return (0); } else { - /* get version to determine how to parse the data */ - krb5_kdb_decode_int16(tl_data.tl_data_contents, version); - if (version == KRB5_TL_MKEY_AUX_VER_1) { - - /* curloc points to first tuple entry in the tl_data_contents */ - curloc = tl_data.tl_data_contents + sizeof(version); - - while (curloc != (tl_data.tl_data_contents + tl_data.tl_data_length)) { - assert(curloc < tl_data.tl_data_contents + tl_data.tl_data_length); - - new_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node)); - if (new_data == NULL) { - krb5_free_mkey_aux_list(context, head_data); - return (ENOMEM); - } - krb5_kdb_decode_int16(curloc, new_data->mkey_kvno); - curloc += sizeof(krb5_ui_2); - krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_kvno); - curloc += sizeof(krb5_ui_2); - krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_type[0]); - curloc += sizeof(krb5_ui_2); - krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_length[0]); - curloc += sizeof(krb5_ui_2); - - new_data->latest_mkey.key_data_contents[0] = (krb5_octet *) - malloc(new_data->latest_mkey.key_data_length[0]); - - if (new_data->latest_mkey.key_data_contents[0] == NULL) { - krb5_free_mkey_aux_list(context, head_data); - return (ENOMEM); - } - memcpy(new_data->latest_mkey.key_data_contents[0], curloc, new_data->latest_mkey.key_data_length[0]); - - new_data->next = NULL; - if (prev_data != NULL) - prev_data->next = new_data; - else - head_data = new_data; - prev_data = new_data; - } - } else { - krb5_set_error_message (context, KRB5_KDB_BAD_VERSION, - "Illegal version number for KRB5_TL_MKEY_AUX %d\n", - version); - return (KRB5_KDB_BAD_VERSION); - } + /* get version to determine how to parse the data */ + krb5_kdb_decode_int16(tl_data.tl_data_contents, version); + if (version == KRB5_TL_MKEY_AUX_VER_1) { + + /* curloc points to first tuple entry in the tl_data_contents */ + curloc = tl_data.tl_data_contents + sizeof(version); + + while (curloc != (tl_data.tl_data_contents + tl_data.tl_data_length)) { + assert(curloc < tl_data.tl_data_contents + tl_data.tl_data_length); + + new_data = (krb5_mkey_aux_node *) malloc(sizeof(krb5_mkey_aux_node)); + if (new_data == NULL) { + krb5_free_mkey_aux_list(context, head_data); + return (ENOMEM); + } + krb5_kdb_decode_int16(curloc, new_data->mkey_kvno); + curloc += sizeof(krb5_ui_2); + krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_kvno); + curloc += sizeof(krb5_ui_2); + krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_type[0]); + curloc += sizeof(krb5_ui_2); + krb5_kdb_decode_int16(curloc, new_data->latest_mkey.key_data_length[0]); + curloc += sizeof(krb5_ui_2); + + new_data->latest_mkey.key_data_contents[0] = (krb5_octet *) + malloc(new_data->latest_mkey.key_data_length[0]); + + if (new_data->latest_mkey.key_data_contents[0] == NULL) { + krb5_free_mkey_aux_list(context, head_data); + return (ENOMEM); + } + memcpy(new_data->latest_mkey.key_data_contents[0], curloc, + new_data->latest_mkey.key_data_length[0]); + + new_data->next = NULL; + if (prev_data != NULL) + prev_data->next = new_data; + else + head_data = new_data; + prev_data = new_data; + } + } else { + krb5_set_error_message (context, KRB5_KDB_BAD_VERSION, + "Illegal version number for KRB5_TL_MKEY_AUX %d\n", + version); + return (KRB5_KDB_BAD_VERSION); + } } *mkey_aux_data_list = head_data; return (0); } krb5_error_code -krb5_dbe_update_mkey_aux(krb5_context context, - krb5_db_entry * entry, - krb5_mkey_aux_node * mkey_aux_data_list) +krb5_dbe_update_mkey_aux(krb5_context context, + krb5_db_entry * entry, + krb5_mkey_aux_node * mkey_aux_data_list) { krb5_tl_data tl_data; krb5_int16 version; @@ -2408,38 +2432,48 @@ krb5_dbe_update_mkey_aux(krb5_context context, * determine out how much space to allocate */ tl_data.tl_data_length = sizeof(version); /* version */ - for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; aux_data_entry = aux_data_entry->next) { - tl_data.tl_data_length += sizeof(krb5_ui_2); /* mkey_kvno */ - tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey kvno */ - tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey enctype */ - tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey length */ - tl_data.tl_data_length += aux_data_entry->latest_mkey.key_data_length[0]; /* mkey data */ + for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; + aux_data_entry = aux_data_entry->next) { + tl_data.tl_data_length += sizeof(krb5_ui_2); /* mkey_kvno */ + tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey kvno */ + tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey enctype */ + tl_data.tl_data_length += sizeof(krb5_ui_2); /* latest_mkey length */ + tl_data.tl_data_length += + aux_data_entry->latest_mkey.key_data_length[0]; /* mkey data */ } tl_data.tl_data_contents = (krb5_octet *) malloc(tl_data.tl_data_length); if (tl_data.tl_data_contents == NULL) { - return (ENOMEM); + return (ENOMEM); } nextloc = tl_data.tl_data_contents; /* version */ - krb5_kdb_encode_int16((krb5_ui_2)KRB5_TL_MKEY_AUX_VER_1, (unsigned char *)nextloc); + krb5_kdb_encode_int16((krb5_ui_2)KRB5_TL_MKEY_AUX_VER_1, + (unsigned char *)nextloc); nextloc += sizeof(krb5_ui_2); - for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; aux_data_entry = aux_data_entry->next) { - krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->mkey_kvno, (unsigned char *)nextloc); - nextloc += sizeof(krb5_ui_2); - krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_kvno, (unsigned char *)nextloc); - nextloc += sizeof(krb5_ui_2); - krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_type[0], (unsigned char *)nextloc); - nextloc += sizeof(krb5_ui_2); - krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_length[0], (unsigned char *)nextloc); - nextloc += sizeof(krb5_ui_2); - - if (aux_data_entry->latest_mkey.key_data_length[0] > 0) { - memcpy(nextloc, aux_data_entry->latest_mkey.key_data_contents[0], - aux_data_entry->latest_mkey.key_data_length[0]); - nextloc += aux_data_entry->latest_mkey.key_data_length[0]; - } + + for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; + aux_data_entry = aux_data_entry->next) { + + krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->mkey_kvno, + (unsigned char *)nextloc); + nextloc += sizeof(krb5_ui_2); + krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_kvno, + (unsigned char *)nextloc); + nextloc += sizeof(krb5_ui_2); + krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_type[0], + (unsigned char *)nextloc); + nextloc += sizeof(krb5_ui_2); + krb5_kdb_encode_int16((krb5_ui_2)aux_data_entry->latest_mkey.key_data_length[0], + (unsigned char *)nextloc); + nextloc += sizeof(krb5_ui_2); + + if (aux_data_entry->latest_mkey.key_data_length[0] > 0) { + memcpy(nextloc, aux_data_entry->latest_mkey.key_data_contents[0], + aux_data_entry->latest_mkey.key_data_length[0]); + nextloc += aux_data_entry->latest_mkey.key_data_length[0]; + } } return (krb5_dbe_update_tl_data(context, entry, &tl_data)); @@ -2456,8 +2490,8 @@ krb5_dbe_update_mkey_aux(krb5_context context, krb5_error_code krb5_dbe_lookup_actkvno(krb5_context context, - krb5_db_entry *entry, - krb5_actkvno_node **actkvno_list) + krb5_db_entry *entry, + krb5_actkvno_node **actkvno_list) { krb5_tl_data tl_data; krb5_error_code code; @@ -2469,56 +2503,59 @@ krb5_dbe_lookup_actkvno(krb5_context context, tl_data.tl_data_type = KRB5_TL_ACTKVNO; if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) - return (code); + return (code); if (tl_data.tl_data_contents == NULL) { - *actkvno_list = NULL; - return (0); + *actkvno_list = NULL; + return (0); } else { - /* get version to determine how to parse the data */ - krb5_kdb_decode_int16(tl_data.tl_data_contents, version); - if (version == KRB5_TL_ACTKVNO_VER_1) { - /* - * Find number of tuple entries, remembering to account for version - * field. - */ - num_actkvno = (tl_data.tl_data_length - sizeof(version)) / ACTKVNO_TUPLE_SIZE; - prev_data = NULL; - /* next_tuple points to first tuple entry in the tl_data_contents */ - next_tuple = tl_data.tl_data_contents + sizeof(version); - for (i = 0; i < num_actkvno; i++) { - new_data = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node)); - if (new_data == NULL) { - krb5_free_actkvno_list(context, head_data); - return (ENOMEM); - } - krb5_kdb_decode_int16(act_kvno(next_tuple), new_data->act_kvno); - krb5_kdb_decode_int32(act_time(next_tuple), new_data->act_time); - /* XXX WAF: may be able to deal with list pointers in a better - * way, see add_mkey() */ - new_data->next = NULL; - if (prev_data != NULL) - prev_data->next = new_data; - else - head_data = new_data; - prev_data = new_data; - next_tuple += ACTKVNO_TUPLE_SIZE; - } - } else { - krb5_set_error_message (context, KRB5_KDB_BAD_VERSION, - "Illegal version number for KRB5_TL_ACTKVNO %d\n", - version); - return (KRB5_KDB_BAD_VERSION); - } + /* get version to determine how to parse the data */ + krb5_kdb_decode_int16(tl_data.tl_data_contents, version); + if (version == KRB5_TL_ACTKVNO_VER_1) { + /* + * Find number of tuple entries, remembering to account for version + * field. + */ + num_actkvno = (tl_data.tl_data_length - sizeof(version)) / ACTKVNO_TUPLE_SIZE; + prev_data = NULL; + /* next_tuple points to first tuple entry in the tl_data_contents */ + next_tuple = tl_data.tl_data_contents + sizeof(version); + for (i = 0; i < num_actkvno; i++) { + new_data = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node)); + if (new_data == NULL) { + krb5_free_actkvno_list(context, head_data); + return (ENOMEM); + } + krb5_kdb_decode_int16(act_kvno(next_tuple), new_data->act_kvno); + krb5_kdb_decode_int32(act_time(next_tuple), new_data->act_time); + /* XXX WAF: may be able to deal with list pointers in a better + * way, see add_mkey() */ + new_data->next = NULL; + if (prev_data != NULL) + prev_data->next = new_data; + else + head_data = new_data; + prev_data = new_data; + next_tuple += ACTKVNO_TUPLE_SIZE; + } + } else { + krb5_set_error_message (context, KRB5_KDB_BAD_VERSION, + "Illegal version number for KRB5_TL_ACTKVNO %d\n", + version); + return (KRB5_KDB_BAD_VERSION); + } } *actkvno_list = head_data; return (0); } +/* + * Add KRB5_TL_ACTKVNO TL data entries to krb5_db_entry *entry + */ krb5_error_code krb5_dbe_update_actkvno(krb5_context context, - krb5_db_entry *entry, - const krb5_actkvno_node *actkvno_list) + krb5_db_entry *entry, + const krb5_actkvno_node *actkvno_list) { krb5_error_code retval = 0; krb5_int16 version; @@ -2526,36 +2563,34 @@ krb5_dbe_update_actkvno(krb5_context context, krb5_octet *nextloc; const krb5_actkvno_node *cur_actkvno; - /* XXX WAF: should kvno be verified that it exists for the princ entry? */ - /* No, this should be handed by functions higher in the stack verifying the user data */ - if (actkvno_list == NULL) { - return (EINVAL); + return (EINVAL); } /* allocate initial KRB5_TL_ACTKVNO tl_data entry */ new_tl_data.tl_data_length = sizeof(version); new_tl_data.tl_data_contents = (krb5_octet *) malloc(new_tl_data.tl_data_length); - if (new_tl_data.tl_data_contents == NULL) { - return (ENOMEM); - } + if (new_tl_data.tl_data_contents == NULL) + return (ENOMEM); + + /* add the current version # for the data format used for KRB5_TL_ACTKVNO */ krb5_kdb_encode_int16((krb5_ui_2)KRB5_TL_ACTKVNO_VER_1, (unsigned char *)new_tl_data.tl_data_contents); for (cur_actkvno = actkvno_list; cur_actkvno != NULL; cur_actkvno = cur_actkvno->next) { - new_tl_data.tl_data_length += ACTKVNO_TUPLE_SIZE; - new_tl_data.tl_data_contents = (krb5_octet *) realloc(new_tl_data.tl_data_contents, new_tl_data.tl_data_length); - if (new_tl_data.tl_data_contents == NULL) { - return (ENOMEM); - } + new_tl_data.tl_data_length += ACTKVNO_TUPLE_SIZE; + new_tl_data.tl_data_contents = (krb5_octet *) realloc(new_tl_data.tl_data_contents, + new_tl_data.tl_data_length); + if (new_tl_data.tl_data_contents == NULL) + return (ENOMEM); - /* - * using realloc so tl_data_contents is required to correctly calculate - * next location to store new tuple. - */ - nextloc = new_tl_data.tl_data_contents + new_tl_data.tl_data_length - ACTKVNO_TUPLE_SIZE; - krb5_kdb_encode_int16((krb5_ui_2)cur_actkvno->act_kvno, (unsigned char *)nextloc); - nextloc += sizeof(krb5_ui_2); - krb5_kdb_encode_int32((krb5_ui_4)cur_actkvno->act_time, (unsigned char *)nextloc); + /* + * Using realloc so tl_data_contents is required to correctly calculate + * next location to store new tuple. + */ + nextloc = new_tl_data.tl_data_contents + new_tl_data.tl_data_length - ACTKVNO_TUPLE_SIZE; + krb5_kdb_encode_int16((krb5_ui_2)cur_actkvno->act_kvno, (unsigned char *)nextloc); + nextloc += sizeof(krb5_ui_2); + krb5_kdb_encode_int32((krb5_ui_4)cur_actkvno->act_time, (unsigned char *)nextloc); } new_tl_data.tl_data_type = KRB5_TL_ACTKVNO; diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 161f6ea..32f13dd 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -487,14 +487,14 @@ krb5_def_fetch_mkey_list(krb5_context context, krb5_principal mprinc, const krb5_keyblock *mkey, krb5_kvno mkvno, - krb5_keyblock_node **mkeys_list) + krb5_keylist_node **mkeys_list) { krb5_error_code retval; krb5_db_entry master_entry; int nprinc; krb5_boolean more, found_key = FALSE; krb5_keyblock tmp_mkey, tmp_clearkey; - krb5_keyblock_node *mkey_list_head, **mkey_list_node; + krb5_keylist_node *mkey_list_head, **mkey_list_node; krb5_key_data *key_data; krb5_mkey_aux_node *mkey_aux_data_list, *aux_data_entry; int i; @@ -572,24 +572,24 @@ krb5_def_fetch_mkey_list(krb5_context context, * create a mkey list for the mkeys field in kdc_realm_t. */ - mkey_list_head = (krb5_keyblock_node *) malloc(sizeof(krb5_keyblock_node)); + mkey_list_head = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node)); if (mkey_list_head == NULL) { retval = ENOMEM; goto clean_n_exit; } - memset(mkey_list_head, 0, sizeof(krb5_keyblock_node)); + memset(mkey_list_head, 0, sizeof(krb5_keylist_node)); mkey_list_node = &mkey_list_head; for (i=0; i < master_entry.n_key_data; i++) { if (*mkey_list_node == NULL) { /* *mkey_list_node points to next field of previous node */ - *mkey_list_node = (krb5_keyblock_node *) malloc(sizeof(krb5_keyblock_node)); + *mkey_list_node = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node)); if (*mkey_list_node == NULL) { retval = ENOMEM; goto clean_n_exit; } - memset(*mkey_list_node, 0, sizeof(krb5_keyblock_node)); + memset(*mkey_list_node, 0, sizeof(krb5_keylist_node)); } key_data = &master_entry.key_data[i]; retval = krb5_dbekd_decrypt_key_data(context, mkey, @@ -617,7 +617,7 @@ clean_n_exit: krb5_db_free_principal(context, &master_entry, nprinc); if (retval != 0) { - krb5_keyblock_node *cur_node, *next_node; + krb5_keylist_node *cur_node, *next_node; for (cur_node = mkey_list_head; cur_node != NULL; cur_node = next_node) { next_node = cur_node->next; @@ -645,14 +645,14 @@ krb5_error_code kdb_def_get_mkey ( krb5_context kcontext, } krb5_error_code kdb_def_set_mkey_list ( krb5_context kcontext, - krb5_keyblock_node *keylist ) + krb5_keylist_node *keylist ) { /* printf("default set master key\n"); */ return 0; } krb5_error_code kdb_def_get_mkey_list ( krb5_context kcontext, - krb5_keyblock_node **keylist ) + krb5_keylist_node **keylist ) { /* printf("default get master key\n"); */ return 0; diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c index 413a2e8..7b241a1 100644 --- a/src/lib/kdb/keytab.c +++ b/src/lib/kdb/keytab.c @@ -123,7 +123,7 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) krb5_keytab_entry * entry; { krb5_context context; - krb5_keyblock_node * master_keylist; + krb5_keylist_node * master_keylist; krb5_keyblock * master_key; krb5_error_code kerror = 0; krb5_key_data * key_data; diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports index b83797d..bf28a1c 100644 --- a/src/lib/kdb/libkdb5.exports +++ b/src/lib/kdb/libkdb5.exports @@ -6,7 +6,6 @@ krb5_db_free krb5_db_create krb5_db_delete_principal krb5_db_destroy -krb5_db_fetch_latest_mkey krb5_db_fetch_mkey krb5_db_fetch_mkey_list krb5_db_free_mkey_list @@ -14,6 +13,7 @@ krb5_db_fini krb5_db_free_principal krb5_db_get_age krb5_db_get_mkey +krb5_db_get_mkey_list krb5_db_get_context krb5_db_get_principal krb5_db_get_principal_ext @@ -23,6 +23,7 @@ krb5_db_lock krb5_db_put_principal krb5_db_set_context krb5_db_set_mkey +krb5_db_set_mkey_list krb5_db_setup_mkey_name krb5_db_unlock krb5_db_store_master_key @@ -32,6 +33,7 @@ krb5_dbe_ark krb5_dbe_cpw krb5_dbe_create_key_data krb5_dbe_crk +krb5_dbe_find_act_mkey krb5_dbe_fetch_act_mkey_list krb5_dbe_find_enctype krb5_dbe_find_mkey diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index ad560c0..30c198d 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -221,6 +221,7 @@ krb5_free_etype_info krb5_free_host_realm krb5_free_kdc_rep krb5_free_kdc_req +krb5_free_key_data_contents krb5_free_keyblock krb5_free_keyblock_contents krb5_free_keytab_entry_contents diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index 0457fd5..95b51f7 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c @@ -194,12 +194,12 @@ WRAP_K (krb5_db2_db_get_mkey, ( krb5_context context, krb5_keyblock **key), (context, key)); -WRAP_K (krb5_db2_set_master_key_list, - ( krb5_context kcontext, krb5_keyblock_node *keylist), +WRAP_K (krb5_db2_db_set_mkey_list, + ( krb5_context kcontext, krb5_keylist_node *keylist), (kcontext, keylist)); WRAP_K (krb5_db2_db_get_mkey_list, - ( krb5_context context, krb5_keyblock_node **keylist), + ( krb5_context context, krb5_keylist_node **keylist), (context, keylist)); WRAP_K (krb5_db2_promote_db, @@ -261,7 +261,7 @@ kdb_vftabl kdb_function_table = { /* db_free */ wrap_krb5_db2_free, /* set_master_key */ wrap_krb5_db2_set_master_key_ext, /* get_master_key */ wrap_krb5_db2_db_get_mkey, - /* set_master_key_list */ wrap_krb5_db2_set_master_key_list, + /* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list, /* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list, /* blah blah blah */ 0,0,0,0,0,0,0, /* promote_db */ wrap_krb5_db2_promote_db, diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c index 1627315..80fd8f2 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -432,7 +432,7 @@ krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key) } krb5_error_code -krb5_db2_db_set_mkey_list(krb5_context context, krb5_keyblock_node *key_list) +krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *key_list) { krb5_db2_context *db_ctx; kdb5_dal_handle *dal_handle; @@ -447,7 +447,7 @@ krb5_db2_db_set_mkey_list(krb5_context context, krb5_keyblock_node *key_list) } krb5_error_code -krb5_db2_db_get_mkey_list(krb5_context context, krb5_keyblock_node **key_list) +krb5_db2_db_get_mkey_list(krb5_context context, krb5_keylist_node **key_list) { krb5_db2_context *db_ctx; kdb5_dal_handle *dal_handle; diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index 39e2e08..07a764f 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -43,7 +43,7 @@ typedef struct _krb5_db2_context { int db_lock_mode; /* Last lock mode, e.g. greatest*/ krb5_boolean db_nb_locks; /* [Non]Blocking lock modes */ krb5_keyblock *db_master_key; /* Master key of database */ - krb5_keyblock_node *db_master_key_list; /* Master key list of database */ + krb5_keylist_node *db_master_key_list; /* Master key list of database */ osa_adb_policy_t policy_db; krb5_boolean tempdb; } krb5_db2_context; @@ -124,11 +124,11 @@ krb5_db2_db_get_mkey( krb5_context context, krb5_keyblock **key); krb5_error_code krb5_db2_db_set_mkey_list( krb5_context context, - krb5_keyblock_node *keylist); + krb5_keylist_node *keylist); krb5_error_code krb5_db2_db_get_mkey_list( krb5_context context, - krb5_keyblock_node **keylist); + krb5_keylist_node **keylist); krb5_error_code krb5_db2_db_put_principal( krb5_context context, |