-rw-r--r-- | src/kadmin/dbutil/dump.c | 13 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_create.c | 4 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_mkey.c | 58 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_util.c | 3 | ||||
-rw-r--r-- | src/kadmin/dbutil/kdb5_util.h | 4 | ||||
-rw-r--r-- | src/lib/kdb/kdb_default.c | 5 | ||||
-rw-r--r-- | src/lib/krb5/error_tables/kdb5_err.et | 1 |
7 files changed, 59 insertions, 29 deletions
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 69ebec4..d37ea1b 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -47,6 +47,7 @@
 */
 static int mkey_convert;
 static krb5_keyblock new_master_keyblock;
+static krb5_kvno new_mkvno;
 static int backwards;
 static int recursive;
@@ -179,6 +180,7 @@ extern int exit_status;
 extern krb5_context util_context;
 extern kadm5_config_params global_params;
 extern krb5_keylist_node *master_keylist;
+extern krb5_db_entry master_entry;
 /* Strings */
@@ -258,8 +260,6 @@ static const char hashoption[] = "-hash";
 static const char ovoption[] = "-ov";
 static const char dump_tmptrail[] = "~";
-static krb5_kvno new_mkvno;
-
 /*
 * Re-encrypt the key_data with the new master key...
 */
@@ -278,7 +278,7 @@ static krb5_error_code master_key_convert(context, db_entry)
 is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ);
 if (is_mkey) {
- retval = add_new_mkey(context, db_entry, &new_master_keyblock, &new_mkvno);
+ retval = add_new_mkey(context, db_entry, &new_master_keyblock, new_mkvno);
 if (retval)
 return retval;
 } else {
@@ -290,7 +290,7 @@ static krb5_error_code master_key_convert(context, db_entry)
 continue;
 retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey);
 if (retval)
- return retval;
+ return retval;
 retval = krb5_dbekd_decrypt_key_data(context, tmp_mkey, key_data, &v5plainkey, &keysalt);
@@ -1193,6 +1193,11 @@ dump_db(argc, argv)
 exit(1);
 }
 }
+ /*
+ * get new master key vno that will be used to protect princs, used
+ * later on.
+ */
+ new_mkvno = get_next_kvno(util_context, &master_entry);
 }
 kret = 0;
diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c
index 9448a35..ebf07b4 100644
--- a/src/kadmin/dbutil/kdb5_create.c
+++ b/src/kadmin/dbutil/kdb5_create.c
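Review bot: `new_mkvno` is taken from `master_entry` once here, before the conversion loop, and `add_new_mkey()` (kdb5_mkey.c in this diff) recomputes the same value and fails with `KRB5_KDB_KVNONOMATCH` if the two disagree; the comment should say so, otherwise a reader may see the recomputation as redundant and remove one side. Suggested wording: `/* Pick the kvno the new master key will get; add_new_mkey() recomputes and cross-checks it. */`. The hunk also gives no hint of where `master_entry` (the new extern at line 180 of this file) is filled in — presumably open_db_and_mkey() in kdb5_util.c, whose removed free is what keeps it alive — so naming the producer in that comment would help. dump_db continues outside the hunk.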
@@ -471,6 +471,10 @@ add_principal(context, princ, op, pblock)
 if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno)))
 return retval;
+ /* so getprinc shows the right kvno */
+ if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno)))
+ return retval;
+
 break;
 case TGT_KEY:
 iargs.ctx = context;
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index e02050d..876e979 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -34,19 +34,39 @@ static char *strdate(krb5_timestamp when)
 return out;
 }
+krb5_kvno
+get_next_kvno(krb5_context context, krb5_db_entry *entry)
+{
+ krb5_kvno new_kvno;
+
+ new_kvno = krb5_db_get_key_data_kvno(context, entry->n_key_data,
+ entry->key_data);
+ new_kvno++;
+ /* deal with wrapping */
+ if (new_kvno == 0)
+ new_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
+
+ return (new_kvno);
+}
+
 krb5_error_code
-add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey, krb5_kvno *mkvno)
+add_new_mkey(krb5_context context, krb5_db_entry *master_entry,
+ krb5_keyblock *new_mkey, krb5_kvno use_mkvno)
 {
 krb5_error_code retval = 0;
 int old_key_data_count, i;
- krb5_kvno old_kvno, new_mkey_kvno;
+ krb5_kvno new_mkey_kvno;
 krb5_key_data tmp_key_data, *old_key_data;
 krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data;
 krb5_keylist_node *keylist_node;
- /* First save the old keydata */
- old_kvno = krb5_db_get_key_data_kvno(context, master_entry->n_key_data,
- master_entry->key_data);
+ /* do this before modifying master_entry key_data */
+ new_mkey_kvno = get_next_kvno(context, master_entry);
+ /* verify the requested mkvno if not 0 is the one that would be used here. */
+ if (use_mkvno != 0 && new_mkey_kvno != use_mkvno)
+ return (KRB5_KDB_KVNONOMATCH);
+
+ /* save the old keydata */
 old_key_data_count = master_entry->n_key_data;
 old_key_data = master_entry->key_data;
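Review bot: The added comment `/* so getprinc shows the right kvno */` does not say which kvno is meant; `krb5_dbe_update_mkvno()` records the master key version that protects the entry, which is distinct from the key's own kvno handled by the `krb5_dbe_update_actkvno()` call just above. Something like `/* record which master key (mkey_kvno) protects this entry, so getprinc reports the mkvno */` removes the ambiguity. `mkey_kvno` is defined outside the hunk, so whether it is the kvno actually used to encrypt the key cannot be confirmed from here; add_principal continues outside the hunk.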
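Review bot: `get_next_kvno()` becomes a non-static function exported through kdb5_util.h but has no header comment, and the `use_mkvno == 0` sentinel of `add_new_mkey()` is explained only by reading its body. Suggest above `get_next_kvno`: `/* Return the kvno a key added to entry would get: one past what krb5_db_get_key_data_kvno() reports for entry->key_data, never 0 (IGNORE_VNO). */`, and above `add_new_mkey`: `/* use_mkvno: expected kvno for the new mkey, or 0 to accept what get_next_kvno() yields; mismatch returns KRB5_KDB_KVNONOMATCH. */`. While here, the wrap comment carried over from the old code still reads `knvo` for `kvno`. add_new_mkey's body continues past the hunk.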
@@ -57,7 +77,7 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
 * logic from master_key_convert().
 */
 master_entry->key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) *
- (old_key_data_count + 1));
+ (old_key_data_count + 1));
 if (master_entry->key_data == NULL)
 return (ENOMEM);
@@ -65,11 +85,6 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
 sizeof(krb5_key_data) * (old_key_data_count + 1));
 master_entry->n_key_data = old_key_data_count + 1;
- new_mkey_kvno = old_kvno + 1;
- /* deal with wrapping? */
- if (new_mkey_kvno == 0)
- new_mkey_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
-
 /* Note, mkey does not have salt */
 /* add new mkey encrypted with itself to mkey princ entry */
 if ((retval = krb5_dbekd_encrypt_key_data(context, new_mkey,
@@ -78,7 +93,11 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
 &master_entry->key_data[0]))) {
 return (retval);
 }
-
+ /* so getprinc will show the new mkvno */
+ if ((retval = krb5_dbe_update_mkvno(context, master_entry, new_mkey_kvno))) {
+ krb5_free_key_data_contents(context, &master_entry->key_data[0]);
+ return (retval);
+ }
 /*
 * Need to decrypt old keys with the current mkey which is in the global
 * master_keyblock and encrypt those keys with the latest mkey. And while
@@ -149,9 +168,6 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
 goto clean_n_exit;
 }
- if (mkvno)
- *mkvno = new_mkey_kvno;
-
 clean_n_exit:
 if (mkey_aux_data_head)
 krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_head);
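Review bot: On the new `krb5_dbe_update_mkvno()` failure path the function returns with `master_entry->key_data` still pointing at the freshly allocated array and `n_key_data` already raised to `old_key_data_count + 1` (set in the preceding hunk), while the original `old_key_data` array is orphaned; only the new mkey's contents are freed, so the caller receives a half-updated entry. The `return (retval)` after the encrypt call just above has the same shape, so this is pre-existing rather than introduced here, but the new branch is the place to restore the entry before returning: `free(master_entry->key_data); master_entry->key_data = old_key_data; master_entry->n_key_data = old_key_data_count;`. Whether `clean_n_exit` (visible in the last hunk of this file) already undoes this cannot be told from the hunk; if it does, routing the error through it is the simpler fix. add_new_mkey continues outside the hunk.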
@@ -222,13 +238,13 @@ kdb5_add_mkey(int argc, char *argv[])
 exit_status++;
 return;
 } else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
 "principal %s not found in Kerberos database",
 mkey_fullname);
 exit_status++;
 return;
 } else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
 "principal %s has multiple entries in Kerberos database",
 mkey_fullname);
 exit_status++;
@@ -412,13 +428,13 @@ kdb5_use_mkey(int argc, char *argv[])
 exit_status++;
 return;
 } else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
 "principal %s not found in Kerberos database",
 mkey_fullname);
 exit_status++;
 return;
 } else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
 "principal %s has multiple entries in Kerberos database",
 mkey_fullname);
 exit_status++;
@@ -559,13 +575,13 @@ kdb5_list_mkeys(int argc, char *argv[])
 exit_status++;
 return;
 } else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
 "principal %s not found in Kerberos database",
 mkey_fullname);
 exit_status++;
 return;
 } else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
 "principal %s has multiple entries in Kerberos database",
 mkey_fullname);
 exit_status++;
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index 086217e..94fc858 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -442,9 +442,6 @@ static int open_db_and_mkey()
 kvno = global_params.kvno; /* user specified */
 else
 kvno = IGNORE_VNO;
- /* kvno = (krb5_kvno) master_entry.key_data->key_data_kvno; */
-
- krb5_db_free_principal(util_context, &master_entry, nentries);
 /* the databases are now open, and the master principal exists */
 dbactive = TRUE;
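Review bot: The same lookup-and-report block is patched identically in kdb5_add_mkey here and in kdb5_use_mkey (`@@ -412`) and kdb5_list_mkeys (`@@ -559`); the fix itself is right, since the old calls passed `retval`, which at that point is presumably the status of a lookup that succeeded and so printed no error text, but three copies are how the bug got here. A small static helper that fetches the master entry and reports `KRB5_KDB_NOENTRY` / `KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE` once would keep them from diverging again. The enclosing functions start outside the hunks.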
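Review bot: Dropping `krb5_db_free_principal(util_context, &master_entry, nentries)` changes the ownership of `master_entry`: it now outlives open_db_and_mkey() so that dump.c's new `extern krb5_db_entry master_entry` can read it, but nothing in the hunk says who releases it or what happens if open_db_and_mkey() is entered a second time with an entry already held. A comment at the removal point would make the contract explicit, e.g. `/* master_entry is kept for later use (get_next_kvno() in dump.c); released in <FREEING_FUNCTION> */` with the real name filled in. open_db_and_mkey continues outside the hunk.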
diff --git a/src/kadmin/dbutil/kdb5_util.h b/src/kadmin/dbutil/kdb5_util.h
index 175d61c..78d283d 100644
--- a/src/kadmin/dbutil/kdb5_util.h
+++ b/src/kadmin/dbutil/kdb5_util.h
@@ -89,7 +89,9 @@ extern void update_ok_file (char *file_name);
 extern int kadm5_create (kadm5_config_params *params);
 extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *,
- krb5_keyblock *, krb5_kvno *);
+ krb5_keyblock *, krb5_kvno);
+
+extern krb5_kvno get_next_kvno(krb5_context, krb5_db_entry *);
 void usage (void);
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index c02778d..9ddf5bd 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -25,6 +25,11 @@
 *
 */
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
 #include "k5-int.h"
 #include "kdb.h"
 #include <string.h>
diff --git a/src/lib/krb5/error_tables/kdb5_err.et b/src/lib/krb5/error_tables/kdb5_err.et
index ae4c4bf..d0426bd 100644
--- a/src/lib/krb5/error_tables/kdb5_err.et
+++ b/src/lib/krb5/error_tables/kdb5_err.et
@@ -58,6 +58,7 @@ ec KRB5_KDB_INVALIDKEYSIZE, "Key size in database is invalid"
 ec KRB5_KDB_CANTREAD_STORED, "Cannot find/read stored master key"
 ec KRB5_KDB_BADSTORED_MKEY, "Stored master key is corrupted"
 ec KRB5_KDB_NOACTMASTERKEY, "Cannot find active master key"
+ec KRB5_KDB_KVNONOMATCH, "KVNO of new master key does not match expected value"
 ec KRB5_KDB_CANTLOCK_DB, "Insufficient access to lock database" |
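Review bot: The new and changed prototypes carry no parameter names, and the header says nothing about the `krb5_kvno` argument of `add_new_mkey()`, whose 0 value means "do not check" and whose mismatch returns `KRB5_KDB_KVNONOMATCH` (both visible in the kdb5_mkey.c hunks of this diff). Suggest `extern krb5_kvno get_next_kvno(krb5_context context, krb5_db_entry *entry);` and a comment above the add_new_mkey declaration: `/* use_mkvno: expected kvno of the new master key, or 0 to skip the check; KRB5_KDB_KVNONOMATCH on mismatch */`. The neighbouring declarations in this hunk do name their parameters, so this also matches local style.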