Diffstat (limited to 'src')
-rw-r--r--src/kadmin/dbutil/dump.c13
-rw-r--r--src/kadmin/dbutil/kdb5_create.c4
-rw-r--r--src/kadmin/dbutil/kdb5_mkey.c58
-rw-r--r--src/kadmin/dbutil/kdb5_util.c3
-rw-r--r--src/kadmin/dbutil/kdb5_util.h4
-rw-r--r--src/lib/kdb/kdb_default.c5
-rw-r--r--src/lib/krb5/error_tables/kdb5_err.et1
7 files changed, 59 insertions, 29 deletions
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 69ebec4..d37ea1b 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -47,6 +47,7 @@
*/
static int mkey_convert;
static krb5_keyblock new_master_keyblock;
+static krb5_kvno new_mkvno;
static int backwards;
static int recursive;
@@ -179,6 +180,7 @@ extern int exit_status;
extern krb5_context util_context;
extern kadm5_config_params global_params;
extern krb5_keylist_node *master_keylist;
+extern krb5_db_entry master_entry;
/* Strings */
@@ -258,8 +260,6 @@ static const char hashoption[] = "-hash";
static const char ovoption[] = "-ov";
static const char dump_tmptrail[] = "~";
-static krb5_kvno new_mkvno;
-
/*
* Re-encrypt the key_data with the new master key...
*/
@@ -278,7 +278,7 @@ static krb5_error_code master_key_convert(context, db_entry)
is_mkey = krb5_principal_compare(context, master_princ, db_entry->princ);
if (is_mkey) {
- retval = add_new_mkey(context, db_entry, &new_master_keyblock, &new_mkvno);
+ retval = add_new_mkey(context, db_entry, &new_master_keyblock, new_mkvno);
if (retval)
return retval;
} else {
@@ -290,7 +290,7 @@ static krb5_error_code master_key_convert(context, db_entry)
continue;
retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey);
if (retval)
- return retval;
+ return retval;
retval = krb5_dbekd_decrypt_key_data(context, tmp_mkey,
key_data, &v5plainkey,
&keysalt);
@@ -1193,6 +1193,11 @@ dump_db(argc, argv)
exit(1);
}
}
+ /*
+ * get new master key vno that will be used to protect princs, used
+ * later on.
+ */
+ new_mkvno = get_next_kvno(util_context, &master_entry);
}
kret = 0;
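Review bot: The comment on the new assignment says the value is "used later on" without saying where or what it is for; from the other hunks, new_mkvno only matters as the value master_key_convert() hands to add_new_mkey(), which rejects a mismatch with KRB5_KDB_KVNONOMATCH. Suggest replacing the comment with `/* Record the kvno the new master key must receive: master_key_convert() passes it to add_new_mkey(), which fails with KRB5_KDB_KVNONOMATCH if the stored entry would yield a different value. */`. The assignment also depends on master_entry still being populated after open_db_and_mkey(), which the kdb5_util.c hunk arranges by dropping its free; that dependency is worth one clause in the same comment. The block enclosing the assignment and dump_db itself begin outside the hunk.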
diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c
index 9448a35..ebf07b4 100644
--- a/src/kadmin/dbutil/kdb5_create.c
+++ b/src/kadmin/dbutil/kdb5_create.c
@@ -471,6 +471,10 @@ add_principal(context, princ, op, pblock)
if ((retval = krb5_dbe_update_actkvno(context, &entry, &actkvno)))
return retval;
+ /* so getprinc shows the right kvno */
+ if ((retval = krb5_dbe_update_mkvno(context, &entry, mkey_kvno)))
+ return retval;
+
break;
case TGT_KEY:
iargs.ctx = context;
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index e02050d..876e979 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -34,19 +34,39 @@ static char *strdate(krb5_timestamp when)
return out;
}
+krb5_kvno
+get_next_kvno(krb5_context context, krb5_db_entry *entry)
+{
+ krb5_kvno new_kvno;
+
+ new_kvno = krb5_db_get_key_data_kvno(context, entry->n_key_data,
+ entry->key_data);
+ new_kvno++;
+ /* deal with wrapping */
+ if (new_kvno == 0)
+ new_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
+
+ return (new_kvno);
+}
+
krb5_error_code
-add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey, krb5_kvno *mkvno)
+add_new_mkey(krb5_context context, krb5_db_entry *master_entry,
+ krb5_keyblock *new_mkey, krb5_kvno use_mkvno)
{
krb5_error_code retval = 0;
int old_key_data_count, i;
- krb5_kvno old_kvno, new_mkey_kvno;
+ krb5_kvno new_mkey_kvno;
krb5_key_data tmp_key_data, *old_key_data;
krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data;
krb5_keylist_node *keylist_node;
- /* First save the old keydata */
- old_kvno = krb5_db_get_key_data_kvno(context, master_entry->n_key_data,
- master_entry->key_data);
+ /* do this before modifying master_entry key_data */
+ new_mkey_kvno = get_next_kvno(context, master_entry);
+ /* verify the requested mkvno if not 0 is the one that would be used here. */
+ if (use_mkvno != 0 && new_mkey_kvno != use_mkvno)
+ return (KRB5_KDB_KVNONOMATCH);
+
+ /* save the old keydata */
old_key_data_count = master_entry->n_key_data;
old_key_data = master_entry->key_data;
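Review bot: get_next_kvno is a new exported function with no header comment, and the comment on its wrap check misspells kvno as `knvo`. Suggested header: `/* Return the kvno the next key added to entry should carry: the kvno krb5_db_get_key_data_kvno() reports for entry->key_data plus one, wrapping to 1 rather than 0 because 0 is the IGNORE_VNO sentinel. */`. The `use_mkvno != 0` test in add_new_mkey treats 0 as "caller has no expectation", and that sentinel is stated nowhere; a one-line comment on the check, `/* use_mkvno == 0 means the caller supplied no kvno to verify against. */`, would pin it down. add_new_mkey's body continues past the end of the hunk.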
@@ -57,7 +77,7 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
* logic from master_key_convert().
*/
master_entry->key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) *
- (old_key_data_count + 1));
+ (old_key_data_count + 1));
if (master_entry->key_data == NULL)
return (ENOMEM);
@@ -65,11 +85,6 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
sizeof(krb5_key_data) * (old_key_data_count + 1));
master_entry->n_key_data = old_key_data_count + 1;
- new_mkey_kvno = old_kvno + 1;
- /* deal with wrapping? */
- if (new_mkey_kvno == 0)
- new_mkey_kvno = 1; /* knvo must not be 0 as this is special value (IGNORE_VNO) */
-
/* Note, mkey does not have salt */
/* add new mkey encrypted with itself to mkey princ entry */
if ((retval = krb5_dbekd_encrypt_key_data(context, new_mkey,
@@ -78,7 +93,11 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
&master_entry->key_data[0]))) {
return (retval);
}
-
+ /* so getprinc will show the new mkvno */
+ if ((retval = krb5_dbe_update_mkvno(context, master_entry, new_mkey_kvno))) {
+ krb5_free_key_data_contents(context, &master_entry->key_data[0]);
+ return (retval);
+ }
/*
* Need to decrypt old keys with the current mkey which is in the global
* master_keyblock and encrypt those keys with the latest mkey. And while
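Review bot: The new failure path after krb5_dbe_update_mkvno frees the contents of key_data[0] but leaves master_entry pointing at the freshly malloc'd key_data array with n_key_data already incremented a few lines above, while old_key_data is still the live allocation; a caller that frees or re-reads the entry after this error sees a half-built key list whose slot 0 is gone, and the new array itself leaks. If the copy into the new array is shallow, as the memcpy earlier in the function (outside this hunk) appears to be, the entry can be put back before returning: `free(master_entry->key_data); master_entry->key_data = old_key_data; master_entry->n_key_data = old_key_data_count;`. The encrypt-failure return just above has the same shape, though that path predates this change. The function begins and ends outside the hunk.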
@@ -149,9 +168,6 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *n
goto clean_n_exit;
}
- if (mkvno)
- *mkvno = new_mkey_kvno;
-
clean_n_exit:
if (mkey_aux_data_head)
krb5_dbe_free_mkey_aux_list(context, mkey_aux_data_head);
@@ -222,13 +238,13 @@ kdb5_add_mkey(int argc, char *argv[])
exit_status++;
return;
} else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
"principal %s not found in Kerberos database",
mkey_fullname);
exit_status++;
return;
} else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
"principal %s has multiple entries in Kerberos database",
mkey_fullname);
exit_status++;
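Review bot: The nentries == 0 and nentries > 1 branches with their com_err calls are repeated verbatim in kdb5_add_mkey here, in kdb5_use_mkey (hunk at @@ -412) and in kdb5_list_mkeys (hunk at @@ -559), so the fix of passing a real error code instead of the stale retval had to be applied three times, which is how the original inconsistency arose. A small static helper that reports the problem and returns nonzero would leave each caller with `if (check_mkey_entry_count(nentries, mkey_fullname)) { exit_status++; return; }` and a single place to keep the codes and messages aligned. All three functions begin and end outside their hunks, so the lookup that produces nentries is not visible here.
```c
/* Report a lookup that did not return exactly one master-key entry;
 * nonzero means the caller should bail out. */
static int
check_mkey_entry_count(int nentries, const char *mkey_fullname)
{
    if (nentries == 0) {
        com_err(progname, KRB5_KDB_NOENTRY,
                "principal %s not found in Kerberos database", mkey_fullname);
        return 1;
    }
    if (nentries > 1) {
        com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
                "principal %s has multiple entries in Kerberos database",
                mkey_fullname);
        return 1;
    }
    return 0;
}
/* … unchanged: kdb5_add_mkey up to and including the lookup … */
    if (check_mkey_entry_count(nentries, mkey_fullname)) {
        exit_status++;
        return;
    }
```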
@@ -412,13 +428,13 @@ kdb5_use_mkey(int argc, char *argv[])
exit_status++;
return;
} else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
"principal %s not found in Kerberos database",
mkey_fullname);
exit_status++;
return;
} else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
"principal %s has multiple entries in Kerberos database",
mkey_fullname);
exit_status++;
@@ -559,13 +575,13 @@ kdb5_list_mkeys(int argc, char *argv[])
exit_status++;
return;
} else if (nentries == 0) {
- com_err(progname, retval,
+ com_err(progname, KRB5_KDB_NOENTRY,
"principal %s not found in Kerberos database",
mkey_fullname);
exit_status++;
return;
} else if (nentries > 1) {
- com_err(progname, retval,
+ com_err(progname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
"principal %s has multiple entries in Kerberos database",
mkey_fullname);
exit_status++;
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index 086217e..94fc858 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -442,9 +442,6 @@ static int open_db_and_mkey()
kvno = global_params.kvno; /* user specified */
else
kvno = IGNORE_VNO;
- /* kvno = (krb5_kvno) master_entry.key_data->key_data_kvno; */
-
- krb5_db_free_principal(util_context, &master_entry, nentries);
/* the databases are now open, and the master principal exists */
dbactive = TRUE;
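Review bot: Dropping the krb5_db_free_principal call changes who owns master_entry: it now outlives open_db_and_mkey so that dump_db can read it through get_next_kvno, and from what is visible nothing frees it afterwards. That is acceptable for a one-shot command, but it should be stated where the free used to be so a later cleanup does not reintroduce it, e.g. `/* master_entry is deliberately kept alive: dump_db() reads it via get_next_kvno(). It is never freed. */`. If open_db_and_mkey can be entered more than once, the previous contents would leak on re-entry; the dbactive flag set on the next line suggests a guard, but the guard itself is outside the hunk. The function begins and ends outside the hunk.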
diff --git a/src/kadmin/dbutil/kdb5_util.h b/src/kadmin/dbutil/kdb5_util.h
index 175d61c..78d283d 100644
--- a/src/kadmin/dbutil/kdb5_util.h
+++ b/src/kadmin/dbutil/kdb5_util.h
@@ -89,7 +89,9 @@ extern void update_ok_file (char *file_name);
extern int kadm5_create (kadm5_config_params *params);
extern krb5_error_code add_new_mkey(krb5_context, krb5_db_entry *,
- krb5_keyblock *, krb5_kvno *);
+ krb5_keyblock *, krb5_kvno);
+
+extern krb5_kvno get_next_kvno(krb5_context, krb5_db_entry *);
void usage (void);
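Review bot: Both prototypes in this hunk omit parameter names, so a reader of the header cannot tell that the new krb5_kvno argument of add_new_mkey is an expected kvno, that 0 disables the check, or that a mismatch is reported as KRB5_KDB_KVNONOMATCH; the declaration is where that contract belongs. Suggest `extern krb5_error_code add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_keyblock *new_mkey, krb5_kvno use_mkvno);` and `extern krb5_kvno get_next_kvno(krb5_context context, krb5_db_entry *entry);`, each preceded by a one-line comment stating what it returns and, for add_new_mkey, the meaning of use_mkvno == 0.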
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index c02778d..9ddf5bd 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -25,6 +25,11 @@
*
*/
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
#include "k5-int.h"
#include "kdb.h"
#include <string.h>
diff --git a/src/lib/krb5/error_tables/kdb5_err.et b/src/lib/krb5/error_tables/kdb5_err.et
index ae4c4bf..d0426bd 100644
--- a/src/lib/krb5/error_tables/kdb5_err.et
+++ b/src/lib/krb5/error_tables/kdb5_err.et
@@ -58,6 +58,7 @@ ec KRB5_KDB_INVALIDKEYSIZE, "Key size in database is invalid"
ec KRB5_KDB_CANTREAD_STORED, "Cannot find/read stored master key"
ec KRB5_KDB_BADSTORED_MKEY, "Stored master key is corrupted"
ec KRB5_KDB_NOACTMASTERKEY, "Cannot find active master key"
+ec KRB5_KDB_KVNONOMATCH, "KVNO of new master key does not match expected value"
ec KRB5_KDB_CANTLOCK_DB, "Insufficient access to lock database"
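Review bot: The new code is inserted before KRB5_KDB_CANTLOCK_DB rather than appended to the table; if this .et file is numbered the usual com_err way, sequentially by position, every code after the insertion point changes value, and any binary, stored log or client built against the previous table that compares numeric codes is silently broken. Unless the codes in this table are versioned together with the library, the entry should go after the last existing `ec` line instead, keeping the text `ec KRB5_KDB_KVNONOMATCH, "KVNO of new master key does not match expected value"` unchanged. The table continues past the end of the hunk, so whether anything follows KRB5_KDB_CANTLOCK_DB is not visible here.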