From 229b9a209cabc0f9dbdd630c0753cb565fab99c5 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 10 Jun 2011 14:24:18 -0400
Subject: ipa-pwd-extop: Use the proper mkvno number in keys

Setting 0 will work as MIT KDCs assume the current master key when that is found. But it is a legacy compatibility mode and we should instead set the proper mkvno number on keys so changeing master key becomes possible w/o having to do a dump reload and stopping the service. This is especially important in replicated environments.
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 3 +--
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 1 +
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c | 5 +++--
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c | 3 +--
 4 files changed, 6 insertions(+), 6 deletions(-)
(limited to 'daemons/ipa-slapi-plugins')
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index d03579fa1..28b84f43b 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -680,8 +680,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 kset->major_vno = 1;
 kset->minor_vno = 1;
 kset->kvno = kvno;
- /* we also assum mkvno is 0 */
- kset->mkvno = 0;
+ kset->mkvno = krbcfg->mkvno;
 kset->keys = NULL;
 kset->num_keys = 0;
 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 75e82d3e2..ed9798829 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -105,6 +105,7 @@ struct ipapwd_encsalt {
 struct ipapwd_krbcfg {
 krb5_context krbctx;
 char *realm;
+ int mkvno;
 krb5_keyblock *kmkey;
 int num_supp_encsalts;
 struct ipapwd_encsalt *supp_encsalts;
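Review bot: The new `mkvno` member of `struct ipapwd_krbcfg` is undocumented, and nothing in the header says how it relates to `kmkey` next to it. Since the commit fills both from the same encoded master-key record, a one-line comment makes that coupling explicit for the next reader: `int mkvno; /* version number of the master key held in kmkey, read alongside it */`. Keeping the field adjacent to `kmkey`, as the commit already does, is the right placement; the rest of the struct continues outside the hunk.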
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 9e292b22e..a4b4eb6af 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -152,7 +152,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 Slapi_Attr *a;
 Slapi_Value *v;
 BerElement *be = NULL;
- ber_tag_t tag, tmp;
+ ber_tag_t tag, tvno;
 ber_int_t ttype;
 const struct berval *bval;
 struct berval *mkey = NULL;
@@ -219,12 +219,13 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 goto free_and_error;
 }
 
- tag = ber_scanf(be, "{i{iO}}", &tmp, &ttype, &mkey);
+ tag = ber_scanf(be, "{i{iO}}", &tvno, &ttype, &mkey);
 if (tag == LBER_ERROR) {
 LOG_FATAL("Bad Master key encoding ?!\n");
 goto free_and_error;
 }
 
+ config->mkvno = tvno;
 kmkey->magic = KV5M_KEYBLOCK;
 kmkey->enctype = ttype;
 kmkey->length = mkey->bv_len;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 970d26b51..6be02f9f1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -298,8 +298,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 kset->minor_vno = 1;
 /* increment kvno (will be 1 if this is a new entry) */
 kset->kvno = kvno + 1;
- /* we also assum mkvno is 0 */
- kset->mkvno = 0;
+ kset->mkvno = krbcfg->mkvno;
 
 kset->num_keys = krbcfg->num_pref_encsalts;
 kset->keys = calloc(kset->num_keys, sizeof(struct ipapwd_krbkey));
-- 
cgit
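Review bot: `tvno` is declared `ber_tag_t` in the first ipapwd_common.c hunk but is passed to `ber_scanf` under the `i` conversion in the second, next to `ttype`, which the same call declares as `ber_int_t`; the `i` conversion stores a `ber_int_t`, and where `ber_tag_t` is a wider unsigned type (as it typically is on 64-bit builds) only part of `tvno` is written before it is copied into `config->mkvno`. The old `tmp` carried the same mismatch, but its value was never read, so this commit is what makes the partially-initialized read observable, and what ends up in `mkvno` then depends on word size and byte order rather than on the encoded value. Declaring the variable with the type the conversion expects, `ber_tag_t tag;` / `ber_int_t tvno, ttype;`, removes that dependence; ipapwd_getConfig itself continues outside both hunks.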