author | Greg Hudson <ghudson@mit.edu> | 2013-10-23 18:56:20 -0400 |
committer | Greg Hudson <ghudson@mit.edu> | 2013-10-25 11:36:11 -0400 |
commit | 74c1420ea4dffc1105247e362decf608440751ae (patch) | |
tree | ddd0a475e0437bdb8d2797e490d300c1088b510b | |
parent | f9d6353922393936ab7125d1f04e577857909a99 (diff) | |
Don't cache active master key list in kadmind
"kdb5_util use_mkey" should not require a kadmind restart to take
effect. At the cost of fetching the K/M principal once for each key
change operation, make kadmind use the current active master key list
for each operation.
ticket: 7685
target_version: 1.12
tags: pullup
-rw-r--r-- | src/lib/kadm5/server_internal.h | 3 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_kdb.c | 25 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 16 |
3 files changed, 26 insertions, 18 deletions
diff --git a/src/lib/kadm5/server_internal.h b/src/lib/kadm5/server_internal.h
index 220e2b694f..e506e12ea7 100644
--- a/src/lib/kadm5/server_internal.h
+++ b/src/lib/kadm5/server_internal.h
@@ -78,6 +78,9 @@ kadm5_ret_t passwd_check(kadm5_server_handle_t handle,
 kadm5_ret_t principal_exists(krb5_principal principal);
 krb5_error_code kdb_init_master(kadm5_server_handle_t handle, char *r,
 int from_keyboard);
+krb5_error_code kdb_get_active_mkey(kadm5_server_handle_t handle,
+ krb5_kvno *act_kvno_out,
+ krb5_keyblock **act_mkey_out);
 krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r);
 krb5_error_code kdb_get_hist_key(kadm5_server_handle_t handle,
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 8a82237c34..20a8db7b45 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -18,7 +18,6 @@
 krb5_principal master_princ;
 krb5_keyblock master_keyblock; /* local mkey */
-krb5_actkvno_node *active_mkey_list = NULL;
 krb5_db_entry master_db;
 krb5_principal hist_princ;
@@ -73,12 +72,6 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
 return (ret);
 }
- if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
- &active_mkey_list))) {
- krb5_db_fini(handle->context);
- return (ret);
- }
-
 done:
 if (r == NULL)
 free(realm);
@@ -86,6 +79,24 @@ done:
 return(ret);
 }
+/* Fetch the currently active master key version number and keyblock. */
+krb5_error_code
+kdb_get_active_mkey(kadm5_server_handle_t handle, krb5_kvno *act_kvno_out,
+ krb5_keyblock **act_mkey_out)
+{
+ krb5_error_code ret;
+ krb5_actkvno_node *active_mkey_list;
+
+ ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
+ &active_mkey_list);
+ if (ret)
+ return ret;
+ ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list,
+ act_kvno_out, act_mkey_out);
+ krb5_dbe_free_actkvno_list(handle->context, active_mkey_list);
+ return ret;
+}
+
 /*
 * Function: kdb_init_hist
 *
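Review bot: In kdb_get_active_mkey (server_kdb.c, third hunk) active_mkey_list is freed immediately after krb5_dbe_find_act_mkey has stored *act_mkey_out, so the function is only correct if that keyblock pointer does not alias the freed list; presumably it points into the master key list the context already holds, as it did while the list was cached, but that lifetime is now what every caller depends on and the one-line comment should state it. The comment should also say that act_kvno_out may be NULL, since kadm5_randkey_principal_3 and the other svr_principal.c callers pass NULL, and that the caller must not free *act_mkey_out. Suggested comment: `/* Fetch the currently active master key version number and keyblock.  act_kvno_out may be NULL.  *act_mkey_out points into the context's master key list, not into the actkvno list freed here, and is not owned by the caller. */`. The declaration added to server_internal.h in the first hunk should carry the same note, since that is the text callers read.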
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index d6035b0e31..7681636a73 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -25,7 +25,6 @@
 extern krb5_principal master_princ;
 extern krb5_principal hist_princ;
 extern krb5_keyblock master_keyblock;
-extern krb5_actkvno_node *active_mkey_list;
 extern krb5_db_entry master_db;
 static int decrypt_key_data(krb5_context context,
@@ -512,8 +511,7 @@ kadm5_create_principal_3(void *server_handle,
 /* initialize the keys */
- ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
- &act_mkey);
+ ret = kdb_get_active_mkey(handle, &act_kvno, &act_mkey);
 if (ret)
 goto cleanup;
@@ -1431,8 +1429,7 @@ kadm5_chpass_principal_3(void *server_handle,
 principal)))
 goto done;
- ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno,
- &act_mkey);
+ ret = kdb_get_active_mkey(handle, &act_kvno, &act_mkey);
 if (ret)
 goto done;
@@ -1629,8 +1626,7 @@ kadm5_randkey_principal_3(void *server_handle,
 new_n_ks_tuple = 1;
 }
- ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
- &act_mkey);
+ ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
 if (ret)
 goto done;
@@ -1779,8 +1775,7 @@ kadm5_setv4key_principal(void *server_handle,
 keysalt.data.length = 0;
 keysalt.data.data = NULL;
- ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
- &act_mkey);
+ ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
 if (ret)
 goto done;
@@ -2027,8 +2022,7 @@ kadm5_setkey_principal_3(void *server_handle,
 }
 memset (&tmp_key_data, 0, sizeof(tmp_key_data));
- ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL,
- &act_mkey);
+ ret = kdb_get_active_mkey(handle, NULL, &act_mkey);
 if (ret)
 goto done;
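Review bot: Each call site now re-reads the actkvno list from the K/M entry per operation, but the keyblock that krb5_dbe_find_act_mkey resolves for the active kvno still comes from whatever master key list was loaded at kdb_init_master, which this commit does not refresh; if `kdb5_util use_mkey` activates a kvno that was added after kadmind started, the lookup would presumably fail with a no-matching-key error on every key change until a restart, which is the restart the commit sets out to avoid, so this is worth confirming against krb5_dbe_find_act_mkey or handled by refreshing the master key list inside kdb_get_active_mkey. The same replacement appears in kadm5_create_principal_3, kadm5_chpass_principal_3, kadm5_randkey_principal_3, kadm5_setv4key_principal and kadm5_setkey_principal_3, whose bodies all start and end outside the hunks. A side effect worth a line in the commit message is that an unreadable K/M entry is no longer detected at kdb_init_master but surfaces as a per-operation error at these five sites.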