author | Greg Hudson <ghudson@mit.edu> | 2010-07-02 19:09:20 +0000 |
committer | Greg Hudson <ghudson@mit.edu> | 2010-07-02 19:09:20 +0000 |
commit | b119d362e2e195a61488737511be2ca7b37138b5 (patch) | |
tree | 7645a1671f6d5497f0ef8a82ee4299b2490406d2 /src/include/kdb.h | |
parent | 323fa3f74a84ee28115c4df7c7c0ea9b5b231a76 (diff) | |
download | krb5-b119d362e2e195a61488737511be2ca7b37138b5.tar.gz krb5-b119d362e2e195a61488737511be2ca7b37138b5.tar.xz krb5-b119d362e2e195a61488737511be2ca7b37138b5.zip |
Remove verify_master_key from the DAL table, as well as its associated
libkdb5 interface. Callers can (and mostly already do) use
krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create,
tests/verify, and kdb5_util dump to do so.
ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/kdb.h')
-rw-r--r-- | src/include/kdb.h | 32 |
1 files changed, 6 insertions, 26 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index a2c496967c..856cf0bdf6 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -476,10 +476,6 @@ krb5_error_code krb5_db_fetch_mkey ( krb5_context context,
 krb5_kvno *kvno,
 krb5_data *salt,
 krb5_keyblock *key);
-krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock *mkey );
 krb5_error_code krb5_db_fetch_mkey_list( krb5_context context,
 krb5_principal mname,
@@ -717,12 +713,6 @@ krb5_db_def_fetch_mkey( krb5_context context,
 char *db_args);
 krb5_error_code
-krb5_def_verify_master_key( krb5_context context,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock *mkey);
-
-krb5_error_code
 krb5_def_fetch_mkey_list( krb5_context context,
 krb5_principal mprinc,
 const krb5_keyblock *mkey,
@@ -1163,28 +1153,18 @@ typedef struct _kdb_vftabl {
 char *db_args);
 /*
- * Optional with default: Verify that the keyblock mkey is a valid master
- * key for the realm. This function used to be used by the KDC and
- * kadmind, but is now used only by kdb5_util dump -mkey_convert.
- *
- * The default implementation retrieves the master key principal and
- * attempts to decrypt its key with mkey. This only works for the current
- * master keyblock.
- */
- krb5_error_code (*verify_master_key)(krb5_context kcontext,
- krb5_principal mprinc, krb5_kvno kvno,
- krb5_keyblock *mkey);
-
- /*
 * Optional with default: Given a keyblock for some version of the
 * database's master key, fetch the decrypted master key values from the
 * database and store the list into *mkeys_list. The caller will free
 * *mkeys_list using a libkdb5 function which uses the standard free()
 * function, so the module must not use a custom allocator.
 *
- * The default implementation tries the key against the current master key
- * data and all KRB5_TL_MKEY_AUX values, which contain copies of the master
- * keys encrypted with old master keys.
+ * The caller may not know the version number of the master key it has, in
+ * which case it will pass IGNORE_VNO.
+ *
+ * The default implementation ignores kvno and tries the key against the
+ * current master key data and all KRB5_TL_MKEY_AUX values, which contain
+ * copies of the master keys encrypted with old master keys.
 */
 krb5_error_code (*fetch_master_key_list)(krb5_context kcontext,
 krb5_principal mname, |
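Review bot: The rewritten fetch_master_key_list contract still does not say what a module must return when mkey decrypts none of the stored master keys, and since the commit description routes the former verify_master_key callers through this function, that failure behaviour is now the verification contract a module has to honour. I would add to the comment: `* If mkey does not decrypt any master key, the module must return an error rather than an empty list; callers use this function to verify a candidate master keyblock.` — the default implementation's behaviour in that case is not visible here, so confirm it matches before documenting it. The comment also introduces IGNORE_VNO without saying where it is defined or that a module which does honour kvno must treat it as a wildcard; the function pointer's remaining parameters, including kvno, lie outside the hunk. Removing the verify_master_key slot shifts every later member of _kdb_vftabl, so an out-of-tree module compiled against the old layout would dispatch through the wrong pointer; presumably the DAL version is bumped elsewhere in this commit, but that is not visible in this file.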