authorGreg Hudson <ghudson@mit.edu>2012-03-21 16:57:05 +0000
committerGreg Hudson <ghudson@mit.edu>2012-03-21 16:57:05 +0000
commit57a0c5e6c3c3af0eeed0487d56b53311752a8930 (patch)
tree887daeb4dcec0cdb6d1885327eacaacdf6ca46e0 /src/kadmin
parentfd3a2c5a467a42bbb864e1ddc7fc7f5bda93e339 (diff)
Only store master key list in DAL handle
r24314 (#6778) created a hybrid ownership model for the master key list, with one virtual copy stored in the DAL handle and one provided to the caller of krb5_db_fetch_mkey_list. Replace this with a model where only the DAL handle owns the list, and a caller can get access to an alias pointer with a new function krb5_db_mkey_list_alias(). Functions which previously accepted the master key list as an input parameter now expect to find it in the DAL handle. Patch by Will Fiveash <will.fiveash@oracle.com>. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin')
-rw-r--r--src/kadmin/dbutil/dump.c7
-rw-r--r--src/kadmin/dbutil/kdb5_mkey.c34
-rw-r--r--src/kadmin/dbutil/kdb5_stash.c6
-rw-r--r--src/kadmin/dbutil/kdb5_util.c8
-rw-r--r--src/kadmin/dbutil/kdb5_util.h1
-rw-r--r--src/kadmin/server/ovsec_kadmd.c2
6 files changed, 26 insertions, 32 deletions
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index bf8c8e5bf0..326635fb10 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -295,7 +295,7 @@ krb5_error_code master_key_convert(context, db_entry)
krb5_keyblock *tmp_mkey;
key_data = &db_entry->key_data[i];
- retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey);
+ retval = krb5_dbe_find_mkey(context, db_entry, &tmp_mkey);
if (retval)
return retval;
retval = krb5_dbe_decrypt_key_data(context, tmp_mkey, key_data,
@@ -1078,7 +1078,6 @@ dump_db(argc, argv)
bool_t dump_sno = FALSE;
kdb_log_context *log_ctx;
unsigned int ipropx_version = IPROPX_VERSION_0;
- krb5_keylist_node *mkeys;
/*
* Parse the arguments.
@@ -1182,13 +1181,11 @@ dump_db(argc, argv)
exit(1);
}
retval = krb5_db_fetch_mkey_list(util_context, master_princ,
- &master_keyblock, IGNORE_VNO,
- &mkeys);
+ &master_keyblock);
if (retval) {
com_err(progname, retval, _("while verifying master key"));
exit(1);
}
- krb5_db_free_mkey_list(util_context, mkeys);
}
new_master_keyblock.enctype = global_params.enctype;
if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN)
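Review bot: The list fetched by krb5_db_fetch_mkey_list a few lines above is no longer released in dump_db, and nothing here says who now releases it; since the list now lives in the DAL handle, a comment after the call such as `/* The fetched list is owned by the DAL handle and released by krb5_db_fini, not here. */` would make the new ownership visible to the next reader. If open_db_and_mkey already stored a list in the handle before dump_db runs, this second fetch presumably replaces it; whether the earlier list is freed on replacement is decided in the kdb library part of the commit, which the src/kadmin diffstat does not include, so that is worth confirming. dump_db's body continues outside the hunk.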
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index 3952994106..21f8073d37 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -32,7 +32,6 @@
extern krb5_keyblock master_keyblock; /* current mkey */
extern krb5_kvno master_kvno;
extern krb5_principal master_princ;
-extern krb5_keylist_node *master_keylist;
extern krb5_data master_salt;
extern char *mkey_password;
extern char *progname;
@@ -77,6 +76,7 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry,
krb5_key_data tmp_key_data, *old_key_data;
krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data;
krb5_keylist_node *keylist_node;
+ krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(context);
/* do this before modifying master_entry key_data */
new_mkey_kvno = get_next_kvno(context, master_entry);
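Review bot: The new `master_keylist` local is an alias captured once at function entry, and this hunk shows no NULL check for it, unlike the identical alias in kdb5_list_mkeys which is tested on the line right after its declaration; the same applies to the alias added in kdb5_use_mkey. The rest of add_new_mkey is outside the hunk, so a check may exist further down, but if the tool proceeds without a master key list (open_db_and_mkey in kdb5_util.c warns and proceeds in that case) the alias is NULL. A one-line comment at the declaration would pin the contract: `/* Alias into the DAL-owned list; valid while the handle is open, never freed here. */`.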
@@ -372,6 +372,7 @@ kdb5_use_mkey(int argc, char *argv[])
krb5_db_entry *master_entry;
krb5_keylist_node *keylist_node;
krb5_boolean inserted = FALSE;
+ krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
memset(&master_princ, 0, sizeof(master_princ));
@@ -577,6 +578,7 @@ kdb5_list_mkeys(int argc, char *argv[])
krb5_db_entry *master_entry;
krb5_keylist_node *cur_kb_node;
krb5_keyblock *act_mkey;
+ krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
if (master_keylist == NULL) {
com_err(progname, 0, _("master keylist not initialized"));
@@ -613,8 +615,8 @@ kdb5_list_mkeys(int argc, char *argv[])
if (actkvno_list == NULL) {
act_kvno = master_entry->key_data[0].key_data_kvno;
} else {
- retval = krb5_dbe_find_act_mkey(util_context, master_keylist,
- actkvno_list, &act_kvno, &act_mkey);
+ retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
+ &act_mkey);
if (retval == KRB5_KDB_NOACTMASTERKEY) {
/* Maybe we went through a time warp, and the only keys
with activation dates have them set in the future? */
@@ -834,7 +836,7 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent)
goto skip;
}
p->re_match_count++;
- retval = krb5_dbe_get_mkvno(util_context, ent, master_keylist, &old_mkvno);
+ retval = krb5_dbe_get_mkvno(util_context, ent, &old_mkvno);
if (retval) {
com_err(progname, retval,
_("determining master key used for principal '%s'"), pname);
@@ -934,6 +936,7 @@ kdb5_update_princ_encryption(int argc, char *argv[])
#endif
char *regexp = NULL;
krb5_keyblock *tmp_keyblock = NULL;
+ krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
while ((optchar = getopt(argc, argv, "fnv")) != -1) {
switch (optchar) {
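Review bot: The `master_keylist` local added in this hunk has no remaining use in the visible parts of kdb5_update_princ_encryption: the krb5_dbe_find_mkey call later in the function drops its list argument in this same commit, so the alias is only still needed if a NULL check or other use exists in the part of the function outside the hunks. If there is none, the declaration is dead and will draw an unused-variable warning; either drop it or give it the explicit check used elsewhere in this file, `if (master_keylist == NULL) { com_err(progname, 0, _("master keylist not initialized")); exit_status++; return; }`. The function's start is outside the hunk.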
@@ -1023,8 +1026,7 @@ kdb5_update_princ_encryption(int argc, char *argv[])
master_entry->n_key_data,
master_entry->key_data);
- retval = krb5_dbe_find_mkey(util_context, master_keylist,
- master_entry, &tmp_keyblock);
+ retval = krb5_dbe_find_mkey(util_context, master_entry, &tmp_keyblock);
if (retval) {
com_err(progname, retval, _("retrieving the most recent master key"));
exit_status++;
@@ -1071,7 +1073,6 @@ kdb5_update_princ_encryption(int argc, char *argv[])
cleanup:
free(regexp);
memset(&new_master_keyblock, 0, sizeof(new_master_keyblock));
- krb5_free_keyblock(util_context, tmp_keyblock);
krb5_free_unparsed_name(util_context, mkey_fullname);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
}
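Review bot: With the krb5_free_keyblock call removed from the cleanup label, `tmp_keyblock` is now a borrowed pointer (presumably into the DAL-owned master key list, which would be why freeing it is no longer correct), but nothing at its declaration or at the krb5_dbe_find_mkey call records that. A comment at the find_mkey call, `/* tmp_keyblock aliases a key in the DAL-owned list; do not free it. */`, would stop the free from being reintroduced by a later cleanup pass. The declaration of tmp_keyblock and the find_mkey call are in earlier hunks; the function's start is outside this one.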
@@ -1098,7 +1099,7 @@ find_mkvnos_in_use(krb5_pointer ptr,
args = (struct purge_args *) ptr;
- retval = krb5_dbe_get_mkvno(args->kcontext, entry, master_keylist, &mkvno);
+ retval = krb5_dbe_get_mkvno(args->kcontext, entry, &mkvno);
if (retval)
return (retval);
@@ -1129,6 +1130,17 @@ kdb5_purge_mkeys(int argc, char *argv[])
krb5_mkey_aux_node *mkey_aux_list = NULL, *mkey_aux_entry, *prev_mkey_aux_entry;
krb5_key_data *old_key_data;
+ /*
+ * Verify that the master key list has been initialized before doing
+ * anything else.
+ */
+ if (krb5_db_mkey_list_alias(util_context) == NULL) {
+ com_err(progname, KRB5_KDB_DBNOTINITED,
+ _("master keylist not initialized"));
+ exit_status++;
+ return;
+ }
+
memset(&master_princ, 0, sizeof(master_princ));
memset(&args, 0, sizeof(args));
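Review bot: The relocated check reports the condition with `KRB5_KDB_DBNOTINITED`, while the same check in kdb5_list_mkeys, left unchanged by this commit, still passes 0 as the error code for the same message; the two should agree, and KRB5_KDB_DBNOTINITED is the more informative choice. Moving the check ahead of option parsing also means a bad command line is now reported only after the keylist test, a small ordering change worth confirming is intended. The check and its return are complete within the hunk; the rest of kdb5_purge_mkeys continues below it.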
@@ -1152,12 +1164,6 @@ kdb5_purge_mkeys(int argc, char *argv[])
}
}
- if (master_keylist == NULL) {
- com_err(progname, 0, _("master keylist not initialized"));
- exit_status++;
- return;
- }
-
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c
index 35592b8082..30ca82c413 100644
--- a/src/kadmin/dbutil/kdb5_stash.c
+++ b/src/kadmin/dbutil/kdb5_stash.c
@@ -56,7 +56,6 @@
#include "kdb5_util.h"
extern krb5_keyblock master_keyblock;
-extern krb5_keylist_node *master_keylist;
extern krb5_principal master_princ;
extern kadm5_config_params global_params;
@@ -119,8 +118,7 @@ kdb5_stash(argc, argv)
}
retval = krb5_db_fetch_mkey_list(util_context, master_princ,
- &master_keyblock, mkey_kvno,
- &master_keylist);
+ &master_keyblock);
if (retval) {
com_err(progname, retval, _("while getting master key list"));
exit_status++; return;
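Review bot: `mkey_kvno` is no longer passed to krb5_db_fetch_mkey_list, and the corresponding `master_kvno` argument is dropped from the call in open_db_and_mkey in kdb5_util.c, so a kvno requested by the caller no longer influences which list is fetched. That is fine if the preceding krb5_db_fetch_mkey call (outside the hunk) already applied the requested kvno to master_keyblock and the list is derived from that key, but the hunk does not show it. A comment at the call, `/* List is fetched for master_keyblock's kvno and stored in the DAL handle. */`, would record the assumption. kdb5_stash's body continues outside the hunk.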
@@ -130,7 +128,7 @@ kdb5_stash(argc, argv)
}
retval = krb5_db_store_master_key_list(util_context, keyfile, master_princ,
- master_keylist, NULL);
+ NULL);
if (retval) {
com_err(progname, errno, _("while storing key"));
exit_status++; return;
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index 70a04e2592..df9c080a05 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -106,7 +106,6 @@ void usage()
krb5_keyblock master_keyblock;
krb5_kvno master_kvno; /* fetched */
-extern krb5_keylist_node *master_keylist;
extern krb5_principal master_princ;
krb5_db_entry *master_entry = NULL;
int valid_master_key = 0;
@@ -485,8 +484,7 @@ static int open_db_and_mkey()
}
if ((retval = krb5_db_fetch_mkey_list(util_context, master_princ,
- &master_keyblock, master_kvno,
- &master_keylist))) {
+ &master_keyblock))) {
com_err(progname, retval, "while getting master key list");
com_err(progname, 0, "Warning: proceeding without master key list");
exit_status++;
@@ -501,7 +499,6 @@ static int open_db_and_mkey()
exit_status++;
memset(master_keyblock.contents, 0, master_keyblock.length);
krb5_free_keyblock_contents(util_context, &master_keyblock);
- krb5_db_free_mkey_list(util_context, master_keylist);
return(1);
}
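Review bot: The krb5_db_free_mkey_list calls removed here and in quit() leave the DAL handle as the only holder of the master key list, so its release now depends on krb5_db_fini (called in quit() right after the removed line) freeing it; nothing in this file states that, and if the library does not release the list in fini it leaks at exit. A comment in quit() before the krb5_db_fini call, `/* The master key list is owned by the DAL handle and freed by krb5_db_fini. */`, would document the expectation. The memset and krb5_free_keyblock_contents of master_keyblock on this error path are kept, so the keyblock itself is still cleared here; open_db_and_mkey's start is outside the hunk.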
@@ -532,7 +529,6 @@ quit()
if (finished)
return 0;
- krb5_db_free_mkey_list(util_context, master_keylist);
retval = krb5_db_fini(util_context);
memset(master_keyblock.contents, 0, master_keyblock.length);
finished = TRUE;
@@ -605,7 +601,7 @@ add_random_key(argc, argv)
free_keysalts = 1;
/* Find the mkey used to protect the existing keys */
- ret = krb5_dbe_find_mkey(util_context, master_keylist, dbent, &tmp_mkey);
+ ret = krb5_dbe_find_mkey(util_context, dbent, &tmp_mkey);
if (ret) {
com_err(me, ret, _("while finding mkey"));
krb5_db_free_principal(util_context, dbent);
diff --git a/src/kadmin/dbutil/kdb5_util.h b/src/kadmin/dbutil/kdb5_util.h
index a5754c5f67..540b69479b 100644
--- a/src/kadmin/dbutil/kdb5_util.h
+++ b/src/kadmin/dbutil/kdb5_util.h
@@ -44,7 +44,6 @@ extern krb5_db_entry master_db;
extern char **db5util_db_args;
extern int db5util_db_args_size;
extern krb5_kvno new_mkvno;
-extern krb5_keylist_node *master_keylist;
extern krb5_keyblock new_master_keyblock;
extern int add_db_arg(char *arg);
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index f38f209f14..6859144cae 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -69,8 +69,6 @@ gss_name_t gss_changepw_name = NULL, gss_oldchangepw_name = NULL;
gss_name_t gss_kadmin_name = NULL;
void *global_server_handle;
-extern krb5_keylist_node *master_keylist;
-
char *build_princ_name(char *name, char *realm);
void log_badauth(OM_uint32 major, OM_uint32 minor,
struct sockaddr_in *addr, char *data);