Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/do_as_req.c44
-rw-r--r--src/kdc/do_tgs_req.c23
-rw-r--r--src/kdc/kdc_preauth.c65
-rw-r--r--src/kdc/kdc_util.c24
-rw-r--r--src/kdc/main.c6
5 files changed, 10 insertions, 152 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index fa98ae3a0d..557ae3dea3 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -115,7 +115,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
const char *status;
krb5_key_data *server_key, *client_key;
krb5_keyblock server_keyblock, client_keyblock;
- krb5_keyblock *mkey_ptr;
krb5_enctype useenctype;
krb5_data e_data;
register int i;
@@ -126,7 +125,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
void *pa_context = NULL;
int did_log = 0;
const char *emsg = 0;
- krb5_keylist_node *tmp_mkey_list;
struct kdc_request_state *state = NULL;
krb5_data encoded_req_body;
krb5_keyblock *as_encrypting_key = NULL;
@@ -461,32 +459,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
goto errout;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
- &mkey_ptr))) {
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(kdc_context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- server, &mkey_ptr))) {
- status = "FINDING_MASTER_KEY";
- goto errout;
- }
- } else {
- status = "FINDING_MASTER_KEY";
- goto errout;
- }
- }
-
/*
* Convert server->key into a real key
* (it may be encrypted in the database)
*
* server_keyblock is later used to generate auth data signatures
*/
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr,
+ if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
server_key, &server_keyblock,
NULL))) {
status = "DECRYPT_SERVER_KEY";
@@ -514,27 +493,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
goto errout;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, client,
- &mkey_ptr))) {
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(kdc_context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- client, &mkey_ptr))) {
- status = "FINDING_MASTER_KEY";
- goto errout;
- }
- } else {
- status = "FINDING_MASTER_KEY";
- goto errout;
- }
- }
-
/* convert client.key_data into a real key */
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr,
+ if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
client_key, &client_keyblock,
NULL))) {
status = "DECRYPT_CLIENT_KEY";
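Review bot: Passing NULL as the master key to krb5_dbe_decrypt_key_data in the hunks at lines 459 and 493 folds master-key lookup into the decrypt call, so a lookup failure is now logged under DECRYPT_SERVER_KEY / DECRYPT_CLIENT_KEY rather than the FINDING_MASTER_KEY status the deleted code set, and anyone triaging KDC logs for a stale or missing master key loses that distinction. Either keep a dedicated status by checking the error code the call returns, or document the new meaning next to the call, e.g. `/* NULL mkey: the DB layer selects the master key for server_key's mkvno; lookup failures surface through this call. */` (confirm against krb5_dbe_decrypt_key_data). The deleted refresh-on-miss fallback that re-fetched the master key list is gone too; whether the DB layer now refreshes on its own cannot be seen from this hunk. The same applies to the corresponding hunks in do_tgs_req.c and kdc_util.c. process_as_req begins and ends outside these hunks.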
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 2c4514ca20..b424b3edda 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -104,7 +104,6 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
krb5_keyblock session_key;
krb5_timestamp rtime;
krb5_keyblock *reply_key = NULL;
- krb5_keyblock *mkey_ptr;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *altcname = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
@@ -625,31 +624,11 @@ tgt_again:
goto cleanup;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(kdc_context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- server, &mkey_ptr))) {
- status = "FINDING_MASTER_KEY";
- goto cleanup;
- }
- } else {
- status = "FINDING_MASTER_KEY";
- goto cleanup;
- }
- }
-
/*
* Convert server.key into a real key
* (it may be encrypted in the database)
*/
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr,
+ if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 4c413d07e8..503c2313b8 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -711,7 +711,7 @@ get_entry_data(krb5_context context,
int i, k;
krb5_data *ret;
krb5_deltat *delta;
- krb5_keyblock *keys, *mkey_ptr;
+ krb5_keyblock *keys;
krb5_key_data *entry_key;
krb5_error_code error;
struct kdc_request_state *state = request->kdc_state;
@@ -748,32 +748,13 @@ get_entry_data(krb5_context context,
ret->data = (char *) keys;
ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1);
memset(ret->data, 0, ret->length);
- if ((error = krb5_dbe_find_mkey(context, master_keylist, entry,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing the mkey list in case it's been updated */
- if (krb5_db_fetch_mkey_list(context, master_princ,
- &master_keyblock, 0,
- &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((error = krb5_dbe_find_mkey(context, master_keylist, entry,
- &mkey_ptr))) {
- free(ret);
- return (error);
- }
- } else {
- free(ret);
- return (error);
- }
- }
k = 0;
for (i = 0; i < request->nktypes; i++) {
entry_key = NULL;
if (krb5_dbe_find_enctype(context, entry, request->ktype[i],
-1, 0, &entry_key) != 0)
continue;
- if (krb5_dbe_decrypt_key_data(context, mkey_ptr, entry_key,
+ if (krb5_dbe_decrypt_key_data(context, NULL, entry_key,
&keys[k], NULL) != 0) {
if (keys[k].contents != NULL)
krb5_free_keyblock_contents(context, &keys[k]);
@@ -1328,7 +1309,7 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
}
key_modified = FALSE;
null_item.contents = NULL;
- null_item.length = NULL;
+ null_item.length = 0;
send_pa = send_pa_list;
*send_pa = 0;
@@ -1430,7 +1411,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
krb5_data scratch;
krb5_data enc_ts_data;
krb5_enc_data *enc_data = 0;
- krb5_keyblock key, *mkey_ptr;
+ krb5_keyblock key;
krb5_key_data * client_key;
krb5_int32 start;
krb5_timestamp timenow;
@@ -1448,24 +1429,6 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
if ((enc_ts_data.data = (char *) malloc(enc_ts_data.length)) == NULL)
goto cleanup;
- if ((retval = krb5_dbe_find_mkey(context, master_keylist, client,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing the mkey list in case it's been updated */
- if (krb5_db_fetch_mkey_list(context, master_princ,
- &master_keyblock, 0,
- &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((retval = krb5_dbe_find_mkey(context, master_keylist, client,
- &mkey_ptr))) {
- goto cleanup;
- }
- } else {
- goto cleanup;
- }
- }
-
start = 0;
decrypt_err = 0;
while (1) {
@@ -1474,7 +1437,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
-1, 0, &client_key)))
goto cleanup;
- if ((retval = krb5_dbe_decrypt_key_data(context, mkey_ptr, client_key,
+ if ((retval = krb5_dbe_decrypt_key_data(context, NULL, client_key,
&key, NULL)))
goto cleanup;
@@ -2785,22 +2748,6 @@ static krb5_error_code verify_pkinit_request(
goto cleanup;
}
cert_hash_len = strlen(cert_hash);
- if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing the mkey list in case it's been updated */
- if (krb5_db_fetch_mkey_list(context, master_princ,
- &master_keyblock, 0,
- &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry,
- &mkey_ptr))) {
- goto cleanup;
- }
- } else {
- goto cleanup;
- }
- }
for(key_dex=0; key_dex<client->n_key_data; key_dex++) {
krb5_key_data *key_data = &client->key_data[key_dex];
kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n",
@@ -2815,7 +2762,7 @@ static krb5_error_code verify_pkinit_request(
* Unfortunately this key is stored encrypted even though it's
* not sensitive...
*/
- krtn = krb5_dbe_decrypt_key_data(context, mkey_ptr, key_data,
+ krtn = krb5_dbe_decrypt_key_data(context, NULL, key_data,
&decrypted_key, NULL);
if(krtn) {
kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n");
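Review bot: In get_entry_data (hunk at line 748) a master-key lookup failure used to return an error to the caller, but after the change it can only surface as a non-zero return from krb5_dbe_decrypt_key_data, which the loop treats as "skip this enctype", so a stale or missing master key now silently yields a shorter or empty key list instead of an error. If the DB layer can fail the decrypt for that reason, the loop should distinguish it from a per-key problem, or at least document the choice: `/* A decrypt failure here also covers a master-key lookup failure inside the DB layer; it is treated like an unusable key. */`. The `null_item.length = 0;` change at line 1309 is correct, length is a count rather than a pointer. In verify_pkinit_request the hunk drops the last use of mkey_ptr but its declaration is not in view; check it was removed as well. get_entry_data's loop continues past the hunk.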
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 61bd7fdd41..7b62b53df5 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -454,7 +454,6 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags,
krb5_error_code retval;
krb5_boolean similar;
krb5_key_data * server_key;
- krb5_keyblock * mkey_ptr;
krb5_db_entry * server = NULL;
*server_ptr = NULL;
@@ -478,27 +477,6 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags,
goto errout;
}
- if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(kdc_context, master_keylist);
- master_keylist = tmp_mkey_list;
- retval = krb5_db_set_mkey_list(kdc_context, master_keylist);
- if (retval)
- goto errout;
- if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist,
- server, &mkey_ptr))) {
- goto errout;
- }
- } else {
- goto errout;
- }
- }
-
retval = krb5_dbe_find_enctype(kdc_context, server,
match_enctype ? ticket->enc_part.enctype : -1,
-1, (krb5_int32)ticket->enc_part.kvno,
@@ -510,7 +488,7 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags,
goto errout;
}
if ((*key = (krb5_keyblock *)malloc(sizeof **key))) {
- retval = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr, server_key,
+ retval = krb5_dbe_decrypt_key_data(kdc_context, NULL, server_key,
*key, NULL);
} else
retval = ENOMEM;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 60a3dc02ec..21c67f8b24 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -431,12 +431,6 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname,
goto whoops;
}
- kret = krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list);
- if (kret) {
- kdc_err(rdp->realm_context, kret,
- "while setting master key list for realm %s", realm);
- goto whoops;
- }
/* Set up the keytab */
if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL,