authorSam Hartman <hartmans@mit.edu>2010-09-15 17:13:23 +0000
committerSam Hartman <hartmans@mit.edu>2010-09-15 17:13:23 +0000
commita063fe7e5c11900df005bb2875b27f8e284dfdba (patch)
tree36fe23e89c05a9727ccbf82059e3582a6938b4f0 /src/include/kdb.h
parent4bcc98813080a3dabb94e31e974a6f74a81b2125 (diff)
kdb: store mkey list in context and permit NULL mkey for kdb_dbe_decrypt_key_data
Previously, code needed to run a loop to find the current master key, possibly fetch a new master key list and try finding the master key again around each key decryption. This was not universally done; there are cases where only the current master key was used. In addition, the correct idiom for decrypting key data is too complicated and is potentially unavailable to plugins that do not have access to the master key. Instead, store the master key list in the dal_handle whenever it is fetched and permit a NULL master key for krb5_dbe_decrypt_key_data. * Remove APIs for krb5_db_{get|set}_mkey_list * krb5_db_fetch_mkey_list: memoize master key list in dal_handle * krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later * krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument * change call sites to take advantage ticket: 6778 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24314 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/kdb.h')
-rw-r--r--src/include/kdb.h13
1 files changed, 7 insertions, 6 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index d401fd544..8b03398e5 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -350,11 +350,6 @@ krb5_error_code krb5_db_iterate ( krb5_context kcontext,
int (*func) (krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg );
-krb5_error_code krb5_db_set_mkey_list( krb5_context context,
- krb5_keylist_node * keylist);
-
-krb5_error_code krb5_db_get_mkey_list( krb5_context kcontext,
- krb5_keylist_node ** keylist);
krb5_error_code krb5_db_store_master_key ( krb5_context kcontext,
char *keyfile,
@@ -382,7 +377,9 @@ krb5_db_fetch_mkey_list( krb5_context context,
const krb5_keyblock * mkey,
krb5_kvno mkvno,
krb5_keylist_node **mkeys_list );
-
+/**
+ * Free a master keylist.
+ */
void
krb5_db_free_mkey_list( krb5_context context,
krb5_keylist_node *mkey_list );
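Review bot: The comment added above krb5_db_free_mkey_list, `Free a master keylist.`, documents the behaviour this commit removes: the description says the function no longer frees the memoized list but arranges for it to be freed later, so a reader of the header will still assume the list is released synchronously. Suggest stating the new ownership instead, e.g. `/** Release a master key list obtained from krb5_db_fetch_mkey_list(). The list is cached in the context and is not necessarily freed by this call; the caller should treat @a mkey_list as released afterwards. */`. Since the cached list holds master key material for longer than before, it is worth saying where it is finally freed (presumably at context or DAL handle teardown) so the expected lifetime of that key material is clear from the header. The krb5_db_fetch_mkey_list prototype this hunk trails begins outside the hunk, so whether the memoization is documented there is not visible here.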
@@ -411,6 +408,10 @@ krb5_db_setup_mkey_name ( krb5_context context,
char **fullname,
krb5_principal *principal);
+/**
+ * Decrypts the key given in @@a key_data. If @a mkey is specified, that
+ * master key is used. If @a mkey is NULL, then all master keys are tried.
+ */
krb5_error_code
krb5_dbe_decrypt_key_data( krb5_context context,
const krb5_keyblock * mkey,