| author | Will Fiveash <will.fiveash@oracle.com> | 2009-01-30 23:55:14 +0000 |
|---|---|---|
| committer | Will Fiveash <will.fiveash@oracle.com> | 2009-01-30 23:55:14 +0000 |
| commit | e246f7e7b2cddfca9eb744f24e50dd034247a74b (patch) | |
| tree | 97ec348048dab2eec4206fa99df1e18adab77cf1 /src/kdc/main.c | |
| parent | 77b1e1108ca32617fe43825748c68c575e77f010 (diff) | |
Master Key Migration Project
Commit for the Master Key Migration Project.
http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration
This commit provides the ability to add a new master key (with an
enctype differing from the current master key) to the master key
principal and stash file and then migrate the encryption of existing
principals' long-term keys to use the new master key. In addition
deletion of master keys is provided.
ticket: 6354
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/main.c')
| -rw-r--r-- | src/kdc/main.c | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/src/kdc/main.c b/src/kdc/main.c index b9334680b..bb4d7584d 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -154,9 +154,12 @@ finish_realm(kdc_realm_t *rdp) if (rdp->realm_mprinc) krb5_free_principal(rdp->realm_context, rdp->realm_mprinc); if (rdp->realm_mkey.length && rdp->realm_mkey.contents) { + /* XXX shouldn't memset be zap for safety? */ memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length); free(rdp->realm_mkey.contents); } + if (rdp->mkey_list) + krb5_dbe_free_key_list(rdp->realm_context, rdp->mkey_list); krb5_db_fini(rdp->realm_context); if (rdp->realm_tgsprinc) krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc); @@ -242,6 +245,7 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm, krb5_boolean manual; krb5_realm_params *rparams; int kdb_open_flags; + krb5_kvno mkvno = IGNORE_VNO; memset((char *) rdp, 0, sizeof(kdc_realm_t)); if (!realm) { @@ -374,18 +378,25 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm, } /* - * Get the master key. + * Get the master key (note, may not be the most current mkey). */ if ((kret = krb5_db_fetch_mkey(rdp->realm_context, rdp->realm_mprinc, rdp->realm_mkey.enctype, manual, FALSE, rdp->realm_stash, - NULL, NULL, &rdp->realm_mkey))) { + &mkvno, NULL, &rdp->realm_mkey))) { com_err(progname, kret, "while fetching master key %s for realm %s", rdp->realm_mpname, realm); goto whoops; } +#if 0 /************** Begin IFDEF'ed OUT *******************************/ + /* + * Commenting krb5_db_verify_master_key out because it requires the most + * current mkey which may not be the case here. The call to + * krb5_db_fetch_mkey_list() will end up verifying that the mkey is viable + * anyway. + */ /* Verify the master key */ if ((kret = krb5_db_verify_master_key(rdp->realm_context, rdp->realm_mprinc, 
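Review bot: The new `/* XXX shouldn't memset be zap for safety? */` in finish_realm leaves the question open, and the answer is yes: the memset immediately before `free(rdp->realm_mkey.contents)` is a dead store the compiler may drop, so the master key bytes can survive in freed heap memory. Replace the comment and the memset with `zap(rdp->realm_mkey.contents, rdp->realm_mkey.length);`, the helper the comment itself proposes. The same question applies to the added `krb5_dbe_free_key_list(rdp->realm_context, rdp->mkey_list)` call: whether that routine scrubs each key's contents before freeing is not visible in this hunk and is worth confirming, since the list holds every master key version.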
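Review bot: The krb5_db_verify_master_key call is kept under `#if 0` instead of being removed, leaving dead code that will drift from the live API; the block opens in this hunk and its `#endif` is in the following hunk. Delete the disabled call and keep a short comment in its place, e.g. `/* Not verified here: the fetched mkey may not be the current one; krb5_db_fetch_mkey_list() below checks that it is usable. */`. The statement that krb5_db_fetch_mkey_list() verifies the key comes from the new comment rather than from anything visible in this diff, so it is worth confirming against that function before it becomes the only check on a manually entered master key (`manual` is passed to krb5_db_fetch_mkey a few lines above).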
@@ -395,6 +406,14 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm, "while verifying master key for realm %s", realm); goto whoops; } +#endif /**************** END IFDEF'ed OUT *******************************/ + + if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc, + &rdp->realm_mkey, mkvno, &rdp->mkey_list))) { + com_err(progname, kret, + "while fetching master keys list for realm %s", realm); + goto whoops; + } if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) { com_err(progname, kret, |
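Review bot: The new error message `"while fetching master keys list for realm %s"` omits the master principal name that the neighbouring fetch-mkey failure reports, which makes the two failures harder to tell apart in logs; change the two lines to `"while fetching master key list for %s in realm %s",` and `rdp->realm_mpname, realm);` so both report the same principal. The `goto whoops` after a failed krb5_db_fetch_mkey_list() relies on the cleanup path releasing `rdp->mkey_list` if the callee left it partially populated; that path is outside this hunk (the first hunk shows finish_realm freeing the list when non-NULL), so it holds only if the callee leaves the out-pointer NULL or valid on failure, which is worth confirming. init_realm continues outside the hunk.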
