diff options
| author | Sam Hartman <hartmans@mit.edu> | 2010-09-15 17:13:23 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2010-09-15 17:13:23 +0000 |
| commit | a063fe7e5c11900df005bb2875b27f8e284dfdba (patch) | |
| tree | 36fe23e89c05a9727ccbf82059e3582a6938b4f0 /src/kdc | |
| parent | 4bcc98813080a3dabb94e31e974a6f74a81b2125 (diff) | |
| download | krb5-a063fe7e5c11900df005bb2875b27f8e284dfdba.tar.gz krb5-a063fe7e5c11900df005bb2875b27f8e284dfdba.tar.xz krb5-a063fe7e5c11900df005bb2875b27f8e284dfdba.zip | |
kdb: store mkey list in context and permit NULL mkey for kdb_dbe_decrypt_key_data
Previously, code needed to run a loop to find the current master key,
possibly fetch a new master key list and try finding the master key
again around each key decryption. This was not universally done;
there are cases where only the current master key was used. In
addition, the correct ideom for decrypting key data is too complicated
and is potentially unavailable to plugins that do not have access to
the master key. Instead, store the master key list in the dal_handle
whenever it is fetched and permit a NULL master key for
krb5_dbe_decrypt_key_data.
* Remove APIs for krb5_db_{get|set}_mkey_list
* krb5_db_fetch_mkey_list: memoize master key list in dal_handle
* krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later
* krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument
* change call sites to take advantage
ticket: 6778
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24314 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
| -rw-r--r-- | src/kdc/do_as_req.c | 44 | ||||
| -rw-r--r-- | src/kdc/do_tgs_req.c | 23 | ||||
| -rw-r--r-- | src/kdc/kdc_preauth.c | 65 | ||||
| -rw-r--r-- | src/kdc/kdc_util.c | 24 | ||||
| -rw-r--r-- | src/kdc/main.c | 6 |
5 files changed, 10 insertions, 152 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index fa98ae3a0..557ae3dea 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -115,7 +115,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, const char *status; krb5_key_data *server_key, *client_key; krb5_keyblock server_keyblock, client_keyblock; - krb5_keyblock *mkey_ptr; krb5_enctype useenctype; krb5_data e_data; register int i; @@ -126,7 +125,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, void *pa_context = NULL; int did_log = 0; const char *emsg = 0; - krb5_keylist_node *tmp_mkey_list; struct kdc_request_state *state = NULL; krb5_data encoded_req_body; krb5_keyblock *as_encrypting_key = NULL; @@ -461,32 +459,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server, - &mkey_ptr))) { - /* try refreshing master key list */ - /* XXX it would nice if we had the mkvno here for optimization */ - if (krb5_db_fetch_mkey_list(kdc_context, master_princ, - &master_keyblock, 0, &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(kdc_context, master_keylist); - master_keylist = tmp_mkey_list; - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, - server, &mkey_ptr))) { - status = "FINDING_MASTER_KEY"; - goto errout; - } - } else { - status = "FINDING_MASTER_KEY"; - goto errout; - } - } - /* * Convert server->key into a real key * (it may be encrypted in the database) * * server_keyblock is later used to generate auth data signatures */ - if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr, + if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, server_key, &server_keyblock, NULL))) { status = "DECRYPT_SERVER_KEY"; @@ -514,27 +493,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, client, - &mkey_ptr))) { - /* try refreshing master key list */ - /* XXX it would nice if we had the mkvno here for optimization */ - if (krb5_db_fetch_mkey_list(kdc_context, master_princ, - &master_keyblock, 0, &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(kdc_context, master_keylist); - master_keylist = tmp_mkey_list; - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, - client, &mkey_ptr))) { - status = "FINDING_MASTER_KEY"; - goto errout; - } - } else { - status = "FINDING_MASTER_KEY"; - goto errout; - } - } - /* convert client.key_data into a real key */ - if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr, + if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, client_key, &client_keyblock, NULL))) { status = "DECRYPT_CLIENT_KEY"; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 2c4514ca2..b424b3edd 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -104,7 +104,6 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, krb5_keyblock session_key; krb5_timestamp rtime; krb5_keyblock *reply_key = NULL; - krb5_keyblock *mkey_ptr; krb5_key_data *server_key; char *cname = 0, *sname = 0, *altcname = 0; krb5_last_req_entry *nolrarray[2], nolrentry; @@ -625,31 +624,11 @@ tgt_again: goto cleanup; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server, - &mkey_ptr))) { - krb5_keylist_node *tmp_mkey_list; - /* try refreshing master key list */ - /* XXX it would nice if we had the mkvno here for optimization */ - if (krb5_db_fetch_mkey_list(kdc_context, master_princ, - &master_keyblock, 0, &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(kdc_context, master_keylist); - master_keylist = tmp_mkey_list; - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, - server, &mkey_ptr))) { - status = "FINDING_MASTER_KEY"; - goto cleanup; - } - } else { - status = "FINDING_MASTER_KEY"; - goto cleanup; - } - } - /* * Convert server.key into a real key * (it may be encrypted in the database) */ - if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr, + if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, server_key, &encrypting_key, NULL))) { status = "DECRYPT_SERVER_KEY"; diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 4c413d07e..503c2313b 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -711,7 +711,7 @@ get_entry_data(krb5_context context, int i, k; krb5_data *ret; krb5_deltat *delta; - krb5_keyblock *keys, *mkey_ptr; + krb5_keyblock *keys; krb5_key_data *entry_key; krb5_error_code error; struct kdc_request_state *state = request->kdc_state; @@ -748,32 +748,13 @@ get_entry_data(krb5_context context, ret->data = (char *) keys; ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1); memset(ret->data, 0, ret->length); - if ((error = krb5_dbe_find_mkey(context, master_keylist, entry, - &mkey_ptr))) { - krb5_keylist_node *tmp_mkey_list; - /* try refreshing the mkey list in case it's been updated */ - if (krb5_db_fetch_mkey_list(context, master_princ, - &master_keyblock, 0, - &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(context, master_keylist); - master_keylist = tmp_mkey_list; - if ((error = krb5_dbe_find_mkey(context, master_keylist, entry, - &mkey_ptr))) { - free(ret); - return (error); - } - } else { - free(ret); - return (error); - } - } k = 0; for (i = 0; i < request->nktypes; i++) { entry_key = NULL; if (krb5_dbe_find_enctype(context, entry, request->ktype[i], -1, 0, &entry_key) != 0) continue; - if (krb5_dbe_decrypt_key_data(context, mkey_ptr, entry_key, + if (krb5_dbe_decrypt_key_data(context, NULL, entry_key, &keys[k], NULL) != 0) { if (keys[k].contents != NULL) krb5_free_keyblock_contents(context, &keys[k]); @@ -1328,7 +1309,7 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, } key_modified = FALSE; null_item.contents = NULL; - null_item.length = NULL; + null_item.length = 0; send_pa = send_pa_list; *send_pa = 0; @@ -1430,7 +1411,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_data scratch; krb5_data enc_ts_data; krb5_enc_data *enc_data = 0; - krb5_keyblock key, *mkey_ptr; + krb5_keyblock key; krb5_key_data * client_key; krb5_int32 start; krb5_timestamp timenow; @@ -1448,24 +1429,6 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, if ((enc_ts_data.data = (char *) malloc(enc_ts_data.length)) == NULL) goto cleanup; - if ((retval = krb5_dbe_find_mkey(context, master_keylist, client, - &mkey_ptr))) { - krb5_keylist_node *tmp_mkey_list; - /* try refreshing the mkey list in case it's been updated */ - if (krb5_db_fetch_mkey_list(context, master_princ, - &master_keyblock, 0, - &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(context, master_keylist); - master_keylist = tmp_mkey_list; - if ((retval = krb5_dbe_find_mkey(context, master_keylist, client, - &mkey_ptr))) { - goto cleanup; - } - } else { - goto cleanup; - } - } - start = 0; decrypt_err = 0; while (1) { @@ -1474,7 +1437,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, -1, 0, &client_key))) goto cleanup; - if ((retval = krb5_dbe_decrypt_key_data(context, mkey_ptr, client_key, + if ((retval = krb5_dbe_decrypt_key_data(context, NULL, client_key, &key, NULL))) goto cleanup; @@ -2785,22 +2748,6 @@ static krb5_error_code verify_pkinit_request( goto cleanup; } cert_hash_len = strlen(cert_hash); - if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, &mkey_ptr))) { - krb5_keylist_node *tmp_mkey_list; - /* try refreshing the mkey list in case it's been updated */ - if (krb5_db_fetch_mkey_list(context, master_princ, - &master_keyblock, 0, - &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(context, master_keylist); - master_keylist = tmp_mkey_list; - if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, - &mkey_ptr))) { - goto cleanup; - } - } else { - goto cleanup; - } - } for(key_dex=0; key_dex<client->n_key_data; key_dex++) { krb5_key_data *key_data = &client->key_data[key_dex]; kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n", @@ -2815,7 +2762,7 @@ static krb5_error_code verify_pkinit_request( * Unfortunately this key is stored encrypted even though it's * not sensitive... */ - krtn = krb5_dbe_decrypt_key_data(context, mkey_ptr, key_data, + krtn = krb5_dbe_decrypt_key_data(context, NULL, key_data, &decrypted_key, NULL); if(krtn) { kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n"); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 61bd7fdd4..7b62b53df 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -454,7 +454,6 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, krb5_error_code retval; krb5_boolean similar; krb5_key_data * server_key; - krb5_keyblock * mkey_ptr; krb5_db_entry * server = NULL; *server_ptr = NULL; @@ -478,27 +477,6 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, goto errout; } - if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, - &mkey_ptr))) { - krb5_keylist_node *tmp_mkey_list; - /* try refreshing master key list */ - /* XXX it would nice if we had the mkvno here for optimization */ - if (krb5_db_fetch_mkey_list(kdc_context, master_princ, - &master_keyblock, 0, &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(kdc_context, master_keylist); - master_keylist = tmp_mkey_list; - retval = krb5_db_set_mkey_list(kdc_context, master_keylist); - if (retval) - goto errout; - if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, - server, &mkey_ptr))) { - goto errout; - } - } else { - goto errout; - } - } - retval = krb5_dbe_find_enctype(kdc_context, server, match_enctype ? ticket->enc_part.enctype : -1, -1, (krb5_int32)ticket->enc_part.kvno, @@ -510,7 +488,7 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, goto errout; } if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { - retval = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr, server_key, + retval = krb5_dbe_decrypt_key_data(kdc_context, NULL, server_key, *key, NULL); } else retval = ENOMEM; diff --git a/src/kdc/main.c b/src/kdc/main.c index 60a3dc02e..21c67f8b2 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -431,12 +431,6 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, goto whoops; } - kret = krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list); - if (kret) { - kdc_err(rdp->realm_context, kret, - "while setting master key list for realm %s", realm); - goto whoops; - } /* Set up the keytab */ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, |