author | Tom Yu <tlyu@mit.edu> | 2010-10-08 03:57:28 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2010-10-08 03:57:28 +0000 |
commit | 1cc59c12550c828d487c622990d83481e8bbb6c5 (patch) | |
tree | a22d50f4041bfa23ad1001bfa6164626602885ac /src/lib/kadm5/srv | |
parent | bd7b3a76ef6ca5485ec8a8b2de4a2a5170356f84 (diff) | |
Add a kadm5 RPC for purging old keys from the KDB (e.g., from
change_password -keepold), and add a kadmin CLI command for it.
Keeping ticket open because an automated test needs to be added.
Long-term future work includes start/expire dates on keys, or
not-yet-valid flags.
ticket: 1219
status: open
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5/srv')
-rw-r--r-- | src/lib/kadm5/srv/libkadm5srv_mit.exports | 2 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 62 |
2 files changed, 64 insertions, 0 deletions
diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports
index 345957a13..49a1b8803 100644
--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports
+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports
@@ -43,6 +43,7 @@ kadm5_lock
 kadm5_modify_policy
 kadm5_modify_policy_internal
 kadm5_modify_principal
+kadm5_purgekeys
 kadm5_randkey_principal
 kadm5_randkey_principal_3
 kadm5_rename_principal
@@ -129,6 +130,7 @@ xdr_nullstring
 xdr_nulltype
 xdr_osa_princ_ent_rec
 xdr_osa_pw_hist_ent
+xdr_purgekeys_arg
 xdr_rprinc_arg
 xdr_setkey3_arg
 xdr_setkey_arg
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index e50c92237..696362ac6 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -2219,3 +2219,65 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle,
 
     return KADM5_OK;
 }
+
+kadm5_ret_t
+kadm5_purgekeys(void *server_handle,
+                krb5_principal principal,
+                int keepkvno)
+{
+    kadm5_server_handle_t handle = server_handle;
+    kadm5_ret_t ret;
+    krb5_db_entry *kdb;
+    osa_princ_ent_rec adb;
+    krb5_key_data *old_keydata;
+    int n_old_keydata;
+    int i, j, k;
+
+    CHECK_HANDLE(server_handle);
+
+    if (principal == NULL)
+        return EINVAL;
+
+    ret = kdb_get_entry(handle, principal, &kdb, &adb);
+    if (ret)
+        return(ret);
+
+    if (keepkvno <= 0) {
+        keepkvno = krb5_db_get_key_data_kvno(handle->context, kdb->n_key_data,
+                                             kdb->key_data);
+    }
+
+    old_keydata = kdb->key_data;
+    n_old_keydata = kdb->n_key_data;
+    kdb->n_key_data = 0;
+    kdb->key_data = krb5_db_alloc(handle->context, NULL,
+                                  n_old_keydata * sizeof(krb5_key_data));
+    if (kdb->key_data == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+    memset(kdb->key_data, 0, n_old_keydata * sizeof(krb5_key_data));
+    for (i = 0, j = 0; i < n_old_keydata; i++) {
+        if (old_keydata[i].key_data_kvno < keepkvno)
+            continue;
+
+        /* Alias the key_data_contents pointers; we null them out in the
+         * source array immediately after. */
+        kdb->key_data[j] = old_keydata[i];
+        for (k = 0; k < old_keydata[i].key_data_ver; k++) {
+            old_keydata[i].key_data_contents[k] = NULL;
+        }
+        j++;
+    }
+    kdb->n_key_data = j;
+    cleanup_key_data(handle->context, n_old_keydata, old_keydata);
+
+    kdb->mask = KADM5_KEY_DATA;
+    ret = kdb_put_entry(handle, kdb, &adb);
+    if (ret)
+        goto done;
+
+done:
+    kdb_free_entry(handle, kdb, &adb);
+    return ret;
+}
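Review bot: On the krb5_db_alloc failure path in kadm5_purgekeys, old_keydata has already been detached from kdb (kdb->key_data is NULL and kdb->n_key_data is 0 at that point), so the `ret = ENOMEM; goto done;` branch leaks the principal's whole old key list and kdb_free_entry at done cannot reclaim it; that block presumably holds long-term key material. Reattach it before bailing out, `kdb->key_data = old_keydata; kdb->n_key_data = n_old_keydata;` ahead of `ret = ENOMEM;`, so the done label releases it the same way it does on success. The `if (ret) goto done;` immediately before the `done:` label is a no-op and can be dropped. Whether cleanup_key_data zeroizes the discarded key_data_contents before freeing is not visible in this hunk and is worth confirming for purged keys. Nothing in the loop prevents keeping zero entries when an explicit keepkvno exceeds every stored kvno, which writes a principal with no keys back to the database; if that is unintended, a `j == 0` check before kdb_put_entry would catch it.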