diff options
| author | Sam Hartman <hartmans@mit.edu> | 2010-09-15 17:13:23 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2010-09-15 17:13:23 +0000 |
| commit | a063fe7e5c11900df005bb2875b27f8e284dfdba (patch) | |
| tree | 36fe23e89c05a9727ccbf82059e3582a6938b4f0 /src/lib/kadm5 | |
| parent | 4bcc98813080a3dabb94e31e974a6f74a81b2125 (diff) | |
| download | krb5-a063fe7e5c11900df005bb2875b27f8e284dfdba.tar.gz krb5-a063fe7e5c11900df005bb2875b27f8e284dfdba.tar.xz krb5-a063fe7e5c11900df005bb2875b27f8e284dfdba.zip | |
kdb: store mkey list in context and permit NULL mkey for kdb_dbe_decrypt_key_data
Previously, code needed to run a loop to find the current master key,
possibly fetch a new master key list and try finding the master key
again around each key decryption. This was not universally done;
there are cases where only the current master key was used. In
addition, the correct ideom for decrypting key data is too complicated
and is potentially unavailable to plugins that do not have access to
the master key. Instead, store the master key list in the dal_handle
whenever it is fetched and permit a NULL master key for
krb5_dbe_decrypt_key_data.
* Remove APIs for krb5_db_{get|set}_mkey_list
* krb5_db_fetch_mkey_list: memoize master key list in dal_handle
* krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later
* krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument
* change call sites to take advantage
ticket: 6778
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24314 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5')
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 53 |
1 files changed, 16 insertions, 37 deletions
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index dc1640643..c1a955aea 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -38,7 +38,7 @@ extern krb5_keylist_node *master_keylist; extern krb5_actkvno_node *active_mkey_list; extern krb5_db_entry master_db; -static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey, +static int decrypt_key_data(krb5_context context, int n_key_data, krb5_key_data *key_data, krb5_keyblock **keyblocks, int *n_keys); @@ -933,17 +933,16 @@ done: */ static kadm5_ret_t check_pw_reuse(krb5_context context, - krb5_keyblock *mkey, krb5_keyblock *hist_keyblock, int n_new_key_data, krb5_key_data *new_key_data, unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data) { - int x, y, z; + unsigned int x, y, z; krb5_keyblock newkey, histkey; krb5_error_code ret; for (x = 0; x < n_new_key_data; x++) { - ret = krb5_dbe_decrypt_key_data(context, mkey, &(new_key_data[x]), + ret = krb5_dbe_decrypt_key_data(context, NULL, &(new_key_data[x]), &newkey, NULL); if (ret) return(ret); @@ -996,7 +995,7 @@ check_pw_reuse(krb5_context context, * set to n_key_data. */ static -int create_history_entry(krb5_context context, krb5_keyblock *mkey, +int create_history_entry(krb5_context context, krb5_keyblock *hist_key, int n_key_data, krb5_key_data *key_data, osa_pw_hist_ent *hist) { @@ -1010,7 +1009,7 @@ int create_history_entry(krb5_context context, krb5_keyblock *mkey, memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data)); for (i = 0; i < n_key_data; i++) { - ret = krb5_dbe_decrypt_key_data(context, mkey, &key_data[i], &key, + ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &key, &salt); if (ret) return ret; @@ -1394,13 +1393,13 @@ kadm5_chpass_principal_3(void *server_handle, goto done; ret = create_history_entry(handle->context, - act_mkey, &hist_keyblock, + &hist_keyblock, kdb_save->n_key_data, kdb_save->key_data, &hist); if (ret) goto done; - ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock, + ret = check_pw_reuse(handle->context, &hist_keyblock, kdb->n_key_data, kdb->key_data, 1, &hist); if (ret) @@ -1410,7 +1409,7 @@ kadm5_chpass_principal_3(void *server_handle, /* If hist_kvno has changed since the last password change, we * can't check the history. */ if (adb.admin_history_kvno == hist_kvno) { - ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock, + ret = check_pw_reuse(handle->context, &hist_keyblock, kdb->n_key_data, kdb->key_data, adb.old_key_len, adb.old_keys); if (ret) @@ -1533,7 +1532,7 @@ kadm5_randkey_principal_3(void *server_handle, if (keepold) return KADM5_PROTECT_PRINCIPAL; ks_tuple = n_ks_tuple ? ks_tuple : handle->params.keysalts, - n_ks_tuple = 1; + n_ks_tuple = 1; } if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) @@ -1598,7 +1597,7 @@ kadm5_randkey_principal_3(void *server_handle, kdb->fail_auth_count = 0; if (keyblocks) { - ret = decrypt_key_data(handle->context, act_mkey, + ret = decrypt_key_data(handle->context, kdb->n_key_data, kdb->key_data, keyblocks, n_keys); if (ret) @@ -2007,7 +2006,6 @@ kadm5_get_principal_keys(void *server_handle /* IN */, osa_princ_ent_rec adb; kadm5_ret_t ret; kadm5_server_handle_t handle = server_handle; - krb5_keyblock *mkey_ptr; if (keyblocks) *keyblocks = NULL; @@ -2021,26 +2019,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */, return(ret); if (keyblocks) { - if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb, - &mkey_ptr))) { - krb5_keylist_node *tmp_mkey_list; - /* try refreshing master key list */ - /* XXX it would nice if we had the mkvno here for optimization */ - if (krb5_db_fetch_mkey_list(handle->context, master_princ, - &master_keyblock, 0, - &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(handle->context, master_keylist); - master_keylist = tmp_mkey_list; - if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, - kdb, &mkey_ptr))) { - goto done; - } - } else { - goto done; - } - } - - ret = decrypt_key_data(handle->context, mkey_ptr, + ret = decrypt_key_data(handle->context, kdb->n_key_data, kdb->key_data, keyblocks, n_keys); if (ret) @@ -2057,11 +2036,11 @@ done: /* * Allocate an array of n_key_data krb5_keyblocks, fill in each - * element with the results of decrypting the nth key in key_data with - * mkey, and if n_keys is not NULL fill it in with the + * element with the results of decrypting the nth key in key_data, + * and if n_keys is not NULL fill it in with the * number of keys decrypted. */ -static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey, +static int decrypt_key_data(krb5_context context, int n_key_data, krb5_key_data *key_data, krb5_keyblock **keyblocks, int *n_keys) { @@ -2074,7 +2053,7 @@ static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey, memset(keys, 0, n_key_data*sizeof(krb5_keyblock)); for (i = 0; i < n_key_data; i++) { - ret = krb5_dbe_decrypt_key_data(context, mkey, &key_data[i], &keys[i], + ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i], NULL); if (ret) { for (; i >= 0; i--) { @@ -2171,7 +2150,7 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle, } } - if ((ret = krb5_dbe_decrypt_key_data(handle->context, mkey_ptr, key_data, + if ((ret = krb5_dbe_decrypt_key_data(handle->context, NULL, key_data, keyblock, keysalt))) return ret; |