| author | Greg Hudson <ghudson@mit.edu> | 2011-10-24 15:09:32 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-10-24 15:09:32 +0000 |
| commit | 7fc21c4a4a6ef8a88567f166eda1fe73784686c7 (patch) | |
| tree | c8767e5031b06fa2ccdef9fd5f6cfb8dd9c95fe4 /src/lib | |
| parent | d8b79bd61501341d9d8a4340c2c7077d302426c4 (diff) | |
Refactor salt computation into libkdb5
Add a new API krb5_dbe_compute_salt() to determine the salt for a key
data entry, and use it in the three places we currently compute salts.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25410 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 62 | ||||
| -rw-r--r-- | src/lib/kdb/kdb5.c | 50 | ||||
| -rw-r--r-- | src/lib/kdb/libkdb5.exports | 1 |
3 files changed, 66 insertions, 47 deletions
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index a9d0cdb88..d50007c52 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -725,10 +725,10 @@ kadm5_rename_principal(void *server_handle,
 {
 krb5_db_entry *kdb;
 osa_princ_ent_rec adb;
- int ret, i;
+ krb5_error_code ret;
 kadm5_server_handle_t handle = server_handle;
- krb5_int32 stype;
- krb5_data sdata;
+ krb5_int16 stype, i;
+ krb5_data *salt = NULL;
 CHECK_HANDLE(server_handle);
@@ -747,52 +747,19 @@ kadm5_rename_principal(void *server_handle,
 /* Transform salts as necessary. */
 for (i = 0; i < kdb->n_key_data; i++) {
- sdata = empty_data();
- if (kdb->key_data[i].key_data_ver > 1)
- stype = kdb->key_data[i].key_data_type[1];
- else
- stype = KRB5_KDB_SALTTYPE_NORMAL;
-
- /* For salt types which compute a salt from the principal name, compute
- * the salt based on the old principal name into sdata. */
- switch (stype) {
- case KRB5_KDB_SALTTYPE_NORMAL:
- ret = krb5_principal2salt(handle->context, kdb->princ, &sdata);
- if (ret)
- goto done;
- break;
- case KRB5_KDB_SALTTYPE_NOREALM:
- ret = krb5_principal2salt_norealm(handle->context, kdb->princ,
- &sdata);
- if (ret)
- goto done;
- break;
- case KRB5_KDB_SALTTYPE_ONLYREALM:
- ret = alloc_data(&sdata, kdb->princ->realm.length);
- if (ret)
- goto done;
- memcpy(sdata.data, kdb->princ->realm.data,
- kdb->princ->realm.length);
- break;
- case KRB5_KDB_SALTTYPE_SPECIAL:
- case KRB5_KDB_SALTTYPE_V4:
- case KRB5_KDB_SALTTYPE_AFS3:
- /* Don't compute a new salt. Assume the realm doesn't change for
- * V4 and AFS3. */
- break;
- default:
- /* We don't recognize this salt type. Be conservative. */
+ ret = krb5_dbe_compute_salt(handle->context, &kdb->key_data[i],
+ kdb->princ, &stype, &salt);
+ if (ret == KRB5_KDB_BAD_SALTTYPE)
 ret = KADM5_NO_RENAME_SALT;
+ if (ret)
 goto done;
- }
- /* If we computed a salt, store it as an explicit salt. */
- if (sdata.data != NULL) {
- kdb->key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL;
- free(kdb->key_data[i].key_data_contents[1]);
- kdb->key_data[i].key_data_contents[1] = (krb5_octet *)sdata.data;
- kdb->key_data[i].key_data_length[1] = sdata.length;
- kdb->key_data[i].key_data_ver = 2;
- }
+ kdb->key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL;
+ free(kdb->key_data[i].key_data_contents[1]);
+ kdb->key_data[i].key_data_contents[1] = (krb5_octet *)salt->data;
+ kdb->key_data[i].key_data_length[1] = salt->length;
+ kdb->key_data[i].key_data_ver = 2;
+ free(salt);
+ salt = NULL;
 }
 kadm5_free_principal(handle->context, kdb->princ);
@@ -808,6 +775,7 @@ kadm5_rename_principal(void *server_handle,
 ret = kdb_delete_entry(handle, source);
 done:
+ krb5_free_data(handle->context, salt);
 kdb_free_entry(handle, kdb, &adb);
 return ret;
 }
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 011c83bf3..380c3d69d 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
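Review bot: The rewritten loop in kadm5_rename_principal now rewrites every key to KRB5_KDB_SALTTYPE_SPECIAL, including AFS3 and V4 keys, which the removed code deliberately left untouched ("Don't compute a new salt"). Since krb5_dbe_compute_salt() returns a copy of the realm for AFS3 and an empty salt for V4, the salt bytes survive but the original salt type is discarded; if anything downstream selects the AFS3 string-to-key from that salt type (the KDC's etype-info construction, I believe, which is outside this diff), renamed AFS3 keys would stop matching the client-derived key. I would keep the old behaviour for those two types by skipping the conversion, e.g. `if (stype == KRB5_KDB_SALTTYPE_AFS3 || stype == KRB5_KDB_SALTTYPE_V4) { krb5_free_data(handle->context, salt); salt = NULL; continue; }` placed right after the error check, or at least call out the semantic change in the commit message. The loop also relies on `salt` being non-NULL on every success return from krb5_dbe_compute_salt(), which holds for the paths shown but belongs in that function's documented contract.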
@@ -2234,6 +2234,56 @@ krb5_dbe_update_tl_data(krb5_context context, krb5_db_entry *entry,
 return (0);
 }
+krb5_error_code
+krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key,
+ krb5_const_principal princ, krb5_int16 *salttype_out,
+ krb5_data **salt_out)
+{
+ krb5_error_code retval;
+ krb5_int16 stype;
+ krb5_data *salt, sdata;
+ stype = (key->key_data_ver < 2) ? KRB5_KDB_SALTTYPE_NORMAL :
+ key->key_data_type[1];
+ *salttype_out = stype;
+ *salt_out = NULL;
+ /* Place computed salt into sdata, or directly into salt_out and return. */
+ switch (stype) {
+ case KRB5_KDB_SALTTYPE_NORMAL:
+ retval = krb5_principal2salt(context, princ, &sdata);
+ if (retval)
+ return retval;
+ break;
+ case KRB5_KDB_SALTTYPE_V4:
+ sdata = empty_data();
+ break;
+ case KRB5_KDB_SALTTYPE_NOREALM:
+ retval = krb5_principal2salt_norealm(context, princ, &sdata);
+ if (retval)
+ return retval;
+ break;
+ case KRB5_KDB_SALTTYPE_AFS3:
+ case KRB5_KDB_SALTTYPE_ONLYREALM:
+ return krb5_copy_data(context, &princ->realm, salt_out);
+ case KRB5_KDB_SALTTYPE_SPECIAL:
+ sdata = make_data(key->key_data_contents[1], key->key_data_length[1]);
+ return krb5_copy_data(context, &sdata, salt_out);
+ default:
+ return KRB5_KDB_BAD_SALTTYPE;
+ }
+ /* Make a container for sdata. */
+ salt = malloc(sizeof(*salt));
+ if (salt == NULL) {
+ free(sdata.data);
+ return ENOMEM;
+ }
+ *salt = sdata;
+ *salt_out = salt;
+ return 0;
+}
+
 /* change password functions */
 krb5_error_code
 krb5_dbe_cpw(krb5_context kcontext, krb5_keyblock *master_key,
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index 3ea179a46..e32b7a1d2 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -48,6 +48,7 @@ krb5_dbe_free_strings
 krb5_dbe_get_mkvno
 krb5_dbe_get_string
 krb5_dbe_get_strings
+krb5_dbe_compute_salt
 krb5_dbe_lookup_last_admin_unlock
 krb5_dbe_lookup_last_pwd_change
 krb5_dbe_lookup_actkvno |
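Review bot: krb5_dbe_compute_salt becomes a public libkdb5 symbol in this commit (see the exports change) but has no header comment, and its contract has details a caller must get right: `*salt_out` is always a heap container to be released with krb5_free_data(), `*salttype_out` and `*salt_out` are both assigned before any failure return, the V4 case yields an empty salt (empty_data()) rather than "no salt", and an unrecognized salt type fails with KRB5_KDB_BAD_SALTTYPE. I would add a block comment above the definition (and on the prototype, presumably in the kdb header outside this diff) stating those four points, since the kadm5 caller in this same commit depends on the first two. As a style point, the function mixes two allocation paths — krb5_copy_data() for AFS3/ONLYREALM/SPECIAL and a bare `malloc(sizeof(*salt))` for the rest — and a comment such as `/* Callers free the result with krb5_free_data(); both paths allocate the container and data separately. */` would make clear that they are interchangeable to the caller.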
