From b119d362e2e195a61488737511be2ca7b37138b5 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 2 Jul 2010 19:09:20 +0000 Subject: Remove verify_master_key from the DAL table, as well as its associated libkdb5 interface. Callers can (and mostly already do) use krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create, tests/verify, and kdb5_util dump to do so. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/kdb.h | 32 ++++++-------------------------- 1 file changed, 6 insertions(+), 26 deletions(-) (limited to 'src/include') diff --git a/src/include/kdb.h b/src/include/kdb.h index a2c496967..856cf0bdf 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -476,10 +476,6 @@ krb5_error_code krb5_db_fetch_mkey ( krb5_context context, krb5_kvno *kvno, krb5_data *salt, krb5_keyblock *key); -krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext, - krb5_principal mprinc, - krb5_kvno kvno, - krb5_keyblock *mkey ); krb5_error_code krb5_db_fetch_mkey_list( krb5_context context, krb5_principal mname, @@ -716,12 +712,6 @@ krb5_db_def_fetch_mkey( krb5_context context, krb5_kvno *kvno, char *db_args); -krb5_error_code -krb5_def_verify_master_key( krb5_context context, - krb5_principal mprinc, - krb5_kvno kvno, - krb5_keyblock *mkey); - krb5_error_code krb5_def_fetch_mkey_list( krb5_context context, krb5_principal mprinc, 
@@ -1162,19 +1152,6 @@ typedef struct _kdb_vftabl { krb5_keyblock *key, krb5_kvno *kvno, char *db_args); - /* - * Optional with default: Verify that the keyblock mkey is a valid master - * key for the realm. This function used to be used by the KDC and - * kadmind, but is now used only by kdb5_util dump -mkey_convert. - * - * The default implementation retrieves the master key principal and - * attempts to decrypt its key with mkey. This only works for the current - * master keyblock. - */ - krb5_error_code (*verify_master_key)(krb5_context kcontext, - krb5_principal mprinc, krb5_kvno kvno, - krb5_keyblock *mkey); - /* * Optional with default: Given a keyblock for some version of the * database's master key, fetch the decrypted master key values from the @@ -1182,9 +1159,12 @@ typedef struct _kdb_vftabl { * *mkeys_list using a libkdb5 function which uses the standard free() * function, so the module must not use a custom allocator. * - * The default implementation tries the key against the current master key - * data and all KRB5_TL_MKEY_AUX values, which contain copies of the master - * keys encrypted with old master keys. + * The caller may not know the version number of the master key it has, in + * which case it will pass IGNORE_VNO. + * + * The default implementation ignores kvno and tries the key against the + * current master key data and all KRB5_TL_MKEY_AUX values, which contain + * copies of the master keys encrypted with old master keys. */ krb5_error_code (*fetch_master_key_list)(krb5_context kcontext, krb5_principal mname, -- cgit
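Review bot: The rewritten comment on `fetch_master_key_list` (last hunk) documents the IGNORE_VNO case but not the failure contract, which matters because the commit message makes this function the way callers verify a master keyblock. State that a module must return an error when the supplied keyblock decrypts none of the stored master key data, for example `* The module must fail if the keyblock decrypts no stored master key; callers rely on this to verify it.` It would also help to say what a module should do with a kvno other than IGNORE_VNO, since only the default implementation's behaviour (ignoring it) is described. The comment opens before this hunk and the member declaration continues past it.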