char *match_entry,
int (*func) (krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg );
-krb5_error_code krb5_db_set_master_key_ext ( krb5_context kcontext,
- char *pwd,
- krb5_keyblock *key );
-krb5_error_code krb5_db_set_mkey ( krb5_context context,
- krb5_keyblock *key);
-krb5_error_code krb5_db_get_mkey ( krb5_context kcontext,
- krb5_keyblock **key );
krb5_error_code krb5_db_set_mkey_list( krb5_context context,
krb5_keylist_node * keylist);
krb5_kvno mkvno,
krb5_keylist_node **mkeys_list);
-krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
- char *pwd,
- krb5_keyblock *key );
-
krb5_error_code kdb_def_set_mkey_list ( krb5_context kcontext,
krb5_keylist_node *keylist );
-krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
- krb5_keyblock **key );
-
krb5_error_code kdb_def_get_mkey_list ( krb5_context kcontext,
krb5_keylist_node **keylist );
*/
void (*db_free)(krb5_context kcontext, void *ptr);
- /*
- * Optional with default: Inform the module of the master key. The module
- * may remember an alias to the provided memory. This function is called
- * at startup by the KDC and kadmind; both supply a NULL pwd argument. The
- * module should not need to use a remembered master key value, so current
- * modules do nothing with it besides return it from get_master_key, which
- * is never used. The default implementation does nothing.
- */
- krb5_error_code (*set_master_key)(krb5_context kcontext, char *pwd,
- krb5_keyblock *key);
-
- /*
- * Optional with default: Retrieve an alias to the master keyblock as
- * previously set by set_master_key. This function is not used. The
- * default implementation returns success without modifying *key, which
- * would be an invalid implementation if it were ever used.
- */
- krb5_error_code (*get_master_key)(krb5_context kcontext,
- krb5_keyblock **key);
-
/*
* Optional with default: Inform the module of the master key. The module
* may remember an alias to the provided memory. This function is called
exit(1);
}
-extern krb5_keyblock master_keyblock;
+krb5_keyblock master_keyblock;
krb5_kvno master_kvno; /* fetched */
extern krb5_keylist_node *master_keylist;
extern krb5_principal master_princ;
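Review bot: Dropping `extern` at L54 turns this line into a file-scope definition of `master_keyblock` with no initializer and no visible reader, now that the kdb-keytab code that used it (L67) is removed and the symbol is dropped from the library export list (L89). If nothing in this file still fills it, the definition is dead and should go; if something does read it, it is zero-initialized storage rather than the key fetched in lib/kadm5/server_kdb.c, which silently changes what "the master key" means here. If it must stay, make it `static krb5_keyblock master_keyblock;` and add a comment naming the writer, e.g. `/* Master key for this kadmind; filled by <writer> (TODO confirm) */`. The surrounding declarations continue outside the hunk.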
gss_name_t gss_kadmin_name = NULL;
void *global_server_handle;
-extern krb5_keyblock master_keyblock;
extern krb5_keylist_node *master_keylist;
char *build_princ_name(char *name, char *realm);
krb5_klog_syslog(LOG_ERR, "Can't set kdb keytab's internal context.");
goto kterr;
}
- /* XXX master_keyblock is in guts of lib/kadm5/server_kdb.c */
- ret = krb5_db_set_mkey(hctx, &master_keyblock);
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "Can't set master key for kdb keytab.");
- goto kterr;
- }
+ /* XXX master_keylist is in guts of lib/kadm5/server_kdb.c */
ret = krb5_db_set_mkey_list(hctx, master_keylist);
if (ret) {
krb5_klog_syslog(LOG_ERR, "Can't set master key list for kdb keytab.");
goto whoops;
}
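Review bot: The surviving failure path for krb5_db_set_mkey_list at L76 jumps to `whoops`, whereas the failure just above it at L64 and the block this commit removes (L66-71) both jumped to `kterr`. If the two labels clean up differently (both are outside the hunk), the kdb-keytab context acquired before L63 may no longer be released on this path now that the intervening `kterr` exit is gone; confirm, or change the line to `goto kterr;`. The new comment at L72 could also say who owns `master_keylist`, e.g. `/* XXX master_keylist is owned by lib/kadm5/server_kdb.c; not freed here */`, since "in guts of" says where but not whether this file may free it. The enclosing function starts and ends outside the hunk.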
- if ((kret = krb5_db_set_mkey(rdp->realm_context, &rdp->realm_mkey))) {
- kdc_err(rdp->realm_context, kret,
- "while setting master key for realm %s", realm);
- goto whoops;
- }
kret = krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list);
if (kret) {
kdc_err(rdp->realm_context, kret,
krb5_string_to_keysalts
krb5_match_config_pattern
master_db
-master_keyblock
master_keylist
master_princ
osa_free_princ_ent
static void
kdb_setup_opt_functions(db_library lib)
{
- if (lib->vftabl.set_master_key == NULL)
- lib->vftabl.set_master_key = kdb_def_set_mkey;
if (lib->vftabl.set_master_key_list == NULL)
lib->vftabl.set_master_key_list = kdb_def_set_mkey_list;
- if (lib->vftabl.get_master_key == NULL)
- lib->vftabl.get_master_key = kdb_def_get_mkey;
if (lib->vftabl.get_master_key_list == NULL)
lib->vftabl.get_master_key_list = kdb_def_get_mkey_list;
if (lib->vftabl.fetch_master_key == NULL)
return v->db_iterate(kcontext, match_entry, func, func_arg);
}
-krb5_error_code
-krb5_db_set_master_key_ext(krb5_context kcontext,
- char *pwd, krb5_keyblock * key)
-{
- krb5_error_code status = 0;
- kdb_vftabl *v;
-
- status = get_vftabl(kcontext, &v);
- if (status)
- return status;
- return v->set_master_key(kcontext, pwd, key);
-}
-
-krb5_error_code
-krb5_db_set_mkey(krb5_context context, krb5_keyblock * key)
-{
- return krb5_db_set_master_key_ext(context, NULL, key);
-}
-
krb5_error_code
krb5_db_set_mkey_list(krb5_context kcontext,
krb5_keylist_node * keylist)
return v->set_master_key_list(kcontext, keylist);
}
-krb5_error_code
-krb5_db_get_mkey(krb5_context kcontext, krb5_keyblock ** key)
-{
- krb5_error_code status = 0;
- kdb_vftabl *v;
-
- status = get_vftabl(kcontext, &v);
- if (status)
- return status;
- return v->get_master_key(kcontext, key);
-}
-
krb5_error_code
krb5_db_get_mkey_list(krb5_context kcontext, krb5_keylist_node ** keylist)
{
return retval;
}
-krb5_error_code kdb_def_set_mkey ( krb5_context kcontext,
- char *pwd,
- krb5_keyblock *key )
-{
- /* printf("default set master key\n"); */
- return 0;
-}
-
-krb5_error_code kdb_def_get_mkey ( krb5_context kcontext,
- krb5_keyblock **key )
-{
- /* printf("default get master key\n"); */
- return 0;
-}
-
krb5_error_code kdb_def_set_mkey_list ( krb5_context kcontext,
krb5_keylist_node *keylist )
{
krb5_db_free_principal
krb5_db_get_age
krb5_db_get_key_data_kvno
-krb5_db_get_mkey
krb5_db_get_mkey_list
krb5_db_get_context
krb5_db_get_principal
krb5_db_lock
krb5_db_put_principal
krb5_db_set_context
-krb5_db_set_mkey
krb5_db_set_mkey_list
krb5_db_setup_mkey_name
krb5_db_unlock
( krb5_context kcontext, osa_policy_ent_t entry ),
(kcontext, entry));
-WRAP_K (krb5_db2_set_master_key_ext,
- ( krb5_context kcontext, char *pwd, krb5_keyblock *key),
- (kcontext, pwd, key));
-WRAP_K (krb5_db2_db_get_mkey,
- ( krb5_context context, krb5_keyblock **key),
- (context, key));
-
WRAP_K (krb5_db2_db_set_mkey_list,
( krb5_context kcontext, krb5_keylist_node *keylist),
(kcontext, keylist));
/* db_free_policy */ wrap_krb5_db2_free_policy,
/* db_alloc */ krb5_db2_alloc,
/* db_free */ krb5_db2_free,
- /* set_master_key */ wrap_krb5_db2_set_master_key_ext,
- /* get_master_key */ wrap_krb5_db2_db_get_mkey,
/* set_master_key_list */ wrap_krb5_db2_db_set_mkey_list,
/* get_master_key_list */ wrap_krb5_db2_db_get_mkey_list,
/* blah blah blah */ 0,0,0,0,0,0,0,0,
return retval;
}
-/*
- * Set/Get the master key associated with the database
- */
-krb5_error_code
-krb5_db2_db_set_mkey(krb5_context context, krb5_keyblock *key)
-{
- krb5_db2_context *db_ctx;
-
- if (!k5db2_inited(context))
- return (KRB5_KDB_DBNOTINITED);
-
- db_ctx = context->dal_handle->db_context;
- db_ctx->db_master_key = key;
- return 0;
-}
-
-krb5_error_code
-krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key)
-{
- krb5_db2_context *db_ctx;
-
- if (!k5db2_inited(context))
- return (KRB5_KDB_DBNOTINITED);
-
- db_ctx = context->dal_handle->db_context;
- *key = db_ctx->db_master_key;
-
- return 0;
-}
-
krb5_error_code
krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *key_list)
{
return destroy_db(context, db_ctx->db_name);
}
-krb5_error_code
-krb5_db2_set_master_key_ext(krb5_context context,
- char *pwd, krb5_keyblock * key)
-{
- return krb5_db2_db_set_mkey(context, key);
-}
-
void *
krb5_db2_alloc(krb5_context context, void *ptr, size_t size)
{
int db_locks_held; /* Number of times locked */
int db_lock_mode; /* Last lock mode, e.g. greatest*/
krb5_boolean db_nb_locks; /* [Non]Blocking lock modes */
- krb5_keyblock *db_master_key; /* Master key of database */
krb5_keylist_node *db_master_key_list; /* Master key list of database */
osa_adb_policy_t policy_db;
krb5_boolean tempdb;
krb5_error_code krb5_db2_db_open_database(krb5_context);
krb5_error_code krb5_db2_db_close_database(krb5_context);
-krb5_error_code
-krb5_db2_set_master_key_ext(krb5_context kcontext, char *pwd,
- krb5_keyblock *key);
-
-krb5_error_code
-krb5_db2_db_set_mkey(krb5_context context, krb5_keyblock *key);
-
-krb5_error_code
-krb5_db2_db_get_mkey(krb5_context context, krb5_keyblock **key);
-
krb5_error_code
krb5_db2_db_set_mkey_list(krb5_context context, krb5_keylist_node *keylist);
/* db_alloc */ krb5_ldap_alloc,
/* db_free */ krb5_ldap_free,
/* optional functions */
- /* set_master_key */ krb5_ldap_set_mkey,
- /* get_master_key */ krb5_ldap_get_mkey,
/* set_master_key_list */ krb5_ldap_set_mkey_list,
/* get_master_key_list */ krb5_ldap_get_mkey_list,
/* setup_master_key_name */ NULL,
static void print_realm_params(krb5_ldap_realm_params *rparams, int mask);
static int kdb_ldap_create_principal (krb5_context context, krb5_principal
- princ, enum ap_op op, struct realm_info *pblock);
+ princ, enum ap_op op,
+ struct realm_info *pblock,
+ const krb5_keyblock *master_keyblock);
static char *strdur(time_t duration);
mkey_password = pw_str;
}
- rparams->mkey.enctype = global_params.enctype;
- /* We are sure that 'mkey_password' is a regular string ... */
- rparams->mkey.length = strlen(mkey_password) + 1;
- rparams->mkey.contents = (krb5_octet *)strdup(mkey_password);
- if (rparams->mkey.contents == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
-
rparams->realm_name = strdup(global_params.realm);
if (rparams->realm_name == NULL) {
retval = ENOMEM;
goto err_nomsg;
}
- retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype,
+ retval = krb5_c_string_to_key(util_context, global_params.enctype,
&pwd, &master_salt, &master_keyblock);
if (master_salt.data)
}
- rblock.key = &master_keyblock;
- ldap_context->lrparams->mkey = master_keyblock;
- ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc
- (master_keyblock.length);
- if (ldap_context->lrparams->mkey.contents == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents,
- master_keyblock.length);
-
/* Create special principals inside the realm subtree */
{
char princ_name[MAX_PRINC_SIZE];
/* Create 'K/M' ... */
rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX;
- if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) {
+ if ((retval = kdb_ldap_create_principal(util_context, master_princ,
+ MASTER_KEY, &rblock,
+ &master_keyblock))) {
com_err(progname, retval, "while adding entries to the database");
goto err_nomsg;
}
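Review bot: With the copy into `ldap_context->lrparams->mkey` removed (L305-313), the `master_keyblock` derived at L301 is the only in-memory copy of the master key in this utility, and the realm-params teardown this commit also deletes (L476-479) was the only place in the diff that wiped master-key bytes before freeing them. kdb5_ldap_create's exit paths (`err_nomsg` and the function's normal return, both outside the hunk) should therefore release it with `krb5_free_keyblock_contents(util_context, &master_keyblock);`, which clears the key bytes before freeing; I cannot see from the hunk whether that already happens on every path. Note that this hunk also deletes the only visible assignment of `rblock.key` (L304) while `rblock` is still passed to every kdb_ldap_create_principal call below; if nothing else sets that member, its value now depends on how `rblock` was initialized further up the function.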
/* Create 'krbtgt' ... */
rblock.flags = 0; /* reset the flags */
- if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) {
+ if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ,
+ TGT_KEY, &rblock,
+ &master_keyblock))) {
com_err(progname, retval, "while adding entries to the database");
goto err_nomsg;
}
}
rblock.max_life = ADMIN_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
- if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+ if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY,
+ &rblock, &master_keyblock))) {
krb5_free_principal(util_context, p);
com_err(progname, retval, "while adding entries to the database");
goto err_nomsg;
rblock.max_life = CHANGEPW_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED |
KRB5_KDB_PWCHANGE_SERVICE;
- if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+ if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY,
+ &rblock, &master_keyblock))) {
krb5_free_principal(util_context, p);
com_err(progname, retval, "while adding entries to the database");
goto err_nomsg;
}
rblock.max_life = global_params.max_life;
rblock.flags = 0;
- if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
+ if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY,
+ &rblock, &master_keyblock))) {
krb5_free_principal(util_context, p);
com_err(progname, retval, "while adding entries to the database");
goto err_nomsg;
rblock.max_life = ADMIN_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
- if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
+ if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY,
+ &rblock, &master_keyblock))) {
krb5_free_principal(util_context, p);
com_err(progname, retval, "while adding entries to the database");
goto err_nomsg;
*/
static int
kdb_ldap_create_principal(krb5_context context, krb5_principal princ,
- enum ap_op op, struct realm_info *pblock)
+ enum ap_op op, struct realm_info *pblock,
+ const krb5_keyblock *master_keyblock)
{
int retval=0, currlen=0, princtype = 2 /* Service Principal */;
unsigned char *curr=NULL;
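Review bot: The new `master_keyblock` parameter has no documentation on either the prototype (L281) or the definition (L376), and its name is the same as the object the callers pass by address (`&master_keyblock`, L301, L323); if that object is file-scope, the parameter shadows it and `-Wshadow` will flag it, and inside this function `&master_keyblock` now means pointer-to-pointer. A short contract comment above the definition would help, e.g. `/* master_keyblock: key under which the new entry's key data is wrapped; read-only, caller retains ownership */`, and a distinct name such as `mkey` would remove the ambiguity. The function body continues past the hunk.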
goto cleanup;
}
kvno = 1; /* New key is getting set */
- retval = krb5_dbekd_encrypt_key_data(context,
- &ldap_context->lrparams->mkey,
+ retval = krb5_dbekd_encrypt_key_data(context, master_keyblock,
&key, NULL, kvno,
&entry.key_data[entry.n_key_data - 1]);
krb5_free_keyblock_contents(context, &key);
entry.n_key_data++;
kvno = 1; /* New key is getting set */
retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
- &ldap_context->lrparams->mkey,
- NULL, kvno,
+ master_keyblock, NULL, kvno,
&entry.key_data[entry.n_key_data - 1]);
if (retval) {
goto cleanup;
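Review bot: After this change the TGT_KEY branch calls `krb5_dbekd_encrypt_key_data(context, pblock->key, master_keyblock, NULL, kvno, ...)`, so `master_keyblock` sits in the second position while the MASTER_KEY branch at L385 passes it first; if I read that API correctly (wrapping master key first, key to be stored second), the two branches now disagree about which key is the wrapper. At the same time the only visible assignment `rblock.key = &master_keyblock;` (L304) is deleted, so unless `rblock.key` is set somewhere outside the diff, `pblock->key` is whatever the caller's struct initialization left in it and the krbtgt key data would be wrapped under an unset pointer instead of the realm master key. Before the change both arguments resolved to the master key (`pblock->key` pointed at `master_keyblock`, `lrparams->mkey` was a copy of it, L304-313), so the behaviour-preserving line is `retval = krb5_dbekd_encrypt_key_data(context, master_keyblock, master_keyblock, NULL, kvno,`; if the intent is for krbtgt to receive its own key as the MASTER_KEY branch does with `key` (L386), that needs a separate keyblock generated here. The `switch` and the rest of the function lie outside the hunk.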
void
krb5_ldap_free( krb5_context kcontext, void *ptr );
-krb5_error_code
-krb5_ldap_get_mkey(krb5_context, krb5_keyblock **);
-
-krb5_error_code
-krb5_ldap_set_mkey(krb5_context, char *, krb5_keyblock *);
krb5_error_code
krb5_ldap_get_mkey_list (krb5_context context, krb5_keylist_node **key_list);
#include "ldap_main.h"
#include "kdb_ldap.h"
-/*
- * get the master key from the database specific context
- */
-
-krb5_error_code
-krb5_ldap_get_mkey(krb5_context context, krb5_keyblock **key)
-{
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
-
- /* Clear the global error string */
- krb5_clear_error_message(context);
-
- dal_handle = context->dal_handle;
- ldap_context = (krb5_ldap_context *) dal_handle->db_context;
-
- if (ldap_context == NULL || ldap_context->lrparams == NULL)
- return KRB5_KDB_DBNOTINITED;
-
- *key = &ldap_context->lrparams->mkey;
- return 0;
-}
-
-
-/*
- * set the master key into the database specific context
- */
-
-krb5_error_code
-krb5_ldap_set_mkey(krb5_context context, char *pwd, krb5_keyblock *key)
-{
- kdb5_dal_handle *dal_handle=NULL;
- krb5_ldap_context *ldap_context=NULL;
- krb5_ldap_realm_params *r_params = NULL;
-
- /* Clear the global error string */
- krb5_clear_error_message(context);
-
- dal_handle = context->dal_handle;
- ldap_context = (krb5_ldap_context *) dal_handle->db_context;
-
- if (ldap_context == NULL || ldap_context->lrparams == NULL)
- return KRB5_KDB_DBNOTINITED;
-
- r_params = ldap_context->lrparams;
-
- if (r_params->mkey.contents) {
- free (r_params->mkey.contents);
- r_params->mkey.contents=NULL;
- }
-
- r_params->mkey.magic = key->magic;
- r_params->mkey.enctype = key->enctype;
- r_params->mkey.length = key->length;
- r_params->mkey.contents = malloc(key->length);
- if (r_params->mkey.contents == NULL)
- return ENOMEM;
-
- memcpy(r_params->mkey.contents, key->contents, key->length);
- return 0;
-}
-
krb5_error_code
krb5_ldap_get_mkey_list(krb5_context context, krb5_keylist_node **key_list)
{
krb5_xfree(rparams->tl_data);
}
- if (rparams->mkey.contents) {
- memset(rparams->mkey.contents, 0, rparams->mkey.length);
- krb5_xfree(rparams->mkey.contents);
- }
-
krb5_xfree(rparams);
}
return;
char **adminservers;
char **passwdservers;
krb5_tl_data *tl_data;
- krb5_keyblock mkey;
krb5_keylist_node *mkey_list; /* all master keys in use for the realm */
long mask;
} krb5_ldap_realm_params;
krb5_ldap_free_krbcontainer_params
krb5_ldap_alloc
krb5_ldap_free
-krb5_ldap_set_mkey
-krb5_ldap_get_mkey
disjoint_members
krb5_ldap_delete_realm_1
krb5_ldap_lock
krb5_ldap_unlock
-krb5_ldap_errcode_2_string
-krb5_ldap_release_errcode_string
krb5_ldap_create
krb5_ldap_set_mkey_list
krb5_ldap_get_mkey_list