int (*func) (krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg );
-krb5_error_code krb5_db_set_mkey_list( krb5_context context,
- krb5_keylist_node * keylist);
-
-krb5_error_code krb5_db_get_mkey_list( krb5_context kcontext,
- krb5_keylist_node ** keylist);
krb5_error_code krb5_db_store_master_key ( krb5_context kcontext,
char *keyfile,
const krb5_keyblock * mkey,
krb5_kvno mkvno,
krb5_keylist_node **mkeys_list );
-
+/**
+ * Free a master keylist.
+ */
void
krb5_db_free_mkey_list( krb5_context context,
krb5_keylist_node *mkey_list );
char **fullname,
krb5_principal *principal);
+/**
+ * Decrypts the key given in @@a key_data. If @a mkey is specified, that
+ * master key is used. If @a mkey is NULL, then all master keys are tried.
+ */
krb5_error_code
krb5_dbe_decrypt_key_data( krb5_context context,
const krb5_keyblock * mkey,
krb5_klog_syslog(LOG_ERR, "Can't set kdb keytab's internal context.");
goto kterr;
}
- /* XXX master_keylist is in guts of lib/kadm5/server_kdb.c */
- ret = krb5_db_set_mkey_list(hctx, master_keylist);
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "Can't set master key list for kdb keytab.");
- goto kterr;
- }
ret = krb5_kt_register(context, &krb5_kt_kdb_ops);
if (ret) {
krb5_klog_syslog(LOG_ERR, "Can't register kdb keytab.");
const char *status;
krb5_key_data *server_key, *client_key;
krb5_keyblock server_keyblock, client_keyblock;
- krb5_keyblock *mkey_ptr;
krb5_enctype useenctype;
krb5_data e_data;
register int i;
void *pa_context = NULL;
int did_log = 0;
const char *emsg = 0;
- krb5_keylist_node *tmp_mkey_list;
struct kdc_request_state *state = NULL;
krb5_data encoded_req_body;
krb5_keyblock *as_encrypting_key = NULL;
goto errout;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
- &mkey_ptr))) {
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(kdc_context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- server, &mkey_ptr))) {
- status = "FINDING_MASTER_KEY";
- goto errout;
- }
- } else {
- status = "FINDING_MASTER_KEY";
- goto errout;
- }
- }
-
/*
* Convert server->key into a real key
* (it may be encrypted in the database)
*
* server_keyblock is later used to generate auth data signatures
*/
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr,
+ if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
server_key, &server_keyblock,
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto errout;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, client,
- &mkey_ptr))) {
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(kdc_context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- client, &mkey_ptr))) {
- status = "FINDING_MASTER_KEY";
- goto errout;
- }
- } else {
- status = "FINDING_MASTER_KEY";
- goto errout;
- }
- }
-
/* convert client.key_data into a real key */
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr,
+ if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
client_key, &client_keyblock,
NULL))) {
status = "DECRYPT_CLIENT_KEY";
krb5_keyblock session_key;
krb5_timestamp rtime;
krb5_keyblock *reply_key = NULL;
- krb5_keyblock *mkey_ptr;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *altcname = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
goto cleanup;
}
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(kdc_context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
- server, &mkey_ptr))) {
- status = "FINDING_MASTER_KEY";
- goto cleanup;
- }
- } else {
- status = "FINDING_MASTER_KEY";
- goto cleanup;
- }
- }
-
/*
* Convert server.key into a real key
* (it may be encrypted in the database)
*/
- if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr,
+ if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
int i, k;
krb5_data *ret;
krb5_deltat *delta;
- krb5_keyblock *keys, *mkey_ptr;
+ krb5_keyblock *keys;
krb5_key_data *entry_key;
krb5_error_code error;
struct kdc_request_state *state = request->kdc_state;
ret->data = (char *) keys;
ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1);
memset(ret->data, 0, ret->length);
- if ((error = krb5_dbe_find_mkey(context, master_keylist, entry,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing the mkey list in case it's been updated */
- if (krb5_db_fetch_mkey_list(context, master_princ,
- &master_keyblock, 0,
- &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((error = krb5_dbe_find_mkey(context, master_keylist, entry,
- &mkey_ptr))) {
- free(ret);
- return (error);
- }
- } else {
- free(ret);
- return (error);
- }
- }
k = 0;
for (i = 0; i < request->nktypes; i++) {
entry_key = NULL;
if (krb5_dbe_find_enctype(context, entry, request->ktype[i],
-1, 0, &entry_key) != 0)
continue;
- if (krb5_dbe_decrypt_key_data(context, mkey_ptr, entry_key,
+ if (krb5_dbe_decrypt_key_data(context, NULL, entry_key,
&keys[k], NULL) != 0) {
if (keys[k].contents != NULL)
krb5_free_keyblock_contents(context, &keys[k]);
}
key_modified = FALSE;
null_item.contents = NULL;
- null_item.length = NULL;
+ null_item.length = 0;
send_pa = send_pa_list;
*send_pa = 0;
krb5_data scratch;
krb5_data enc_ts_data;
krb5_enc_data *enc_data = 0;
- krb5_keyblock key, *mkey_ptr;
+ krb5_keyblock key;
krb5_key_data * client_key;
krb5_int32 start;
krb5_timestamp timenow;
if ((enc_ts_data.data = (char *) malloc(enc_ts_data.length)) == NULL)
goto cleanup;
- if ((retval = krb5_dbe_find_mkey(context, master_keylist, client,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing the mkey list in case it's been updated */
- if (krb5_db_fetch_mkey_list(context, master_princ,
- &master_keyblock, 0,
- &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((retval = krb5_dbe_find_mkey(context, master_keylist, client,
- &mkey_ptr))) {
- goto cleanup;
- }
- } else {
- goto cleanup;
- }
- }
-
start = 0;
decrypt_err = 0;
while (1) {
-1, 0, &client_key)))
goto cleanup;
- if ((retval = krb5_dbe_decrypt_key_data(context, mkey_ptr, client_key,
+ if ((retval = krb5_dbe_decrypt_key_data(context, NULL, client_key,
&key, NULL)))
goto cleanup;
goto cleanup;
}
cert_hash_len = strlen(cert_hash);
- if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing the mkey list in case it's been updated */
- if (krb5_db_fetch_mkey_list(context, master_princ,
- &master_keyblock, 0,
- &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry,
- &mkey_ptr))) {
- goto cleanup;
- }
- } else {
- goto cleanup;
- }
- }
for(key_dex=0; key_dex<client->n_key_data; key_dex++) {
krb5_key_data *key_data = &client->key_data[key_dex];
kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n",
* Unfortunately this key is stored encrypted even though it's
* not sensitive...
*/
- krtn = krb5_dbe_decrypt_key_data(context, mkey_ptr, key_data,
+ krtn = krb5_dbe_decrypt_key_data(context, NULL, key_data,
&decrypted_key, NULL);
if(krtn) {
kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n");
krb5_error_code retval;
krb5_boolean similar;
krb5_key_data * server_key;
- krb5_keyblock * mkey_ptr;
krb5_db_entry * server = NULL;
*server_ptr = NULL;
goto errout;
}
- if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
- &master_keyblock, 0, &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(kdc_context, master_keylist);
- master_keylist = tmp_mkey_list;
- retval = krb5_db_set_mkey_list(kdc_context, master_keylist);
- if (retval)
- goto errout;
- if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist,
- server, &mkey_ptr))) {
- goto errout;
- }
- } else {
- goto errout;
- }
- }
-
retval = krb5_dbe_find_enctype(kdc_context, server,
match_enctype ? ticket->enc_part.enctype : -1,
-1, (krb5_int32)ticket->enc_part.kvno,
goto errout;
}
if ((*key = (krb5_keyblock *)malloc(sizeof **key))) {
- retval = krb5_dbe_decrypt_key_data(kdc_context, mkey_ptr, server_key,
+ retval = krb5_dbe_decrypt_key_data(kdc_context, NULL, server_key,
*key, NULL);
} else
retval = ENOMEM;
goto whoops;
}
- kret = krb5_db_set_mkey_list(rdp->realm_context, rdp->mkey_list);
- if (kret) {
- kdc_err(rdp->realm_context, kret,
- "while setting master key list for realm %s", realm);
- goto whoops;
- }
/* Set up the keytab */
if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL,
extern krb5_actkvno_node *active_mkey_list;
extern krb5_db_entry master_db;
-static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey,
+static int decrypt_key_data(krb5_context context,
int n_key_data, krb5_key_data *key_data,
krb5_keyblock **keyblocks, int *n_keys);
*/
static kadm5_ret_t
check_pw_reuse(krb5_context context,
- krb5_keyblock *mkey,
krb5_keyblock *hist_keyblock,
int n_new_key_data, krb5_key_data *new_key_data,
unsigned int n_pw_hist_data, osa_pw_hist_ent *pw_hist_data)
{
- int x, y, z;
+ unsigned int x, y, z;
krb5_keyblock newkey, histkey;
krb5_error_code ret;
for (x = 0; x < n_new_key_data; x++) {
- ret = krb5_dbe_decrypt_key_data(context, mkey, &(new_key_data[x]),
+ ret = krb5_dbe_decrypt_key_data(context, NULL, &(new_key_data[x]),
&newkey, NULL);
if (ret)
return(ret);
* set to n_key_data.
*/
static
-int create_history_entry(krb5_context context, krb5_keyblock *mkey,
+int create_history_entry(krb5_context context,
krb5_keyblock *hist_key, int n_key_data,
krb5_key_data *key_data, osa_pw_hist_ent *hist)
{
memset(hist->key_data, 0, n_key_data*sizeof(krb5_key_data));
for (i = 0; i < n_key_data; i++) {
- ret = krb5_dbe_decrypt_key_data(context, mkey, &key_data[i], &key,
+ ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &key,
&salt);
if (ret)
return ret;
goto done;
ret = create_history_entry(handle->context,
- act_mkey, &hist_keyblock,
+ &hist_keyblock,
kdb_save->n_key_data,
kdb_save->key_data, &hist);
if (ret)
goto done;
- ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock,
+ ret = check_pw_reuse(handle->context, &hist_keyblock,
kdb->n_key_data, kdb->key_data,
1, &hist);
if (ret)
/* If hist_kvno has changed since the last password change, we
* can't check the history. */
if (adb.admin_history_kvno == hist_kvno) {
- ret = check_pw_reuse(handle->context, act_mkey, &hist_keyblock,
+ ret = check_pw_reuse(handle->context, &hist_keyblock,
kdb->n_key_data, kdb->key_data,
adb.old_key_len, adb.old_keys);
if (ret)
if (keepold)
return KADM5_PROTECT_PRINCIPAL;
ks_tuple = n_ks_tuple ? ks_tuple : handle->params.keysalts,
- n_ks_tuple = 1;
+ n_ks_tuple = 1;
}
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
kdb->fail_auth_count = 0;
if (keyblocks) {
- ret = decrypt_key_data(handle->context, act_mkey,
+ ret = decrypt_key_data(handle->context,
kdb->n_key_data, kdb->key_data,
keyblocks, n_keys);
if (ret)
osa_princ_ent_rec adb;
kadm5_ret_t ret;
kadm5_server_handle_t handle = server_handle;
- krb5_keyblock *mkey_ptr;
if (keyblocks)
*keyblocks = NULL;
return(ret);
if (keyblocks) {
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb,
- &mkey_ptr))) {
- krb5_keylist_node *tmp_mkey_list;
- /* try refreshing master key list */
- /* XXX it would nice if we had the mkvno here for optimization */
- if (krb5_db_fetch_mkey_list(handle->context, master_princ,
- &master_keyblock, 0,
- &tmp_mkey_list) == 0) {
- krb5_dbe_free_key_list(handle->context, master_keylist);
- master_keylist = tmp_mkey_list;
- if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist,
- kdb, &mkey_ptr))) {
- goto done;
- }
- } else {
- goto done;
- }
- }
-
- ret = decrypt_key_data(handle->context, mkey_ptr,
+ ret = decrypt_key_data(handle->context,
kdb->n_key_data, kdb->key_data,
keyblocks, n_keys);
if (ret)
/*
* Allocate an array of n_key_data krb5_keyblocks, fill in each
- * element with the results of decrypting the nth key in key_data with
- * mkey, and if n_keys is not NULL fill it in with the
+ * element with the results of decrypting the nth key in key_data,
+ * and if n_keys is not NULL fill it in with the
* number of keys decrypted.
*/
-static int decrypt_key_data(krb5_context context, krb5_keyblock *mkey,
+static int decrypt_key_data(krb5_context context,
int n_key_data, krb5_key_data *key_data,
krb5_keyblock **keyblocks, int *n_keys)
{
memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
for (i = 0; i < n_key_data; i++) {
- ret = krb5_dbe_decrypt_key_data(context, mkey, &key_data[i], &keys[i],
+ ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
NULL);
if (ret) {
for (; i >= 0; i--) {
}
}
- if ((ret = krb5_dbe_decrypt_key_data(handle->context, mkey_ptr, key_data,
+ if ((ret = krb5_dbe_decrypt_key_data(handle->context, NULL, key_data,
keyblock, keysalt)))
return ret;
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
- * Copyright 2006, 2009 by the Massachusetts Institute of Technology.
+ * Copyright 2006, 2009, 2010 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
kdb_free_lib_handle(krb5_context kcontext)
{
krb5_error_code status = 0;
+ krb5_keylist_node *old_keylist = kcontext->dal_handle->master_keylist;
status = kdb_free_library(kcontext->dal_handle->lib_handle);
if (status)
return status;
-
+ /* The dal_handle holds an alias to the most recent mkey_list*/
+ if (kcontext->dal_handle->free_keylist) {
+ kcontext->dal_handle->master_keylist = NULL; /*force freeing*/
+ krb5_db_free_mkey_list(kcontext, old_keylist);
+ }
+ krb5_free_principal(kcontext, kcontext->dal_handle->master_princ);
free(kcontext->dal_handle);
kcontext->dal_handle = NULL;
return 0;
}
-static krb5_error_code
+static krb5_error_code
get_vftabl(krb5_context kcontext, kdb_vftabl **vftabl_ptr)
{
krb5_error_code status;
return v->iterate(kcontext, match_entry, func, func_arg);
}
-krb5_error_code
-krb5_db_set_mkey_list(krb5_context kcontext,
- krb5_keylist_node * keylist)
-{
- krb5_error_code status = 0;
- kdb_vftabl *v;
-
- status = get_vftabl(kcontext, &v);
- if (status)
- return status;
- if (v->set_master_key_list == NULL)
- return KRB5_PLUGIN_OP_NOTSUPP;
- return v->set_master_key_list(kcontext, keylist);
-}
-
-krb5_error_code
-krb5_db_get_mkey_list(krb5_context kcontext, krb5_keylist_node ** keylist)
-{
- krb5_error_code status = 0;
- kdb_vftabl *v;
-
- status = get_vftabl(kcontext, &v);
- if (status)
- return status;
- if (v->get_master_key_list == NULL)
- return KRB5_PLUGIN_OP_NOTSUPP;
- return v->get_master_key_list(kcontext, keylist);
-}
-
krb5_error_code
krb5_db_fetch_mkey_list(krb5_context context,
krb5_principal mname,
{
kdb_vftabl *v;
krb5_error_code status = 0;
+ krb5_keylist_node *local_keylist;
status = get_vftabl(context, &v);
if (status)
return status;
- return v->fetch_master_key_list(context, mname, mkey, mkvno, mkey_list);
+ if (!context->dal_handle->master_princ) {
+ status = krb5_copy_principal(context, mname, &context->dal_handle->master_princ);
+ if (status)
+ return status;
+ }
+ if (mkey_list == NULL)
+ mkey_list = &local_keylist;
+ status = v->fetch_master_key_list(context, mname, mkey, mkvno, mkey_list);
+ if (status == 0) {
+ /* The dal_handle holds an alias to the most recent master_keylist*/
+ krb5_keylist_node *old_keylist = context->dal_handle->master_keylist;
+ context->dal_handle->master_keylist = *mkey_list;
+ if (context->dal_handle->free_keylist)
+ krb5_db_free_mkey_list(context, old_keylist);
+ context->dal_handle->free_keylist = (mkey_list == &local_keylist);
+ }
+ return status;
}
void
{
krb5_keylist_node *cur, *prev;
+ /*
+ * The dal_handle holds onto the most recent master
+ * keylist that has been fetched throughout the lifetime of the context; if
+ * this function is called on that keylist, then the dal_handle is updated to
+ * indicate that the keylist should be freed on next call to
+ * krb5_db_fetch_mkey_list() or when the database is closed. Otherwise, the
+ * master_keylist is freed. Either way, the caller must not access this master
+ * keylist after calling this function.
+ */
+ if (context&& context->dal_handle->master_keylist == mkey_list) {
+ context->dal_handle->free_keylist = 1;
+ return;
+ }
for (cur = mkey_list; cur != NULL;) {
prev = cur;
cur = cur->next;
return status;
}
+static krb5_error_code
+decrypt_iterator(krb5_context kcontext,
+ const krb5_key_data * key_data,
+ krb5_keyblock * dbkey,
+ krb5_keysalt * keysalt)
+{
+ krb5_error_code status = 0;
+ kdb_vftabl *v;
+ krb5_keylist_node *n = kcontext->dal_handle->master_keylist;
+ status = get_vftabl(kcontext, &v);
+ if (status)
+ return status;
+ for (;n; n = n->next) {
+ krb5_clear_error_message(kcontext);
+ status= v->decrypt_key_data(kcontext, &n->keyblock, key_data, dbkey, keysalt);
+ if (status == 0)
+ return 0;
+ }
+ return status;
+}
+
krb5_error_code
krb5_dbe_decrypt_key_data( krb5_context kcontext,
const krb5_keyblock * mkey,
{
krb5_error_code status = 0;
kdb_vftabl *v;
-
+ krb5_keylist_node *n = kcontext->dal_handle->master_keylist;
status = get_vftabl(kcontext, &v);
if (status)
return status;
- return v->decrypt_key_data(kcontext, mkey, key_data, dbkey, keysalt);
+ if (mkey ||!n)
+ return v->decrypt_key_data(kcontext, mkey, key_data, dbkey, keysalt);
+ status = decrypt_iterator(kcontext, key_data, dbkey, keysalt);
+ if (status == 0)
+ return 0;
+ if (kcontext->dal_handle->master_keylist) {
+ /* Try reloading master keys*/
+ krb5_keyblock *cur_mkey = &kcontext->dal_handle->master_keylist->keyblock;
+ if (krb5_db_fetch_mkey_list(kcontext, kcontext->dal_handle->master_princ,
+ cur_mkey, -1, NULL) == 0) {
+ return decrypt_iterator(kcontext, key_data, dbkey, keysalt);
+ }
+ }
+ return status;
}
krb5_error_code
extent. */
void *db_context;
db_library lib_handle;
+ krb5_keylist_node *master_keylist;
+ krb5_boolean free_keylist;
+ krb5_principal master_princ;
};
/* typedef kdb5_dal_handle is in k5-int.h now */
krb5_keytab_entry * entry;
{
krb5_context context;
- krb5_keylist_node * master_keylist;
- krb5_keyblock * master_key;
krb5_error_code kerror = 0;
krb5_key_data * key_data;
krb5_db_entry * db_entry;
}
/* match key */
- kerror = krb5_db_get_mkey_list(context, &master_keylist);
- if (kerror)
- goto error;
-
- kerror = krb5_dbe_find_mkey(context, master_keylist, db_entry, &master_key);
- if (kerror)
- goto error;
-
/* For cross realm tgts, we match whatever enctype is provided;
* for other principals, we only match the first enctype that is
* found. Since the TGS and AS code do the same thing, then we
goto error;
- kerror = krb5_dbe_decrypt_key_data(context, master_key, key_data,
+ kerror = krb5_dbe_decrypt_key_data(context, NULL, key_data,
&entry->key, NULL);
if (kerror)
goto error;
krb5_db_free_principal
krb5_db_get_age
krb5_db_get_key_data_kvno
-krb5_db_get_mkey_list
krb5_db_get_context
krb5_db_get_principal
krb5_db_iterate
krb5_db_put_principal
krb5_db_refresh_config
krb5_db_set_context
-krb5_db_set_mkey_list
krb5_db_setup_mkey_name
krb5_db_sign_authdata
krb5_db_unlock
}
krb5_free_principal(context, princ);
- if ((retval = krb5_dbe_decrypt_key_data(context, &master_keyblock,
+ if ((retval = krb5_dbe_decrypt_key_data(context, NULL,
kdbe->key_data, &db_key, NULL))) {
com_err(progname, retval, "while decrypting key for '%s'", princ_name);
goto errout;