From: Greg Hudson Date: Wed, 21 Mar 2012 16:57:05 +0000 (+0000) Subject: Only store master mey list in DAL handle X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=57a0c5e6c3c3af0eeed0487d56b53311752a8930;p=krb5.git Only store master mey list in DAL handle r24314 (#6778) created a hybrid owernship model for the master key list, with one virtual copy stored in the DAL handle and one provided to the caller of krb5_db_fetch_mkey_list. Replace this with a model where only the DAL handle owns the list, and a caller can get access to an alias pointer with a new function krb5_db_mkey_list_alias(). Functions which previously accepted the master key list as an input parameter now expect to find it in the DAL handle. Patch by Will Fiveash . git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/kdb.h b/src/include/kdb.h index 0f50a83c1..67c403155 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -377,7 +377,6 @@ krb5_error_code krb5_db_store_master_key ( krb5_context kcontext, krb5_error_code krb5_db_store_master_key_list ( krb5_context kcontext, char *keyfile, krb5_principal mname, - krb5_keylist_node *keylist, char *master_pwd); krb5_error_code krb5_db_fetch_mkey ( krb5_context context, krb5_principal mname, @@ -391,15 +390,7 @@ krb5_error_code krb5_db_fetch_mkey ( krb5_context context, krb5_error_code krb5_db_fetch_mkey_list( krb5_context context, krb5_principal mname, - const krb5_keyblock * mkey, - krb5_kvno mkvno, - krb5_keylist_node **mkeys_list ); -/** - * Free a master keylist. - */ -void -krb5_db_free_mkey_list( krb5_context context, - krb5_keylist_node *mkey_list ); + const krb5_keyblock * mkey ); krb5_error_code krb5_dbe_find_enctype( krb5_context kcontext, @@ -451,14 +442,12 @@ krb5_dbe_fetch_act_key_list(krb5_context context, krb5_error_code krb5_dbe_find_act_mkey( krb5_context context, - krb5_keylist_node * mkey_list, krb5_actkvno_node * act_mkey_list, krb5_kvno * act_kvno, krb5_keyblock ** act_mkey); krb5_error_code krb5_dbe_find_mkey( krb5_context context, - krb5_keylist_node * mkey_list, krb5_db_entry * entry, krb5_keyblock ** mkey); @@ -468,11 +457,13 @@ krb5_dbe_lookup_mkvno( krb5_context context, krb5_db_entry * entry, krb5_kvno * mkvno); +krb5_keylist_node * +krb5_db_mkey_list_alias( krb5_context kcontext ); + /* Set *mkvno to mkvno in entry tl_data, or minimum value from mkey_list. */ krb5_error_code krb5_dbe_get_mkvno( krb5_context context, krb5_db_entry * entry, - krb5_keylist_node * mkey_list, krb5_kvno * mkvno); krb5_error_code @@ -698,7 +689,6 @@ krb5_error_code krb5_def_fetch_mkey_list( krb5_context context, krb5_principal mprinc, const krb5_keyblock *mkey, - krb5_kvno mkvno, krb5_keylist_node **mkeys_list); krb5_error_code @@ -1092,7 +1082,6 @@ typedef struct _kdb_vftabl { krb5_error_code (*fetch_master_key_list)(krb5_context kcontext, krb5_principal mname, const krb5_keyblock *key, - krb5_kvno kvno, krb5_keylist_node **mkeys_list); /* diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index bf8c8e5bf..326635fb1 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -295,7 +295,7 @@ krb5_error_code master_key_convert(context, db_entry) krb5_keyblock *tmp_mkey; key_data = &db_entry->key_data[i]; - retval = krb5_dbe_find_mkey(context, master_keylist, db_entry, &tmp_mkey); + retval = krb5_dbe_find_mkey(context, db_entry, &tmp_mkey); if (retval) return retval; retval = krb5_dbe_decrypt_key_data(context, tmp_mkey, key_data, @@ -1078,7 +1078,6 @@ dump_db(argc, argv) bool_t dump_sno = FALSE; kdb_log_context *log_ctx; unsigned int ipropx_version = IPROPX_VERSION_0; - krb5_keylist_node *mkeys; /* * Parse the arguments. @@ -1182,13 +1181,11 @@ dump_db(argc, argv) exit(1); } retval = krb5_db_fetch_mkey_list(util_context, master_princ, - &master_keyblock, IGNORE_VNO, - &mkeys); + &master_keyblock); if (retval) { com_err(progname, retval, _("while verifying master key")); exit(1); } - krb5_db_free_mkey_list(util_context, mkeys); } new_master_keyblock.enctype = global_params.enctype; if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN) diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index 395299410..21f8073d3 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c @@ -32,7 +32,6 @@ extern krb5_keyblock master_keyblock; /* current mkey */ extern krb5_kvno master_kvno; extern krb5_principal master_princ; -extern krb5_keylist_node *master_keylist; extern krb5_data master_salt; extern char *mkey_password; extern char *progname; @@ -77,6 +76,7 @@ add_new_mkey(krb5_context context, krb5_db_entry *master_entry, krb5_key_data tmp_key_data, *old_key_data; krb5_mkey_aux_node *mkey_aux_data_head = NULL, **mkey_aux_data; krb5_keylist_node *keylist_node; + krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(context); /* do this before modifying master_entry key_data */ new_mkey_kvno = get_next_kvno(context, master_entry); @@ -372,6 +372,7 @@ kdb5_use_mkey(int argc, char *argv[]) krb5_db_entry *master_entry; krb5_keylist_node *keylist_node; krb5_boolean inserted = FALSE; + krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context); memset(&master_princ, 0, sizeof(master_princ)); @@ -577,6 +578,7 @@ kdb5_list_mkeys(int argc, char *argv[]) krb5_db_entry *master_entry; krb5_keylist_node *cur_kb_node; krb5_keyblock *act_mkey; + krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context); if (master_keylist == NULL) { com_err(progname, 0, _("master keylist not initialized")); @@ -613,8 +615,8 @@ kdb5_list_mkeys(int argc, char *argv[]) if (actkvno_list == NULL) { act_kvno = master_entry->key_data[0].key_data_kvno; } else { - retval = krb5_dbe_find_act_mkey(util_context, master_keylist, - actkvno_list, &act_kvno, &act_mkey); + retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno, + &act_mkey); if (retval == KRB5_KDB_NOACTMASTERKEY) { /* Maybe we went through a time warp, and the only keys with activation dates have them set in the future? */ @@ -834,7 +836,7 @@ update_princ_encryption_1(void *cb, krb5_db_entry *ent) goto skip; } p->re_match_count++; - retval = krb5_dbe_get_mkvno(util_context, ent, master_keylist, &old_mkvno); + retval = krb5_dbe_get_mkvno(util_context, ent, &old_mkvno); if (retval) { com_err(progname, retval, _("determining master key used for principal '%s'"), pname); @@ -934,6 +936,7 @@ kdb5_update_princ_encryption(int argc, char *argv[]) #endif char *regexp = NULL; krb5_keyblock *tmp_keyblock = NULL; + krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context); while ((optchar = getopt(argc, argv, "fnv")) != -1) { switch (optchar) { @@ -1023,8 +1026,7 @@ kdb5_update_princ_encryption(int argc, char *argv[]) master_entry->n_key_data, master_entry->key_data); - retval = krb5_dbe_find_mkey(util_context, master_keylist, - master_entry, &tmp_keyblock); + retval = krb5_dbe_find_mkey(util_context, master_entry, &tmp_keyblock); if (retval) { com_err(progname, retval, _("retrieving the most recent master key")); exit_status++; @@ -1071,7 +1073,6 @@ kdb5_update_princ_encryption(int argc, char *argv[]) cleanup: free(regexp); memset(&new_master_keyblock, 0, sizeof(new_master_keyblock)); - krb5_free_keyblock(util_context, tmp_keyblock); krb5_free_unparsed_name(util_context, mkey_fullname); krb5_dbe_free_actkvno_list(util_context, actkvno_list); } @@ -1098,7 +1099,7 @@ find_mkvnos_in_use(krb5_pointer ptr, args = (struct purge_args *) ptr; - retval = krb5_dbe_get_mkvno(args->kcontext, entry, master_keylist, &mkvno); + retval = krb5_dbe_get_mkvno(args->kcontext, entry, &mkvno); if (retval) return (retval); @@ -1129,6 +1130,17 @@ kdb5_purge_mkeys(int argc, char *argv[]) krb5_mkey_aux_node *mkey_aux_list = NULL, *mkey_aux_entry, *prev_mkey_aux_entry; krb5_key_data *old_key_data; + /* + * Verify that the master key list has been initialized before doing + * anything else. + */ + if (krb5_db_mkey_list_alias(util_context) == NULL) { + com_err(progname, KRB5_KDB_DBNOTINITED, + _("master keylist not initialized")); + exit_status++; + return; + } + memset(&master_princ, 0, sizeof(master_princ)); memset(&args, 0, sizeof(args)); @@ -1152,12 +1164,6 @@ kdb5_purge_mkeys(int argc, char *argv[]) } } - if (master_keylist == NULL) { - com_err(progname, 0, _("master keylist not initialized")); - exit_status++; - return; - } - /* assemble & parse the master key name */ if ((retval = krb5_db_setup_mkey_name(util_context, global_params.mkey_name, diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c index 35592b808..30ca82c41 100644 --- a/src/kadmin/dbutil/kdb5_stash.c +++ b/src/kadmin/dbutil/kdb5_stash.c @@ -56,7 +56,6 @@ #include "kdb5_util.h" extern krb5_keyblock master_keyblock; -extern krb5_keylist_node *master_keylist; extern krb5_principal master_princ; extern kadm5_config_params global_params; @@ -119,8 +118,7 @@ kdb5_stash(argc, argv) } retval = krb5_db_fetch_mkey_list(util_context, master_princ, - &master_keyblock, mkey_kvno, - &master_keylist); + &master_keyblock); if (retval) { com_err(progname, retval, _("while getting master key list")); exit_status++; return; @@ -130,7 +128,7 @@ kdb5_stash(argc, argv) } retval = krb5_db_store_master_key_list(util_context, keyfile, master_princ, - master_keylist, NULL); + NULL); if (retval) { com_err(progname, errno, _("while storing key")); exit_status++; return; diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c index 70a04e259..df9c080a0 100644 --- a/src/kadmin/dbutil/kdb5_util.c +++ b/src/kadmin/dbutil/kdb5_util.c @@ -106,7 +106,6 @@ void usage() krb5_keyblock master_keyblock; krb5_kvno master_kvno; /* fetched */ -extern krb5_keylist_node *master_keylist; extern krb5_principal master_princ; krb5_db_entry *master_entry = NULL; int valid_master_key = 0; @@ -485,8 +484,7 @@ static int open_db_and_mkey() } if ((retval = krb5_db_fetch_mkey_list(util_context, master_princ, - &master_keyblock, master_kvno, - &master_keylist))) { + &master_keyblock))) { com_err(progname, retval, "while getting master key list"); com_err(progname, 0, "Warning: proceeding without master key list"); exit_status++; @@ -501,7 +499,6 @@ static int open_db_and_mkey() exit_status++; memset(master_keyblock.contents, 0, master_keyblock.length); krb5_free_keyblock_contents(util_context, &master_keyblock); - krb5_db_free_mkey_list(util_context, master_keylist); return(1); } @@ -532,7 +529,6 @@ quit() if (finished) return 0; - krb5_db_free_mkey_list(util_context, master_keylist); retval = krb5_db_fini(util_context); memset(master_keyblock.contents, 0, master_keyblock.length); finished = TRUE; @@ -605,7 +601,7 @@ add_random_key(argc, argv) free_keysalts = 1; /* Find the mkey used to protect the existing keys */ - ret = krb5_dbe_find_mkey(util_context, master_keylist, dbent, &tmp_mkey); + ret = krb5_dbe_find_mkey(util_context, dbent, &tmp_mkey); if (ret) { com_err(me, ret, _("while finding mkey")); krb5_db_free_principal(util_context, dbent); diff --git a/src/kadmin/dbutil/kdb5_util.h b/src/kadmin/dbutil/kdb5_util.h index a5754c5f6..540b69479 100644 --- a/src/kadmin/dbutil/kdb5_util.h +++ b/src/kadmin/dbutil/kdb5_util.h @@ -44,7 +44,6 @@ extern krb5_db_entry master_db; extern char **db5util_db_args; extern int db5util_db_args_size; extern krb5_kvno new_mkvno; -extern krb5_keylist_node *master_keylist; extern krb5_keyblock new_master_keyblock; extern int add_db_arg(char *arg); diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index f38f209f1..6859144ca 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -69,8 +69,6 @@ gss_name_t gss_changepw_name = NULL, gss_oldchangepw_name = NULL; gss_name_t gss_kadmin_name = NULL; void *global_server_handle; -extern krb5_keylist_node *master_keylist; - char *build_princ_name(char *name, char *realm); void log_badauth(OM_uint32 major, OM_uint32 minor, struct sockaddr_in *addr, char *data); diff --git a/src/kdc/extern.h b/src/kdc/extern.h index f7a2053fc..3866c6c1f 100644 --- a/src/kdc/extern.h +++ b/src/kdc/extern.h @@ -51,10 +51,9 @@ typedef struct __kdc_realm_data { krb5_principal realm_mprinc; /* Master principal for realm */ /* * Note realm_mkey is mkey read from stash or keyboard and may not be the - * latest. The mkey_list will have all the mkeys in use. + * latest. */ krb5_keyblock realm_mkey; /* Master key for this realm */ - krb5_keylist_node * mkey_list; /* list of mkeys in use for this realm */ /* * TGS per-realm data. */ @@ -88,7 +87,6 @@ kdc_realm_t *find_realm_data (char *, krb5_ui_4); #define max_life_for_realm kdc_active_realm->realm_maxlife #define max_renewable_life_for_realm kdc_active_realm->realm_maxrlife #define master_keyblock kdc_active_realm->realm_mkey -#define master_keylist kdc_active_realm->mkey_list #define master_princ kdc_active_realm->realm_mprinc #define tgs_server kdc_active_realm->realm_tgsprinc #define reject_bad_transit kdc_active_realm->realm_reject_bad_transit diff --git a/src/kdc/main.c b/src/kdc/main.c index 8d4df8762..c2c3e4e0e 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -179,8 +179,6 @@ finish_realm(kdc_realm_t *rdp) memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length); free(rdp->realm_mkey.contents); } - if (rdp->mkey_list) - krb5_dbe_free_key_list(rdp->realm_context, rdp->mkey_list); krb5_db_fini(rdp->realm_context); if (rdp->realm_tgsprinc) krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc); @@ -427,7 +425,7 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, } if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc, - &rdp->realm_mkey, mkvno, &rdp->mkey_list))) { + &rdp->realm_mkey))) { kdc_err(rdp->realm_context, kret, _("while fetching master keys list for realm %s"), realm); goto whoops; diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports index 44311ee26..e661f30a6 100644 --- a/src/lib/kadm5/srv/libkadm5srv_mit.exports +++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports @@ -84,7 +84,6 @@ krb5_string_to_flags krb5_string_to_keysalts krb5_match_config_pattern master_db -master_keylist master_princ osa_free_princ_ent passwd_check diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index db7230e24..3860b6b2f 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -18,7 +18,6 @@ krb5_principal master_princ; krb5_keyblock master_keyblock; /* local mkey */ -krb5_keylist_node *master_keylist = NULL; krb5_actkvno_node *active_mkey_list = NULL; krb5_db_entry master_db; @@ -69,7 +68,7 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle, goto done; if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ, - &master_keyblock, mkvno, &master_keylist))) { + &master_keyblock))) { krb5_db_fini(handle->context); return (ret); } @@ -192,7 +191,7 @@ kdb_get_hist_key(kadm5_server_handle_t handle, krb5_keyblock *hist_keyblock, goto done; } - ret = krb5_dbe_find_mkey(handle->context, master_keylist, kdb, &mkey); + ret = krb5_dbe_find_mkey(handle->context, kdb, &mkey); if (ret) goto done; diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index d50007c52..f4715fbb1 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -25,7 +25,6 @@ extern krb5_principal master_princ; extern krb5_principal hist_princ; extern krb5_keyblock master_keyblock; -extern krb5_keylist_node *master_keylist; extern krb5_actkvno_node *active_mkey_list; extern krb5_db_entry master_db; @@ -364,8 +363,8 @@ kadm5_create_principal_3(void *server_handle, /* initialize the keys */ - ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_kvno, &act_mkey); + ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno, + &act_mkey); if (ret) goto cleanup; @@ -869,8 +868,7 @@ kadm5_get_principal(void *server_handle, krb5_principal principal, entry->kvno = kdb->key_data[i].key_data_kvno; if (mask & KADM5_MKVNO) { - ret = krb5_dbe_get_mkvno(handle->context, kdb, master_keylist, - &entry->mkvno); + ret = krb5_dbe_get_mkvno(handle->context, kdb, &entry->mkvno); if (ret) goto done; } @@ -1385,8 +1383,8 @@ kadm5_chpass_principal_3(void *server_handle, principal))) goto done; - ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, &act_kvno, &act_mkey); + ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, &act_kvno, + &act_mkey); if (ret) goto done; @@ -1579,8 +1577,8 @@ kadm5_randkey_principal_3(void *server_handle, if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) return(ret); - ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, NULL, &act_mkey); + ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL, + &act_mkey); if (ret) goto done; @@ -1727,8 +1725,8 @@ kadm5_setv4key_principal(void *server_handle, keysalt.data.length = 0; keysalt.data.data = NULL; - ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, NULL, &act_mkey); + ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL, + &act_mkey); if (ret) goto done; @@ -1931,8 +1929,8 @@ kadm5_setkey_principal_3(void *server_handle, } memset (&tmp_key_data, 0, sizeof(tmp_key_data)); - ret = krb5_dbe_find_act_mkey(handle->context, master_keylist, - active_mkey_list, NULL, &act_mkey); + ret = krb5_dbe_find_act_mkey(handle->context, active_mkey_list, NULL, + &act_mkey); if (ret) goto done; @@ -2178,17 +2176,13 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle, /* find_mkey only uses this field */ dbent.tl_data = entry->tl_data; - if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &dbent, - &mkey_ptr))) { - krb5_keylist_node *tmp_mkey_list; + if ((ret = krb5_dbe_find_mkey(handle->context, &dbent, &mkey_ptr))) { /* try refreshing master key list */ /* XXX it would nice if we had the mkvno here for optimization */ if (krb5_db_fetch_mkey_list(handle->context, master_princ, - &master_keyblock, 0, &tmp_mkey_list) == 0) { - krb5_dbe_free_key_list(handle->context, master_keylist); - master_keylist = tmp_mkey_list; - if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, - &dbent, &mkey_ptr))) { + &master_keyblock) == 0) { + if ((ret = krb5_dbe_find_mkey(handle->context, &dbent, + &mkey_ptr))) { return ret; } } else { diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 380c3d69d..a3c2a5f9c 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -64,6 +64,18 @@ static db_library lib_list; MAKE_INIT_FUNCTION(kdb_init_lock_list); MAKE_FINI_FUNCTION(kdb_fini_lock_list); +static void +free_mkey_list(krb5_context context, krb5_keylist_node *mkey_list) +{ + krb5_keylist_node *cur, *next; + + for (cur = mkey_list; cur != NULL; cur = next) { + next = cur->next; + krb5_free_keyblock_contents(context, &cur->keyblock); + krb5_xfree(cur); + } +} + int kdb_init_lock_list() { @@ -569,16 +581,12 @@ static krb5_error_code kdb_free_lib_handle(krb5_context kcontext) { krb5_error_code status = 0; - krb5_keylist_node *old_keylist = kcontext->dal_handle->master_keylist; status = kdb_free_library(kcontext->dal_handle->lib_handle); if (status) return status; - /* The dal_handle holds an alias to the most recent mkey_list. */ - if (kcontext->dal_handle->free_keylist) { - kcontext->dal_handle->master_keylist = NULL; /* Force freeing. */ - krb5_db_free_mkey_list(kcontext, old_keylist); - } + + free_mkey_list(kcontext, kcontext->dal_handle->master_keylist); krb5_free_principal(kcontext, kcontext->dal_handle->master_princ); free(kcontext->dal_handle); kcontext->dal_handle = NULL; @@ -1011,10 +1019,16 @@ krb5_db_iterate(krb5_context kcontext, char *match_entry, return v->iterate(kcontext, match_entry, func, func_arg); } +/* Return a read only pointer alias to mkey list. Do not free this! */ +krb5_keylist_node * +krb5_db_mkey_list_alias(krb5_context kcontext) +{ + return kcontext->dal_handle->master_keylist; +} + krb5_error_code krb5_db_fetch_mkey_list(krb5_context context, krb5_principal mname, - const krb5_keyblock *mkey, krb5_kvno mkvno, - krb5_keylist_node **mkey_list) + const krb5_keyblock *mkey) { kdb_vftabl *v; krb5_error_code status = 0; @@ -1023,70 +1037,49 @@ krb5_db_fetch_mkey_list(krb5_context context, krb5_principal mname, status = get_vftabl(context, &v); if (status) return status; + if (!context->dal_handle->master_princ) { status = krb5_copy_principal(context, mname, &context->dal_handle->master_princ); if (status) return status; } - if (mkey_list == NULL) - mkey_list = &local_keylist; - status = v->fetch_master_key_list(context, mname, mkey, mkvno, mkey_list); + + status = v->fetch_master_key_list(context, mname, mkey, &local_keylist); if (status == 0) { - /* The dal_handle holds an alias to the most recent master_keylist. */ - krb5_keylist_node *old_keylist = context->dal_handle->master_keylist; - context->dal_handle->master_keylist = *mkey_list; - if (context->dal_handle->free_keylist) - krb5_db_free_mkey_list(context, old_keylist); - context->dal_handle->free_keylist = (mkey_list == &local_keylist); + free_mkey_list(context, context->dal_handle->master_keylist); + context->dal_handle->master_keylist = local_keylist; } return status; } -void -krb5_db_free_mkey_list(krb5_context context, krb5_keylist_node *mkey_list) -{ - krb5_keylist_node *cur, *prev; - - /* - * The dal_handle holds onto the most recent master keylist that has been - * fetched throughout the lifetime of the context; if this function is - * called on that keylist, then the dal_handle is updated to indicate that - * the keylist should be freed on next call to krb5_db_fetch_mkey_list() or - * when the database is closed. Otherwise, the master_keylist is freed. - * Either way, the caller must not access this master keylist after calling - * this function. - */ - if (context && context->dal_handle->master_keylist == mkey_list) { - context->dal_handle->free_keylist = 1; - return; - } - for (cur = mkey_list; cur != NULL;) { - prev = cur; - cur = cur->next; - krb5_free_keyblock_contents(context, &prev->keyblock); - krb5_xfree(prev); - } -} - krb5_error_code krb5_db_store_master_key(krb5_context kcontext, char *keyfile, krb5_principal mname, krb5_kvno kvno, krb5_keyblock * key, char *master_pwd) { + krb5_error_code status = 0; + kdb_vftabl *v; krb5_keylist_node list; + status = get_vftabl(kcontext, &v); + if (status) + return status; + + if (v->store_master_key_list == NULL) + return KRB5_KDB_DBTYPE_NOSUP; + list.kvno = kvno; list.keyblock = *key; list.next = NULL; - return krb5_db_store_master_key_list(kcontext, keyfile, mname, &list, - master_pwd); + + return v->store_master_key_list(kcontext, keyfile, mname, + &list, master_pwd); } krb5_error_code krb5_db_store_master_key_list(krb5_context kcontext, char *keyfile, - krb5_principal mname, krb5_keylist_node *keylist, - char *master_pwd) + krb5_principal mname, char *master_pwd) { krb5_error_code status = 0; kdb_vftabl *v; @@ -1094,9 +1087,15 @@ krb5_db_store_master_key_list(krb5_context kcontext, char *keyfile, status = get_vftabl(kcontext, &v); if (status) return status; + if (v->store_master_key_list == NULL) - return KRB5_PLUGIN_OP_NOTSUPP; - return v->store_master_key_list(kcontext, keyfile, mname, keylist, + return KRB5_KDB_DBTYPE_NOSUP; + + if (kcontext->dal_handle->master_keylist == NULL) + return KRB5_KDB_DBNOTINITED; + + return v->store_master_key_list(kcontext, keyfile, mname, + kcontext->dal_handle->master_keylist, master_pwd); } @@ -1244,13 +1243,12 @@ krb5_dbe_fetch_act_key_list(krb5_context context, krb5_principal princ, */ krb5_error_code -krb5_dbe_find_act_mkey(krb5_context context, krb5_keylist_node *mkey_list, - krb5_actkvno_node *act_mkey_list, krb5_kvno *act_kvno, - krb5_keyblock **act_mkey) +krb5_dbe_find_act_mkey(krb5_context context, krb5_actkvno_node *act_mkey_list, + krb5_kvno *act_kvno, krb5_keyblock **act_mkey) { krb5_kvno tmp_act_kvno; krb5_error_code retval; - krb5_keylist_node *cur_keyblock = mkey_list; + krb5_keylist_node *cur_keyblock = context->dal_handle->master_keylist; krb5_actkvno_node *prev_actkvno, *cur_actkvno; krb5_timestamp now; krb5_boolean found = FALSE; @@ -1261,6 +1259,9 @@ krb5_dbe_find_act_mkey(krb5_context context, krb5_keylist_node *mkey_list, return 0; } + if (!cur_keyblock) + return KRB5_KDB_DBNOTINITED; + if ((retval = krb5_timeofday(context, &now))) return (retval); @@ -1327,14 +1328,17 @@ krb5_dbe_find_act_mkey(krb5_context context, krb5_keylist_node *mkey_list, * free the output key. */ krb5_error_code -krb5_dbe_find_mkey(krb5_context context, krb5_keylist_node *mkey_list, - krb5_db_entry *entry, krb5_keyblock **mkey) +krb5_dbe_find_mkey(krb5_context context, krb5_db_entry *entry, + krb5_keyblock **mkey) { krb5_kvno mkvno; krb5_error_code retval; - krb5_keylist_node *cur_keyblock = mkey_list; + krb5_keylist_node *cur_keyblock = context->dal_handle->master_keylist; - retval = krb5_dbe_get_mkvno(context, entry, mkey_list, &mkvno); + if (!cur_keyblock) + return KRB5_KDB_DBNOTINITED; + + retval = krb5_dbe_get_mkvno(context, entry, &mkvno); if (retval) return (retval); @@ -1614,13 +1618,14 @@ krb5_dbe_lookup_mkvno(krb5_context context, krb5_db_entry *entry, krb5_error_code krb5_dbe_get_mkvno(krb5_context context, krb5_db_entry *entry, - krb5_keylist_node *mkey_list, krb5_kvno *mkvno) + krb5_kvno *mkvno) { krb5_error_code code; krb5_kvno kvno; + krb5_keylist_node *mkey_list = context->dal_handle->master_keylist; if (mkey_list == NULL) - return EINVAL; + return KRB5_KDB_DBNOTINITED; /* Output the value from entry tl_data if present. */ code = krb5_dbe_lookup_mkvno(context, entry, &kvno); @@ -2432,13 +2437,12 @@ krb5_dbe_decrypt_key_data(krb5_context kcontext, const krb5_keyblock *mkey, { krb5_error_code status = 0; kdb_vftabl *v; - krb5_keylist_node *n = kcontext->dal_handle->master_keylist; krb5_keyblock *cur_mkey; status = get_vftabl(kcontext, &v); if (status) return status; - if (mkey || !n) + if (mkey || kcontext->dal_handle->master_keylist == NULL) return v->decrypt_key_data(kcontext, mkey, key_data, dbkey, keysalt); status = decrypt_iterator(kcontext, key_data, dbkey, keysalt); if (status == 0) @@ -2448,7 +2452,7 @@ krb5_dbe_decrypt_key_data(krb5_context kcontext, const krb5_keyblock *mkey, cur_mkey = &kcontext->dal_handle->master_keylist->keyblock; if (krb5_db_fetch_mkey_list(kcontext, kcontext->dal_handle->master_princ, - cur_mkey, -1, NULL) == 0) + cur_mkey) == 0) return decrypt_iterator(kcontext, key_data, dbkey, keysalt); } return status; diff --git a/src/lib/kdb/kdb5.h b/src/lib/kdb/kdb5.h index 6d5c0a6cd..33bc49cca 100644 --- a/src/lib/kdb/kdb5.h +++ b/src/lib/kdb/kdb5.h @@ -31,7 +31,6 @@ struct _kdb5_dal_handle void *db_context; db_library lib_handle; krb5_keylist_node *master_keylist; - krb5_boolean free_keylist; krb5_principal master_princ; }; /* typedef kdb5_dal_handle is in k5-int.h now */ diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index c4bf92e50..cdb9dccb2 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -418,7 +418,6 @@ krb5_error_code krb5_def_fetch_mkey_list(krb5_context context, krb5_principal mprinc, const krb5_keyblock *mkey, - krb5_kvno mkvno, krb5_keylist_node **mkeys_list) { krb5_error_code retval; diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports index e32b7a1d2..0e58262b2 100644 --- a/src/lib/kdb/libkdb5.exports +++ b/src/lib/kdb/libkdb5.exports @@ -13,7 +13,6 @@ krb5_db_delete_principal krb5_db_destroy krb5_db_fetch_mkey krb5_db_fetch_mkey_list -krb5_db_free_mkey_list krb5_db_fini krb5_db_free_principal krb5_db_get_age @@ -22,6 +21,7 @@ krb5_db_get_context krb5_db_get_principal krb5_db_iterate krb5_db_lock +krb5_db_mkey_list_alias krb5_db_put_principal krb5_db_refresh_config krb5_db_set_context diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c index 5a042a91f..13609918f 100644 --- a/src/tests/create/kdb5_mkdums.c +++ b/src/tests/create/kdb5_mkdums.c @@ -327,7 +327,6 @@ set_dbname_help(pname, dbname) krb5_error_code retval; krb5_data pwd, scratch; char *args[2]; - krb5_keylist_node *mkeys; krb5_db_entry *master_entry; /* assemble & parse the master key name */ @@ -386,13 +385,11 @@ set_dbname_help(pname, dbname) free(args[0]); if ((retval = krb5_db_fetch_mkey_list(test_context, master_princ, - &master_keyblock, IGNORE_VNO, - &mkeys))){ + &master_keyblock))){ com_err(pname, retval, "while verifying master key"); (void) krb5_db_fini(test_context); return(1); } - krb5_db_free_mkey_list(test_context, mkeys); if ((retval = krb5_db_get_principal(test_context, master_princ, 0, &master_entry))) { com_err(pname, retval, "while retrieving master entry"); diff --git a/src/tests/verify/kdb5_verify.c b/src/tests/verify/kdb5_verify.c index b82a86aec..e29c8bc1f 100644 --- a/src/tests/verify/kdb5_verify.c +++ b/src/tests/verify/kdb5_verify.c @@ -353,7 +353,6 @@ set_dbname_help(context, pname, dbname) krb5_error_code retval; krb5_data pwd, scratch; char *args[2]; - krb5_keylist_node *mkeys; krb5_db_entry *master_entry; /* assemble & parse the master key name */ @@ -407,13 +406,11 @@ set_dbname_help(context, pname, dbname) return(1); } if ((retval = krb5_db_fetch_mkey_list(context, master_princ, - &master_keyblock, IGNORE_VNO, - &mkeys))) { + &master_keyblock))) { com_err(pname, retval, "while verifying master key"); (void) krb5_db_fini(context); return(1); } - krb5_db_free_mkey_list(context, mkeys); if ((retval = krb5_db_get_principal(context, master_princ, 0, &master_entry))) { com_err(pname, retval, "while retrieving master entry");