From 17a888de38b276e6fc5ed4420bced0465510ee19 Mon Sep 17 00:00:00 2001 From: Chris Provenzano Date: Thu, 27 Jul 1995 08:44:42 +0000 Subject: [PATCH] Use new kdb format git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6329 dc483132-0cff-0310-8789-dd5450dbe970 --- src/admin/create/ChangeLog | 4 + src/admin/create/kdb5_create.c | 56 +++--- src/admin/edit/ChangeLog | 4 + src/admin/edit/dump.c | 324 +++++++-------------------------- src/admin/edit/kdb5_edit.c | 297 ++++++++++++++---------------- src/admin/edit/kdb5_edit.h | 7 +- src/admin/edit/util.c | 2 +- src/kdc/ChangeLog | 4 + src/kdc/do_as_req.c | 163 +++++++++-------- src/kdc/do_tgs_req.c | 37 ++-- src/kdc/kdc_util.c | 39 ++-- src/kdc/main.c | 61 +++---- src/tests/create/ChangeLog | 2 + src/tests/create/kdb5_mkdums.c | 169 +++++++++-------- src/tests/verify/ChangeLog | 2 + src/tests/verify/kdb5_verify.c | 14 +- 16 files changed, 513 insertions(+), 672 deletions(-) diff --git a/src/admin/create/ChangeLog b/src/admin/create/ChangeLog index 79a305406..3f2447ea6 100644 --- a/src/admin/create/ChangeLog +++ b/src/admin/create/ChangeLog @@ -1,4 +1,8 @@ +Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu) + + * kdb5_create.c : Use new kdb format. + Mon Jul 17 14:58:00 EDT 1995 Paul Park (pjpark@mit.edu) * configure.in - Add KADM library. * kdb5_create.c - Add KDC profile reading/handling as a supplement to diff --git a/src/admin/create/kdb5_create.c b/src/admin/create/kdb5_create.c index 07d724130..ef243c6d6 100644 --- a/src/admin/create/kdb5_create.c +++ b/src/admin/create/kdb5_create.c @@ -360,37 +360,51 @@ add_principal(context, princ, op, pblock) enum ap_op op; struct realm_info *pblock; { - krb5_db_entry entry; - krb5_error_code retval; - krb5_encrypted_keyblock ekey; - krb5_keyblock *rkey; - int nentries = 1; + krb5_error_code retval; + krb5_db_entry entry; + krb5_keyblock * rkey; + + krb5_tl_mod_princ mod_princ; + + int nentries = 1; memset((char *) &entry, 0, sizeof(entry)); - entry.principal = princ; - entry.kvno = 1; + + entry.mkvno = 1; + entry.len = KRB5_KDB_V1_BASE_LENGTH; + entry.attributes = pblock->flags; entry.max_life = pblock->max_life; entry.max_renewable_life = pblock->max_rlife; - entry.mkvno = 1; entry.expiration = pblock->expiration; - entry.mod_name = &db_create_princ; - if (retval = krb5_timeofday(context, &entry.mod_date)) - return retval; - entry.attributes = pblock->flags; + if (retval = krb5_copy_principal(context, princ, &entry.princ)) + goto error_out; + + mod_princ.mod_princ = &db_create_princ; + if (retval = krb5_timeofday(context, &mod_princ.mod_date)) + goto error_out; + if (retval = krb5_dbe_encode_mod_princ_data(context, &mod_princ, &entry)) + goto error_out; + + if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data))) == NULL) + goto error_out; + memset((char *) entry.key_data, 0, sizeof(krb5_key_data)); + entry.n_key_data = 1; switch (op) { case MASTER_KEY: entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; - if (retval = krb5_kdb_encrypt_key(context, pblock->eblock, - &master_keyblock, &ekey)) + if (retval = krb5_dbekd_encrypt_key_data(context, pblock->eblock, + &master_keyblock, NULL, + 1, entry.key_data)) return retval; break; case RANDOM_KEY: if (retval = krb5_random_key(context, pblock->eblock, pblock->rseed, &rkey)) return retval; - retval = krb5_kdb_encrypt_key(context, pblock->eblock, rkey, &ekey); + retval = krb5_dbekd_encrypt_key_data(context, pblock->eblock, rkey, + NULL, 1, entry.key_data); krb5_free_keyblock(context, rkey); if (retval) return retval; @@ -400,14 +414,10 @@ add_principal(context, princ, op, pblock) default: break; } - entry.key = ekey; - entry.salt_type = KRB5_KDB_SALTTYPE_NORMAL; - entry.salt_length = 0; - entry.salt = 0; - if (retval = krb5_db_put_principal(context, &entry, &nentries)) - return retval; + retval = krb5_db_put_principal(context, &entry, &nentries); - krb5_xfree(ekey.contents); - return 0; +error_out:; + krb5_dbe_free_contents(context, &entry); + return retval; } diff --git a/src/admin/edit/ChangeLog b/src/admin/edit/ChangeLog index 8faff7c7b..ead9c84c0 100644 --- a/src/admin/edit/ChangeLog +++ b/src/admin/edit/ChangeLog @@ -1,4 +1,8 @@ +Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu) + + * dump.c kdb5_edit.c kdb5_edit.h util.c : Use new kdb format. + Mon Jul 17 15:00:08 EDT 1995 Paul Park (pjpark@mit.edu) * configure.in - Add KADM library. * dumpv4.c - Change calling sequence to krb5_db_fetch_mkey(). diff --git a/src/admin/edit/dump.c b/src/admin/edit/dump.c index 2f888c450..cbeb5985d 100644 --- a/src/admin/edit/dump.c +++ b/src/admin/edit/dump.c @@ -34,7 +34,7 @@ struct dump_record { FILE *f; }; -static char ld_vers[] = "kdb5_edit load_dump version 2.0\n"; +static char ld_vers[] = "kdb5_edit load_dump version 3.0\n"; krb5_encrypt_block master_encblock; extern char *current_dbname; @@ -46,56 +46,21 @@ void update_ok_file(); krb5_error_code dump_iterator(ptr, entry) - krb5_pointer ptr; - krb5_db_entry *entry; + krb5_pointer ptr; + krb5_db_entry * entry; { - krb5_error_code retval; - struct dump_record *arg = (struct dump_record *) ptr; - char *name=NULL, *mod_name=NULL; - int i; + struct dump_record * arg = (struct dump_record *) ptr; + krb5_error_code retval; + datum content; - if (retval = krb5_unparse_name(edit_context, entry->principal, &name)) { - com_err(arg->comerr_name, retval, "while unparsing principal"); + if (retval = krb5_encode_princ_contents(edit_context, &content, entry)) { + com_err(arg->comerr_name, retval, "while encoding an entry"); exit_status++; return retval; } - if (retval = krb5_unparse_name(edit_context, entry->mod_name, &mod_name)) { - free(name); - com_err(arg->comerr_name, retval, "while unparsing principal"); - exit_status++; - return retval; - } - fprintf(arg->f, "%d\t%d\t%d\t%d\t%d\t%d\t%s\t%d\t", strlen(name), - strlen(mod_name), entry->key.length, entry->alt_key.length, - entry->salt_length, entry->alt_salt_length, name, - entry->key.keytype); - for (i=0; ikey.length; i++) { - fprintf(arg->f, "%02x", *(entry->key.contents+i)); - } - fprintf(arg->f, - "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t", - entry->kvno, entry->max_life, entry->max_renewable_life, - entry->mkvno, entry->expiration, entry->pw_expiration, - entry->last_pwd_change, entry->last_success, entry->last_failed, - entry->fail_auth_count, mod_name, entry->mod_date, - entry->attributes, entry->salt_type); - for (i=0; isalt_length; i++) { - fprintf(arg->f, "%02x", *(entry->salt+i)); - } - fprintf(arg->f, "\t%u\t", entry->alt_key.keytype); - for (i=0; ialt_key.length; i++) { - fprintf(arg->f, "%02x", *(entry->alt_key.contents+i)); - } - fprintf(arg->f, "\t%u\t", entry->alt_salt_type); - for (i=0; ialt_salt_length; i++) { - fprintf(arg->f, "%02x", *(entry->alt_salt+i)); - } - for (i=0; i < 8; i++) { - fprintf(arg->f, "\t%u", entry->expansion[i]); - } + fprintf(arg->f, "%d\t", content.dsize); + fwrite(content.dptr, content.dsize, 1, arg->f); fprintf(arg->f, ";\n"); - free(name); - free(mod_name); return 0; } /*ARGSUSED*/ @@ -141,7 +106,7 @@ void dump_db(argc, argv) fputs(ld_vers, f); arg.comerr_name = argv[0]; arg.f = f; - (void) krb5_db_iterate(edit_context, dump_iterator, (krb5_pointer) &arg); + (void)krb5_db_iterate(edit_context, dump_iterator, (krb5_pointer) &arg); if (argc == 2) fclose(f); if (argv[1]) @@ -235,21 +200,21 @@ void load_db(argc, argv) int argc; char **argv; { - FILE *f; - krb5_db_entry entry; - krb5_error_code retval; - int name_len, mod_name_len, key_len, alt_key_len; - int salt_len, alt_salt_len; - int i, one; - char *name, *mod_name; + krb5_error_code retval; + krb5_db_entry entry; + datum contents; + FILE * f; + char * new_dbname; + char buf[64]; /* Must be longer than ld_vers */ + int lineno; + int one; + + int i; int name_ret; - char *new_dbname; int ch; int load_error = 0; - int lineno = 0; int stype; int tmp1, tmp2, tmp3; - char buf[64]; /* Must be longer than ld_vers */ if (argc != 3) { com_err(argv[0], 0, "Usage: %s filename dbname", argv[0]); @@ -301,212 +266,55 @@ void load_db(argc, argv) if (strcmp(buf, ld_vers)) { com_err(argv[0], 0, "Bad dump file version"); load_error++; - goto error_out; } - lineno++; - for (;;) { - int nitems; + for (lineno = 1; load_error == 0; lineno++) { + datum contents; + int nitems; - lineno++; - memset((char *)&entry, 0, sizeof(entry)); - nitems = fscanf(f, "%d\t%d\t%d\t%d\t%d\t%d\t", - &name_len, &mod_name_len, &key_len, - &alt_key_len, &salt_len, &alt_salt_len); - if (nitems == EOF) - break; - if (nitems != 6) { - fprintf(stderr, "Couldn't parse line #%d\n", lineno); - load_error++; - break; - } - if (!(name = malloc(name_len+1))) { - com_err(argv[0], errno, - "While allocating space for name"); - load_error++; - goto cleanup; - } - if (!(mod_name = malloc(mod_name_len+1))) { - com_err(argv[0], errno, - "While allocating space for mod_name"); - load_error++; - goto cleanup; - } - entry.key.length = key_len; - if (key_len) { - if (!(entry.key.contents = (krb5_octet *) - malloc(key_len+1))) { - com_err(argv[0], errno, - "While allocating space for the key"); - load_error++; - goto cleanup; - } - } - entry.alt_key.length = alt_key_len; - if (alt_key_len) { - if (!(entry.alt_key.contents = (krb5_octet *) - malloc(alt_key_len+1))) { - com_err(argv[0], errno, - "While allocating space for alt_key"); - load_error++; - goto cleanup; - } - } - entry.salt_length = salt_len; - if (salt_len) { - if (!(entry.salt = (krb5_octet *) malloc(salt_len+1))) { - com_err(argv[0], errno, - "While allocating space for the salt"); - load_error++; - goto cleanup; - } - } - entry.alt_salt_length = alt_salt_len; - if (alt_salt_len) { - if (!(entry.alt_salt = (krb5_octet *) - malloc(alt_salt_len+1))) { - com_err(argv[0], errno, - "While allocating space for the alt_salt"); - load_error++; - goto cleanup; - } - } - if ((name_ret = read_name(f, name, name_len)) < 0) { - fprintf(stderr, "Couldn't parse line #%d\n", lineno); - load_error++; - break; - } - lineno += name_ret; - if (fscanf(f, "%d\t", &tmp1) != 1) { - fprintf(stderr, "Couldn't parse line #%d\n", lineno); - load_error++; - break; - } - /* keytype is probably a short, but might not be. - To avoid problems with scanf, read into a variable of - known type then copy the value. */ - entry.key.keytype = tmp1; - for (i=0; iprincipal)) - return retval; - newentry->kvno = 1; + newentry->len = KRB5_KDB_V1_BASE_LENGTH; + newentry->mkvno = mblock.mkvno; + newentry->attributes = mblock.flags; newentry->max_life = mblock.max_life; newentry->max_renewable_life = mblock.max_rlife; - newentry->mkvno = mblock.mkvno; newentry->expiration = mblock.expiration; - if (retval = krb5_copy_principal(edit_context, master_princ,&newentry->mod_name)) - goto errout; - - newentry->attributes = mblock.flags; - newentry->salt_type = KRB5_KDB_SALTTYPE_NORMAL; - if (retval = krb5_timeofday(edit_context, &newentry->mod_date)) - goto errout; + if (retval = krb5_copy_principal(edit_context, principal, &newentry->princ)) + return retval; - return 0; + if (retval = krb5_timeofday(edit_context, &mod_princ.mod_date)) + goto create_db_entry_error; -errout: - if (newentry->principal) - krb5_free_principal(edit_context, newentry->principal); - memset(newentry, 0, sizeof(krb5_db_entry)); + if (retval = krb5_copy_principal(edit_context, master_princ, + &mod_princ.mod_princ)) + goto create_db_entry_error; + + retval = krb5_dbe_encode_mod_princ_data(edit_context, &mod_princ, newentry); + krb5_xfree(mod_princ.mod_princ->data); + + if (!retval) + return 0; + +create_db_entry_error: + krb5_dbe_free_contents(edit_context, newentry); + exit_status++; return retval; } @@ -361,58 +368,44 @@ add_key(cmdname, newprinc, principal, key, vno, salt) krb5_const_principal principal; const krb5_keyblock * key; krb5_kvno vno; - struct saltblock * salt; + krb5_keysalt * salt; { - krb5_error_code retval; - krb5_db_entry newentry; + krb5_error_code retval; + krb5_db_entry entry; int one = 1; - memset((char *) &newentry, 0, sizeof(newentry)); - retval = krb5_kdb_encrypt_key(edit_context, &master_encblock, - key, - &newentry.key); - if (retval) { - com_err(cmdname, retval, "while encrypting key for '%s'", newprinc); - exit_status++; - return; - } - newentry.principal = (krb5_principal) principal; - newentry.kvno = vno; - newentry.max_life = mblock.max_life; - newentry.max_renewable_life = mblock.max_rlife; - newentry.mkvno = mblock.mkvno; - newentry.expiration = mblock.expiration; - newentry.mod_name = master_princ; - if (retval = krb5_timeofday(edit_context, &newentry.mod_date)) { - com_err(cmdname, retval, "while fetching date"); - exit_status++; - memset((char *)newentry.key.contents, 0, newentry.key.length); - krb5_xfree(newentry.key.contents); + /* First create a db_entry */ + if (retval = create_db_entry(principal, &entry)) { + com_err(cmdname, retval, "while creating db_entry."); return; } - newentry.attributes = mblock.flags; - if (salt) { - newentry.salt_type = salt->salttype; - newentry.salt_length = salt->saltdata.length; - newentry.salt = (krb5_octet *) salt->saltdata.data; - } else { - newentry.salt_type = KRB5_KDB_SALTTYPE_NORMAL; - newentry.salt_length = 0; - newentry.salt = 0; + + /* Now add the key */ + if (retval = krb5_dbe_create_key_data(edit_context, &entry)) { + com_err(cmdname, retval, "while creating key_data for db_entry."); + goto add_key_error; + } + + if (retval = krb5_dbekd_encrypt_key_data(edit_context, &master_encblock, + key, salt, vno, entry.key_data)) { + com_err(cmdname, retval, "while encrypting key for '%s'", newprinc); + goto add_key_error; } - retval = krb5_db_put_principal(edit_context, &newentry, &one); - memset((char *)newentry.key.contents, 0, newentry.key.length); - krb5_xfree(newentry.key.contents); - if (retval) { + if (retval = krb5_db_put_principal(edit_context, &entry, &one)) { com_err(cmdname, retval, "while storing entry for '%s'\n", newprinc); - exit_status++; - return; + goto add_key_error; } + if (one != 1) { com_err(cmdname, 0, "entry not stored in database (unknown failure)"); - exit_status++; + goto add_key_error; } + +add_key_error: + krb5_dbe_free_contents(edit_context, &entry); + if (retval) + exit_status++; return; } @@ -466,7 +459,7 @@ set_dbname_help(pname, dbname) char *dbname; { krb5_error_code retval; - int nentries; + int nentries, i; krb5_boolean more; krb5_data scratch, pwd; @@ -522,7 +515,9 @@ set_dbname_help(pname, dbname) mblock.expiration = master_entry.expiration; #endif /* notdef */ /* don't set flags, master has some extra restrictions */ - mblock.mkvno = master_entry.kvno; + for (mblock.mkvno = 1, i = 0; i < master_entry.n_key_data; i++) + if (mblock.mkvno < master_entry.key_data[i].key_data_kvno) + mblock.mkvno = master_entry.key_data[i].key_data_kvno; krb5_db_free_principal(edit_context, &master_entry, nentries); if (mkey_password) { @@ -746,15 +741,15 @@ void extract_srvtab(argc, argv) exit_status++; goto cleanmost; } - if (retval = krb5_kdb_decrypt_key(edit_context, &master_encblock, - &dbentry.key, - &newentry.key)) { + if (retval = krb5_dbekd_decrypt_key_data(edit_context, &master_encblock, + &dbentry.key_data[0], + &newentry.key, NULL)) { com_err(argv[0], retval, "while decrypting key for '%s'", pname); exit_status++; goto cleanall; } newentry.principal = princ; - newentry.vno = dbentry.kvno; + newentry.vno = dbentry.key_data[0].key_data_kvno; if (retval = krb5_kt_add_entry(edit_context, ktid, &newentry)) { com_err(argv[0], retval, "while adding key to keytab '%s'", ktname); @@ -866,9 +861,9 @@ void extract_v4_srvtab(argc, argv) exit_status++; goto cleanmost; } - if (retval = krb5_kdb_decrypt_key(edit_context, &master_encblock, - &dbentry.key, - &key)) { + if (retval = krb5_dbekd_decrypt_key_data(edit_context, &master_encblock, + &dbentry.key_data[0], + &key, NULL)) { com_err(argv[0], retval, "while decrypting key for '%s'", pname); exit_status++; goto cleanall; @@ -883,7 +878,8 @@ void extract_v4_srvtab(argc, argv) fwrite(argv[i], strlen(argv[i]) + 1, 1, fout); /* p.name */ fwrite(argv[1], strlen(argv[1]) + 1, 1, fout); /* p.instance */ fwrite(cur_realm, strlen(cur_realm) + 1, 1, fout); /* p.realm */ - fwrite((char *)&dbentry.kvno, sizeof(dbentry.kvno), 1, fout); + fwrite((char *)&dbentry.key_data[0].key_data_kvno, + sizeof(dbentry.key_data[0].key_data_kvno), 1, fout); fwrite((char *)key.contents, 8, 1, fout); printf("'%s' added to V4 srvtab '%s'\n", pname, ktname); memset((char *)key.contents, 0, key.length); @@ -891,8 +887,8 @@ void extract_v4_srvtab(argc, argv) cleanall: krb5_db_free_principal(edit_context, &dbentry, nentries); cleanmost: - free(pname); krb5_free_principal(edit_context, princ); + free(pname); } fclose(fout); return; @@ -913,13 +909,13 @@ check_print(chk_entry) return(check_for_match(search_name, must_be_first[0], chk_entry, num_name_tokens, names)); - if ((krb5_princ_size(edit_context, chk_entry->principal) > 1) && + if ((krb5_princ_size(edit_context, chk_entry->princ) > 1) && (num_name_tokens == 0) && (num_instance_tokens > 0)) return(check_for_match(search_instance, must_be_first[1], chk_entry, num_instance_tokens, instances)); - if ((krb5_princ_size(edit_context, chk_entry->principal) > 1) && + if ((krb5_princ_size(edit_context, chk_entry->princ) > 1) && (num_name_tokens > 0) && (num_instance_tokens > 0)) { check1 = check_for_match(search_name, must_be_first[0], chk_entry, @@ -945,7 +941,7 @@ list_iterator(ptr, entry) struct list_iterator_struct *lis = (struct list_iterator_struct *)ptr; char *name; - if (retval = krb5_unparse_name(edit_context, entry->principal, &name)) { + if (retval = krb5_unparse_name(edit_context, entry->princ, &name)) { com_err(lis->cmdname, retval, "while unparsing principal"); exit_status++; return retval; @@ -1042,8 +1038,8 @@ void delete_entry(argc, argv) } if (princ_exists(argv[0], newprinc) == NO_PRINC) { com_err(argv[0], 0, "principal '%s' is not in the database", argv[1]); - exit_status++; krb5_free_principal(edit_context, newprinc); + exit_status++; return; } printf("Are you sure you want to delete '%s'?\nType 'yes' to confirm:", @@ -1077,16 +1073,18 @@ void delete_entry(argc, argv) */ void enter_rnd_key(argc, argv, change) - int argc; - char **argv; - int change; + int argc; + char ** argv; + int change; { - krb5_error_code retval; - krb5_keyblock *tempkey; - krb5_principal newprinc; - int nprincs = 1; - krb5_db_entry entry; - krb5_boolean more; + krb5_error_code retval; + krb5_keyblock * tempkey; + krb5_principal newprinc; + krb5_key_data * key_data; + krb5_db_entry entry; + krb5_boolean more; + int nprincs = 1; + int vno; if (argc < 2) { com_err(argv[0], 0, "Too few arguments"); @@ -1127,14 +1125,23 @@ enter_rnd_key(argc, argv, change) } if (!change) { - retval = create_db_entry(newprinc, &entry); - if (retval) { + if (retval = create_db_entry(newprinc, &entry)) { com_err(argv[0], retval, "While creating new db entry."); exit_status++; goto errout; } + if (retval = krb5_dbe_create_key_data(edit_context, &entry)) { + com_err(argv[0], retval, "While creating key_data for db_entry."); + exit_status++; + goto errout; + } nprincs = 1; + vno = 1; + } else { + vno = entry.key_data[0].key_data_kvno++; } + /* For now we only set the first key_data */ + key_data = entry.key_data; if (retval = krb5_random_key(edit_context, &master_encblock, master_random, &tempkey)) { @@ -1143,33 +1150,9 @@ enter_rnd_key(argc, argv, change) return; } - /* - * Free the old key, if it exists. Also nuke the alternative key, - * and associated salting information, since it all doesn't apply - * for random keys. - */ - if (entry.key.contents) { - memset((char *)entry.key.contents, 0, entry.key.length); - krb5_xfree(entry.key.contents); - } - if (entry.alt_key.contents) { - memset((char *)entry.alt_key.contents, 0, entry.alt_key.length); - krb5_xfree(entry.alt_key.contents); - entry.alt_key.contents = 0; - } - if (entry.salt) { - krb5_xfree(entry.salt); - entry.salt = 0; - } - if (entry.alt_salt) { - krb5_xfree(entry.alt_salt); - entry.alt_salt = 0; - } - entry.salt_type = entry.alt_salt_type = 0; - entry.salt_length = entry.alt_salt_length = 0; - - retval = krb5_kdb_encrypt_key(edit_context, &master_encblock, - tempkey, &entry.key); + /* Encoding over an old key_data will free old key contents */ + retval = krb5_dbekd_encrypt_key_data(edit_context, &master_encblock, + tempkey, NULL, vno, key_data); krb5_free_keyblock(edit_context, tempkey); if (retval) { com_err(argv[0], retval, "while encrypting key for '%s'", argv[1]); @@ -1398,8 +1381,8 @@ enter_pwd_key(cmdname, newprinc, princ, string_princ, vno, salttype) char password[BUFSIZ]; int pwsize = sizeof(password); krb5_keyblock tempkey; + krb5_keysalt salt; krb5_data pwd; - struct saltblock salt; if (retval = krb5_read_password(edit_context, krb5_default_pwd_prompt1, krb5_default_pwd_prompt2, @@ -1411,11 +1394,9 @@ enter_pwd_key(cmdname, newprinc, princ, string_princ, vno, salttype) pwd.data = password; pwd.length = pwsize; - salt.salttype = salttype; - - switch (salttype) { + switch (salt.type = salttype) { case KRB5_KDB_SALTTYPE_NORMAL: - if (retval = krb5_principal2salt(edit_context,string_princ,&salt.saltdata)) { + if (retval = krb5_principal2salt(edit_context,string_princ,&salt.data)){ com_err(cmdname, retval, "while converting principal to salt for '%s'", newprinc); exit_status++; @@ -1423,31 +1404,30 @@ enter_pwd_key(cmdname, newprinc, princ, string_princ, vno, salttype) } break; case KRB5_KDB_SALTTYPE_V4: - salt.saltdata.data = 0; - salt.saltdata.length = 0; + salt.data.length = 0; + salt.data.data = 0; break; - case KRB5_KDB_SALTTYPE_NOREALM: + case KRB5_KDB_SALTTYPE_NOREALM: if (retval = krb5_principal2salt_norealm(edit_context, string_princ, - &salt.saltdata)) { + &salt.data)) { com_err(cmdname, retval, "while converting principal to salt for '%s'", newprinc); exit_status++; return; } break; - case KRB5_KDB_SALTTYPE_ONLYREALM: - { - krb5_data *foo; + case KRB5_KDB_SALTTYPE_ONLYREALM: { + krb5_data * saltdata; if (retval = krb5_copy_data(edit_context, - krb5_princ_realm(edit_context, string_princ), - &foo)) { + krb5_princ_realm(edit_context,string_princ), + &saltdata)) { com_err(cmdname, retval, "while converting principal to salt for '%s'", newprinc); exit_status++; return; } - salt.saltdata = *foo; - krb5_xfree(foo); + salt.data = *saltdata; + krb5_xfree(saltdata); break; } default: @@ -1457,19 +1437,21 @@ enter_pwd_key(cmdname, newprinc, princ, string_princ, vno, salttype) } retval = krb5_string_to_key(edit_context, &master_encblock, master_keyblock.keytype, &tempkey, - &pwd, &salt.saltdata); + &pwd, &salt.data); memset(password, 0, sizeof(password)); /* erase it */ if (retval) { com_err(cmdname, retval, "while converting password to key for '%s'", newprinc); + if (salt.data.data) + krb5_xfree(salt.data.data); exit_status++; - krb5_xfree(salt.saltdata.data); return; } add_key(cmdname, newprinc, princ, &tempkey, ++vno, - (salttype == KRB5_KDB_SALTTYPE_NORMAL) ? 0 : &salt); - krb5_xfree(salt.saltdata.data); + (salttype == KRB5_KDB_SALTTYPE_NORMAL) ? NULL : &salt); memset((char *)tempkey.contents, 0, tempkey.length); + if (salt.data.data) + krb5_xfree(salt.data.data); krb5_xfree(tempkey.contents); return; } @@ -1505,7 +1487,6 @@ void show_principal(argc, argv) krb5_boolean more; krb5_error_code retval; char *pr_name = 0; - char *pr_mod = 0; time_t tmp_date; int i; static char *prflags[32] = { @@ -1562,20 +1543,14 @@ void show_principal(argc, argv) goto errout; } - if (retval = krb5_unparse_name(edit_context, entry.principal, &pr_name)) { + if (retval = krb5_unparse_name(edit_context, entry.princ, &pr_name)) { com_err(argv[0], retval, "while unparsing principal"); exit_status++; goto errout; } - if (retval = krb5_unparse_name(edit_context, entry.mod_name, &pr_mod)) { - com_err(argv[0], retval, "while unparsing 'modified by' principal"); - exit_status++; - goto errout; - } - printf("Name: %s\n", pr_name); - printf("Key version: %d\n", entry.kvno); +/* printf("Key version: %d\n", entry.kvno); */ printf("Maximum life: %s\n", strdur(entry.max_life)); printf("Maximum renewable life: %s\n", strdur(entry.max_renewable_life)); printf("Master key version: %d\n", entry.mkvno); @@ -1583,15 +1558,15 @@ void show_principal(argc, argv) printf("Expiration: %s", ctime(&tmp_date)); tmp_date = (time_t) entry.pw_expiration; printf("Password expiration: %s", ctime(&tmp_date)); - tmp_date = (time_t) entry.last_pwd_change; + /* tmp_date = (time_t) entry.last_pwd_change; */ printf("Last password change: %s", ctime(&tmp_date)); tmp_date = (time_t) entry.last_success; printf("Last successful password: %s", ctime(&tmp_date)); tmp_date = (time_t) entry.last_failed; printf("Last failed password attempt: %s", ctime(&tmp_date)); printf("Failed password attempts: %d\n", entry.fail_auth_count); - tmp_date = (time_t) entry.mod_date; - printf("Last modified by %s on %s", pr_mod, ctime(&tmp_date)); +/* tmp_date = (time_t) entry.mod_date; */ +/* printf("Last modified by %s on %s", pr_mod, ctime(&tmp_date)); */ printf("Attributes:"); for (i = 0; i < 32; i++) { if (entry.attributes & (krb5_flags) 1 << i) @@ -1601,8 +1576,8 @@ void show_principal(argc, argv) printf("UNKNOWN_0x%08X", (krb5_flags) 1 << i); } printf("\n"); - printf("Salt: %d\n", entry.salt_type); - printf("Alt salt: %d\n", entry.salt_type); + /* printf("Salt: %d\n", entry.salt_type); + printf("Alt salt: %d\n", entry.salt_type); */ if (!nprincs) { com_err(argv[0], 0, "Principal '%s' does not exist", argv[1]); @@ -1650,6 +1625,7 @@ int parse_princ_args(argc, argv, entry, pass, randkey, caller) *randkey = 0; for (i = 1; i < argc - 1; i++) { attrib_set = 0; +/* if (strlen(argv[i]) == 5 && !strcmp("-kvno", argv[i])) { if (++i > argc - 2) @@ -1659,6 +1635,7 @@ int parse_princ_args(argc, argv, entry, pass, randkey, caller) continue; } } +*/ if (strlen(argv[i]) == 8 && !strcmp("-maxlife", argv[i])) { if (++i > argc - 2) @@ -1728,7 +1705,7 @@ int parse_princ_args(argc, argv, entry, pass, randkey, caller) fprintf(stderr, "%s: parser lost count!\n", caller); return -1; } - retval = krb5_parse_name(edit_context, argv[i], &entry->principal); + retval = krb5_parse_name(edit_context, argv[i], &entry->princ); if (retval) { com_err(caller, retval, "while parsing principal"); return -1; @@ -1741,6 +1718,7 @@ void modent(argc, argv) char *argv[]; { krb5_db_entry entry, oldentry; + krb5_tl_mod_princ mod_princ; krb5_principal kprinc; krb5_error_code retval; krb5_boolean more; @@ -1781,26 +1759,33 @@ void modent(argc, argv) "modify_principal"); if (retval) { fprintf(stderr, "modify_principal: bad arguments\n"); - krb5_free_principal(edit_context, entry.principal); + krb5_free_principal(edit_context, entry.princ); free(canon); return; } if (randkey) { fprintf(stderr, "modify_principal: -randkey not allowed\n"); - krb5_free_principal(edit_context, entry.principal); + krb5_free_principal(edit_context, entry.princ); free(canon); return; } - entry.mod_name = master_princ; - if (retval = krb5_timeofday(edit_context, &entry.mod_date)) { + mod_princ.mod_princ = master_princ; + if (retval = krb5_timeofday(edit_context, &mod_princ.mod_date)) { com_err(argv[0], retval, "while fetching date"); - krb5_free_principal(edit_context, entry.principal); + krb5_free_principal(edit_context, entry.princ); + exit_status++; + free(canon); + return; + } + if (retval=krb5_dbe_encode_mod_princ_data(edit_context,&mod_princ,&entry)) { + com_err(argv[0], retval, "while setting mod_prince and mod_date"); + krb5_free_principal(edit_context, entry.princ); exit_status++; free(canon); return; } retval = krb5_db_put_principal(edit_context, &entry, &one); - krb5_free_principal(edit_context, entry.principal); + krb5_free_principal(edit_context, entry.princ); if (retval) { com_err("modify_principal", retval, "while modifying \"%s\".", canon); diff --git a/src/admin/edit/kdb5_edit.h b/src/admin/edit/kdb5_edit.h index 64658932c..e0d90ff95 100644 --- a/src/admin/edit/kdb5_edit.h +++ b/src/admin/edit/kdb5_edit.h @@ -36,15 +36,10 @@ struct mblock { krb5_kvno mkvno; }; -struct saltblock { - int salttype; - krb5_data saltdata; -}; - void add_key PROTOTYPE((char const *, char const *, krb5_const_principal, const krb5_keyblock *, - krb5_kvno, struct saltblock *)); + krb5_kvno, krb5_keysalt *)); void enter_pwd_key PROTOTYPE((char *, char *, krb5_const_principal, krb5_const_principal, krb5_kvno, int)); diff --git a/src/admin/edit/util.c b/src/admin/edit/util.c index 3a23c9a84..78de2cd6f 100644 --- a/src/admin/edit/util.c +++ b/src/admin/edit/util.c @@ -129,7 +129,7 @@ int type; char *found3; char *local_entry; - local_entry = chk_entry->principal->data[type].data; + local_entry = chk_entry->princ->data[type].data; token1[0] = token2[0] = token3[0] = '\0'; diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index dce96117f..235e3a405 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,4 +1,8 @@ +Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu) + + * do_as_req.c do_tgs_req.c kdc_util.c main.c : Use new kdb format. + Mon Jul 17 15:13:09 EDT 1995 Paul Park (pjpark@mit.edu) * main.c - Gut KDC profile handling logic and move it to lib/kadm/ alt_prof.c because it's now used by admin and kadmin programs. diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index be7155763..de0fc9e50 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -63,39 +63,25 @@ check_padata (client, src_addr, padata, pa_id, flags) of padata. */ int *flags; { - krb5_encrypted_keyblock *enckey; - krb5_keyblock tmpkey; krb5_error_code retval; - - enckey = &(client->key); - /* Extract client key/alt_key from master key */ - - retval = krb5_kdb_decrypt_key(kdc_context,&master_encblock,enckey,&tmpkey); - if (retval) { - krb5_klog_syslog( LOG_ERR, "AS_REQ: Unable to extract client key: %s", - error_message(retval)); - return retval; - } - retval = krb5_verify_padata(kdc_context, *padata,client->principal, - src_addr, &tmpkey, pa_id, flags); - memset((char *)tmpkey.contents, 0, tmpkey.length); - krb5_xfree(tmpkey.contents); - if (retval && client->alt_key.length) { - /* - * If we failed, try again with the alternative key - */ - enckey = &(client->alt_key); - /* Extract client key/alt_key from master key */ - if ((retval = krb5_kdb_decrypt_key(kdc_context,&master_encblock, - enckey,&tmpkey))) { - krb5_klog_syslog( LOG_ERR, "AS_REQ: Unable to extract client alt_key: %s", - error_message(retval)); + krb5_keyblock tmpkey; + int i; + + /* Extract a client key from master key */ + for (i = 0; i < client->n_key_data; i++) { + if (retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &client->key_data[i], + &tmpkey, NULL)) { + krb5_klog_syslog(LOG_ERR,"AS_REQ: Unable to extract client key: %s", + error_message(retval)); return retval; } - retval = krb5_verify_padata(kdc_context, *padata,client->principal, + retval = krb5_verify_padata(kdc_context, *padata, client->princ, src_addr, &tmpkey, pa_id, flags); - memset((char *)tmpkey.contents, 0, tmpkey.length); - krb5_xfree(tmpkey.contents); + memset((char *)tmpkey.contents, 0, tmpkey.length); + krb5_xfree(tmpkey.contents); + if (!retval) + break; } return retval; } @@ -127,6 +113,7 @@ krb5_data **response; /* filled in with a response packet */ static krb5_principal cpw = 0; char *status; krb5_encrypt_block eblock; + int ok_key = 0; register int i; @@ -229,31 +216,51 @@ krb5_data **response; /* filled in with a response packet */ goto errout; } - for (i = 0; i < request->netypes; i++) { - krb5_keytype ok_keytype; + { /* Get a key that fits the kvno and keytype */ + int max_kvno = 0; + + /* + * First find latest key unless a kvno is specified in which + * case we should only look for those keys. + * + * Note: specifing a kvno isn't defined yet + */ + for (i = 0; i < server.n_key_data; i++) { + if (max_kvno < server.key_data[i].key_data_kvno) { + max_kvno = server.key_data[i].key_data_kvno; + } + } + + /* This will change when the etype == keytype */ + for (i = 0; i < request->netypes; i++) { + krb5_keytype ok_keytype; + int j; - if (!valid_etype(request->etype[i])) - continue; + if (!valid_etype(request->etype[i])) + continue; - if (request->etype[i] == ETYPE_DES_CBC_MD5 && - !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)) - continue; + if (request->etype[i] == ETYPE_DES_CBC_MD5 && + !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)) + continue; - ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype; + ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype; - if (server.key.keytype == ok_keytype || - server.alt_key.keytype == ok_keytype) - break; + for (ok_key = 0; ok_key < server.n_key_data; ok_key++) { + if ((server.key_data[ok_key].key_data_kvno = max_kvno) && + (server.key_data[ok_key].key_data_type[0] == ok_keytype)) { + goto got_a_key; + } + } + } } - if (i == request->netypes) { - /* unsupported etype */ - - krb5_klog_syslog(LOG_INFO, "AS_REQ: BAD ENCRYPTION TYPE: host %s, %s for %s", - fromstring, cname, sname); - retval = prepare_error_as(request, KDC_ERR_ETYPE_NOSUPP, response); - goto errout; - } + /* unsupported etype */ + krb5_klog_syslog(LOG_INFO,"AS_REQ: BAD ENCRYPTION TYPE: host %s, %s for %s", + fromstring, cname, sname); + retval = prepare_error_as(request, KDC_ERR_ETYPE_NOSUPP, response); + goto errout; + +got_a_key:; useetype = request->etype[i]; krb5_use_cstype(kdc_context, &eblock, useetype); @@ -261,8 +268,8 @@ krb5_data **response; /* filled in with a response packet */ krb5_csarray[useetype]->random_sequence, &session_key))) { /* random key failed */ - krb5_klog_syslog(LOG_INFO, "AS_REQ: RANDOM KEY FAILED: host %s, %s for %s", - fromstring, cname, sname); + krb5_klog_syslog(LOG_INFO,"AS_REQ: RANDOM KEY FAILED: host %s, %s for %s", + fromstring, cname, sname); goto errout; } @@ -406,21 +413,27 @@ krb5_data **response; /* filled in with a response packet */ /* convert server.key into a real key (it may be encrypted in the database) */ - if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, - &server.key, &encrypting_key))) + if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &server.key_data[ok_key], + &encrypting_key, NULL))) goto errout; - retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, &ticket_reply); + retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, + &ticket_reply); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); if (retval) goto errout; - ticket_reply.enc_part.kvno = server.kvno; + ticket_reply.enc_part.kvno = server.key_data[i].key_data_kvno; /* Start assembling the response */ reply.msg_type = KRB5_AS_REP; reply.padata = 0; - if (client.salt_type != KRB5_KDB_SALTTYPE_NORMAL) { + /* + * XXX If the client principal has more than one key we have a problem + * -- proven + */ + if (client.key_data[0].key_data_ver > 1) { padat_tmp[0] = &padat_local; padat_tmp[1] = 0; @@ -429,7 +442,7 @@ krb5_data **response; /* filled in with a response packet */ /* WARNING: sharing substructure here, but it's not a real problem, since nothing below will "pull out the rug" */ - switch (client.salt_type) { + switch (client.key_data[0].key_data_type[1]) { krb5_data *data_foo; case KRB5_KDB_SALTTYPE_V4: /* send an empty (V4) salt */ @@ -441,17 +454,17 @@ krb5_data **response; /* filled in with a response packet */ request->client, &salt_data))) goto errout; - padat_tmp[0]->length = salt_data.length; padat_tmp[0]->contents = (krb5_octet *)salt_data.data; + padat_tmp[0]->length = salt_data.length; break; case KRB5_KDB_SALTTYPE_ONLYREALM: data_foo = krb5_princ_realm(kdc_context, request->client); - padat_tmp[0]->length = data_foo->length; padat_tmp[0]->contents = (krb5_octet *)data_foo->data; + padat_tmp[0]->length = data_foo->length; break; case KRB5_KDB_SALTTYPE_SPECIAL: - padat_tmp[0]->length = client.salt_length; - padat_tmp[0]->contents = client.salt; + padat_tmp[0]->contents = client.key_data[0].key_data_contents[1]; + padat_tmp[0]->length = client.key_data[0].key_data_length[1]; break; } reply.padata = padat_tmp; @@ -479,36 +492,34 @@ krb5_data **response; /* filled in with a response packet */ /* now encode/encrypt the response */ - /* convert client.key into a real key (it may be encrypted - in the database) */ - if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, - &client.key, &encrypting_key))) - goto errout; reply.enc_part.etype = useetype; - reply.enc_part.kvno = client.kvno; + reply.enc_part.kvno = client.key_data[0].key_data_kvno; + + /* convert client.key_data into a real key */ + if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &client.key_data[0], + &encrypting_key, NULL))) + goto errout; + retval = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, &eblock, &encrypting_key, &reply, response); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); if (retval) { - krb5_klog_syslog(LOG_INFO, "AS_REQ: ENCODE_KDC_REP: host %s, %s for %s (%s)", - fromstring, cname, sname, error_message(retval)); + krb5_klog_syslog(LOG_INFO, + "AS_REQ: ENCODE_KDC_REP: host %s, %s for %s (%s)", + fromstring, cname, sname, error_message(retval)); goto errout; } /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we can use them in raw form if needed. But, we don't... */ - memset(reply.enc_part.ciphertext.data, 0, - reply.enc_part.ciphertext.length); + memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); free(reply.enc_part.ciphertext.data); - if (is_secondary) - krb5_klog_syslog(LOG_INFO, "AS_REQ; ISSUE: authtime %d, host %s, %s for %s", - authtime, fromstring, cname, sname); - else - krb5_klog_syslog(LOG_INFO, "AS_REQ: ISSUE: authtime %d, host %s, %s for %s", - authtime, fromstring, cname, sname); + krb5_klog_syslog(LOG_INFO, "AS_REQ; ISSUE: authtime %d, host %s, %s for %s", + authtime, fromstring, cname, sname); errout: if (cname) diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index f25e709dd..7afd45136 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -87,6 +87,7 @@ krb5_data **response; /* filled in with a response packet */ int errcode, errcode2; register int i; int firstpass = 1; + int ok_key_data = 0; char *status = 0; char secondary_ch; @@ -227,21 +228,21 @@ tgt_again: ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype; - if (server.key.keytype == ok_keytype || - server.alt_key.keytype == ok_keytype) - break; + for (ok_key_data = 0; ok_key_data < server.n_key_data; ok_key_data++) + if (server.key_data[ok_key_data].key_data_type[0] == ok_keytype) + goto got_a_key; } - if (i == request->netypes) { - /* unsupported etype */ - status = "BAD_ENCRYPTION_TYPE"; - errcode = KRB5KDC_ERR_ETYPE_NOSUPP; - goto cleanup; - } + /* unsupported etype */ + errcode = KRB5KDC_ERR_ETYPE_NOSUPP; + status = "BAD_ENCRYPTION_TYPE"; + goto cleanup; + +got_a_key:; useetype = request->etype[i]; krb5_use_cstype(kdc_context, &eblock, useetype); - - retval = krb5_random_key(kdc_context, &eblock, krb5_csarray[useetype]->random_sequence, + retval = krb5_random_key(kdc_context, &eblock, + krb5_csarray[useetype]->random_sequence, &session_key); if (retval) { /* random key failed */ @@ -427,11 +428,7 @@ tgt_again: goto cleanup; } /* scratch now has the authorization data, so we decode it */ -#ifdef KRB5_USE_ISODE - retval = decode_krb5_authdata(&scratch, request->unenc_authdata); -#else retval = decode_krb5_authdata(&scratch, &(request->unenc_authdata)); -#endif free(scratch.data); if (retval) { status = "AUTH_DECODE"; @@ -550,16 +547,18 @@ tgt_again: } else { /* convert server.key into a real key (it may be encrypted in the database) */ - if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, - &server.key, &encrypting_key))) { + if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &server.key_data[ok_key_data], + &encrypting_key, NULL))) { status = "CONV_KEY"; goto cleanup; } - ticket_reply.enc_part.kvno = server.kvno; + ticket_reply.enc_part.kvno = server.key_data[ok_key_data].key_data_kvno; ticket_reply.enc_part.etype = useetype; krb5_use_cstype(kdc_context, &eblock, ticket_reply.enc_part.etype); - retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, &ticket_reply); + retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, + &ticket_reply); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index b044443b8..7edb14d3a 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -306,7 +306,7 @@ cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); cleanup_auth_context: - /* We do not want the fre of the auth_context to close the rcache */ + /* We do not want the free of the auth_context to close the rcache */ (void) krb5_auth_con_setrcache(kdc_context, auth_context, 0); krb5_auth_con_free(kdc_context, auth_context); @@ -317,18 +317,19 @@ cleanup: krb5_error_code kdc_get_server_key(ticket, key, kvno) -krb5_ticket *ticket; -krb5_keyblock **key; -krb5_kvno *kvno; + krb5_ticket * ticket; + krb5_keyblock ** key; + krb5_kvno * kvno; { - krb5_error_code retval; - int nprincs; - krb5_db_entry server; - krb5_boolean more; + krb5_error_code retval; + krb5_db_entry server; + krb5_boolean more; + int nprincs, i, last_i; if (krb5_principal_compare(kdc_context, tgs_server, ticket->server)) { + retval = krb5_copy_keyblock(kdc_context, &tgs_key, key); *kvno = tgs_kvno; - return krb5_copy_keyblock(kdc_context, &tgs_key, key); + return retval; } else { nprincs = 1; @@ -345,20 +346,28 @@ krb5_kvno *kvno; krb5_db_free_principal(kdc_context, &server, nprincs); if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { - krb5_klog_syslog(LOG_ERR, "TGS_REQ: UNKNOWN SERVER: server='%s'", + krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", sname); free(sname); } return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); } - /* convert server.key into a real key (it may be encrypted - in the database) */ + /* + * Get the latest version of the server key_data and + * convert the key into a real key (it may be encrypted in the database) + */ + for (*kvno = last_i = i = 0; i < server.n_key_data; i++) { + if (*kvno < server.key_data[i].key_data_kvno) { + *kvno = server.key_data[i].key_data_kvno; + last_i = i; + } + } if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { - retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, - &server.key, *key); + retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &server.key_data[last_i], + *key, NULL); } else retval = ENOMEM; - *kvno = server.kvno; krb5_db_free_principal(kdc_context, &server, nprincs); return retval; } diff --git a/src/kdc/main.c b/src/kdc/main.c index b006d8fdc..0d14c8ebf 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -361,6 +361,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, krb5_boolean db_inited; krb5_int32 ibuf; krb5_enctype etype; + int i, keyno; krb5_realm_params *rparams; kret = EINVAL; @@ -369,7 +370,6 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, if (realm) { rdp->realm_name = realm; if (!(kret = krb5_init_context(&rdp->realm_context))) { - (void) krb5_read_realm_params(rdp->realm_context, rdp->realm_name, (char *) NULL, @@ -410,6 +410,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, "kdc", def_port, KDC_PORTNAME); + /* Handle KDC secondary port */ if (rparams && rparams->realm_kdc_sport_valid) rdp->realm_sport = rparams->realm_kdc_sport; @@ -543,12 +544,15 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, com_err(progname, kret, "while fetching master entry for realm %s", realm); goto whoops; - } - else { - rdp->realm_mkvno = db_entry.kvno; - krb5_db_free_principal(rdp->realm_context, - &db_entry, - num2get); + } else { + /* Get the most recent mkvno */ + for (rdp->realm_mkvno = i = 0; i < db_entry.n_key_data; i++) { + if (rdp->realm_mkvno < db_entry.key_data[i].key_data_kvno) { + rdp->realm_mkvno = db_entry.key_data[i].key_data_kvno; + keyno = i; + } + } + krb5_db_free_principal(rdp->realm_context, &db_entry, num2get); } /* Now preprocess the master key */ @@ -595,13 +599,12 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, com_err(progname, kret, "while fetching TGS entry for realm %s", realm); goto whoops; - } - else { - if (!(kret = krb5_kdb_decrypt_key(rdp->realm_context, - &rdp->realm_encblock, - &db_entry.key, - &rdp->realm_tgskey))) { - rdp->realm_tgskvno = db_entry.kvno; + } else { + if (!(kret = krb5_dbekd_decrypt_key_data(rdp->realm_context, + &rdp->realm_encblock, + &db_entry.key_data[keyno], + &rdp->realm_tgskey, NULL))){ + rdp->realm_tgskvno = db_entry.key_data[keyno].key_data_kvno; } krb5_db_free_principal(rdp->realm_context, &db_entry, @@ -710,16 +713,9 @@ initialize_realms(kcontext, argc, argv) case 'r': /* realm name for db */ if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) { if (rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t))) { - if (retval = init_realm(argv[0], - rdatap, - optarg, - db_name, - mkey_name, - mkeytype, - pport, - sport, - kdc_etype, - manual)) { + if (retval = init_realm(argv[0], rdatap, optarg, db_name, + mkey_name, mkeytype, pport, sport, + kdc_etype, manual)) { fprintf(stderr,"%s: cannot initialize realm %s\n", argv[0], optarg); exit(1); @@ -774,16 +770,8 @@ initialize_realms(kcontext, argc, argv) exit(1); } if (rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t))) { - if (retval = init_realm(argv[0], - rdatap, - lrealm, - db_name, - mkey_name, - mkeytype, - pport, - sport, - kdc_etype, - manual)) { + if (retval = init_realm(argv[0], rdatap, lrealm, db_name, mkey_name, + mkeytype, pport, sport, kdc_etype, manual)){ fprintf(stderr,"%s: cannot initialize realm %s\n", argv[0], lrealm); exit(1); @@ -797,8 +785,7 @@ initialize_realms(kcontext, argc, argv) * Now handle the replay cache. */ if (retval = kdc_initialize_rcache(kcontext, rcname)) { - com_err(argv[0], retval, - "while initializing KDC replay cache"); + com_err(argv[0], retval, "while initializing KDC replay cache"); exit(1); } @@ -813,7 +800,7 @@ finish_realms(prog) { int i; - for (i=0; i