From b119d362e2e195a61488737511be2ca7b37138b5 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 2 Jul 2010 19:09:20 +0000
Subject: [PATCH] Remove verify_master_key from the DAL table, as well as its associated libkdb5 interface. Callers can (and mostly already do) use krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create, tests/verify, and kdb5_util dump to do so.
ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/kdb.h | 32 ++++--------------
 src/kadmin/dbutil/dump.c | 9 +++---
 src/kadmin/dbutil/kdb5_util.c | 10 ------
 src/kdc/main.c | 17 ----------
 src/lib/kadm5/srv/server_kdb.c | 12 -------
 src/lib/kdb/kdb5.c | 19 -----------
 src/lib/kdb/kdb_default.c | 57 ---------------------------------
 src/lib/kdb/libkdb5.exports | 1 -
 src/plugins/kdb/db2/db2_exp.c | 2 +-
 src/plugins/kdb/ldap/ldap_exp.c | 1 -
 src/tests/create/kdb5_mkdums.c | 7 ++--
 src/tests/verify/kdb5_verify.c | 7 ++--
 12 files changed, 22 insertions(+), 152 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index a2c496967..856cf0bdf 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -476,10 +476,6 @@ krb5_error_code krb5_db_fetch_mkey ( krb5_context context,
krb5_kvno *kvno,
krb5_data *salt,
krb5_keyblock *key);
-krb5_error_code krb5_db_verify_master_key ( krb5_context kcontext,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock *mkey );
krb5_error_code krb5_db_fetch_mkey_list( krb5_context context, krb5_principal mname,
@@ -716,12 +712,6 @@ krb5_db_def_fetch_mkey( krb5_context context,
krb5_kvno *kvno,
char *db_args);
-krb5_error_code
-krb5_def_verify_master_key( krb5_context context,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock *mkey);
-
krb5_error_code krb5_def_fetch_mkey_list( krb5_context context, krb5_principal mprinc,
@@ -1162,19 +1152,6 @@ typedef struct _kdb_vftabl {
krb5_keyblock *key,
krb5_kvno *kvno,
char *db_args);
- /*
- * Optional with default: Verify that the keyblock mkey is a valid master
- * key for the realm. This function used to be used by the KDC and
- * kadmind, but is now used only by kdb5_util dump -mkey_convert.
- *
- * The default implementation retrieves the master key principal and
- * attempts to decrypt its key with mkey. This only works for the current
- * master keyblock.
- */
- krb5_error_code (*verify_master_key)(krb5_context kcontext,
- krb5_principal mprinc, krb5_kvno kvno,
- krb5_keyblock *mkey);
-
/*
* Optional with default: Given a keyblock for some version of the
* database's master key, fetch the decrypted master key values from the
@@ -1182,9 +1159,12 @@ typedef struct _kdb_vftabl {
* *mkeys_list using a libkdb5 function which uses the standard free()
* function, so the module must not use a custom allocator.
*
- * The default implementation tries the key against the current master key
- * data and all KRB5_TL_MKEY_AUX values, which contain copies of the master
- * keys encrypted with old master keys.
+ * The caller may not know the version number of the master key it has, in
+ * which case it will pass IGNORE_VNO.
+ *
+ * The default implementation ignores kvno and tries the key against the
+ * current master key data and all KRB5_TL_MKEY_AUX values, which contain
+ * copies of the master keys encrypted with old master keys.
*/
krb5_error_code (*fetch_master_key_list)(krb5_context kcontext,
krb5_principal mname,
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 64c63afb1..baebf4c6e 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -1082,6 +1082,7 @@ dump_db(argc, argv)
kdb_log_context *log_ctx;
char **db_args = 0; /* XXX */
unsigned int ipropx_version = IPROPX_VERSION_0;
+ krb5_keylist_node *mkeys;
/*
* Parse the arguments.
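Review bot: The rewritten fetch_master_key_list comment says the default implementation ignores kvno but leaves unsaid that a caller-supplied version is therefore never checked against the master principal's key_data_kvno, which is the check the deleted krb5_def_verify_master_key performed (it returned KRB5_KDB_BADMASTERKEY on a mismatch) and which now has no counterpart in this interface. A caller passing an explicit version, as kdb5_util's open_db_and_mkey does with master_kvno, should not read the parameter as validated, and a module that does honor kvno would diverge from the default in a way the contract leaves open. I would add after the IGNORE_VNO sentence: `* Implementations are not required to check kvno against the master principal's key data; a caller that needs that check must perform it itself.` The enclosing struct _kdb_vftabl begins and ends outside the hunk.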
@@ -1185,15 +1186,15 @@ dump_db(argc, argv)
"while reading master key");
exit(1);
}
- retval = krb5_db_verify_master_key(util_context,
- master_princ,
- IGNORE_VNO,
- &master_keyblock);
+ retval = krb5_db_fetch_mkey_list(util_context, master_princ,
+ &master_keyblock, IGNORE_VNO,
+ &mkeys);
if (retval) {
com_err(progname, retval,
"while verifying master key");
exit(1);
}
+ krb5_db_free_mkey_list(util_context, mkeys);
}
new_master_keyblock.enctype = global_params.enctype;
if (new_master_keyblock.enctype == ENCTYPE_UNKNOWN)
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index 035a8c0ff..09b0d0704 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -491,16 +491,6 @@ static int open_db_and_mkey()
return(0);
}
}
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
- /* krb5_db_fetch_mkey_list will verify the mkey */
- if ((retval = krb5_db_verify_master_key(util_context, master_princ,
- master_kvno, &master_keyblock))) {
- com_err(progname, retval, "while verifying master key");
- exit_status++;
- krb5_free_keyblock_contents(util_context, &master_keyblock);
- return(1);
- }
-#endif /**************** END IFDEF'ed OUT *******************************/
if ((retval = krb5_db_fetch_mkey_list(util_context, master_princ,
&master_keyblock, master_kvno,
diff --git a/src/kdc/main.c b/src/kdc/main.c
index c3270a969..60c48aea6 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
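Review bot: The replacement on the `retval = krb5_db_fetch_mkey_list(...)` lines accepts a wider set of keyblocks than the call it replaces: the deleted krb5_def_verify_master_key compared mkey against the decrypted key_data[0] and so passed only the current master key, whereas the default fetch_master_key_list, per the new kdb.h comment, also succeeds for any key that unlocks a KRB5_TL_MKEY_AUX copy, so with IGNORE_VNO an old master key now gets past the `"while verifying master key"` error. If -mkey_convert depends on master_keyblock being the current key, that should be confirmed here, for instance by inspecting the returned mkeys list for the expected kvno before freeing it, assuming krb5_keylist_node carries one; if the relaxation is intended it deserves a comment. Since the list is discarded immediately, a line above the free such as `/* Only verifying master_keyblock; the decrypted list itself is not needed here. */` would also make the intent clear. dump_db begins and ends outside the hunk.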
@@ -423,23 +423,6 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname,
rdp->realm_mpname, realm);
goto whoops;
}
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
- /*
- * Commenting krb5_db_verify_master_key out because it requires the most
- * current mkey which may not be the case here. The call to
- * krb5_db_fetch_mkey_list() will end up verifying that the mkey is viable
- * anyway.
- */
- /* Verify the master key */
- if ((kret = krb5_db_verify_master_key(rdp->realm_context,
- rdp->realm_mprinc,
- IGNORE_VNO,
- &rdp->realm_mkey))) {
- kdc_err(rdp->realm_context, kret,
- "while verifying master key for realm %s", realm);
- goto whoops;
- }
-#endif /**************** END IFDEF'ed OUT *******************************/
if ((kret = krb5_db_fetch_mkey_list(rdp->realm_context, rdp->realm_mprinc,
&rdp->realm_mkey, mkvno, &rdp->mkey_list))) {
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 768c8f739..d986b626e 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -72,18 +72,6 @@ krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
if (ret) goto done;
-#if 0 /************** Begin IFDEF'ed OUT *******************************/
- /*
- * krb5_db_fetch_mkey_list will verify mkey so don't call
- * krb5_db_verify_master_key()
- */
- if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
- IGNORE_VNO, &master_keyblock))) {
- krb5_db_fini(handle->context);
- return ret;
- }
-#endif /**************** END IFDEF'ed OUT *******************************/
-
if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
&master_keyblock, mkvno, &master_keylist))) {
krb5_db_fini(handle->context);
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index f1bd58119..8a1998457 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -252,8 +252,6 @@ kdb_setup_opt_functions(db_library lib)
lib->vftabl.get_master_key_list = kdb_def_get_mkey_list;
if (lib->vftabl.fetch_master_key == NULL)
lib->vftabl.fetch_master_key = krb5_db_def_fetch_mkey;
- if (lib->vftabl.verify_master_key == NULL)
- lib->vftabl.verify_master_key = krb5_def_verify_master_key;
if (lib->vftabl.fetch_master_key_list == NULL)
lib->vftabl.fetch_master_key_list = krb5_def_fetch_mkey_list;
if (lib->vftabl.store_master_key_list == NULL)
@@ -1277,23 +1275,6 @@ clean_n_exit:
return retval;
}
-krb5_error_code
-krb5_db_verify_master_key(krb5_context kcontext,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock * mkey)
-{
- krb5_error_code status = 0;
- kdb_vftabl *v;
-
- status = get_vftabl(kcontext, &v);
- if (status)
- return status;
- if (v->verify_master_key == NULL)
- return KRB5_KDB_DBTYPE_NOSUP;
- return v->verify_master_key(kcontext, mprinc, kvno, mkey);
-}
-
krb5_error_code
krb5_dbe_fetch_act_key_list(krb5_context context,
krb5_principal princ,
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index e8fe54ff1..d78c13cb1 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -434,63 +434,6 @@ krb5_db_def_fetch_mkey(krb5_context context,
return 0;
}
-/*
- * Note, this verifies that the input mkey is currently protecting all the mkeys
- */
-krb5_error_code
-krb5_def_verify_master_key(krb5_context context,
- krb5_principal mprinc,
- krb5_kvno kvno,
- krb5_keyblock *mkey)
-{
- krb5_error_code retval;
- krb5_db_entry master_entry;
- int nprinc;
- krb5_boolean more;
- krb5_keyblock tempkey;
-
- nprinc = 1;
- if ((retval = krb5_db_get_principal(context, mprinc,
- &master_entry, &nprinc, &more)))
- return(retval);
-
- if (nprinc != 1) {
- if (nprinc)
- krb5_db_free_principal(context, &master_entry, nprinc);
- return(KRB5_KDB_NOMASTERKEY);
- } else if (more) {
- krb5_db_free_principal(context, &master_entry, nprinc);
- return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
- }
-
- if ((retval = krb5_dbe_decrypt_key_data(context, mkey,
- &master_entry.key_data[0],
- &tempkey, NULL))) {
- krb5_db_free_principal(context, &master_entry, nprinc);
- return retval;
- }
-
- if (mkey->length != tempkey.length ||
- memcmp((char *)mkey->contents,
- (char *)tempkey.contents,mkey->length)) {
- retval = KRB5_KDB_BADMASTERKEY;
- }
-
- if (kvno != IGNORE_VNO &&
- kvno != (krb5_kvno) master_entry.key_data->key_data_kvno) {
- retval = KRB5_KDB_BADMASTERKEY;
- krb5_set_error_message (context, retval,
- "User specified mkeyVNO (%u) does not match master key princ's KVNO (%u)",
- kvno, master_entry.key_data->key_data_kvno);
- }
-
- zap((char *)tempkey.contents, tempkey.length);
- free(tempkey.contents);
- krb5_db_free_principal(context, &master_entry, nprinc);
-
- return retval;
-}
-
krb5_error_code
krb5_def_fetch_mkey_list(krb5_context context,
krb5_principal mprinc,
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index c32a8db5e..4111ef0f0 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -27,7 +27,6 @@ krb5_db_setup_mkey_name
krb5_db_unlock
krb5_db_store_master_key
krb5_db_store_master_key_list
-krb5_db_verify_master_key
krb5_dbe_apw
krb5_dbe_ark
krb5_dbe_cpw
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 87a3bf0f9..aabeb9d03 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -246,7 +246,7 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = {
/* free */ krb5_db2_free,
/* set_master_key_list */ wrap_krb5_db2_set_mkey_list,
/* get_master_key_list */ wrap_krb5_db2_get_mkey_list,
- /* blah blah blah */ 0,0,0,0,0,0,0,
+ /* blah blah blah */ 0,0,0,0,0,0,
/* promote_db */ wrap_krb5_db2_promote_db,
0, 0,
/* invoke */ wrap_krb5_db2_invoke
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c
index 4d071dc49..0fb014a89 100644
--- a/src/plugins/kdb/ldap/ldap_exp.c
+++ b/src/plugins/kdb/ldap/ldap_exp.c
@@ -76,7 +76,6 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_ldap, kdb_function_table) = {
/* get_master_key_list */ krb5_ldap_get_mkey_list,
/* store_master_key */ NULL,
/* fetch_master_key */ NULL /* krb5_ldap_fetch_mkey */,
- /* verify_master_key */ NULL /* krb5_ldap_verify_master_key */,
/* fetch_master_key_list */ NULL,
/* store_master_key_list */ NULL,
/* Search enc type */ NULL,
diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c
index 3179b968e..0d860b909 100644
--- a/src/tests/create/kdb5_mkdums.c
+++ b/src/tests/create/kdb5_mkdums.c
@@ -336,6 +336,7 @@ set_dbname_help(pname, dbname)
krb5_boolean more;
krb5_data pwd, scratch;
char *args[2];
+ krb5_keylist_node *mkeys;
/* assemble & parse the master key name */
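Review bot: The changed `/* blah blah blah */ 0,0,0,0,0,0,` line is a positional initializer, so dropping the verify_master_key member had to be mirrored by counting zeros by hand, and a miscount would shift promote_db and invoke into neighbouring slots with no compiler diagnostic. Labelling each slot as ldap_exp.c does in the next hunk, or using C99 designated initializers if the project's compiler baseline allows them (`.promote_db = wrap_krb5_db2_promote_db,` and `.invoke = wrap_krb5_db2_invoke`), would make the next table edit checkable by inspection. The same layout change in kdb.h means any out-of-tree KDB module compiled against the old kdb_vftabl would load with every pointer after the removed member shifted by one; whether the DAL exposes a version constant that should be bumped with this change is not visible in the hunk. The initializer begins outside the hunk.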
@@ -392,12 +393,14 @@ set_dbname_help(pname, dbname)
/* Done with args */
free(args[0]);
- if ((retval = krb5_db_verify_master_key(test_context, master_princ,
- IGNORE_VNO, &master_keyblock))){
+ if ((retval = krb5_db_fetch_mkey_list(test_context, master_princ,
+ &master_keyblock, IGNORE_VNO,
+ &mkeys))){
com_err(pname, retval, "while verifying master key");
(void) krb5_db_fini(test_context);
return(1);
}
+ krb5_db_free_mkey_list(test_context, mkeys);
nentries = 1;
if ((retval = krb5_db_get_principal(test_context, master_princ,
&master_entry, &nentries, &more))) {
diff --git a/src/tests/verify/kdb5_verify.c b/src/tests/verify/kdb5_verify.c
index 2e465f36f..5fdab77c0 100644
--- a/src/tests/verify/kdb5_verify.c
+++ b/src/tests/verify/kdb5_verify.c
@@ -368,6 +368,7 @@ set_dbname_help(context, pname, dbname)
krb5_boolean more;
krb5_data pwd, scratch;
char *args[2];
+ krb5_keylist_node *mkeys;
/* assemble & parse the master key name */
@@ -419,12 +420,14 @@ set_dbname_help(context, pname, dbname)
com_err(pname, retval, "while initializing database");
return(1);
}
- if ((retval = krb5_db_verify_master_key(context, master_princ,
- IGNORE_VNO, &master_keyblock))) {
+ if ((retval = krb5_db_fetch_mkey_list(context, master_princ,
+ &master_keyblock, IGNORE_VNO,
+ &mkeys))) {
com_err(pname, retval, "while verifying master key");
(void) krb5_db_fini(context);
return(1);
}
+ krb5_db_free_mkey_list(context, mkeys);
nentries = 1;
if ((retval = krb5_db_get_principal(context, master_princ,
&master_entry, &nentries, &more))) {
--
2.26.2
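Review bot: At the new `krb5_db_fetch_mkey_list(context, master_princ, ...)` call the fetched list is freed on the statement after the error check, so `mkeys` exists only to exercise the verification, and a reader who sees a fetch call next to the `"while verifying master key"` message has to infer that; a comment above the call, `/* Fetch the list only to confirm master_keyblock unlocks the master key data; it is freed right away. */`, would state it. It is also worth noting in that comment that, per the new kdb.h text, the default implementation with IGNORE_VNO accepts any keyblock that decrypts the current master key or a KRB5_TL_MKEY_AUX copy, which is looser than the removed verify_master_key that passed only the current key — acceptable for a verification test, but a deliberate choice. The identical sequence in kdb5_mkdums.c in the hunk above would take the same comment. set_dbname_help begins and ends outside the hunk.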