read_master_keytab() should always return with *mkey == NULL on
failure. Doing otherwise can result in memory leaks or use of
an uninitialized pointer.
Change-Id: Ice1fd504ca573d73bb51dd3b01770c3f8bc59fd4
Prior to this change hdb_unseal_keys_kvno() could return successfully (0)
if the choice_HDB_extension_data_hist_keys extension was found but the
hist_keys list was empty. As a side effect callers would believe that the
provide hdb_entry keys were unsealed when they weren't. This could cause
the KDC or kadmin to report invalid key size errors.
If the extension is present and the history list is empty attempt to
unseal the provided hdb_entry using hdb_unseal_keys_mkey().
Change-Id: I9218b02bccdbcf22133a9464a677374db53ade85
Before this change Heimdal could read KDBs. Now it can write to
them too.
Heimdal can now also dump HDBs (including KDBs) in MIT format, which
can then be imported with kdb5_util load.
This is intended to help in migrations from MIT to Heimdal by
allowing migrations from Heimdal to MIT so that it is possible
to rollback from Heimdal to MIT should there be any issues. The
idea is to allow a) running Heimdal kdc/kadmind with a KDB, or
b) running Heimdal with an HDB converted from a KDB and then
rollback by dumping the HDB and loading a KDB.
Note that not all TL data types are supported, only two: last
password change and modify-by. This is the minimum necessary.
PKINIT users may need to add support for KRB5_TL_USER_CERTIFICATE,
and for databases with K/M history we may need to add KRB5_TL_MKVNO
support.
Support for additional TL data types can be added in
lib/hdb/hdb-mitdb.c:_hdb_mdb_value2entry() and
lib/hdb/print.c:entry2mit_string_int().
Krb5 admin patches 2nd
This has all the patches needed for krb5_admind to build and pass most tests, that includes:
- more kadm5 API compatibility (including very basic profile functionality)
- multi-kvno support (useful for key rollovers) (a test for this is included in tests/db/check-kdc)
Unfinished:
- password history (currently uses key history, needs to be separated and use digests)
- policies (only default policy allowed)
- mit kdb changes not tested yet
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
key was encrypted with MIT Kerberos (old patch from Johan)
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15826 ec53bebd-3082-4978-b11e-865c3cabbd6b
longer then expected length, its probably longer since the encrypted
data was padded, reported by Aidan Cully <aidan@kublai.com>
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11931 ec53bebd-3082-4978-b11e-865c3cabbd6b
hdb_seal_keys): check that we have the correct master key and that we
manage to decrypt the key properly, returning an error code. fix all
callers to check return value.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9594 ec53bebd-3082-4978-b11e-865c3cabbd6b
