Ticket History #7686: Master key rollover mishandles databases created prior to 1.7

# Thu Aug 01 12:17:13 2013 ghudson@mit.edu (Greg Hudson) - Ticket created

Subject:

kdb5_util add_mkey should ensure master key activation times list exists

Download (untitled) / with headers
text/plain 1.1KiB

The master key activation times list is a tl-data value on the K/M entry
containing {kvno, time} tuples, and determines which master key is
considered "active" for the purpose of encrypting new keys.

This list is currently written by the kdb5_util create, use_mkey, and
purge_mkeys commands. If a KDB was created before 1.7, the list will
not exist in the K/M entry unless someone has run use_mkey.

In the absence of this list, we have some not-very-optimal fallbacks:

* kadmin/kadmin.local will synthesize a list which assumes that the most
recent mkvno is active.

* kdb5_util list_mkeys will display the current time as the "active on"
time for all master keys, and will assume that the most recent mkvno is
active.

As a result, if you run "kdb5_util add_mkey" on an old KDB, the new
master key becomes active immediately (although kadmind will not
recognize this until it restarts; see #7685), before you have had a
chance to propagate the new master key to slave KDCs.

kdb5_util add_mkey should ensure that the master key activation times
list exists, so that we get consistent behavior with old and new KDBs.

# Fri Oct 25 11:42:17 2013 ghudson@mit.edu (Greg Hudson) - Given to ghudson@mit.edu (Greg Hudson)

# Fri Oct 25 11:42:17 2013 ghudson@mit.edu (Greg Hudson) - Target_Version 1.12 added

# Fri Oct 25 11:42:17 2013 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Fri Oct 25 11:42:17 2013 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Fri Oct 25 11:42:17 2013 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 912B

Correctly activate master keys in pre-1.7 KDBs

Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.

Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.

https://github.com/krb5/krb5/commit/ec560fac83912abaa15fb158101c8174497081c5
Author: Greg Hudson <ghudson@mit.edu>
Commit: ec560fac83912abaa15fb158101c8174497081c5
Branch: master
src/lib/kdb/kdb5.c | 41 +++++++++++++++++++----------------------
1 files changed, 19 insertions(+), 22 deletions(-)

# Fri Oct 25 14:54:33 2013 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'

# Fri Oct 25 14:54:33 2013 tlyu (Taylor Yu) - Version_Fixed 1.12 added

# Fri Oct 25 14:54:33 2013 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1018B

Correctly activate master keys in pre-1.7 KDBs

Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.

Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.

(cherry picked from commit ec560fac83912abaa15fb158101c8174497081c5)

https://github.com/krb5/krb5/commit/2c9170e862d95f542a59e6cf2379c7d2174fdeac
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 2c9170e862d95f542a59e6cf2379c7d2174fdeac
Branch: krb5-1.12
src/lib/kdb/kdb5.c | 41 +++++++++++++++++++----------------------
1 files changed, 19 insertions(+), 22 deletions(-)

# Fri Oct 25 16:48:47 2013 ghudson@mit.edu (Greg Hudson) - Subject changed from 'kdb5_util add_mkey should ensure master key activation times list exists' to 'Master key rollover mishandles databases created prior to 1.7'

# Fri Oct 25 16:52:01 2013 ghudson@mit.edu (Greg Hudson) - Comments added

Download (untitled) / with headers
text/plain 315B

Contrary to the initial description of this ticket, I did not change
add_mkey to instantiate the master key activation list. Instead, I
changed the fallback list to emulate what would be in the list if the DB
had been created after 1.7, and made the fallback list apply to all cases
instead of just in kadmind.

# Wed Dec 16 18:03:01 2015 tlyu (Taylor Yu) - CustomField pullup deleted