8-bit-kvno workarounds from 1.2.4

author Ken Raeburn <raeburn@mit.edu>

Thu, 7 Mar 2002 01:54:59 +0000 (01:54 +0000)

committer Ken Raeburn <raeburn@mit.edu>

Thu, 7 Mar 2002 01:54:59 +0000 (01:54 +0000)
author Ken Raeburn <raeburn@mit.edu>
Thu, 7 Mar 2002 01:54:59 +0000 (01:54 +0000)
committer Ken Raeburn <raeburn@mit.edu>
Thu, 7 Mar 2002 01:54:59 +0000 (01:54 +0000)
diff --git a/src/kadmin/ktutil/ChangeLog b/src/kadmin/ktutil/ChangeLog

index e3b63c3ff9ef0f4ae65711d9ee360f2cedac38af..8f4bd7a02fc707c17e7db6736c5a8d3a932e7263 100644 (file)
--- a/src/kadmin/ktutil/ChangeLog
+++ b/src/kadmin/ktutil/ChangeLog
@@ -1,3 +1,8 @@
+
+       * ktutil_funcs.c (ktutil_write_srvtab): When keeping only
+       highest-numbered kvno, with some heuristics to deal with
+       wrap-around at 256.
+
  2002-03-02  Sam Hartman  <hartmans@mit.edu>
  
         * ktutil_funcs.c (ktutil_write_srvtab): Set umask to 077 to avoid
diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c

index 3d8f0d695a2447910d9aa43b34996078a970530c..073b036283dd04e9d04384ae5d0169e7436b5639 100644 (file)
--- a/src/kadmin/ktutil/ktutil_funcs.c
+++ b/src/kadmin/ktutil/ktutil_funcs.c
@@ -504,9 +504,18 @@ krb5_error_code ktutil_write_srvtab(context, list, name)
                 lp1 = prev->next;
             }
             lp1->entry = lp->entry;
-       } else if (lp1->entry->vno < lp->entry->vno)
-           /* Check if lp->entry is newer kvno; if so, update */
-           lp1->entry = lp->entry;
+       } else {
+           /* This heuristic should be roughly the same as in the
+              keytab-reading code in libkrb5.  */
+           int offset = 0;
+           if (lp1->entry->vno > 240 || lp->entry->vno > 240) {
+               offset = 128;
+           }
+#define M(X) (((X) + offset) % 256)
+           if (M(lp1->entry->vno) < M(lp->entry->vno))
+               /* Check if lp->entry is newer kvno; if so, update */
+               lp1->entry = lp->entry;
+       }
      }
      umask(0077); /*Changing umask for all of ktutil is OK
                   * We don't ever write out anything that should use
diff --git a/src/lib/krb5/keytab/file/ChangeLog b/src/lib/krb5/keytab/file/ChangeLog

index 93060ffeca0131ead89245e7b0f7e95b9bcf2f97..2369037924a6114c470aaf224199ca55779ca0b6 100644 (file)
--- a/src/lib/krb5/keytab/file/ChangeLog
+++ b/src/lib/krb5/keytab/file/ChangeLog
@@ -1,3 +1,11 @@
+2002-03-06  Ken Raeburn  <raeburn@mit.edu>
+
+       * ktf_g_ent.c (krb5_ktfile_get_entry): For non-zero kvno, match
+       only low 8 bits.  For zero kvno, if any kvno in the keytab is over
+       240, assume we're dealing with numbers 128 through (127+256)
+       instead.  This allows for wrapping at 256 while retaining a small
+       set of consecutively numbered prior keys in the keytab.
+
  2001-11-19  Tom Yu  <tlyu@mit.edu>
  
         * ktf_g_ent.c (krb5_ktfile_get_entry): Coerce enctype for now to
diff --git a/src/lib/krb5/keytab/file/ktf_g_ent.c b/src/lib/krb5/keytab/file/ktf_g_ent.c

index 159c95ca8fcf0f911cc95b484ab6c503c4d540c9..905ff6c05d3076fa6d39af170822336df0cd60de 100644 (file)
--- a/src/lib/krb5/keytab/file/ktf_g_ent.c
+++ b/src/lib/krb5/keytab/file/ktf_g_ent.c
@@ -45,6 +45,7 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
      krb5_error_code kerror = 0;
      int found_wrong_kvno = 0;
      krb5_boolean similar;
+    int kvno_offset = 0;
  
      /* Open the keyfile for reading */
      if ((kerror = krb5_ktfileint_openr(context, id)))
@@ -103,9 +104,24 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
             /* if this is the first match, or if the new vno is
                bigger, free the current and keep the new.  Otherwise,
                free the new. */
-              
+           /* A 1.2.x keytab contains only the low 8 bits of the key
+              version number.  Since it can be much bigger, and thus
+              the 8-bit value can wrap, we need some heuristics to
+              figure out the "highest" numbered key if some numbers
+              close to 255 and some near 0 are used.
+
+              The heuristic here:
+
+              If we have any keys with versions over 240, then assume
+              that all version numbers 0-127 refer to 256+N instead.
+              Not perfect, but maybe good enough?  */
+
+#define M(VNO) (((VNO) - kvno_offset + 256) % 256)
+
+           if (new_entry.vno > 240)
+               kvno_offset = 128;
             if (! cur_entry.principal ||
-               (new_entry.vno > cur_entry.vno)) {
+               M(new_entry.vno) > M(cur_entry.vno)) {
                 krb5_kt_free_entry(context, &cur_entry);
                 cur_entry = new_entry;
             } else {
@@ -116,8 +132,12 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
                be one?), keep the new, and break out.  Otherwise, remember
                that we were here so we can return the right error, and
                free the new */
+           /* Yuck.  The krb5-1.2.x keytab format only stores one byte
+              for the kvno, so we're toast if the kvno requested is
+              higher than that.  Short-term workaround: only compare
+              the low 8 bits.  */
  
-           if (new_entry.vno == kvno) {
+           if (new_entry.vno == (kvno & 0xff)) {
                 krb5_kt_free_entry(context, &cur_entry);
                 cur_entry = new_entry;
                 break;
author	Ken Raeburn <raeburn@mit.edu>
	Thu, 7 Mar 2002 01:54:59 +0000 (01:54 +0000)
committer	Ken Raeburn <raeburn@mit.edu>
	Thu, 7 Mar 2002 01:54:59 +0000 (01:54 +0000)
src/kadmin/ktutil/ChangeLog		patch \| blob \| history
src/kadmin/ktutil/ktutil_funcs.c		patch \| blob \| history
src/lib/krb5/keytab/file/ChangeLog		patch \| blob \| history
src/lib/krb5/keytab/file/ktf_g_ent.c		patch \| blob \| history