aren't in permitted_enctypes. This prevents the KDC from issuing
a ticket whose enctype it won't accept.
* keytab.c (krb5_ktkdb_get_entry): For now, coerce enctype of
output keyblock in case we got a match on a similar enctype.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13855
dc483132-0cff-0310-8789-
dd5450dbe970
+2001-10-22 Tom Yu <tlyu@mit.edu>
+
+ * kdb_xdr.c (krb5_dbe_search_enctype): Filter out enctypes that
+ aren't in permitted_enctypes. This prevents the KDC from issuing
+ a ticket whose enctype that it won't accept.
+
+2001-10-20 Tom Yu <tlyu@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): For now, coerce enctype of
+ output keyblock in case we got a match on a similar enctype.
+
2001-10-09 Ken Raeburn <raeburn@mit.edu>
* kdb_db2.c, kdb_db2.h, kdb_dbm.c, keytab.c, t_kdb.c: Make
int i, idx;
int maxkvno;
krb5_key_data *datap;
+ krb5_error_code ret;
if (kvno == -1 && stype == -1 && ktype == -1)
kvno = 0;
datap = (krb5_key_data *) NULL;
for (i = *start; i < dbentp->n_key_data; i++) {
krb5_boolean similar;
- krb5_error_code ret;
krb5_int32 db_stype;
+ ret = 0;
if (dbentp->key_data[i].key_data_ver > 1) {
db_stype = dbentp->key_data[i].key_data_type[1];
} else {
db_stype = KRB5_KDB_SALTTYPE_NORMAL;
}
+
+ /*
+ * Filter out non-permitted enctypes.
+ */
+ if (!krb5_is_permitted_enctype(kcontext,
+ dbentp->key_data[i].key_data_type[0])) {
+ ret = KRB5_KDB_NO_PERMITTED_KEY;
+ continue;
+ }
+
if (ktype >= 0) {
if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
dbentp->key_data[i].key_data_type[0],
}
}
if (maxkvno < 0)
- return ENOENT;
+ return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
*kdatap = datap;
*start = idx+1;
return 0;
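Review bot: The code returned by `return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;` appears to reflect only the last key the loop examined, because `ret = 0;` is reset at the top of every iteration in the preceding hunk. A non-permitted key followed by a permitted key that merely fails to match would then report KRB5_KDB_NO_MATCHING_KEY, while the same keys in the opposite order report KRB5_KDB_NO_PERMITTED_KEY, so the diagnostic an operator sees depends on key order. Recording the filter hit in its own local, e.g. `saw_unpermitted = 1;` before the `continue` and `return saw_unpermitted ? KRB5_KDB_NO_PERMITTED_KEY : KRB5_KDB_NO_MATCHING_KEY;` at the end, would keep the result stable. Part of the loop body lies outside the visible hunks, so how a krb5_c_enctype_compare failure feeds into `ret` should be checked against this return as well.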
if (kerror)
goto error;
+ /*
+ * Coerce the enctype of the output keyblock in case we got an
+ * inexact match on the enctype; this behavior will go away when
+ * the key storage architecture gets redesigned for 1.3.
+ */
+ entry->key.enctype = enctype;
+
kerror = krb5_copy_principal(context, principal, &entry->principal);
if (kerror)
goto error;
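Review bot: `entry->key.enctype = enctype;` overwrites the keyblock's enctype unconditionally, so if a caller can pass a wildcard or "any" enctype, the returned key is relabelled with that wildcard instead of the stored key's real enctype. The lookup is outside this hunk, so that possibility is an assumption to confirm. Guarding the assignment, for example `if (enctype != 0) entry->key.enctype = enctype;` with whatever value this interface treats as "any", would limit the coercion to the inexact-match case the comment describes. The comment could also state that the coercion relies on the lookup matching only similar enctypes, since relabelling a key of an unrelated enctype would give callers a keyblock whose label and key material disagree. The function starts before and continues past this hunk.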