From 32a72f8b65681e8841e34d75811b83de30bf9943 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Fri, 8 Jan 2010 23:42:59 +0000
Subject: [PATCH] pull up r23597, r23599 from trunk

------------------------------------------------------------------------
r23599 | ghudson | 2010-01-06 18:44:04 -0500 (Wed, 06 Jan 2010) | 4 lines
Make krb5_dbe_def_search_enctype more consistent about when it returns KRB5_KDB_NO_PERMITTED_KEY. Now it will return that error if it sees any non-permitted enctypes which match the search criteria.
------------------------------------------------------------------------
r23597 | ghudson | 2010-01-06 18:14:14 -0500 (Wed, 06 Jan 2010) | 8 lines
ticket: 6622
target_version: 1.8
tags: pullup
Don't return KRB5_KDB_NO_PERMITTED_KEY from krb5_dbe_def_search_enctype if we previously returned results (i.e. if *start > 0).
ticket: 6622
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23615 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/kdb/kdb_default.c | 49 ++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 26 deletions(-)
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index ea24d36fd..4a4cf8739 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -61,6 +61,7 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
 int maxkvno;
 krb5_key_data *datap;
 krb5_error_code ret;
+ krb5_boolean saw_non_permitted = FALSE;
 ret = 0;
 if (kvno == -1 && stype == -1 && ktype == -1)
@@ -88,42 +89,38 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) db_stype = KRB5_KDB_SALTTYPE_NORMAL; } - /* - * Filter out non-permitted enctypes. - */ - if (!krb5_is_permitted_enctype(kcontext, - dbentp->key_data[i].key_data_type[0])) { - ret = KRB5_KDB_NO_PERMITTED_KEY; - continue; - } - - + /* Match this entry against the arguments. */ if (ktype != -1) { if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, dbentp->key_data[i].key_data_type[0], &similar))) return(ret); + if (!similar) + continue; } + if (stype >= 0 && db_stype != stype) + continue; + if (kvno >= 0 && dbentp->key_data[i].key_data_kvno != kvno) + continue; - if (((ktype == -1) || similar) && - ((db_stype == stype) || (stype < 0))) { - if (kvno >= 0) { - if (kvno == dbentp->key_data[i].key_data_kvno) { - datap = &dbentp->key_data[i]; - idx = i; - maxkvno = kvno; - break; - } - } else { - if (dbentp->key_data[i].key_data_kvno > maxkvno) { - maxkvno = dbentp->key_data[i].key_data_kvno; - datap = &dbentp->key_data[i]; - idx = i; - } - } + /* Filter out non-permitted enctypes. */ + if (!krb5_is_permitted_enctype(kcontext, + dbentp->key_data[i].key_data_type[0])) { + saw_non_permitted = TRUE; + continue; + } + + if (dbentp->key_data[i].key_data_kvno > maxkvno) { + maxkvno = dbentp->key_data[i].key_data_kvno; + datap = &dbentp->key_data[i]; + idx = i; } } + /* If we scanned the whole set of keys and matched only non-permitted + * enctypes, indicate that. */ + if (maxkvno < 0 && *start == 0 && saw_non_permitted) + ret = KRB5_KDB_NO_PERMITTED_KEY; if (maxkvno < 0) return ret ? ret : KRB5_KDB_NO_MATCHING_KEY; *kdatap = datap; -- 2.26.2
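Review bot: The context line `return(ret);` under `if (ktype != -1)` still aborts the whole scan when krb5_c_enctype_compare() fails on a single entry, while the reordered code treats every other per-entry mismatch as `continue`. If that call fails for a stored enctype this build does not recognise (likely, but not shown on this page), one such key would hide every matching key from a typed lookup, whereas the `ktype == -1` path would presumably just count it as non-permitted. Consider testing the result without storing it, `if (krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, dbentp->key_data[i].key_data_type[0], &similar) || !similar) continue;`, so that `ret` stays 0 for the final `return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;`. The `*start == 0` test also deserves a comment such as `/* Later calls of an iteration report NO_MATCHING_KEY, since earlier calls already returned results. */`, because that reason is stated only in the commit message. The function begins before this hunk and continues after it.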