From 8c1229f85b4b9d82f11f6b56555d2d938e917703 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 6 Jan 2010 23:44:04 +0000
Subject: [PATCH] Make krb5_dbe_def_search_enctype more consistent about when it returns KRB5_KDB_NO_PERMITTED_KEY. Now it will return that error if it sees any non-permitted enctypes which match the search criteria.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23599 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/kdb/kdb_default.c | 50 ++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 27 deletions(-)
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 0aca60310..4a4cf8739 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -61,6 +61,7 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
 int maxkvno;
 krb5_key_data *datap;
 krb5_error_code ret;
+ krb5_boolean saw_non_permitted = FALSE;
 ret = 0;
 if (kvno == -1 && stype == -1 && ktype == -1)
@@ -88,43 +89,38 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
 db_stype = KRB5_KDB_SALTTYPE_NORMAL;
 }
- /*
- * Filter out non-permitted enctypes.
- */
- if (!krb5_is_permitted_enctype(kcontext,
- dbentp->key_data[i].key_data_type[0])) {
- if (*start == 0)
- ret = KRB5_KDB_NO_PERMITTED_KEY;
- continue;
- }
-
-
+ /* Match this entry against the arguments. */
 if (ktype != -1) {
 if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, dbentp->key_data[i].key_data_type[0], &similar)))
 return(ret);
+ if (!similar)
+ continue;
 }
+ if (stype >= 0 && db_stype != stype)
+ continue;
+ if (kvno >= 0 && dbentp->key_data[i].key_data_kvno != kvno)
+ continue;
- if (((ktype == -1) || similar) &&
- ((db_stype == stype) || (stype < 0))) {
- if (kvno >= 0) {
- if (kvno == dbentp->key_data[i].key_data_kvno) {
- datap = &dbentp->key_data[i];
- idx = i;
- maxkvno = kvno;
- break;
- }
- } else {
- if (dbentp->key_data[i].key_data_kvno > maxkvno) {
- maxkvno = dbentp->key_data[i].key_data_kvno;
- datap = &dbentp->key_data[i];
- idx = i;
- }
- }
+ /* Filter out non-permitted enctypes. */
+ if (!krb5_is_permitted_enctype(kcontext,
+ dbentp->key_data[i].key_data_type[0])) {
+ saw_non_permitted = TRUE;
+ continue;
+ }
+
+ if (dbentp->key_data[i].key_data_kvno > maxkvno) {
+ maxkvno = dbentp->key_data[i].key_data_kvno;
+ datap = &dbentp->key_data[i];
+ idx = i;
 }
 }
+ /* If we scanned the whole set of keys and matched only non-permitted
+ * enctypes, indicate that. */
+ if (maxkvno < 0 && *start == 0 && saw_non_permitted)
+ ret = KRB5_KDB_NO_PERMITTED_KEY;
 if (maxkvno < 0)
 return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
 *kdatap = datap;
--
2.26.2
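Review bot: When `kvno` is negative, a permitted key at a lower `key_data_kvno` is still returned after a matching key at a higher kvno was skipped by the `krb5_is_permitted_enctype` filter, because `saw_non_permitted` is only consulted once `maxkvno < 0`. Tightening the permitted enctype list can therefore make this search return an older key version with no error, which deserves a comment beside the filter such as `/* Non-permitted keys are skipped, so the result may have a lower kvno than the newest matching key. */`; whether callers rely on that fallback is not visible here. The `*start == 0` condition also means a search resumed from a nonzero `*start` reports KRB5_KDB_NO_MATCHING_KEY rather than KRB5_KDB_NO_PERMITTED_KEY, so the function's header comment, which lies outside this hunk, should state which error callers get in each case. As a style point, the two consecutive `if (maxkvno < 0)` tests could be folded into one block that picks the error code directly.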