From e30a561176bd8e146e551875d9d590c3f7797923 Mon Sep 17 00:00:00 2001
From: Ken Raeburn <raeburn@mit.edu>
Date: Thu, 7 Mar 2002 01:54:59 +0000
Subject: [PATCH] 8-bit-kvno workarounds from 1.2.4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14243 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kadmin/ktutil/ChangeLog          |  5 +++++
 src/kadmin/ktutil/ktutil_funcs.c     | 15 ++++++++++++---
 src/lib/krb5/keytab/file/ChangeLog   |  8 ++++++++
 src/lib/krb5/keytab/file/ktf_g_ent.c | 26 +++++++++++++++++++++++---
 4 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/src/kadmin/ktutil/ChangeLog b/src/kadmin/ktutil/ChangeLog
index e3b63c3ff..8f4bd7a02 100644
--- a/src/kadmin/ktutil/ChangeLog
+++ b/src/kadmin/ktutil/ChangeLog
@@ -1,3 +1,8 @@
+
+	* ktutil_funcs.c (ktutil_write_srvtab): When keeping only
+	highest-numbered kvno, with some heuristics to deal with
+	wrap-around at 256.
+
 2002-03-02  Sam Hartman  <hartmans@mit.edu>
 
 	* ktutil_funcs.c (ktutil_write_srvtab): Set umask to 077 to avoid
diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c
index 3d8f0d695..073b03628 100644
--- a/src/kadmin/ktutil/ktutil_funcs.c
+++ b/src/kadmin/ktutil/ktutil_funcs.c
@@ -504,9 +504,18 @@ krb5_error_code ktutil_write_srvtab(context, list, name)
 		lp1 = prev->next;
 	    }
 	    lp1->entry = lp->entry;
-	} else if (lp1->entry->vno < lp->entry->vno)
-	    /* Check if lp->entry is newer kvno; if so, update */
-	    lp1->entry = lp->entry;
+	} else {
+	    /* This heuristic should be roughly the same as in the
+	       keytab-reading code in libkrb5.  */
+	    int offset = 0;
+	    if (lp1->entry->vno > 240 || lp->entry->vno > 240) {
+		offset = 128;
+	    }
+#define M(X) (((X) + offset) % 256)
+	    if (M(lp1->entry->vno) < M(lp->entry->vno))
+		/* Check if lp->entry is newer kvno; if so, update */
+		lp1->entry = lp->entry;
+	}
     }
     umask(0077); /*Changing umask for all of ktutil is OK
 		  * We don't ever write out anything that should use
diff --git a/src/lib/krb5/keytab/file/ChangeLog b/src/lib/krb5/keytab/file/ChangeLog
index 93060ffec..236903792 100644
--- a/src/lib/krb5/keytab/file/ChangeLog
+++ b/src/lib/krb5/keytab/file/ChangeLog
@@ -1,3 +1,11 @@
+2002-03-06  Ken Raeburn  <raeburn@mit.edu>
+
+	* ktf_g_ent.c (krb5_ktfile_get_entry): For non-zero kvno, match
+	only low 8 bits.  For zero kvno, if any kvno in the keytab is over
+	240, assume we're dealing with numbers 128 through (127+256)
+	instead.  This allows for wrapping at 256 while retaining a small
+	set of consecutively numbered prior keys in the keytab.
+
 2001-11-19  Tom Yu  <tlyu@mit.edu>
 
 	* ktf_g_ent.c (krb5_ktfile_get_entry): Coerce enctype for now to
diff --git a/src/lib/krb5/keytab/file/ktf_g_ent.c b/src/lib/krb5/keytab/file/ktf_g_ent.c
index 159c95ca8..905ff6c05 100644
--- a/src/lib/krb5/keytab/file/ktf_g_ent.c
+++ b/src/lib/krb5/keytab/file/ktf_g_ent.c
@@ -45,6 +45,7 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
     krb5_error_code kerror = 0;
     int found_wrong_kvno = 0;
     krb5_boolean similar;
+    int kvno_offset = 0;
 
     /* Open the keyfile for reading */
     if ((kerror = krb5_ktfileint_openr(context, id)))
@@ -103,9 +104,24 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
 	    /* if this is the first match, or if the new vno is
 	       bigger, free the current and keep the new.  Otherwise,
 	       free the new. */
-	       
+	    /* A 1.2.x keytab contains only the low 8 bits of the key
+	       version number.  Since it can be much bigger, and thus
+	       the 8-bit value can wrap, we need some heuristics to
+	       figure out the "highest" numbered key if some numbers
+	       close to 255 and some near 0 are used.
+
+	       The heuristic here:
+
+	       If we have any keys with versions over 240, then assume
+	       that all version numbers 0-127 refer to 256+N instead.
+	       Not perfect, but maybe good enough?  */
+
+#define M(VNO) (((VNO) - kvno_offset + 256) % 256)
+
+	    if (new_entry.vno > 240)
+		kvno_offset = 128;
 	    if (! cur_entry.principal ||
-		(new_entry.vno > cur_entry.vno)) {
+		M(new_entry.vno) > M(cur_entry.vno)) {
 		krb5_kt_free_entry(context, &cur_entry);
 		cur_entry = new_entry;
 	    } else {
@@ -116,8 +132,12 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
 	       be one?), keep the new, and break out.  Otherwise, remember
 	       that we were here so we can return the right error, and
 	       free the new */
+	    /* Yuck.  The krb5-1.2.x keytab format only stores one byte
+	       for the kvno, so we're toast if the kvno requested is
+	       higher than that.  Short-term workaround: only compare
+	       the low 8 bits.  */
 
-	    if (new_entry.vno == kvno) {
+	    if (new_entry.vno == (kvno & 0xff)) {
 		krb5_kt_free_entry(context, &cur_entry);
 		cur_entry = new_entry;
 		break;
-- 
2.26.2