From ef9b79c0dd6bdc5d7b198dc1d681086d84b86b22 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Thu, 25 Oct 2001 20:21:28 +0000
Subject: [PATCH] * kdb_xdr.c (krb5_dbe_search_enctype): Filter out enctypes that aren't in permitted_enctypes. This prevents the KDC from issuing a ticket whose enctype that it won't accept.

* keytab.c (krb5_ktkdb_get_entry): For now, coerce enctype of output keyblock in case we got a match on a similar enctype.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13855 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/kdb/ChangeLog | 11 +++++++++++
 src/lib/kdb/kdb_xdr.c | 15 +++++++++++++--
 src/lib/kdb/keytab.c | 7 +++++++
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog
index 62f53135a..06cc18740 100644
--- a/src/lib/kdb/ChangeLog
+++ b/src/lib/kdb/ChangeLog
@@ -1,3 +1,14 @@
+2001-10-22 Tom Yu
+
+	* kdb_xdr.c (krb5_dbe_search_enctype): Filter out enctypes that
+	aren't in permitted_enctypes. This prevents the KDC from issuing
+	a ticket whose enctype that it won't accept.
+
+2001-10-20 Tom Yu
+
+	* keytab.c (krb5_ktkdb_get_entry): For now, coerce enctype of
+	output keyblock in case we got a match on a similar enctype.
+
 2001-10-09 Ken Raeburn
 
 	* kdb_db2.c, kdb_db2.h, kdb_dbm.c, keytab.c, t_kdb.c: Make
diff --git a/src/lib/kdb/kdb_xdr.c b/src/lib/kdb/kdb_xdr.c
index 973730f64..b836e250c 100644
--- a/src/lib/kdb/kdb_xdr.c
+++ b/src/lib/kdb/kdb_xdr.c
@@ -726,6 +726,7 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
     int i, idx;
     int maxkvno;
     krb5_key_data *datap;
+    krb5_error_code ret;
 
     if (kvno == -1 && stype == -1 && ktype == -1)
         kvno = 0;
@@ -743,15 +744,25 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
     datap = (krb5_key_data *) NULL;
     for (i = *start; i < dbentp->n_key_data; i++) {
         krb5_boolean similar;
-        krb5_error_code ret;
         krb5_int32 db_stype;
 
+        ret = 0;
         if (dbentp->key_data[i].key_data_ver > 1) {
             db_stype = dbentp->key_data[i].key_data_type[1];
         } else {
             db_stype = KRB5_KDB_SALTTYPE_NORMAL;
         }
+
+        /*
+         * Filter out non-permitted enctypes.
+         */
+        if (!krb5_is_permitted_enctype(kcontext,
+                                       dbentp->key_data[i].key_data_type[0])) {
+            ret = KRB5_KDB_NO_PERMITTED_KEY;
+            continue;
+        }
+
         if (ktype >= 0) {
             if ((ret = krb5_c_enctype_compare(kcontext,
                                               (krb5_enctype) ktype,
                                               dbentp->key_data[i].key_data_type[0],
@@ -778,7 +789,7 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
         }
     }
     if (maxkvno < 0)
-        return ENOENT;
+        return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
     *kdatap = datap;
     *start = idx+1;
     return 0;
diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
index 222e2d900..f8077324b 100644
--- a/src/lib/kdb/keytab.c
+++ b/src/lib/kdb/keytab.c
@@ -131,6 +131,13 @@ krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry)
     if (kerror)
         goto error;
 
+    /*
+     * Coerce the enctype of the output keyblock in case we got an
+     * inexact match on the enctype; this behavior will go away when
+     * the key storage architecture gets redesigned for 1.3.
+     */
+    entry->key.enctype = enctype;
+
     kerror = krb5_copy_principal(context, principal, &entry->principal);
     if (kerror)
         goto error;
-- 
2.26.2
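Review bot: `ret = KRB5_KDB_NO_PERMITTED_KEY; continue;` in the new filter branch is wiped out by `ret = 0;` at the top of the next iteration, so the value that reaches `return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;` in the `@@ -778,7` hunk only records whether the *last* key examined was non-permitted, not whether any was; which of the two errors the caller (and anything logging it) sees therefore depends on the order of key_data entries. If, as the visible `if ((ret = krb5_c_enctype_compare(...` suggests, a failing compare leaves the loop early (its continuation is outside the hunk), `ret` never needs to carry the filter result across iterations, and a separate sticky flag is clearer: declare `krb5_boolean saw_unpermitted = FALSE;` with the other locals, write `saw_unpermitted = TRUE;` in place of `ret = KRB5_KDB_NO_PERMITTED_KEY;`, and finish with `return saw_unpermitted ? KRB5_KDB_NO_PERMITTED_KEY : KRB5_KDB_NO_MATCHING_KEY;`. The early `continue` also deliberately hides a key even when the caller asked for exactly that ktype, which is the intended hardening but reads like a bug without a note; the block comment could say `/* Skip keys whose enctype is not in permitted_enctypes, even on an exact ktype match: the KDC must never issue a ticket under such a key. */`. krb5_dbe_search_enctype begins and ends outside this hunk.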
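Review bot: `entry->key.enctype = enctype;` is applied unconditionally, so if this function follows the usual keytab convention that an `enctype` argument of 0 means "any enctype" (the lookup that decides that is above the hunk and not visible), the returned keyblock is relabelled with enctype 0 and becomes unusable to whatever consumes it; guarding with `if (enctype != 0) entry->key.enctype = enctype;` keeps the stored enctype in that case. The relabelling is only sound when the key that was found is one krb5_c_enctype_compare treats as similar to `enctype`, since otherwise key material is handed out under an enctype it was never derived for, and the comment should state that dependency explicitly, e.g. `/* Safe only because the lookup above matches on krb5_c_enctype_compare similarity. */`. krb5_ktkdb_get_entry starts and ends outside this hunk.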