pull up r23677 from trunk

 ------------------------------------------------------------------------
 r23677 | ghudson | 2010-01-28 20:22:17 -0500 (Thu, 28 Jan 2010) | 14 lines

 ticket: 6652
 subject: Make decryption of master key list more robust
 target_version: 1.8
 tags: pullup

 krb5_def_fetch_mkey_list was incorrectly filtering mkey_aux entries
 when searching the list for an entry which can be decrypted with the
 stashed master key.  This bug was masked in most cases by the mkvno
 heuristic.

 Remove the mkvno heuristic, since performance is not an issue for this
 rarely-performed operation, and remove the incorrect enctype
 comparison in the brute-force search.

ticket: 6652
version_fixed: 1.8
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23711 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 4a4cf8739dc736641d2266a1fefec92464b388d4..225a5074e187dc4e4967b261dfb9cf5c2bbbe4b4 100644 (file)
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -542,49 +542,25 @@ krb5_def_fetch_mkey_list(krb5_context        context,
     }
 
     if (!found_key) {
-        /*
-         * Note the mkvno may provide a hint as to which mkey_aux tuple to
-         * decrypt.
-         */
         if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry,
                                                &mkey_aux_data_list)))
             goto clean_n_exit;
 
-        /* mkvno may be 0 in some cases like keyboard and should be ignored */
-        if (mkvno != 0) {
-            /* for performance sake, try decrypting with matching kvno */
-            for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
-                 aux_data_entry = aux_data_entry->next) {
-
-                if (aux_data_entry->mkey_kvno == mkvno) {
-                    if (krb5_dbekd_decrypt_key_data(context, mkey,
-                                                    &aux_data_entry->latest_mkey,
-                                                    &cur_mkey, NULL) == 0) {
-                        found_key = TRUE;
-                        break;
-                    }
-                }
+        for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
+             aux_data_entry = aux_data_entry->next) {
+
+            if (krb5_dbekd_decrypt_key_data(context, mkey,
+                                             &aux_data_entry->latest_mkey,
+                                             &cur_mkey, NULL) == 0) {
+                found_key = TRUE;
+                break;
             }
         }
-        if (!found_key) {
-            /* given the importance of acquiring the latest mkey, try brute force */
-            for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
-                 aux_data_entry = aux_data_entry->next) {
-
-                if (mkey->enctype == aux_data_entry->latest_mkey.key_data_type[0] &&
-                    (krb5_dbekd_decrypt_key_data(context, mkey,
-                                                 &aux_data_entry->latest_mkey,
-                                                 &cur_mkey, NULL) == 0)) {
-                    found_key = TRUE;
-                    break;
-                }
-            }
-            if (found_key != TRUE) {
-                krb5_set_error_message (context, KRB5_KDB_BADMASTERKEY,
-                                        "Unable to decrypt latest master key with the provided master key\n");
-                retval = KRB5_KDB_BADMASTERKEY;
-                goto clean_n_exit;
-            }
+        if (found_key != TRUE) {
+            krb5_set_error_message (context, KRB5_KDB_BADMASTERKEY,
+                                    "Unable to decrypt latest master key with the provided master key\n");
+            retval = KRB5_KDB_BADMASTERKEY;
+            goto clean_n_exit;
         }
     }