author | Greg Hudson <ghudson@mit.edu> | 2013-10-24 12:51:18 -0400 |
committer | Tom Yu <tlyu@mit.edu> | 2013-10-29 14:20:03 -0400 |
commit | 8df3a37ddeae3980ae074903c7c5392f2c522a9d (patch) | |
tree | 573d6fb32587e7a3812b2b5e0868be96fc24a110 | |
parent | 5439c61df79b0fefe614e256dfba0c55ec879878 (diff) | |
Correctly activate master keys in pre-1.7 KDBs
Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.
Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.
(cherry picked from commit ec560fac83912abaa15fb158101c8174497081c5)
ticket: 7745 (new)
version_fixed: 1.10.7
status: resolved
-rw-r--r-- | src/lib/kdb/kdb5.c | 41 |
1 files changed, 19 insertions, 22 deletions
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 011c83b..f652fcb 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -1214,26 +1214,6 @@ krb5_dbe_fetch_act_key_list(krb5_context context, krb5_principal princ,
         return retval;
     retval = krb5_dbe_lookup_actkvno(context, entry, act_key_list);
-
-    if (*act_key_list == NULL) {
-        krb5_actkvno_node *tmp_actkvno;
-        /*
-         * for mkey princ entries without KRB5_TL_ACTKVNO data provide a default
-         */
-
-        tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
-        if (tmp_actkvno == NULL) {
-            krb5_db_free_principal(context, entry);
-            return ENOMEM;
-        }
-
-        memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node));
-        tmp_actkvno->act_time = 0; /* earliest time possible */
-        /* use most current key */
-        tmp_actkvno->act_kvno = entry->key_data[0].key_data_kvno;
-        *act_key_list = tmp_actkvno;
-    }
-
     krb5_db_free_principal(context, entry);
     return retval;
 }
@@ -1831,6 +1811,7 @@ krb5_dbe_lookup_actkvno(krb5_context context, krb5_db_entry *entry,
     krb5_actkvno_node *head_data = NULL, *new_data = NULL, *prev_data = NULL;
     unsigned int num_actkvno, i;
     krb5_octet *next_tuple;
+    krb5_kvno earliest_kvno;
     memset(&tl_data, 0, sizeof(tl_data));
     tl_data.tl_data_type = KRB5_TL_ACTKVNO;
@@ -1839,8 +1820,24 @@ krb5_dbe_lookup_actkvno(krb5_context context, krb5_db_entry *entry,
         return (code);
     if (tl_data.tl_data_contents == NULL) {
-        *actkvno_list = NULL;
-        return (0);
+        /*
+         * If there is no KRB5_TL_ACTKVNO data (likely because the KDB was
+         * created prior to 1.7), synthesize the list which should have been
+         * created at KDB initialization, making the earliest master key
+         * active.
+         */
+
+        /* Get the earliest master key version. */
+        if (entry->n_key_data == 0)
+            return KRB5_KDB_NOMASTERKEY;
+        earliest_kvno = entry->key_data[entry->n_key_data - 1].key_data_kvno;
+
+        head_data = malloc(sizeof(*head_data));
+        if (head_data == NULL)
+            return ENOMEM;
+        memset(head_data, 0, sizeof(*head_data));
+        head_data->act_time = 0; /* earliest time possible */
+        head_data->act_kvno = earliest_kvno;
     } else {
         /* get version to determine how to parse the data */
         krb5_kdb_decode_int16(tl_data.tl_data_contents, version);
|
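Review bot: The synthesized activation entry takes `entry->key_data[entry->n_key_data - 1]` as the earliest master key, which is only correct if the K/M entry's key_data array is stored newest-first; nothing in this hunk establishes that ordering, and the deleted code in krb5_dbe_fetch_act_key_list relied on the mirror-image assumption (key_data[0] as "most current"), so the two have never been checked against each other. Because this entry decides which master key the KDC and kdb5_util treat as active, picking the wrong kvno would silently point at a different key rather than fail loudly. Scanning for the minimum key_data_kvno makes the result independent of storage order, and `i` is already declared in this function. krb5_dbe_lookup_actkvno continues outside the hunk, so where head_data is stored into *actkvno_list and how the two new early returns interact with later cleanup is not visible here.
```c
        /* Get the earliest master key version without relying on key_data order. */
        if (entry->n_key_data == 0)
            return KRB5_KDB_NOMASTERKEY;
        earliest_kvno = entry->key_data[0].key_data_kvno;
        for (i = 1; i < (unsigned int)entry->n_key_data; i++) {
            if (entry->key_data[i].key_data_kvno < earliest_kvno)
                earliest_kvno = entry->key_data[i].key_data_kvno;
        }
        /* … unchanged: allocate head_data, act_time = 0, act_kvno = earliest_kvno … */
```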