authorWill Fiveash <will.fiveash@oracle.com>2008-07-01 00:43:05 +0000
committerWill Fiveash <will.fiveash@oracle.com>2008-07-01 00:43:05 +0000
commitf5e3ed49d288ffea8f2aa5bfad53f62b699e1c78 (patch)
tree9e0a7a66c26f2c91cf7a9be499caa7e129e00e5a
parent07e3567041a31f8f50b479ace705cce6245945c6 (diff)
Talked with MIT people and decided to revert the logic of
krb5_db_def_fetch_mkey_keytab() so that it does use the mkey princ arg to locate the masterkey in the keytab stash. Also changed the error reporting done by krb5_db_def_fetch_mkey() to call error_message() on the return code of the keytab stash fetch and the old format stash fetch and set the error message to include both of those since this is an ambiguous situation. And test case 108 in src/kerberos/mit/svn/branches/mkey_keytab/src/lib/kadm5/unit-test/api.2/init-v2.exp was modified to expect KRB5_KDB_CANTREAD_STORED instead of KDB_NOMASTERKEY. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_keytab@20493 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kadmin/dbutil/dump.c1
-rw-r--r--src/kadmin/dbutil/kdb5_stash.c2
-rw-r--r--src/lib/kadm5/unit-test/api.2/init-v2.exp2
-rw-r--r--src/lib/kdb/kdb_default.c101
4 files changed, 34 insertions, 72 deletions
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 9698d2c..bd087af 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -1105,7 +1105,6 @@ dump_db(argc, argv)
*/
if (mkey_convert) {
if (!valid_master_key) {
- krb5_kvno mkvno = IGNORE_VNO;
/* TRUE here means read the keyboard, but only once */
retval = krb5_db_fetch_mkey(util_context,
master_princ,
diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c
index 1e6d2e5..211710c 100644
--- a/src/kadmin/dbutil/kdb5_stash.c
+++ b/src/kadmin/dbutil/kdb5_stash.c
@@ -160,8 +160,6 @@ kdb5_stash(argc, argv)
exit_status++; return;
}
-
- /* verify will set mkey_kvno to mkey princ's kvno mkey_kvno if it's IGNORE_VNO */
retval = krb5_db_verify_master_key(context, master_princ,
mkey_kvno,
&master_keyblock);
diff --git a/src/lib/kadm5/unit-test/api.2/init-v2.exp b/src/lib/kadm5/unit-test/api.2/init-v2.exp
index ae13847..b41fb09 100644
--- a/src/lib/kadm5/unit-test/api.2/init-v2.exp
+++ b/src/lib/kadm5/unit-test/api.2/init-v2.exp
@@ -147,7 +147,7 @@ proc test108 {} {
[config_params {KADM5_CONFIG_MKEY_NAME} does/not/exist] \
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
server_handle
- } "KDB_NOMASTERKEY"
+ } "KRB5_KDB_CANTREAD_STORED"
}
if {! $RPC} test108
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 4d1b975..85267e4 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -300,93 +300,61 @@ krb5_db_def_fetch_mkey_stash( krb5_context context,
static krb5_error_code
krb5_db_def_fetch_mkey_keytab( krb5_context context,
const char *keyfile,
+ krb5_principal mname,
krb5_keyblock *key,
krb5_kvno *kvno)
{
krb5_error_code retval = 0;
- char ktname[MAXPATHLEN + 6]; /* 6 for FILE: + \0 */
krb5_keytab kt;
krb5_keytab_entry kt_ent;
- krb5_kt_cursor cursor = NULL;
-
- /* memset krb5_kt_free_entry so can be called safely later */
- memset(&kt_ent, 0, sizeof(kt_ent));
+ krb5_enctype enctype = IGNORE_ENCTYPE;
if ((retval = krb5_kt_resolve(context, keyfile, &kt)) != 0)
goto errout;
- if ((retval = krb5_kt_get_name(context, kt, ktname, sizeof(ktname))))
- goto errout;
+ /* override default */
+ if (key->enctype != ENCTYPE_UNKNOWN)
+ enctype = key->enctype;
- if ((retval = krb5_kt_start_seq_get(context, kt, &cursor)))
- goto errout;
+ if ((retval = krb5_kt_get_entry(context, kt, mname,
+ kvno ? *kvno : IGNORE_VNO,
+ enctype,
+ &kt_ent)) == 0) {
- while ((retval = krb5_kt_next_entry(context, kt, &kt_ent, &cursor)) == 0) {
-
- if (key->enctype != ENCTYPE_UNKNOWN && key->enctype != kt_ent.key.enctype) {
- krb5_kt_free_entry(context, &kt_ent);
- continue;
- }
- if (kvno != NULL && *kvno != IGNORE_VNO && *kvno != kt_ent.vno) {
- krb5_kt_free_entry(context, &kt_ent);
- continue;
- }
- break;
- }
+ if (key->enctype == ENCTYPE_UNKNOWN)
+ key->enctype = kt_ent.key.enctype;
- if (retval != 0) {
- if (retval == KRB5_KT_END) {
- /* didn't find an entry so indicate no key found */
- (void) krb5_kt_end_seq_get(context, kt, &cursor);
+ if (((int) kt_ent.key.length) < 0) {
retval = KRB5_KDB_BADSTORED_MKEY;
+ krb5_kt_free_entry(context, &kt_ent);
+ goto errout;
}
- goto errout;
- }
- if ((retval = krb5_kt_end_seq_get(context, kt, &cursor)))
- goto errout;
+ key->length = kt_ent.key.length;
- if (key->enctype == ENCTYPE_UNKNOWN)
- key->enctype = kt_ent.key.enctype;
- else if (kt_ent.key.enctype != key->enctype) {
- retval = KRB5_KDB_BADSTORED_MKEY;
- goto errout;
- }
-
- if (((int) kt_ent.key.length) < 0) {
- retval = KRB5_KDB_BADSTORED_MKEY;
- goto errout;
- }
-
- key->length = kt_ent.key.length;
-
- if (kvno != NULL) {
/*
* If a kvno pointer was passed in and it dereferences the
* IGNORE_VNO value then it should be assigned the value of the kvno
* found in the keytab otherwise the KNVO specified should be the
* same as the one returned from the keytab.
*/
- if (*kvno == IGNORE_VNO) {
- *kvno = kt_ent.vno;
- } else if (*kvno != kt_ent.vno) {
- retval = KRB5_KDB_BADSTORED_MKEY;
+ if (kvno != NULL && *kvno == IGNORE_VNO)
+ *kvno = kt_ent.vno;
+
+ /*
+ * kt_ent will be free'd so need to allocate and copy key contents for
+ * output to caller.
+ */
+ if (!(key->contents = (krb5_octet *)malloc(key->length))) {
+ retval = ENOMEM;
+ krb5_kt_free_entry(context, &kt_ent);
goto errout;
}
+ memcpy(key->contents, kt_ent.key.contents, kt_ent.key.length);
+ krb5_kt_free_entry(context, &kt_ent);
}
- /*
- * kt_ent will be free'd later so need to allocate and copy key
- * contents for output to caller.
- */
- if (!(key->contents = (krb5_octet *)malloc(key->length))) {
- retval = ENOMEM;
- goto errout;
- }
- memcpy(key->contents, kt_ent.key.contents, kt_ent.key.length);
-
errout:
- krb5_kt_free_entry(context, &kt_ent);
return retval;
}
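Review bot: The keytab handle obtained from krb5_kt_resolve at the top of the rewritten krb5_db_def_fetch_mkey_keytab is never released: neither the success path nor any of the `goto errout` paths call krb5_kt_close, so every master-key fetch leaks the handle (the removed version had the same gap, but this rewrite is the place to close it). Initialize `krb5_keytab kt = NULL;` and, at the errout label, add `if (kt != NULL) krb5_kt_close(context, kt);` before `return retval;` — the NULL guard covers the resolve-failure path where kt was never set. The comment retained above the kvno assignment still describes the "otherwise the kvno specified should be the same as the one returned from the keytab" check, but that branch was removed because the requested kvno is now passed to krb5_kt_get_entry, so the comment should shrink to `/* Report the keytab entry's kvno back when the caller asked for IGNORE_VNO. */`. Also, the `((int) kt_ent.key.length) < 0` test lets a zero-length entry through to `malloc(0)`, which may return NULL and be reported as ENOMEM instead of KRB5_KDB_BADSTORED_MKEY; adding `|| kt_ent.key.length == 0` to that condition keeps a corrupt stash reported as such.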
@@ -415,7 +383,7 @@ krb5_db_def_fetch_mkey( krb5_context context,
keyfile[sizeof(keyfile) - 1] = '\0';
/* assume the master key is in a keytab */
- retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, key, kvno);
+ retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
if (retval_kt != 0) {
/*
* If it's not in a keytab, fall back and try getting the mkey from the
@@ -431,14 +399,11 @@ krb5_db_def_fetch_mkey( krb5_context context,
* that if either of the stash reading functions returned
* KRB5_KDB_BADSTORED_MKEY then this is probably the real error.
*/
- if (retval_kt == KRB5_KDB_BADSTORED_MKEY || retval_ofs == KRB5_KDB_BADSTORED_MKEY) {
- return KRB5_KDB_BADSTORED_MKEY;
- } else {
- krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
- "Can not fetch master key either from keytab (error: %d) or old "
- "format (error %d).", retval_kt, retval_ofs);
- return KRB5_KDB_CANTREAD_STORED;
- }
+ krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
+ "Can not fetch master key either from keytab (error: %s) or old "
+ "format (error %s).", error_message(retval_kt),
+ error_message(retval_ofs));
+ return KRB5_KDB_CANTREAD_STORED;
} else {
return 0;
}
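Review bot: The comment kept at the top of this hunk still says that a KRB5_KDB_BADSTORED_MKEY result from either stash reader "is probably the real error", but the branch that returned that code was removed, so the comment now describes behavior the code no longer has. Replace it with something like `* Neither source yielded a usable key; fold both failures into KRB5_KDB_CANTREAD_STORED and report their texts in the message.` Since a corrupt stash is now indistinguishable by return code from a missing one, callers that previously special-cased KRB5_KDB_BADSTORED_MKEY should be checked; the init-v2.exp test 108 expectation changed in this commit is one such place. The enclosing krb5_db_def_fetch_mkey begins outside this hunk.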