authorWill Fiveash <will.fiveash@oracle.com>2009-02-04 22:29:44 +0000
committerWill Fiveash <will.fiveash@oracle.com>2009-02-04 22:29:44 +0000
commit417d118fb34f352c63ee4dba016377f4d91a55ed (patch)
tree6e96e3b35a2c4d8aa5940d04cab37093e225c455 /src/lib/kdb/kdb5.c
parent475b0a3e029cc74fd38c12b176953e17da6fb88b (diff)
new multi-masterkey support doesn't work well when system clock is set
back. The ticket contains the details. ticket: 6361 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21884 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kdb/kdb5.c')
-rw-r--r--src/lib/kdb/kdb5.c29
1 files changed, 18 insertions, 11 deletions
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index a7d5154..442c28f 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -1878,8 +1878,10 @@ krb5_dbe_fetch_act_key_list(krb5_context context,
if (nprinc != 1) {
if (nprinc) {
krb5_db_free_principal(context, &entry, nprinc);
+ return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
+ } else {
+ return(KRB5_KDB_NOMASTERKEY);
}
- return(KRB5_KDB_NOMASTERKEY);
} else if (more) {
krb5_db_free_principal(context, &entry, nprinc);
return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
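Review bot: The new `nprinc > 1` branch and the existing `else if (more)` branch now do exactly the same thing (free the entry, return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE), so the nested if/else with a return inside each arm reads more complicated than the three cases it encodes. The same result with one guard per case would be `if (nprinc == 0) return (KRB5_KDB_NOMASTERKEY);` followed by `if (nprinc > 1 || more) { krb5_db_free_principal(context, &entry, nprinc); return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); }`; checking `nprinc == 0` first keeps the nprinc == 0 result independent of `more`, as in the committed code. The `} else {` after an unconditional `return` is also redundant on its own. The enclosing function body continues outside this hunk, so I have not verified how `more` is initialised before the fetch.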
@@ -1888,24 +1890,19 @@ krb5_dbe_fetch_act_key_list(krb5_context context,
retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list);
if (*act_key_list == NULL) {
- krb5_actkvno_node *tmp_actkvno;
- krb5_timestamp now;
+ krb5_actkvno_node *tmp_actkvno;
/*
* for mkey princ entries without KRB5_TL_ACTKVNO data provide a default
*/
- if ((retval = krb5_timeofday(context, &now)))
- return (retval);
-
tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
if (tmp_actkvno == NULL)
return (ENOMEM);
memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node));
- tmp_actkvno->act_time = now;
+ tmp_actkvno->act_time = 0; /* earliest time possible */
/* use most current key */
tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno;
-
*act_key_list = tmp_actkvno;
}
@@ -1915,7 +1912,7 @@ krb5_dbe_fetch_act_key_list(krb5_context context,
/*
* Locates the "active" mkey used when encrypting a princ's keys. Note, the
- * caller must not free the output act_mkey.
+ * caller must NOT free the output act_mkey.
*/
krb5_error_code
@@ -1937,10 +1934,20 @@ krb5_dbe_find_act_mkey(krb5_context context,
/*
* The list should be sorted in time, early to later so if the first entry
- * is later than now, this is a problem
+ * is later than now, this is a problem. The fallback in this case is to
+ * return the earlist activation entry.
*/
if (act_mkey_list->act_time > now) {
- return (KRB5_KDB_NOACTMASTERKEY);
+ while (cur_keyblock && cur_keyblock->kvno != act_mkey_list->act_kvno)
+ cur_keyblock = cur_keyblock->next;
+ if (cur_keyblock) {
+ *act_mkey = &cur_keyblock->keyblock;
+ if (act_kvno != NULL)
+ *act_kvno = cur_keyblock->kvno;
+ return (0);
+ } else {
+ return (KRB5_KDB_NOACTMASTERKEY);
+ }
}
/* find the most current entry <= now */
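Review bot: The fallback at `if (act_mkey_list->act_time > now)` now silently serves the earliest activation entry when the KDC clock precedes every recorded activation time, which is exactly the clock-set-back situation the commit describes, but nothing in the new code records that the condition was hit, so an operator cannot tell the KDC is running on a key chosen by fallback rather than by policy; at minimum the branch deserves a comment such as `/* now precedes every activation time (clock set back?); prefer the earliest entry over failing */`, and the typo "earlist" in the new header comment should read "earliest". The new `while` loop walks `cur_keyblock` from whatever value it holds on entry, which is presumably the head of the master-key list initialised earlier in the function (outside this hunk); if it has already been advanced by code above, a match earlier in the list would be missed, so that assumption should be confirmed. The lookup-by-kvno loop also looks like it duplicates the matching done for the normal `<= now` path below the hunk, which suggests a small static helper taking the list and a kvno. The enclosing function krb5_dbe_find_act_mkey starts and ends outside this hunk.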