author | Will Fiveash <will.fiveash@oracle.com> | 2009-02-04 22:29:44 +0000 |
committer | Will Fiveash <will.fiveash@oracle.com> | 2009-02-04 22:29:44 +0000 |
commit | 417d118fb34f352c63ee4dba016377f4d91a55ed (patch) | |
tree | 6e96e3b35a2c4d8aa5940d04cab37093e225c455 /src/lib/kdb | |
parent | 475b0a3e029cc74fd38c12b176953e17da6fb88b (diff) | |
new multi-masterkey support doesn't work well when system clock is set
back
The ticket contains the details.
ticket: 6361
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21884 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kdb')
-rw-r--r-- | src/lib/kdb/kdb5.c | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index a7d5154cbc..442c28f27a 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -1878,8 +1878,10 @@ krb5_dbe_fetch_act_key_list(krb5_context context,
 if (nprinc != 1) {
 if (nprinc) {
 krb5_db_free_principal(context, &entry, nprinc);
+ return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
+ } else {
+ return(KRB5_KDB_NOMASTERKEY);
 }
- return(KRB5_KDB_NOMASTERKEY);
 } else if (more) {
 krb5_db_free_principal(context, &entry, nprinc);
 return (KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
@@ -1888,24 +1890,19 @@ krb5_dbe_fetch_act_key_list(krb5_context context,
 retval = krb5_dbe_lookup_actkvno(context, &entry, act_key_list);
 if (*act_key_list == NULL) {
- krb5_actkvno_node *tmp_actkvno;
- krb5_timestamp now;
+ krb5_actkvno_node *tmp_actkvno;
 /*
 * for mkey princ entries without KRB5_TL_ACTKVNO data provide a default
 */
- if ((retval = krb5_timeofday(context, &now)))
- return (retval); - tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
 if (tmp_actkvno == NULL)
 return (ENOMEM);
 memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node));
- tmp_actkvno->act_time = now;
+ tmp_actkvno->act_time = 0; /* earliest time possible */
 /* use most current key */
 tmp_actkvno->act_kvno = entry.key_data[0].key_data_kvno; - *act_key_list = tmp_actkvno;
 }
@@ -1915,7 +1912,7 @@ krb5_dbe_fetch_act_key_list(krb5_context context,
 /*
 * Locates the "active" mkey used when encrypting a princ's keys. Note, the
- * caller must not free the output act_mkey.
+ * caller must NOT free the output act_mkey.
 */
 krb5_error_code
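Review bot: In the second hunk `retval` from `krb5_dbe_lookup_actkvno()` is assigned but never tested on the visible lines before `if (*act_key_list == NULL)`, so a lookup that fails and leaves the list NULL would be papered over by fabricating the default node for the current kvno instead of being reported; unless that check sits outside the hunk, add `if (retval) { krb5_db_free_principal(context, &entry, nprinc); return (retval); }` ahead of the NULL test, freeing `entry` as the error paths in the first hunk do. The new `act_time = 0` default also deserves a comment stating why zero is the right value rather than just "earliest time possible", since this is the line that makes a clock set back harmless: `/* act_time 0: the current mkey counts as active at any clock value, so a host whose clock was set back still finds a usable default node */`. The body of krb5_dbe_fetch_act_key_list continues outside these hunks, so the later handling of `retval` cannot be confirmed from here.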
@@ -1937,10 +1934,20 @@ krb5_dbe_find_act_mkey(krb5_context context,
 /*
 * The list should be sorted in time, early to later so if the first entry
- * is later than now, this is a problem
+ * is later than now, this is a problem. The fallback in this case is to
+ * return the earlist activation entry.
 */
 if (act_mkey_list->act_time > now) {
- return (KRB5_KDB_NOACTMASTERKEY);
+ while (cur_keyblock && cur_keyblock->kvno != act_mkey_list->act_kvno)
+ cur_keyblock = cur_keyblock->next;
+ if (cur_keyblock) {
+ *act_mkey = &cur_keyblock->keyblock;
+ if (act_kvno != NULL)
+ *act_kvno = cur_keyblock->kvno;
+ return (0);
+ } else {
+ return (KRB5_KDB_NOACTMASTERKEY);
+ }
 }
 /* find the most current entry <= now */ |
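Review bot: The fallback added under `if (act_mkey_list->act_time > now)` turns a condition the comment still calls "a problem" into a silent success, and the function's header comment (touched in the previous hunk) does not say that a clock earlier than every activation time now yields the earliest entry instead of KRB5_KDB_NOACTMASTERKEY, so a caller that relied on that error to notice a badly set clock loses the signal. Document it in the header, e.g. `* If the clock predates every activation time the earliest entry is used,` / `* so a clock set back never leaves the KDC without an active mkey.`, and consider emitting a diagnostic on that path so an operator can see the KDC is running before its first mkey activation. The kvno-search loop added here presumably repeats the one that follows `/* find the most current entry <= now */` for the chosen entry; since the function body continues outside the hunk, a static helper such as `find_keyblock_by_kvno(cur_keyblock, kvno)` shared by both paths would avoid the duplicate walk. The new comment also has a typo: `* return the earliest activation entry.`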