authorGreg Hudson <ghudson@mit.edu>2013-10-24 12:51:18 -0400
committerGreg Hudson <ghudson@mit.edu>2013-10-25 11:36:12 -0400
commitec560fac83912abaa15fb158101c8174497081c5 (patch)
treef856a161675d836862423520eae35ecd6f1999b4 /src/lib/kdb
parent74c1420ea4dffc1105247e362decf608440751ae (diff)
Correctly activate master keys in pre-1.7 KDBs
Starting with 1.7, databases are created with actkvno tl-data in the K/M entry which gives the initial master key version an activation time of 0. A database created before 1.7 will not have this tl-data, but we should behave in the same way as we do for a more recent database. Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well as libkadm5. Synthesize the same list as we would have initialized the KDB with, with an activation time of 0 for the earliest master key. ticket: 7686 target_version: 1.12 tags: pullup
Diffstat (limited to 'src/lib/kdb')
-rw-r--r--src/lib/kdb/kdb5.c41
1 files changed, 19 insertions, 22 deletions
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 1443ec585d..8d6374f58b 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -1202,26 +1202,6 @@ krb5_dbe_fetch_act_key_list(krb5_context context, krb5_principal princ,
return retval;
retval = krb5_dbe_lookup_actkvno(context, entry, act_key_list);
-
- if (*act_key_list == NULL) {
- krb5_actkvno_node *tmp_actkvno;
- /*
- * for mkey princ entries without KRB5_TL_ACTKVNO data provide a default
- */
-
- tmp_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
- if (tmp_actkvno == NULL) {
- krb5_db_free_principal(context, entry);
- return ENOMEM;
- }
-
- memset(tmp_actkvno, 0, sizeof(krb5_actkvno_node));
- tmp_actkvno->act_time = 0; /* earliest time possible */
- /* use most current key */
- tmp_actkvno->act_kvno = entry->key_data[0].key_data_kvno;
- *act_key_list = tmp_actkvno;
- }
-
krb5_db_free_principal(context, entry);
return retval;
}
@@ -1816,6 +1796,7 @@ krb5_dbe_lookup_actkvno(krb5_context context, krb5_db_entry *entry,
krb5_actkvno_node *head_data = NULL, *new_data = NULL, *prev_data = NULL;
unsigned int num_actkvno, i;
krb5_octet *next_tuple;
+ krb5_kvno earliest_kvno;
memset(&tl_data, 0, sizeof(tl_data));
tl_data.tl_data_type = KRB5_TL_ACTKVNO;
@@ -1824,8 +1805,24 @@ krb5_dbe_lookup_actkvno(krb5_context context, krb5_db_entry *entry,
return (code);
if (tl_data.tl_data_contents == NULL) {
- *actkvno_list = NULL;
- return (0);
+ /*
+ * If there is no KRB5_TL_ACTKVNO data (likely because the KDB was
+ * created prior to 1.7), synthesize the list which should have been
+ * created at KDB initialization, making the earliest master key
+ * active.
+ */
+
+ /* Get the earliest master key version. */
+ if (entry->n_key_data == 0)
+ return KRB5_KDB_NOMASTERKEY;
+ earliest_kvno = entry->key_data[entry->n_key_data - 1].key_data_kvno;
+
+ head_data = malloc(sizeof(*head_data));
+ if (head_data == NULL)
+ return ENOMEM;
+ memset(head_data, 0, sizeof(*head_data));
+ head_data->act_time = 0; /* earliest time possible */
+ head_data->act_kvno = earliest_kvno;
} else {
/* get version to determine how to parse the data */
krb5_kdb_decode_int16(tl_data.tl_data_contents, version);
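Review bot: The line `earliest_kvno = entry->key_data[entry->n_key_data - 1].key_data_kvno;` silently relies on the key_data array being ordered newest-first, so that the last element carries the lowest kvno; the removed fallback in krb5_dbe_fetch_act_key_list relied on the mirror assumption (key_data[0] is the most current key), and neither place states it. Nothing in this hunk verifies the ordering, so if a pre-1.7 KDB stores the K/M keys in a different order the synthesized list would activate the wrong master key at time 0. I would at least document the assumption next to the assignment: `/* key_data is assumed to be ordered newest-first, so the last entry holds the earliest master key version. */`, or, if the ordering cannot be relied on, scan all n_key_data entries for the minimum key_data_kvno. Minor: `malloc` followed by `memset` could be `head_data = calloc(1, sizeof(*head_data));` with the same ENOMEM check. The enclosing krb5_dbe_lookup_actkvno continues past the hunk, where head_data is presumably handed to *actkvno_list.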