diff options
| author | Ken Raeburn <raeburn@mit.edu> | 2002-03-07 01:54:59 +0000 |
|---|---|---|
| committer | Ken Raeburn <raeburn@mit.edu> | 2002-03-07 01:54:59 +0000 |
| commit | e30a561176bd8e146e551875d9d590c3f7797923 (patch) | |
| tree | 2dd2c88e18116e8bb4691045e545cb373559eeb6 /src/lib | |
| parent | a77d12efc9c20254e736d4e828b2413901938fc7 (diff) | |
| download | krb5-e30a561176bd8e146e551875d9d590c3f7797923.tar.gz krb5-e30a561176bd8e146e551875d9d590c3f7797923.tar.xz krb5-e30a561176bd8e146e551875d9d590c3f7797923.zip | |
8-bit-kvno workarounds from 1.2.4
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14243 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/krb5/keytab/file/ChangeLog | 8 | ||||
| -rw-r--r-- | src/lib/krb5/keytab/file/ktf_g_ent.c | 26 |
2 files changed, 31 insertions, 3 deletions
diff --git a/src/lib/krb5/keytab/file/ChangeLog b/src/lib/krb5/keytab/file/ChangeLog index 93060ffeca..2369037924 100644 --- a/src/lib/krb5/keytab/file/ChangeLog +++ b/src/lib/krb5/keytab/file/ChangeLog @@ -1,3 +1,11 @@ +2002-03-06 Ken Raeburn <raeburn@mit.edu> + + * ktf_g_ent.c (krb5_ktfile_get_entry): For non-zero kvno, match + only low 8 bits. For zero kvno, if any kvno in the keytab is over + 240, assume we're dealing with numbers 128 through (127+256) + instead. This allows for wrapping at 256 while retaining a small + set of consecutively numbered prior keys in the keytab. + 2001-11-19 Tom Yu <tlyu@mit.edu> * ktf_g_ent.c (krb5_ktfile_get_entry): Coerce enctype for now to diff --git a/src/lib/krb5/keytab/file/ktf_g_ent.c b/src/lib/krb5/keytab/file/ktf_g_ent.c index 159c95ca8f..905ff6c05d 100644 --- a/src/lib/krb5/keytab/file/ktf_g_ent.c +++ b/src/lib/krb5/keytab/file/ktf_g_ent.c @@ -45,6 +45,7 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry) krb5_error_code kerror = 0; int found_wrong_kvno = 0; krb5_boolean similar; + int kvno_offset = 0; /* Open the keyfile for reading */ if ((kerror = krb5_ktfileint_openr(context, id))) @@ -103,9 +104,24 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry) /* if this is the first match, or if the new vno is bigger, free the current and keep the new. Otherwise, free the new. */ - + /* A 1.2.x keytab contains only the low 8 bits of the key + version number. Since it can be much bigger, and thus + the 8-bit value can wrap, we need some heuristics to + figure out the "highest" numbered key if some numbers + close to 255 and some near 0 are used. + + The heuristic here: + + If we have any keys with versions over 240, then assume + that all version numbers 0-127 refer to 256+N instead. + Not perfect, but maybe good enough? */ + +#define M(VNO) (((VNO) - kvno_offset + 256) % 256) + + if (new_entry.vno > 240) + kvno_offset = 128; if (! cur_entry.principal || - (new_entry.vno > cur_entry.vno)) { + M(new_entry.vno) > M(cur_entry.vno)) { krb5_kt_free_entry(context, &cur_entry); cur_entry = new_entry; } else { @@ -116,8 +132,12 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry) be one?), keep the new, and break out. Otherwise, remember that we were here so we can return the right error, and free the new */ + /* Yuck. The krb5-1.2.x keytab format only stores one byte + for the kvno, so we're toast if the kvno requested is + higher than that. Short-term workaround: only compare + the low 8 bits. */ - if (new_entry.vno == kvno) { + if (new_entry.vno == (kvno & 0xff)) { krb5_kt_free_entry(context, &cur_entry); cur_entry = new_entry; break; |