authorGreg Hudson <ghudson@mit.edu>2010-01-06 23:44:04 +0000
committerGreg Hudson <ghudson@mit.edu>2010-01-06 23:44:04 +0000
commit8c1229f85b4b9d82f11f6b56555d2d938e917703 (patch)
treee7f6aee799d1b6fd82cedbd9461512e2b1cfa427 /src/lib
parent0a887e71118bde443de718a22f5616f8165f277e (diff)
Make krb5_dbe_def_search_enctype more consistent about when it returns
KRB5_KDB_NO_PERMITTED_KEY. Now it will return that error if it sees any non-permitted enctypes which match the search criteria. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23599 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/kdb/kdb_default.c50
1 files changed, 23 insertions, 27 deletions
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 0aca60310..4a4cf8739 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -61,6 +61,7 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
int maxkvno;
krb5_key_data *datap;
krb5_error_code ret;
+ krb5_boolean saw_non_permitted = FALSE;
ret = 0;
if (kvno == -1 && stype == -1 && ktype == -1)
@@ -88,43 +89,38 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
db_stype = KRB5_KDB_SALTTYPE_NORMAL;
}
- /*
- * Filter out non-permitted enctypes.
- */
- if (!krb5_is_permitted_enctype(kcontext,
- dbentp->key_data[i].key_data_type[0])) {
- if (*start == 0)
- ret = KRB5_KDB_NO_PERMITTED_KEY;
- continue;
- }
-
-
+ /* Match this entry against the arguments. */
if (ktype != -1) {
if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
dbentp->key_data[i].key_data_type[0],
&similar)))
return(ret);
+ if (!similar)
+ continue;
}
+ if (stype >= 0 && db_stype != stype)
+ continue;
+ if (kvno >= 0 && dbentp->key_data[i].key_data_kvno != kvno)
+ continue;
- if (((ktype == -1) || similar) &&
- ((db_stype == stype) || (stype < 0))) {
- if (kvno >= 0) {
- if (kvno == dbentp->key_data[i].key_data_kvno) {
- datap = &dbentp->key_data[i];
- idx = i;
- maxkvno = kvno;
- break;
- }
- } else {
- if (dbentp->key_data[i].key_data_kvno > maxkvno) {
- maxkvno = dbentp->key_data[i].key_data_kvno;
- datap = &dbentp->key_data[i];
- idx = i;
- }
- }
+ /* Filter out non-permitted enctypes. */
+ if (!krb5_is_permitted_enctype(kcontext,
+ dbentp->key_data[i].key_data_type[0])) {
+ saw_non_permitted = TRUE;
+ continue;
+ }
+
+ if (dbentp->key_data[i].key_data_kvno > maxkvno) {
+ maxkvno = dbentp->key_data[i].key_data_kvno;
+ datap = &dbentp->key_data[i];
+ idx = i;
}
}
+ /* If we scanned the whole set of keys and matched only non-permitted
+ * enctypes, indicate that. */
+ if (maxkvno < 0 && *start == 0 && saw_non_permitted)
+ ret = KRB5_KDB_NO_PERMITTED_KEY;
if (maxkvno < 0)
return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
*kdatap = datap;
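Review bot: With the permitted-enctype filter moved below the match tests, `krb5_c_enctype_compare` now runs on every stored key whenever `ktype != -1`, and its `return(ret);` aborts the whole search on the first key whose enctype it rejects. Before this change a non-permitted entry was skipped ahead of the compare, so one stale or unrecognised key type on a principal did not block lookup of its other keys; now such an entry can presumably turn the lookup into a hard error, and the new KRB5_KDB_NO_PERMITTED_KEY path is never reached for it. I would treat a compare failure as a non-match, e.g. `if (krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, dbentp->key_data[i].key_data_type[0], &similar) != 0 || !similar) continue;`, which in the lines shown also leaves `ret` at 0 for the final `return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;`. The loop header and the start and end of the function are outside this hunk, so the loop bounds and the initial value of `maxkvno` are assumed.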