authorTom Yu <tlyu@mit.edu>2001-10-25 20:21:28 +0000
committerTom Yu <tlyu@mit.edu>2001-10-25 20:21:28 +0000
commitef9b79c0dd6bdc5d7b198dc1d681086d84b86b22 (patch)
tree359a8135d6b288d5453137c439039c1c23d80a7a /src
parentd675c39d18b2403ba09756483c0fbcdcc6f67596 (diff)
* kdb_xdr.c (krb5_dbe_search_enctype): Filter out enctypes that
aren't in permitted_enctypes. This prevents the KDC from issuing a ticket whose enctype it won't accept. * keytab.c (krb5_ktkdb_get_entry): For now, coerce enctype of output keyblock in case we got a match on a similar enctype. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13855 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/lib/kdb/ChangeLog11
-rw-r--r--src/lib/kdb/kdb_xdr.c15
-rw-r--r--src/lib/kdb/keytab.c7
3 files changed, 31 insertions, 2 deletions
diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog
index 62f53135a..06cc18740 100644
--- a/src/lib/kdb/ChangeLog
+++ b/src/lib/kdb/ChangeLog
@@ -1,3 +1,14 @@
+2001-10-22 Tom Yu <tlyu@mit.edu>
+
+ * kdb_xdr.c (krb5_dbe_search_enctype): Filter out enctypes that
+ aren't in permitted_enctypes. This prevents the KDC from issuing
+ a ticket whose enctype that it won't accept.
+
+2001-10-20 Tom Yu <tlyu@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): For now, coerce enctype of
+ output keyblock in case we got a match on a similar enctype.
+
2001-10-09 Ken Raeburn <raeburn@mit.edu>
* kdb_db2.c, kdb_db2.h, kdb_dbm.c, keytab.c, t_kdb.c: Make
diff --git a/src/lib/kdb/kdb_xdr.c b/src/lib/kdb/kdb_xdr.c
index 973730f64..b836e250c 100644
--- a/src/lib/kdb/kdb_xdr.c
+++ b/src/lib/kdb/kdb_xdr.c
@@ -726,6 +726,7 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
int i, idx;
int maxkvno;
krb5_key_data *datap;
+ krb5_error_code ret;
if (kvno == -1 && stype == -1 && ktype == -1)
kvno = 0;
@@ -743,15 +744,25 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
datap = (krb5_key_data *) NULL;
for (i = *start; i < dbentp->n_key_data; i++) {
krb5_boolean similar;
- krb5_error_code ret;
krb5_int32 db_stype;
+ ret = 0;
if (dbentp->key_data[i].key_data_ver > 1) {
db_stype = dbentp->key_data[i].key_data_type[1];
} else {
db_stype = KRB5_KDB_SALTTYPE_NORMAL;
}
+
+ /*
+ * Filter out non-permitted enctypes.
+ */
+ if (!krb5_is_permitted_enctype(kcontext,
+ dbentp->key_data[i].key_data_type[0])) {
+ ret = KRB5_KDB_NO_PERMITTED_KEY;
+ continue;
+ }
+
if (ktype >= 0) {
if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
dbentp->key_data[i].key_data_type[0],
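Review bot: The KRB5_KDB_NO_PERMITTED_KEY status set by the new filter is thrown away by `ret = 0;` at the top of the next iteration, so the value returned at the end of the function (the `return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;` line in the third hunk of this file) depends only on whether the last key examined happened to be non-permitted, not on whether any permitted key existed. A caller can therefore see NO_MATCHING_KEY or NO_PERMITTED_KEY for the same entry depending only on the order of its key_data. Tracking the condition separately gives a stable answer: declare `krb5_boolean any_permitted = FALSE;` before the loop, set `any_permitted = TRUE;` immediately after the filter passes, and when ret is zero at the end return `any_permitted ? KRB5_KDB_NO_MATCHING_KEY : KRB5_KDB_NO_PERMITTED_KEY`. The enctype/salttype comparison and the loop's end lie outside this hunk, so whether `ret` can still hold a nonzero code from krb5_c_enctype_compare at the final return is not visible here.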
@@ -778,7 +789,7 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
}
}
if (maxkvno < 0)
- return ENOENT;
+ return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
*kdatap = datap;
*start = idx+1;
return 0;
diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
index 222e2d900..f8077324b 100644
--- a/src/lib/kdb/keytab.c
+++ b/src/lib/kdb/keytab.c
@@ -131,6 +131,13 @@ krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry)
if (kerror)
goto error;
+ /*
+ * Coerce the enctype of the output keyblock in case we got an
+ * inexact match on the enctype; this behavior will go away when
+ * the key storage architecture gets redesigned for 1.3.
+ */
+ entry->key.enctype = enctype;
+
kerror = krb5_copy_principal(context, principal, &entry->principal);
if (kerror)
goto error;
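Review bot: The unconditional `entry->key.enctype = enctype;` also relabels the keyblock when the caller passed a wildcard; if any caller of krb5_ktkdb_get_entry uses ENCTYPE_NULL (0) to mean "any enctype", as the generic keytab lookup interface permits, the returned key would carry enctype 0 and be unusable. Guarding the coercion, `if (enctype != ENCTYPE_NULL) entry->key.enctype = enctype;`, preserves the database's real enctype in that case. The comment above the assignment would also help a later reader if it named the property being relied on, e.g. `/* Relabelling is presumably sound only because the lookup matched on a similar enctype, i.e. one sharing the same key material — confirm against the lookup. */`, since attaching a different enctype to key material that does not actually fit it would produce a key that fails silently elsewhere. The database lookup that produced the match is above this hunk, so which enctypes it treats as similar cannot be confirmed from the visible lines.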