From 8b8ccf17352b15c70274fdada0294665a1748195 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 29 Jan 2010 01:22:17 +0000 Subject: Make decryption of master key list more robust krb5_def_fetch_mkey_list was incorrectly filtering mkey_aux entries when searching the list for an entry which can be decrypted with the stashed master key. This bug was masked in most cases by the mkvno heuristic. Remove the mkvno heuristic, since performance is not an issue for this rarely-performed operation, and remove the incorrect enctype comparison in the brute-force search. ticket: 6652 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23677 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/kdb/kdb_default.c | 50 ++++++++++++----------------------------------- 1 file changed, 13 insertions(+), 37 deletions(-) (limited to 'src/lib') diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 4a4cf8739..225a5074e 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -542,49 +542,25 @@ krb5_def_fetch_mkey_list(krb5_context context, } if (!found_key) { - /* - * Note the mkvno may provide a hint as to which mkey_aux tuple to - * decrypt. - */ if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry, &mkey_aux_data_list))) goto clean_n_exit; - /* mkvno may be 0 in some cases like keyboard and should be ignored */ - if (mkvno != 0) { - /* for performance sake, try decrypting with matching kvno */ - for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; - aux_data_entry = aux_data_entry->next) { - - if (aux_data_entry->mkey_kvno == mkvno) { - if (krb5_dbekd_decrypt_key_data(context, mkey, - &aux_data_entry->latest_mkey, - &cur_mkey, NULL) == 0) { - found_key = TRUE; - break; - } - } + for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; + aux_data_entry = aux_data_entry->next) { + + if (krb5_dbekd_decrypt_key_data(context, mkey, + &aux_data_entry->latest_mkey, + &cur_mkey, NULL) == 0) { + found_key = TRUE; + break; } } - if (!found_key) { - /* given the importance of acquiring the latest mkey, try brute force */ - for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; - aux_data_entry = aux_data_entry->next) { - - if (mkey->enctype == aux_data_entry->latest_mkey.key_data_type[0] && - (krb5_dbekd_decrypt_key_data(context, mkey, - &aux_data_entry->latest_mkey, - &cur_mkey, NULL) == 0)) { - found_key = TRUE; - break; - } - } - if (found_key != TRUE) { - krb5_set_error_message (context, KRB5_KDB_BADMASTERKEY, - "Unable to decrypt latest master key with the provided master key\n"); - retval = KRB5_KDB_BADMASTERKEY; - goto clean_n_exit; - } + if (found_key != TRUE) { + krb5_set_error_message (context, KRB5_KDB_BADMASTERKEY, + "Unable to decrypt latest master key with the provided master key\n"); + retval = KRB5_KDB_BADMASTERKEY; + goto clean_n_exit; } } -- cgit