
Re: e-type / kvno processing in 1.8

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 28 15:09:38 2010

From: Greg Hudson <ghudson@mit.edu>
To: Tim Metz <tpmetz@ucdavis.edu>
In-Reply-To: <4CA0EA72.8090503@ucdavis.edu>
Date: Tue, 28 Sep 2010 15:09:24 -0400
Message-ID: <1285700964.20521.895.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, 2010-09-27 at 15:03 -0400, Tim Metz wrote:
> At first pass, the problem at least has the appearance that it could be 
> related to kvno processing code.  More specifically, in versions prior 
> to 1.8 if a kvno=0 contained an unsupported encryption type, processing 
> would continue to kvno=1 and succeed.  Starting with version 1.8, it 
> looks like if kvno=0 has an unsupported e-type, processing fails, and 
> does not continue on to consult kvno=1.

I think I see what changed here; it's a side effect of the change I made
in r23599 to make krb5_dbe_def_search_enctype more consistent about when
it returns KRB5_KDB_NO_PERMITTED_KEY.

I've checked in the following fix, which is to treat
krb5_c_enctype_compare errors as non-fatal.  If the ktype argument is
invalid, no kvno will match and the function will eventually return
KRB5_KDB_NO_MATCHING_KEY, which I think is fine; if the key entry
enctype is invalid, then we'll move on to the next key entry as we used
to do (more by accident than by design, but it's reasonable behavior).

This should eventually get pulled up to the 1.8.4 patch release, but we
don't currently have a plan for when that will go out.

Index: kdb_default.c
===================================================================
--- kdb_default.c	(revision 24369)
+++ kdb_default.c	(working copy)
@@ -91,12 +91,10 @@
 
         /* Match this entry against the arguments. */
         if (ktype != -1) {
-            if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
-                                              dbentp->key_data[i].key_data_type[0],
-                                              &similar)))
-
-                return(ret);
-            if (!similar)
+            ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
+                                         dbentp->key_data[i].key_data_type[0],
+                                         &similar);
+            if (ret != 0 || !similar)
                 continue;
         }
         if (stype >= 0 && db_stype != stype)
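Review bot: `ret` now carries the krb5_c_enctype_compare error past the `continue`, so the code after the loop must overwrite it (for example by assigning KRB5_KDB_NO_MATCHING_KEY when nothing matched) rather than returning `ret` as-is; otherwise the compare error from the last key entry could leak out as the function's result instead of the intended no-matching-key status. A short comment above the call saying that compare failures are deliberately non-fatal (an unsupported enctype in a key entry skips that entry, and an invalid ktype simply never matches) would also help future readers, since the previous version treated the same error as fatal and the new `if (ret != 0 || !similar)` reads as if the error were being swallowed by mistake.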


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
