Allow unspecified kvno in keytab entries

In ktutil, make "-k 0" work when creating a keytab entry.  In the
keytab implementations, treat entries with unspecified kvnos as
low-priority matches.

[ghudson@mit.edu: adjusted to current file keytab code; added logic
for other keytab types; wrote commit message]

ticket: 3349

diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c
index ef16d37a5693c4d2029704f5904fa724364e48ca..86e3d9b0cb1e725c3d82cb82c89e501edb966565 100644 (file)
--- a/src/kadmin/ktutil/ktutil.c
+++ b/src/kadmin/ktutil/ktutil.c
@@ -140,7 +140,7 @@ void ktutil_add_entry(argc, argv)
     char *princ = NULL;
     char *enctype = NULL;
     krb5_kvno kvno = 0;
-    int use_pass = 0, use_key = 0, i;
+    int use_pass = 0, use_key = 0, use_kvno = 0, i;
 
     for (i = 1; i < argc; i++) {
         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
@@ -149,6 +149,7 @@ void ktutil_add_entry(argc, argv)
         }
         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
             kvno = (krb5_kvno) atoi(argv[++i]);
+            use_kvno++;
             continue;
         }
         if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
@@ -165,7 +166,8 @@ void ktutil_add_entry(argc, argv)
         }
     }
 
-    if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
+    if (argc != 8 || !(princ && use_kvno && enctype) ||
+        use_pass + use_key != 1) {
         fprintf(stderr, _("usage: %s (-key | -password) -p principal "
                           "-k kvno -e enctype\n"), argv[0]);
         return;

diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index f6124aff5da6de1af1cac6925d9bb4e55bce3ea1..091f2c43fa3a2af58cc91a3d1b3b1045a523590e 100644 (file)
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -359,7 +359,7 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
 
         }
 
-        if (kvno == IGNORE_VNO) {
+        if (kvno == IGNORE_VNO || new_entry.vno == IGNORE_VNO) {
             /* If this entry is more recent (or the first match), free the
              * current and keep the new.  Otherwise, free the new. */
             if (cur_entry.principal == NULL ||

diff --git a/src/lib/krb5/keytab/kt_memory.c b/src/lib/krb5/keytab/kt_memory.c
index e89fdcb4dc99e9a96208a8e83555762f0190efdd..8824adf50826193cd3b1bfcc49f1816d013fba84 100644 (file)
--- a/src/lib/krb5/keytab/kt_memory.c
+++ b/src/lib/krb5/keytab/kt_memory.c
@@ -403,7 +403,7 @@ krb5_mkt_get_entry(krb5_context context, krb5_keytab id,
                 continue;
         }
 
-        if (kvno == IGNORE_VNO) {
+        if (kvno == IGNORE_VNO || entry->vno == IGNORE_VNO) {
             if (match == NULL)
                 match = entry;
             else if (entry->vno > match->vno)

diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c
index caa0158ecc2b1782daf1e1feb09f0ec09ce04551..bbfaadfc298cb9a7a1500f4c1245117a1e315ad0 100644 (file)
--- a/src/lib/krb5/keytab/kt_srvtab.c
+++ b/src/lib/krb5/keytab/kt_srvtab.c
@@ -205,7 +205,7 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip
     while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) {
         ent.key.enctype = enctype;
         if (krb5_principal_compare(context, principal, ent.principal)) {
-            if (kvno == IGNORE_VNO) {
+            if (kvno == IGNORE_VNO || ent.vno == IGNORE_VNO) {
                 if (!best_entry.principal || (best_entry.vno < ent.vno)) {
                     krb5_kt_free_entry(context, &best_entry);
                     best_entry = ent;