Talked with MIT people and decided to revert the logic of

krb5_db_def_fetch_mkey_keytab() so that it does use the mkey princ arg to locate the masterkey in the keytab stash.  Also changed the error reporting done by krb5_db_def_fetch_mkey() to call error_message() on the return code of the keytab stash fetch and the old format stash fetch and set the error message to include both of those since this is an ambiguous situation.  And test case 108 in src/kerberos/mit/svn/branches/mkey_keytab/src/lib/kadm5/unit-test/api.2/init-v2.exp was modified to expect KRB5_KDB_CANTREAD_STORED instead of KDB_NOMASTERKEY.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_keytab@20493 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 9698d2c19081f45ab9fd19d78b46f59b7ce07239..bd087afb1ae00d0e65fbfbd82a58501ebf5ab005 100644 (file)
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -1105,7 +1105,6 @@ dump_db(argc, argv)
      */
     if (mkey_convert) {
            if (!valid_master_key) {
-                    krb5_kvno mkvno = IGNORE_VNO;
                    /* TRUE here means read the keyboard, but only once */
                    retval = krb5_db_fetch_mkey(util_context,
                                                master_princ,

diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c
index 1e6d2e5cd3c953b7a5a8b010b2cdeffc92da957a..211710c82734b8dddf20d4d1ed8cb1752cd59cb4 100644 (file)
--- a/src/kadmin/dbutil/kdb5_stash.c
+++ b/src/kadmin/dbutil/kdb5_stash.c
@@ -160,8 +160,6 @@ kdb5_stash(argc, argv)
        exit_status++; return; 
     }
 
-
-    /* verify will set mkey_kvno to mkey princ's kvno mkey_kvno if it's IGNORE_VNO */
     retval = krb5_db_verify_master_key(context, master_princ, 
                                        mkey_kvno,
                                       &master_keyblock);

diff --git a/src/lib/kadm5/unit-test/api.2/init-v2.exp b/src/lib/kadm5/unit-test/api.2/init-v2.exp
index ae1384727c14a6100cac2a2db736f9f310b638bd..b41fb091ff7e04e48bbc4874730f86316a6bca55 100644 (file)
--- a/src/lib/kadm5/unit-test/api.2/init-v2.exp
+++ b/src/lib/kadm5/unit-test/api.2/init-v2.exp
@@ -147,7 +147,7 @@ proc test108 {} {
                [config_params {KADM5_CONFIG_MKEY_NAME} does/not/exist] \
                $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
                server_handle
-    } "KDB_NOMASTERKEY"
+    } "KRB5_KDB_CANTREAD_STORED"
 }
 if {! $RPC} test108
 

diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 4d1b9758051f648a2cf944d513895339d268b594..85267e468797073501b344cd49a9645a2dff4a28 100644 (file)
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -300,93 +300,61 @@ krb5_db_def_fetch_mkey_stash( krb5_context   context,
 static krb5_error_code
 krb5_db_def_fetch_mkey_keytab(  krb5_context   context,
                                 const char     *keyfile,
+                                krb5_principal mname,
                                 krb5_keyblock  *key,
                                 krb5_kvno      *kvno)
 {
     krb5_error_code retval = 0;
-    char ktname[MAXPATHLEN + 6]; /* 6 for FILE: + \0 */
     krb5_keytab kt;
     krb5_keytab_entry kt_ent;
-    krb5_kt_cursor cursor = NULL;
-
-    /* memset krb5_kt_free_entry so can be called safely later */
-    memset(&kt_ent, 0, sizeof(kt_ent));
+    krb5_enctype enctype = IGNORE_ENCTYPE;
 
     if ((retval = krb5_kt_resolve(context, keyfile, &kt)) != 0)
         goto errout;
 
-    if ((retval = krb5_kt_get_name(context, kt, ktname, sizeof(ktname))))
-        goto errout;
+    /* override default */
+    if (key->enctype != ENCTYPE_UNKNOWN)
+        enctype = key->enctype;
 
-    if ((retval = krb5_kt_start_seq_get(context, kt, &cursor)))
-        goto errout;
+    if ((retval = krb5_kt_get_entry(context, kt, mname,
+                                    kvno ? *kvno : IGNORE_VNO,
+                                    enctype,
+                                    &kt_ent)) == 0) {
 
-    while ((retval = krb5_kt_next_entry(context, kt, &kt_ent, &cursor)) == 0) {
-
-        if (key->enctype != ENCTYPE_UNKNOWN && key->enctype != kt_ent.key.enctype) {
-            krb5_kt_free_entry(context, &kt_ent);
-            continue;
-        }
-        if (kvno != NULL && *kvno != IGNORE_VNO && *kvno != kt_ent.vno) {
-            krb5_kt_free_entry(context, &kt_ent);
-            continue;
-        }
-        break;
-    }
+        if (key->enctype == ENCTYPE_UNKNOWN)
+            key->enctype = kt_ent.key.enctype;
 
-    if (retval != 0) {
-        if (retval == KRB5_KT_END) {
-            /* didn't find an entry so indicate no key found */
-            (void) krb5_kt_end_seq_get(context, kt, &cursor);
+        if (((int) kt_ent.key.length) < 0) {
             retval = KRB5_KDB_BADSTORED_MKEY;
+            krb5_kt_free_entry(context, &kt_ent);
+            goto errout;
         }
-        goto errout;
-    }
 
-    if ((retval = krb5_kt_end_seq_get(context, kt, &cursor)))
-        goto errout;
+        key->length = kt_ent.key.length;
 
-    if (key->enctype == ENCTYPE_UNKNOWN)
-        key->enctype = kt_ent.key.enctype;
-    else if (kt_ent.key.enctype != key->enctype) {
-        retval = KRB5_KDB_BADSTORED_MKEY;
-        goto errout;
-    }
-
-    if (((int) kt_ent.key.length) < 0) {
-        retval = KRB5_KDB_BADSTORED_MKEY;
-        goto errout;
-    }
-
-    key->length = kt_ent.key.length;
-
-    if (kvno != NULL) {
         /*
          * If a kvno pointer was passed in and it dereferences the
          * IGNORE_VNO value then it should be assigned the value of the kvno
          * found in the keytab otherwise the KNVO specified should be the
          * same as the one returned from the keytab.
          */
-        if (*kvno == IGNORE_VNO) {
-            *kvno = kt_ent.vno;
-        } else if (*kvno != kt_ent.vno) {
-            retval = KRB5_KDB_BADSTORED_MKEY;
+        if (kvno != NULL && *kvno == IGNORE_VNO)
+                *kvno = kt_ent.vno;
+
+        /*
+         * kt_ent will be free'd so need to allocate and copy key contents for
+         * output to caller.
+         */
+        if (!(key->contents = (krb5_octet *)malloc(key->length))) {
+            retval = ENOMEM;
+            krb5_kt_free_entry(context, &kt_ent);
             goto errout;
         }
+        memcpy(key->contents, kt_ent.key.contents, kt_ent.key.length);
+        krb5_kt_free_entry(context, &kt_ent);
     }
 
-    /*
-     * kt_ent will be free'd later so need to allocate and copy key
-     * contents for output to caller.
-     */
-    if (!(key->contents = (krb5_octet *)malloc(key->length))) {
-        retval = ENOMEM;
-        goto errout;
-    }
-    memcpy(key->contents, kt_ent.key.contents, kt_ent.key.length);
-
 errout:
-    krb5_kt_free_entry(context, &kt_ent);
     return retval;
 }
 
@@ -415,7 +383,7 @@ krb5_db_def_fetch_mkey( krb5_context   context,
     keyfile[sizeof(keyfile) - 1] = '\0';
 
     /* assume the master key is in a keytab */
-    retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, key, kvno);
+    retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
     if (retval_kt != 0) {
         /*
          * If it's not in a keytab, fall back and try getting the mkey from the
@@ -431,14 +399,11 @@ krb5_db_def_fetch_mkey( krb5_context   context,
          * that if either of the stash reading functions returned
          * KRB5_KDB_BADSTORED_MKEY then this is probably the real error.
          */
-        if (retval_kt == KRB5_KDB_BADSTORED_MKEY || retval_ofs == KRB5_KDB_BADSTORED_MKEY) {
-            return KRB5_KDB_BADSTORED_MKEY;
-        } else {
-            krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
-                "Can not fetch master key either from keytab (error: %d) or old "
-                "format (error %d).", retval_kt, retval_ofs);
-            return KRB5_KDB_CANTREAD_STORED;
-        }
+        krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
+            "Can not fetch master key either from keytab (error: %s) or old "
+            "format (error %s).", error_message(retval_kt),
+            error_message(retval_ofs));
+        return KRB5_KDB_CANTREAD_STORED;
     } else {
         return 0;
     }