From: Will Fiveash Date: Fri, 16 Jan 2009 21:28:38 +0000 (+0000) Subject: Fixed several bugs discovered during initial debugging of KDB X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a39c0f64ec6cb73486a8b05ae8a355fbab57f29;p=thirdparty%2Fkrb5.git Fixed several bugs discovered during initial debugging of KDB creation. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21755 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index c9bf7cd7db..633e254274 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -2484,9 +2484,9 @@ krb5_dbe_update_mkey_aux(krb5_context context, * If version of the KRB5_TL_ACTKVNO data is KRB5_TL_ACTKVNO_VER_1 then size of * a actkvno tuple {act_kvno, act_time} entry is: */ -#define ACTKVNO_TUPLE_SIZE sizeof(krb5_int16) + sizeof(krb5_int32) +#define ACTKVNO_TUPLE_SIZE (sizeof(krb5_int16) + sizeof(krb5_int32)) #define act_kvno(cp) (cp) /* return pointer to start of act_kvno data */ -#define act_time(cp) (cp) + sizeof(krb5_int16) /* return pointer to start of act_time data */ +#define act_time(cp) ((cp) + sizeof(krb5_int16)) /* return pointer to start of act_time data */ krb5_error_code krb5_dbe_lookup_actkvno(krb5_context context, @@ -2495,11 +2495,12 @@ krb5_dbe_lookup_actkvno(krb5_context context, { krb5_tl_data tl_data; krb5_error_code code; - krb5_int16 version; + krb5_int16 version, tmp_kvno; krb5_actkvno_node *head_data = NULL, *new_data = NULL, *prev_data = NULL; unsigned int num_actkvno, i; krb5_octet *next_tuple; + memset(&tl_data, 0, sizeof(tl_data)); tl_data.tl_data_type = KRB5_TL_ACTKVNO; if ((code = krb5_dbe_lookup_tl_data(context, entry, &tl_data))) @@ -2526,10 +2527,11 @@ krb5_dbe_lookup_actkvno(krb5_context context, krb5_free_actkvno_list(context, head_data); return (ENOMEM); } - krb5_kdb_decode_int16(act_kvno(next_tuple), new_data->act_kvno); + /* using tmp_kvno to avoid type mismatch */ + krb5_kdb_decode_int16(act_kvno(next_tuple), tmp_kvno); + new_data->act_kvno = (krb5_kvno) tmp_kvno; krb5_kdb_decode_int32(act_time(next_tuple), new_data->act_time); - /* XXX WAF: may be able to deal with list pointers in a better - * way, see add_mkey() */ + new_data->next = NULL; if (prev_data != NULL) prev_data->next = new_data; @@ -2558,15 +2560,16 @@ krb5_dbe_update_actkvno(krb5_context context, const krb5_actkvno_node *actkvno_list) { krb5_error_code retval = 0; - krb5_int16 version; + krb5_int16 version, tmp_kvno; krb5_tl_data new_tl_data; - krb5_octet *nextloc; + unsigned char *nextloc; const krb5_actkvno_node *cur_actkvno; if (actkvno_list == NULL) { return (EINVAL); } + memset(&new_tl_data, 0, sizeof(new_tl_data)); /* allocate initial KRB5_TL_ACTKVNO tl_data entry */ new_tl_data.tl_data_length = sizeof(version); new_tl_data.tl_data_contents = (krb5_octet *) malloc(new_tl_data.tl_data_length); @@ -2574,9 +2577,11 @@ krb5_dbe_update_actkvno(krb5_context context, return (ENOMEM); /* add the current version # for the data format used for KRB5_TL_ACTKVNO */ - krb5_kdb_encode_int16((krb5_ui_2)KRB5_TL_ACTKVNO_VER_1, (unsigned char *)new_tl_data.tl_data_contents); + krb5_kdb_encode_int16((krb5_ui_2)KRB5_TL_ACTKVNO_VER_1, + (unsigned char *)new_tl_data.tl_data_contents); - for (cur_actkvno = actkvno_list; cur_actkvno != NULL; cur_actkvno = cur_actkvno->next) { + for (cur_actkvno = actkvno_list; cur_actkvno != NULL; + cur_actkvno = cur_actkvno->next) { new_tl_data.tl_data_length += ACTKVNO_TUPLE_SIZE; new_tl_data.tl_data_contents = (krb5_octet *) realloc(new_tl_data.tl_data_contents, new_tl_data.tl_data_length); @@ -2588,9 +2593,11 @@ krb5_dbe_update_actkvno(krb5_context context, * next location to store new tuple. */ nextloc = new_tl_data.tl_data_contents + new_tl_data.tl_data_length - ACTKVNO_TUPLE_SIZE; - krb5_kdb_encode_int16((krb5_ui_2)cur_actkvno->act_kvno, (unsigned char *)nextloc); + /* using tmp_kvno to avoid type mismatch issues */ + tmp_kvno = (krb5_int16) cur_actkvno->act_kvno; + krb5_kdb_encode_int16(tmp_kvno, nextloc); nextloc += sizeof(krb5_ui_2); - krb5_kdb_encode_int32((krb5_ui_4)cur_actkvno->act_time, (unsigned char *)nextloc); + krb5_kdb_encode_int32((krb5_ui_4)cur_actkvno->act_time, nextloc); } new_tl_data.tl_data_type = KRB5_TL_ACTKVNO; diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 32f13dddcb..a5c8ea444b 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -493,8 +493,9 @@ krb5_def_fetch_mkey_list(krb5_context context, krb5_db_entry master_entry; int nprinc; krb5_boolean more, found_key = FALSE; - krb5_keyblock tmp_mkey, tmp_clearkey; - krb5_keylist_node *mkey_list_head, **mkey_list_node; + krb5_keyblock tmp_clearkey; + const krb5_keyblock *current_mkey; + krb5_keylist_node *mkey_list_head = NULL, **mkey_list_node; krb5_key_data *key_data; krb5_mkey_aux_node *mkey_aux_data_list, *aux_data_entry; int i; @@ -502,7 +503,6 @@ krb5_def_fetch_mkey_list(krb5_context context, if (mkeys_list == NULL) return (EINVAL); - memset(&tmp_mkey, 0, sizeof(tmp_mkey)); memset(&tmp_clearkey, 0, sizeof(tmp_clearkey)); nprinc = 1; @@ -523,7 +523,7 @@ krb5_def_fetch_mkey_list(krb5_context context, * Check if the input mkey is the latest key and if it isn't then find the * latest mkey. */ - if ((retval = krb5_dbekd_decrypt_key_data(context, &tmp_mkey, + if ((retval = krb5_dbekd_decrypt_key_data(context, mkey, &master_entry.key_data[0], &tmp_clearkey, NULL)) != 0) { /* @@ -538,7 +538,7 @@ krb5_def_fetch_mkey_list(krb5_context context, aux_data_entry = aux_data_entry->next) { if (aux_data_entry->mkey_kvno == mkvno) { - if (krb5_dbekd_decrypt_key_data(context, &tmp_mkey, &aux_data_entry->latest_mkey, + if (krb5_dbekd_decrypt_key_data(context, mkey, &aux_data_entry->latest_mkey, &tmp_clearkey, NULL) == 0) { found_key = TRUE; break; @@ -550,11 +550,10 @@ krb5_def_fetch_mkey_list(krb5_context context, for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL; aux_data_entry = aux_data_entry->next) { - if (krb5_dbekd_decrypt_key_data(context, &tmp_mkey, &aux_data_entry->latest_mkey, + if (krb5_dbekd_decrypt_key_data(context, mkey, &aux_data_entry->latest_mkey, &tmp_clearkey, NULL) == 0) { found_key = TRUE; - /* XXX WAF: should I issue warning about kvno not matching? - */ + /* XXX WAF: should I issue warning about kvno not matching? */ break; } } @@ -565,6 +564,9 @@ krb5_def_fetch_mkey_list(krb5_context context, goto clean_n_exit; } } + current_mkey = &tmp_clearkey; + } else { + current_mkey = mkey; } /* @@ -581,7 +583,10 @@ krb5_def_fetch_mkey_list(krb5_context context, memset(mkey_list_head, 0, sizeof(krb5_keylist_node)); mkey_list_node = &mkey_list_head; - for (i=0; i < master_entry.n_key_data; i++) { + /* XXX WAF: optimize by setting the first mkey_list_node to current mkey and + * if there are any others then do for loop below. */ + + for (i = 0; i < master_entry.n_key_data; i++) { if (*mkey_list_node == NULL) { /* *mkey_list_node points to next field of previous node */ *mkey_list_node = (krb5_keylist_node *) malloc(sizeof(krb5_keylist_node)); @@ -592,12 +597,13 @@ krb5_def_fetch_mkey_list(krb5_context context, memset(*mkey_list_node, 0, sizeof(krb5_keylist_node)); } key_data = &master_entry.key_data[i]; - retval = krb5_dbekd_decrypt_key_data(context, mkey, + retval = krb5_dbekd_decrypt_key_data(context, current_mkey, key_data, &((*mkey_list_node)->keyblock), NULL); if (retval) goto clean_n_exit; + (*mkey_list_node)->kvno = key_data->key_data_kvno; mkey_list_node = &((*mkey_list_node)->next); } @@ -605,11 +611,6 @@ krb5_def_fetch_mkey_list(krb5_context context, clean_n_exit: - if (tmp_mkey.contents) { - memset(tmp_mkey.contents, 0, tmp_mkey.length); - krb5_db_free(context, tmp_mkey.contents); - } - if (tmp_clearkey.contents) { memset(tmp_clearkey.contents, 0, tmp_clearkey.length); krb5_db_free(context, tmp_clearkey.contents);