From: Will Fiveash
Date: Tue, 24 Jun 2008 01:44:33 +0000 (+0000)
Subject: fixed a few more bugs, most tests are passing but may have some more work to do
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40ae536ed7c32a6e6c90dffed3cd75273e079e04;p=thirdparty%2Fkrb5.git
fixed a few more bugs, most tests are passing but may have some more work to do
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_keytab@20464 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index f684fdb9b6..64fa0537a6 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -381,7 +381,7 @@ static int open_db_and_mkey()
 int nentries;
 krb5_boolean more;
 krb5_data scratch, pwd, seed;
- krb5_kvno mprinc_kvno, kvno;
+ krb5_kvno kvno;
 dbactive = FALSE;
 valid_master_key = 0;
@@ -424,7 +424,10 @@ static int open_db_and_mkey()
 }
 /* may be used later */
- mprinc_kvno = (krb5_kvno) master_entry.key_data->key_data_kvno;
+ if (global_params.mask & KADM5_CONFIG_KVNO)
+ kvno = global_params.kvno; /* user specified */
+ else
+ kvno = (krb5_kvno) master_entry.key_data->key_data_kvno;
 krb5_db_free_principal(util_context, &master_entry, nentries);
@@ -458,10 +461,6 @@ static int open_db_and_mkey()
 free(scratch.data);
 mkey_password = 0;
- if (global_params.mask & KADM5_CONFIG_KVNO)
- kvno = global_params.kvno; /* user specified */
- else
- kvno = mprinc_kvno;
 } else if ((retval = krb5_db_fetch_mkey(util_context, master_princ, master_keyblock.enctype, manual_mkey, FALSE,
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 4a35838108..9bf26e9393 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
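Review bot: In src/kadmin/dbutil/kdb5_util.c, the relocated `else` branch in open_db_and_mkey() (hunk at -424) reads `master_entry.key_data->key_data_kvno` with no visible check that the master principal entry actually carries key data. If that guard is not in the lines above the hunk, an entry read from the database with no keys would turn this into a NULL dereference; a test such as `if (master_entry.n_key_data < 1)` with an error return before the read would close it. The comment `/* may be used later */` could also say what kvno is used for, now that it is assigned on every path. The function body starts and ends outside the hunk.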
@@ -285,9 +285,11 @@ krb5_db_def_fetch_mkey_stash( krb5_context context,
 /*
 * Note, the old stash format did not store the kvno and at this point it
- * can be assumed to be 1 as is the case for the mkey princ.
+ * can be assumed to be 1 as is the case for the mkey princ. If the kvno is
+ * passed in and isn't ignore_vno just leave it alone as this could cause
+ * verifcation trouble if the mkey princ is using a kvno other than 1.
 */
- if (kvno)
+ if (kvno && *kvno == IGNORE_VNO)
 *kvno = 1;
 errout:
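Review bot: The new test `*kvno == IGNORE_VNO` turns `kvno` into an in/out parameter, so a caller that passes the address of an uninitialized `krb5_kvno` now has an indeterminate value read here and may get back a kvno that was never derived from the stash file. The function's header comment is outside the hunk; it should state that `*kvno` must be set to `IGNORE_VNO` or to the expected kvno before the call. In the block comment, `ignore_vno` should be spelled `IGNORE_VNO` to match the code, and `verifcation` is a typo for `verification`. Because the old stash format stores no kvno, a caller-supplied value is accepted without being checked against the file, which is worth stating in the same comment.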
@@ -378,39 +380,49 @@ krb5_db_def_fetch_mkey( krb5_context context,
 char *db_args)
 {
 krb5_error_code retval_ofs = 0, retval_kt = 0;
- char defkeyfile[MAXPATHLEN+1];
+ char keyfile[MAXPATHLEN+1];
 krb5_data *realm = krb5_princ_realm(context, mname);
 key->magic = KV5M_KEYBLOCK;
- (void) strcpy(defkeyfile, DEFAULT_KEYFILE_STUB);
- (void) strncat(defkeyfile, realm->data,
- min(sizeof(defkeyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1,
- realm->length));
- defkeyfile[sizeof(defkeyfile) - 1] = '\0';
+
+ if (db_args != NULL) {
+ (void) strncpy(keyfile, db_args, sizeof(keyfile));
+ } else {
+ (void) strcpy(keyfile, DEFAULT_KEYFILE_STUB);
+ (void) strncat(keyfile, realm->data,
+ min(sizeof(keyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1,
+ realm->length));
+ }
+ /* null terminate no matter what */
+ keyfile[sizeof(keyfile) - 1] = '\0';
 /* assume the master key is in a keytab */
- retval_kt = krb5_db_def_fetch_mkey_keytab(context, defkeyfile, mname, key,
+ retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key,
 kvno);
 if (retval_kt != 0) {
 /*
 * If it's not in a keytab, fall back and try getting the mkey from the
 * older stash file format.
 */
- retval_ofs = krb5_db_def_fetch_mkey_stash(context, defkeyfile, mname,
+ retval_ofs = krb5_db_def_fetch_mkey_stash(context, keyfile, mname,
 key, kvno);
 }
 if (retval_kt != 0 && retval_ofs != 0) {
 /*
- * Error, not able to get mkey from either file format.
- *
- * XXX note this masks the underlying error, wonder if there is a better
- * way to deal with this.
+ * Error, not able to get mkey from either file format. Note, in order
+ * to try to return a more correct error, the logic below is assuming
+ * that if either of the stash reading functions returned
+ * KRB5_KDB_BADSTORED_MKEY then this is probably the real error.
 */
- krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
- "Can not get master key either from keytab (error: %d) or old "
- "format (error %d).", retval_kt, retval_ofs);
- return KRB5_KDB_CANTREAD_STORED;
+ if (retval_kt == KRB5_KDB_BADSTORED_MKEY || retval_ofs == KRB5_KDB_BADSTORED_MKEY) {
+ return KRB5_KDB_BADSTORED_MKEY;
+ } else {
+ krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
+ "Can not fetch master key either from keytab (error: %d) or old "
+ "format (error %d).", retval_kt, retval_ofs);
+ return KRB5_KDB_CANTREAD_STORED;
+ }
 } else {
 return 0;
 }
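Review bot: `strncpy(keyfile, db_args, sizeof(keyfile))` followed by the forced terminator silently truncates a `db_args` path longer than MAXPATHLEN characters, so the master key would be fetched from a different file than the one the caller named. Rejecting the over-long path is safer than truncating it, for example `if (strlen(db_args) >= sizeof(keyfile)) return ENAMETOOLONG;` before the copy (the exact error code is only a suggestion). Separately, the new `KRB5_KDB_BADSTORED_MKEY` return path drops both underlying codes and sets no error message, unlike the `KRB5_KDB_CANTREAD_STORED` path below it, which makes a failed master-key load harder to diagnose.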