From: Will Fiveash Date: Wed, 28 Jan 2009 20:15:53 +0000 (+0000) Subject: Add code to refetch master key list if the matching mkey to decrypt a X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51049b194ad6d4c6ef088d9c277b59129888c1a9;p=thirdparty%2Fkrb5.git Add code to refetch master key list if the matching mkey to decrypt a princ isn't found on the current mkey list. This is useful if the mkey princ has a new key but the running krb5kdc/kamind was started prior to that. Fix another issue related to nentries and krb5_db_get_principal() in kdb5_mkey.c. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21821 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index 4eab100c35..e02050d6aa 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c @@ -215,8 +215,22 @@ kdb5_add_mkey(int argc, char *argv[]) retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries, &more); - if (retval != 0 || nentries != 1) { - com_err(progname, retval, "while getting master key principal %s", mkey_fullname); + if (retval != 0) { + com_err(progname, retval, + "while getting master key principal %s", + mkey_fullname); + exit_status++; + return; + } else if (nentries == 0) { + com_err(progname, retval, + "principal %s not found in Kerberos database", + mkey_fullname); + exit_status++; + return; + } else if (nentries > 1) { + com_err(progname, retval, + "principal %s has multiple entries in Kerberos database", + mkey_fullname); exit_status++; return; } @@ -391,8 +405,22 @@ kdb5_use_mkey(int argc, char *argv[]) retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries, &more); - if (retval != 0 || nentries != 1) { - com_err(progname, retval, "while getting master key principal %s", mkey_fullname); + if (retval != 0) { + com_err(progname, retval, + "while getting master key principal %s", + mkey_fullname); + exit_status++; + return; + } else if (nentries == 0) { + com_err(progname, retval, + "principal %s not found in Kerberos database", + mkey_fullname); + exit_status++; + return; + } else if (nentries > 1) { + com_err(progname, retval, + "principal %s has multiple entries in Kerberos database", + mkey_fullname); exit_status++; return; } @@ -524,8 +552,22 @@ kdb5_list_mkeys(int argc, char *argv[]) retval = krb5_db_get_principal(util_context, master_princ, &master_entry, &nentries, &more); - if (retval != 0 || nentries != 1) { - com_err(progname, retval, "while getting master key principal %s", mkey_fullname); + if (retval != 0) { + com_err(progname, retval, + "while getting master key principal %s", + mkey_fullname); + exit_status++; + return; + } else if (nentries == 0) { + com_err(progname, retval, + "principal %s not found in Kerberos database", + mkey_fullname); + exit_status++; + return; + } else if (nentries > 1) { + com_err(progname, retval, + "principal %s has multiple entries in Kerberos database", + mkey_fullname); exit_status++; return; } diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 0756d4c944..c55659d9dc 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -104,7 +104,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, const char *status; krb5_key_data *server_key, *client_key; krb5_keyblock server_keyblock, client_keyblock; - krb5_keyblock *tmp_mkey; + krb5_keyblock *mkey_ptr; krb5_enctype useenctype; krb5_boolean update_client = 0; krb5_data e_data; @@ -426,14 +426,26 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) { - status = "FINDING_MASTER_KEY"; - goto errout; + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, + &mkey_ptr))) { + /* try refreshing master key list */ + /* XXX it would nice if we had the mkvno here for optimization */ + if (krb5_db_fetch_mkey_list(kdc_context, master_princ, + &master_keyblock, 0, &master_keylist) == 0) { + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, + &server, &mkey_ptr))) { + status = "FINDING_MASTER_KEY"; + goto errout; + } + } else { + status = "FINDING_MASTER_KEY"; + goto errout; + } } /* convert server.key into a real key (it may be encrypted in the database) */ - if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey, + if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, /* server_keyblock is later used to generate auth data signatures */ server_key, &server_keyblock, NULL))) { @@ -462,13 +474,25 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client, &tmp_mkey))) { - status = "FINDING_MASTER_KEY"; - goto errout; + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &client, + &mkey_ptr))) { + /* try refreshing master key list */ + /* XXX it would nice if we had the mkvno here for optimization */ + if (krb5_db_fetch_mkey_list(kdc_context, master_princ, + &master_keyblock, 0, &master_keylist) == 0) { + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, + &client, &mkey_ptr))) { + status = "FINDING_MASTER_KEY"; + goto errout; + } + } else { + status = "FINDING_MASTER_KEY"; + goto errout; + } } /* convert client.key_data into a real key */ - if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey, + if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, client_key, &client_keyblock, NULL))) { status = "DECRYPT_CLIENT_KEY"; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 5ca9aeb79c..74a3899e38 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -101,7 +101,7 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, krb5_keyblock session_key; krb5_timestamp until, rtime; krb5_keyblock encrypting_key; - krb5_keyblock *tmp_mkey; + krb5_keyblock *mkey_ptr; krb5_key_data *server_key; char *cname = 0, *sname = 0, *altcname = 0; krb5_last_req_entry *nolrarray[2], nolrentry; @@ -548,15 +548,27 @@ tgt_again: goto cleanup; } - if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &tmp_mkey))) { - status = "FINDING_MASTER_KEY"; - goto cleanup; + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, + &mkey_ptr))) { + /* try refreshing master key list */ + /* XXX it would nice if we had the mkvno here for optimization */ + if (krb5_db_fetch_mkey_list(kdc_context, master_princ, + &master_keyblock, 0, &master_keylist) == 0) { + if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, + &server, &mkey_ptr))) { + status = "FINDING_MASTER_KEY"; + goto cleanup; + } + } else { + status = "FINDING_MASTER_KEY"; + goto cleanup; + } } /* convert server.key into a real key (it may be encrypted * in the database) */ if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, - tmp_mkey, + mkey_ptr, server_key, &encrypting_key, NULL))) { status = "DECRYPT_SERVER_KEY"; diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 00b8531d86..a4025e3f26 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -665,7 +665,7 @@ get_entry_data(krb5_context context, int i, k; krb5_data *ret; krb5_deltat *delta; - krb5_keyblock *keys, *tmp_mkey; + krb5_keyblock *keys, *mkey_ptr; krb5_key_data *entry_key; krb5_error_code error; @@ -701,9 +701,21 @@ get_entry_data(krb5_context context, ret->data = (char *) keys; ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1); memset(ret->data, 0, ret->length); - if ((error = krb5_dbe_find_mkey(context, master_keylist, entry, &tmp_mkey))) { - free(ret); - return (error); + if ((error = krb5_dbe_find_mkey(context, master_keylist, entry, + &mkey_ptr))) { + /* try refreshing the mkey list in case it's been updated */ + if (krb5_db_fetch_mkey_list(context, master_princ, + &master_keyblock, 0, + &master_keylist) == 0) { + if ((error = krb5_dbe_find_mkey(context, master_keylist, entry, + &mkey_ptr))) { + free(ret); + return (error); + } + } else { + free(ret); + return (error); + } } k = 0; for (i = 0; i < request->nktypes; i++) { @@ -711,7 +723,7 @@ get_entry_data(krb5_context context, if (krb5_dbe_find_enctype(context, entry, request->ktype[i], -1, 0, &entry_key) != 0) continue; - if (krb5_dbekd_decrypt_key_data(context, tmp_mkey, + if (krb5_dbekd_decrypt_key_data(context, mkey_ptr, entry_key, &keys[k], NULL) != 0) { if (keys[k].contents != NULL) krb5_free_keyblock_contents(context, &keys[k]); @@ -1342,7 +1354,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_data scratch; krb5_data enc_ts_data; krb5_enc_data *enc_data = 0; - krb5_keyblock key, *tmp_mkey; + krb5_keyblock key, *mkey_ptr; krb5_key_data * client_key; krb5_int32 start; krb5_timestamp timenow; @@ -1360,8 +1372,20 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, if ((enc_ts_data.data = (char *) malloc(enc_ts_data.length)) == NULL) goto cleanup; - if ((retval = krb5_dbe_find_mkey(context, master_keylist, client, &tmp_mkey))) - goto cleanup; + if ((retval = krb5_dbe_find_mkey(context, master_keylist, client, + &mkey_ptr))) { + /* try refreshing the mkey list in case it's been updated */ + if (krb5_db_fetch_mkey_list(context, master_princ, + &master_keyblock, 0, + &master_keylist) == 0) { + if ((retval = krb5_dbe_find_mkey(context, master_keylist, client, + &mkey_ptr))) { + goto cleanup; + } + } else { + goto cleanup; + } + } start = 0; decrypt_err = 0; @@ -1371,7 +1395,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, -1, 0, &client_key))) goto cleanup; - if ((retval = krb5_dbekd_decrypt_key_data(context, tmp_mkey, + if ((retval = krb5_dbekd_decrypt_key_data(context, mkey_ptr, client_key, &key, NULL))) goto cleanup; @@ -1954,7 +1978,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, krb5_sam_challenge sc; krb5_predicted_sam_response psr; krb5_data * scratch; - krb5_keyblock encrypting_key, *tmp_mkey; + krb5_keyblock encrypting_key, *mkey_ptr; char response[9]; char inputblock[8]; krb5_data predict_response; @@ -2018,8 +2042,20 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, if (sc.sam_type) { /* so use assoc to get the key out! */ { - if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, &assoc, &tmp_mkey))) - return (retval); + if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc, + &mkey_ptr))) { + /* try refreshing the mkey list in case it's been updated */ + if (krb5_db_fetch_mkey_list(context, master_princ, + &master_keyblock, 0, + &master_keylist) == 0) { + if ((retval = krb5_dbe_find_mkey(context, master_keylist, &assoc, + &mkey_ptr))) { + return (retval); + } + } else { + return (retval); + } + } /* here's what do_tgs_req does */ retval = krb5_dbe_find_enctype(kdc_context, &assoc, @@ -2037,7 +2073,7 @@ get_sam_edata(krb5_context context, krb5_kdc_req *request, } /* convert server.key into a real key */ retval = krb5_dbekd_decrypt_key_data(kdc_context, - tmp_mkey, + mkey_ptr, assoc_key, &encrypting_key, NULL); if (retval) { @@ -2524,7 +2560,7 @@ static krb5_error_code verify_pkinit_request( unsigned cert_hash_len; unsigned key_dex; unsigned cert_match = 0; - krb5_keyblock decrypted_key, *tmp_mkey; + krb5_keyblock decrypted_key, *mkey_ptr; /* the data we get from the AS-REQ */ krb5_timestamp client_ctime = 0; @@ -2668,8 +2704,19 @@ static krb5_error_code verify_pkinit_request( goto cleanup; } cert_hash_len = strlen(cert_hash); - if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, &tmp_mkey))) - goto cleanup; + if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, &mkey_ptr))) { + /* try refreshing the mkey list in case it's been updated */ + if (krb5_db_fetch_mkey_list(context, master_princ, + &master_keyblock, 0, + &master_keylist) == 0) { + if ((krtn = krb5_dbe_find_mkey(context, master_keylist, &entry, + &mkey_ptr))) { + goto cleanup; + } + } else { + goto cleanup; + } + } for(key_dex=0; key_dexn_key_data; key_dex++) { krb5_key_data *key_data = &client->key_data[key_dex]; kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n", @@ -2684,7 +2731,7 @@ static krb5_error_code verify_pkinit_request( * Unfortunately this key is stored encrypted even though it's * not sensitive... */ - krtn = krb5_dbekd_decrypt_key_data(context, tmp_mkey, + krtn = krb5_dbekd_decrypt_key_data(context, mkey_ptr, key_data, &decrypted_key, NULL); if(krtn) { kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n"); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index a9a89636e2..68d7b869f4 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -415,7 +415,7 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, krb5_error_code retval; krb5_boolean more, similar; krb5_key_data * server_key; - krb5_keyblock * tmp_mkey; + krb5_keyblock * mkey_ptr; *nprincs = 1; @@ -447,9 +447,20 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, goto errout; } - retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, &tmp_mkey); - if (retval) - goto errout; + if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, server, + &mkey_ptr))) { + /* try refreshing master key list */ + /* XXX it would nice if we had the mkvno here for optimization */ + if (krb5_db_fetch_mkey_list(kdc_context, master_princ, + &master_keyblock, 0, &master_keylist) == 0) { + if ((retval = krb5_dbe_find_mkey(kdc_context, master_keylist, + server, &mkey_ptr))) { + goto errout; + } + } else { + goto errout; + } + } retval = krb5_dbe_find_enctype(kdc_context, server, match_enctype ? ticket->enc_part.enctype : -1, @@ -462,7 +473,7 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, goto errout; } if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { - retval = krb5_dbekd_decrypt_key_data(kdc_context, tmp_mkey, + retval = krb5_dbekd_decrypt_key_data(kdc_context, mkey_ptr, server_key, *key, NULL); } else diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index b73444cd60..47f00c0713 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -209,7 +209,8 @@ krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r) if (ret) goto done; - ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db, &tmp_mkey); + ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db, + &tmp_mkey); if (ret) goto done; diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 4a9d26f3f6..f3fd651058 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -33,8 +33,9 @@ static char *rcsid = "$Header$"; extern krb5_principal master_princ; extern krb5_principal hist_princ; +extern krb5_keyblock master_keyblock; extern krb5_keylist_node *master_keylist; -extern krb5_actkvno_node *active_mkey_list; +extern krb5_actkvno_node *active_mkey_list; extern krb5_keyblock hist_key; extern krb5_db_entry master_db; extern krb5_db_entry hist_db; @@ -2079,7 +2080,7 @@ kadm5_get_principal_keys(void *server_handle /* IN */, krb5_key_data *key_data; kadm5_ret_t ret; kadm5_server_handle_t handle = server_handle; - krb5_keyblock *tmp_mkey; + krb5_keyblock *mkey_ptr; if (keyblocks) *keyblocks = NULL; @@ -2093,9 +2094,22 @@ kadm5_get_principal_keys(void *server_handle /* IN */, return(ret); if (keyblocks) { - ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb, &tmp_mkey); - if (ret) - goto done; + if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &kdb, + &mkey_ptr))) { + /* try refreshing master key list */ + /* XXX it would nice if we had the mkvno here for optimization */ + if (krb5_db_fetch_mkey_list(handle->context, master_princ, + &master_keyblock, 0, + &master_keylist) == 0) { + if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, + &kdb, &mkey_ptr))) { + goto done; + } + } else { + goto done; + } + } + if (handle->api_version == KADM5_API_VERSION_1) { /* Version 1 clients will expect to see a DES_CRC enctype. */ if ((ret = krb5_dbe_find_enctype(handle->context, &kdb, @@ -2103,11 +2117,11 @@ kadm5_get_principal_keys(void *server_handle /* IN */, -1, -1, &key_data))) goto done; - if ((ret = decrypt_key_data(handle->context, tmp_mkey, 1, key_data, + if ((ret = decrypt_key_data(handle->context, mkey_ptr, 1, key_data, keyblocks, NULL))) goto done; } else { - ret = decrypt_key_data(handle->context, tmp_mkey, + ret = decrypt_key_data(handle->context, mkey_ptr, kdb.n_key_data, kdb.key_data, keyblocks, n_keys); if (ret) @@ -2205,7 +2219,7 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle, kadm5_server_handle_t handle = server_handle; krb5_db_entry dbent; krb5_key_data *key_data; - krb5_keyblock *tmp_mkey; + krb5_keyblock *mkey_ptr; int ret; CHECK_HANDLE(server_handle); @@ -2222,12 +2236,23 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle, /* find_mkey only uses this field */ dbent.tl_data = entry->tl_data; - ret = krb5_dbe_find_mkey(handle->context, master_keylist, &dbent, &tmp_mkey); - if (ret) - return (ret); + if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, &dbent, + &mkey_ptr))) { + /* try refreshing master key list */ + /* XXX it would nice if we had the mkvno here for optimization */ + if (krb5_db_fetch_mkey_list(handle->context, master_princ, + &master_keyblock, 0, &master_keylist) == 0) { + if ((ret = krb5_dbe_find_mkey(handle->context, master_keylist, + &dbent, &mkey_ptr))) { + return ret; + } + } else { + return ret; + } + } if ((ret = krb5_dbekd_decrypt_key_data(handle->context, - tmp_mkey, key_data, + mkey_ptr, key_data, keyblock, keysalt))) return ret; diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 87a9244409..0f2c6a078a 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -126,24 +126,24 @@ krb5_dbe_free_key_data_contents(krb5_context context, krb5_key_data *key) } void -krb5_dbe_free_key_list(krb5_context context, krb5_keylist_node *key_list) +krb5_dbe_free_key_list(krb5_context context, krb5_keylist_node *val) { - krb5_keylist_node *cur_node, *next_node; + krb5_keylist_node *temp = val, *prev; - for (cur_node = key_list; cur_node != NULL; cur_node = next_node) { - next_node = cur_node->next; - krb5_free_keyblock_contents(context, &(cur_node->keyblock)); - krb5_xfree(cur_node); + while (temp != NULL) { + prev = temp; + temp = temp->next; + krb5_free_keyblock_contents(context, &(prev->keyblock)); + krb5_xfree(prev); } - return; } void krb5_dbe_free_actkvno_list(krb5_context context, krb5_actkvno_node *val) { - krb5_actkvno_node *temp, *prev; + krb5_actkvno_node *temp = val, *prev; - for (temp = val; temp != NULL;) { + while (temp != NULL) { prev = temp; temp = temp->next; krb5_xfree(prev); @@ -153,9 +153,9 @@ krb5_dbe_free_actkvno_list(krb5_context context, krb5_actkvno_node *val) void krb5_dbe_free_mkey_aux_list(krb5_context context, krb5_mkey_aux_node *val) { - krb5_mkey_aux_node *temp, *prev; + krb5_mkey_aux_node *temp = val, *prev; - for (temp = val; temp != NULL;) { + while (temp != NULL) { prev = temp; temp = temp->next; krb5_dbe_free_key_data_contents(context, &prev->latest_mkey); @@ -1940,10 +1940,10 @@ krb5_dbe_find_act_mkey(krb5_context context, * free the output key. */ krb5_error_code -krb5_dbe_find_mkey(krb5_context context, - krb5_keylist_node *mkey_list, - krb5_db_entry *entry, - krb5_keyblock **mkey) +krb5_dbe_find_mkey(krb5_context context, + krb5_keylist_node * mkey_list, + krb5_db_entry * entry, + krb5_keyblock ** mkey) { krb5_kvno mkvno; krb5_error_code retval; @@ -2344,9 +2344,9 @@ krb5_dbe_lookup_mkey_aux(krb5_context context, prev_data = new_data; } } else { - krb5_set_error_message (context, KRB5_KDB_BAD_VERSION, - "Illegal version number for KRB5_TL_MKEY_AUX %d\n", - version); + krb5_set_error_message(context, KRB5_KDB_BAD_VERSION, + "Illegal version number for KRB5_TL_MKEY_AUX %d\n", + version); return (KRB5_KDB_BAD_VERSION); } } diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 82b2ced08c..7ad847c129 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -502,7 +502,7 @@ krb5_def_fetch_mkey_list(krb5_context context, nprinc = 1; if ((retval = krb5_db_get_principal(context, mprinc, - &master_entry, &nprinc, &more))) + &master_entry, &nprinc, &more))) return (retval); if (nprinc != 1) { @@ -532,7 +532,8 @@ krb5_def_fetch_mkey_list(krb5_context context, * Note the mkvno may provide a hint as to which mkey_aux tuple to * decrypt. */ - if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry, &mkey_aux_data_list))) + if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry, + &mkey_aux_data_list))) goto clean_n_exit; /* mkvno may be 0 in some cases like keyboard and should be ignored */ @@ -542,7 +543,8 @@ krb5_def_fetch_mkey_list(krb5_context context, aux_data_entry = aux_data_entry->next) { if (aux_data_entry->mkey_kvno == mkvno) { - if (krb5_dbekd_decrypt_key_data(context, mkey, &aux_data_entry->latest_mkey, + if (krb5_dbekd_decrypt_key_data(context, mkey, + &aux_data_entry->latest_mkey, &cur_mkey, NULL) == 0) { found_key = TRUE; break; @@ -556,8 +558,9 @@ krb5_def_fetch_mkey_list(krb5_context context, aux_data_entry = aux_data_entry->next) { if (mkey->enctype == aux_data_entry->latest_mkey.key_data_type[0] && - (krb5_dbekd_decrypt_key_data(context, mkey, &aux_data_entry->latest_mkey, - &cur_mkey, NULL) == 0)) { + (krb5_dbekd_decrypt_key_data(context, mkey, + &aux_data_entry->latest_mkey, + &cur_mkey, NULL) == 0)) { found_key = TRUE; break; } @@ -617,12 +620,9 @@ krb5_def_fetch_mkey_list(krb5_context context, *mkeys_list = mkey_list_head; clean_n_exit: - krb5_db_free_principal(context, &master_entry, nprinc); - if (retval != 0) krb5_dbe_free_key_list(context, mkey_list_head); - return retval; }