← Back to branch summary

~ubuntu-branches/ubuntu/maverick/krb5/maverick

« back to all changes in this revision

Viewing changes to src/lib/kadm5/srv/server_kdb.c

  • Committer: Bazaar Package Importer
  • Author(s): Sam Hartman
  • Date: 2009-05-07 16:16:34 UTC
  • mfrom: (13.1.7 sid)
  • Revision ID: james.westby@ubuntu.com-20090507161634-xqyk0s9na0le4flj
Tags: 1.7dfsg~beta1-4
http://bugs.debian.org/527353
When  decrypting the TGS response fails with the subkey, try with the
session key to work around Heimdal bug, Closes: #527353 

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/lib/kadm5/srv/server_kdb.c
4
4
 * $Header$
5
5
 */
6
6
 
 
7
/*
 
8
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 
9
 * Use is subject to license terms.
 
10
 */
 
11
 
7
12
#if !defined(lint) && !defined(__CODECENTER__)
8
13
static char *rcsid = "$Header$";
9
14
#endif
15
20
#include "server_internal.h"
16
21
 
17
22
krb5_principal      master_princ;
18
 
krb5_keyblock       master_keyblock;
 
23
krb5_keyblock       master_keyblock; /* local mkey */
 
24
krb5_keylist_node  *master_keylist = NULL;
 
25
krb5_actkvno_node   *active_mkey_list = NULL;
19
26
krb5_db_entry       master_db;
20
27
 
21
28
krb5_principal      hist_princ;
32
39
    int            ret = 0;
33
40
    char           *realm;
34
41
    krb5_boolean   from_kbd = FALSE;
 
42
    krb5_kvno       mkvno = IGNORE_VNO;
35
43
 
36
44
    if (from_keyboard)
37
45
      from_kbd = TRUE;
50
58
 
51
59
    master_keyblock.enctype = handle->params.enctype;
52
60
 
 
61
    /* 
 
62
     * Fetch the local mkey, may not be the latest but that's okay because we
 
63
     * really want the list of all mkeys and those can be retrieved with any
 
64
     * valid mkey.
 
65
     */
53
66
    ret = krb5_db_fetch_mkey(handle->context, master_princ,
54
67
                             master_keyblock.enctype, from_kbd,
55
68
                             FALSE /* only prompt once */,
56
69
                             handle->params.stash_file,
 
70
                             &mkvno  /* get the kvno of the returned mkey */,
57
71
                             NULL /* I'm not sure about this,
58
72
                                     but it's what the kdc does --marc */,
59
73
                             &master_keyblock);
60
74
    if (ret)
61
75
        goto done;
62
76
                                 
 
77
#if 0 /************** Begin IFDEF'ed OUT *******************************/
 
78
    /*
 
79
     * krb5_db_fetch_mkey_list will verify mkey so don't call
 
80
     * krb5_db_verify_master_key()
 
81
     */
63
82
    if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
64
 
                                         &master_keyblock))) {
 
83
                                         IGNORE_VNO, &master_keyblock))) {
65
84
          krb5_db_fini(handle->context);
66
85
          return ret;
67
86
    }
 
87
#endif /**************** END IFDEF'ed OUT *******************************/
 
88
 
 
89
    if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
 
90
                                       &master_keyblock, mkvno, &master_keylist))) {
 
91
        krb5_db_fini(handle->context);
 
92
        return (ret);
 
93
    }
 
94
 
 
95
    if ((ret = krb5_dbe_fetch_act_key_list(handle->context, master_princ,
 
96
                                           &active_mkey_list))) {
 
97
        krb5_db_fini(handle->context);
 
98
        return (ret);
 
99
    }
68
100
 
69
101
done:
70
102
    if (r == NULL)
105
137
    char    *realm, *hist_name;
106
138
    krb5_key_data *key_data;
107
139
    krb5_key_salt_tuple ks[1];
 
140
    krb5_keyblock *tmp_mkey;
108
141
 
109
142
    if (r == NULL)  {
110
143
        if ((ret = krb5_get_default_realm(handle->context, &realm)))
113
146
        realm = r;
114
147
    }
115
148
 
116
 
    if ((hist_name = (char *) malloc(strlen(KADM5_HIST_PRINCIPAL) +
117
 
                                     strlen(realm) + 2)) == NULL)
 
149
    if (asprintf(&hist_name, "%s@%s", KADM5_HIST_PRINCIPAL, realm) < 0) {
 
150
        hist_name = NULL;
118
151
        goto done;
119
 
 
120
 
    (void) sprintf(hist_name, "%s@%s", KADM5_HIST_PRINCIPAL, realm);
 
152
    }
121
153
 
122
154
    if ((ret = krb5_parse_name(handle->context, hist_name, &hist_princ)))
123
155
        goto done;
177
209
    if (ret)
178
210
        goto done;
179
211
 
180
 
    ret = krb5_dbekd_decrypt_key_data(handle->context, &master_keyblock,
 
212
    ret = krb5_dbe_find_mkey(handle->context, master_keylist, &hist_db,
 
213
                             &tmp_mkey);
 
214
    if (ret)
 
215
        goto done;
 
216
 
 
217
    ret = krb5_dbekd_decrypt_key_data(handle->context, tmp_mkey,
181
218
                                  key_data, &hist_key, NULL);
182
219
    if (ret)
183
220
        goto done;