svn rev #23711: branches/krb5-1-8/src/lib/kdb/

tlyu@MIT.EDU tlyu at MIT.EDU
Mon Feb 8 16:22:18 EST 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=23711
Commit By: tlyu
Log Message:
ticket: 6652
version_fixed: 1.8
status: resolved

pull up r23677 from trunk

 ------------------------------------------------------------------------
 r23677 | ghudson | 2010-01-28 20:22:17 -0500 (Thu, 28 Jan 2010) | 14 lines

 ticket: 6652
 subject: Make decryption of master key list more robust
 target_version: 1.8
 tags: pullup

 krb5_def_fetch_mkey_list was incorrectly filtering mkey_aux entries
 when searching the list for an entry which can be decrypted with the
 stashed master key.  This bug was masked in most cases by the mkvno
 heuristic.

 Remove the mkvno heuristic, since performance is not an issue for this
 rarely-performed operation, and remove the incorrect enctype
 comparison in the brute-force search.


Changed Files:
U   branches/krb5-1-8/src/lib/kdb/kdb_default.c
Modified: branches/krb5-1-8/src/lib/kdb/kdb_default.c
===================================================================
--- branches/krb5-1-8/src/lib/kdb/kdb_default.c	2010-02-08 20:55:48 UTC (rev 23710)
+++ branches/krb5-1-8/src/lib/kdb/kdb_default.c	2010-02-08 21:22:18 UTC (rev 23711)
@@ -542,49 +542,25 @@
     }
 
     if (!found_key) {
-        /*
-         * Note the mkvno may provide a hint as to which mkey_aux tuple to
-         * decrypt.
-         */
         if ((retval = krb5_dbe_lookup_mkey_aux(context, &master_entry,
                                                &mkey_aux_data_list)))
             goto clean_n_exit;
 
-        /* mkvno may be 0 in some cases like keyboard and should be ignored */
-        if (mkvno != 0) {
-            /* for performance sake, try decrypting with matching kvno */
-            for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
-                 aux_data_entry = aux_data_entry->next) {
+        for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
+             aux_data_entry = aux_data_entry->next) {
 
-                if (aux_data_entry->mkey_kvno == mkvno) {
-                    if (krb5_dbekd_decrypt_key_data(context, mkey,
-                                                    &aux_data_entry->latest_mkey,
-                                                    &cur_mkey, NULL) == 0) {
-                        found_key = TRUE;
-                        break;
-                    }
-                }
+            if (krb5_dbekd_decrypt_key_data(context, mkey,
+                                             &aux_data_entry->latest_mkey,
+                                             &cur_mkey, NULL) == 0) {
+                found_key = TRUE;
+                break;
             }
         }
-        if (!found_key) {
-            /* given the importance of acquiring the latest mkey, try brute force */
-            for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
-                 aux_data_entry = aux_data_entry->next) {
-
-                if (mkey->enctype == aux_data_entry->latest_mkey.key_data_type[0] &&
-                    (krb5_dbekd_decrypt_key_data(context, mkey,
-                                                 &aux_data_entry->latest_mkey,
-                                                 &cur_mkey, NULL) == 0)) {
-                    found_key = TRUE;
-                    break;
-                }
-            }
-            if (found_key != TRUE) {
-                krb5_set_error_message (context, KRB5_KDB_BADMASTERKEY,
-                                        "Unable to decrypt latest master key with the provided master key\n");
-                retval = KRB5_KDB_BADMASTERKEY;
-                goto clean_n_exit;
-            }
+        if (found_key != TRUE) {
+            krb5_set_error_message (context, KRB5_KDB_BADMASTERKEY,
+                                    "Unable to decrypt latest master key with the provided master key\n");
+            retval = KRB5_KDB_BADMASTERKEY;
+            goto clean_n_exit;
         }
     }
 
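Review bot: The rationale for trying every mkey_aux entry is now only in the commit log; the removed "performance sake" comment should be replaced rather than dropped, so a later maintainer does not reintroduce an mkvno or enctype pre-filter. Above the `for` at the start of the new loop I would add `/* Try each mkey_aux entry in turn; the operation is rare, so no mkvno or enctype pre-filtering (see ticket 6652). */`. If krb5_dbekd_decrypt_key_data can leave cur_mkey partially populated on a failed attempt, the loop would need to release it before the next iteration; that cannot be confirmed from the hunk, so it is worth checking. Whether mkvno is still referenced elsewhere in the function after this change is also outside the hunk. The enclosing function krb5_def_fetch_mkey_list starts and ends outside the hunk.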



