svn rev #23599: trunk/src/lib/kdb/

ghudson@MIT.EDU ghudson at MIT.EDU
Wed Jan 6 18:44:05 EST 2010 

http://src.mit.edu/fisheye/changelog/krb5/?cs=23599
Commit By: ghudson
Log Message:
Make krb5_dbe_def_search_enctype more consistent about when it returns
KRB5_KDB_NO_PERMITTED_KEY.  Now it will return that error if it sees
any non-permitted enctypes which match the search criteria.



Changed Files:
U   trunk/src/lib/kdb/kdb_default.c
Modified: trunk/src/lib/kdb/kdb_default.c
===================================================================
--- trunk/src/lib/kdb/kdb_default.c	2010-01-06 23:25:53 UTC (rev 23598)
+++ trunk/src/lib/kdb/kdb_default.c	2010-01-06 23:44:04 UTC (rev 23599)
@@ -61,6 +61,7 @@
     int                 maxkvno;
     krb5_key_data       *datap;
     krb5_error_code     ret;
+    krb5_boolean        saw_non_permitted = FALSE;
 
     ret = 0;
     if (kvno == -1 && stype == -1 && ktype == -1)
@@ -88,43 +89,38 @@
             db_stype = KRB5_KDB_SALTTYPE_NORMAL;
         }
 
-        /*
-         * Filter out non-permitted enctypes.
-         */
-        if (!krb5_is_permitted_enctype(kcontext,
-                                       dbentp->key_data[i].key_data_type[0])) {
-            if (*start == 0)
-                ret = KRB5_KDB_NO_PERMITTED_KEY;
-            continue;
-        }
-
-
+        /* Match this entry against the arguments. */
         if (ktype != -1) {
             if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
                                               dbentp->key_data[i].key_data_type[0],
                                               &similar)))
 
                 return(ret);
+            if (!similar)
+                continue;
         }
+        if (stype >= 0 && db_stype != stype)
+            continue;
+        if (kvno >= 0 && dbentp->key_data[i].key_data_kvno != kvno)
+            continue;
 
-        if (((ktype == -1) || similar) &&
-            ((db_stype == stype) || (stype < 0))) {
-            if (kvno >= 0) {
-                if (kvno == dbentp->key_data[i].key_data_kvno) {
-                    datap = &dbentp->key_data[i];
-                    idx = i;
-                    maxkvno = kvno;
-                    break;
-                }
-            } else {
-                if (dbentp->key_data[i].key_data_kvno > maxkvno) {
-                    maxkvno = dbentp->key_data[i].key_data_kvno;
-                    datap = &dbentp->key_data[i];
-                    idx = i;
-                }
-            }
+        /* Filter out non-permitted enctypes. */
+        if (!krb5_is_permitted_enctype(kcontext,
+                                       dbentp->key_data[i].key_data_type[0])) {
+            saw_non_permitted = TRUE;
+            continue;
         }
+
+        if (dbentp->key_data[i].key_data_kvno > maxkvno) {
+            maxkvno = dbentp->key_data[i].key_data_kvno;
+            datap = &dbentp->key_data[i];
+            idx = i;
+        }
     }
+    /* If we scanned the whole set of keys and matched only non-permitted
+     * enctypes, indicate that. */
+    if (maxkvno < 0 && *start == 0 && saw_non_permitted)
+        ret = KRB5_KDB_NO_PERMITTED_KEY;
     if (maxkvno < 0)
         return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
     *kdatap = datap;

More information about the cvs-krb5 mailing list