From 34189a23fe1112275be42aeb2b667c21d1ae0572 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 13 Jul 2011 01:48:32 -0500
Subject: [PATCH] Added a flag to ensure that we don't mod/store hdb entries fetched with specified kvno.
---
 lib/hdb/common.c | 2 ++
 lib/hdb/hdb.asn1 | 3 ++-
 lib/hdb/hdb_err.et | 1 +
 lib/hdb/mkey.c | 1 +
 4 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index 90e600521..089c06a01 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -312,6 +312,8 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
 krb5_data key, value;
 int code;
+ if (entry->entry.flags.do_not_store)
+ return HDB_ERR_MISUSE;
 /* check if new aliases already is used */
 code = hdb_check_aliases(context, db, entry);
 if (code)
diff --git a/lib/hdb/hdb.asn1 b/lib/hdb/hdb.asn1
index a2126ec65..a725fdad9 100644
--- a/lib/hdb/hdb.asn1
+++ b/lib/hdb/hdb.asn1
@@ -46,8 +46,9 @@ HDBFlags ::= BIT STRING {
 trusted-for-delegation(14), -- Trusted to print forwardabled tickets
 allow-kerberos4(15), -- Allow Kerberos 4 requests
 allow-digest(16), -- Allow digest requests
- locked-out(17) -- Account is locked out,
+ locked-out(17), -- Account is locked out,
 -- authentication will be denied
+ do-not-store(31) -- Not to be modified and stored in HDB
 }
 GENERATION ::= SEQUENCE {
diff --git a/lib/hdb/hdb_err.et b/lib/hdb/hdb_err.et
index 2cad4daba..0bdcb385f 100644
--- a/lib/hdb/hdb_err.et
+++ b/lib/hdb/hdb_err.et
@@ -26,5 +26,6 @@ error_code NO_MKEY, "No correct master key"
 error_code MANDATORY_OPTION, "Entry contains unknown mandatory extension"
 error_code NO_WRITE_SUPPORT, "HDB backend doesn't contain write support"
 error_code NOT_FOUND_HERE, "The secret for this entry is not replicated to this database"
+error_code MISUSE, "Incorrect use of the API"
 end
diff --git a/lib/hdb/mkey.c b/lib/hdb/mkey.c
index 103eadb04..e8f55c6aa 100644
--- a/lib/hdb/mkey.c
+++ b/lib/hdb/mkey.c 
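Review bot: The new guard is placed in `_hdb_store`, the generic store helper, so it only protects backends that route writes through this function; any backend that installs its own `hdb_store` implementation without calling `_hdb_store` (the LDAP or SQLite backends, if they do not delegate here) would still accept and persist an entry carrying `do_not_store`, which is exactly the write the flag exists to prevent. The check itself is correct and is sensibly placed before `hdb_check_aliases`. I would document the invariant above the test, e.g. `/* Entries returned by hdb_unseal_keys_kvno() for a non-current kvno carry keys borrowed from the hist-keys extension; they must never be written back. Backends that bypass _hdb_store() need this same check. */`, and either add the same test to each backend's store function or factor it into a single wrapper every backend calls. `_hdb_store` continues outside the hunk.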
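Review bot: `do-not-store(31)` is allocated inside `HDBFlags`, which is the same BIT STRING that is encoded as part of every persisted and propagated hdb entry, so the comment `-- Not to be modified and stored in HDB` understates what this bit means: it is meant as an in-memory marker, yet nothing in the type distinguishes it from the account attributes around it, and any path that serializes the entry (a dump or a replication stream, presumably) will carry the bit to a receiver whose store will then fail with `HDB_ERR_MISUSE`. If `HDBFlags` is also mapped to a 32-bit integer elsewhere in the library, bit 31 is the top bit, and a signed conversion would turn such a value negative; worth confirming. I would replace the comment with something like `-- In-memory marker only, set by hdb_unseal_keys_kvno() for entries whose keys were swapped from the hist-keys extension; the store path rejects entries with this bit and it must never appear in a persisted or transmitted entry` and have the encoder clear it, or the decoder ignore it, so a foreign entry cannot carry it.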
@@ -554,6 +554,7 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
 ent->keys.len = hist_keys->val[i].keys.len;
 ent->keys.val = hist_keys->val[i].keys.val;
 ent->kvno = kvno;
+ ent->flags.do_not_store = 1;
 }
 return (ret);
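Review bot: The flag is set only after the two context lines above have already pointed `ent->keys.val` at `hist_keys->val[i].keys.val`, so from this point the entry shares its key storage with its own hist-keys extension; `do_not_store` guards against writing that aliased entry back but says nothing about releasing it, and if a caller later frees `ent` with the normal entry-free routine the keys would presumably be released twice (once through `keys`, once through the extension); I cannot see the free path from here, so please confirm. Since this is the one place the flag is raised, it is the right place to state the invariant: `/* Keys now alias the hist-keys extension and kvno is no longer the current one: mark the entry so _hdb_store() refuses it, and note that it must not be freed as an ordinary entry. */`. The enclosing function and the loop this block sits in both start outside the hunk.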