From 38f726d8b4ded89640e54eead08802b6dd089ec5 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Fri, 11 Nov 2011 22:33:37 -0600
Subject: [PATCH] Fix bug in key rollover code in TGS, make check-kdc test what we can

We can't test the key rollover support in the TGS in the x-realm path using just Heimdal because the krb5_get_creds() path will try a referral, which will produce a cross-realm TGT that has the enc_part.kvno set. But we can test this for the plain TGT case.
---
 kdc/krb5tgs.c | 4 +++-
 tests/kdc/check-kdc.in | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 06bd80783..6ec4493bb 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1192,9 +1192,11 @@ tgs_parse_request(krb5_context context,
 ap_req.ticket.realm);
 krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
- krbtgt_kvno_try = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, &krbtgt_kvno, NULL, krbtgt);
+ krbtgt_kvno_try = ap_req.ticket.enc_part.kvno ?
+ *ap_req.ticket.enc_part.kvno :
+ (*krbtgt)->entry.kvno;
 if (ret == HDB_ERR_NOT_FOUND_HERE) {
 /* XXX Factor out this unparsing of the same princ all over */
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index 181907b40..243b5ad1d 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -254,7 +254,6 @@ ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
 echo "Getting service ticket"; > messages.log
 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
-${klist} -v
 ${kdestroy}
 echo "Trying x-realm TGT with kvno 0 case with key rollover";
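Review bot: The new `krbtgt_kvno_try` assignment reads `(*krbtgt)->entry.kvno` directly after `_kdc_db_fetch()` returns and before `ret` is examined on the following `if (ret == HDB_ERR_NOT_FOUND_HERE)` line, so for a ticket with no `enc_part.kvno` the fallback dereferences `*krbtgt` even when the fetch failed; if `_kdc_db_fetch()` leaves `*krbtgt` NULL or unset on error (not visible here, but likely), that is a NULL dereference reachable by any TGS request whose TGT lookup fails. Move the three added lines below the fetch error handling, or make the fallback conditional: `(ret == 0 && *krbtgt != NULL) ? (*krbtgt)->entry.kvno : 0;`. The reordering relative to the removed line is otherwise sound, since the fallback now needs the fetched entry, but a one-line comment such as `/* no kvno in the ticket: try the current kvno of the fetched krbtgt entry first */` would record why the default changed from 0. tgs_parse_request's body continues on both sides of the hunk, so the existing `ret` error path is outside what is shown.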
@@ -264,12 +263,13 @@ ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
 echo "Getting cross realm tickets"; > messages.log
 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
 echo "Rolling over cross realm keys"; > messages.log
+${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
 echo "Getting service ticket"; > messages.log
+echo "Start tracing kdc, then hit return"
 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
-${klist} -v
 ${kdestroy}
 echo "try all permutations"; > messages.log
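Review bot: The added `echo "Start tracing kdc, then hit return"` before the `${kgetcred} ${server2}@${R2}` line prints an interactive prompt but nothing reads input, so in an automated check run it is only noise in the log and reads as a leftover debugging aid; drop the line, or guard it behind an explicit debug variable if it is meant to stay. The other added line, rolling over `krbtgt/${R}@${R}` with `--keepold`, is what exercises the TGS fix for the plain-TGT case that the commit message says can be tested; a comment above it, `# roll the local TGT key too so the TGS must fall back to the entry kvno`, would tie the test step to that intent. The hunk's last context line may not be the end of the script section, so any follow-up assertions after `try all permutations` are outside what is shown.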