diff --git a/lib/hdb/hdb.asn1 b/lib/hdb/hdb.asn1 index 8f97268a0..668235b68 100644 --- a/lib/hdb/hdb.asn1 +++ b/lib/hdb/hdb.asn1 @@ -91,7 +91,7 @@ HDB-Ext-Aliases ::= SEQUENCE { hdb_keyset ::= SEQUENCE { kvno[0] INTEGER (0..4294967295), keys[2] SEQUENCE OF Key, - set-time[1] KerberosTime, -- time this keyset was created/set + set-time[1] KerberosTime OPTIONAL, -- time this keyset was created/set ... } diff --git a/lib/hdb/keys.c b/lib/hdb/keys.c index 0800af8d1..7ca1ad904 100644 --- a/lib/hdb/keys.c +++ b/lib/hdb/keys.c @@ -227,7 +227,7 @@ hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry) HDB_Ext_KeySet *hist_keys; hdb_keyset *tmp_keysets; size_t i; - size_t add = 0; + size_t replace = 0; ext = hdb_find_extension(entry, choice_HDB_extension_data_hist_keys); if (ext != NULL) { @@ -240,7 +240,7 @@ hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry) memmove(&hist_keys->val[1], hist_keys->val, sizeof (*hist_keys->val) * hist_keys->len++); } else { - add = 1; + replace = 1; ext = calloc(1, sizeof (*ext)); if (ext == NULL) return ENOMEM; @@ -265,19 +265,22 @@ hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry) } } hist_keys->val[0].kvno = entry->kvno; - (void) hdb_entry_get_pw_change_time(entry, &hist_keys->val[0].set_time); + hist_keys->val[0].set_time = malloc(sizeof (*hist_keys->val[0].set_time)); + if (hist_keys->val[0].set_time == NULL) { + free_HDB_extension(ext); + return ENOMEM; + } + (void) hdb_entry_get_pw_change_time(entry, hist_keys->val[0].set_time); - if (add) { - /* XXX hdb_replace_extension() deep-copies ext; what a waste */ + if (replace) { + /* hdb_replace_extension() deep-copies ext; what a waste */ ret = hdb_replace_extension(context, entry, ext); if (ret) { free_HDB_extension(ext); return ret; } + free_HDB_extension(ext); } - - /* hdb_replace_extension() copies ext, so we have to free it */ - free_HDB_extension(ext); return 0; } diff --git a/lib/hdb/mkey.c b/lib/hdb/mkey.c index e4c929c9f..dd6255d1a 100644 --- a/lib/hdb/mkey.c +++ b/lib/hdb/mkey.c @@ -495,6 +495,7 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno, int i, k; int exclude_dead = 0; KerberosTime now = 0; + time_t *set_time; if ((flags & HDB_F_LIVE_CLNT_KVNOS) || (flags & HDB_F_LIVE_SVC_KVNOS)) { exclude_dead = 1; @@ -523,6 +524,7 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno, if (exclude_dead && ((ent->max_life != NULL && + hist_keys->val[i].set_time != NULL && hist_keys->val[i].set_time < (now - (*ent->max_life))) || (hist_keys->val[i].kvno < kvno && (kvno - hist_keys->val[i].kvno) > kvno_diff))) @@ -573,6 +575,9 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno, * so there's no danger that we'll dump this entry and load it * again, repeatedly causing the history to grow boundelessly. */ + set_time = malloc(*set_time); + if (set_time == NULL) + return ENOMEM; tmp_keys = realloc(hist_keys->val, sizeof (*hist_keys->val) * (hist_keys->len + 1)); if (tmp_keys == NULL) @@ -583,7 +588,8 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno, tmp_keys[0].keys.len = ent->keys.len; tmp_keys[0].keys.val = ent->keys.val; tmp_keys[0].kvno = ent->kvno; - (void) hdb_entry_get_pw_change_time(ent, &tmp_keys[0].set_time); + tmp_keys[0].set_time = set_time; + (void) hdb_entry_get_pw_change_time(ent, tmp_keys[0].set_time); i++; ent->keys.len = hist_keys->val[i].keys.len; ent->keys.val = hist_keys->val[i].keys.val;