From 95e56fa3aea1f1b7c7acd8bced6aba8d30efb2a0 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Tue, 10 Mar 2015 23:35:32 -0500
Subject: [PATCH] hdb: fix hdb_unseal_keys_kvno return when no history
Prior to this change hdb_unseal_keys_kvno() could return successfully (0) if the choice_HDB_extension_data_hist_keys extension was found but the hist_keys list was empty. As a side effect callers would believe that the provide hdb_entry keys were unsealed when they weren't. This could cause the KDC or kadmin to report invalid key size errors. If the extension is present and the history list is empty attempt to unseal the provided hdb_entry using hdb_unseal_keys_mkey().
Change-Id: I9218b02bccdbcf22133a9464a677374db53ade85
---
 lib/hdb/mkey.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/hdb/mkey.c b/lib/hdb/mkey.c
index f107b0bce..6ccb0b0b0 100644
--- a/lib/hdb/mkey.c
+++ b/lib/hdb/mkey.c
@@ -490,6 +490,14 @@ hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent)
 return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key);
 }
+/*
+ * Unseal the keys for the given kvno (or all of them) of entry.
+ *
+ * If kvno == 0 -> unseal all.
+ * if kvno != 0 -> unseal the requested kvno and make sure it's the one listed
+ * as the current keyset for the entry (swapping it with a
+ * historical keyset if need be).
+ */
 krb5_error_code
 hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
 unsigned flags, hdb_entry *ent)
@@ -519,8 +527,8 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
 }
 ext = hdb_find_extension(ent, choice_HDB_extension_data_hist_keys);
- if (ext == NULL)
- return ret;
+ if (ext == NULL || (&ext->data.u.hist_keys)->len == 0)
+ return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key);
 /* For swapping; see below */
 tmp_len = ent->keys.len;
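Review bot: The new early return in the second hunk unseals ent's current keyset and reports success without checking that a nonzero kvno actually matches ent->kvno, even though the comment added in the first hunk promises that for kvno != 0 the requested kvno is "the one listed as the current keyset"; if that check is not done earlier in the body (which lies outside the hunk) a caller asking for a specific kvno can get 0 back together with keys of a different version, which is exactly the kind of silent mismatch the commit sets out to remove. A guard such as `if (kvno != 0 && ent->kvno != kvno) return HDB_ERR_NOENTRY;` before the call, or a comment stating where that guarantee comes from, would make the contract visible at the return site. Whether hdb_unseal_keys_mkey() is safe to call again on an entry that the kvno == 0 path has already unsealed is also not visible here and is worth confirming, since the function body starts in the first hunk and continues past the end of the second. As a point of style, `(&ext->data.u.hist_keys)->len` is a roundabout spelling of `ext->data.u.hist_keys.len`.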