Reject if any key in old keys are in the new keyset, the list of enctypes might have changed. Pointed out by David Markey

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24024 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-11-12 04:17:47 +00:00
parent 960f3f45ec
commit bbd689d3b3
2 changed files with 29 additions and 27 deletions
--- a/lib/kadm5/chpass_s.c
+++ b/lib/kadm5/chpass_s.c
@@ -46,7 +46,7 @@ change(void *server_handle,
    kadm5_ret_t ret;
    Key *keys;
    size_t num_keys;
-    int cmp = 1;
+    int existsp = 0;

    memset(&ent, 0, sizeof(ent));
    ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
@@ -70,11 +70,11 @@ change(void *server_handle,
    }
    ent.entry.kvno++;
    if (cond)
-	cmp = _kadm5_cmp_keys (ent.entry.keys.val, ent.entry.keys.len,
-			       keys, num_keys);
+	existsp = _kadm5_exists_keys (ent.entry.keys.val, ent.entry.keys.len,
+				      keys, num_keys);
    _kadm5_free_keys (context->context, num_keys, keys);

-    if (cmp == 0) {
+    if (existsp) {
 	ret = KADM5_PASS_REUSE;
 	krb5_set_error_message(context->context, ret, "Password reuse forbidden");
 	goto out2;
--- a/lib/kadm5/keys.c
+++ b/lib/kadm5/keys.c
@@ -64,37 +64,39 @@ _kadm5_init_keys (Key *keys, int len)
 }

 /*
- * return 0 iff `keys1, len1' and `keys2, len2' are identical
+ * return 1 if any key in `keys1, len1' exists in `keys2, len2'
 */

 int
-_kadm5_cmp_keys(Key *keys1, int len1, Key *keys2, int len2)
+_kadm5_exists_keys(Key *keys1, int len1, Key *keys2, int len2)
 {
-    int i;
-
-    if (len1 != len2)
-	return 1;
+    unsigned int i, j;

    for (i = 0; i < len1; ++i) {
-	if ((keys1[i].salt != NULL && keys2[i].salt == NULL)
-	    || (keys1[i].salt == NULL && keys2[i].salt != NULL))
+	for (j = 0; j < len2; j++) {
+	    if ((keys1[i].salt != NULL && keys2[j].salt == NULL)
+		|| (keys1[i].salt == NULL && keys2[j].salt != NULL))
+		continue;
+
+	    if (keys1[i].salt != NULL) {
+		if (keys1[i].salt->type != keys2[j].salt->type)
+		    continue;
+		if (keys1[i].salt->salt.length != keys2[j].salt->salt.length)
+		    continue;
+		if (memcmp (keys1[i].salt->salt.data, keys2[j].salt->salt.data,
+			    keys1[i].salt->salt.length) != 0)
+		    continue;
+	    }
+	    if (keys1[i].key.keytype != keys2[j].key.keytype)
+		continue;
+	    if (keys1[i].key.keyvalue.length != keys2[j].key.keyvalue.length)
+		continue;
+	    if (memcmp (keys1[i].key.keyvalue.data, keys2[j].key.keyvalue.data,
+			keys1[i].key.keyvalue.length) != 0)
+		continue;
+
 	    return 1;
-	if (keys1[i].salt != NULL) {
-	    if (keys1[i].salt->type != keys2[i].salt->type)
-		return 1;
-	    if (keys1[i].salt->salt.length != keys2[i].salt->salt.length)
-		return 1;
-	    if (memcmp (keys1[i].salt->salt.data, keys2[i].salt->salt.data,
-			keys1[i].salt->salt.length) != 0)
-		return 1;
 	}
-	if (keys1[i].key.keytype != keys2[i].key.keytype)
-	    return 1;
-	if (keys1[i].key.keyvalue.length != keys2[i].key.keyvalue.length)
-	    return 1;
-	if (memcmp (keys1[i].key.keyvalue.data, keys2[i].key.keyvalue.data,
-		    keys1[i].key.keyvalue.length) != 0)
-	    return 1;
    }
    return 0;
 }