Initial patch for dealing with AD x-realm key rollover

AD issues x-realm TGTs with kvno 0. On key x-realm trust key change we need to be able to try current and previous keys for trust, else we will have some failures.
2011-11-11 02:06:48 -06:00
parent b26fc106de
commit c9609cdb37
9 changed files with 105 additions and 47 deletions
--- a/lib/hdb/hdb.c
+++ b/lib/hdb/hdb.c
@@ -92,19 +92,42 @@ static struct hdb_method dbmetod =
    { HDB_INTERFACE_VERSION, "", hdb_ndbm_create };
 #endif

+const Keys *
+hdb_kvno2keys(krb5_context context,
+	      const hdb_entry *e,
+	      krb5_kvno kvno)
+{
+    HDB_Ext_KeySet *hist_keys;
+    HDB_extension *extp;
+    size_t i;
+
+    if (kvno == 0)
+	return &e->keys;
+
+    extp = hdb_find_extension(e, choice_HDB_extension_data_hist_keys);
+    if (extp == NULL)
+	return 0;
+
+    hist_keys = &extp->data.u.hist_keys;
+    for (i = 0; i < hist_keys->len; i++) {
+	if (hist_keys->val[i].kvno == kvno)
+	    return &hist_keys->val[i].keys;
+    }
+
+    return NULL;
+}

 krb5_error_code
 hdb_next_enctype2key(krb5_context context,
 		     const hdb_entry *e,
+		     const Keys *keyset,
 		     krb5_enctype enctype,
 		     Key **key)
 {
+    const Keys *keys = keyset ? keyset : &e->keys;
    Key *k;

-    for (k = *key ? (*key) + 1 : e->keys.val;
-	 k < e->keys.val + e->keys.len;
-	 k++)
-    {
+    for (k = *key ? (*key) + 1 : keys->val; k < keys->val + keys->len; k++) {
 	if(k->key.keytype == enctype){
 	    *key = k;
 	    return 0;
@@ -119,11 +142,12 @@ hdb_next_enctype2key(krb5_context context,
 krb5_error_code
 hdb_enctype2key(krb5_context context,
 		hdb_entry *e,
+		const Keys *keyset,
 		krb5_enctype enctype,
 		Key **key)
 {
    *key = NULL;
-    return hdb_next_enctype2key(context, e, enctype, key);
+    return hdb_next_enctype2key(context, e, keyset, enctype, key);
 }

 void
--- a/lib/hdb/libhdb-exports.def
+++ b/lib/hdb/libhdb-exports.def
@@ -45,6 +45,7 @@ EXPORTS
 	hdb_init_db
        hdb_interface_version   DATA
 	hdb_key2principal
+	hdb_kvno2keys
 	hdb_list_builtin
 	hdb_lock
 	hdb_next_enctype2key
--- a/lib/hdb/version-script.map
+++ b/lib/hdb/version-script.map
@@ -47,6 +47,7 @@ HEIMDAL_HDB_1.0 {
 		hdb_get_dbinfo;
 		hdb_init_db;
 		hdb_key2principal;
+		hdb_kvno2keys;
 		hdb_list_builtin;
 		hdb_lock;
 		hdb_next_enctype2key;