heimdal Add support for extracting a particular KVNO from the database

This should allow master key rollover.

(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>

lib/hdb/hdb-keytab.c

@@ -117,13 +117,18 @@ hkt_open(krb5_context context, HDB * db, int flags, mode_t mode)
 }
 
 static krb5_error_code
-hkt_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
-	  unsigned flags, hdb_entry_ex * entry)
+hkt_fetch_kvno(krb5_context context, HDB * db, krb5_const_principal principal,
+	       unsigned flags, unsigned kvno, hdb_entry_ex * entry)
 {
     hdb_keytab k = (hdb_keytab)db->hdb_db;
     krb5_error_code ret;
     krb5_keytab_entry ktentry;
 
+    if (!(flags & HDB_F_KVNO_SPECIFIED)) {
+	    /* Preserve previous behaviour if no kvno specified */
+	    kvno = 0;
+    }
+
     memset(&ktentry, 0, sizeof(ktentry));
 
     entry->entry.flags.server = 1;
@@ -143,7 +148,7 @@ hkt_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
      * enctypes should work.
      */
 
-    ret = krb5_kt_get_entry(context, k->keytab, principal, 0, 0, &ktentry);
+    ret = krb5_kt_get_entry(context, k->keytab, principal, kvno, 0, &ktentry);
     if (ret) {
 	ret = HDB_ERR_NOENTRY;
 	goto out;
@@ -165,6 +170,13 @@ hkt_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
     return ret;
 }
 
+static krb5_error_code
+hkt_fetch(krb5_context context, HDB * db, krb5_const_principal principal,
+	  unsigned flags, hdb_entry_ex * entry)
+{
+	return hkt_fetch_kvno(context, db, principal, flags & ~HDB_F_KVNO_SPECIFIED, 0, entry);
+}
+
 static krb5_error_code
 hkt_store(krb5_context context, HDB * db, unsigned flags,
 	  hdb_entry_ex * entry)
@@ -210,6 +222,7 @@ hdb_keytab_create(krb5_context context, HDB ** db, const char *arg)
     (*db)->hdb_open = hkt_open;
     (*db)->hdb_close = hkt_close;
     (*db)->hdb_fetch = hkt_fetch;
+    (*db)->hdb_fetch_kvno = hkt_fetch_kvno;
     (*db)->hdb_store = hkt_store;
     (*db)->hdb_remove = NULL;
     (*db)->hdb_firstkey = hkt_firstkey;

lib/hdb/hdb.h

@@ -54,6 +54,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_GET_ANY		28	/* fetch any of client,server,krbtgt */
 #define HDB_F_CANON		32	/* want canonicalition */
 #define HDB_F_ADMIN_DATA	64	/* want data that kdc don't use  */
+#define HDB_F_KVNO_SPECIFIED	128	/* we want a particular KVNO */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
@@ -129,8 +130,18 @@ typedef struct HDB{
      * should be fetch: client, server, krbtgt.
      */
     krb5_error_code (*hdb_fetch)(krb5_context, struct HDB*,
-				 krb5_const_principal, unsigned,
+				 krb5_const_principal, unsigned, 
 				 hdb_entry_ex*);
+    /**
+     * Fetch an entry from the backend
+     *
+     * Fetch an entry from the backend, flags are what type of entry
+     * should be fetch: client, server, krbtgt.
+     * knvo (if specified and flags HDB_F_KVNO_SPECIFIED set) is the kvno to get
+     */
+    krb5_error_code (*hdb_fetch_kvno)(krb5_context, struct HDB*,
+				      krb5_const_principal, unsigned, unsigned,
+				      hdb_entry_ex*);
     /**
      * Store an entry to database
      */

lib/hdb/keytab.c

@@ -210,10 +210,18 @@ hdb_get_entry(krb5_context context,
 	(*db->hdb_destroy)(context, db);
 	goto out2;
     }
-    ret = (*db->hdb_fetch)(context, db, principal,
-			   HDB_F_DECRYPT|
-			   HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
-			   &ent);
+    
+    if (*db->hdb_fetch_kvno) {
+	    ret = (*db->hdb_fetch_kvno)(context, db, principal,
+					HDB_F_DECRYPT|HDB_F_KVNO_SPECIFIED|
+					HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+					kvno, &ent);
+    } else {
+	    ret = (*db->hdb_fetch)(context, db, principal,
+				   HDB_F_DECRYPT|
+				   HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+				   &ent);
+    }
 
     if(ret == HDB_ERR_NOENTRY) {
 	ret = KRB5_KT_NOTFOUND;