Initial commit for second approach for multiple kvno. NOT TESTED!

2011-03-25 16:00:49 -05:00
parent ed91d4c9e3
commit fca53990e4
12 changed files with 227 additions and 32 deletions
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -105,7 +105,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
    krb5_principal enterprise_principal = NULL;
    krb5_data key, value;
    krb5_error_code ret;
-    int code;

    if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
 	if (principal->name.name_string.len != 1) {
@@ -125,43 +124,72 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
    hdb_principal2key(context, principal, &key);
    if (enterprise_principal)
 	krb5_free_principal(context, enterprise_principal);
-    code = db->hdb__get(context, db, key, &value);
+    ret = db->hdb__get(context, db, key, &value);
    krb5_data_free(&key);
-    if(code)
-	return code;
-    code = hdb_value2entry(context, &value, &entry->entry);
-    if (code == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
+    if(ret)
+	return ret;
+    ret = hdb_value2entry(context, &value, &entry->entry);
+    if (ret == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
 	krb5_data_free(&value);
 	return HDB_ERR_NOENTRY;
-    } else if (code == ASN1_BAD_ID) {
+    } else if (ret == ASN1_BAD_ID) {
 	hdb_entry_alias alias;

-	code = hdb_value2entry_alias(context, &value, &alias);
-	if (code) {
+	ret = hdb_value2entry_alias(context, &value, &alias);
+	if (ret) {
 	    krb5_data_free(&value);
-	    return code;
+	    return ret;
 	}
 	hdb_principal2key(context, alias.principal, &key);
 	krb5_data_free(&value);
 	free_hdb_entry_alias(&alias);

-	code = db->hdb__get(context, db, key, &value);
+	ret = db->hdb__get(context, db, key, &value);
 	krb5_data_free(&key);
-	if (code)
-	    return code;
-	code = hdb_value2entry(context, &value, &entry->entry);
-	if (code) {
+	if (ret)
+	    return ret;
+	ret = hdb_value2entry(context, &value, &entry->entry);
+	if (ret) {
 	    krb5_data_free(&value);
-	    return code;
+	    return ret;
 	}
    }
    krb5_data_free(&value);
    if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
-	code = hdb_unseal_keys (context, db, &entry->entry);
-	if (code)
+	if ((flags & HDB_F_KVNO_SPECIFIED) == 0 &&
+	    (flags & HDB_F_CURRENT_KVNO) == 0) {
+
+	    /*
+	     * Decrypt all the old keys too, since we don't know which
+	     * the caller will need.
+	     */
+	    ret = hdb_unseal_keys_kvno(context, db, 0, &entry->entry);
+	    if (ret) {
+		hdb_free_entry(context, entry);
+		return ret;
+	    }
+	} else if ((flags & HDB_F_KVNO_SPECIFIED) != 0 &&
+	    kvno != entry->entry.kvno &&
+	    kvno < entry->entry.kvno &&
+	    kvno > 0) {
+
+	    /* Decrypt the keys we were asked for, if not the current ones */
+	    ret = hdb_unseal_keys_kvno(context, db, kvno, &entry->entry);
+	    if (ret) {
+		hdb_free_entry(context, entry);
+		return ret;
+	    }
+	}
+
+	/* Always decrypt the current keys too */
+	ret = hdb_unseal_keys(context, db, &entry->entry);
+	if (ret) {
 	    hdb_free_entry(context, entry);
+	    return ret;
+	}
    }
-    return code;
+
+    return ret;
 }

 static krb5_error_code