hdb: Do not apply new service key delay to clients

The new [hdb] new_service_key_delay parameter should not apply to principal entries when used as clients. Otherwise new passwords would not take effect immediately, and that would be very confusing.
2020-09-09 21:48:29 -05:00
parent 18459de867
commit ff13573ce5
6 changed files with 15 additions and 10 deletions
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -429,7 +429,8 @@ _kdc_fast_unwrap_request(astgs_request_t r)
    }

    ret = _kdc_db_fetch(r->context, r->config, armor_server,
-			HDB_F_GET_SERVER, NULL, NULL, &armor_user);
+			HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS,
+			NULL, NULL, &armor_user);
    if(ret == HDB_ERR_NOT_FOUND_HERE) {
 	kdc_log(r->context, r->config, 5,
 		"armor key does not have secrets at this KDC, "
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1945,7 +1945,8 @@ _kdc_as_rep(astgs_request_t r)
 	goto out;
    }
    ret = _kdc_db_fetch(context, config, r->server_princ,
-			HDB_F_GET_SERVER | flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
+			HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS |
+			flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
 			NULL, NULL, &r->server);
    switch (ret) {
    case 0:	/* Success */
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1702,7 +1702,8 @@ tgs_build_reply(astgs_request_t priv,
     */

 server_lookup:
-    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
+    ret = _kdc_db_fetch(context, config, sp,
+                        HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
 			NULL, NULL, &server);
    priv->server = server;
    if (ret == HDB_ERR_NOT_FOUND_HERE) {
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -1161,10 +1161,11 @@ fix_keys(krb5_context context,
    size_t i;

    /*
-     * If we want a specific kvno, or if we're not decrypting the keys, or if
-     * there's no new-key delay, then we're out.
+     * If we want a specific kvno, or if the caller doesn't want new keys
+     * delayed, or if there's no new-key delay configured, or we're not
+     * fetching for use as a service principal, then we're out.
     */
-    if (!(flags & HDB_F_DECRYPT) || kvno || h->entry.flags.virtual ||
+    if (!(flags & HDB_F_DELAY_NEW_KEYS) || kvno || h->entry.flags.virtual ||
        h->entry.flags.virtual_keys || db->new_service_key_delay <= 0)
        return 0;

--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -66,6 +66,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
 #define HDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
 #define HDB_F_PRECHECK		16384	/* check that the operation would succeed */
+#define HDB_F_DELAY_NEW_KEYS	32768	/* apply [hdb] new_service_key_delay */

 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
--- a/lib/kadm5/get_s.c
+++ b/lib/kadm5/get_s.c
@@ -123,7 +123,8 @@ kadm5_s_get_principal(void *server_handle,
    kadm5_server_context *context = server_handle;
    kadm5_ret_t ret;
    hdb_entry_ex ent;
-    unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA;
+    unsigned int flags = HDB_F_GET_ANY | HDB_F_ADMIN_DATA |
+        HDB_F_DELAY_NEW_KEYS;

    if ((mask & KADM5_KEY_DATA) || (mask & KADM5_KVNO))
        flags |= HDB_F_ALL_KVNOS | HDB_F_DECRYPT;
@@ -148,9 +149,8 @@ kadm5_s_get_principal(void *server_handle,
     * For now we won't attempt to recover the log.
     */

-    ret = hdb_fetch_kvno(context->context, context->db, princ,
-                         HDB_F_DECRYPT|HDB_F_ALL_KVNOS|
-                         HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, 0, 0, &ent);
+    ret = hdb_fetch_kvno(context->context, context->db, princ, flags,
+                         0 /*timestamp*/, 0/*etype*/, 0/*kvno*/, &ent);

    if (!context->keep_open)
 	context->db->hdb_close(context->context, context->db);