Simplify krb5_dbe_def_search_enctype()

2019-08-27 11:24:25 -04:00 · 2019-08-27 11:24:25 -04:00 · 6ea5e5fa9a
commit 6ea5e5fa9a
parent 2dabf02464
2 changed files with 170 additions and 1 deletions
--- a/Simplify-krb5_dbe_def_search_enctype.patch
+++ b/Simplify-krb5_dbe_def_search_enctype.patch
@ -0,0 +1,165 @@
 From 18bd513161900357110e96b06c53144a212ab00c Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 22 Aug 2019 16:19:12 -0400
 Subject: [PATCH] Simplify krb5_dbe_def_search_enctype()
 Key data is now sorted in descending kvno order (since commit
 44ad57d8d38efc944f64536354435f5b721c0ee0) and key enctypes can be
 compared with a simple equality test (since single-DES support was
 removed in commit fb2dada5eb89c4cd4e39dedd6dbb7dbd5e94f8b8).  Use
 these assumptions to simplify krb5_dbe_def_search_enctype().
 The rewrite contains one probably-unnoticeable bugfix: if enctype,
 salttype, and kvno are all given as -1 in a repeated search, yield all
 key entries of permitted enctype, not just entries of the maximum
 kvno.
 (cherry picked from commit fcfb0e47c995a7e9f956c3716be3175f44ad26e0)
 ---
 src/lib/kdb/kdb_default.c | 117 +++++++++++++++-----------------------
 1 file changed, 45 insertions(+), 72 deletions(-)
 diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
 index a1021f13a..231a0d8b4 100644
 --- a/src/lib/kdb/kdb_default.c
 +++ b/src/lib/kdb/kdb_default.c
@@ -37,94 +37,67 @@
 /*
 - * Given a particular enctype and optional salttype and kvno, find the
 - * most appropriate krb5_key_data entry of the database entry.
 - *
 - * If stype or kvno is negative, it is ignored.
 - * If kvno is 0 get the key which is maxkvno for the princ and matches
 - * the other attributes.
 + * Set *kd_out to the key data entry matching kvno, enctype, and salttype.  If
 + * any of those three parameters are -1, ignore them.  If kvno is 0, match only
 + * the highest kvno.  Begin searching at the index *start and set *start to the
 + * index after the match.  Do not return keys of non-permitted enctypes; return
 + * KRB5_KDB_NO_PERMITTED_KEY if the whole list was searched and only
 + * non-permitted matches were found.
  */
 krb5_error_code
 -krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
 -    krb5_context        kcontext;
 -    krb5_db_entry       *dbentp;
 -    krb5_int32          *start;
 -    krb5_int32          ktype;
 -    krb5_int32          stype;
 -    krb5_int32          kvno;
 -    krb5_key_data       **kdatap;
 +krb5_dbe_def_search_enctype(krb5_context context, krb5_db_entry *ent,
 +                            krb5_int32 *start, krb5_int32 enctype,
 +                            krb5_int32 salttype, krb5_int32 kvno,
 +                            krb5_key_data **kd_out)
 {
 -    int                 i, idx;
 -    int                 maxkvno;
 -    krb5_key_data       *datap;
 -    krb5_error_code     ret;
 -    krb5_boolean        saw_non_permitted = FALSE;
 -
 -    ret = 0;
 -    if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
 -        return KRB5_KDB_NO_PERMITTED_KEY;
 -
 -    if (kvno == -1 && stype == -1 && ktype == -1)
 -        kvno = 0;
 +    krb5_key_data *kd;
 +    krb5_int32 db_salttype;
 +    krb5_boolean saw_non_permitted = FALSE;
 +    int i;
 -    if (kvno == 0) {
 -        /* Get the max key version */
 -        for (i = 0; i < dbentp->n_key_data; i++) {
 -            if (kvno < dbentp->key_data[i].key_data_kvno) {
 -                kvno = dbentp->key_data[i].key_data_kvno;
 -            }
 -        }
 -    }
 +    *kd_out = NULL;
 -    maxkvno = -1;
 -    idx = -1;
 -    datap = (krb5_key_data *) NULL;
 -    for (i = *start; i < dbentp->n_key_data; i++) {
 -        krb5_boolean    similar;
 -        krb5_int32      db_stype;
 -
 -        ret = 0;
 -        if (dbentp->key_data[i].key_data_ver > 1) {
 -            db_stype = dbentp->key_data[i].key_data_type[1];
 -        } else {
 -            db_stype = KRB5_KDB_SALTTYPE_NORMAL;
 -        }
 -
 -        /* Match this entry against the arguments. */
 -        if (ktype != -1) {
 -            ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
 -                                         dbentp->key_data[i].key_data_type[0],
 -                                         &similar);
 -            if (ret != 0 || !similar)
 -                continue;
 -        }
 -        if (stype >= 0 && db_stype != stype)
 +    if (enctype != -1 && !krb5_is_permitted_enctype(context, enctype))
 +        return KRB5_KDB_NO_PERMITTED_KEY;
 +    if (ent->n_key_data == 0)
 +        return KRB5_KDB_NO_MATCHING_KEY;
 +
 +    /* Match the highest kvno if kvno is 0.  Key data is sorted in descending
 +     * order of kvno. */
 +    if (kvno == 0)
 +        kvno = ent->key_data[0].key_data_kvno;
 +
 +    for (i = *start; i < ent->n_key_data; i++) {
 +        kd = &ent->key_data[i];
 +        db_salttype = (kd->key_data_ver > 1) ? kd->key_data_type[1] :
 +            KRB5_KDB_SALTTYPE_NORMAL;
 +
 +        /* Match this entry against the arguments.  Stop searching if we have
 +         * passed the entries for the requested kvno. */
 +        if (enctype != -1 && kd->key_data_type[0] != enctype)
 +            continue;
 +        if (salttype >= 0 && db_salttype != salttype)
             continue;
 -        if (kvno >= 0 && dbentp->key_data[i].key_data_kvno != kvno)
 +        if (kvno >= 0 && kd->key_data_kvno < kvno)
 +            break;
 +        if (kvno >= 0 && kd->key_data_kvno != kvno)
             continue;
         /* Filter out non-permitted enctypes. */
 -        if (!krb5_is_permitted_enctype(kcontext,
 -                                       dbentp->key_data[i].key_data_type[0])) {
 +        if (!krb5_is_permitted_enctype(context, kd->key_data_type[0])) {
             saw_non_permitted = TRUE;
             continue;
         }
 -        if (dbentp->key_data[i].key_data_kvno > maxkvno) {
 -            maxkvno = dbentp->key_data[i].key_data_kvno;
 -            datap = &dbentp->key_data[i];
 -            idx = i;
 -        }
 +        *start = i + 1;
 +        *kd_out = kd;
 +        return 0;
     }
 +
     /* If we scanned the whole set of keys and matched only non-permitted
      * enctypes, indicate that. */
 -    if (maxkvno < 0 && *start == 0 && saw_non_permitted)
 -        ret = KRB5_KDB_NO_PERMITTED_KEY;
 -    if (maxkvno < 0)
 -        return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
 -    *kdatap = datap;
 -    *start = idx+1;
 -    return 0;
 +    return (*start == 0 && saw_non_permitted) ? KRB5_KDB_NO_PERMITTED_KEY :
 +        KRB5_KDB_NO_MATCHING_KEY;
 }
 /*
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.17
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 42%{?dist}
+Release: 43%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -120,6 +120,7 @@ Patch158: Fix-memory-leaks-in-soft-pkcs11-code.patch
 Patch159: Initialize-life-rlife-in-kdcpolicy-interface.patch
 Patch160: Fix-KCM-client-time-offset-propagation.patch
 Patch161: krb5-1.17post5-FIPS-with-PRNG-and-RADIUS-without-SPA.patch
 Patch162: Simplify-krb5_dbe_def_search_enctype.patch
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -726,6 +727,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
 * Tue Aug 27 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-43
 - Simplify krb5_dbe_def_search_enctype()
 * Thu Aug 22 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-42
 - Update FIPS patches to remove SPAKE