aboutsummaryrefslogtreecommitdiff
path: root/crypto/heimdal/lib/hdb/common.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/lib/hdb/common.c')
-rw-r--r--crypto/heimdal/lib/hdb/common.c68
1 files changed, 49 insertions, 19 deletions
diff --git a/crypto/heimdal/lib/hdb/common.c b/crypto/heimdal/lib/hdb/common.c
index 2715adf63dca..80482e7a4c1c 100644
--- a/crypto/heimdal/lib/hdb/common.c
+++ b/crypto/heimdal/lib/hdb/common.c
@@ -105,7 +105,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
krb5_principal enterprise_principal = NULL;
krb5_data key, value;
krb5_error_code ret;
- int code;
if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
if (principal->name.name_string.len != 1) {
@@ -125,43 +124,74 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
hdb_principal2key(context, principal, &key);
if (enterprise_principal)
krb5_free_principal(context, enterprise_principal);
- code = db->hdb__get(context, db, key, &value);
+ ret = db->hdb__get(context, db, key, &value);
krb5_data_free(&key);
- if(code)
- return code;
- code = hdb_value2entry(context, &value, &entry->entry);
- if (code == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
+ if(ret)
+ return ret;
+ ret = hdb_value2entry(context, &value, &entry->entry);
+ if (ret == ASN1_BAD_ID && (flags & HDB_F_CANON) == 0) {
krb5_data_free(&value);
return HDB_ERR_NOENTRY;
- } else if (code == ASN1_BAD_ID) {
+ } else if (ret == ASN1_BAD_ID) {
hdb_entry_alias alias;
- code = hdb_value2entry_alias(context, &value, &alias);
- if (code) {
+ ret = hdb_value2entry_alias(context, &value, &alias);
+ if (ret) {
krb5_data_free(&value);
- return code;
+ return ret;
}
hdb_principal2key(context, alias.principal, &key);
krb5_data_free(&value);
free_hdb_entry_alias(&alias);
- code = db->hdb__get(context, db, key, &value);
+ ret = db->hdb__get(context, db, key, &value);
krb5_data_free(&key);
- if (code)
- return code;
- code = hdb_value2entry(context, &value, &entry->entry);
- if (code) {
+ if (ret)
+ return ret;
+ ret = hdb_value2entry(context, &value, &entry->entry);
+ if (ret) {
krb5_data_free(&value);
- return code;
+ return ret;
}
}
krb5_data_free(&value);
if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
- code = hdb_unseal_keys (context, db, &entry->entry);
- if (code)
+#ifdef notnow
+ if ((flags & HDB_F_KVNO_SPECIFIED) == 0 &&
+ (flags & HDB_F_CURRENT_KVNO) == 0) {
+
+ /*
+ * Decrypt all the old keys too, since we don't know which
+ * the caller will need.
+ */
+ ret = hdb_unseal_keys_kvno(context, db, 0, &entry->entry);
+ if (ret) {
+ hdb_free_entry(context, entry);
+ return ret;
+ }
+ } else if ((flags & HDB_F_KVNO_SPECIFIED) != 0 &&
+ kvno != entry->entry.kvno &&
+ kvno < entry->entry.kvno &&
+ kvno > 0) {
+
+ /* Decrypt the keys we were asked for, if not the current ones */
+ ret = hdb_unseal_keys_kvno(context, db, kvno, &entry->entry);
+ if (ret) {
+ hdb_free_entry(context, entry);
+ return ret;
+ }
+ }
+#endif
+
+ /* Always decrypt the current keys too */
+ ret = hdb_unseal_keys(context, db, &entry->entry);
+ if (ret) {
hdb_free_entry(context, entry);
+ return ret;
+ }
}
- return code;
+
+ return ret;
}
static krb5_error_code
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-06 17:27:57 +0000