author | Greg Hudson <ghudson@mit.edu> | 2009-06-01 22:39:31 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-06-01 22:39:31 +0000 |
commit | 9d4a7b700805858bc1a091cd6561ee9f5aef20af (patch) | |
tree | 79b58bb79d763be33f6d4486518c47ce5b17a13c /src/lib | |
parent | 023b437e080172568dd7cee175a95b450b89c90b (diff) | |
Make results of krb5_db_def_fetch_mkey more predictable
krb5_db_def_fetch_mkey tries the stash file as a keytab, then falls
back to the old stash file format. If the stash file was in keytab
format, but didn't contain the desired master key, we would try to
read a keytab file as a stash file. This could succeed or fail
depending on byte order and other unpredictable factors. The upshot
was that one of the libkadm5 unit tests (init 108) was getting a
different error code on different platforms.
To fix this, only try the stash file format if we get
KRB5_KEYTAB_BADVNO trying the keytab format. This requires reworking
the error handling logic.
ticket: 6506
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22397 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/kdb/kdb_default.c | 41 |
1 files changed, 16 insertions, 25 deletions
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 9985a4ebf..69cc52b8e 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -403,7 +403,7 @@ krb5_db_def_fetch_mkey(krb5_context context,
 krb5_kvno *kvno,
 char *db_args)
 {
- krb5_error_code retval_ofs = 0, retval_kt = 0;
+ krb5_error_code retval;
 char keyfile[MAXPATHLEN+1];
 krb5_data *realm = krb5_princ_realm(context, mname);
 
@@ -418,31 +418,22 @@ krb5_db_def_fetch_mkey(krb5_context context,
 /* null terminate no matter what */
 keyfile[sizeof(keyfile) - 1] = '\0';
 
- /* assume the master key is in a keytab */
- retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
- if (retval_kt != 0) {
- /*
- * If it's not in a keytab, fall back and try getting the mkey from the
- * older stash file format.
- */
- retval_ofs = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
- }
+ /* Try the keytab and old stash file formats. */
+ retval = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
+ if (retval == KRB5_KEYTAB_BADVNO)
+ retval = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
 
- if (retval_kt != 0 && retval_ofs != 0) {
- /*
- * Error, not able to get mkey from either file format. Note, in order
- * to try to return a more correct error, the logic below is assuming
- * that if either of the stash reading functions returned
- * KRB5_KDB_BADSTORED_MKEY then this is probably the real error.
- */
- krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
- "Can not fetch master key either from keytab (error: %s) or old "
- "format (error %s).", error_message(retval_kt),
- error_message(retval_ofs));
- return KRB5_KDB_CANTREAD_STORED;
- } else {
- return 0;
- }
+ /*
+ * Use a generic error code for failure to retrieve the master
+ * key, but set a message indicating the actual error.
+ */
+ if (retval != 0) {
+ krb5_set_error_message(context, KRB5_KDB_CANTREAD_STORED,
+ "Can not fetch master key (error: %s).",
+ error_message(retval));
+ return KRB5_KDB_CANTREAD_STORED;
+ } else
+ return 0;
 }
 
 /* |
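Review bot: The comment above the fallback, `/* Try the keytab and old stash file formats. */`, does not record why the stash parser runs only on `KRB5_KEYTAB_BADVNO`, so a later edit could widen the condition back to any keytab error and again feed a keytab-format file to the stash reader. Going by the commit description, that code is the signal that the file is not a keytab at all; I would say so in place, e.g. `/* Fall back to the old stash format only if the file is not a keytab (KRB5_KEYTAB_BADVNO); a keytab that lacks the key must not be re-read as a stash file. */`. It may also be worth a sentence noting that callers only ever see `KRB5_KDB_CANTREAD_STORED`, with the underlying code available solely in the message text. The function's opening lies in the previous hunk.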