path: root/krb5-trunk-kpasswd_tcp2.patch
Use a list of disconnected and connected sockets to talk to kpasswd
servers, so we automatically try TCP if we fail to change the password
over UDP, or if the UDP-based server is just slow.

This patch looks big, but most of it's actually whitespace because
most of the logic is no longer called as part of a loop with UDP and
TCP being used in different iterations.  RT #5868.

Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c	(revision 20199)
+++ src/lib/krb5/os/changepw.c	(working copy)
@@ -199,14 +199,14 @@
     krb5_address 		remote_kaddr;
     krb5_boolean		useTcp = 0;
     GETSOCKNAME_ARG3_TYPE 	addrlen;
-    krb5_error_code 		code = 0;
+    krb5_error_code 		code = 0, code2 = 0;
     char 			*code_string;
-    int				local_result_code;
+    int				local_result_code, i;
     
     struct sendto_callback_context  callback_ctx;
     struct sendto_callback_info	callback_info;
     struct sockaddr_storage	remote_addr;
-    struct addrlist 		al = ADDRLIST_INIT;
+    struct addrlist 		al = ADDRLIST_INIT, al2 = ADDRLIST_INIT;
 
     memset( &callback_ctx, 0, sizeof(struct sendto_callback_context));
     callback_ctx.context = context;
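Review bot: The new locals `code2` and `al2` are declared without a comment saying what they hold, and their names do not distinguish them from `code` and `al`. From the later hunk they appear to carry the result and the address list of a second `krb5_locate_kpasswd()` lookup made with `!useTcp`, so a comment such as `/* al2, code2: lookup for the other transport (!useTcp); al2 is merged into al */` above the declarations would make that clear. In the lines shown, nothing assigns `useTcp` after its initialisation to 0 any more, so it now acts as a fixed transport preference and could be commented as such or replaced by a named constant. The enclosing function starts and ends outside this hunk.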
@@ -225,109 +225,104 @@
 				     &callback_ctx.ap_req)))
 	goto cleanup;
 
-    do {
-	if ((code = krb5_locate_kpasswd(callback_ctx.context,
-					krb5_princ_realm(callback_ctx.context,
-							 creds->server),
-					&al, useTcp)))
-	    break;
-
+    code = krb5_locate_kpasswd(callback_ctx.context,
+			       krb5_princ_realm(callback_ctx.context,
+						creds->server),
+			       &al, useTcp);
+    code2 = krb5_locate_kpasswd(callback_ctx.context,
+				krb5_princ_realm(callback_ctx.context,
+						 creds->server),
+				&al2, !useTcp);
+    if ((al.naddrs + al2.naddrs) == 0) {
+	if (!code)
+	    code = code2 ? code2 : KRB5_REALM_CANT_RESOLVE;
+	goto cleanup;
+    }
+
+    if (al2.naddrs > 0) {
+	if (krb5int_grow_addrlist(&al, al2.naddrs))
+	    goto cleanup;
+	for (i = 0; i < al2.naddrs; i++)
+	    al.addrs[al.naddrs++] = al2.addrs[i];
+	al2.naddrs = 0;
+    }
+
-	addrlen = sizeof(remote_addr);
-
-	callback_info.context = (void*) &callback_ctx;
-	callback_info.pfn_callback = kpasswd_sendto_msg_callback;
-	callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
-
-	if ((code = krb5int_sendto(callback_ctx.context, 
-				   NULL, 
-				   &al, 
-				   &callback_info,
-				   &chpw_rep,
-				   NULL,
-				   NULL,
-				   ss2sa(&remote_addr),
-                                   &addrlen,
-				   NULL,
-				   NULL,
-				   NULL
-		 ))) {
-
-	    /*
-	     * Here we may want to switch to TCP on some errors.
-	     * right?
-	     */
-	    break;
-	}
-
+    addrlen = sizeof(remote_addr);
+
+    callback_info.context = (void*) &callback_ctx;
+    callback_info.pfn_callback = kpasswd_sendto_msg_callback;
+    callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
+
+    if ((code = krb5int_sendto(callback_ctx.context, 
+			       NULL, 
+			       &al, 
+			       &callback_info,
+			       &chpw_rep,
+			       NULL,
+			       NULL,
+			       ss2sa(&remote_addr),
+			       &addrlen,
+			       NULL,
+			       NULL,
+			       NULL
+		 )))
+	goto cleanup;
+
-	remote_kaddr.addrtype = ADDRTYPE_INET;
-	remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
-	remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
-
-	if ((code = krb5_auth_con_setaddrs(callback_ctx.context,  
-					   callback_ctx.auth_context,  
-					   NULL, 
-					   &remote_kaddr)))
-	    break;
-
+    remote_kaddr.addrtype = ADDRTYPE_INET;
+    remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+    remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+
+    if ((code = krb5_auth_con_setaddrs(callback_ctx.context,  
+				       callback_ctx.auth_context,
+				       NULL,
+				       &remote_kaddr)))
+	goto cleanup;
+
-	if (set_password_for)
-	    code = krb5int_rd_setpw_rep(callback_ctx.context, 
-					callback_ctx.auth_context, 
-					&chpw_rep, 
-					&local_result_code, 
-					result_string);
-	else
-	    code = krb5int_rd_chpw_rep(callback_ctx.context, 
-				       callback_ctx.auth_context, 
-				       &chpw_rep, 
-				       &local_result_code, 
-				       result_string);
-
-	if (code) {
-	    if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !useTcp ) {
-		krb5int_free_addrlist (&al);
-		useTcp = 1;
-		continue;
-	    }
-
-	    break;
-	}
-
-	if (result_code)
-	    *result_code = local_result_code;
-	
+    if (set_password_for)
+	code = krb5int_rd_setpw_rep(callback_ctx.context, 
+				    callback_ctx.auth_context, 
+				    &chpw_rep, 
+				    &local_result_code, 
+				    result_string);
+    else
+	code = krb5int_rd_chpw_rep(callback_ctx.context, 
+				   callback_ctx.auth_context, 
+				   &chpw_rep, 
+				   &local_result_code, 
+				   result_string);
+
+    if (code)
+	goto cleanup;
+
+    if (result_code)
+	*result_code = local_result_code;
+	
-	if (result_code_string) {
-	    if (set_password_for)
-		code = krb5int_setpw_result_code_string(callback_ctx.context, 
-							local_result_code, 
-							(const char **)&code_string);
-	    else
-		code = krb5_chpw_result_code_string(callback_ctx.context, 
-						    local_result_code, 
-						    &code_string);
-	    if(code)
-		goto cleanup;
-
-	    result_code_string->length = strlen(code_string);
-	    result_code_string->data = malloc(result_code_string->length);
-	    if (result_code_string->data == NULL) {
-		code = ENOMEM;
-		goto cleanup;
-	    }
-	    strncpy(result_code_string->data, code_string, result_code_string->length);
-	}
-
-	if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !useTcp ) {
-	    krb5int_free_addrlist (&al);
-	    useTcp = 1;
-        } else {
-	    break;
-	} 
-    } while (TRUE);
+    if (result_code_string) {
+	if (set_password_for)
+	    code = krb5int_setpw_result_code_string(callback_ctx.context, 
+						    local_result_code, 
+						    (const char **) &code_string);
+	else
+	    code = krb5_chpw_result_code_string(callback_ctx.context, 
+						local_result_code, 
+						&code_string);
+	if (code)
+	    goto cleanup;
+
+	result_code_string->length = strlen(code_string);
+	result_code_string->data = malloc(result_code_string->length);
+	if (result_code_string->data == NULL) {
+	    code = ENOMEM;
+	    goto cleanup;
+	}
+	strncpy(result_code_string->data, code_string, result_code_string->length);
+    }
 
 cleanup:
     if (callback_ctx.auth_context != NULL)
 	krb5_auth_con_free(callback_ctx.context, callback_ctx.auth_context);
 
+    krb5int_free_addrlist (&al2);
     krb5int_free_addrlist (&al);
     krb5_free_data_contents(callback_ctx.context, &callback_ctx.ap_req);