svn rev #22397: trunk/src/lib/kdb/

ghudson@MIT.EDU ghudson at MIT.EDU
Mon Jun 1 18:39:32 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22397
Commit By: ghudson
Log Message:
ticket: 6506
subject: Make results of krb5_db_def_fetch_mkey more predictable
tags: pullup
target_version: 1.7

krb5_db_def_fetch_mkey tries the stash file as a keytab, then falls
back to the old stash file format.  If the stash file was in keytab
format, but didn't contain the desired master key, we would try to
read a keytab file as a stash file.  This could succeed or fail
depending on byte order and other unpredictable factors.  The upshot
was that one of the libkadm5 unit tests (init 108) was getting a
different error code on different platforms.

To fix this, only try the stash file format if we get
KRB5_KEYTAB_BADVNO trying the keytab format.  This requires reworking
the error handling logic.



Changed Files:
U   trunk/src/lib/kdb/kdb_default.c
Modified: trunk/src/lib/kdb/kdb_default.c
===================================================================
--- trunk/src/lib/kdb/kdb_default.c	2009-06-01 16:51:24 UTC (rev 22396)
+++ trunk/src/lib/kdb/kdb_default.c	2009-06-01 22:39:31 UTC (rev 22397)
@@ -403,7 +403,7 @@
                        krb5_kvno     *kvno,
                        char          *db_args)
 {
-    krb5_error_code retval_ofs = 0, retval_kt = 0;
+    krb5_error_code retval;
     char keyfile[MAXPATHLEN+1];
     krb5_data *realm = krb5_princ_realm(context, mname);
 
@@ -418,31 +418,22 @@
     /* null terminate no matter what */
     keyfile[sizeof(keyfile) - 1] = '\0';
 
-    /* assume the master key is in a keytab */
-    retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
-    if (retval_kt != 0) {
-        /*
-         * If it's not in a keytab, fall back and try getting the mkey from the
-         * older stash file format.
-         */
-        retval_ofs = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
-    }
+    /* Try the keytab and old stash file formats. */
+    retval = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
+    if (retval == KRB5_KEYTAB_BADVNO)
+        retval = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
 
-    if (retval_kt != 0 && retval_ofs != 0) {
-        /*
-         * Error, not able to get mkey from either file format.  Note, in order
-         * to try to return a more correct error, the logic below is assuming
-         * that if either of the stash reading functions returned
-         * KRB5_KDB_BADSTORED_MKEY then this is probably the real error.
-         */
-        krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
-            "Can not fetch master key either from keytab (error: %s) or old "
-            "format (error %s).", error_message(retval_kt),
-            error_message(retval_ofs));
-        return KRB5_KDB_CANTREAD_STORED;
-    } else {
-        return 0;
-    }
+    /*
+     * Use a generic error code for failure to retrieve the master
+     * key, but set a message indicating the actual error.
+     */
+    if (retval != 0) {
+	krb5_set_error_message(context, KRB5_KDB_CANTREAD_STORED,
+			       "Can not fetch master key (error: %s).",
+			       error_message(retval));
+	return KRB5_KDB_CANTREAD_STORED;
+    } else
+	return 0;
 }
 
 /*
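Review bot: The message built at lines 82-84 no longer says which file format the failing read used, which the old two-error message did convey; after the BADVNO fallback at lines 59-60 the reported error is the stash reader's, while any other keytab error stops the search with no hint that the file was parsed as a keytab (I cannot see the keytab helper's return codes from here, so the exact codes are an assumption). Recording whether the fallback ran and naming the format in the message keeps the generic KRB5_KDB_CANTREAD_STORED return while leaving the operator a usable diagnostic; the `int tried_stash;` declaration belongs beside `retval` in the first hunk. Separately, the added lines 82-87 are indented with a tab while the surrounding function uses four spaces, and the unbraced `else` at lines 86-87 can simply be `return 0;` after the braced `if`. The function's signature begins before this hunk.
```c
    /* Try the keytab and old stash file formats. */
    retval = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
    tried_stash = (retval == KRB5_KEYTAB_BADVNO);
    if (tried_stash)
        retval = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);

    /* … unchanged: comment on the generic error code … */
    if (retval != 0) {
        krb5_set_error_message(context, KRB5_KDB_CANTREAD_STORED,
                               "Can not fetch master key from %s (error: %s).",
                               tried_stash ? "old-format stash file" : "keytab",
                               error_message(retval));
        return KRB5_KDB_CANTREAD_STORED;
    }
    return 0;
```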



