krb5 commit: Simplify KDC status assignment
Greg Hudson
ghudson at mit.edu
Mon Jul 24 10:52:34 EDT 2017
https://github.com/krb5/krb5/commit/d265f16b71058b0cb0546a3993c941975a48b70f
commit d265f16b71058b0cb0546a3993c941975a48b70f
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Jul 17 13:11:54 2017 -0400
Simplify KDC status assignment
Omit assigning status values for very unlikely error cases. Remove
the "UNKNOWN_REASON" fallback for validate_as_request() and
validate_tgs_request() as that fallback is now applied globally.
src/kdc/do_as_req.c | 51 +++++++++++-------------------------------------
src/kdc/do_tgs_req.c | 52 +++++++++++--------------------------------------
2 files changed, 24 insertions(+), 79 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 9b256c8..5d49e80 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -240,10 +240,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
state->reply.ticket = &state->ticket_reply;
state->reply_encpart.session = &state->session_key;
if ((errcode = fetch_last_req_info(state->client,
- &state->reply_encpart.last_req))) {
- state->status = "FETCH_LAST_REQ";
+ &state->reply_encpart.last_req)))
goto egress;
- }
state->reply_encpart.nonce = state->request->nonce;
state->reply_encpart.key_exp = get_key_exp(state->client);
state->reply_encpart.flags = state->enc_tkt_reply.flags;
@@ -301,27 +299,21 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock,
&state->ticket_reply);
- if (errcode) {
- state->status = "ENCRYPT_TICKET";
+ if (errcode)
goto egress;
- }
errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply,
&au_state->tkt_out_id);
- if (errcode) {
- state->status = "GENERATE_TICKET_ID";
+ if (errcode)
goto egress;
- }
state->ticket_reply.enc_part.kvno = server_key->key_data_kvno;
errcode = kdc_fast_response_handle_padata(state->rstate,
state->request,
&state->reply,
state->client_keyblock.enctype);
- if (errcode) {
- state->status = "MAKE_FAST_RESPONSE";
+ if (errcode)
goto egress;
- }
/* now encode/encrypt the response */
@@ -329,10 +321,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
errcode = kdc_fast_handle_reply_key(state->rstate, &state->client_keyblock,
&as_encrypting_key);
- if (errcode) {
- state->status = "MAKE_FAST_REPLY_KEY";
+ if (errcode)
goto egress;
- }
errcode = return_enc_padata(kdc_context, state->req_pkt, state->request,
as_encrypting_key, state->server,
&state->reply_encpart, FALSE);
@@ -349,10 +339,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
&state->reply, &response);
if (state->client_key != NULL)
state->reply.enc_part.kvno = state->client_key->key_data_kvno;
- if (errcode) {
- state->status = "ENCODE_KDC_REP";
+ if (errcode)
goto egress;
- }
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
@@ -547,7 +535,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
if (fetch_asn1_field((unsigned char *) req_pkt->data,
1, 4, &encoded_req_body) != 0) {
errcode = ASN1_BAD_ID;
- state->status = "FETCH_REQ_BODY";
goto errout;
}
errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL,
@@ -560,10 +547,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
/* Not a FAST request; copy the encoded request body. */
errcode = krb5_copy_data(kdc_context, &encoded_req_body,
&state->inner_body);
- if (errcode) {
- state->status = "COPY_REQ_BODY";
+ if (errcode)
goto errout;
- }
}
au_state->request = state->request;
state->rock.request = state->request;
@@ -578,10 +563,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
if ((errcode = krb5_unparse_name(kdc_context,
state->request->client,
- &state->cname))) {
- state->status = "UNPARSE_CLIENT";
+ &state->cname)))
goto errout;
- }
limit_string(state->cname);
if (!state->request->server) {
@@ -591,10 +574,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
if ((errcode = krb5_unparse_name(kdc_context,
state->request->server,
- &state->sname))) {
- state->status = "UNPARSE_SERVER";
+ &state->sname)))
goto errout;
- }
limit_string(state->sname);
/*
@@ -674,18 +655,14 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
au_state->stage = VALIDATE_POL;
- if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) {
- state->status = "TIMEOFDAY";
+ if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time)))
goto errout;
- }
state->authtime = state->kdc_time; /* for audit_as_request() */
if ((errcode = validate_as_request(kdc_active_realm,
state->request, *state->client,
*state->server, state->kdc_time,
&state->status, &state->e_data))) {
- if (!state->status)
- state->status = "UNKNOWN_REASON";
errcode += ERROR_TABLE_BASE_krb5;
goto errout;
}
@@ -705,10 +682,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
- &state->session_key))) {
- state->status = "MAKE_RANDOM_KEY";
+ &state->session_key)))
goto errout;
- }
/*
* Canonicalization is only effective if we are issuing a TGT
@@ -789,10 +764,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->request->client = NULL;
errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
&state->request->client);
- if (errcode) {
- state->status = "COPY_ANONYMOUS_PRINCIPAL";
+ if (errcode)
goto errout;
- }
state->enc_tkt_reply.client = state->request->client;
setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index d8d6719..84445ed 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -195,15 +195,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
if (!header_ticket) {
errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
- status="UNEXPECTED NULL in header_ticket";
goto cleanup;
}
errcode = kau_make_tkt_id(kdc_context, header_ticket,
&au_state->tkt_in_id);
- if (errcode) {
- status = "GENERATE_TICKET_ID";
+ if (errcode)
goto cleanup;
- }
scratch.length = pa_tgs_req->length;
scratch.data = (char *) pa_tgs_req->contents;
@@ -264,16 +261,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
au_state->stage = VALIDATE_POL;
- if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
- status = "TIME_OF_DAY";
+ if ((errcode = krb5_timeofday(kdc_context, &kdc_time)))
goto cleanup;
- }
if ((retval = validate_tgs_request(kdc_active_realm,
request, *server, header_ticket,
kdc_time, &status, &e_data))) {
- if (!status)
- status = "UNKNOWN_REASON";
if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
errcode = retval + ERROR_TABLE_BASE_krb5;
@@ -340,7 +333,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
retval = kau_make_tkt_id(kdc_context, request->second_ticket[st_idx],
&au_state->evid_tkt_id);
if (retval) {
- status = "GENERATE_TICKET_ID";
errcode = retval;
goto cleanup;
}
@@ -723,10 +715,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
&ticket_reply);
if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
- if (errcode) {
- status = "ENCRYPT_TICKET";
+ if (errcode)
goto cleanup;
- }
ticket_reply.enc_part.kvno = ticket_kvno;
/* Start assembling the response */
au_state->stage = ENCR_REP;
@@ -740,10 +730,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
s4u_x509_user,
&reply,
&reply_encpart);
- if (errcode) {
- status = "MAKE_S4U2SELF_PADATA";
+ if (errcode)
au_state->status = status;
- }
kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
if (errcode)
goto cleanup;
@@ -775,16 +763,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
header_ticket->enc_part2->session->enctype;
errcode = kdc_fast_response_handle_padata(state, request, &reply,
subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
- if (errcode !=0 ) {
- status = "MAKE_FAST_RESPONSE";
+ if (errcode)
goto cleanup;
- }
errcode =kdc_fast_handle_reply_key(state,
subkey?subkey:header_ticket->enc_part2->session, &reply_key);
- if (errcode) {
- status = "MAKE_FAST_REPLY_KEY";
+ if (errcode)
goto cleanup;
- }
errcode = return_enc_padata(kdc_context, pkt, request,
reply_key, server, &reply_encpart,
is_referral &&
@@ -796,10 +780,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
}
errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id);
- if (errcode) {
- status = "GENERATE_TICKET_ID";
+ if (errcode)
goto cleanup;
- }
if (kdc_fast_hide_client(state))
reply.client = (krb5_principal)krb5_anonymous_principal();
@@ -807,11 +789,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
subkey ? 1 : 0,
reply_key,
&reply, response);
- if (errcode) {
- status = "ENCODE_KDC_REP";
- } else {
+ if (!errcode)
status = "ISSUE";
- }
memset(ticket_reply.enc_part.ciphertext.data, 0,
ticket_reply.enc_part.ciphertext.length);
@@ -1054,7 +1033,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
retval = get_2ndtkt_enctype(kdc_active_realm, req, &useenctype,
status);
if (retval != 0)
- goto cleanup;
+ return retval;
}
if (useenctype == 0) {
useenctype = select_session_keytype(kdc_active_realm, server,
@@ -1064,17 +1043,10 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
if (useenctype == 0) {
/* unsupported ktype */
*status = "BAD_ENCRYPTION_TYPE";
- retval = KRB5KDC_ERR_ETYPE_NOSUPP;
- goto cleanup;
- }
- retval = krb5_c_make_random_key(kdc_context, useenctype, skey);
- if (retval != 0) {
- /* random key failed */
- *status = "MAKE_RANDOM_KEY";
- goto cleanup;
+ return KRB5KDC_ERR_ETYPE_NOSUPP;
}
-cleanup:
- return retval;
+
+ return krb5_c_make_random_key(kdc_context, useenctype, skey);
}
/*
More information about the cvs-krb5
mailing list