pull up r22397 from trunk

 ------------------------------------------------------------------------
 r22397 | ghudson | 2009-06-01 18:39:31 -0400 (Mon, 01 Jun 2009) | 17 lines

 ticket: 6506
 subject: Make results of krb5_db_def_fetch_mkey more predictable
 tags: pullup
 target_version: 1.7

 krb5_db_def_fetch_mkey tries the stash file as a keytab, then falls
 back to the old stash file format.  If the stash file was in keytab
 format, but didn't contain the desired master key, we would try to
 read a keytab file as a stash file.  This could succeed or fail
 depending on byte order and other unpredictable factors.  The upshot
 was that one of the libkadm5 unit tests (init 108) was getting a
 different error code on different platforms.

 To fix this, only try the stash file format if we get
 KRB5_KEYTAB_BADVNO trying the keytab format.  This requires reworking
 the error handling logic.

ticket: 6506
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22795 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 829f55ad7ca37f5dd7287e7525f9dc4a070715e9..b2f471b4d0114698e15fa1ff6b760537a6733060 100644 (file)
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -403,7 +403,7 @@ krb5_db_def_fetch_mkey(krb5_context   context,
                        krb5_kvno     *kvno,
                        char          *db_args)
 {
-    krb5_error_code retval_ofs = 0, retval_kt = 0;
+    krb5_error_code retval;
     char keyfile[MAXPATHLEN+1];
     krb5_data *realm = krb5_princ_realm(context, mname);
 
@@ -418,31 +418,22 @@ krb5_db_def_fetch_mkey(krb5_context   context,
     /* null terminate no matter what */
     keyfile[sizeof(keyfile) - 1] = '\0';
 
-    /* assume the master key is in a keytab */
-    retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
-    if (retval_kt != 0) {
-        /*
-         * If it's not in a keytab, fall back and try getting the mkey from the
-         * older stash file format.
-         */
-        retval_ofs = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
-    }
+    /* Try the keytab and old stash file formats. */
+    retval = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
+    if (retval == KRB5_KEYTAB_BADVNO)
+        retval = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
 
-    if (retval_kt != 0 && retval_ofs != 0) {
-        /*
-         * Error, not able to get mkey from either file format.  Note, in order
-         * to try to return a more correct error, the logic below is assuming
-         * that if either of the stash reading functions returned
-         * KRB5_KDB_BADSTORED_MKEY then this is probably the real error.
-         */
-        krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
-            "Can not fetch master key either from keytab (error: %s) or old "
-            "format (error %s).", error_message(retval_kt),
-            error_message(retval_ofs));
-        return KRB5_KDB_CANTREAD_STORED;
-    } else {
-        return 0;
-    }
+    /*
+     * Use a generic error code for failure to retrieve the master
+     * key, but set a message indicating the actual error.
+     */
+    if (retval != 0) {
+       krb5_set_error_message(context, KRB5_KDB_CANTREAD_STORED,
+                              "Can not fetch master key (error: %s).",
+                              error_message(retval));
+       return KRB5_KDB_CANTREAD_STORED;
+    } else
+       return 0;
 }
 
 /*