From: Greg Hudson
Date: Mon, 1 Jun 2009 22:39:31 +0000 (+0000)
Subject: Make results of krb5_db_def_fetch_mkey more predictable
X-Git-Tag: krb5-1.8-alpha1~446
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9d4a7b700805858bc1a091cd6561ee9f5aef20af;p=krb5.git

Make results of krb5_db_def_fetch_mkey more predictable

krb5_db_def_fetch_mkey tries the stash file as a keytab, then falls back to the old stash file format. If the stash file was in keytab format, but didn't contain the desired master key, we would try to read a keytab file as a stash file. This could succeed or fail depending on byte order and other unpredictable factors. The upshot was that one of the libkadm5 unit tests (init 108) was getting a different error code on different platforms. To fix this, only try the stash file format if we get KRB5_KEYTAB_BADVNO trying the keytab format. This requires reworking the error handling logic.

ticket: 6506
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22397 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index 9985a4ebf..69cc52b8e 100644
--- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -403,7 +403,7 @@ krb5_db_def_fetch_mkey(krb5_context context,
                        krb5_kvno *kvno,
                        char *db_args)
 {
-    krb5_error_code retval_ofs = 0, retval_kt = 0;
+    krb5_error_code retval;
     char keyfile[MAXPATHLEN+1];
     krb5_data *realm = krb5_princ_realm(context, mname);
 
@@ -418,31 +418,22 @@ krb5_db_def_fetch_mkey(krb5_context context,
     /* null terminate no matter what */
     keyfile[sizeof(keyfile) - 1] = '\0';
 
-    /* assume the master key is in a keytab */
-    retval_kt = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
-    if (retval_kt != 0) {
-        /*
-         * If it's not in a keytab, fall back and try getting the mkey from the
-         * older stash file format.
-         */
-        retval_ofs = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
-    }
+    /* Try the keytab and old stash file formats. */
+    retval = krb5_db_def_fetch_mkey_keytab(context, keyfile, mname, key, kvno);
+    if (retval == KRB5_KEYTAB_BADVNO)
+        retval = krb5_db_def_fetch_mkey_stash(context, keyfile, key, kvno);
 
-    if (retval_kt != 0 && retval_ofs != 0) {
-        /*
-         * Error, not able to get mkey from either file format. Note, in order
-         * to try to return a more correct error, the logic below is assuming
-         * that if either of the stash reading functions returned
-         * KRB5_KDB_BADSTORED_MKEY then this is probably the real error.
-         */
-        krb5_set_error_message (context, KRB5_KDB_CANTREAD_STORED,
-                                "Can not fetch master key either from keytab (error: %s) or old "
-                                "format (error %s).", error_message(retval_kt),
-                                error_message(retval_ofs));
-        return KRB5_KDB_CANTREAD_STORED;
-    } else {
-        return 0;
-    }
+    /*
+     * Use a generic error code for failure to retrieve the master
+     * key, but set a message indicating the actual error.
+     */
+    if (retval != 0) {
+        krb5_set_error_message(context, KRB5_KDB_CANTREAD_STORED,
+                               "Can not fetch master key (error: %s).",
+                               error_message(retval));
+        return KRB5_KDB_CANTREAD_STORED;
+    } else
+        return 0;
 }
 
 /*
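Review bot: The one-line comment above the `krb5_db_def_fetch_mkey_keytab` call does not say why the old-stash fallback is taken only on KRB5_KEYTAB_BADVNO; the reason (parsing a keytab-format file as a stash file gives byte-order-dependent results) lives only in the commit message, so a later maintainer reading the code alone may widen the condition back to `retval != 0` and reintroduce the platform-dependent error codes. I would replace it with `/* Try the keytab format first.  Fall back to the old stash format only when the file's version number is not a keytab vno; reading a keytab as a stash file succeeds or fails unpredictably depending on byte order. */`. The generic KRB5_KDB_CANTREAD_STORED message also no longer records which format produced the reported error, so when the stash fallback fails an operator cannot tell from the message that the keytab path was already rejected; `"Can not fetch master key from stash file (error: %s)."` would keep that distinction for the fallback case, or the BADVNO result could be mentioned alongside it. krb5_db_def_fetch_mkey opens before this hunk (its declarations are in the earlier hunk), so the function's start is outside this one.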