From 64a0735edc36540b5d679a04a2453a093801efcc Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Wed, 23 Nov 2011 01:00:36 +0000 Subject: [PATCH] FAST: error handling and const keyblock krb5int_fast_process_error: Allow out_padata and retry to be null for TGS case. Refactor function to do more frees in the exit handling and to declare variables at the top. krb5int_fast_reply_key: input keyblock arguments should be const ticket: 7025 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25487 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/fast.c | 53 +++++++++++++++++++++++++---------------- src/lib/krb5/krb/fast.h | 4 ++-- 2 files changed, 34 insertions(+), 23 deletions(-) diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c index e5eb960be..ee7534b8d 100644 --- a/src/lib/krb5/krb/fast.c +++ b/src/lib/krb5/krb/fast.c @@ -353,16 +353,20 @@ krb5int_fast_process_error(krb5_context context, { krb5_error_code retval = 0; krb5_error *err_reply = *err_replyptr; - - *out_padata = NULL; - *retry = 0; - if (state->armor_key) { krb5_pa_data *fx_error_pa; - krb5_pa_data **result = NULL; - krb5_data scratch; + krb5_pa_data **result = NULL; + krb5_data scratch; krb5_error *fx_error = NULL; krb5_fast_response *fast_response = NULL; + scratch.data = NULL; + + if (out_padata) + *out_padata = NULL; + if (retry) + *retry = 0; + + if (state->armor_key) { retval = decode_krb5_padata_sequence(&err_reply->e_data, &result); if (retval == 0) retval = decrypt_fast_reply(context, state, result, @@ -373,12 +377,12 @@ krb5int_fast_process_error(krb5_context context, * expect that, but treating it as the fatal error indicated by the * KDC seems reasonable. */ + if (retry != NULL) *retry = 0; krb5_free_pa_data(context, result); + result = NULL; return 0; } - krb5_free_pa_data(context, result); - result = NULL; if (retval == 0) { fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR); 
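Review bot: The new `if (out_padata)` and `if (retry)` guards at the top of krb5int_fast_process_error make both output parameters optional, but nothing in the hunk documents that contract. A comment above the function, such as `/* out_padata and retry may each be NULL (TGS case); a NULL output is simply not filled in. */`, would tell callers what they can rely on. With the declarations hoisted to function scope, `fx_error_pa` is the only pointer left without an initializer; `krb5_pa_data *fx_error_pa = NULL;` would match the other locals that the exit path depends on. The function signature starts outside the hunk.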
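Review bot: The failure branch after decrypt_fast_reply still leaves through its own `return 0;`, so it bypasses the shared frees this commit adds at the end of the function, and the added `result = NULL;` just before it is a dead store. Replacing the return with `retval = 0; goto cleanup;` and putting a `cleanup:` label ahead of the final frees would give a single exit, and would also release `fast_response` if decrypt_fast_reply can ever leave one behind on failure (not visible here). The `if (retry != NULL) *retry = 0;` is redundant because `*retry` is already cleared at the top. As far as the hunk shows, `*err_replyptr` is left pointing at the outer error that was never verified under the armor key, so the existing comment could say so: `/* The outer error is not FAST-protected here; report it as fatal, hand back no padata and do not retry. */`.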
@@ -398,26 +402,29 @@ krb5int_fast_process_error(krb5_context context, krb5_free_error(context, err_reply); *err_replyptr = fx_error; fx_error = NULL; + if (out_padata) { *out_padata = fast_response->padata; fast_response->padata = NULL; + } /* * If there is more than the fx_error padata, then we want * to retry the error if a cookie is present */ - *retry = (*out_padata)[1] != NULL; - if (krb5int_find_pa_data(context, *out_padata, - KRB5_PADATA_FX_COOKIE) == NULL) - *retry = 0; + if (retry != NULL) { + *retry = (*out_padata)[1] != NULL; + if (krb5int_find_pa_data(context, *out_padata, + KRB5_PADATA_FX_COOKIE) == NULL) + *retry = 0; + } } - if (fx_error) - krb5_free_error(context, fx_error); - krb5_free_fast_response(context, fast_response); } else { /*not FAST*/ /* Possibly retry if there's any e_data to process. */ + if (retry) *retry = (err_reply->e_data.length > 0); /* Try to decode e_data as pa-data or typed-data for out_padata. */ - retval = decode_krb5_padata_sequence(&err_reply->e_data, out_padata); - if (retval != 0) { + if (out_padata) + retval = decode_krb5_padata_sequence(&err_reply->e_data, out_padata); + if ((out_padata != NULL) && (retval != 0)) { krb5_typed_data **tdata; /* krb5_typed data and krb5_pa_data are compatible structures. */ if (decode_krb5_typed_data(&err_reply->e_data, &tdata) == 0) @@ -425,6 +432,10 @@ krb5int_fast_process_error(krb5_context context, retval = 0; } } + krb5_free_pa_data(context, result); + krb5_free_fast_response(context, fast_response); +if (fx_error) + krb5_free_error(context, fx_error); return retval; } 
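Review bot: Inside `if (retry != NULL)` the new code still evaluates `(*out_padata)[1]` and passes `*out_padata` to krb5int_find_pa_data, so a caller that supplies `retry` but passes NULL for `out_padata` dereferences a NULL pointer. The rest of this commit allows exactly that combination. Reading the list before ownership moves avoids the dependency: keep a local `krb5_pa_data **pa = fast_response->padata;` taken ahead of the `if (out_padata)` block, then set `*retry = pa[1] != NULL && krb5int_find_pa_data(context, pa, KRB5_PADATA_FX_COOKIE) != NULL;`. The non-FAST branch in the same hunk already treats the two pointers independently, so only the FAST branch needs the change. The enclosing function starts and ends outside this hunk.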
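Review bot: The added `if (fx_error)` in the exit block appears to sit at column 0 (no indentation follows the `+`), while the neighbouring `krb5_free_pa_data` and `krb5_free_fast_response` calls are indented. That makes the test read as if it were outside the function body. Indent it to match the other frees, so the cleanup sequence reads as one block: `    if (fx_error)` followed by `        krb5_free_error(context, fx_error);`. The function body starts outside this hunk.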
@@ -486,16 +497,16 @@ krb5int_fast_process_response(krb5_context context, krb5_error_code krb5int_fast_reply_key(krb5_context context, - krb5_keyblock *strengthen_key, - krb5_keyblock *existing_key, + const krb5_keyblock *strengthen_key, + const krb5_keyblock *existing_key, krb5_keyblock *out_key) { krb5_keyblock *key = NULL; krb5_error_code retval = 0; krb5_free_keyblock_contents(context, out_key); if (strengthen_key) { - retval = krb5_c_fx_cf2_simple(context, strengthen_key, - "strengthenkey", existing_key, + retval = krb5_c_fx_cf2_simple(context, (krb5_keyblock *) strengthen_key, + "strengthenkey", (krb5_keyblock *) existing_key, "replykey", &key); if (retval == 0) { TRACE_FAST_REPLY_KEY(context, key); diff --git a/src/lib/krb5/krb/fast.h b/src/lib/krb5/krb/fast.h index 522821d05..5b8e3aa5a 100644 --- a/src/lib/krb5/krb/fast.h +++ b/src/lib/krb5/krb/fast.h @@ -87,8 +87,8 @@ krb5int_fast_as_armor(krb5_context context, krb5_error_code krb5int_fast_reply_key(krb5_context context, - krb5_keyblock *strengthen_key, - krb5_keyblock *existing_key, krb5_keyblock *output_key); + const krb5_keyblock *strengthen_key, + const krb5_keyblock *existing_key, krb5_keyblock *output_key); krb5_error_code -- 2.26.2
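Review bot: The `(krb5_keyblock *)` casts on `strengthen_key` and `existing_key` in the krb5_c_fx_cf2_simple call discard the `const` this commit has just added. The compiler can therefore no longer flag it if that callee ever writes through either pointer. If the callee's prototype cannot be const-qualified in this change, a comment at the call would record the assumption: `/* cf2_simple is presumed to only read its input keys; drop the casts once its prototype takes const. */`. Separately, `krb5_free_keyblock_contents(context, out_key)` runs before `existing_key` is read, so the function comment should state that `out_key` must not alias `existing_key` or `strengthen_key`; otherwise the key material is freed before it is used. The function body continues past the end of the hunk.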