From: Greg Hudson Date: Mon, 17 Jul 2017 17:11:54 +0000 (-0400) Subject: Simplify KDC status assignment X-Git-Tag: krb5-1.16-beta1~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d265f16b71058b0cb0546a3993c941975a48b70f;p=thirdparty%2Fkrb5.git Simplify KDC status assignment Omit assigning status values for very unlikely error cases. Remove the "UNKNOWN_REASON" fallback for validate_as_request() and validate_tgs_request() as that fallback is now applied globally. --- diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 9b256c8764..5d49e80362 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -240,10 +240,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->reply.ticket = &state->ticket_reply; state->reply_encpart.session = &state->session_key; if ((errcode = fetch_last_req_info(state->client, - &state->reply_encpart.last_req))) { - state->status = "FETCH_LAST_REQ"; + &state->reply_encpart.last_req))) goto egress; - } state->reply_encpart.nonce = state->request->nonce; state->reply_encpart.key_exp = get_key_exp(state->client); state->reply_encpart.flags = state->enc_tkt_reply.flags; @@ -301,27 +299,21 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock, &state->ticket_reply); - if (errcode) { - state->status = "ENCRYPT_TICKET"; + if (errcode) goto egress; - } errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply, &au_state->tkt_out_id); - if (errcode) { - state->status = "GENERATE_TICKET_ID"; + if (errcode) goto egress; - } state->ticket_reply.enc_part.kvno = server_key->key_data_kvno; errcode = kdc_fast_response_handle_padata(state->rstate, state->request, &state->reply, state->client_keyblock.enctype); - if (errcode) { - state->status = "MAKE_FAST_RESPONSE"; + if (errcode) goto egress; - } /* now encode/encrypt the response */ @@ -329,10 +321,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = kdc_fast_handle_reply_key(state->rstate, &state->client_keyblock, &as_encrypting_key); - if (errcode) { - state->status = "MAKE_FAST_REPLY_KEY"; + if (errcode) goto egress; - } errcode = return_enc_padata(kdc_context, state->req_pkt, state->request, as_encrypting_key, state->server, &state->reply_encpart, FALSE); @@ -349,10 +339,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) &state->reply, &response); if (state->client_key != NULL) state->reply.enc_part.kvno = state->client_key->key_data_kvno; - if (errcode) { - state->status = "ENCODE_KDC_REP"; + if (errcode) goto egress; - } /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we can use them in raw form if needed. But, we don't... */ @@ -547,7 +535,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { errcode = ASN1_BAD_ID; - state->status = "FETCH_REQ_BODY"; goto errout; } errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL, @@ -560,10 +547,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* Not a FAST request; copy the encoded request body. */ errcode = krb5_copy_data(kdc_context, &encoded_req_body, &state->inner_body); - if (errcode) { - state->status = "COPY_REQ_BODY"; + if (errcode) goto errout; - } } au_state->request = state->request; state->rock.request = state->request; @@ -578,10 +563,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_unparse_name(kdc_context, state->request->client, - &state->cname))) { - state->status = "UNPARSE_CLIENT"; + &state->cname))) goto errout; - } limit_string(state->cname); if (!state->request->server) { @@ -591,10 +574,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_unparse_name(kdc_context, state->request->server, - &state->sname))) { - state->status = "UNPARSE_SERVER"; + &state->sname))) goto errout; - } limit_string(state->sname); /* @@ -674,18 +655,14 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, au_state->stage = VALIDATE_POL; - if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) { - state->status = "TIMEOFDAY"; + if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) goto errout; - } state->authtime = state->kdc_time; /* for audit_as_request() */ if ((errcode = validate_as_request(kdc_active_realm, state->request, *state->client, *state->server, state->kdc_time, &state->status, &state->e_data))) { - if (!state->status) - state->status = "UNKNOWN_REASON"; errcode += ERROR_TABLE_BASE_krb5; goto errout; } @@ -705,10 +682,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_c_make_random_key(kdc_context, useenctype, - &state->session_key))) { - state->status = "MAKE_RANDOM_KEY"; + &state->session_key))) goto errout; - } /* * Canonicalization is only effective if we are issuing a TGT @@ -789,10 +764,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->request->client = NULL; errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(), &state->request->client); - if (errcode) { - state->status = "COPY_ANONYMOUS_PRINCIPAL"; + if (errcode) goto errout; - } state->enc_tkt_reply.client = state->request->client; setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH); } diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index d8d67199b9..84445ed904 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -195,15 +195,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, if (!header_ticket) { errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */ - status="UNEXPECTED NULL in header_ticket"; goto cleanup; } errcode = kau_make_tkt_id(kdc_context, header_ticket, &au_state->tkt_in_id); - if (errcode) { - status = "GENERATE_TICKET_ID"; + if (errcode) goto cleanup; - } scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; @@ -264,16 +261,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, au_state->stage = VALIDATE_POL; - if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) { - status = "TIME_OF_DAY"; + if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) goto cleanup; - } if ((retval = validate_tgs_request(kdc_active_realm, request, *server, header_ticket, kdc_time, &status, &e_data))) { - if (!status) - status = "UNKNOWN_REASON"; if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION) au_state->violation = PROT_CONSTRAINT; errcode = retval + ERROR_TABLE_BASE_krb5; @@ -340,7 +333,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, retval = kau_make_tkt_id(kdc_context, request->second_ticket[st_idx], &au_state->evid_tkt_id); if (retval) { - status = "GENERATE_TICKET_ID"; errcode = retval; goto cleanup; } @@ -723,10 +715,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, &ticket_reply); if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) krb5_free_keyblock_contents(kdc_context, &encrypting_key); - if (errcode) { - status = "ENCRYPT_TICKET"; + if (errcode) goto cleanup; - } ticket_reply.enc_part.kvno = ticket_kvno; /* Start assembling the response */ au_state->stage = ENCR_REP; @@ -740,10 +730,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, s4u_x509_user, &reply, &reply_encpart); - if (errcode) { - status = "MAKE_S4U2SELF_PADATA"; + if (errcode) au_state->status = status; - } kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state); if (errcode) goto cleanup; @@ -775,16 +763,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, header_ticket->enc_part2->session->enctype; errcode = kdc_fast_response_handle_padata(state, request, &reply, subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype); - if (errcode !=0 ) { - status = "MAKE_FAST_RESPONSE"; + if (errcode) goto cleanup; - } errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key); - if (errcode) { - status = "MAKE_FAST_REPLY_KEY"; + if (errcode) goto cleanup; - } errcode = return_enc_padata(kdc_context, pkt, request, reply_key, server, &reply_encpart, is_referral && @@ -796,10 +780,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id); - if (errcode) { - status = "GENERATE_TICKET_ID"; + if (errcode) goto cleanup; - } if (kdc_fast_hide_client(state)) reply.client = (krb5_principal)krb5_anonymous_principal(); @@ -807,11 +789,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, subkey ? 1 : 0, reply_key, &reply, response); - if (errcode) { - status = "ENCODE_KDC_REP"; - } else { + if (!errcode) status = "ISSUE"; - } memset(ticket_reply.enc_part.ciphertext.data, 0, ticket_reply.enc_part.ciphertext.length); @@ -1054,7 +1033,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, retval = get_2ndtkt_enctype(kdc_active_realm, req, &useenctype, status); if (retval != 0) - goto cleanup; + return retval; } if (useenctype == 0) { useenctype = select_session_keytype(kdc_active_realm, server, @@ -1064,17 +1043,10 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, if (useenctype == 0) { /* unsupported ktype */ *status = "BAD_ENCRYPTION_TYPE"; - retval = KRB5KDC_ERR_ETYPE_NOSUPP; - goto cleanup; - } - retval = krb5_c_make_random_key(kdc_context, useenctype, skey); - if (retval != 0) { - /* random key failed */ - *status = "MAKE_RANDOM_KEY"; - goto cleanup; + return KRB5KDC_ERR_ETYPE_NOSUPP; } -cleanup: - return retval; + + return krb5_c_make_random_key(kdc_context, useenctype, skey); } /*