kdc: Rewrite get_pa_etype_info and set_salt_padata

We weren't checking for errors, and we weren't using the convience SEQUENCE OF add_METHOD_DATA() and add_ETYPE_INFO() functions generated by the ASN.1 compiler. Using those utilities made get_pa_etype_info() and make_etype_info_entry() sufficiently simpler that merging the two makes for simpler, more readable code.
2022-01-18 00:22:42 -06:00
parent 2801606b80
commit f155150969
1 changed files with 55 additions and 88 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -60,15 +60,16 @@ realloc_method_data(METHOD_DATA *md)
    return 0;
 }
-static void
+static krb5_error_code
 set_salt_padata(METHOD_DATA *md, Salt *salt)
 {
-    if (salt) {
+    PA_DATA pa; /* do not free */
-       realloc_method_data(md);
+
-       md->val[md->len - 1].padata_type = salt->type;
+    if (!salt)
-       der_copy_octet_string(&salt->salt,
+        return 0;
-                             &md->val[md->len - 1].padata_value);
+    pa.padata_type = salt->type;
-    }
+    pa.padata_value = salt->salt;
    return add_METHOD_DATA(md, &pa);
 }
 const PA_DATA*
@@ -764,7 +765,8 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 	if (ret)
 	    goto out;
-	set_salt_padata(r->rep.padata, k->salt);
+        if (ret == 0)
            ret = set_salt_padata(r->rep.padata, k->salt);
 	/*
 	 * Success
@@ -938,9 +940,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
    }
    free_PA_ENC_TS_ENC(&p);
-    set_salt_padata(r->rep.padata, pa_key->salt);
+    ret = set_salt_padata(r->rep.padata, pa_key->salt);
-
+    if (ret == 0)
-    ret = krb5_copy_keyblock_contents(r->context, &pa_key->key, &r->reply_key);
+        ret = krb5_copy_keyblock_contents(r->context, &pa_key->key, &r->reply_key);
    if (ret)
 	return ret;
@@ -1259,57 +1261,6 @@ _kdc_encode_reply(krb5_context context,
 *
 */
 static krb5_error_code
 make_etype_info_entry(krb5_context context,
 		      ETYPE_INFO_ENTRY *ent,
 		      Key *key,
 		      krb5_boolean include_salt)
 {
    ent->etype = key->key.keytype;
    if (key->salt && include_salt){
 #if 0
 	ALLOC(ent->salttype);
 	if(key->salt->type == hdb_pw_salt)
 	    *ent->salttype = 0; /* or 1? or NULL? */
 	else if(key->salt->type == hdb_afs3_salt)
 	    *ent->salttype = 2;
 	else {
 	    kdc_log(context, config, 4, "unknown salt-type: %d",
 		    key->salt->type);
 	    return KRB5KRB_ERR_GENERIC;
 	}
 	/* according to `the specs', we can't send a salt if
 	   we have AFS3 salted key, but that requires that you
 	   *know* what cell you are using (e.g by assuming
 	   that the cell is the same as the realm in lower
 	   case) */
 #elif 0
 	ALLOC(ent->salttype);
 	*ent->salttype = key->salt->type;
 #else
 	/*
 	 * We shouldn't sent salttype since it is incompatible with the
 	 * specification and it breaks windows clients.  The afs
 	 * salting problem is solved by using KRB5-PADATA-AFS3-SALT
 	 * implemented in Heimdal 0.7 and later.
 	 */
 	ent->salttype = NULL;
 #endif
 	krb5_copy_data(context, &key->salt->salt,
 		       &ent->salt);
    } else {
 	/* we return no salt type at all, as that should indicate
 	 * the default salt type and make everybody happy.  some
 	 * systems (like w2k) dislike being told the salt type
 	 * here. */
 	ent->salttype = NULL;
 	ent->salt = NULL;
    }
    return 0;
 }
 static krb5_error_code
 get_pa_etype_info(krb5_context context,
 		  krb5_kdc_configuration *config,
@@ -1317,35 +1268,51 @@ get_pa_etype_info(krb5_context context,
 		  krb5_boolean include_salt)
 {
    krb5_error_code ret = 0;
-    ETYPE_INFO pa;
+    ETYPE_INFO_ENTRY eie; /* do not free this one */
-    unsigned char *buf;
+    ETYPE_INFO ei;
    PA_DATA pa;
    size_t len;
    /*
     * Code moved here from what used to be make_etype_info_entry() because
     * using the ASN.1 compiler-generated SEQUENCE OF add functions makes that
     * old function's body and this one's small and clean.
     *
     * The following comment blocks were there:
     *
     *  According to `the specs', we can't send a salt if we have AFS3 salted
     *  key, but that requires that you *know* what cell you are using (e.g by
     *  assuming that the cell is the same as the realm in lower case)
     *
     *  We shouldn't sent salttype since it is incompatible with the
     *  specification and it breaks windows clients.  The afs salting problem
     *  is solved by using KRB5-PADATA-AFS3-SALT implemented in Heimdal 0.7 and
     *  later.
     *
     *  We return no salt type at all, as that should indicate the default salt
     *  type and make everybody happy.  some systems (like w2k) dislike being
     *  told the salt type here.
     */
-    pa.len = 1;
+    pa.padata_type = KRB5_PADATA_ETYPE_INFO;
-    pa.val = calloc(1, sizeof(pa.val[0]));
+    pa.padata_value.data = NULL;
-    if(pa.val == NULL)
+    pa.padata_value.length = 0;
-	return ENOMEM;
+    ei.len = 0;
-
+    ei.val = NULL;
-    ret = make_etype_info_entry(context, &pa.val[0], ckey, include_salt);
+    eie.etype = ckey->key.keytype;
-    if (ret) {
+    eie.salttype = NULL;
-	free_ETYPE_INFO(&pa);
+    eie.salt = NULL;
-	return ret;
+    if (include_salt && ckey->salt)
-    }
+        eie.salt = &ckey->salt->salt;
-
+    ret = add_ETYPE_INFO(&ei, &eie);
-    ASN1_MALLOC_ENCODE(ETYPE_INFO, buf, len, &pa, &len, ret);
+    if (ret == 0)
-    free_ETYPE_INFO(&pa);
+        ASN1_MALLOC_ENCODE(ETYPE_INFO, pa.padata_value.data, pa.padata_value.length,
-    if(ret)
+                           &ei, &len, ret);
-	return ret;
+    if (ret == 0)
-    ret = realloc_method_data(md);
+        add_METHOD_DATA(md, &pa);
-    if(ret) {
+    free_ETYPE_INFO(&ei);
-	free(buf);
+    free_PA_DATA(&pa);
-	return ret;
+    return ret;
    }
    md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO;
    md->val[md->len - 1].padata_value.length = len;
    md->val[md->len - 1].padata_value.data = buf;
    return 0;
 }
 /*