From 2fbaa099192f7f3ee6ba2b996ddf2ca17baaacf5 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Thu, 11 Nov 2010 14:22:40 +1100
Subject: s4-kdc: split the kdc process return into a tri-state

this is in preparation for doing forwarding of packets for RODCs

Pair-Programmed-With: Andrew Bartlett
---
 source4/kdc/kdc-glue.h | 20 +++++++++++++-------
 source4/kdc/kdc.c | 48 ++++++++++++++++++++++++------------------------
 source4/kdc/kpasswdd.c | 44 ++++++++++++++++++++++----------------------
 3 files changed, 59 insertions(+), 53 deletions(-)

diff --git a/source4/kdc/kdc-glue.h b/source4/kdc/kdc-glue.h
index 6a2df1bc2c..09ae030934 100644
--- a/source4/kdc/kdc-glue.h
+++ b/source4/kdc/kdc-glue.h
@@ -42,13 +42,19 @@ struct kdc_server {
 struct samba_kdc_base_context *base_ctx;
 };
 
-bool kpasswdd_process(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *input,
- DATA_BLOB *reply,
- struct tsocket_address *peer_addr,
- struct tsocket_address *my_addr,
- int datagram_reply);
+enum kdc_process_ret {
+ KDC_PROCESS_OK=0,
+ KDC_PROCESS_FAILED,
+ KDC_PROCESS_PROXY};
+
+
+enum kdc_process_ret kpasswdd_process(struct kdc_server *kdc,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *input,
+ DATA_BLOB *reply,
+ struct tsocket_address *peer_addr,
+ struct tsocket_address *my_addr,
+ int datagram_reply);
 
 /* from hdb-samba4.c */
 NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index efcdc59db5..43ac8f458b 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
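Review bot: The new `enum kdc_process_ret` in kdc-glue.h is added without a comment saying what each value means to a caller, and `KDC_PROCESS_PROXY` has neither a producer nor a consumer in this commit, so the name is the only documentation of the contract. I would put a comment above the enum along the lines of `/* Result of a kdc_process_fn_t call: OK means *reply has been filled in and is sent; FAILED means the packet is dropped (TCP callers close the connection); PROXY is reserved for forwarding to another KDC and is not handled by any caller yet. */`. On style, the closing brace sits on the last enumerator line and `KDC_PROCESS_OK=0` has no spaces around `=`; `KDC_PROCESS_PROXY,` followed by `};` on its own line and `KDC_PROCESS_OK = 0,` would match the rest of the header.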
@@ -46,13 +46,13 @@ extern struct krb5plugin_windc_ftable windc_plugin_table; extern struct hdb_method hdb_samba4; -typedef bool (*kdc_process_fn_t)(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - DATA_BLOB *input, - DATA_BLOB *reply, - struct tsocket_address *peer_addr, - struct tsocket_address *my_addr, - int datagram); +typedef enum kdc_process_ret (*kdc_process_fn_t)(struct kdc_server *kdc, + TALLOC_CTX *mem_ctx, + DATA_BLOB *input, + DATA_BLOB *reply, + struct tsocket_address *peer_addr, + struct tsocket_address *my_addr, + int datagram); /* hold information about one kdc socket */ struct kdc_socket { @@ -102,13 +102,13 @@ static void kdc_tcp_send(struct stream_connection *conn, uint16_t flags) calling conventions */ -static bool kdc_process(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - DATA_BLOB *input, - DATA_BLOB *reply, - struct tsocket_address *peer_addr, - struct tsocket_address *my_addr, - int datagram_reply) +static enum kdc_process_ret kdc_process(struct kdc_server *kdc, + TALLOC_CTX *mem_ctx, + DATA_BLOB *input, + DATA_BLOB *reply, + struct tsocket_address *peer_addr, + struct tsocket_address *my_addr, + int datagram_reply) { int ret; char *pa; @@ -121,11 +121,11 @@ static bool kdc_process(struct kdc_server *kdc, ret = tsocket_address_bsd_sockaddr(peer_addr, (struct sockaddr *) &ss, sizeof(struct sockaddr_storage)); if (ret < 0) { - return false; + return KDC_PROCESS_FAILED; } pa = tsocket_address_string(peer_addr, mem_ctx); if (pa == NULL) { - return false; + return KDC_PROCESS_FAILED; } DEBUG(10,("Received KDC packet of length %lu from %s\n", @@ -140,7 +140,7 @@ static bool kdc_process(struct kdc_server *kdc, datagram_reply); if (ret == -1) { *reply = data_blob(NULL, 0); - return false; + return KDC_PROCESS_FAILED; } if (k5_reply.length) { *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length); 
@@ -148,7 +148,7 @@ static bool kdc_process(struct kdc_server *kdc,
 } else {
 *reply = data_blob(NULL, 0);
 }
- return true;
+ return KDC_PROCESS_OK;
 }
 
 struct kdc_tcp_call {
@@ -167,7 +167,7 @@ static void kdc_tcp_call_loop(struct tevent_req *subreq)
 struct kdc_tcp_connection);
 struct kdc_tcp_call *call;
 NTSTATUS status;
- bool ok;
+ enum kdc_process_ret ret;
 
 call = talloc(kdc_conn, struct kdc_tcp_call);
 if (call == NULL) {
@@ -204,14 +204,14 @@ static void kdc_tcp_call_loop(struct tevent_req *subreq)
 call->in.length -= 4;
 
 /* Call krb5 */
- ok = kdc_conn->kdc_socket->process(kdc_conn->kdc_socket->kdc,
+ ret = kdc_conn->kdc_socket->process(kdc_conn->kdc_socket->kdc,
 call,
 &call->in,
 &call->out,
 kdc_conn->conn->remote_address,
 kdc_conn->conn->local_address,
 0 /* Stream */);
- if (!ok) {
+ if (ret == KDC_PROCESS_FAILED) {
 kdc_tcp_terminate_connection(kdc_conn,
 "kdc_tcp_call_loop: process function failed");
 return;
@@ -372,7 +372,7 @@ static void kdc_udp_call_loop(struct tevent_req *subreq)
 uint8_t *buf;
 ssize_t len;
 int sys_errno;
- bool ok;
+ enum kdc_process_ret ret;
 
 call = talloc(sock, struct kdc_udp_call);
 if (call == NULL) {
@@ -396,14 +396,14 @@ static void kdc_udp_call_loop(struct tevent_req *subreq)
 tsocket_address_string(call->src, call)));
 
 /* Call krb5 */
- ok = sock->kdc_socket->process(sock->kdc_socket->kdc,
+ ret = sock->kdc_socket->process(sock->kdc_socket->kdc,
 call,
 &call->in,
 &call->out,
 call->src,
 sock->kdc_socket->local_address,
 1 /* Datagram */);
- if (!ok) {
+ if (ret == KDC_PROCESS_FAILED) {
 talloc_free(call);
 goto done;
 }
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index df94522660..ace8a89371 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
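Review bot: In kdc_tcp_call_loop (hunk at -204) and kdc_udp_call_loop (hunk at -396) the new test `if (ret == KDC_PROCESS_FAILED)` lets a `KDC_PROCESS_PROXY` result fall through to the send path exactly as `KDC_PROCESS_OK` does, with whatever `call->out` holds at that point. Nothing returns PROXY in this commit, so the problem is latent, but the forwarding work it prepares for will need a branch in both loops. Until that branch exists, `if (ret != KDC_PROCESS_OK)` stops a half-wired PROXY return from sending an empty or unset reply, or a `switch (ret)` with an explicit `default:` makes the missing case visible to the next reader. Both enclosing functions start and end outside their hunks.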
@@ -449,13 +449,13 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
 }
 }
 
-bool kpasswdd_process(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *input,
- DATA_BLOB *reply,
- struct tsocket_address *peer_addr,
- struct tsocket_address *my_addr,
- int datagram_reply)
+enum kdc_process_ret kpasswdd_process(struct kdc_server *kdc,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *input,
+ DATA_BLOB *reply,
+ struct tsocket_address *peer_addr,
+ struct tsocket_address *my_addr,
+ int datagram_reply)
 {
 bool ret;
 const uint16_t header_len = 6;
@@ -475,20 +475,20 @@ bool kpasswdd_process(struct kdc_server *kdc,
 char *keytab_name;
 
 if (!tmp_ctx) {
- return false;
+ return KDC_PROCESS_FAILED;
 }
 
 /* Be parinoid. We need to ensure we don't just let the
 * caller lead us into a buffer overflow */
 if (input->length <= header_len) {
 talloc_free(tmp_ctx);
- return false;
+ return KDC_PROCESS_FAILED;
 }
 
 len = RSVAL(input->data, 0);
 if (input->length != len) {
 talloc_free(tmp_ctx);
- return false;
+ return KDC_PROCESS_FAILED;
 }
 
 /* There are two different versions of this protocol so far,
@@ -498,7 +498,7 @@ bool kpasswdd_process(struct kdc_server *kdc,
 ap_req_len = RSVAL(input->data, 4);
 if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
 talloc_free(tmp_ctx);
- return false;
+ return KDC_PROCESS_FAILED;
 }
 
 krb_priv_len = len - ap_req_len;
@@ -508,7 +508,7 @@ bool kpasswdd_process(struct kdc_server *kdc,
 server_credentials = cli_credentials_init(tmp_ctx);
 if (!server_credentials) {
 DEBUG(1, ("Failed to init server credentials\n"));
- return false;
+ return KDC_PROCESS_FAILED;
 }
 
 /* We want the credentials subsystem to use the krb5 context
@@ -547,7 +547,7 @@ bool kpasswdd_process(struct kdc_server *kdc,
 &gensec_security);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(tmp_ctx);
- return false;
+ return KDC_PROCESS_FAILED;
 }
 
 /* The kerberos PRIV packets include these addresses. MIT
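Review bot: The rewritten `return KDC_PROCESS_FAILED;` in the hunk at -508 (the `!server_credentials` path) returns without the `talloc_free(tmp_ctx);` that every neighbouring failure path in this function performs, and the same holds for the later hunks at -622 (`/* Argh! */`) and -641 (`!reply->data`). How `tmp_ctx` is parented is not visible in these hunks, so this may only delay the release rather than leak it outright, but since these returns are being rewritten anyway it is the moment to make the error paths uniform: add `talloc_free(tmp_ctx);` before each of the three returns. kpasswdd_process continues outside every one of these hunks.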
@@ -561,14 +561,14 @@ bool kpasswdd_process(struct kdc_server *kdc, nt_status = gensec_set_local_address(gensec_security, peer_addr); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); - return false; + return KDC_PROCESS_FAILED; } #endif nt_status = gensec_set_local_address(gensec_security, my_addr); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); - return false; + return KDC_PROCESS_FAILED; } /* We want the GENSEC wrap calls to generate PRIV tokens */ @@ -577,7 +577,7 @@ bool kpasswdd_process(struct kdc_server *kdc, nt_status = gensec_start_mech_by_name(gensec_security, "krb5"); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); - return false; + return KDC_PROCESS_FAILED; } /* Accept the AP-REQ and generate teh AP-REP we need for the reply */ @@ -595,7 +595,7 @@ bool kpasswdd_process(struct kdc_server *kdc, goto reply; } talloc_free(tmp_ctx); - return ret; + return KDC_PROCESS_FAILED; } /* Extract the data from the KRB-PRIV half of the message */ @@ -612,7 +612,7 @@ bool kpasswdd_process(struct kdc_server *kdc, goto reply; } talloc_free(tmp_ctx); - return ret; + return KDC_PROCESS_FAILED; } /* Figure out something to do with it (probably changing a password...) */ @@ -622,7 +622,7 @@ bool kpasswdd_process(struct kdc_server *kdc, &kpasswd_req, &kpasswd_rep); if (!ret) { /* Argh! */ - return false; + return KDC_PROCESS_FAILED; } /* And wrap up the reply: This ensures that the error message @@ -641,13 +641,13 @@ bool kpasswdd_process(struct kdc_server *kdc, goto reply; } talloc_free(tmp_ctx); - return ret; + return KDC_PROCESS_FAILED; } reply: *reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len); if (!reply->data) { - return false; + return KDC_PROCESS_FAILED; } RSSVAL(reply->data, 0, reply->length); @@ -661,6 +661,6 @@ reply: krb_priv_rep.length); talloc_free(tmp_ctx); - return ret; + return KDC_PROCESS_OK; } -- cgit