Switch from using a specific error message context in the TLS to have

a whole krb5_context in TLS. This has some interesting side-effects
for the configuration setting options since they operate on a
per-thread basis now.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19031 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2006-11-13 18:02:57 +00:00
parent a16e0b633c
commit 00bcd44370
39 changed files with 686 additions and 706 deletions


@@ -41,20 +41,21 @@ krb5_keytab _gsskrb5_keytab;
OM_uint32
_gsskrb5_register_acceptor_identity (const char *identity)
{
krb5_context context;
krb5_error_code ret;
ret = _gsskrb5_init();
ret = _gsskrb5_init(&context);
if(ret)
return GSS_S_FAILURE;
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if(_gsskrb5_keytab != NULL) {
krb5_kt_close(_gsskrb5_context, _gsskrb5_keytab);
krb5_kt_close(context, _gsskrb5_keytab);
_gsskrb5_keytab = NULL;
}
if (identity == NULL) {
ret = krb5_kt_default(_gsskrb5_context, &_gsskrb5_keytab);
ret = krb5_kt_default(context, &_gsskrb5_keytab);
} else {
char *p;
@@ -63,7 +64,7 @@ _gsskrb5_register_acceptor_identity (const char *identity)
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
return GSS_S_FAILURE;
}
ret = krb5_kt_resolve(_gsskrb5_context, p, &_gsskrb5_keytab);
ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab);
free(p);
}
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
@@ -120,6 +121,7 @@ static OM_uint32
gsskrb5_accept_delegated_token
(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
gss_cred_id_t * delegated_cred_handle
)
{
@@ -131,33 +133,31 @@ gsskrb5_accept_delegated_token
/* XXX Create a new delegated_cred_handle? */
if (delegated_cred_handle == NULL) {
kret = krb5_cc_default (_gsskrb5_context, &ccache);
kret = krb5_cc_default (context, &ccache);
} else {
*delegated_cred_handle = NULL;
kret = krb5_cc_gen_new (_gsskrb5_context, &krb5_mcc_ops, &ccache);
kret = krb5_cc_gen_new (context, &krb5_mcc_ops, &ccache);
}
if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG;
goto out;
}
kret = krb5_cc_initialize(_gsskrb5_context, ccache, ctx->source);
kret = krb5_cc_initialize(context, ccache, ctx->source);
if (kret) {
ctx->flags &= ~GSS_C_DELEG_FLAG;
goto out;
}
krb5_auth_con_removeflags(_gsskrb5_context,
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
&ac_flags);
kret = krb5_rd_cred2(_gsskrb5_context,
kret = krb5_rd_cred2(context,
ctx->auth_context,
ccache,
&ctx->fwd_data);
if (kret)
_gsskrb5_set_error_string();
krb5_auth_con_setflags(_gsskrb5_context,
krb5_auth_con_setflags(context,
ctx->auth_context,
ac_flags);
if (kret) {
@@ -181,16 +181,16 @@ gsskrb5_accept_delegated_token
handle = (gsskrb5_cred) *delegated_cred_handle;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
ccache = NULL;
}
out:
if (ccache) {
if (delegated_cred_handle == NULL)
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
else
krb5_cc_destroy(_gsskrb5_context, ccache);
krb5_cc_destroy(context, ccache);
}
return ret;
}
@@ -198,13 +198,14 @@ out:
static OM_uint32
gsskrb5_acceptor_ready(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
gss_cred_id_t *delegated_cred_handle)
{
OM_uint32 ret;
int32_t seq_number;
int is_cfx = 0;
krb5_auth_getremoteseqnumber (_gsskrb5_context,
krb5_auth_getremoteseqnumber (context,
ctx->auth_context,
&seq_number);
@@ -222,7 +223,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
* isn't a mutual authentication context
*/
if (!(ctx->flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(ctx->flags)) {
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
krb5_auth_con_setlocalseqnumber(context,
ctx->auth_context,
seq_number);
}
@@ -233,6 +234,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
if (ctx->fwd_data.length > 0 && (ctx->flags & GSS_C_DELEG_FLAG)) {
ret = gsskrb5_accept_delegated_token(minor_status,
ctx,
context,
delegated_cred_handle);
if (ret)
return ret;
@@ -250,6 +252,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
static OM_uint32
gsskrb5_acceptor_start(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token_buffer,
const gss_channel_bindings_t input_chan_bindings,
@@ -301,49 +304,46 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
krb5_rd_req_in_ctx in = NULL;
krb5_rd_req_out_ctx out = NULL;
kret = krb5_rd_req_in_ctx_alloc(_gsskrb5_context, &in);
kret = krb5_rd_req_in_ctx_alloc(context, &in);
if (kret == 0)
kret = krb5_rd_req_in_set_keytab(_gsskrb5_context, in, keytab);
kret = krb5_rd_req_in_set_keytab(context, in, keytab);
if (kret) {
if (in)
krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
krb5_rd_req_in_ctx_free(context, in);
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
kret = krb5_rd_req_ctx(_gsskrb5_context,
kret = krb5_rd_req_ctx(context,
&ctx->auth_context,
&indata,
(acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
in, &out);
krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
krb5_rd_req_in_ctx_free(context, in);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
/*
* We need to remember some data on the context_handle.
*/
kret = krb5_rd_req_out_get_ap_req_options(_gsskrb5_context, out,
kret = krb5_rd_req_out_get_ap_req_options(context, out,
&ap_options);
if (kret == 0)
kret = krb5_rd_req_out_get_ticket(_gsskrb5_context, out,
kret = krb5_rd_req_out_get_ticket(context, out,
&ctx->ticket);
if (kret == 0)
kret = krb5_rd_req_out_get_keyblock(_gsskrb5_context, out,
kret = krb5_rd_req_out_get_keyblock(context, out,
&ctx->service_keyblock);
ctx->lifetime = ctx->ticket->ticket.endtime;
krb5_rd_req_out_ctx_free(_gsskrb5_context, out);
krb5_rd_req_out_ctx_free(context, out);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
}
@@ -353,22 +353,20 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
* We need to copy the principal names to the context and the
* calling layer.
*/
kret = krb5_copy_principal(_gsskrb5_context,
kret = krb5_copy_principal(context,
ctx->ticket->client,
&ctx->source);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
}
kret = krb5_copy_principal(_gsskrb5_context,
kret = krb5_copy_principal(context,
ctx->ticket->server,
&ctx->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
@@ -376,18 +374,17 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
* We need to setup some compat stuff, this assumes that
* context_handle->target is already set.
*/
ret = _gss_DES3_get_mic_compat(minor_status, ctx);
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
return ret;
if (src_name != NULL) {
kret = krb5_copy_principal (_gsskrb5_context,
kret = krb5_copy_principal (context,
ctx->ticket->client,
(gsskrb5_name*)src_name);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
}
@@ -398,13 +395,12 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
{
krb5_authenticator authenticator;
kret = krb5_auth_con_getauthenticator(_gsskrb5_context,
kret = krb5_auth_con_getauthenticator(context,
ctx->auth_context,
&authenticator);
if(kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
@@ -415,22 +411,21 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
&ctx->flags,
&ctx->fwd_data);
krb5_free_authenticator(_gsskrb5_context, &authenticator);
krb5_free_authenticator(context, &authenticator);
if (ret) {
return ret;
}
} else {
krb5_crypto crypto;
kret = krb5_crypto_init(_gsskrb5_context,
kret = krb5_crypto_init(context,
ctx->auth_context->keyblock,
0, &crypto);
if(kret) {
krb5_free_authenticator(_gsskrb5_context, &authenticator);
krb5_free_authenticator(context, &authenticator);
ret = GSS_S_FAILURE;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
@@ -439,16 +434,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
* GSSAPI checksum here
*/
kret = krb5_verify_checksum(_gsskrb5_context,
kret = krb5_verify_checksum(context,
crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, NULL, 0,
authenticator->cksum);
krb5_free_authenticator(_gsskrb5_context, &authenticator);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_free_authenticator(context, &authenticator);
krb5_crypto_destroy(context, crypto);
if(kret) {
ret = GSS_S_BAD_SIG;
*minor_status = kret;
_gsskrb5_set_error_string ();
return ret;
}
@@ -467,23 +461,22 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if (is_cfx != 0
|| (ap_options & AP_OPTS_USE_SUBKEY)) {
kret = krb5_auth_con_addflags(_gsskrb5_context,
kret = krb5_auth_con_addflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_USE_SUBKEY,
NULL);
ctx->more_flags |= ACCEPTOR_SUBKEY;
}
kret = krb5_mk_rep(_gsskrb5_context,
kret = krb5_mk_rep(context,
ctx->auth_context,
&outbuf);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
if (ctx->flags & GSS_C_DCE_STYLE) {
if (IS_DCE_STYLE(ctx)) {
output_token->length = outbuf.length;
output_token->value = outbuf.data;
} else {
@@ -510,6 +503,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
time_rec);
if (ret) {
@@ -521,7 +515,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
* When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from
* the client.
*/
if (ctx->flags & GSS_C_DCE_STYLE) {
if (IS_DCE_STYLE(ctx)) {
/*
* Return flags to caller, but we haven't processed
* delgations yet
@@ -533,7 +527,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
return GSS_S_CONTINUE_NEEDED;
}
ret = gsskrb5_acceptor_ready(minor_status, ctx, delegated_cred_handle);
ret = gsskrb5_acceptor_ready(minor_status, ctx, context,
delegated_cred_handle);
if (ret_flags)
*ret_flags = ctx->flags;
@@ -544,6 +539,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
static OM_uint32
acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
const gss_cred_id_t acceptor_cred_handle,
const gss_buffer_t input_token_buffer,
const gss_channel_bindings_t input_chan_bindings,
@@ -572,29 +568,26 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
* the remote seq_number to the old value
*/
{
kret = krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
kret = krb5_auth_con_getlocalseqnumber(context,
ctx->auth_context,
&l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_getremoteseqnumber(_gsskrb5_context,
kret = krb5_auth_getremoteseqnumber(context,
ctx->auth_context,
&r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_con_setremoteseqnumber(_gsskrb5_context,
kret = krb5_auth_con_setremoteseqnumber(context,
ctx->auth_context,
l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -609,19 +602,18 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
krb5_ap_rep_enc_part *repl;
int32_t auth_flags;
krb5_auth_con_removeflags(_gsskrb5_context,
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
&auth_flags);
kret = krb5_rd_rep(_gsskrb5_context, ctx->auth_context, &inbuf, &repl);
kret = krb5_rd_rep(context, ctx->auth_context, &inbuf, &repl);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
krb5_free_ap_rep_enc_part(_gsskrb5_context, repl);
krb5_auth_con_setflags(_gsskrb5_context, ctx->auth_context, auth_flags);
krb5_free_ap_rep_enc_part(context, repl);
krb5_auth_con_setflags(context, ctx->auth_context, auth_flags);
}
/* We need to check the liftime */
@@ -629,6 +621,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
OM_uint32 lifetime_rec;
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
&lifetime_rec);
if (ret) {
@@ -645,12 +638,11 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
if (ret_flags) *ret_flags = ctx->flags;
if (src_name) {
kret = krb5_copy_principal(_gsskrb5_context,
kret = krb5_copy_principal(context,
ctx->source,
(gsskrb5_name*)src_name);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
}
@@ -664,20 +656,19 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
{
int32_t tmp_r_seq_number, tmp_l_seq_number;
kret = krb5_auth_getremoteseqnumber(_gsskrb5_context,
kret = krb5_auth_getremoteseqnumber(context,
ctx->auth_context,
&tmp_r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
kret = krb5_auth_con_getlocalseqnumber(context,
ctx->auth_context,
&tmp_l_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -695,17 +686,17 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
* the old one for the GSS_wrap() calls
*/
{
kret = krb5_auth_con_setremoteseqnumber(_gsskrb5_context,
kret = krb5_auth_con_setremoteseqnumber(context,
ctx->auth_context,
r_seq_number);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
}
return gsskrb5_acceptor_ready(minor_status, ctx, delegated_cred_handle);
return gsskrb5_acceptor_ready(minor_status, ctx, context,
delegated_cred_handle);
}
@@ -722,10 +713,11 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
OM_uint32 * time_rec,
gss_cred_id_t * delegated_cred_handle)
{
krb5_context context;
OM_uint32 ret;
gsskrb5_ctx ctx;
GSSAPI_KRB5_INIT();
GSSAPI_KRB5_INIT(&context);
output_token->length = 0;
output_token->value = NULL;
@@ -738,6 +730,7 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
if (*context_handle == GSS_C_NO_CONTEXT) {
ret = _gsskrb5_create_ctx(minor_status,
context_handle,
context,
input_chan_bindings,
ACCEPTOR_START);
if (ret)
@@ -758,6 +751,7 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
case ACCEPTOR_START:
ret = gsskrb5_acceptor_start(minor_status,
ctx,
context,
acceptor_cred_handle,
input_token_buffer,
input_chan_bindings,
@@ -771,6 +765,7 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
case ACCEPTOR_WAIT_FOR_DCESTYLE:
ret = acceptor_wait_for_dcestyle(minor_status,
ctx,
context,
acceptor_cred_handle,
input_token_buffer,
input_chan_bindings,
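Review bot: In gsskrb5_acceptor_start the failure branch after the first krb5_copy_principal (copying `ctx->ticket->client` into `&ctx->source`) sets `ret = GSS_S_FAILURE` and `*minor_status` but does not return, so control falls through to the second copy and, when that succeeds, `ret` is overwritten by the `_gss_DES3_get_mic_compat` call and the error is lost while `ctx->source` may be unset and later handed to krb5_cc_initialize in gsskrb5_accept_delegated_token. Add `return ret;` to that branch, exactly as the `ctx->ticket->server` branch directly below it already does. Separately, `ctx->lifetime = ctx->ticket->ticket.endtime;` executes before the `if (kret)` check that follows the krb5_rd_req_out_get_* chain, so if krb5_rd_req_out_get_ticket failed and left ctx->ticket NULL this dereferences it; moving the assignment below the check (or guarding it with `kret == 0`) avoids that. gsskrb5_acceptor_start begins and ends outside the hunk.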


@@ -37,9 +37,10 @@ RCSID("$Id$");
OM_uint32
__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
krb5_ccache id,
krb5_principal principal,
OM_uint32 *lifetime)
krb5_context context,
krb5_ccache id,
krb5_principal principal,
OM_uint32 *lifetime)
{
krb5_creds in_cred, *out_cred;
krb5_const_realm realm;
@@ -48,32 +49,30 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
memset(&in_cred, 0, sizeof(in_cred));
in_cred.client = principal;
realm = krb5_principal_get_realm(_gsskrb5_context, principal);
realm = krb5_principal_get_realm(context, principal);
if (realm == NULL) {
_gsskrb5_clear_status ();
*minor_status = KRB5_PRINC_NOMATCH; /* XXX */
return GSS_S_FAILURE;
}
kret = krb5_make_principal(_gsskrb5_context, &in_cred.server,
kret = krb5_make_principal(context, &in_cred.server,
realm, KRB5_TGS_NAME, realm, NULL);
if (kret) {
_gsskrb5_set_error_string();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_get_credentials(_gsskrb5_context, 0,
kret = krb5_get_credentials(context, 0,
id, &in_cred, &out_cred);
krb5_free_principal(_gsskrb5_context, in_cred.server);
krb5_free_principal(context, in_cred.server);
if (kret) {
_gsskrb5_set_error_string();
*minor_status = kret;
return GSS_S_FAILURE;
}
*lifetime = out_cred->times.endtime;
krb5_free_creds(_gsskrb5_context, out_cred);
krb5_free_creds(context, out_cred);
return GSS_S_COMPLETE;
}
@@ -82,7 +81,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
static krb5_error_code
get_keytab(krb5_keytab *keytab)
get_keytab(krb5_context context, krb5_keytab *keytab)
{
char kt_name[256];
krb5_error_code kret;
@@ -90,13 +89,13 @@ get_keytab(krb5_keytab *keytab)
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (_gsskrb5_keytab != NULL) {
kret = krb5_kt_get_name(_gsskrb5_context,
kret = krb5_kt_get_name(context,
_gsskrb5_keytab,
kt_name, sizeof(kt_name));
if (kret == 0)
kret = krb5_kt_resolve(_gsskrb5_context, kt_name, keytab);
kret = krb5_kt_resolve(context, kt_name, keytab);
} else
kret = krb5_kt_default(_gsskrb5_context, keytab);
kret = krb5_kt_default(context, keytab);
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
@@ -105,6 +104,7 @@ get_keytab(krb5_keytab *keytab)
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -132,33 +132,33 @@ static OM_uint32 acquire_initiator_cred
* caches, otherwise, fall back to default cache. Ignore
* errors. */
if (handle->principal)
kret = krb5_cc_cache_match (_gsskrb5_context,
kret = krb5_cc_cache_match (context,
handle->principal,
NULL,
&ccache);
if (ccache == NULL) {
kret = krb5_cc_default(_gsskrb5_context, &ccache);
kret = krb5_cc_default(context, &ccache);
if (kret)
goto end;
}
kret = krb5_cc_get_principal(_gsskrb5_context, ccache,
kret = krb5_cc_get_principal(context, ccache,
&def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_destroy(_gsskrb5_context, ccache);
krb5_cc_destroy(context, ccache);
ccache = NULL;
kret = 0;
} else if (handle->principal == NULL) {
kret = krb5_copy_principal(_gsskrb5_context, def_princ,
kret = krb5_copy_principal(context, def_princ,
&handle->principal);
if (kret)
goto end;
} else if (handle->principal != NULL &&
krb5_principal_compare(_gsskrb5_context, handle->principal,
krb5_principal_compare(context, handle->principal,
def_princ) == FALSE) {
/* Before failing, lets check the keytab */
krb5_free_principal(_gsskrb5_context, def_princ);
krb5_free_principal(context, def_princ);
def_princ = NULL;
}
if (def_princ == NULL) {
@@ -166,30 +166,30 @@ static OM_uint32 acquire_initiator_cred
* so attempt to get a TGT using a keytab.
*/
if (handle->principal == NULL) {
kret = krb5_get_default_principal(_gsskrb5_context,
kret = krb5_get_default_principal(context,
&handle->principal);
if (kret)
goto end;
}
kret = get_keytab(&keytab);
kret = get_keytab(context, &keytab);
if (kret)
goto end;
kret = krb5_get_init_creds_opt_alloc(_gsskrb5_context, &opt);
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
kret = krb5_get_init_creds_keytab(_gsskrb5_context, &cred,
kret = krb5_get_init_creds_keytab(context, &cred,
handle->principal, keytab, 0, NULL, opt);
krb5_get_init_creds_opt_free(opt);
if (kret)
goto end;
kret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
kret = krb5_cc_gen_new(context, &krb5_mcc_ops,
&ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(_gsskrb5_context, ccache, cred.client);
kret = krb5_cc_initialize(context, ccache, cred.client);
if (kret)
goto end;
kret = krb5_cc_store_cred(_gsskrb5_context, ccache, &cred);
kret = krb5_cc_store_cred(context, ccache, &cred);
if (kret)
goto end;
handle->lifetime = cred.times.endtime;
@@ -197,9 +197,10 @@ static OM_uint32 acquire_initiator_cred
} else {
ret = __gsskrb5_ccache_lifetime(minor_status,
ccache,
handle->principal,
&handle->lifetime);
context,
ccache,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE)
goto end;
kret = 0;
@@ -210,17 +211,16 @@ static OM_uint32 acquire_initiator_cred
end:
if (cred.client != NULL)
krb5_free_cred_contents(_gsskrb5_context, &cred);
krb5_free_cred_contents(context, &cred);
if (def_princ != NULL)
krb5_free_principal(_gsskrb5_context, def_princ);
krb5_free_principal(context, def_princ);
if (keytab != NULL)
krb5_kt_close(_gsskrb5_context, keytab);
krb5_kt_close(context, keytab);
if (ret != GSS_S_COMPLETE) {
if (ccache != NULL)
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
if (kret != 0) {
*minor_status = kret;
_gsskrb5_set_error_string ();
}
}
return (ret);
@@ -228,6 +228,7 @@ end:
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -242,7 +243,7 @@ static OM_uint32 acquire_acceptor_cred
kret = 0;
ret = GSS_S_FAILURE;
kret = get_keytab(&handle->keytab);
kret = get_keytab(context, &handle->keytab);
if (kret)
goto end;
@@ -250,21 +251,20 @@ static OM_uint32 acquire_acceptor_cred
if (handle->principal) {
krb5_keytab_entry entry;
kret = krb5_kt_get_entry(_gsskrb5_context, handle->keytab,
kret = krb5_kt_get_entry(context, handle->keytab,
handle->principal, 0, 0, &entry);
if (kret)
goto end;
krb5_kt_free_entry(_gsskrb5_context, &entry);
krb5_kt_free_entry(context, &entry);
}
ret = GSS_S_COMPLETE;
end:
if (ret != GSS_S_COMPLETE) {
if (handle->keytab != NULL)
krb5_kt_close(_gsskrb5_context, handle->keytab);
krb5_kt_close(context, handle->keytab);
if (kret != 0) {
*minor_status = kret;
_gsskrb5_set_error_string ();
}
}
return (ret);
@@ -281,6 +281,7 @@ OM_uint32 _gsskrb5_acquire_cred
OM_uint32 * time_rec
)
{
krb5_context context;
gsskrb5_cred handle;
OM_uint32 ret;
@@ -289,7 +290,7 @@ OM_uint32 _gsskrb5_acquire_cred
return GSS_S_FAILURE;
}
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT(&context);
*output_cred_handle = NULL;
if (time_rec)
@@ -320,31 +321,33 @@ OM_uint32 _gsskrb5_acquire_cred
if (desired_name != GSS_C_NO_NAME) {
krb5_principal name = (krb5_principal)desired_name;
ret = krb5_copy_principal(_gsskrb5_context, name, &handle->principal);
ret = krb5_copy_principal(context, name, &handle->principal);
if (ret) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
_gsskrb5_set_error_string();
*minor_status = ret;
free(handle);
return GSS_S_FAILURE;
}
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
ret = acquire_initiator_cred(minor_status, context,
desired_name, time_req,
desired_mechs, cred_usage, handle,
actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
return (ret);
}
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
ret = acquire_acceptor_cred(minor_status, context,
desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
return (ret);
}
@@ -360,15 +363,16 @@ OM_uint32 _gsskrb5_acquire_cred
if (handle->mechanisms != NULL)
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
return (ret);
}
*minor_status = 0;
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
handle->lifetime,
time_rec);
context,
handle->lifetime,
time_rec);
if (ret)
return ret;
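Review bot: In acquire_initiator_cred, when krb5_cc_get_principal fails on a cache that came from krb5_cc_cache_match or krb5_cc_default, the code calls `krb5_cc_destroy(context, ccache)` before falling back to the keytab; krb5_cc_destroy removes the cache rather than just releasing the handle, so a read failure on the caller's default credential cache deletes that cache as a side effect of acquiring a credential. Since the cache was not created by this function at that point (the krb5_cc_gen_new path only runs further down), `krb5_cc_close(context, ccache);` is the appropriate call there. acquire_initiator_cred begins before the hunk and the `end:` cleanup is in a later hunk, so I could not confirm whether anything else relies on the cache being gone.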


@@ -48,6 +48,7 @@ OM_uint32 _gsskrb5_add_cred (
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
krb5_context context;
OM_uint32 ret, lifetime;
gsskrb5_cred cred, handle;
krb5_const_principal dname;
@@ -56,6 +57,8 @@ OM_uint32 _gsskrb5_add_cred (
cred = (gsskrb5_cred)input_cred_handle;
dname = (krb5_const_principal)desired_name;
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_S_BAD_MECH;
@@ -83,7 +86,7 @@ OM_uint32 _gsskrb5_add_cred (
/* check that we have the same name */
if (dname != NULL &&
krb5_principal_compare(_gsskrb5_context, dname,
krb5_principal_compare(context, dname,
cred->principal) != FALSE) {
if (output_cred_handle)
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
@@ -112,7 +115,7 @@ OM_uint32 _gsskrb5_add_cred (
ret = GSS_S_FAILURE;
kret = krb5_copy_principal(_gsskrb5_context, cred->principal,
kret = krb5_copy_principal(context, cred->principal,
&handle->principal);
if (kret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
@@ -127,7 +130,7 @@ OM_uint32 _gsskrb5_add_cred (
ret = GSS_S_FAILURE;
kret = krb5_kt_get_type(_gsskrb5_context, cred->keytab,
kret = krb5_kt_get_type(context, cred->keytab,
name, KRB5_KT_PREFIX_MAX_LEN);
if (kret) {
*minor_status = kret;
@@ -136,7 +139,7 @@ OM_uint32 _gsskrb5_add_cred (
len = strlen(name);
name[len++] = ':';
kret = krb5_kt_get_name(_gsskrb5_context, cred->keytab,
kret = krb5_kt_get_name(context, cred->keytab,
name + len,
sizeof(name) - len);
if (kret) {
@@ -144,7 +147,7 @@ OM_uint32 _gsskrb5_add_cred (
goto failure;
}
kret = krb5_kt_resolve(_gsskrb5_context, name,
kret = krb5_kt_resolve(context, name,
&handle->keytab);
if (kret){
*minor_status = kret;
@@ -158,21 +161,21 @@ OM_uint32 _gsskrb5_add_cred (
ret = GSS_S_FAILURE;
type = krb5_cc_get_type(_gsskrb5_context, cred->ccache);
type = krb5_cc_get_type(context, cred->ccache);
if (type == NULL){
*minor_status = ENOMEM;
goto failure;
}
if (strcmp(type, "MEMORY") == 0) {
ret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
ret = krb5_cc_gen_new(context, &krb5_mcc_ops,
&handle->ccache);
if (ret) {
*minor_status = ret;
goto failure;
}
ret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache,
ret = krb5_cc_copy_cache(context, cred->ccache,
handle->ccache);
if (ret) {
*minor_status = ret;
@@ -180,7 +183,7 @@ OM_uint32 _gsskrb5_add_cred (
}
} else {
name = krb5_cc_get_name(_gsskrb5_context, cred->ccache);
name = krb5_cc_get_name(context, cred->ccache);
if (name == NULL) {
*minor_status = ENOMEM;
goto failure;
@@ -192,7 +195,7 @@ OM_uint32 _gsskrb5_add_cred (
goto failure;
}
kret = krb5_cc_resolve(_gsskrb5_context, type_name,
kret = krb5_cc_resolve(context, type_name,
&handle->ccache);
free(type_name);
if (kret) {
@@ -234,11 +237,11 @@ OM_uint32 _gsskrb5_add_cred (
if (handle) {
if (handle->principal)
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
if (handle->keytab)
krb5_kt_close(_gsskrb5_context, handle->keytab);
krb5_kt_close(context, handle->keytab);
if (handle->ccache)
krb5_cc_destroy(_gsskrb5_context, handle->ccache);
krb5_cc_destroy(context, handle->ccache);
if (handle->mechanisms)
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
free(handle);
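Review bot: In _gsskrb5_add_cred the MEMORY-ccache branch assigns the krb5_error_code from `krb5_cc_gen_new` and `krb5_cc_copy_cache` to `ret`, the OM_uint32 major status, and then jumps to `failure` with that value; every other branch in this section keeps `ret = GSS_S_FAILURE` and puts the Kerberos error in `kret`, so on these two failures the caller presumably receives a raw krb5 error code as the major status (the return at `failure` is outside the hunk). Use the same shape as the neighbouring branches: `kret = krb5_cc_gen_new(context, &krb5_mcc_ops, &handle->ccache); if (kret) { *minor_status = kret; goto failure; }` and likewise for the krb5_cc_copy_cache call. _gsskrb5_add_cred starts and ends outside the hunk.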


@@ -36,7 +36,8 @@
#include <roken.h>
krb5_error_code
_gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type,
_gsskrb5i_address_to_krb5addr(krb5_context context,
OM_uint32 gss_addr_type,
gss_buffer_desc *gss_addr,
int16_t port,
krb5_address *address)
@@ -61,7 +62,7 @@ _gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type,
return GSS_S_FAILURE;
}
problem = krb5_h_addr2sockaddr (_gsskrb5_context,
problem = krb5_h_addr2sockaddr (context,
addr_type,
gss_addr->value,
&sa,
@@ -70,7 +71,7 @@ _gsskrb5i_address_to_krb5addr(OM_uint32 gss_addr_type,
if (problem)
return GSS_S_FAILURE;
problem = krb5_sockaddr2address (_gsskrb5_context, &sa, address);
problem = krb5_sockaddr2address (context, &sa, address);
return problem;
}
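Review bot: _gsskrb5i_address_to_krb5addr is declared to return krb5_error_code, yet the two early exits in this section return `GSS_S_FAILURE`, a GSS major-status value, while the final `return problem;` yields a Kerberos error code; a caller that stores the result in *minor_status will report a meaningless minor code for the first two cases. After krb5_h_addr2sockaddr the Kerberos error is already in `problem`, so `if (problem) return problem;` is the consistent form; the earlier `return GSS_S_FAILURE;` (whose condition lies outside the hunk) should likewise return a krb5_error_code. Since this commit already changes the prototype to add the context parameter, the header declaration is being touched anyway and the return convention could be settled at the same time.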


@@ -114,7 +114,8 @@ arcfour_mic_key(krb5_context context, krb5_keyblock *key,
static krb5_error_code
arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
arcfour_mic_cksum(krb5_context context,
krb5_keyblock *key, unsigned usage,
u_char *sgn_cksum, size_t sgn_cksum_sz,
const u_char *v1, size_t l1,
const void *v2, size_t l2,
@@ -138,13 +139,13 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
memcpy(ptr + l1, v2, l2);
memcpy(ptr + l1 + l2, v3, l3);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
free(ptr);
return ret;
}
ret = krb5_create_checksum(_gsskrb5_context,
ret = krb5_create_checksum(context,
crypto,
usage,
0,
@@ -155,7 +156,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
free_Checksum(&CKSUM);
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return ret;
}
@@ -164,6 +165,7 @@ arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
OM_uint32
_gssapi_get_mic_arcfour(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -200,7 +202,8 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
p = NULL;
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
ret = arcfour_mic_cksum(context,
key, KRB5_KU_USAGE_SIGN,
p0 + 16, 8, /* SGN_CKSUM */
p0, 8, /* TOK_ID, SGN_ALG, Filer */
message_buffer->value, message_buffer->length,
@@ -211,7 +214,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_FAILURE;
}
ret = arcfour_mic_key(_gsskrb5_context, key,
ret = arcfour_mic_key(context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
@@ -221,13 +224,13 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
}
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
context_handle->auth_context,
&seq_number);
p = p0 + 8; /* SND_SEQ */
_gsskrb5_encode_be_om_uint32(seq_number, p);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -248,6 +251,7 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
OM_uint32
_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -279,7 +283,8 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_BAD_MIC;
p += 4;
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
ret = arcfour_mic_cksum(context,
key, KRB5_KU_USAGE_SIGN,
cksum_data, sizeof(cksum_data),
p - 8, 8,
message_buffer->value, message_buffer->length,
@@ -289,7 +294,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
return GSS_S_FAILURE;
}
ret = arcfour_mic_key(_gsskrb5_context, key,
ret = arcfour_mic_key(context, key,
cksum_data, sizeof(cksum_data),
k6_data, sizeof(k6_data));
if (ret) {
@@ -339,6 +344,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
OM_uint32
_gssapi_wrap_arcfour(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -396,13 +402,13 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
p = NULL;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
context_handle->auth_context,
&seq_number);
_gsskrb5_encode_be_om_uint32(seq_number, p0 + 8);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -420,7 +426,8 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if (!IS_DCE_STYLE(context_handle))
p[input_message_buffer->length] = 1; /* padding */
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
ret = arcfour_mic_cksum(context,
key, KRB5_KU_USAGE_SEAL,
p0 + 16, 8, /* SGN_CKSUM */
p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
p0 + 24, 8, /* Confounder */
@@ -442,7 +449,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
for (i = 0; i < 16; i++)
Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
}
ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
ret = arcfour_mic_key(context, &Klocal,
p0 + 8, 4, /* SND_SEQ */
k6_data, sizeof(k6_data));
memset(Klocaldata, 0, sizeof(Klocaldata));
@@ -463,7 +470,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
}
memset(k6_data, 0, sizeof(k6_data));
ret = arcfour_mic_key(_gsskrb5_context, key,
ret = arcfour_mic_key(context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
@@ -490,6 +497,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
@@ -562,7 +570,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
return GSS_S_BAD_MIC;
p = NULL;
ret = arcfour_mic_key(_gsskrb5_context, key,
ret = arcfour_mic_key(context, key,
p0 + 16, 8, /* SGN_CKSUM */
k6_data, sizeof(k6_data));
if (ret) {
@@ -601,7 +609,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
for (i = 0; i < 16; i++)
Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
}
ret = arcfour_mic_key(_gsskrb5_context, &Klocal,
ret = arcfour_mic_key(context, &Klocal,
SND_SEQ, 4,
k6_data, sizeof(k6_data));
memset(Klocaldata, 0, sizeof(Klocaldata));
@@ -643,7 +651,8 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
output_message_buffer->length -= padlen;
}
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
ret = arcfour_mic_cksum(context,
key, KRB5_KU_USAGE_SEAL,
cksum_data, sizeof(cksum_data),
p0, 8,
Confounder, sizeof(Confounder),
@@ -721,6 +730,7 @@ max_wrap_length_arcfour(const gsskrb5_ctx ctx,
OM_uint32
_gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
@@ -730,9 +740,8 @@ _gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
krb5_error_code ret;
krb5_crypto crypto;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -740,13 +749,12 @@ _gssapi_wrap_size_arcfour(OM_uint32 *minor_status,
ret = max_wrap_length_arcfour(ctx, crypto,
req_output_size, max_input_size);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_COMPLETE;
}


@@ -42,11 +42,12 @@ _gsskrb5_krb5_ccache_name(OM_uint32 *minor_status,
const char *name,
const char **out_name)
{
krb5_context context;
krb5_error_code kret;
*minor_status = 0;
GSSAPI_KRB5_INIT();
GSSAPI_KRB5_INIT(&context);
if (out_name) {
const char *n;
@@ -56,10 +57,9 @@ _gsskrb5_krb5_ccache_name(OM_uint32 *minor_status,
last_out_name = NULL;
}
n = krb5_cc_default_name(_gsskrb5_context);
n = krb5_cc_default_name(context);
if (n == NULL) {
*minor_status = ENOMEM;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
last_out_name = strdup(n);
@@ -70,10 +70,9 @@ _gsskrb5_krb5_ccache_name(OM_uint32 *minor_status,
*out_name = last_out_name;
}
kret = krb5_cc_set_default_name(_gsskrb5_context, name);
kret = krb5_cc_set_default_name(context, name);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
return GSS_S_COMPLETE;
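Review bot: `last_out_name` is still a function-static shared by every thread (assigned at `last_out_name = strdup(n);` and handed out through `*out_name = last_out_name;`) with no lock around it, so two threads calling `_gsskrb5_krb5_ccache_name` concurrently can free a name the other thread is still reading; now that the krb5_context is per-thread this is the only cross-thread state left in the function and it is unprotected. Separately, `krb5_cc_set_default_name(context, name)` now changes the default only for the calling thread's context, which is the semantic change the commit message alludes to; a comment such as `/* Per-thread: only krb5_context objects of the calling thread see this default name. */` above that call would make it explicit to callers of gss_krb5_ccache_name. The function's signature and its return are outside the hunks.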


@@ -43,7 +43,8 @@ RCSID("$Id$");
#define CFXAcceptorSubkey (1 << 2)
krb5_error_code
_gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
_gsskrb5cfx_wrap_length_cfx(krb5_context context,
krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
size_t *output_length,
@@ -57,11 +58,11 @@ _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
*output_length = sizeof(gss_cfx_wrap_token_desc);
*padlength = 0;
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
ret = krb5_crypto_get_checksum_type(context, crypto, &type);
if (ret)
return ret;
ret = krb5_checksumsize(_gsskrb5_context, type, cksumsize);
ret = krb5_checksumsize(context, type, cksumsize);
if (ret)
return ret;
@@ -71,7 +72,7 @@ _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
/* Header is concatenated with data before encryption */
input_length += sizeof(gss_cfx_wrap_token_desc);
ret = krb5_crypto_getpadsize(_gsskrb5_context, crypto, &padsize);
ret = krb5_crypto_getpadsize(context, crypto, &padsize);
if (ret) {
return ret;
}
@@ -83,7 +84,7 @@ _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
input_length += *padlength;
}
*output_length += krb5_get_wrapped_length(_gsskrb5_context,
*output_length += krb5_get_wrapped_length(context,
crypto, input_length);
} else {
/* Checksum is concatenated with data */
@@ -96,7 +97,8 @@ _gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
}
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
_gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
OM_uint32 *output_length)
@@ -116,7 +118,7 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
wrapped_size = input_length + 1;
do {
wrapped_size--;
sz = krb5_get_wrapped_length(_gsskrb5_context,
sz = krb5_get_wrapped_length(context,
crypto, wrapped_size);
} while (wrapped_size && sz > input_length);
if (wrapped_size == 0) {
@@ -136,11 +138,11 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
krb5_cksumtype type;
size_t cksumsize;
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto, &type);
ret = krb5_crypto_get_checksum_type(context, crypto, &type);
if (ret)
return ret;
ret = krb5_checksumsize(_gsskrb5_context, type, &cksumsize);
ret = krb5_checksumsize(context, type, &cksumsize);
if (ret)
return ret;
@@ -157,6 +159,7 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
@@ -166,23 +169,21 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
krb5_error_code ret;
krb5_crypto crypto;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5cfx_max_wrap_length_cfx(crypto, conf_req_flag,
ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag,
req_output_size, max_input_size);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_COMPLETE;
}
@@ -233,6 +234,7 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -250,20 +252,19 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
int32_t seq_number;
u_char *p;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5cfx_wrap_length_cfx(crypto, conf_req_flag,
ret = _gsskrb5cfx_wrap_length_cfx(context,
crypto, conf_req_flag,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -274,7 +275,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(output_message_buffer->length);
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -324,12 +325,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->RRC[1] = 0;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
krb5_auth_con_getlocalseqnumber(context,
context_handle->auth_context,
&seq_number);
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
krb5_auth_con_setlocalseqnumber(context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -364,15 +365,14 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
memcpy(p + input_message_buffer->length + padlength,
token, sizeof(*token));
ret = krb5_encrypt(_gsskrb5_context, crypto,
ret = krb5_encrypt(context, crypto,
usage, p,
input_message_buffer->length + padlength +
sizeof(*token),
&cipher);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
@@ -382,9 +382,8 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
@@ -397,22 +396,21 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
buf = malloc(input_message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
memcpy(buf, input_message_buffer->value, input_message_buffer->length);
memcpy(buf + input_message_buffer->length, token, sizeof(*token));
ret = krb5_create_checksum(_gsskrb5_context, crypto,
ret = krb5_create_checksum(context, crypto,
usage, 0, buf,
input_message_buffer->length +
sizeof(*token),
&cksum);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free(buf);
return GSS_S_FAILURE;
@@ -434,9 +432,8 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(p,
input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free_Checksum(&cksum);
return GSS_S_FAILURE;
@@ -444,7 +441,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
free_Checksum(&cksum);
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (conf_state != NULL) {
*conf_state = conf_req_flag;
@@ -456,6 +453,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
@@ -539,9 +537,8 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/*
* Decrypt and/or verify checksum
*/
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -559,23 +556,22 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Rotate by RRC; bogus to do this in-place XXX */
*minor_status = rrc_rotate(p, len, rrc, TRUE);
if (*minor_status != 0) {
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
if (token_flags & CFXSealed) {
ret = krb5_decrypt(_gsskrb5_context, crypto, usage,
ret = krb5_decrypt(context, crypto, usage,
p, len, &data);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_BAD_MIC;
}
/* Check that there is room for the pad and token header */
if (data.length < ec + sizeof(*token)) {
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
return GSS_S_DEFECTIVE_TOKEN;
}
@@ -588,7 +584,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check the integrity of the header */
if (memcmp(p, token, sizeof(*token)) != 0) {
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
return GSS_S_BAD_MIC;
}
@@ -599,12 +595,11 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
Checksum cksum;
/* Determine checksum type */
ret = krb5_crypto_get_checksum_type(_gsskrb5_context,
ret = krb5_crypto_get_checksum_type(context,
crypto, &cksum.cksumtype);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -613,7 +608,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check we have at least as much data as the checksum */
if (len < cksum.checksum.length) {
*minor_status = ERANGE;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_BAD_MIC;
}
@@ -625,7 +620,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(len + sizeof(*token));
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -642,21 +637,20 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = 0;
token->RRC[1] = 0;
ret = krb5_verify_checksum(_gsskrb5_context, crypto,
ret = krb5_verify_checksum(context, crypto,
usage,
output_message_buffer->value,
len + sizeof(*token),
&cksum);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_BAD_MIC;
}
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (qop_state != NULL) {
*qop_state = GSS_C_QOP_DEFAULT;
@@ -668,6 +662,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -682,9 +677,8 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
size_t len;
int32_t seq_number;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -693,7 +687,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
buf = malloc(len);
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -710,12 +704,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
memset(token->Filler, 0xFF, 5);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(_gsskrb5_context,
krb5_auth_con_getlocalseqnumber(context,
context_handle->auth_context,
&seq_number);
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(_gsskrb5_context,
krb5_auth_con_setlocalseqnumber(context,
context_handle->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -726,16 +720,15 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
}
ret = krb5_create_checksum(_gsskrb5_context, crypto,
ret = krb5_create_checksum(context, crypto,
usage, 0, buf, len, &cksum);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
free(buf);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
/* Determine MIC length */
message_token->length = sizeof(*token) + cksum.checksum.length;
@@ -761,6 +754,7 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state,
@@ -830,19 +824,17 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
/*
* Verify checksum
*/
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_crypto_get_checksum_type(_gsskrb5_context, crypto,
ret = krb5_crypto_get_checksum_type(context, crypto,
&cksum.cksumtype);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -858,20 +850,19 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
buf = malloc(message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
memcpy(buf, message_buffer->value, message_buffer->length);
memcpy(buf + message_buffer->length, token, sizeof(*token));
ret = krb5_verify_checksum(_gsskrb5_context, crypto,
ret = krb5_verify_checksum(context, crypto,
usage,
buf,
sizeof(*token) + message_buffer->length,
&cksum);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (ret != 0) {
_gsskrb5_set_error_string();
*minor_status = ret;
free(buf);
return GSS_S_BAD_MIC;
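Review bot: In `_gssapi_wrap_cfx`, `_gssapi_unwrap_cfx`, `_gssapi_mic_cfx` and `_gssapi_verify_mic_cfx` the new `krb5_context context` parameter is placed directly after `const gsskrb5_ctx context_handle`, so every body now mixes `context` and `context_handle`, two handles of different types whose names differ only by a suffix; a distinct name for the krb5 handle, or at least a one-line comment at the parameter (`/* per-thread krb5 library context, not the GSS security context */`), would avoid misreads when these call sites are edited again. The old prototypes of `_gsskrb5cfx_wrap_length_cfx` and `_gsskrb5cfx_max_wrap_length_cfx` are removed from cfx.h in this commit and no declaration with the new signatures is visible in the diff; if they are not generated into a private header, callers in other translation units would compile against implicit declarations. Most of these functions start or end outside the hunks.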


@@ -62,19 +62,4 @@ typedef struct gss_cfx_delete_token_desc_struct {
u_char SND_SEQ[8];
} gss_cfx_delete_token_desc, *gss_cfx_delete_token;
krb5_error_code
_gsskrb5cfx_wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
size_t *output_length,
size_t *cksumsize,
uint16_t *padlength);
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx(krb5_crypto crypto,
int conf_req_flag,
size_t input_length,
OM_uint32 *output_length);
#endif /* GSSAPI_CFX_H_ */


@@ -44,10 +44,11 @@ OM_uint32 _gsskrb5_compare_name
{
krb5_const_principal princ1 = (krb5_const_principal)name1;
krb5_const_principal princ2 = (krb5_const_principal)name2;
krb5_context context;
GSSAPI_KRB5_INIT();
GSSAPI_KRB5_INIT(&context);
*name_equal = krb5_principal_compare (_gsskrb5_context,
*name_equal = krb5_principal_compare (context,
princ1, princ2);
*minor_status = 0;
return GSS_S_COMPLETE;


@@ -37,7 +37,8 @@ RCSID("$Id$");
static krb5_error_code
check_compat(OM_uint32 *minor_status, krb5_const_principal name,
check_compat(OM_uint32 *minor_status,
krb5_context context, krb5_const_principal name,
const char *option, krb5_boolean *compat,
krb5_boolean match_val)
{
@@ -46,27 +47,27 @@ check_compat(OM_uint32 *minor_status, krb5_const_principal name,
krb5_principal match;
p = krb5_config_get_strings(_gsskrb5_context, NULL, "gssapi",
p = krb5_config_get_strings(context, NULL, "gssapi",
option, NULL);
if(p == NULL)
return 0;
match = NULL;
for(q = p; *q; q++) {
ret = krb5_parse_name(_gsskrb5_context, *q, &match);
ret = krb5_parse_name(context, *q, &match);
if (ret)
break;
if (krb5_principal_match(_gsskrb5_context, name, match)) {
if (krb5_principal_match(context, name, match)) {
*compat = match_val;
break;
}
krb5_free_principal(_gsskrb5_context, match);
krb5_free_principal(context, match);
match = NULL;
}
if (match)
krb5_free_principal(_gsskrb5_context, match);
krb5_free_principal(context, match);
krb5_config_free_strings(p);
if (ret) {
@@ -83,17 +84,19 @@ check_compat(OM_uint32 *minor_status, krb5_const_principal name,
*/
OM_uint32
_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gsskrb5_ctx ctx)
_gss_DES3_get_mic_compat(OM_uint32 *minor_status,
gsskrb5_ctx ctx,
krb5_context context)
{
krb5_boolean use_compat = FALSE;
OM_uint32 ret;
if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) {
ret = check_compat(minor_status, ctx->target,
ret = check_compat(minor_status, context, ctx->target,
"broken_des3_mic", &use_compat, TRUE);
if (ret)
return ret;
ret = check_compat(minor_status, ctx->target,
ret = check_compat(minor_status, context, ctx->target,
"correct_des3_mic", &use_compat, FALSE);
if (ret)
return ret;


@@ -37,8 +37,9 @@ RCSID("$Id$");
OM_uint32
_gsskrb5_lifetime_left(OM_uint32 *minor_status,
OM_uint32 lifetime,
OM_uint32 *lifetime_rec)
krb5_context context,
OM_uint32 lifetime,
OM_uint32 *lifetime_rec)
{
krb5_timestamp timeret;
krb5_error_code kret;
@@ -48,10 +49,9 @@ _gsskrb5_lifetime_left(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
kret = krb5_timeofday(_gsskrb5_context, &timeret);
kret = krb5_timeofday(context, &timeret);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
@@ -70,17 +70,19 @@ OM_uint32 _gsskrb5_context_time
OM_uint32 * time_rec
)
{
krb5_context context;
OM_uint32 lifetime;
OM_uint32 major_status;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
lifetime = ctx->lifetime;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
major_status = _gsskrb5_lifetime_left(minor_status, lifetime, time_rec);
major_status = _gsskrb5_lifetime_left(minor_status, context,
lifetime, time_rec);
if (major_status != GSS_S_COMPLETE)
return major_status;


@@ -38,6 +38,7 @@ RCSID("$Id$");
#if 0
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
krb5_context context,
gss_cred_id_t cred,
krb5_ccache out)
{
@@ -51,11 +52,10 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
kret = krb5_cc_copy_cache(_gsskrb5_context, cred->ccache, out);
kret = krb5_cc_copy_cache(context, cred->ccache, out);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
*minor_status = 0;
@@ -71,13 +71,14 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
krb5_keytab keytab,
gss_cred_id_t *cred)
{
krb5_context context;
krb5_error_code kret;
gsskrb5_cred handle;
OM_uint32 ret;
*cred = NULL;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
@@ -94,11 +95,10 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
handle->usage |= GSS_C_INITIATE;
kret = krb5_cc_get_principal(_gsskrb5_context, id,
kret = krb5_cc_get_principal(context, id,
&handle->principal);
if (kret) {
free(handle);
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -106,11 +106,11 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
if (keytab_principal) {
krb5_boolean match;
match = krb5_principal_compare(_gsskrb5_context,
match = krb5_principal_compare(context,
handle->principal,
keytab_principal);
if (match == FALSE) {
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
_gsskrb5_clear_status ();
*minor_status = EINVAL;
@@ -119,21 +119,22 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
}
ret = __gsskrb5_ccache_lifetime(minor_status,
id,
handle->principal,
&handle->lifetime);
context,
id,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE) {
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
free(handle);
return ret;
}
kret = krb5_cc_get_full_name(_gsskrb5_context, id, &str);
kret = krb5_cc_get_full_name(context, id, &str);
if (kret)
goto out;
kret = krb5_cc_resolve(_gsskrb5_context, str, &handle->ccache);
kret = krb5_cc_resolve(context, str, &handle->ccache);
free(str);
if (kret)
goto out;
@@ -146,18 +147,18 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
handle->usage |= GSS_C_ACCEPT;
if (keytab_principal && handle->principal == NULL) {
kret = krb5_copy_principal(_gsskrb5_context,
kret = krb5_copy_principal(context,
keytab_principal,
&handle->principal);
if (kret)
goto out;
}
kret = krb5_kt_get_full_name(_gsskrb5_context, keytab, &str);
kret = krb5_kt_get_full_name(context, keytab, &str);
if (kret)
goto out;
kret = krb5_kt_resolve(_gsskrb5_context, str, &handle->keytab);
kret = krb5_kt_resolve(context, str, &handle->keytab);
free(str);
if (kret)
goto out;
@@ -180,9 +181,8 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
out:
_gsskrb5_set_error_string ();
if (handle->principal)
krb5_free_principal(_gsskrb5_context, handle->principal);
krb5_free_principal(context, handle->principal);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = kret;
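Review bot: The `out:` cleanup in `_gsskrb5_import_cred` frees `handle->principal` and destroys the mutex but never closes `handle->ccache`, while the keytab path can still `goto out` after `krb5_cc_resolve(context, str, &handle->ccache)` has succeeded; if `id` and `keytab` may both be supplied in one call (the code between the hunks is not visible) the resolved cache leaks on that path, and `handle->keytab` would leak the same way if anything after `krb5_kt_resolve` can fail. Adding `if (handle->ccache) krb5_cc_close(context, handle->ccache);` and the `krb5_kt_close` equivalent at `out:` would close that. Note also that the `gss_krb5_copy_ccache` signature gaining a `krb5_context` parameter is inside `#if 0`, so that part of the change is dead code. The function ends outside the hunk.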


@@ -40,9 +40,10 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
gss_buffer_t output_token)
{
krb5_context context;
gsskrb5_ctx ctx;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
*minor_status = 0;
@@ -59,17 +60,17 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_free (_gsskrb5_context, ctx->auth_context);
krb5_auth_con_free (context, ctx->auth_context);
if(ctx->source)
krb5_free_principal (_gsskrb5_context, ctx->source);
krb5_free_principal (context, ctx->source);
if(ctx->target)
krb5_free_principal (_gsskrb5_context, ctx->target);
krb5_free_principal (context, ctx->target);
if (ctx->ticket)
krb5_free_ticket (_gsskrb5_context, ctx->ticket);
krb5_free_ticket (context, ctx->ticket);
if(ctx->order)
_gssapi_msg_order_destroy(&ctx->order);
if (ctx->service_keyblock)
krb5_free_keyblock (_gsskrb5_context, ctx->service_keyblock);
krb5_free_keyblock (context, ctx->service_keyblock);
krb5_data_free(&ctx->fwd_data);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);


@@ -42,16 +42,17 @@ OM_uint32 _gsskrb5_display_name
gss_OID * output_name_type
)
{
krb5_context context;
krb5_const_principal name = (krb5_const_principal)input_name;
krb5_error_code kret;
char *buf;
size_t len;
GSSAPI_KRB5_INIT ();
kret = krb5_unparse_name (_gsskrb5_context, name, &buf);
GSSAPI_KRB5_INIT (&context);
kret = krb5_unparse_name (context, name, &buf);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
len = strlen (buf);


@@ -1,5 +1,5 @@
/*
* Copyright (c) 1998 - 2005 Kungliga Tekniska H<>gskolan
* Copyright (c) 1998 - 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -114,117 +114,87 @@ supplementary_error(OM_uint32 v)
void
_gsskrb5_clear_status (void)
{
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1);
if (ctx == NULL)
krb5_context context;
if (_gsskrb5_init (&context) != 0)
return;
HEIMDAL_MUTEX_lock(&ctx->mutex);
if (ctx->error_string)
free(ctx->error_string);
ctx->error_string = NULL;
HEIMDAL_MUTEX_unlock(&ctx->mutex);
krb5_clear_error_string(context);
}
void
_gsskrb5_set_status (const char *fmt, ...)
{
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(1);
krb5_context context;
va_list args;
char *str;
if (ctx == NULL)
if (_gsskrb5_init (&context) != 0)
return;
HEIMDAL_MUTEX_lock(&ctx->mutex);
va_start(args, fmt);
if (ctx->error_string)
free(ctx->error_string);
/* ignore failures, will use status code instead */
vasprintf(&ctx->error_string, fmt, args);
vasprintf(&str, fmt, args);
va_end(args);
HEIMDAL_MUTEX_unlock(&ctx->mutex);
}
void
_gsskrb5_set_error_string (void)
{
char *e;
e = krb5_get_error_string(_gsskrb5_context);
if (e) {
_gsskrb5_set_status("%s", e);
krb5_free_error_string(_gsskrb5_context, e);
} else
_gsskrb5_clear_status();
}
char *
_gsskrb5_get_error_string (void)
{
struct gssapi_thr_context *ctx = _gsskrb5_get_thread_context(0);
char *ret;
if (ctx == NULL)
return NULL;
HEIMDAL_MUTEX_lock(&ctx->mutex);
ret = ctx->error_string;
ctx->error_string = NULL;
HEIMDAL_MUTEX_unlock(&ctx->mutex);
return ret;
if (str) {
krb5_set_error_string(context, str);
free(str);
}
}
OM_uint32 _gsskrb5_display_status
(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32 *message_context,
gss_buffer_t status_string)
(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32 *message_context,
gss_buffer_t status_string)
{
char *buf;
krb5_context context;
char *buf;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
status_string->length = 0;
status_string->value = NULL;
status_string->length = 0;
status_string->value = NULL;
if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_C_GSS_CODE;
}
if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_C_GSS_CODE;
}
if (status_type == GSS_C_GSS_CODE) {
if (GSS_SUPPLEMENTARY_INFO(status_value))
asprintf(&buf, "%s",
supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
else
asprintf (&buf, "%s %s",
calling_error(GSS_CALLING_ERROR(status_value)),
routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
buf = _gsskrb5_get_error_string ();
if (buf == NULL) {
const char *tmp = krb5_get_err_text (_gsskrb5_context,
status_value);
if (tmp == NULL)
asprintf(&buf, "unknown mech error-code %u",
(unsigned)status_value);
else
buf = strdup(tmp);
}
} else {
*minor_status = EINVAL;
return GSS_S_BAD_STATUS;
}
if (status_type == GSS_C_GSS_CODE) {
if (GSS_SUPPLEMENTARY_INFO(status_value))
asprintf(&buf, "%s",
supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
else
asprintf (&buf, "%s %s",
calling_error(GSS_CALLING_ERROR(status_value)),
routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
buf = krb5_get_error_string(context);
if (buf == NULL) {
const char *tmp = krb5_get_err_text (context, status_value);
if (tmp == NULL)
asprintf(&buf, "unknown mech error-code %u",
(unsigned)status_value);
else
buf = strdup(tmp);
}
} else {
*minor_status = EINVAL;
return GSS_S_BAD_STATUS;
}
if (buf == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
if (buf == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
*message_context = 0;
*minor_status = 0;
*message_context = 0;
*minor_status = 0;
status_string->length = strlen(buf);
status_string->value = buf;
status_string->length = strlen(buf);
status_string->value = buf;
return GSS_S_COMPLETE;
return GSS_S_COMPLETE;
}
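Review bot: In `_gsskrb5_set_status`, `char *str;` is left uninitialized and the return value of `vasprintf(&str, fmt, args);` is not checked; on allocation failure glibc leaves the pointer indeterminate, so the following `if (str)` can hand garbage to `krb5_set_error_string` and `free`. Replacing the call with `if (vasprintf(&str, fmt, args) < 0) str = NULL;` makes the existing "ignore failures, will use status code instead" comment actually hold. The re-indented `asprintf(&buf, ...)` calls in `_gsskrb5_display_status` have the same gap, since `if (buf == NULL)` is only a valid check on platforms that null the pointer on failure; checking the return there too (`if (asprintf(...) < 0) buf = NULL;`) would be consistent.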


@@ -41,16 +41,16 @@ OM_uint32 _gsskrb5_duplicate_name (
gss_name_t * dest_name
)
{
krb5_context context;
krb5_const_principal src = (krb5_const_principal)src_name;
krb5_principal *dest = (krb5_principal *)dest_name;
krb5_error_code kret;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
kret = krb5_copy_principal (_gsskrb5_context, src, dest);
kret = krb5_copy_principal (context, src, dest);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
} else {
*minor_status = 0;


@@ -41,16 +41,17 @@ OM_uint32 _gsskrb5_export_name
gss_buffer_t exported_name
)
{
krb5_context context;
krb5_const_principal princ = (krb5_const_principal)input_name;
krb5_error_code kret;
char *buf, *name;
size_t len;
GSSAPI_KRB5_INIT ();
kret = krb5_unparse_name (_gsskrb5_context, princ, &name);
GSSAPI_KRB5_INIT (&context);
kret = krb5_unparse_name (context, princ, &name);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}
len = strlen (name);


@@ -42,6 +42,7 @@ _gsskrb5_export_sec_context (
gss_buffer_t interprocess_token
)
{
krb5_context context;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) *context_handle;
krb5_storage *sp;
krb5_auth_context ac;
@@ -52,7 +53,7 @@ _gsskrb5_export_sec_context (
OM_uint32 minor;
krb5_error_code kret;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);


@@ -369,7 +369,7 @@ gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
* Context for krb5 calls.
*/
krb5_context _gsskrb5_context;
krb5_context context;
/*
*
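Review bot: Renaming the file-scope definition to `krb5_context context;` leaves the library with a global whose name is identical to the `krb5_context context;` local this commit adds in nearly every function; a function that omits the local (now or in a later edit) still compiles and silently uses this global, which nothing in the diff initializes now that the per-thread context comes from `_gsskrb5_init(&context)`, and `-Wshadow` will fire at every use. If the global is no longer referenced, delete the line instead of renaming it; if something still needs it, give it a distinctive name (a constructed example: `_gsskrb5_legacy_context`) and a comment saying why it survives the move to per-thread contexts. The comment above it, `Context for krb5 calls.`, no longer describes the state of affairs either.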


@@ -39,6 +39,7 @@ static OM_uint32
mic_des
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -94,9 +95,9 @@ mic_des
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
krb5_auth_con_getlocalseqnumber (context,
ctx->auth_context,
&seq_number);
p -= 16; /* SND_SEQ */
p[0] = (seq_number >> 0) & 0xFF;
@@ -111,7 +112,7 @@ mic_des
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -127,6 +128,7 @@ static OM_uint32
mic_des3
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
@@ -180,18 +182,17 @@ mic_des3
memcpy (tmp, p - 8, 8);
memcpy (tmp + 8, message_buffer->value, message_buffer->length);
kret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
kret = krb5_crypto_init(context, key, 0, &crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
free (tmp);
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
kret = krb5_create_checksum (_gsskrb5_context,
kret = krb5_create_checksum (context,
crypto,
KRB5_KU_USAGE_SIGN,
0,
@@ -199,12 +200,11 @@ mic_des3
message_buffer->length + 8,
&cksum);
free (tmp);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -213,7 +213,7 @@ mic_des3
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
ctx->auth_context,
&seq_number);
@@ -225,13 +225,12 @@ mic_des3
(ctx->more_flags & LOCAL) ? 0 : 0xFF,
4);
kret = krb5_crypto_init(_gsskrb5_context, key,
kret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -241,16 +240,15 @@ mic_des3
else
memcpy(ivec, p + 8, 8);
kret = krb5_encrypt_ivec (_gsskrb5_context,
kret = krb5_encrypt_ivec (context,
crypto,
KRB5_KU_USAGE_SEQ,
seq, 8, &encdata, ivec);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (kret) {
free (message_token->value);
message_token->value = NULL;
message_token->length = 0;
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -260,7 +258,7 @@ mic_des3
memcpy (p, encdata.data, encdata.length);
krb5_data_free (&encdata);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -278,40 +276,42 @@ OM_uint32 _gsskrb5_get_mic
gss_buffer_t message_token
)
{
krb5_context context;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = mic_des (minor_status, ctx, qop_req,
ret = mic_des (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
case KEYTYPE_DES3 :
ret = mic_des3 (minor_status, ctx, qop_req,
ret = mic_des3 (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_get_mic_arcfour (minor_status, ctx, qop_req,
ret = _gssapi_get_mic_arcfour (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
default :
ret = _gssapi_mic_cfx (minor_status, ctx, qop_req,
ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
return ret;
}
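Review bot: The rewritten `krb5_enctype_to_keytype (context, key->keytype, &keytype);` in `_gsskrb5_get_mic` still discards its return value, and `keytype` is declared without an initialiser, so if the lookup fails without storing a value the `switch` dispatches on an indeterminate keytype and falls into the CFX path with a key it could not classify. Since the commit is touching this line anyway, check it: `ret = krb5_enctype_to_keytype (context, key->keytype, &keytype);` followed by `if (ret) { krb5_free_keyblock (context, key); *minor_status = ret; return GSS_S_FAILURE; }`. Whether a failing lookup leaves `keytype` untouched depends on the krb5 implementation, which is not visible here, so the explicit check is the safer form either way.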


@@ -100,8 +100,6 @@ typedef struct Principal *gsskrb5_name;
*
*/
extern krb5_context _gsskrb5_context;
extern krb5_keytab _gsskrb5_keytab;
extern HEIMDAL_MUTEX gssapi_keytab_mutex;
@@ -116,9 +114,9 @@ struct gssapi_thr_context {
#include <krb5/gsskrb5-private.h>
#define GSSAPI_KRB5_INIT() do { \
#define GSSAPI_KRB5_INIT(ctx) do { \
krb5_error_code kret_gss_init; \
if((kret_gss_init = _gsskrb5_init ()) != 0) { \
if((kret_gss_init = _gsskrb5_init (ctx)) != 0) { \
*minor_status = kret_gss_init; \
return GSS_S_FAILURE; \
} \


@@ -37,19 +37,19 @@ RCSID("$Id$");
static OM_uint32
parse_krb5_name (OM_uint32 *minor_status,
krb5_context context,
const char *name,
gss_name_t *output_name)
{
krb5_principal princ;
krb5_error_code kerr;
kerr = krb5_parse_name (_gsskrb5_context, name, &princ);
kerr = krb5_parse_name (context, name, &princ);
if (kerr == 0) {
*output_name = (gss_name_t)princ;
return GSS_S_COMPLETE;
}
_gsskrb5_set_error_string ();
*minor_status = kerr;
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
@@ -60,6 +60,7 @@ parse_krb5_name (OM_uint32 *minor_status,
static OM_uint32
import_krb5_name (OM_uint32 *minor_status,
krb5_context context,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
@@ -76,7 +77,7 @@ import_krb5_name (OM_uint32 *minor_status,
input_name_buffer->length);
tmp[input_name_buffer->length] = '\0';
ret = parse_krb5_name(minor_status, tmp, output_name);
ret = parse_krb5_name(minor_status, context, tmp, output_name);
free(tmp);
return ret;
@@ -84,6 +85,7 @@ import_krb5_name (OM_uint32 *minor_status,
static OM_uint32
import_hostbased_name (OM_uint32 *minor_status,
krb5_context context,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
@@ -117,7 +119,7 @@ import_hostbased_name (OM_uint32 *minor_status,
host = local_hostname;
}
kerr = krb5_sname_to_principal (_gsskrb5_context,
kerr = krb5_sname_to_principal (context,
host,
tmp,
KRB5_NT_SRV_HST,
@@ -128,8 +130,6 @@ import_hostbased_name (OM_uint32 *minor_status,
*output_name = (gss_name_t)princ;
return GSS_S_COMPLETE;
}
_gsskrb5_set_error_string ();
*minor_status = kerr;
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
return GSS_S_BAD_NAME;
@@ -139,6 +139,7 @@ import_hostbased_name (OM_uint32 *minor_status,
static OM_uint32
import_export_name (OM_uint32 *minor_status,
krb5_context context,
const gss_buffer_t input_name_buffer,
gss_name_t *output_name)
{
@@ -178,7 +179,7 @@ import_export_name (OM_uint32 *minor_status,
memcpy(name, p, length);
name[length] = '\0';
ret = parse_krb5_name(minor_status, name, output_name);
ret = parse_krb5_name(minor_status, context, name, output_name);
free(name);
return ret;
@@ -191,14 +192,17 @@ OM_uint32 _gsskrb5_import_name
gss_name_t * output_name
)
{
GSSAPI_KRB5_INIT ();
krb5_context context;
*minor_status = 0;
*output_name = GSS_C_NO_NAME;
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE) ||
gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE_X))
return import_hostbased_name (minor_status,
context,
input_name_buffer,
output_name);
else if (gss_oid_equal(input_name_type, GSS_C_NO_OID)
@@ -206,10 +210,12 @@ OM_uint32 _gsskrb5_import_name
|| gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME))
/* default printable syntax */
return import_krb5_name (minor_status,
context,
input_name_buffer,
output_name);
else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) {
return import_export_name(minor_status,
context,
input_name_buffer,
output_name);
} else {


@@ -43,6 +43,7 @@ _gsskrb5_import_sec_context (
)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_context context;
krb5_error_code kret;
krb5_storage *sp;
krb5_auth_context ac;
@@ -56,7 +57,7 @@ _gsskrb5_import_sec_context (
gsskrb5_ctx ctx;
gss_name_t name;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
*context_handle = GSS_C_NO_CONTEXT;
@@ -77,10 +78,9 @@ _gsskrb5_import_sec_context (
}
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (_gsskrb5_context,
kret = krb5_auth_con_init (context,
&ctx->auth_context);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -108,11 +108,11 @@ _gsskrb5_import_sec_context (
goto failure;
}
krb5_auth_con_setaddrs (_gsskrb5_context, ac, localp, remotep);
krb5_auth_con_setaddrs (context, ac, localp, remotep);
if (localp)
krb5_free_address (_gsskrb5_context, localp);
krb5_free_address (context, localp);
if (remotep)
krb5_free_address (_gsskrb5_context, remotep);
krb5_free_address (context, remotep);
localp = remotep = NULL;
if (krb5_ret_int16 (sp, &ac->local_port) != 0)
@@ -123,20 +123,20 @@ _gsskrb5_import_sec_context (
if (flags & SC_KEYBLOCK) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
krb5_auth_con_setkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (flags & SC_LOCAL_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setlocalsubkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
krb5_auth_con_setlocalsubkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (flags & SC_REMOTE_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setremotesubkey (_gsskrb5_context, ac, &keyblock);
krb5_free_keyblock_contents (_gsskrb5_context, &keyblock);
krb5_auth_con_setremotesubkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (krb5_ret_uint32 (sp, &ac->local_seqnumber))
goto failure;
@@ -209,16 +209,16 @@ _gsskrb5_import_sec_context (
return GSS_S_COMPLETE;
failure:
krb5_auth_con_free (_gsskrb5_context,
krb5_auth_con_free (context,
ctx->auth_context);
if (ctx->source != NULL)
krb5_free_principal(_gsskrb5_context, ctx->source);
krb5_free_principal(context, ctx->source);
if (ctx->target != NULL)
krb5_free_principal(_gsskrb5_context, ctx->target);
krb5_free_principal(context, ctx->target);
if (localp)
krb5_free_address (_gsskrb5_context, localp);
krb5_free_address (context, localp);
if (remotep)
krb5_free_address (_gsskrb5_context, remotep);
krb5_free_address (context, remotep);
if(ctx->order)
_gssapi_msg_order_destroy(&ctx->order);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);


@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2001, 2003, 2006 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -35,77 +35,49 @@
RCSID("$Id$");
static HEIMDAL_MUTEX _gsskrb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER;
static HEIMDAL_MUTEX context_mutex = HEIMDAL_MUTEX_INITIALIZER;
static int created_key;
static HEIMDAL_thread_key gssapi_context_key;
static HEIMDAL_thread_key context_key;
static void
gssapi_destroy_thread_context(void *ptr)
destroy_context(void *ptr)
{
struct gssapi_thr_context *ctx = ptr;
krb5_context context = ptr;
if (ctx == NULL)
if (context == NULL)
return;
if (ctx->error_string)
free(ctx->error_string);
HEIMDAL_MUTEX_destroy(&ctx->mutex);
free(ctx);
}
struct gssapi_thr_context *
_gsskrb5_get_thread_context(int createp)
{
struct gssapi_thr_context *ctx;
int ret;
HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex);
if (!created_key)
abort();
ctx = HEIMDAL_getspecific(gssapi_context_key);
if (ctx == NULL) {
if (!createp)
goto fail;
ctx = malloc(sizeof(*ctx));
if (ctx == NULL)
goto fail;
ctx->error_string = NULL;
HEIMDAL_MUTEX_init(&ctx->mutex);
HEIMDAL_setspecific(gssapi_context_key, ctx, ret);
if (ret)
goto fail;
}
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
return ctx;
fail:
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
if (ctx)
free(ctx);
return NULL;
krb5_free_context(context);
}
krb5_error_code
_gsskrb5_init (void)
_gsskrb5_init (krb5_context *context)
{
krb5_error_code ret = 0;
HEIMDAL_MUTEX_lock(&_gsskrb5_context_mutex);
HEIMDAL_MUTEX_lock(&context_mutex);
if(_gsskrb5_context == NULL)
ret = krb5_init_context (&_gsskrb5_context);
if (ret == 0 && !created_key) {
HEIMDAL_key_create(&gssapi_context_key,
gssapi_destroy_thread_context,
ret);
if (!created_key) {
HEIMDAL_key_create(&context_key, destroy_context, ret);
if (ret) {
krb5_free_context(_gsskrb5_context);
_gsskrb5_context = NULL;
} else
created_key = 1;
HEIMDAL_MUTEX_unlock(&context_mutex);
return ret;
}
created_key = 1;
}
HEIMDAL_MUTEX_unlock(&context_mutex);
HEIMDAL_MUTEX_unlock(&_gsskrb5_context_mutex);
*context = HEIMDAL_getspecific(context_key);
if (*context == NULL) {
ret = krb5_init_context(context);
if (ret == 0) {
HEIMDAL_setspecific(context_key, *context, ret);
if (ret) {
krb5_free_context(*context);
*context = NULL;
}
}
}
return ret;
}
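Review bot: `_gsskrb5_init` now creates and caches one `krb5_context` per calling thread, yet neither it nor `destroy_context` documents the consequences: each thread initialises its own context, anything configured on the returned context is visible only to the thread that set it, and the context is released by the TLS destructor rather than by any caller, so the pointer must not be freed or handed to another thread. Suggest a header comment on `_gsskrb5_init`: `/* Return the calling thread's krb5_context, creating it on first use. Owned by the thread's TLS slot (freed by destroy_context); callers must not free it or share it across threads, and settings applied to it are per-thread. */`. The commit message acknowledges the per-thread configuration side effect; stating it in the code is what stops the next maintainer from "fixing" it back into a shared global. Releasing `context_mutex` before `HEIMDAL_getspecific` and `krb5_init_context` is fine, since both touch only the calling thread's slot.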


@@ -41,7 +41,8 @@ RCSID("$Id$");
*/
static OM_uint32
set_addresses (krb5_auth_context ac,
set_addresses (krb5_context context,
krb5_auth_context ac,
const gss_channel_bindings_t input_chan_bindings)
{
/* Port numbers are expected to be in application_data.value,
@@ -64,29 +65,31 @@ set_addresses (krb5_auth_context ac,
ac->remote_port =
*((int16_t *) input_chan_bindings->application_data.value + 1);
kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->acceptor_addrtype,
kret = _gsskrb5i_address_to_krb5addr(context,
input_chan_bindings->acceptor_addrtype,
&input_chan_bindings->acceptor_address,
ac->remote_port,
&acceptor_addr);
if (kret)
return kret;
kret = _gsskrb5i_address_to_krb5addr(input_chan_bindings->initiator_addrtype,
kret = _gsskrb5i_address_to_krb5addr(context,
input_chan_bindings->initiator_addrtype,
&input_chan_bindings->initiator_address,
ac->local_port,
&initiator_addr);
if (kret) {
krb5_free_address (_gsskrb5_context, &acceptor_addr);
krb5_free_address (context, &acceptor_addr);
return kret;
}
kret = krb5_auth_con_setaddrs(_gsskrb5_context,
kret = krb5_auth_con_setaddrs(context,
ac,
&initiator_addr, /* local address */
&acceptor_addr); /* remote address */
krb5_free_address (_gsskrb5_context, &initiator_addr);
krb5_free_address (_gsskrb5_context, &acceptor_addr);
krb5_free_address (context, &initiator_addr);
krb5_free_address (context, &acceptor_addr);
#if 0
free(input_chan_bindings->application_data.value);
@@ -101,6 +104,7 @@ OM_uint32
_gsskrb5_create_ctx(
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
krb5_context context,
const gss_channel_bindings_t input_chan_bindings,
enum gss_ctx_id_t_state state)
{
@@ -127,23 +131,22 @@ _gsskrb5_create_ctx(
ctx->order = NULL;
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (_gsskrb5_context, &ctx->auth_context);
kret = krb5_auth_con_init (context, &ctx->auth_context);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
kret = set_addresses(ctx->auth_context, input_chan_bindings);
kret = set_addresses(context, ctx->auth_context, input_chan_bindings);
if (kret) {
*minor_status = kret;
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
krb5_auth_con_free(_gsskrb5_context, ctx->auth_context);
krb5_auth_con_free(context, ctx->auth_context);
return GSS_S_BAD_BINDINGS;
}
@@ -152,7 +155,7 @@ _gsskrb5_create_ctx(
* We need a sequence number
*/
krb5_auth_con_addflags(_gsskrb5_context,
krb5_auth_con_addflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE |
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
@@ -167,6 +170,7 @@ _gsskrb5_create_ctx(
static OM_uint32
gsskrb5_get_creds(
OM_uint32 * minor_status,
krb5_context context,
krb5_ccache ccache,
gsskrb5_ctx ctx,
krb5_const_principal target_name,
@@ -188,7 +192,7 @@ gsskrb5_get_creds(
if (time_req && time_req != GSS_C_INDEFINITE) {
krb5_timestamp ts;
krb5_timeofday (_gsskrb5_context, &ts);
krb5_timeofday (context, &ts);
this_cred.times.endtime = ts + time_req;
} else {
this_cred.times.endtime = 0;
@@ -196,20 +200,20 @@ gsskrb5_get_creds(
this_cred.session.keytype = KEYTYPE_NULL;
kret = krb5_get_credentials(_gsskrb5_context,
kret = krb5_get_credentials(context,
0,
ccache,
&this_cred,
cred);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
ctx->lifetime = (*cred)->times.endtime;
ret = _gsskrb5_lifetime_left(minor_status, ctx->lifetime, &lifetime_rec);
ret = _gsskrb5_lifetime_left(minor_status, context,
ctx->lifetime, &lifetime_rec);
if (ret) return ret;
if (lifetime_rec == 0) {
@@ -225,14 +229,15 @@ gsskrb5_get_creds(
static OM_uint32
gsskrb5_initiator_ready(
OM_uint32 * minor_status,
gsskrb5_ctx ctx)
gsskrb5_ctx ctx,
krb5_context context)
{
OM_uint32 ret;
int32_t seq_number;
int is_cfx = 0;
OM_uint32 flags = ctx->flags;
krb5_auth_getremoteseqnumber (_gsskrb5_context,
krb5_auth_getremoteseqnumber (context,
ctx->auth_context,
&seq_number);
@@ -255,7 +260,8 @@ gsskrb5_initiator_ready(
*/
static void
do_delegation (krb5_auth_context ac,
do_delegation (krb5_context context,
krb5_auth_context ac,
krb5_ccache ccache,
krb5_creds *cred,
krb5_const_principal name,
@@ -269,11 +275,11 @@ do_delegation (krb5_auth_context ac,
memset (&creds, 0, sizeof(creds));
krb5_data_zero (fwd_data);
kret = krb5_cc_get_principal(_gsskrb5_context, ccache, &creds.client);
kret = krb5_cc_get_principal(context, ccache, &creds.client);
if (kret)
goto out;
kret = krb5_build_principal(_gsskrb5_context,
kret = krb5_build_principal(context,
&creds.server,
strlen(creds.client->realm),
creds.client->realm,
@@ -293,7 +299,7 @@ do_delegation (krb5_auth_context ac,
name->name.name_string.len < 2)
goto out;
kret = krb5_get_forwarded_creds(_gsskrb5_context,
kret = krb5_get_forwarded_creds(context,
ac,
ccache,
KDCOptions2int(fwd_flags),
@@ -308,9 +314,9 @@ do_delegation (krb5_auth_context ac,
*flags |= GSS_C_DELEG_FLAG;
if (creds.client)
krb5_free_principal(_gsskrb5_context, creds.client);
krb5_free_principal(context, creds.client);
if (creds.server)
krb5_free_principal(_gsskrb5_context, creds.server);
krb5_free_principal(context, creds.server);
}
/*
@@ -322,6 +328,7 @@ init_auth
(OM_uint32 * minor_status,
gsskrb5_cred initiator_cred_handle,
gsskrb5_ctx ctx,
krb5_context context,
krb5_const_principal name,
const gss_OID mech_type,
OM_uint32 req_flags,
@@ -356,9 +363,8 @@ init_auth
*actual_mech_type = GSS_KRB5_MECHANISM;
if (initiator_cred_handle == NULL) {
kret = krb5_cc_default (_gsskrb5_context, &ccache);
kret = krb5_cc_default (context, &ccache);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -366,28 +372,27 @@ init_auth
} else
ccache = initiator_cred_handle->ccache;
kret = krb5_cc_get_principal (_gsskrb5_context, ccache, &ctx->source);
kret = krb5_cc_get_principal (context, ccache, &ctx->source);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
kret = krb5_copy_principal (_gsskrb5_context, name, &ctx->target);
kret = krb5_copy_principal (context, name, &ctx->target);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
ret = _gss_DES3_get_mic_compat(minor_status, ctx);
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
goto failure;
ret = gsskrb5_get_creds(minor_status,
context,
ccache,
ctx,
ctx->target,
@@ -400,8 +405,9 @@ init_auth
ctx->lifetime = cred->times.endtime;
ret = _gsskrb5_lifetime_left(minor_status,
ctx->lifetime,
&lifetime_rec);
context,
ctx->lifetime,
&lifetime_rec);
if (ret) {
goto failure;
}
@@ -412,15 +418,14 @@ init_auth
goto failure;
}
krb5_auth_con_setkey(_gsskrb5_context,
krb5_auth_con_setkey(context,
ctx->auth_context,
&cred->session);
kret = krb5_auth_con_generatelocalsubkey(_gsskrb5_context,
kret = krb5_auth_con_generatelocalsubkey(context,
ctx->auth_context,
&cred->session);
if(kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -436,7 +441,7 @@ init_auth
if (!cred->flags.b.ok_as_delegate) {
krb5_boolean delegate;
krb5_appdefault_boolean(_gsskrb5_context,
krb5_appdefault_boolean(context,
"gssapi", name->realm,
"ok-as-delegate", FALSE, &delegate);
if (delegate)
@@ -446,7 +451,8 @@ init_auth
flags = 0;
ap_options = 0;
if (req_flags & GSS_C_DELEG_FLAG)
do_delegation (ctx->auth_context,
do_delegation (context,
ctx->auth_context,
ccache, cred, name, &fwd_data, &flags);
if (req_flags & GSS_C_MUTUAL_FLAG) {
@@ -490,7 +496,7 @@ init_auth
enctype = ctx->auth_context->keyblock->keytype;
kret = krb5_build_authenticator (_gsskrb5_context,
kret = krb5_build_authenticator (context,
ctx->auth_context,
enctype,
cred,
@@ -500,13 +506,12 @@ init_auth
KRB5_KU_AP_REQ_AUTH);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
kret = krb5_build_ap_req (_gsskrb5_context,
kret = krb5_build_ap_req (context,
enctype,
cred,
ap_options,
@@ -514,7 +519,6 @@ init_auth
&outbuf);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
@@ -526,22 +530,22 @@ init_auth
goto failure;
krb5_data_free (&outbuf);
krb5_free_creds(_gsskrb5_context, cred);
krb5_free_creds(context, cred);
free_Checksum(&cksum);
if (initiator_cred_handle == NULL)
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
if (flags & GSS_C_MUTUAL_FLAG) {
ctx->state = INITIATOR_WAIT_FOR_MUTAL;
return GSS_S_CONTINUE_NEEDED;
}
return gsskrb5_initiator_ready(minor_status, ctx);
return gsskrb5_initiator_ready(minor_status, ctx, context);
failure:
if(cred)
krb5_free_creds(_gsskrb5_context, cred);
krb5_free_creds(context, cred);
if (ccache && initiator_cred_handle == NULL)
krb5_cc_close(_gsskrb5_context, ccache);
krb5_cc_close(context, ccache);
return ret;
@@ -551,6 +555,7 @@ static OM_uint32
repl_mutual
(OM_uint32 * minor_status,
gsskrb5_ctx ctx,
krb5_context context,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
@@ -590,28 +595,27 @@ repl_mutual
}
}
kret = krb5_rd_rep (_gsskrb5_context,
kret = krb5_rd_rep (context,
ctx->auth_context,
&indata,
&repl);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
krb5_free_ap_rep_enc_part (_gsskrb5_context,
krb5_free_ap_rep_enc_part (context,
repl);
_gsskrb5i_is_cfx(ctx, &is_cfx);
if (is_cfx) {
krb5_keyblock *key = NULL;
kret = krb5_auth_con_getremotesubkey(_gsskrb5_context,
kret = krb5_auth_con_getremotesubkey(context,
ctx->auth_context,
&key);
if (kret == 0 && key != NULL) {
ctx->more_flags |= ACCEPTOR_SUBKEY;
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
}
}
@@ -619,6 +623,7 @@ repl_mutual
*minor_status = 0;
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
time_rec);
} else {
@@ -632,16 +637,15 @@ repl_mutual
krb5_data outbuf;
/* Do don't do sequence number for the mk-rep */
krb5_auth_con_removeflags(_gsskrb5_context,
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE,
&con_flags);
kret = krb5_mk_rep(_gsskrb5_context,
kret = krb5_mk_rep(context,
ctx->auth_context,
&outbuf);
if (kret) {
_gsskrb5_set_error_string ();
*minor_status = kret;
return GSS_S_FAILURE;
}
@@ -649,13 +653,13 @@ repl_mutual
output_token->length = outbuf.length;
output_token->value = outbuf.data;
krb5_auth_con_removeflags(_gsskrb5_context,
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE,
NULL);
}
return gsskrb5_initiator_ready(minor_status, ctx);
return gsskrb5_initiator_ready(minor_status, ctx, context);
}
/*
@@ -678,12 +682,13 @@ OM_uint32 _gsskrb5_init_sec_context
OM_uint32 * time_rec
)
{
krb5_context context;
gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle;
krb5_const_principal name = (krb5_const_principal)target_name;
gsskrb5_ctx ctx;
OM_uint32 ret;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
output_token->length = 0;
output_token->value = NULL;
@@ -719,6 +724,7 @@ OM_uint32 _gsskrb5_init_sec_context
ret = _gsskrb5_create_ctx(minor_status,
context_handle,
context,
input_chan_bindings,
INITIATOR_START);
if (ret)
@@ -739,6 +745,7 @@ OM_uint32 _gsskrb5_init_sec_context
ret = init_auth(minor_status,
cred,
ctx,
context,
name,
mech_type,
req_flags,
@@ -753,6 +760,7 @@ OM_uint32 _gsskrb5_init_sec_context
case INITIATOR_WAIT_FOR_MUTAL:
ret = repl_mutual(minor_status,
ctx,
context,
mech_type,
req_flags,
time_req,
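Review bot: The position of the new `krb5_context` parameter varies from helper to helper in this file: first in `set_addresses` and `do_delegation`, second in `gsskrb5_get_creds`, third in `_gsskrb5_create_ctx`, fourth in `init_auth`, and last in `gsskrb5_initiator_ready` (`minor_status, ctx, context`), while `repl_mutual` and `_gsskrb5_lifetime_left` put it right after `minor_status`. Since the type never changes and every call site is being rewritten anyway, one rule — krb5_context immediately after `minor_status` for the GSS-style static helpers, first for the plain krb5 helpers — would make a transposed argument stand out and would match `parse_krb5_name` and the `import_*_name` helpers in import_name.c. The `_gss_DES3_get_mic_compat(minor_status, ctx, context)` call suggests the same inconsistency extends into files not in this view.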


@@ -47,6 +47,7 @@ OM_uint32 _gsskrb5_inquire_context (
int * open_context
)
{
krb5_context context;
OM_uint32 ret;
gsskrb5_ctx ctx = (gsskrb5_ctx)context_handle;
gss_name_t name;
@@ -56,6 +57,8 @@ OM_uint32 _gsskrb5_inquire_context (
if (targ_name)
*targ_name = GSS_C_NO_NAME;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (src_name) {
@@ -74,6 +77,7 @@ OM_uint32 _gsskrb5_inquire_context (
if (lifetime_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
lifetime_rec);
if (ret)


@@ -44,6 +44,7 @@ OM_uint32 _gsskrb5_inquire_cred
gss_OID_set * mechanisms
)
{
krb5_context context;
gss_cred_id_t aqcred_init = GSS_C_NO_CREDENTIAL;
gss_cred_id_t aqcred_accept = GSS_C_NO_CREDENTIAL;
gsskrb5_cred acred = NULL, icred = NULL;
@@ -56,6 +57,8 @@ OM_uint32 _gsskrb5_inquire_cred
if (mechanisms)
*mechanisms = GSS_C_NO_OID_SET;
GSSAPI_KRB5_INIT (&context);
if (cred_handle == GSS_C_NO_CREDENTIAL) {
ret = _gsskrb5_acquire_cred(minor_status,
GSS_C_NO_NAME,
@@ -105,7 +108,7 @@ OM_uint32 _gsskrb5_inquire_cred
goto out;
} else if (acred && acred->usage == GSS_C_ACCEPT) {
krb5_principal princ;
*minor_status = krb5_sname_to_principal(_gsskrb5_context, NULL,
*minor_status = krb5_sname_to_principal(context, NULL,
NULL, KRB5_NT_SRV_HST,
&princ);
if (*minor_status) {
@@ -115,7 +118,7 @@ OM_uint32 _gsskrb5_inquire_cred
*output_name = (gss_name_t)princ;
} else {
krb5_principal princ;
*minor_status = krb5_get_default_principal(_gsskrb5_context,
*minor_status = krb5_get_default_principal(context,
&princ);
if (*minor_status) {
ret = GSS_S_FAILURE;
@@ -131,6 +134,7 @@ OM_uint32 _gsskrb5_inquire_cred
if (icred) ilife = icred->lifetime;
ret = _gsskrb5_lifetime_left(minor_status,
context,
min(alife,ilife),
lifetime);
if (ret)


@@ -40,11 +40,14 @@ OM_uint32 _gsskrb5_inquire_cred_by_oid
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
krb5_context context;
gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
krb5_error_code ret;
gss_buffer_desc buffer;
char *str;
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(desired_object, GSS_KRB5_COPY_CCACHE_X) == 0) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
@@ -58,11 +61,10 @@ OM_uint32 _gsskrb5_inquire_cred_by_oid
return GSS_S_FAILURE;
}
ret = krb5_cc_get_full_name(_gsskrb5_context, cred->ccache, &str);
ret = krb5_cc_get_full_name(context, cred->ccache, &str);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
if (ret) {
*minor_status = ret;
_gsskrb5_set_error_string ();
return GSS_S_FAILURE;
}


@@ -106,6 +106,7 @@ enum keytype { ACCEPTOR_KEY, INITIATOR_KEY, TOKEN_KEY };
static OM_uint32 inquire_sec_context_get_subkey
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
enum keytype keytype,
gss_buffer_set_t *data_set)
{
@@ -127,19 +128,13 @@ static OM_uint32 inquire_sec_context_get_subkey
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
switch(keytype) {
case ACCEPTOR_KEY:
ret = _gsskrb5i_get_acceptor_subkey(context_handle, &key);
if (ret)
_gsskrb5_set_error_string ();
ret = _gsskrb5i_get_acceptor_subkey(context_handle, context, &key);
break;
case INITIATOR_KEY:
ret = _gsskrb5i_get_initiator_subkey(context_handle, &key);
if (ret)
_gsskrb5_set_error_string ();
ret = _gsskrb5i_get_initiator_subkey(context_handle, context, &key);
break;
case TOKEN_KEY:
ret = _gsskrb5i_get_token_key(context_handle, &key);
if (ret)
_gsskrb5_set_error_string ();
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
break;
default:
_gsskrb5_set_status("%d is not a valid subkey type", keytype);
@@ -156,17 +151,13 @@ static OM_uint32 inquire_sec_context_get_subkey
}
ret = krb5_store_keyblock(sp, *key);
krb5_free_keyblock (_gsskrb5_context, key);
if (ret) {
_gsskrb5_set_error_string ();
krb5_free_keyblock (context, key);
if (ret)
goto out;
}
ret = krb5_storage_to_data(sp, &data);
if (ret) {
_gsskrb5_set_error_string ();
if (ret)
goto out;
}
{
gss_buffer_desc value;
@@ -193,6 +184,7 @@ out:
static OM_uint32 inquire_sec_context_authz_data
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
unsigned ad_type,
gss_buffer_set_t *data_set)
{
@@ -211,13 +203,12 @@ static OM_uint32 inquire_sec_context_authz_data
return GSS_S_NO_CONTEXT;
}
ret = krb5_ticket_get_authorization_data_type(_gsskrb5_context,
ret = krb5_ticket_get_authorization_data_type(context,
context_handle->ticket,
ad_type,
&data);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -276,6 +267,7 @@ static OM_uint32 inquire_sec_context_has_updated_spnego
static OM_uint32
export_lucid_sec_context_v1(OM_uint32 *minor_status,
gsskrb5_ctx context_handle,
krb5_context context,
gss_buffer_set_t *data_set)
{
krb5_storage *sp = NULL;
@@ -288,8 +280,6 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
*minor_status = 0;
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
_gsskrb5i_is_cfx(context_handle, &is_cfx);
@@ -307,12 +297,12 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
if (ret) goto out;
ret = krb5_store_int32(sp, context_handle->lifetime);
if (ret) goto out;
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
context_handle->auth_context,
&number);
ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
ret = krb5_store_uint32(sp, (uint32_t)number);
krb5_auth_getremoteseqnumber (_gsskrb5_context,
krb5_auth_getremoteseqnumber (context,
context_handle->auth_context,
&number);
ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
@@ -320,7 +310,7 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0);
if (ret) goto out;
ret = _gsskrb5i_get_token_key(context_handle, &key);
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
if (ret) goto out;
if (is_cfx == 0) {
@@ -387,7 +377,7 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
out:
if (key)
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
if (sp)
krb5_storage_free(sp);
if (ret) {
@@ -485,7 +475,6 @@ out:
if (sp)
krb5_storage_free(sp);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
maj_stat = GSS_S_FAILURE;
}
@@ -501,6 +490,7 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
const gss_OID desired_object,
gss_buffer_set_t *data_set)
{
krb5_context context;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
unsigned suffix;
@@ -509,6 +499,8 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
return GSS_S_NO_CONTEXT;
}
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(desired_object, GSS_KRB5_GET_TKT_FLAGS_X)) {
return inquire_sec_context_tkt_flags(minor_status,
ctx,
@@ -520,16 +512,19 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_SUBKEY_X)) {
return inquire_sec_context_get_subkey(minor_status,
ctx,
context,
TOKEN_KEY,
data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_INITIATOR_SUBKEY_X)) {
return inquire_sec_context_get_subkey(minor_status,
ctx,
context,
INITIATOR_KEY,
data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_ACCEPTOR_SUBKEY_X)) {
return inquire_sec_context_get_subkey(minor_status,
ctx,
context,
ACCEPTOR_KEY,
data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
@@ -539,6 +534,7 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
&suffix)) {
return inquire_sec_context_authz_data(minor_status,
ctx,
context,
suffix,
data_set);
} else if (oid_prefix_equal(desired_object,
@@ -547,6 +543,7 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
if (suffix == 1)
return export_lucid_sec_context_v1(minor_status,
ctx,
context,
data_set);
*minor_status = 0;
return GSS_S_FAILURE;


@@ -41,6 +41,7 @@ OM_uint32 _gsskrb5_process_context_token (
const gss_buffer_t token_buffer
)
{
krb5_context context;
OM_uint32 ret = GSS_S_FAILURE;
gss_buffer_desc empty_buffer;
gss_qop_t qop_state;
@@ -48,10 +49,13 @@ OM_uint32 _gsskrb5_process_context_token (
empty_buffer.length = 0;
empty_buffer.value = NULL;
GSSAPI_KRB5_INIT (&context);
qop_state = GSS_C_QOP_DEFAULT;
ret = _gsskrb5_verify_mic_internal(minor_status,
(gsskrb5_ctx)context_handle,
context,
token_buffer, &empty_buffer,
GSS_C_QOP_DEFAULT, "\x01\x02");


@@ -40,6 +40,7 @@ OM_uint32 _gsskrb5_release_cred
gss_cred_id_t * cred_handle
)
{
krb5_context context;
gsskrb5_cred cred;
*minor_status = 0;
@@ -50,21 +51,21 @@ OM_uint32 _gsskrb5_release_cred
cred = (gsskrb5_cred)*cred_handle;
*cred_handle = GSS_C_NO_CREDENTIAL;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (cred->principal != NULL)
krb5_free_principal(_gsskrb5_context, cred->principal);
krb5_free_principal(context, cred->principal);
if (cred->keytab != NULL)
krb5_kt_close(_gsskrb5_context, cred->keytab);
krb5_kt_close(context, cred->keytab);
if (cred->ccache != NULL) {
const krb5_cc_ops *ops;
ops = krb5_cc_get_ops(_gsskrb5_context, cred->ccache);
ops = krb5_cc_get_ops(context, cred->ccache);
if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
krb5_cc_destroy(_gsskrb5_context, cred->ccache);
krb5_cc_destroy(context, cred->ccache);
else
krb5_cc_close(_gsskrb5_context, cred->ccache);
krb5_cc_close(context, cred->ccache);
}
_gsskrb5_release_oid_set(NULL, &cred->mechanisms);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
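Review bot: `GSSAPI_KRB5_INIT (&context);` in `_gsskrb5_release_cred` still runs after `*cred_handle = GSS_C_NO_CREDENTIAL;`, so if obtaining the per-thread context fails and the macro returns early (which the explicit `ret` check on `_gsskrb5_init` elsewhere in this commit suggests it does), the caller's handle has already been cleared while the credential, its keytab and its ccache are never released. Since the init now produces a value the rest of the function needs, it belongs before the handle is consumed: put `GSSAPI_KRB5_INIT (&context);` ahead of `cred = (gsskrb5_cred)*cred_handle;` and `*cred_handle = GSS_C_NO_CREDENTIAL;`. The function body continues outside the hunk.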


@@ -40,16 +40,17 @@ OM_uint32 _gsskrb5_release_name
gss_name_t * input_name
)
{
krb5_context context;
krb5_principal name = (krb5_principal)*input_name;
GSSAPI_KRB5_INIT ();
if (minor_status)
*minor_status = 0;
GSSAPI_KRB5_INIT (&context);
*input_name = GSS_C_NO_NAME;
krb5_free_principal(_gsskrb5_context, name);
krb5_free_principal(context, name);
return GSS_S_COMPLETE;
}
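Review bot: The moved `GSSAPI_KRB5_INIT (&context);` in `_gsskrb5_release_name` now sits after the `if (minor_status)` guard, which shows `minor_status` may legitimately be NULL for this entry point; if the macro stores the krb5 error through `*minor_status` when the thread-local context cannot be initialised (the pattern the other callers in this commit follow), that failure path dereferences NULL. Either confirm the macro tolerates a NULL `minor_status`, or redirect it to a local before the init, e.g. `OM_uint32 junk; if (minor_status == NULL) minor_status = &junk;`. Note also that on init failure `*input_name` is left untouched, so the caller keeps a valid handle, which is the right outcome.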


@@ -41,6 +41,7 @@ gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc;
static OM_uint32
import_cred(OM_uint32 *minor_status,
krb5_context context,
gss_cred_id_t *cred_handle,
const gss_buffer_t value)
{
@@ -71,7 +72,7 @@ import_cred(OM_uint32 *minor_status,
goto out;
}
if (str[0]) {
ret = krb5_cc_resolve(_gsskrb5_context, str, &id);
ret = krb5_cc_resolve(context, str, &id);
if (ret) {
*minor_status = ret;
major_stat = GSS_S_FAILURE;
@@ -84,7 +85,7 @@ import_cred(OM_uint32 *minor_status,
/* keytab principal name */
ret = krb5_ret_string(sp, &str);
if (ret == 0 && str[0])
ret = krb5_parse_name(_gsskrb5_context, str, &keytab_principal);
ret = krb5_parse_name(context, str, &keytab_principal);
if (ret) {
*minor_status = ret;
major_stat = GSS_S_FAILURE;
@@ -101,7 +102,7 @@ import_cred(OM_uint32 *minor_status,
goto out;
}
if (str[0]) {
ret = krb5_kt_resolve(_gsskrb5_context, str, &keytab);
ret = krb5_kt_resolve(context, str, &keytab);
if (ret) {
*minor_status = ret;
major_stat = GSS_S_FAILURE;
@@ -115,11 +116,11 @@ import_cred(OM_uint32 *minor_status,
keytab, cred_handle);
out:
if (id)
krb5_cc_close(_gsskrb5_context, id);
krb5_cc_close(context, id);
if (keytab_principal)
krb5_free_principal(_gsskrb5_context, keytab_principal);
krb5_free_principal(context, keytab_principal);
if (keytab)
krb5_kt_close(_gsskrb5_context, keytab);
krb5_kt_close(context, keytab);
if (str)
free(str);
if (sp)
@@ -136,7 +137,9 @@ _gsskrb5_set_cred_option
const gss_OID desired_object,
const gss_buffer_t value)
{
GSSAPI_KRB5_INIT ();
krb5_context context;
GSSAPI_KRB5_INIT (&context);
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
@@ -144,7 +147,7 @@ _gsskrb5_set_cred_option
}
if (gss_oid_equal(desired_object, GSS_KRB5_IMPORT_CRED_X)) {
return import_cred(minor_status, cred_handle, value);
return import_cred(minor_status, context, cred_handle, value);
}
*minor_status = EINVAL;


@@ -58,9 +58,10 @@ _gsskrb5_set_sec_context_option
const gss_OID desired_object,
const gss_buffer_t value)
{
krb5_context context;
OM_uint32 maj_stat;
GSSAPI_KRB5_INIT ();
GSSAPI_KRB5_INIT (&context);
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
@@ -96,7 +97,7 @@ _gsskrb5_set_sec_context_option
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
krb5_set_dns_canonicalize_hostname(_gsskrb5_context, flag);
krb5_set_dns_canonicalize_hostname(context, flag);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) {
@@ -135,7 +136,7 @@ _gsskrb5_set_sec_context_option
memcpy(str, value->value, value->length);
str[value->length] = '\0';
krb5_set_default_realm(_gsskrb5_context, str);
krb5_set_default_realm(context, str);
free(str);
*minor_status = 0;
@@ -144,7 +145,7 @@ _gsskrb5_set_sec_context_option
} else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
if (value == NULL || value->length == 0) {
krb5_set_send_to_kdc_func(_gsskrb5_context, NULL, NULL);
krb5_set_send_to_kdc_func(context, NULL, NULL);
} else {
struct gsskrb5_send_to_kdc c;
@@ -153,7 +154,7 @@ _gsskrb5_set_sec_context_option
return GSS_S_FAILURE;
}
memcpy(&c, value->value, sizeof(c));
krb5_set_send_to_kdc_func(_gsskrb5_context,
krb5_set_send_to_kdc_func(context,
(krb5_send_to_kdc_func)c.func,
c.ptr);
}
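Review bot: `krb5_set_dns_canonicalize_hostname(context, flag)`, `krb5_set_default_realm(context, str)` and `krb5_set_send_to_kdc_func(context, ...)` now operate on the context returned by `GSSAPI_KRB5_INIT (&context)`, which the commit message describes as per-thread, so an application that configures these options on one thread and performs GSS operations on another silently keeps the defaults there; for the send-to-KDC hook and DNS canonicalization that means KDC traffic or hostname lookups not going where the caller believes they were directed. That behavioural change is not visible from the code and should be stated on the function, e.g. `/* NOTE: the krb5_context is thread-local; options set here affect only the calling thread. */`, and in whatever documents `GSS_KRB5_SEND_TO_KDC_X` and the other option OIDs. While these lines are being touched, the return values of `krb5_set_default_realm` and `krb5_set_send_to_kdc_func` are still discarded; propagating a non-zero result into `*minor_status` with `GSS_S_FAILURE` would avoid reporting success for an option that did not take effect.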


@@ -60,7 +60,8 @@ test_range(const struct range *r, int integ,
size_t cksumsize;
uint16_t padsize;
ret = _gsskrb5cfx_max_wrap_length_cfx(crypto,
ret = _gsskrb5cfx_max_wrap_length_cfx(context,
crypto,
integ,
size,
&max_wrap_size);
@@ -69,7 +70,8 @@ test_range(const struct range *r, int integ,
if (max_wrap_size == 0)
continue;
ret = _gsskrb5cfx_wrap_length_cfx(crypto,
ret = _gsskrb5cfx_wrap_length_cfx(context,
crypto,
integ,
max_wrap_size,
&rsize, &cksumsize, &padsize);
@@ -93,14 +95,16 @@ test_special(krb5_context context, krb5_crypto crypto,
size_t cksumsize;
uint16_t padsize;
ret = _gsskrb5cfx_max_wrap_length_cfx(crypto,
ret = _gsskrb5cfx_max_wrap_length_cfx(context,
crypto,
integ,
testsize,
&max_wrap_size);
if (ret)
krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
ret = _gsskrb5cfx_wrap_length_cfx(crypto,
ret = _gsskrb5cfx_wrap_length_cfx(context,
crypto,
integ,
max_wrap_size,
&rsize, &cksumsize, &padsize);


@@ -73,7 +73,7 @@ copy_import(void)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new");
maj_stat = gss_krb5_copy_ccache(&min_stat, cred1, id);
maj_stat = gss_krb5_copy_ccache(&min_stat, context, cred1, id);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "gss_krb5_copy_ccache");


@@ -175,6 +175,7 @@ static OM_uint32
unwrap_des3
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int * conf_state,
@@ -226,18 +227,16 @@ unwrap_des3
/* decrypt data */
krb5_data tmp;
ret = krb5_crypto_init(_gsskrb5_context, key,
ret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_decrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL,
ret = krb5_decrypt(context, crypto, KRB5_KU_USAGE_SEAL,
p, input_message_buffer->length - len, &tmp);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -259,10 +258,9 @@ unwrap_des3
p -= 28;
ret = krb5_crypto_init(_gsskrb5_context, key,
ret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_FAILURE;
@@ -271,15 +269,14 @@ unwrap_des3
DES_cblock ivec;
memcpy(&ivec, p + 8, 8);
ret = krb5_decrypt_ivec (_gsskrb5_context,
ret = krb5_decrypt_ivec (context,
crypto,
KRB5_KU_USAGE_SEQ,
p, 8, &seq_data,
&ivec);
}
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_FAILURE;
@@ -325,21 +322,19 @@ unwrap_des3
csum.checksum.length = 20;
csum.checksum.data = cksum;
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_verify_checksum (_gsskrb5_context, crypto,
ret = krb5_verify_checksum (context, crypto,
KRB5_KU_USAGE_SIGN,
p + 20,
input_message_buffer->length - len + 8,
&csum);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -367,6 +362,7 @@ OM_uint32 _gsskrb5_unwrap
)
{
krb5_keyblock *key;
krb5_context context;
OM_uint32 ret;
krb5_keytype keytype;
gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;
@@ -374,17 +370,18 @@ OM_uint32 _gsskrb5_unwrap
output_message_buffer->value = NULL;
output_message_buffer->length = 0;
GSSAPI_KRB5_INIT (&context);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
*minor_status = 0;
@@ -395,22 +392,22 @@ OM_uint32 _gsskrb5_unwrap
conf_state, qop_state, key);
break;
case KEYTYPE_DES3 :
ret = unwrap_des3 (minor_status, ctx,
ret = unwrap_des3 (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_unwrap_arcfour (minor_status, ctx,
ret = _gssapi_unwrap_arcfour (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
default :
ret = _gssapi_unwrap_cfx (minor_status, ctx,
ret = _gssapi_unwrap_cfx (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
return ret;
}
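Review bot: `krb5_enctype_to_keytype (context, key->keytype, &keytype);` in `_gsskrb5_unwrap` ignores its return value, so if the lookup fails `keytype` is never written and the `switch` below dispatches on an indeterminate value, most likely landing in the CFX `default` branch with a key of an unexpected type. Since the call is rewritten anyway, check it: `ret = krb5_enctype_to_keytype (context, key->keytype, &keytype); if (ret) { krb5_free_keyblock (context, key); *minor_status = ret; return GSS_S_FAILURE; }`. The same unchecked call appears in `_gsskrb5_verify_mic_internal` (verify_mic.c) and in `_gsskrb5_wrap_size_limit` and `_gsskrb5_wrap` (wrap.c) in this commit.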


@@ -39,6 +39,7 @@ static OM_uint32
verify_mic_des
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -131,6 +132,7 @@ static OM_uint32
verify_mic_des3
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -164,10 +166,9 @@ verify_mic_des3
return GSS_S_BAD_MIC;
p += 4;
ret = krb5_crypto_init(_gsskrb5_context, key,
ret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret){
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
@@ -180,14 +181,13 @@ retry:
else
memcpy(ivec, p + 8, 8);
ret = krb5_decrypt_ivec (_gsskrb5_context,
ret = krb5_decrypt_ivec (context,
crypto,
KRB5_KU_USAGE_SEQ,
p, 8, &seq_data, ivec);
if (ret) {
if (docompat++) {
_gsskrb5_set_error_string ();
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
*minor_status = ret;
return GSS_S_FAILURE;
} else
@@ -197,7 +197,7 @@ retry:
if (seq_data.length != 8) {
krb5_data_free (&seq_data);
if (docompat++) {
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
return GSS_S_BAD_MIC;
} else
goto retry;
@@ -215,7 +215,7 @@ retry:
krb5_data_free (&seq_data);
if (cmp != 0) {
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_BAD_MIC;
@@ -223,7 +223,7 @@ retry:
ret = _gssapi_msg_order_check(context_handle->order, seq_number);
if (ret) {
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return ret;
@@ -233,7 +233,7 @@ retry:
tmp = malloc (message_buffer->length + 8);
if (tmp == NULL) {
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
@@ -246,21 +246,20 @@ retry:
csum.checksum.length = 20;
csum.checksum.data = p + 8;
ret = krb5_verify_checksum (_gsskrb5_context, crypto,
ret = krb5_verify_checksum (context, crypto,
KRB5_KU_USAGE_SIGN,
tmp, message_buffer->length + 8,
&csum);
free (tmp);
if (ret) {
_gsskrb5_set_error_string ();
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
*minor_status = ret;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
return GSS_S_BAD_MIC;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
return GSS_S_COMPLETE;
}
@@ -268,6 +267,7 @@ OM_uint32
_gsskrb5_verify_mic_internal
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
@@ -279,39 +279,40 @@ _gsskrb5_verify_mic_internal
krb5_keytype keytype;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(context_handle, &key);
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
*minor_status = 0;
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = verify_mic_des (minor_status, context_handle,
ret = verify_mic_des (minor_status, context_handle, context,
message_buffer, token_buffer, qop_state, key,
type);
break;
case KEYTYPE_DES3 :
ret = verify_mic_des3 (minor_status, context_handle,
ret = verify_mic_des3 (minor_status, context_handle, context,
message_buffer, token_buffer, qop_state, key,
type);
break;
case KEYTYPE_ARCFOUR :
case KEYTYPE_ARCFOUR_56 :
ret = _gssapi_verify_mic_arcfour (minor_status, context_handle,
context,
message_buffer, token_buffer,
qop_state, key, type);
break;
default :
ret = _gssapi_verify_mic_cfx (minor_status, context_handle,
context,
message_buffer, token_buffer, qop_state,
key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
return ret;
}
@@ -325,13 +326,17 @@ _gsskrb5_verify_mic
gss_qop_t * qop_state
)
{
krb5_context context;
OM_uint32 ret;
GSSAPI_KRB5_INIT (&context);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
ret = _gsskrb5_verify_mic_internal(minor_status,
(gsskrb5_ctx)context_handle,
(gsskrb5_ctx)context_handle,
context,
message_buffer, token_buffer,
qop_state, "\x01\x01");
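Review bot: `_gsskrb5_verify_mic_internal` gains a `krb5_context context` parameter but still carries no header comment, and its contract is only recoverable from the two call sites this commit touches: `type` is the two-byte token identifier the caller expects (`"\x01\x01"` from `_gsskrb5_verify_mic`, `"\x01\x02"` from `_gsskrb5_process_context_token`), `context` is the calling thread's context from `GSSAPI_KRB5_INIT`, and `ctx_id_mutex` is locked and released inside the function while the key is fetched. A short comment above the definition would capture that, e.g. `/* Verify a MIC or context token over message_buffer; type is the 2-byte token id expected, context the caller's per-thread krb5_context. Takes context_handle->ctx_id_mutex internally. */`. The hunk that shows the body starts after the function's declaration, and `_gsskrb5_verify_mic` itself continues outside the last hunk.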


@@ -40,39 +40,43 @@ RCSID("$Id$");
*/
krb5_error_code
_gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx, krb5_keyblock **key)
_gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx,
krb5_context context,
krb5_keyblock **key)
{
krb5_error_code ret;
*key = NULL;
if (ctx->more_flags & LOCAL) {
ret = krb5_auth_con_getlocalsubkey(_gsskrb5_context,
ret = krb5_auth_con_getlocalsubkey(context,
ctx->auth_context,
key);
} else {
ret = krb5_auth_con_getremotesubkey(_gsskrb5_context,
ret = krb5_auth_con_getremotesubkey(context,
ctx->auth_context,
key);
}
if (*key == NULL)
ret = krb5_auth_con_getkey(_gsskrb5_context,
ret = krb5_auth_con_getkey(context,
ctx->auth_context,
key);
return ret;
}
krb5_error_code
_gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx, krb5_keyblock **key)
_gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx,
krb5_context context,
krb5_keyblock **key)
{
krb5_error_code ret;
*key = NULL;
if (ctx->more_flags & LOCAL) {
ret = krb5_auth_con_getremotesubkey(_gsskrb5_context,
ret = krb5_auth_con_getremotesubkey(context,
ctx->auth_context,
key);
} else {
ret = krb5_auth_con_getlocalsubkey(_gsskrb5_context,
ret = krb5_auth_con_getlocalsubkey(context,
ctx->auth_context,
key);
}
@@ -80,16 +84,18 @@ _gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx, krb5_keyblock **key)
}
OM_uint32
_gsskrb5i_get_token_key(const gsskrb5_ctx ctx, krb5_keyblock **key)
_gsskrb5i_get_token_key(const gsskrb5_ctx ctx,
krb5_context context,
krb5_keyblock **key)
{
_gsskrb5i_get_acceptor_subkey(ctx, key);
_gsskrb5i_get_acceptor_subkey(ctx, context, key);
if(*key == NULL) {
/*
* Only use the initiator subkey or ticket session key if an
* acceptor subkey was not required.
*/
if ((ctx->more_flags & ACCEPTOR_SUBKEY) == 0)
_gsskrb5i_get_initiator_subkey(ctx, key);
_gsskrb5i_get_initiator_subkey(ctx, context, key);
}
if (*key == NULL)
return GSS_KRB5_S_KG_NO_SUBKEY;
@@ -130,20 +136,22 @@ _gsskrb5_wrap_size_limit (
OM_uint32 * max_input_size
)
{
krb5_context context;
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
@@ -151,7 +159,7 @@ _gsskrb5_wrap_size_limit (
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_wrap_size_arcfour(minor_status, ctx,
ret = _gssapi_wrap_size_arcfour(minor_status, ctx, context,
conf_req_flag, qop_req,
req_output_size, max_input_size, key);
break;
@@ -159,12 +167,12 @@ _gsskrb5_wrap_size_limit (
ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
break;
default :
ret = _gssapi_wrap_size_cfx(minor_status, ctx,
ret = _gssapi_wrap_size_cfx(minor_status, ctx, context,
conf_req_flag, qop_req,
req_output_size, max_input_size, key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
*minor_status = 0;
return ret;
}
@@ -173,6 +181,7 @@ static OM_uint32
wrap_des
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -247,9 +256,9 @@ wrap_des
/* sequence number */
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
ctx->auth_context,
&seq_number);
krb5_auth_con_getlocalseqnumber (context,
ctx->auth_context,
&seq_number);
p -= 16;
p[0] = (seq_number >> 0) & 0xFF;
@@ -264,7 +273,7 @@ wrap_des
DES_cbc_encrypt ((void *)p, (void *)p, 8,
&schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -299,6 +308,7 @@ static OM_uint32
wrap_des3
(OM_uint32 * minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
@@ -355,9 +365,8 @@ wrap_des3
input_message_buffer->length);
memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength);
ret = krb5_crypto_init(_gsskrb5_context, key, 0, &crypto);
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -365,16 +374,15 @@ wrap_des3
return GSS_S_FAILURE;
}
ret = krb5_create_checksum (_gsskrb5_context,
ret = krb5_create_checksum (context,
crypto,
KRB5_KU_USAGE_SIGN,
0,
p + 20,
datalen + 8,
&cksum);
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -390,7 +398,7 @@ wrap_des3
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
/* sequence number */
krb5_auth_con_getlocalseqnumber (_gsskrb5_context,
krb5_auth_con_getlocalseqnumber (context,
ctx->auth_context,
&seq_number);
@@ -403,7 +411,7 @@ wrap_des3
4);
ret = krb5_crypto_init(_gsskrb5_context, key, ETYPE_DES3_CBC_NONE,
ret = krb5_crypto_init(context, key, ETYPE_DES3_CBC_NONE,
&crypto);
if (ret) {
free (output_message_buffer->value);
@@ -417,15 +425,14 @@ wrap_des3
DES_cblock ivec;
memcpy (&ivec, p + 8, 8);
ret = krb5_encrypt_ivec (_gsskrb5_context,
ret = krb5_encrypt_ivec (context,
crypto,
KRB5_KU_USAGE_SEQ,
seq, 8, &encdata,
&ivec);
}
krb5_crypto_destroy (_gsskrb5_context, crypto);
krb5_crypto_destroy (context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -438,7 +445,7 @@ wrap_des3
memcpy (p, encdata.data, encdata.length);
krb5_data_free (&encdata);
krb5_auth_con_setlocalseqnumber (_gsskrb5_context,
krb5_auth_con_setlocalseqnumber (context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -449,21 +456,19 @@ wrap_des3
if(conf_req_flag) {
krb5_data tmp;
ret = krb5_crypto_init(_gsskrb5_context, key,
ret = krb5_crypto_init(context, key,
ETYPE_DES3_CBC_NONE, &crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_encrypt(_gsskrb5_context, crypto, KRB5_KU_USAGE_SEAL,
ret = krb5_encrypt(context, crypto, KRB5_KU_USAGE_SEAL,
p, datalen, &tmp);
krb5_crypto_destroy(_gsskrb5_context, crypto);
krb5_crypto_destroy(context, crypto);
if (ret) {
_gsskrb5_set_error_string ();
free (output_message_buffer->value);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
@@ -491,44 +496,46 @@ OM_uint32 _gsskrb5_wrap
gss_buffer_t output_message_buffer
)
{
krb5_context context;
krb5_keyblock *key;
OM_uint32 ret;
krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, &key);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
_gsskrb5_set_error_string ();
*minor_status = ret;
return GSS_S_FAILURE;
}
krb5_enctype_to_keytype (_gsskrb5_context, key->keytype, &keytype);
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = wrap_des (minor_status, ctx, conf_req_flag,
ret = wrap_des (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
case KEYTYPE_DES3 :
ret = wrap_des3 (minor_status, ctx, conf_req_flag,
ret = wrap_des3 (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
ret = _gssapi_wrap_arcfour (minor_status, ctx, conf_req_flag,
ret = _gssapi_wrap_arcfour (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
default :
ret = _gssapi_wrap_cfx (minor_status, ctx, conf_req_flag,
ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
}
krb5_free_keyblock (_gsskrb5_context, key);
krb5_free_keyblock (context, key);
return ret;
}
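Review bot: `_gsskrb5i_get_initiator_subkey`, `_gsskrb5i_get_acceptor_subkey` and `_gsskrb5i_get_token_key` change signature without documenting ownership or locking, yet every caller in this commit (`_gsskrb5_wrap_size_limit`, `_gsskrb5_wrap`, `_gsskrb5_unwrap`, `_gsskrb5_verify_mic_internal`) relies on the same unstated contract: call with `ctx_id_mutex` held, `*key` is reset to NULL before lookup, a NULL result becomes `GSS_KRB5_S_KG_NO_SUBKEY`, and the caller releases the key with `krb5_free_keyblock(context, key)`. Suggest a comment above `_gsskrb5i_get_token_key`: `/* Caller must hold ctx->ctx_id_mutex. On success *key is owned by the caller and freed with krb5_free_keyblock(context, key); returns GSS_KRB5_S_KG_NO_SUBKEY when no usable key exists. */`. Separately, `_gsskrb5i_get_token_key` discards the `krb5_error_code` from both subkey helpers and tests only `*key == NULL`, so a genuine auth-context lookup error is reported as "no subkey"; keeping the non-zero code when `*key` stays NULL would preserve the real cause in `minor_status`.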