From 1e4a6015a73684d86de99c03db335714fbd4041d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sun, 14 Mar 2004 16:38:46 +0000
Subject: [PATCH] support cfx, try to handle acceptor asserted subkey

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13523 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/krb5/unwrap.c | 44 +++++++++++++++++++++++-----------------
 lib/gssapi/krb5/wrap.c | 39 ++++++++++++++++++-----------------
 lib/gssapi/unwrap.c | 44 +++++++++++++++++++++++-----------------
 lib/gssapi/wrap.c | 39 ++++++++++++++++++-----------------
 4 files changed, 90 insertions(+), 76 deletions(-)

diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
index 48b108504..876122043 100644
--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
@@ -42,20 +42,31 @@ gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, krb5_keyblock *skey; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if(skey == NULL) - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ + if (context_handle->more_flags & ACCEPTOR_SUBKEY) { + if (context_handle->more_flags & LOCAL) + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + else + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + } else { + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + if(skey == NULL) + return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ + } *key = skey; return 0; } @@ -427,14 +438,9 @@ OM_uint32 gss_unwrap conf_state, qop_state, key); break; default : -#ifdef HAVE_GSSAPI_CFX ret = _gssapi_unwrap_cfx (minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, qop_state, key); -#else - *minor_status = (OM_uint32)KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; -#endif break; } krb5_free_keyblock (gssapi_krb5_context, key); diff --git a/lib/gssapi/krb5/wrap.c b/lib/gssapi/krb5/wrap.c index 46939fc99..01a9f3e88 100644 --- a/lib/gssapi/krb5/wrap.c +++ b/lib/gssapi/krb5/wrap.c 
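Review bot: In the new `gss_krb5_get_remotekey` body the `HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);` call and the `if(skey == NULL) return GSS_KRB5_S_KG_NO_SUBKEY;` check ended up inside the `else` block, so the `ACCEPTOR_SUBKEY` path returns 0 with `ctx_id_mutex` still held and without checking `skey`. The next operation that locks the same context would then block, and `gss_unwrap` would be handed a NULL key (or an unset pointer, if the getter leaves `skey` untouched on failure, since it is declared without an initializer). Close the `else` right after the `krb5_auth_con_getkey(...)` call, i.e. move the final `}` above `HEIMDAL_MUTEX_unlock(...)`, so the unlock and the NULL check run on both paths as they do in `gss_krb5_get_localkey` in wrap.c. The same hunk is repeated for lib/gssapi/unwrap.c and needs the same change; the function's signature and opening lie outside the hunk.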
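Review bot: With the `#else` arm gone, the `default :` case in `gss_unwrap` no longer fails closed with `KRB5_PROG_ETYPE_NOSUPP`: every key type not matched by an earlier `case` is handed to `_gssapi_unwrap_cfx`. Whether that routine rejects key types it cannot handle is not visible here, so the case deserves a comment stating the intent, for example `/* every other enctype uses the CFX token format; _gssapi_unwrap_cfx must reject unsupported ones */`. The same applies to the `default :` cases of `gss_wrap_size_limit` and `gss_wrap` in wrap.c and to the copies under lib/gssapi/. The switch itself starts outside the hunk.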
@@ -42,17 +42,28 @@ gss_krb5_get_localkey(const gss_ctx_id_t context_handle, krb5_keyblock *skey; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + if (context_handle->more_flags & ACCEPTOR_SUBKEY) { + if (context_handle->more_flags & LOCAL) + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + else + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + } else { + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getkey(gssapi_krb5_context, context_handle->auth_context, &skey); - if(skey == NULL) - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); + } HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); if(skey == NULL) return GSS_S_FAILURE; @@ -115,14 +126,9 @@ gss_wrap_size_limit ( ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); break; default : -#ifdef HAVE_GSSAPI_CFX ret = _gssapi_wrap_size_cfx(minor_status, context_handle, conf_req_flag, qop_req, req_output_size, max_input_size, key); -#else - *minor_status = (OM_uint32)KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; -#endif break; } krb5_free_keyblock (gssapi_krb5_context, key); @@ -467,14 +473,9 @@ OM_uint32 gss_wrap output_message_buffer, key); break; default : -#ifdef HAVE_GSSAPI_CFX ret = _gssapi_wrap_cfx (minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); -#else - *minor_status = (OM_uint32)KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; -#endif break; } krb5_free_keyblock (gssapi_krb5_context, key); 
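Review bot: The `ACCEPTOR_SUBKEY` branch of `gss_krb5_get_localkey` fetches the remote subkey when `LOCAL` is set, which reads like a mistake in a function with this name unless the reason is written down. Presumably `LOCAL` marks the initiator, for whom the acceptor-asserted subkey is the remote one; a comment such as `/* acceptor-asserted subkey: remote subkey on the initiator, local subkey on the acceptor */` above the inner `if` would settle it. The branch is identical to the one added to `gss_krb5_get_remotekey` in unwrap.c, so a shared helper would keep the two from drifting apart. Unlike the `else` path, this branch does not fall back to `krb5_auth_con_getkey`, so a missing subkey ends in `GSS_S_FAILURE`; the comment should say whether that is intended.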
diff --git a/lib/gssapi/unwrap.c b/lib/gssapi/unwrap.c index 48b108504..876122043 100644 --- a/lib/gssapi/unwrap.c +++ b/lib/gssapi/unwrap.c @@ -42,20 +42,31 @@ gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, krb5_keyblock *skey; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - if(skey == NULL) - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ + if (context_handle->more_flags & ACCEPTOR_SUBKEY) { + if (context_handle->more_flags & LOCAL) + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + else + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + } else { + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); + if(skey == NULL) + return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ + } *key = skey; return 0; } @@ -427,14 +438,9 @@ OM_uint32 gss_unwrap conf_state, qop_state, key); break; default : -#ifdef HAVE_GSSAPI_CFX ret = _gssapi_unwrap_cfx (minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, qop_state, key); -#else - *minor_status = (OM_uint32)KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; -#endif break; } krb5_free_keyblock (gssapi_krb5_context, key); diff --git a/lib/gssapi/wrap.c b/lib/gssapi/wrap.c index 46939fc99..01a9f3e88 100644 --- a/lib/gssapi/wrap.c 
+++ b/lib/gssapi/wrap.c @@ -42,17 +42,28 @@ gss_krb5_get_localkey(const gss_ctx_id_t context_handle, krb5_keyblock *skey; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + if (context_handle->more_flags & ACCEPTOR_SUBKEY) { + if (context_handle->more_flags & LOCAL) + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + else + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + } else { + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getkey(gssapi_krb5_context, context_handle->auth_context, &skey); - if(skey == NULL) - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); + } HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); if(skey == NULL) return GSS_S_FAILURE; @@ -115,14 +126,9 @@ gss_wrap_size_limit ( ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); break; default : -#ifdef HAVE_GSSAPI_CFX ret = _gssapi_wrap_size_cfx(minor_status, context_handle, conf_req_flag, qop_req, req_output_size, max_input_size, key); -#else - *minor_status = (OM_uint32)KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; -#endif break; } krb5_free_keyblock (gssapi_krb5_context, key); @@ -467,14 +473,9 @@ OM_uint32 gss_wrap output_message_buffer, key); break; default : -#ifdef HAVE_GSSAPI_CFX ret = _gssapi_wrap_cfx (minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, key); -#else - *minor_status = (OM_uint32)KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; -#endif break; } krb5_free_keyblock (gssapi_krb5_context, key);