From 33137a8c8246ef239c49a103bb1484cb389f5101 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 14 Apr 2020 12:34:44 +1000
Subject: [PATCH] gss: allow source/target to be null on export/import

Allow the source and target names to be NULL when exporting or importing a security context for the krb5 mechanism. This will be used in the future to support skeletal contexts that only provide RFC4121 message protection services.

---
 lib/gssapi/krb5/export_sec_context.c | 56 ++++++++++++++++------------
 lib/gssapi/krb5/gsskrb5_locl.h | 2 +
 lib/gssapi/krb5/import_sec_context.c | 53 +++++++++++++------------
 3 files changed, 62 insertions(+), 49 deletions(-)

diff --git a/lib/gssapi/krb5/export_sec_context.c b/lib/gssapi/krb5/export_sec_context.c
index cba9f22f6..63ffe4963 100644
--- a/lib/gssapi/krb5/export_sec_context.c
+++ b/lib/gssapi/krb5/export_sec_context.c
@@ -82,6 +82,10 @@ _gsskrb5_export_sec_context(
 flags |= SC_LOCAL_SUBKEY;
 if (ac->remote_subkey)
 flags |= SC_REMOTE_SUBKEY;
+ if (ctx->source)
+ flags |= SC_SOURCE_NAME;
+ if (ctx->target)
+ flags |= SC_TARGET_NAME;
 kret = krb5_store_int32 (sp, flags);
 if (kret) {
@@ -164,34 +168,38 @@ _gsskrb5_export_sec_context(
 }
 /* names */
+ if (ctx->source) {
+ ret = _gsskrb5_export_name (minor_status,
+ (gss_name_t)ctx->source, &buffer);
+ if (ret)
+ goto failure;
+ data.data = buffer.value;
+ data.length = buffer.length;
+ kret = krb5_store_data (sp, data);
+ _gsskrb5_release_buffer (&minor, &buffer);
- ret = _gsskrb5_export_name (minor_status,
- (gss_name_t)ctx->source, &buffer);
- if (ret)
- goto failure;
- data.data = buffer.value;
- data.length = buffer.length;
- kret = krb5_store_data (sp, data);
- _gsskrb5_release_buffer (&minor, &buffer);
- if (kret) {
- *minor_status = kret;
- goto failure;
+ ret = GSS_S_FAILURE;
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
 }
- ret = _gsskrb5_export_name (minor_status,
- (gss_name_t)ctx->target, &buffer);
- if (ret)
- goto failure;
- data.data = buffer.value;
- data.length = buffer.length;
+ if (ctx->target) {
+ ret = _gsskrb5_export_name (minor_status,
+ (gss_name_t)ctx->target, &buffer);
+ if (ret)
+ goto failure;
+ data.data = buffer.value;
+ data.length = buffer.length;
+ kret = krb5_store_data (sp, data);
+ _gsskrb5_release_buffer (&minor, &buffer);
- ret = GSS_S_FAILURE;
-
- kret = krb5_store_data (sp, data);
- _gsskrb5_release_buffer (&minor, &buffer);
- if (kret) {
- *minor_status = kret;
- goto failure;
+ ret = GSS_S_FAILURE;
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
 }
 kret = krb5_store_int32 (sp, ctx->flags);
diff --git a/lib/gssapi/krb5/gsskrb5_locl.h b/lib/gssapi/krb5/gsskrb5_locl.h
index e323881fa..c427c7ef9 100644
--- a/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/lib/gssapi/krb5/gsskrb5_locl.h
@@ -134,5 +134,7 @@ extern HEIMDAL_MUTEX gssapi_keytab_mutex;
 #define SC_KEYBLOCK 0x04
 #define SC_LOCAL_SUBKEY 0x08
 #define SC_REMOTE_SUBKEY 0x10
+#define SC_SOURCE_NAME 0x20
+#define SC_TARGET_NAME 0x40
 #endif
diff --git a/lib/gssapi/krb5/import_sec_context.c b/lib/gssapi/krb5/import_sec_context.c
index e34e07115..545b15fed 100644
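Review bot: The `if (ctx->source) {` and `if (ctx->target) {` guards around the two name blocks re-test the pointers rather than the `flags` word that the earlier hunk (line 82) already derived from those same pointers, so the header bit and the presence of the payload are decided by two separate computations. Testing `if (flags & SC_SOURCE_NAME) {` and `if (flags & SC_TARGET_NAME) {` here would tie the serialized bit to the serialized data by construction, so an importer can never see a flag without its name or a name without its flag. Setting `ret = GSS_S_FAILURE;` ahead of the `kret` check is now done in both blocks, which fixes the asymmetry the removed lines had; whether `ret` is reset to GSS_S_COMPLETE on the success path cannot be confirmed from here because the `failure:` label and the return are outside the hunk. _gsskrb5_export_sec_context continues outside this hunk.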
--- a/lib/gssapi/krb5/import_sec_context.c
+++ b/lib/gssapi/krb5/import_sec_context.c
@@ -149,42 +149,45 @@ _gsskrb5_import_sec_context (
 ac->cksumtype = tmp;
 /* names */
+ if (flags & SC_SOURCE_NAME) {
+ if (krb5_ret_data (sp, &data))
+ goto failure;
+ buffer.value = data.data;
+ buffer.length = data.length;
- if (krb5_ret_data (sp, &data))
- goto failure;
- buffer.value = data.data;
- buffer.length = data.length;
-
- ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
- &name);
- if (ret) {
- ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
 &name);
 if (ret) {
- krb5_data_free (&data);
- goto failure;
+ ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ &name);
+ if (ret) {
+ krb5_data_free (&data);
+ goto failure;
+ }
 }
+ ctx->source = (krb5_principal)name;
+ krb5_data_free (&data);
 }
- ctx->source = (krb5_principal)name;
- krb5_data_free (&data);
- if (krb5_ret_data (sp, &data) != 0)
- goto failure;
- buffer.value = data.data;
- buffer.length = data.length;
+ if (flags & SC_TARGET_NAME) {
+ if (krb5_ret_data (sp, &data) != 0)
+ goto failure;
+ buffer.value = data.data;
+ buffer.length = data.length;
- ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
- &name);
- if (ret) {
- ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
 &name);
 if (ret) {
- krb5_data_free (&data);
- goto failure;
+ ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
+ &name);
+ if (ret) {
+ krb5_data_free (&data);
+ goto failure;
+ }
 }
+ ctx->target = (krb5_principal)name;
+ krb5_data_free (&data);
 }
- ctx->target = (krb5_principal)name;
- krb5_data_free (&data);
 if (krb5_ret_int32 (sp, &tmp))
 goto failure;
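Review bot: When SC_SOURCE_NAME or SC_TARGET_NAME is clear, the new `if (flags & SC_SOURCE_NAME) {` / `if (flags & SC_TARGET_NAME) {` blocks leave `ctx->source` and `ctx->target` unassigned, so an imported context may now carry NULL principals, and nothing in this patch touches the code that reads those fields; any consumer that dereferences them unconditionally (the inquire and display paths, if they do) would fault on such a token, which is worth confirming before the skeletal case is exercised, or recording on the two struct fields in gsskrb5_locl.h that both may be NULL. The same conditional also changes how older tokens are read: the removed lines show the previous exporter always wrote both names, and the header hunk shows the 0x20/0x40 bits did not exist, so a token from a pre-patch exporter would now have its names skipped and the following `krb5_ret_int32 (sp, &tmp)` would consume the start of the source-name data as `ctx->flags`; if cross-version import is ever expected, that case should be detected and rejected rather than misparsed. A one-line comment above each block, `/* absent flag means a skeletal context: the principal stays NULL */`, would make the intended semantics visible to the next reader. _gsskrb5_import_sec_context continues outside this hunk.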