From a2cfd2a25cc59853720e434e6989c82e3eb38238 Mon Sep 17 00:00:00 2001 From: "Roland C. Dowdeswell" Date: Mon, 2 Aug 2021 22:55:33 +0100 Subject: [PATCH] gssapi/krb5/{export,import}_sec_context: fix for init_sec_ctx When using these functions with gss_init_sec_context(), we noticed that some things were missing and some needed to be made optional. ctx->order may be NULL, ctx->ac->authenticator needs to be filled out, and ctx->state needs be stored. Note: SPNEGO still needs a little more work.
---
 lib/gssapi/krb5/export_sec_context.c | 31 ++++++++++++++++++++++++----
 lib/gssapi/krb5/gsskrb5_locl.h | 16 +++++++-------
 lib/gssapi/krb5/import_sec_context.c | 21 ++++++++++++++++---
 3 files changed, 54 insertions(+), 14 deletions(-)
diff --git a/lib/gssapi/krb5/export_sec_context.c b/lib/gssapi/krb5/export_sec_context.c
index 63ffe4963..98959ab23 100644
--- a/lib/gssapi/krb5/export_sec_context.c
+++ b/lib/gssapi/krb5/export_sec_context.c
@@ -82,10 +82,14 @@ _gsskrb5_export_sec_context(
 flags |= SC_LOCAL_SUBKEY;
 if (ac->remote_subkey)
 flags |= SC_REMOTE_SUBKEY;
+ if (ac->authenticator)
+ flags |= SC_AUTHENTICATOR;
 if (ctx->source)
 flags |= SC_SOURCE_NAME;
 if (ctx->target)
 flags |= SC_TARGET_NAME;
+ if (ctx->order)
+ flags |= SC_ORDER;
 kret = krb5_store_int32 (sp, flags);
 if (kret) {
@@ -155,6 +159,18 @@ _gsskrb5_export_sec_context(
 *minor_status = kret;
 goto failure;
 }
+ if (ac->authenticator) {
+ kret = krb5_store_int64(sp, ac->authenticator->ctime);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
+ kret = krb5_store_int32(sp, ac->authenticator->cusec);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
+ }
 kret = krb5_store_int32 (sp, ac->keytype);
 if (kret) {
@@ -212,6 +228,11 @@ _gsskrb5_export_sec_context(
 *minor_status = kret;
 goto failure;
 }
+ kret = krb5_store_int32 (sp, ctx->state);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
 /*
 * XXX We should put a 64-bit int here, but we don't have a
 * krb5_store_int64() yet.
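Review bot: The new `krb5_store_int32 (sp, ctx->state)` at `@@ -212,6 +228,11 @@` is written unconditionally, whereas the other two additions are announced by `SC_AUTHENTICATOR` and `SC_ORDER` in `flags`. No format version is visible in these hunks, so a token exported by a build without this change would presumably be parsed by the new importer with every field from this point on shifted by four bytes. If tokens can cross builds, give the field its own bit in `flags` (a new `SC_*` value) and let the importer reject the token or fall back to a default when the bit is absent. The `XXX` context comment that follows still says there is no `krb5_store_int64()`, although the hunk at `@@ -155,6 +159,18 @@` now calls it. The function starts and ends outside the hunk.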
@@ -221,10 +242,12 @@ _gsskrb5_export_sec_context(
 *minor_status = kret;
 goto failure;
 }
- kret = _gssapi_msg_order_export(sp, ctx->order);
- if (kret ) {
- *minor_status = kret;
- goto failure;
+ if (ctx->order) {
+ kret = _gssapi_msg_order_export(sp, ctx->order);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
 }
 kret = krb5_storage_to_data (sp, &data);
diff --git a/lib/gssapi/krb5/gsskrb5_locl.h b/lib/gssapi/krb5/gsskrb5_locl.h
index ef3f21903..e6f031010 100644
--- a/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/lib/gssapi/krb5/gsskrb5_locl.h
@@ -135,12 +135,14 @@ extern HEIMDAL_MUTEX gssapi_keytab_mutex;
 /* sec_context flags */
-#define SC_LOCAL_ADDRESS 0x01
-#define SC_REMOTE_ADDRESS 0x02
-#define SC_KEYBLOCK 0x04
-#define SC_LOCAL_SUBKEY 0x08
-#define SC_REMOTE_SUBKEY 0x10
-#define SC_SOURCE_NAME 0x20
-#define SC_TARGET_NAME 0x40
+#define SC_LOCAL_ADDRESS 0x0001
+#define SC_REMOTE_ADDRESS 0x0002
+#define SC_KEYBLOCK 0x0004
+#define SC_LOCAL_SUBKEY 0x0008
+#define SC_REMOTE_SUBKEY 0x0010
+#define SC_SOURCE_NAME 0x0020
+#define SC_TARGET_NAME 0x0040
+#define SC_ORDER 0x0080
+#define SC_AUTHENTICATOR 0x0100
 #endif
diff --git a/lib/gssapi/krb5/import_sec_context.c b/lib/gssapi/krb5/import_sec_context.c
index 545b15fed..d64ec7718 100644
--- a/lib/gssapi/krb5/import_sec_context.c
+++ b/lib/gssapi/krb5/import_sec_context.c
@@ -51,6 +51,7 @@ _gsskrb5_import_sec_context (
 gss_buffer_desc buffer;
 krb5_keyblock keyblock;
 int32_t flags, tmp;
+ int64_t tmp64;
 gsskrb5_ctx ctx;
 gss_name_t name;
@@ -141,6 +142,15 @@ _gsskrb5_import_sec_context (
 if (krb5_ret_uint32 (sp, &ac->remote_seqnumber))
 goto failure;
+ if (flags & SC_AUTHENTICATOR) {
+ if (krb5_ret_int64(sp, &tmp64))
+ goto failure;
+ ac->authenticator->ctime = tmp64;
+ if (krb5_ret_int32(sp, &tmp))
+ goto failure;
+ ac->authenticator->cusec = tmp;
+ }
+
 if (krb5_ret_int32 (sp, &tmp) != 0)
 goto failure;
 ac->keytype = tmp;
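Review bot: At `@@ -141,6 +142,15 @@` in import_sec_context.c, `ac->authenticator->ctime = tmp64;` dereferences `ac->authenticator` solely because the token's `flags` word has `SC_AUTHENTICATOR` set, while the export side treats the same pointer as optional (`if (ac->authenticator)`). Whether the auth context set up earlier in this function always allocates the authenticator is not visible in the hunk; if it can be NULL, a malformed or stale token crashes the importing process. A guard such as `if (ac->authenticator == NULL) goto failure;` ahead of the two assignments keeps the import safe either way. The function starts and ends outside the hunk.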
@@ -195,6 +205,9 @@ _gsskrb5_import_sec_context (
 if (krb5_ret_int32 (sp, &tmp))
 goto failure;
 ctx->more_flags = tmp;
+ if (krb5_ret_int32 (sp, &tmp))
+ goto failure;
+ ctx->state = tmp;
 /*
 * XXX endtime should be a 64-bit int, but we don't have
 * krb5_ret_int64() yet.
@@ -203,9 +216,11 @@ _gsskrb5_import_sec_context (
 goto failure;
 ctx->endtime = tmp;
- ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
- if (ret)
- goto failure;
+ if (flags & SC_ORDER) {
+ ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
+ if (ret)
+ goto failure;
+ }
 krb5_storage_free (sp);
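Review bot: `ctx->state = tmp;` at `@@ -195,6 +205,9 @@` stores a 32-bit value taken from the imported token with no range check, and the commit message says the imported context is then used with gss_init_sec_context(). The type behind `ctx->state` is not shown here, so compare `tmp` with its defined values and `goto failure` on anything else before assigning, so that a corrupted token cannot leave the context in a state the handshake code does not expect. The `XXX` context comment in the same hunk still says `krb5_ret_int64()` does not exist, although this commit calls it in the authenticator hunk. The function body continues outside the hunk.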
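Review bot: At `@@ -203,9 +216,11 @@`, a token without `SC_ORDER` now imports successfully and leaves `ctx->order` as it was initialised, presumably NULL. That is what a half-established initiator context needs, but a token for an established context that lacks the bit would also come back without message-order state, and whether later per-message calls then skip replay and sequence checks is not visible here. Consider accepting a missing `SC_ORDER` only when the imported `ctx->state` says the context is still being established, and document the intent on the new `if`, for example `/* order is absent until the context is established */`.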