A cleaner impleentation of r24399 which adds two new auth context APIs

author Greg Hudson <ghudson@mit.edu>

Fri, 1 Oct 2010 03:47:38 +0000 (03:47 +0000)

committer Greg Hudson <ghudson@mit.edu>

Fri, 1 Oct 2010 03:47:38 +0000 (03:47 +0000)
author Greg Hudson <ghudson@mit.edu>
Fri, 1 Oct 2010 03:47:38 +0000 (03:47 +0000)
committer Greg Hudson <ghudson@mit.edu>
Fri, 1 Oct 2010 03:47:38 +0000 (03:47 +0000)
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin

index 1b60dac8375e0289e249bfd386b22a045db5e095..bd89f337219907548d46e2e69703c95773bd0b66 100644 (file)
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2082,9 +2082,15 @@ krb5_auth_con_getrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
  krb5_error_code KRB5_CALLCONV
  krb5_auth_con_setsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
  
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey_k(krb5_context, krb5_auth_context, krb5_key);
+
  krb5_error_code KRB5_CALLCONV
  krb5_auth_con_setrecvsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
  
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key);
+
  #if KRB5_DEPRECATED
  KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
  krb5_auth_con_getlocalsubkey(krb5_context, krb5_auth_context,
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c

index 8e27b6d41bf73fb11208fa53a2f39117cc6a448d..03e1260974508fccd6e486cd993e2d23a064f41e 100644 (file)
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -270,7 +270,9 @@ struct gss_checksum_data {
      krb5_gss_ctx_ext_t exts;
  };
  
+#ifdef CFX_EXERCISE
  #include "../../krb5/krb/auth_con.h"
+#endif
  static krb5_error_code KRB5_CALLCONV
  make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
                     void *cksum_data, krb5_data **out)
@@ -301,10 +303,11 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
          /*
           * RFC 4121 4.1.1 specifies forwarded credentials must be encrypted in
           * the session key, but krb5_fwd_tgt_creds will use the send subkey if
-         * it's set in the auth context.  Null out the send subkey temporarily.
+         * it's set in the auth context.  Suppress the send subkey
+         * temporarily.
           */
-        send_subkey = auth_context->send_subkey;
-        auth_context->send_subkey = NULL;
+        krb5_auth_con_getsendsubkey_k(context, auth_context, &send_subkey);
+        krb5_auth_con_setsendsubkey_k(context, auth_context, NULL);
  
          code = krb5_fwd_tgt_creds(context, auth_context, 0,
                                    data->cred->name->princ, data->ctx->there->princ,
@@ -313,7 +316,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
  
          /* Turn KRB5_AUTH_CONTEXT_DO_TIME back on and reset the send subkey. */
          krb5_auth_con_setflags(context, auth_context, con_flags);
-        auth_context->send_subkey = send_subkey;
+        krb5_auth_con_setsendsubkey_k(context, auth_context, send_subkey);
  
          if (code) {
              /* don't fail here; just don't accept/do the delegation
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c

index debad36401936bdac4cefc1e886b52d3eab9c020..5efb371050fcc0f1a467caa5fc82c09225d67b56 100644 (file)
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -220,6 +220,16 @@ krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keybloc
          return 0;
  }
  
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
+                              krb5_key key)
+{
+    krb5_k_free_key(ctx, ac->send_subkey);
+    ac->send_subkey = key;
+    krb5_k_reference_key(ctx, key);
+    return 0;
+}
+
  krb5_error_code KRB5_CALLCONV
  krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
  {
@@ -232,6 +242,16 @@ krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keybloc
          return 0;
  }
  
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
+                              krb5_key key)
+{
+    krb5_k_free_key(ctx, ac->recv_subkey);
+    ac->recv_subkey = key;
+    krb5_k_reference_key(ctx, key);
+    return 0;
+}
+
  krb5_error_code KRB5_CALLCONV
  krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
  {
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports

index 9554fa21c0ad881c802f57bffd29f1f7f0da728f..81e18d0c6ac8b47d07f6480b22ff7a6b799ec82a 100644 (file)
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -156,7 +156,9 @@ krb5_auth_con_setpermetypes
  krb5_auth_con_setports
  krb5_auth_con_setrcache
  krb5_auth_con_setrecvsubkey
+krb5_auth_con_setrecvsubkey_k
  krb5_auth_con_setsendsubkey
+krb5_auth_con_setsendsubkey_k
  krb5_auth_con_setuseruserkey
  krb5_auth_to_rep
  krb5_authdata_context_copy
author	Greg Hudson <ghudson@mit.edu>
	Fri, 1 Oct 2010 03:47:38 +0000 (03:47 +0000)
committer	Greg Hudson <ghudson@mit.edu>
	Fri, 1 Oct 2010 03:47:38 +0000 (03:47 +0000)
src/include/krb5/krb5.hin		patch \| blob \| history
src/lib/gssapi/krb5/init_sec_context.c		patch \| blob \| history
src/lib/krb5/krb/auth_con.c		patch \| blob \| history
src/lib/krb5/libkrb5.exports		patch \| blob \| history