Lots of memory leaks and other fixes...
authorTheodore Tso <tytso@mit.edu>
Sat, 16 Sep 1995 07:33:23 +0000 (07:33 +0000)
committerTheodore Tso <tytso@mit.edu>
Sat, 16 Sep 1995 07:33:23 +0000 (07:33 +0000)
gssapiP_krb5.h: Remove context and cred from the gssapi security
context, as they aren't needed.  kg_seal and kg_unseal now take a
krb5_context argument.

ser_sctx.c (kg_ctx_size, kg_ctx_externalize, kg_ctx_internalize): No
longer serialize the context and cred fields of the gssapi security
context.

krb5_gss_glue.c: Don't rely on the context field of the gssapi
security context.  Use kg_context instead.

verify.c (krb5_gss_verify, krb5_gss_verify_mic):
unseal.c (krb5_gss_unwrap, krb5_gss_unseal):
sign.c (krb5_gss_sign, krb5_gss_get_mic):
seal.c (krb5_gss_seal, krb5_gss_wrap):
process_context_token.c (krb5_gss_process_context_token):
k5unseal.c (kg_unseal):
k5seal.c (kg_seal_size): Add a krb5_context argument to this function,
so we don't have to depend on the context field in the gssapi
security context.

init_sec_context.c (krb5_gss_init_sec_context): Don't initialize the
context and cred fields in the gssapi security context.  Copy
ctx->subkey to ctx->seq.key, so they are separately allocated.

gssapi_krb5.c (kg_get_context): When initializing kg_context, call
krb5_init_ets() so that the error tables are initialized.

export_sec_context.c (krb5_gss_export_sec_context): Don't depend on
the context field from the gssapi security context.  Free
ctx->seq.key.

delete_sec_context.c (krb5_gss_delete_sec_context): kg_seal() now
takes a krb5_context argument.  Free ctx->seq.key.

acquire_cred.c (krb5_gss_acquire_cred): Clear the gssapi credential
before setting it, to prevent purify from complaining.

accept_sec_context.c (krb5_gss_accept_sec_context): Remove context and
cred from the gssapi security context.  Make sure the ticket is freed
after we're done with it.

import_sec_context.c (krb5_gss_import_sec_context): Don't bash the
input interprocess_token.  Otherwise, it can't be freed.  Don't
depend on the context field in the gss security context.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6798 dc483132-0cff-0310-8789-dd5450dbe970

18 files changed:
src/lib/gssapi/krb5/ChangeLog
src/lib/gssapi/krb5/accept_sec_context.c
src/lib/gssapi/krb5/acquire_cred.c
src/lib/gssapi/krb5/delete_sec_context.c
src/lib/gssapi/krb5/export_sec_context.c
src/lib/gssapi/krb5/gssapiP_krb5.h
src/lib/gssapi/krb5/gssapi_krb5.c
src/lib/gssapi/krb5/import_sec_context.c
src/lib/gssapi/krb5/init_sec_context.c
src/lib/gssapi/krb5/k5seal.c
src/lib/gssapi/krb5/k5unseal.c
src/lib/gssapi/krb5/krb5_gss_glue.c
src/lib/gssapi/krb5/process_context_token.c
src/lib/gssapi/krb5/seal.c
src/lib/gssapi/krb5/ser_sctx.c
src/lib/gssapi/krb5/sign.c
src/lib/gssapi/krb5/unseal.c
src/lib/gssapi/krb5/verify.c

index 777d37d2f1f31c8b2c9ac0c18bda77f76245c3bc..4ce7115cea378dfdfa25525f099a718528fdf52c 100644 (file)
@@ -1,3 +1,56 @@
+Sat Sep 16 03:18:02 1995  Theodore Y. Ts'o  <tytso@dcl>
+
+       * gssapiP_krb5.h: Remove context and cred from the gssapi security
+               context, as they aren't needed.  kg_seal and kg_unseal now
+               take a krb5_context argument.
+
+       * ser_sctx.c (kg_ctx_size, kg_ctx_externalize,
+               kg_ctx_internalize): No longer serialize the context and
+               cred fields of the gssapi security context.
+
+       * krb5_gss_glue.c: Don't rely on the context field of the gssapi
+               security context.  Use kg_context instead.
+
+       * verify.c (krb5_gss_verify, krb5_gss_verify_mic): 
+       * unseal.c (krb5_gss_unwrap, krb5_gss_unseal): 
+       * sign.c (krb5_gss_sign, krb5_gss_get_mic): 
+       * seal.c (krb5_gss_seal, krb5_gss_wrap): 
+       * process_context_token.c (krb5_gss_process_context_token): 
+       * k5unseal.c (kg_unseal):
+       * k5seal.c (kg_seal_size): Add a krb5_context argument to this
+               function, so we don't have to depend on the context field
+               in the gssapi security context.
+
+       * init_sec_context.c (krb5_gss_init_sec_context): Don't initialize
+               the context and cred fields in the gssapi security
+               context.  Copy ctx->subkey to ctx->seq.key, so they are
+               separately allocated.
+
+       * gssapi_krb5.c (kg_get_context): When initialize kg_context, call
+               krb5_init_ets() so that the error tables are initialized.
+
+       * export_sec_context.c (krb5_gss_export_sec_context): Don't depend
+               on the context field from the gssapi security context.
+               Free ctx->seq.key.
+
+       * delete_sec_context.c (krb5_gss_delete_sec_context): kg_seal()
+               now takes a krb5_context argument.  Free ctx->seq.key.
+
+       * acquire_cred.c (krb5_gss_acquire_cred): Clear the gssapi
+               credential before setting it, to prevent purify from
+               complaining.
+
+       * accept_sec_context.c (krb5_gss_accept_sec_context): Remove
+               context and cred from the gssapi security context.  Make
+               sure the ticket is freed after we're done with it.
+
+Fri Sep 15 22:12:49 1995  Theodore Y. Ts'o  <tytso@dcl>
+
+       * import_sec_context.c (krb5_gss_import_sec_context): Don't bash
+               the input interprocess_token.  Otherwise, it can't be
+               freed.  Don't depend on the context field in the gss
+               security context.
+
 Tue Sep 12 19:07:52 1995  Theodore Y. Ts'o  <tytso@dcl>
 
        * export_sec_context.c (krb5_gss_export_sec_context): Free the
index 55b0eb6b7b3887b7d542520162a81b5aa44dcfab..0415db4efc1eed202b6f8af792e569fee9e9a627 100644 (file)
@@ -214,12 +214,10 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle,
    }
 
    memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
-   ctx->context = context;
    ctx->auth_context = auth_context;
    ctx->initiate = 0;
    ctx->mutual = gss_flags & GSS_C_MUTUAL_FLAG;
    ctx->seed_init = 0;
-   ctx->cred = cred;
    ctx->big_endian = bigend;
 
    if (code = krb5_copy_principal(context, cred->princ, &ctx->here)) {
@@ -258,12 +256,13 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle,
 
    krb5_use_enctype(context, &ctx->seq.eblock, ENCTYPE_DES_CBC_RAW);
    ctx->seq.processed = 0;
-   ctx->seq.key = ctx->subkey;
-
+   if (code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq.key))
+       return(code);
    ctx->endtime = ticket->enc_part2->times.endtime;
-
    ctx->flags = ticket->enc_part2->flags;
 
+   krb5_free_ticket(context, ticket); /* Done with ticket */
+
    krb5_auth_con_getremoteseqnumber(context, auth_context, &ctx->seq_recv);
 
    /* at this point, the entire context structure is filled in, 
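Review bot: The new `return(code);` after `krb5_copy_keyblock` hands a krb5_error_code back as the GSS major status and leaves `*minor_status` unset. A small errno-style value (presumably what an allocation failure yields) has none of the bits `GSS_ERROR()` tests, so a caller could miss the failed acceptance. It also returns before the `krb5_free_ticket(context, ticket)` added a few lines below, so the ticket and the partly built ctx leak on this path. I would free the ticket and whatever the earlier error branches release (they are outside the hunk), then use `*minor_status = code; return(GSS_S_FAILURE);`. The same pattern is added in init_sec_context.c at `@@ -304,7 +302,8 @@`.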
index 6ffbe49fa2ff2c5d09c9fed99e1e1629cbd23fc2..9cbb0b68ebf95a532f354b697b2f98c6d68f4132 100644 (file)
@@ -294,6 +294,7 @@ krb5_gss_acquire_cred(context, minor_status, desired_name, time_req,
       *minor_status = ENOMEM;
       return(GSS_S_FAILURE);
    }
+   memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
 
    cred->usage = cred_usage;
    cred->princ = NULL;
index c23bfcca50dbef299efbcc414bb32cd21af8c206..4e0766fa875f5993dc95c3498fa9a4032da8fef6 100644 (file)
@@ -56,7 +56,8 @@ krb5_gss_delete_sec_context(context, minor_status, context_handle, output_token)
       gss_buffer_desc empty;
       empty.length = 0; empty.value = NULL;
 
-      if (major = kg_seal(minor_status, *context_handle, 0, GSS_C_QOP_DEFAULT,
+      if (major = kg_seal(context, minor_status, *context_handle, 0,
+                         GSS_C_QOP_DEFAULT,
                          &empty, NULL, output_token, KG_TOK_DEL_CTX))
         return(major);
    }
@@ -75,6 +76,7 @@ krb5_gss_delete_sec_context(context, minor_status, context_handle, output_token)
 
    if (ctx->seq.processed)
       krb5_finish_key(context, &ctx->seq.eblock);
+   krb5_free_keyblock(context, ctx->seq.key);
 
    krb5_free_principal(context, ctx->here);
    krb5_free_principal(context, ctx->there);
index 01dbf9773eb3411c4ed6529b3a53688514d31d86..61856a36447ff1093bca64e9818bcb2e09620a52 100644 (file)
@@ -85,15 +85,16 @@ krb5_gss_export_sec_context(context,
                            /* Now, clean up the context state */
                            (void) kg_delete_ctx_id((gss_ctx_id_t) ctx);
                            if (ctx->enc.processed)
-                               krb5_finish_key(ctx->context,
+                               krb5_finish_key(context,
                                                &ctx->enc.eblock);
-                           krb5_free_keyblock(ctx->context, ctx->enc.key);
+                           krb5_free_keyblock(context, ctx->enc.key);
                            if (ctx->seq.processed)
-                               krb5_finish_key(ctx->context,
+                               krb5_finish_key(context,
                                                &ctx->seq.eblock);
-                           krb5_free_principal(ctx->context, ctx->here);
-                           krb5_free_principal(ctx->context, ctx->there);
-                           krb5_free_keyblock(ctx->context, ctx->subkey);
+                           krb5_free_keyblock(context, ctx->seq.key);
+                           krb5_free_principal(context, ctx->here);
+                           krb5_free_principal(context, ctx->there);
+                           krb5_free_keyblock(context, ctx->subkey);
 
                            if (ctx->auth_context)
                                krb5_auth_con_free(context, ctx->auth_context);
index 6d6a1a32fa6ea220899fe4f24f6389d2f7a7bc75..35f78e1f819f0aa20649064c4c1f85c2e9702bae 100644 (file)
@@ -84,7 +84,6 @@ typedef struct _krb5_gss_ctx_id_rec {
    OM_uint32 mutual;
    int seed_init;
    unsigned char seed[16];
-   krb5_gss_cred_id_t cred;
    krb5_principal here;
    krb5_principal there;
    krb5_keyblock *subkey;
@@ -96,7 +95,6 @@ typedef struct _krb5_gss_ctx_id_rec {
    krb5_int32 seq_recv;
    int established;
    int big_endian;
-   krb5_context context;
    krb5_auth_context auth_context;
 } krb5_gss_ctx_id_rec, krb5_gss_ctx_id_t;
 
@@ -151,7 +149,8 @@ krb5_error_code kg_encrypt PROTOTYPE((krb5_gss_enc_desc *ed,
 krb5_error_code kg_decrypt PROTOTYPE((krb5_gss_enc_desc *ed, 
                           krb5_pointer iv, krb5_pointer in, krb5_pointer out, int length));
 
-OM_uint32 kg_seal PROTOTYPE((OM_uint32 *minor_status,
+OM_uint32 kg_seal PROTOTYPE((krb5_context context,
+                 OM_uint32 *minor_status,
                  gss_ctx_id_t context_handle,
                  int conf_req_flag,
                  int qop_req,
@@ -160,7 +159,8 @@ OM_uint32 kg_seal PROTOTYPE((OM_uint32 *minor_status,
                  gss_buffer_t output_message_buffer,
                  int toktype));
 
-OM_uint32 kg_unseal PROTOTYPE((OM_uint32 *minor_status,
+OM_uint32 kg_unseal PROTOTYPE((krb5_context context,
+                   OM_uint32 *minor_status,
                    gss_ctx_id_t context_handle,
                    gss_buffer_t input_token_buffer,
                    gss_buffer_t message_buffer,
index 6e86eb97a916244aeacdc91cbf8ab200c5f16a25..be08f9139e826f9bd61c429a946a4373544317db 100644 (file)
@@ -121,5 +121,6 @@ kg_get_context()
                return GSS_S_COMPLETE;
        if (krb5_init_context(&kg_context))
                return GSS_S_FAILURE;
+       krb5_init_ets(kg_context);
        return GSS_S_COMPLETE;
 }
index 1c9ffabd80b753b7cb5b3cdc430e8ad35f6feb87..cc20ec8f688b8e8bf8b820aafc7343cbcae3a63a 100644 (file)
@@ -69,8 +69,6 @@ krb5_gss_import_sec_context(context,
 
                /* Make sure that everything is cool. */
                if (kg_validate_ctx_id((gss_ctx_id_t) ctx)) {
-                   interprocess_token->value = ibp;
-                   interprocess_token->length = blen;
                    *context_handle = (gss_ctx_id_t) ctx;
                    retval = GSS_S_COMPLETE;
                }
@@ -82,13 +80,13 @@ krb5_gss_import_sec_context(context,
        if (ctx) {
            (void) kg_delete_ctx_id((gss_ctx_id_t) ctx);
            if (ctx->enc.processed)
-               krb5_finish_key(ctx->context, &ctx->enc.eblock);
-           krb5_free_keyblock(ctx->context, ctx->enc.key);
+               krb5_finish_key(context, &ctx->enc.eblock);
+           krb5_free_keyblock(context, ctx->enc.key);
            if (ctx->seq.processed)
-               krb5_finish_key(ctx->context, &ctx->seq.eblock);
-           krb5_free_principal(ctx->context, ctx->here);
-           krb5_free_principal(ctx->context, ctx->there);
-           krb5_free_keyblock(ctx->context, ctx->subkey);
+               krb5_finish_key(context, &ctx->seq.eblock);
+           krb5_free_principal(context, ctx->here);
+           krb5_free_principal(context, ctx->there);
+           krb5_free_keyblock(context, ctx->subkey);
            
            /* Zero out context */
            memset(ctx, 0, sizeof(*ctx));
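Review bot: This cleanup block still releases `ctx->enc.key` and `ctx->subkey` but not `ctx->seq.key`, whereas the matching block in export_sec_context.c gains `krb5_free_keyblock(context, ctx->seq.key);` in this same commit. Whether an internalized context owns a separate seq.key is decided in ser_sctx.c and is not visible here; if it does, the key block is leaked on this path. Either add the same free before the `memset`, or add a comment stating who owns seq.key for imported contexts, since krb5_gss_delete_sec_context now frees it unconditionally. The enclosing function starts outside the hunk.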
index bcd999ae70ce118cfc5ddc9113670e4cd3460d80..9de905e8cf3a39c065cfede88847cde6767a3225 100644 (file)
@@ -244,12 +244,10 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle,
 
       /* fill in the ctx */
       memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
-      ctx->context = context;
       ctx->auth_context = NULL;
       ctx->initiate = 1;
       ctx->mutual = req_flags & GSS_C_MUTUAL_FLAG;
       ctx->seed_init = 0;
-      ctx->cred = cred;
       ctx->big_endian = 0;  /* all initiators do little-endian, as per spec */
 
       if (time_req == 0 || time_req == GSS_C_INDEFINITE) {
@@ -277,7 +275,7 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle,
         return(GSS_S_FAILURE);
       }
 
-      if (code = make_ap_req(context, &(ctx->auth_context), ctx->cred, 
+      if (code = make_ap_req(context, &(ctx->auth_context), cred, 
                             ctx->there, &ctx->endtime, input_chan_bindings, 
                             ctx->mutual, &ctx->flags, &token)) {
         krb5_free_principal(context, ctx->here);
@@ -304,7 +302,8 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle,
 
       krb5_use_enctype(context, &ctx->seq.eblock, ENCTYPE_DES_CBC_RAW);
       ctx->seq.processed = 0;
-      ctx->seq.key = ctx->subkey;
+      if (code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq.key))
+         return(code);
 
       /* at this point, the context is constructed and valid,
         hence, releaseable */
@@ -375,7 +374,7 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle,
         arguments are unchanged */
 
       if ((ctx->established) ||
-         (((gss_cred_id_t) ctx->cred) != claimant_cred_handle) ||
+         (((gss_cred_id_t) cred) != claimant_cred_handle) ||
          ((req_flags & GSS_C_MUTUAL_FLAG) == 0)) {
         (void)krb5_gss_delete_sec_context(context, minor_status, 
                                           context_handle, NULL);
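Review bot: Comparing `(gss_cred_id_t) cred` with `claimant_cred_handle` no longer checks anything if `cred` is derived from `claimant_cred_handle` earlier in this call, which seems likely but is not shown in the hunk. The old test used the credential stored when the context was created, so the continuation leg could detect a caller switching credentials between calls; with the field gone that guard becomes a no-op. If the check is still wanted, compare against something the context keeps, for example `!krb5_principal_compare(context, cred->princ, ctx->here)` (assuming ctx->here is copied from the credential's principal as in accept_sec_context.c). Otherwise remove the clause and update the "arguments are unchanged" comment above it. The function body continues outside the hunk.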
index 38770173e261e28b2c962f43717f143663e8b3e5..1653a45538f586cf6149dde14b1a2eee8188c6f3 100644 (file)
@@ -181,8 +181,9 @@ make_seal_token(context, enc_ed, seq_ed, seqnum, direction, text, token,
    and do not encode the ENC_TYPE, MSG_LENGTH, or MSG_TEXT fields */
 
 OM_uint32
-kg_seal(minor_status, context_handle, conf_req_flag, qop_req, 
+kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, 
        input_message_buffer, conf_state, output_message_buffer, toktype)
+     krb5_context context;
      OM_uint32 *minor_status;
      gss_ctx_id_t context_handle;
      int conf_req_flag;
@@ -218,12 +219,12 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
       return(GSS_S_NO_CONTEXT);
    }
 
-   if (code = krb5_timeofday(ctx->context, &now)) {
+   if (code = krb5_timeofday(context, &now)) {
       *minor_status = code;
       return(GSS_S_FAILURE);
    }
 
-   if (code = make_seal_token(ctx->context, &ctx->enc, &ctx->seq,
+   if (code = make_seal_token(context, &ctx->enc, &ctx->seq,
                              &ctx->seq_send, ctx->initiate,
                              input_message_buffer, output_message_buffer,
                              conf_req_flag, toktype, ctx->big_endian)) {
@@ -241,8 +242,9 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req,
 }
 
 OM_uint32
-kg_seal_size(minor_status, context_handle, conf_req_flag, qop_req, 
+kg_seal_size(context, minor_status, context_handle, conf_req_flag, qop_req, 
             output_size, input_size)
+    krb5_context        context;
     OM_uint32          *minor_status;
     gss_ctx_id_t       context_handle;
     int                        conf_req_flag;
index a50c4cb21ef10fdaf141ae71da51bdd164857f14..48bc07119087154b3f97b76781e920750f09f370 100644 (file)
@@ -29,8 +29,9 @@
    */
 
 OM_uint32
-kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer,
-         conf_state, qop_state, toktype)
+kg_unseal(context, minor_status, context_handle, input_token_buffer,
+         message_buffer, conf_state, qop_state, toktype)
+     krb5_context context;
      OM_uint32 *minor_status;
      gss_ctx_id_t context_handle;
      gss_buffer_t input_token_buffer;
@@ -240,7 +241,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer,
    if (qop_state)
       *qop_state = GSS_C_QOP_DEFAULT;
 
-   if (code = krb5_timeofday(ctx->context, &now)) {
+   if (code = krb5_timeofday(context, &now)) {
       *minor_status = code;
       return(GSS_S_FAILURE);
    }
index 3634cc1ea589ce6f6e7af7fb24f0aaaa46ffbd2a..dd2e108fd831c3b38c3448a621a22ed51f85a112 100644 (file)
@@ -146,6 +146,9 @@ gss_context_time(minor_status, context_handle, time_rec)
 {
    krb5_gss_ctx_id_t * ctx;
 
+   if (!kg_context && kg_get_context())
+          return GSS_S_FAILURE;
+   
    /* validate the context handle */
    if (! kg_validate_ctx_id(context_handle)) {
       *minor_status = (OM_uint32) G_VALIDATE_FAILED;
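Review bot: The added `if (!kg_context && kg_get_context()) return GSS_S_FAILURE;` returns without writing `*minor_status`, while the validation failure just below sets it to `G_VALIDATE_FAILED`. A caller that logs or branches on the minor status after GSS_S_FAILURE then reads whatever its variable held before the call. kg_get_context discards the `krb5_init_context` result, so either it should hand that code back or the wrapper should store a fixed value in `*minor_status` before returning. The same guard is added to gss_delete_sec_context, gss_inquire_context, gss_process_context_token, gss_seal, gss_sign, gss_unseal and gss_verify in this file.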
@@ -154,7 +157,7 @@ gss_context_time(minor_status, context_handle, time_rec)
 
    ctx = (krb5_gss_ctx_id_rec *) context_handle;
 
-   return(krb5_gss_context_time(ctx->context, minor_status, context_handle,
+   return(krb5_gss_context_time(kg_context, minor_status, context_handle,
                                time_rec));
 }
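Review bot: With `ctx->context` replaced by `kg_context` in the call, the local `ctx` assigned on the line above is no longer read in gss_context_time as far as the two hunks show, so the declaration and the cast can be removed. Leaving it suggests the wrapper still depends on the handle's internals. The same leftover appears in the other wrappers changed in this file; in gss_delete_sec_context the assignment also dereferences `*context_handle` for a value that is never used.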
 
@@ -175,6 +178,9 @@ gss_delete_sec_context(minor_status, context_handle, output_token)
 {
    krb5_gss_ctx_id_t * ctx;
 
+   if (!kg_context && kg_get_context())
+          return GSS_S_FAILURE;
+   
    /* validate the context handle */
    if (! kg_validate_ctx_id(context_handle)) {
       *minor_status = (OM_uint32) G_VALIDATE_FAILED;
@@ -183,7 +189,7 @@ gss_delete_sec_context(minor_status, context_handle, output_token)
 
    ctx = (krb5_gss_ctx_id_rec *) *context_handle;
 
-   return(krb5_gss_delete_sec_context(ctx->context, minor_status,
+   return(krb5_gss_delete_sec_context(kg_context, minor_status,
                                      context_handle, output_token));
 }
 
@@ -338,6 +344,9 @@ gss_inquire_context(minor_status, context_handle, initiator_name, acceptor_name,
 {
    krb5_gss_ctx_id_t * ctx;
 
+   if (!kg_context && kg_get_context())
+          return GSS_S_FAILURE;
+   
    /* validate the context handle */
    if (! kg_validate_ctx_id(context_handle)) {
       *minor_status = (OM_uint32) G_VALIDATE_FAILED;
@@ -346,7 +355,7 @@ gss_inquire_context(minor_status, context_handle, initiator_name, acceptor_name,
 
    ctx = (krb5_gss_ctx_id_rec *) context_handle;
 
-   return(krb5_gss_inquire_context(ctx->context, minor_status, context_handle,
+   return(krb5_gss_inquire_context(kg_context, minor_status, context_handle,
                                   initiator_name, acceptor_name, lifetime_rec,
                                   mech_type, ret_flags, locally_initiated,
                                   open));
@@ -419,6 +428,9 @@ gss_process_context_token(minor_status, context_handle, token_buffer)
 {
    krb5_gss_ctx_id_t * ctx;
 
+   if (!kg_context && kg_get_context())
+          return GSS_S_FAILURE;
+   
    /* validate the context handle */
    if (! kg_validate_ctx_id(context_handle)) {
       *minor_status = (OM_uint32) G_VALIDATE_FAILED;
@@ -427,7 +439,7 @@ gss_process_context_token(minor_status, context_handle, token_buffer)
 
    ctx = (krb5_gss_ctx_id_rec *) context_handle;
 
-   return(krb5_gss_process_context_token(ctx->context, minor_status,
+   return(krb5_gss_process_context_token(kg_context, minor_status,
                                         context_handle, token_buffer));
 }
 
@@ -493,6 +505,9 @@ gss_seal(minor_status, context_handle, conf_req_flag, qop_req,
 {
    krb5_gss_ctx_id_t * ctx;
 
+   if (!kg_context && kg_get_context())
+          return GSS_S_FAILURE;
+   
    /* validate the context handle */
    if (! kg_validate_ctx_id(context_handle)) {
       *minor_status = (OM_uint32) G_VALIDATE_FAILED;
@@ -501,7 +516,7 @@ gss_seal(minor_status, context_handle, conf_req_flag, qop_req,
 
    ctx = (krb5_gss_ctx_id_rec *) context_handle;
 
-   return(krb5_gss_seal(ctx->context, minor_status, context_handle,
+   return(krb5_gss_seal(kg_context, minor_status, context_handle,
                        conf_req_flag, qop_req, input_message_buffer,
                        conf_state, output_message_buffer));
 }
@@ -517,6 +532,9 @@ gss_sign(minor_status, context_handle, qop_req, message_buffer, message_token)
 {
    krb5_gss_ctx_id_t * ctx;
 
+   if (!kg_context && kg_get_context())
+          return GSS_S_FAILURE;
+   
    /* validate the context handle */
    if (! kg_validate_ctx_id(context_handle)) {
       *minor_status = (OM_uint32) G_VALIDATE_FAILED;
@@ -525,7 +543,7 @@ gss_sign(minor_status, context_handle, qop_req, message_buffer, message_token)
 
    ctx = (krb5_gss_ctx_id_rec *) context_handle;
 
-   return(krb5_gss_sign(ctx->context, minor_status, context_handle,
+   return(krb5_gss_sign(kg_context, minor_status, context_handle,
                        qop_req, message_buffer, message_token));
 }
 
@@ -564,6 +582,9 @@ gss_unseal(minor_status, context_handle, input_message_buffer,
 {
    krb5_gss_ctx_id_t * ctx;
 
+   if (!kg_context && kg_get_context())
+          return GSS_S_FAILURE;
+   
    /* validate the context handle */
    if (! kg_validate_ctx_id(context_handle)) {
       *minor_status = (OM_uint32) G_VALIDATE_FAILED;
@@ -572,7 +593,7 @@ gss_unseal(minor_status, context_handle, input_message_buffer,
 
    ctx = (krb5_gss_ctx_id_rec *) context_handle;
 
-   return(krb5_gss_unseal(ctx->context, minor_status, context_handle,
+   return(krb5_gss_unseal(kg_context, minor_status, context_handle,
                          input_message_buffer, output_message_buffer,
                          conf_state, qop_state));
 }
@@ -607,6 +628,9 @@ gss_verify(minor_status, context_handle, message_buffer,
 {
    krb5_gss_ctx_id_t * ctx;
 
+   if (!kg_context && kg_get_context())
+          return GSS_S_FAILURE;
+   
    /* validate the context handle */
    if (! kg_validate_ctx_id(context_handle)) {
       *minor_status = (OM_uint32) G_VALIDATE_FAILED;
@@ -615,7 +639,7 @@ gss_verify(minor_status, context_handle, message_buffer,
 
    ctx = (krb5_gss_ctx_id_rec *) context_handle;
 
-   return(krb5_gss_verify(ctx->context, minor_status, context_handle,
+   return(krb5_gss_verify(kg_context, minor_status, context_handle,
                          message_buffer, token_buffer, qop_state));
 }
 
index 0de7e090ff9befbc8a0e8ac880f1ad1c385916d4..819f226192e6aab71a1f4b956c763e8b60c8583b 100644 (file)
@@ -48,7 +48,7 @@ krb5_gss_process_context_token(context, minor_status, context_handle,
 
    /* "unseal" the token */
 
-   if (GSS_ERROR(majerr = kg_unseal(minor_status, ctx, token_buffer,
+   if (GSS_ERROR(majerr = kg_unseal(context, minor_status, ctx, token_buffer,
                                    GSS_C_NO_BUFFER, NULL, NULL,
                                    KG_TOK_DEL_CTX)))
       return(majerr);
index 15e7a8bb1ca2ba3f937f491769c329920969fcec..49c726d12bbcd1ebf3613ed6ffe7ac70716f4fb6 100644 (file)
@@ -35,7 +35,7 @@ krb5_gss_seal(context, minor_status, context_handle, conf_req_flag,
      int *conf_state;
      gss_buffer_t output_message_buffer;
 {
-   return(kg_seal(minor_status, context_handle, conf_req_flag,
+   return(kg_seal(context, minor_status, context_handle, conf_req_flag,
                  qop_req, input_message_buffer, conf_state,
                  output_message_buffer, KG_TOK_SEAL_MSG));
 }
@@ -54,7 +54,7 @@ krb5_gss_wrap(context, minor_status, context_handle, conf_req_flag,
     int                        *conf_state;
     gss_buffer_t       output_message_buffer;
 {
-    return(kg_seal(minor_status, context_handle, conf_req_flag,
+    return(kg_seal(context, minor_status, context_handle, conf_req_flag,
                   qop_req, input_message_buffer, conf_state,
                   output_message_buffer, KG_TOK_WRAP_MSG));
 }
@@ -72,6 +72,6 @@ krb5_gss_wrap_size_limit(context, minor_status, context_handle, conf_req_flag,
     OM_uint32          *max_input_size;
 {
     /* XXX - should just put this in k5seal.c */
-    return(kg_seal_size(minor_status, context_handle, conf_req_flag,
+    return(kg_seal_size(context, minor_status, context_handle, conf_req_flag,
                        qop_req, req_output_size, max_input_size));
 }
index c1ddfd70100b78e48c07cc219116fe3da5eae270..4cd0e7d35306e728fa0fc5734a3a299b9972f58e 100644 (file)
@@ -451,12 +451,6 @@ kg_ctx_size(kcontext, arg, sizep)
        required += sizeof(ctx->seed);
 
        kret = 0;
-       if (ctx->cred)
-           kret = krb5_size_opaque(kcontext,
-                                   KG_CRED,
-                                   (krb5_pointer) ctx->cred,
-                                   &required);
-
        if (!kret && ctx->here)
            kret = krb5_size_opaque(kcontext,
                                    KV5M_PRINCIPAL,
@@ -487,12 +481,6 @@ kg_ctx_size(kcontext, arg, sizep)
                                    (krb5_pointer) &ctx->seq,
                                    &required);
 
-       if (!kret && ctx->context)
-           kret = krb5_size_opaque(kcontext,
-                                   KV5M_CONTEXT,
-                                   (krb5_pointer) ctx->context,
-                                   &required);
-
        if (!kret && ctx->auth_context)
            kret = krb5_size_opaque(kcontext,
                                    KV5M_AUTH_CONTEXT,
@@ -556,13 +544,7 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
                                       &bp, &remain);
 
            /* Now dynamic data */
-           if (ctx->cred)
-               kret = krb5_externalize_opaque(kcontext,
-                                              KG_CRED,
-                                              (krb5_pointer) ctx->cred,
-                                              &bp, &remain);
-           else
-               kret = 0;
+           kret = 0;
 
            if (!kret && ctx->here)
                kret = krb5_externalize_opaque(kcontext,
@@ -594,12 +576,6 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
                                               (krb5_pointer) &ctx->seq,
                                               &bp, &remain);
 
-           if (!kret && ctx->context)
-               kret = krb5_externalize_opaque(kcontext,
-                                              KV5M_CONTEXT,
-                                              (krb5_pointer) ctx->context,
-                                              &bp, &remain);
-
            if (!kret && ctx->auth_context)
                kret = krb5_externalize_opaque(kcontext,
                                               KV5M_AUTH_CONTEXT,
@@ -671,14 +647,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
 
            /* Now get substructure data */
            if ((kret = krb5_internalize_opaque(kcontext,
-                                               KG_CRED,
-                                               (krb5_pointer *) &ctx->cred,
-                                               &bp, &remain))) {
-               if (kret == EINVAL)
-                   kret = 0;
-           }
-           if (!kret &&
-               (kret = krb5_internalize_opaque(kcontext,
                                                KV5M_PRINCIPAL,
                                                (krb5_pointer *) &ctx->here,
                                                &bp, &remain))) {
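Review bot: Dropping the KG_CRED and KV5M_CONTEXT members changes the layout of the exported context token, and nothing in the visible hunks of kg_ctx_size, kg_ctx_externalize or kg_ctx_internalize marks the new layout with a version. The removed branches show an `EINVAL` from `krb5_internalize_opaque` being turned into success. If the retained branches do the same (their bodies are outside the hunk), a token written by an older build is likely to be parsed with fields silently skipped rather than rejected. A comment at the top of kg_ctx_internalize stating that tokens are only valid between identical library builds, or an explicit layout check, would make that contract visible.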
@@ -727,14 +695,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
                    xfree(edp);
                }
            }
-           if (!kret &&
-               (kret = krb5_internalize_opaque(kcontext,
-                                               KV5M_CONTEXT,
-                                               (krb5_pointer *) &ctx->context,
-                                               &bp, &remain))) {
-               if (kret == EINVAL)
-                   kret = 0;
-           }
            if (!kret &&
                (kret = krb5_internalize_opaque(kcontext,
                                                KV5M_AUTH_CONTEXT,
@@ -758,8 +718,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
                    kret = EINVAL;
                if (ctx->auth_context)
                    krb5_auth_con_free(kcontext, ctx->auth_context);
-               if (ctx->context)
-                   krb5_free_context(ctx->context);
                if (ctx->seq.eblock.key)
                    krb5_free_keyblock(kcontext, ctx->seq.eblock.key);
                if (ctx->seq.eblock.priv && ctx->seq.eblock.priv_size)
@@ -778,15 +736,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
                    krb5_free_principal(kcontext, ctx->there);
                if (ctx->here)
                    krb5_free_principal(kcontext, ctx->here);
-               if (ctx->cred) {
-                   if (ctx->cred->ccache)
-                       krb5_cc_close(kcontext, ctx->cred->ccache);
-                   if (ctx->cred->keytab)
-                       krb5_kt_close(kcontext, ctx->cred->keytab);
-                   if (ctx->cred->princ)
-                       krb5_free_principal(kcontext, ctx->cred->princ);
-                   krb5_xfree(ctx->cred);
-               }
                xfree(ctx);
            }
        }
index 3f8b436192f815cfac2e5291bb0f5c249f86f7b5..74eab6bca871cddee0206992105ab4eb6d51dbc7 100644 (file)
@@ -33,7 +33,7 @@ krb5_gss_sign(context, minor_status, context_handle,
      gss_buffer_t message_buffer;
      gss_buffer_t message_token;
 {
-   return(kg_seal(minor_status, context_handle, 0,
+   return(kg_seal(context, minor_status, context_handle, 0,
                  qop_req, message_buffer, NULL,
                  message_token, KG_TOK_SIGN_MSG));
 }
@@ -49,7 +49,7 @@ krb5_gss_get_mic(context, minor_status, context_handle, qop_req,
     gss_buffer_t       message_buffer;
     gss_buffer_t       message_token;
 {
-    return(kg_seal(minor_status, context_handle, 0,
+    return(kg_seal(context, minor_status, context_handle, 0,
                   qop_req, message_buffer, NULL,
                   message_token, KG_TOK_MIC_MSG));
 }
index 7871352d127d7ba7af92bb8242c6ec5e6f004974..294e37cc2c19433d5a15a6e74b561ea4f19af9f7 100644 (file)
@@ -34,7 +34,7 @@ krb5_gss_unseal(context, minor_status, context_handle,
      int *conf_state;
      int *qop_state;
 {
-   return(kg_unseal(minor_status, context_handle,
+   return(kg_unseal(context, minor_status, context_handle,
                    input_message_buffer, output_message_buffer,
                    conf_state, qop_state, KG_TOK_SEAL_MSG));
 }
@@ -55,7 +55,7 @@ krb5_gss_unwrap(context, minor_status, context_handle,
     OM_uint32          rstat;
     int                        qstate;
 
-    rstat = kg_unseal(minor_status, context_handle,
+    rstat = kg_unseal(context, minor_status, context_handle,
                      input_message_buffer, output_message_buffer,
                      conf_state, &qstate, KG_TOK_WRAP_MSG);
     if (!rstat && qop_state)
index 69fa967b75e3133bb472dc575b0a2f6cb29e76f8..f2d5d4a0cc431bd985ee3b54fc4ae74f5679a901 100644 (file)
@@ -33,7 +33,7 @@ krb5_gss_verify(context, minor_status, context_handle,
      gss_buffer_t token_buffer;
      int *qop_state;
 {
-   return(kg_unseal(minor_status, context_handle,
+   return(kg_unseal(context, minor_status, context_handle,
                    token_buffer, message_buffer,
                    NULL, qop_state, KG_TOK_SIGN_MSG));
 }
@@ -53,7 +53,7 @@ krb5_gss_verify_mic(context, minor_status, context_handle,
     OM_uint32          rstat;
     int                        qstate;
 
-    rstat = kg_unseal(minor_status, context_handle,
+    rstat = kg_unseal(context, minor_status, context_handle,
                      token_buffer, message_buffer,
                      NULL, &qstate, KG_TOK_MIC_MSG);
     if (!rstat && qop_state)