krb5_error_code KRB5_CALLCONV
krb5_auth_con_getkey(krb5_context, krb5_auth_context, krb5_keyblock **);
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getrecvsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
int no_encap = 0;
krb5_flags ap_req_options = 0;
krb5_enctype negotiated_etype;
- krb5_keyblock *keyblock = NULL;
krb5_authdata_context ad_context = NULL;
code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
/* Samba does not send 0x8003 GSS-API checksums */
krb5_boolean valid;
- krb5_keyblock *subkey;
+ krb5_key subkey;
krb5_data zero;
- code = krb5_auth_con_getkey(context, auth_context, &subkey);
+ code = krb5_auth_con_getkey_k(context, auth_context, &subkey);
if (code) {
major_status = GSS_S_FAILURE;
goto fail;
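Review bot: The `if (code)` test after `krb5_auth_con_getkey_k` does not catch a missing key, because the getter added later in this commit always returns 0 and stores `auth_context->key` as-is, so `subkey` can be NULL when it reaches `krb5_k_verify_checksum`. Whether the verify call rejects a NULL key is not visible here, so an explicit guard is safer: `if (code || subkey == NULL) {`. The same applies to the `krb5_auth_con_getsendsubkey_k` call under `cfx_generate_subkey`, where `have_acceptor_subkey` is set to 1 and `kg_setup_keys` runs without checking `ctx->acceptor_subkey`; `if (code != 0 || ctx->acceptor_subkey == NULL) {` would cover it. The enclosing function starts and ends outside these hunks.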
zero.length = 0;
zero.data = "";
- code = krb5_c_verify_checksum(context,
+ code = krb5_k_verify_checksum(context,
subkey,
KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
&zero,
authdat->checksum,
&valid);
+ krb5_k_free_key(context, subkey);
if (code || !valid) {
major_status = GSS_S_BAD_SIG;
- krb5_free_keyblock(context, subkey);
goto fail;
}
gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
bigend = 0;
decode_req_message = 0;
-
- krb5_free_keyblock(context, subkey);
} else {
/* gss krb5 v1 */
authdat->client = NULL;
krb5_auth_con_set_authdata_context(context, auth_context, NULL);
- if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
- &keyblock))) {
+ if ((code = krb5_auth_con_getrecvsubkey_k(context, auth_context,
+ &ctx->subkey))) {
major_status = GSS_S_FAILURE;
goto fail;
}
/* use the session key if the subkey isn't present */
- if (keyblock == NULL) {
- if ((code = krb5_auth_con_getkey(context, auth_context, &keyblock))) {
+ if (ctx->subkey == NULL) {
+ if ((code = krb5_auth_con_getkey_k(context, auth_context,
+ &ctx->subkey))) {
major_status = GSS_S_FAILURE;
goto fail;
}
}
- if (keyblock == NULL) {
+ if (ctx->subkey == NULL) {
/* this isn't a very good error, but it's not clear to me this
can actually happen */
major_status = GSS_S_FAILURE;
goto fail;
}
- code = krb5_k_create_key(context, keyblock, &ctx->subkey);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
ctx->enc = NULL;
ctx->seq = NULL;
ctx->have_acceptor_subkey = 0;
if (cfx_generate_subkey) {
/* Get the new acceptor subkey. With the code above, there
should always be one if we make it to this point. */
- code = krb5_auth_con_getsendsubkey(context, auth_context,
- &keyblock);
- if (code != 0) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- code = krb5_k_create_key(context, keyblock, &ctx->acceptor_subkey);
+ code = krb5_auth_con_getsendsubkey_k(context, auth_context,
+ &ctx->acceptor_subkey);
if (code != 0) {
major_status = GSS_S_FAILURE;
goto fail;
}
ctx->have_acceptor_subkey = 1;
- krb5_free_keyblock(context, keyblock);
- keyblock = NULL;
code = kg_setup_keys(context, ctx, ctx->acceptor_subkey,
&ctx->acceptor_subkey_cksumtype);
xfree(reqcksum.contents);
if (ap_rep.data)
krb5_free_data_contents(context, &ap_rep);
- if (keyblock)
- krb5_free_keyblock(context, keyblock);
if (major_status == GSS_S_COMPLETE ||
(major_status == GSS_S_CONTINUE_NEEDED && code != KRB5KRB_AP_ERR_MSG_TYPE)) {
ctx->k5_context = context;
return 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context,
+ krb5_key *key)
+{
+ krb5_k_reference_key(context, auth_context->key);
+ *key = auth_context->key;
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
{
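Review bot: `krb5_auth_con_getkey_k` has no comment stating its ownership contract, and the same is true of `krb5_auth_con_getsendsubkey_k` and `krb5_auth_con_getrecvsubkey_k` further down. Each hands back an extra reference that the caller must drop with `krb5_k_free_key`, and each can store NULL in `*key` while still returning 0 when the auth context has no such key; a header comment such as `/* Stores a new reference to the session key in *key (NULL if none is set); release with krb5_k_free_key(). Always returns 0. */` would make that visible to callers. This also relies on `krb5_k_reference_key` accepting a NULL key, which is not shown on this page and is worth confirming.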
return 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
+ krb5_key *key)
+{
+ krb5_k_reference_key(ctx, ac->send_subkey);
+ *key = ac->send_subkey;
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
return 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
+ krb5_key *key)
+{
+ krb5_k_reference_key(ctx, ac->recv_subkey);
+ *key = ac->recv_subkey;
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype)
{