Add krb5_key versions of the auth context key accessors, and use them
authorGreg Hudson <ghudson@mit.edu>
Fri, 27 Nov 2009 21:30:51 +0000 (21:30 +0000)
committerGreg Hudson <ghudson@mit.edu>
Fri, 27 Nov 2009 21:30:51 +0000 (21:30 +0000)
to simplify the gss-krb5 code a little bit.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23372 dc483132-0cff-0310-8789-dd5450dbe970

src/include/krb5/krb5.hin
src/lib/gssapi/krb5/accept_sec_context.c
src/lib/krb5/krb/auth_con.c
src/lib/krb5/libkrb5.exports

index 61f318f2be3676ddd0a5fb656805eb29d5d721e6..675917052bae43c8a44ac260ea393f7580bb2c33 100644 (file)
@@ -2013,12 +2013,21 @@ krb5_auth_con_setuseruserkey(krb5_context, krb5_auth_context, krb5_keyblock *);
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getkey(krb5_context, krb5_auth_context, krb5_keyblock **);
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getrecvsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
 
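Review bot: The three added `_k` prototypes carry no statement of ownership, and this public header is where callers will look for it: each returns a new reference that the caller must release with `krb5_k_free_key()`, unlike the neighbouring keyblock variants whose copies go to `krb5_free_keyblock()`. Suggested comment above `krb5_auth_con_getkey_k`: `/* Return a new reference to the auth context's session key, or NULL if none is set; release with krb5_k_free_key(). */`, with the same wording adapted for the send-subkey and recv-subkey variants. The reference and NULL behaviour is inferred from the auth_con.c implementations in this diff, which pass the stored pointer through after `krb5_k_reference_key()` and return 0 unconditionally.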
index ccfdb5c1cee0c2f0d2b17ae73484ef9571e11a93..52cf6fadcae87fdabdeac3c44cde07e52908031c 100644 (file)
@@ -437,7 +437,6 @@ kg_accept_krb5(minor_status, context_handle,
     int no_encap = 0;
     krb5_flags ap_req_options = 0;
     krb5_enctype negotiated_etype;
-    krb5_keyblock *keyblock = NULL;
     krb5_authdata_context ad_context = NULL;
 
     code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
@@ -611,10 +610,10 @@ kg_accept_krb5(minor_status, context_handle,
    if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
       /* Samba does not send 0x8003 GSS-API checksums */
       krb5_boolean valid;
-      krb5_keyblock *subkey;
+      krb5_key subkey;
       krb5_data zero;
 
-      code = krb5_auth_con_getkey(context, auth_context, &subkey);
+      code = krb5_auth_con_getkey_k(context, auth_context, &subkey);
       if (code) {
          major_status = GSS_S_FAILURE;
          goto fail;
@@ -623,23 +622,21 @@ kg_accept_krb5(minor_status, context_handle,
       zero.length = 0;
       zero.data = "";
 
-      code = krb5_c_verify_checksum(context,
+      code = krb5_k_verify_checksum(context,
                                     subkey,
                                     KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
                                     &zero,
                                     authdat->checksum,
                                     &valid);
+      krb5_k_free_key(context, subkey);
       if (code || !valid) {
           major_status = GSS_S_BAD_SIG;
-          krb5_free_keyblock(context, subkey);
           goto fail;
       }
 
       gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
       bigend = 0;
       decode_req_message = 0;
-
-      krb5_free_keyblock(context, subkey);
    } else {
         /* gss krb5 v1 */
 
@@ -883,22 +880,23 @@ kg_accept_krb5(minor_status, context_handle,
     authdat->client = NULL;
     krb5_auth_con_set_authdata_context(context, auth_context, NULL);
 
-    if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
-                                            &keyblock))) {
+    if ((code = krb5_auth_con_getrecvsubkey_k(context, auth_context,
+                                              &ctx->subkey))) {
         major_status = GSS_S_FAILURE;
         goto fail;
     }
 
     /* use the session key if the subkey isn't present */
 
-    if (keyblock == NULL) {
-        if ((code = krb5_auth_con_getkey(context, auth_context, &keyblock))) {
+    if (ctx->subkey == NULL) {
+        if ((code = krb5_auth_con_getkey_k(context, auth_context,
+                                           &ctx->subkey))) {
             major_status = GSS_S_FAILURE;
             goto fail;
         }
     }
 
-    if (keyblock == NULL) {
+    if (ctx->subkey == NULL) {
         /* this isn't a very good error, but it's not clear to me this
            can actually happen */
         major_status = GSS_S_FAILURE;
@@ -906,12 +904,6 @@ kg_accept_krb5(minor_status, context_handle,
         goto fail;
     }
 
-    code = krb5_k_create_key(context, keyblock, &ctx->subkey);
-    if (code) {
-        major_status = GSS_S_FAILURE;
-        goto fail;
-    }
-
     ctx->enc = NULL;
     ctx->seq = NULL;
     ctx->have_acceptor_subkey = 0;
@@ -1038,20 +1030,13 @@ kg_accept_krb5(minor_status, context_handle,
         if (cfx_generate_subkey) {
             /* Get the new acceptor subkey.  With the code above, there
                should always be one if we make it to this point.  */
-            code = krb5_auth_con_getsendsubkey(context, auth_context,
-                                               &keyblock);
-            if (code != 0) {
-                major_status = GSS_S_FAILURE;
-                goto fail;
-            }
-            code = krb5_k_create_key(context, keyblock, &ctx->acceptor_subkey);
+            code = krb5_auth_con_getsendsubkey_k(context, auth_context,
+                                                 &ctx->acceptor_subkey);
             if (code != 0) {
                 major_status = GSS_S_FAILURE;
                 goto fail;
             }
             ctx->have_acceptor_subkey = 1;
-            krb5_free_keyblock(context, keyblock);
-            keyblock = NULL;
 
             code = kg_setup_keys(context, ctx, ctx->acceptor_subkey,
                                  &ctx->acceptor_subkey_cksumtype);
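Review bot: `ctx->acceptor_subkey` is now assigned directly from `krb5_auth_con_getsendsubkey_k()`, which per the auth_con.c hunk returns success with a NULL key when no send subkey is set, yet `ctx->have_acceptor_subkey = 1` and the `kg_setup_keys()` call follow with only the `code != 0` check in between. The comment above says a subkey should always exist at this point, and the earlier hunk already treats a NULL `ctx->subkey` as `GSS_S_FAILURE`; the same defensive check fits here after the `code` test: `if (ctx->acceptor_subkey == NULL) { major_status = GSS_S_FAILURE; goto fail; }`. The body of kg_accept_krb5 continues on both sides of this hunk.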
@@ -1163,8 +1148,6 @@ fail:
         xfree(reqcksum.contents);
     if (ap_rep.data)
         krb5_free_data_contents(context, &ap_rep);
-    if (keyblock)
-        krb5_free_keyblock(context, keyblock);
     if (major_status == GSS_S_COMPLETE ||
         (major_status == GSS_S_CONTINUE_NEEDED && code != KRB5KRB_AP_ERR_MSG_TYPE)) {
         ctx->k5_context = context;
index e6bbac15aff58a511bc3c26085908671126c574e..a53b7d5b0f804a691c0afd5dc0233a83eadcdec1 100644 (file)
@@ -175,6 +175,15 @@ krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_
     return 0;
 }
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context,
+                       krb5_key *key)
+{
+    krb5_k_reference_key(context, auth_context->key);
+    *key = auth_context->key;
+    return 0;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
 {
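Review bot: `krb5_auth_con_getkey_k` hands `auth_context->key` to `krb5_k_reference_key()` and returns 0 whether or not a key is set, so a caller gets success with `*key == NULL` when the auth context has no session key; `krb5_auth_con_getsendsubkey_k` and `krb5_auth_con_getrecvsubkey_k` in the next two hunks behave the same way for `send_subkey` and `recv_subkey`. kg_accept_krb5 in this commit relies on that (`if (ctx->subkey == NULL)`), so the contract should be stated rather than changed: `/* Succeeds with *key = NULL when no key is set. */` above each of the three definitions. Whether `krb5_k_reference_key()` tolerates a NULL key is not visible in this diff; if it does not, the call needs a guard such as `if (auth_context->key != NULL)` in all three functions.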
@@ -220,6 +229,15 @@ krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keybloc
     return 0;
 }
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
+                              krb5_key *key)
+{
+    krb5_k_reference_key(ctx, ac->send_subkey);
+    *key = ac->send_subkey;
+    return 0;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
 {
@@ -229,6 +247,15 @@ krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keybloc
     return 0;
 }
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
+                              krb5_key *key)
+{
+    krb5_k_reference_key(ctx, ac->recv_subkey);
+    *key = ac->recv_subkey;
+    return 0;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype)
 {
index 8ea6c0223d60973feec02afd19596f4fdb1f945e..3de9915c3fa8f1607212f9359e6ce268e242d9af 100644 (file)
@@ -119,14 +119,17 @@ krb5_auth_con_getauthenticator
 krb5_auth_con_getflags
 krb5_auth_con_getivector
 krb5_auth_con_getkey
+krb5_auth_con_getkey_k
 krb5_auth_con_getlocalseqnumber
 krb5_auth_con_getlocalsubkey
 krb5_auth_con_getpermetypes
 krb5_auth_con_getrcache
 krb5_auth_con_getrecvsubkey
+krb5_auth_con_getrecvsubkey_k
 krb5_auth_con_getremoteseqnumber
 krb5_auth_con_getremotesubkey
 krb5_auth_con_getsendsubkey
+krb5_auth_con_getsendsubkey_k
 krb5_auth_con_init
 krb5_auth_con_initivector
 krb5_auth_con_set_authdata_context