From: Ken Raeburn Date: Mon, 15 Mar 2004 17:45:01 +0000 (+0000) Subject: * k5seal.c (kg_seal): Extract the krb5 context from the security context X-Git-Tag: krb5-1.4-beta1~541 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=730ebd39f1e4cdc77c7f9719274e7e1a4346c9f8;p=krb5.git * k5seal.c (kg_seal): Extract the krb5 context from the security context instead of requiring it be passed in as an argument. * k5unseal.c (kg_unseal): Likewise. * gssapiP_krb5.h (kg_seal, kg_unseal): Declarations updated. * delete_sec_context.c, process_context_token.c, seal.c, sign.c, unseal.c, verify.c: Callers changed. * inq_context.c (krb5_gss_inquire_context): Use krb5 context contained in security context instead of calling kg_get_context. * wrap_size_limit.c (krb5_gss_wrap_size_limit): Likewise. * import_sec_context.c (krb5_gss_ser_init): New function. (krb5_gss_import_sec_context): Create a krb5 context locally to use for the import. * export_sec_context.c (krb5_gss_export_sec_context): Use the krb5 context in the security context. * gssapiP_krb5.h (krb5_gss_ser_init): Declare. * gssapi_krb5.c (kg_get_context): Don't call krb5 serialization initialization code here. * accept_sec_context.c (krb5_gss_accept_sec_context): Free the new krb5 context in an error case not caught before. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16171 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index a3704fa97..ae317482f 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog 
@@ -1,3 +1,27 @@ +2004-03-15 Ken Raeburn + + * k5seal.c (kg_seal): Extract the krb5 context from the security + context instead of requiring it be passed in as an argument. + * k5unseal.c (kg_unseal): Likewise. + * gssapiP_krb5.h (kg_seal, kg_unseal): Declarations updated. + * delete_sec_context.c, process_context_token.c, seal.c, sign.c, + unseal.c, verify.c: Callers changed. + * inq_context.c (krb5_gss_inquire_context): Use krb5 context + contained in security context instead of calling kg_get_context. + * wrap_size_limit.c (krb5_gss_wrap_size_limit): Likewise. + + * import_sec_context.c (krb5_gss_ser_init): New function. + (krb5_gss_import_sec_context): Create a krb5 context locally to + use for the import. + * export_sec_context.c (krb5_gss_export_sec_context): Use the + krb5 context in the security context. + * gssapiP_krb5.h (krb5_gss_ser_init): Declare. + * gssapi_krb5.c (kg_get_context): Don't call krb5 serialization + initialization code here. + + * accept_sec_context.c (krb5_gss_accept_sec_context): Free the + new krb5 context in an error case not caught before. + 2004-03-14 Ken Raeburn * gssapiP_krb5.h (struct _krb5_gss_ctx_id_rec): Add a krb5 diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 021866ab3..731cc4760 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -287,6 +287,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, /*SUPPRESS 29*/ if (*context_handle != GSS_C_NO_CONTEXT) { *minor_status = 0; + krb5_free_context(context); return(GSS_S_FAILURE); } diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c index 70a79f5e9..3d4706808 100644 --- a/src/lib/gssapi/krb5/delete_sec_context.c +++ b/src/lib/gssapi/krb5/delete_sec_context.c 
@@ -63,7 +63,7 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token) gss_buffer_desc empty; empty.length = 0; empty.value = NULL; - if ((major = kg_seal(context, minor_status, *context_handle, 0, + if ((major = kg_seal(minor_status, *context_handle, 0, GSS_C_QOP_DEFAULT, &empty, NULL, output_token, KG_TOK_DEL_CTX))) return(major); diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c index fc4b0ace2..fb57b882a 100644 --- a/src/lib/gssapi/krb5/export_sec_context.c +++ b/src/lib/gssapi/krb5/export_sec_context.c @@ -43,9 +43,6 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) krb5_gss_ctx_id_t ctx; krb5_octet *obuffer, *obp; - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - /* Assume a tragic failure */ obuffer = (krb5_octet *) NULL; retval = GSS_S_FAILURE; @@ -58,6 +55,10 @@ krb5_gss_export_sec_context(minor_status, context_handle, interprocess_token) } ctx = (krb5_gss_ctx_id_t) *context_handle; + context = ctx->k5_context; + kret = krb5_gss_ser_init(context); + if (kret) + goto error_out; /* Determine size needed for externalization of context */ bufsize = 0; diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 7c58c9a85..d207010c1 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -258,8 +258,7 @@ krb5_error_code kg_decrypt (krb5_context context, krb5_pointer out, unsigned int length); -OM_uint32 kg_seal (krb5_context context, - OM_uint32 *minor_status, +OM_uint32 kg_seal (OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, int qop_req, 
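Review bot: `context = ctx->k5_context;` in krb5_gss_export_sec_context (export_sec_context.c, second hunk) is used without a NULL check, and the same assumption is made in the inq_context.c, k5seal.c, k5unseal.c and wrap_size_limit.c hunks of this commit. That is safe only if every path that builds a `krb5_gss_ctx_id_rec` populates `k5_context`, which these hunks do not show; an explicit check after the handle is validated, or a comment recording the invariant, would make the reliance visible. It would also help to say why serializers are registered at this point, e.g. `/* Serializers may not be registered on this context yet (for instance after an import). */`. The function body starts and ends outside the hunk.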
@@ -268,8 +267,7 @@ OM_uint32 kg_seal (krb5_context context, gss_buffer_t output_message_buffer, int toktype); -OM_uint32 kg_unseal (krb5_context context, - OM_uint32 *minor_status, +OM_uint32 kg_unseal (OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_token_buffer, gss_buffer_t message_buffer, @@ -277,8 +275,7 @@ OM_uint32 kg_unseal (krb5_context context, int *qop_state, int toktype); -OM_uint32 kg_seal_size (krb5_context context, - OM_uint32 *minor_status, +OM_uint32 kg_seal_size (OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, @@ -569,6 +566,8 @@ OM_uint32 krb5_gss_import_sec_context gss_ctx_id_t * /* context_handle */ ); +krb5_error_code krb5_gss_ser_init(krb5_context); + OM_uint32 krb5_gss_release_oid (OM_uint32 *, /* minor_status */ gss_OID * /* oid */ diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index de85a3a7b..a77b9541d 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -161,18 +161,6 @@ kg_get_context(minor_status, context) if (!kg_context) { if ((code = krb5_init_context(&kg_context))) goto fail; - if ((code = krb5_ser_context_init(kg_context))) - goto fail; - if ((code = krb5_ser_auth_context_init(kg_context))) - goto fail; - if ((code = krb5_ser_ccache_init(kg_context))) - goto fail; - if ((code = krb5_ser_rcache_init(kg_context))) - goto fail; - if ((code = krb5_ser_keytab_init(kg_context))) - goto fail; - if ((code = krb5_ser_auth_context_init(kg_context))) - goto fail; } *context = kg_context; *minor_status = 0; diff --git a/src/lib/gssapi/krb5/import_sec_context.c b/src/lib/gssapi/krb5/import_sec_context.c index 3745a7c23..19ddb09d3 100644 --- a/src/lib/gssapi/krb5/import_sec_context.c +++ b/src/lib/gssapi/krb5/import_sec_context.c 
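Review bot: The `kg_seal_size` prototype in gssapiP_krb5.h loses its `krb5_context` parameter in the `@@ -277,8 +275,7 @@` hunk, but neither the ChangeLog entry nor any other hunk in this commit touches a definition or a caller of `kg_seal_size`. If a definition still exists with the old parameter list, declaration and definition now disagree; if none exists, the declaration appears to be dead and could be removed rather than edited. Either way the ChangeLog line `(kg_seal, kg_unseal): Declarations updated` should name it as well.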
@@ -1,7 +1,7 @@ /* * lib/gssapi/krb5/import_sec_context.c * - * Copyright 1995 by the Massachusetts Institute of Technology. + * Copyright 1995,2004 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -29,6 +29,8 @@ * import_sec_context.c - Internalize the security context. */ #include "gssapiP_krb5.h" +/* for serialization initialization functions */ +#include "k5-int.h" /* * Fix up the OID of the mechanism so that uses the static version of @@ -50,6 +52,22 @@ gss_OID krb5_gss_convert_static_mech_oid(oid) return oid; } +krb5_error_code +krb5_gss_ser_init (krb5_context context) +{ + krb5_error_code code; + static krb5_error_code (*const fns[])(krb5_context) = { + krb5_ser_context_init, krb5_ser_auth_context_init, + krb5_ser_ccache_init, krb5_ser_rcache_init, krb5_ser_keytab_init, + }; + int i; + + for (i = 0; i < sizeof(fns)/sizeof(fns[0]); i++) + if ((code = (fns[i])(context)) != 0) + return code; + return 0; +} + OM_uint32 krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle) OM_uint32 *minor_status; @@ -62,8 +80,21 @@ krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle) krb5_gss_ctx_id_t ctx; krb5_octet *ibp; - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); + /* This is a bit screwy. We create a krb5 context because we need + one when calling the serialization code. However, one of the + objects we're unpacking is a krb5 context, so when we finish, + we can throw this one away. */ + kret = krb5_init_context(&context); + if (kret) { + *minor_status = kret; + return GSS_S_FAILURE; + } + kret = krb5_gss_ser_init(context); + if (kret) { + krb5_free_context(context); + *minor_status = kret; + return GSS_S_FAILURE; + } /* Assume a tragic failure */ ctx = (krb5_gss_ctx_id_t) NULL; 
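Review bot: In the new `krb5_gss_ser_init` (import_sec_context.c, `@@ -50,6 +52,22 @@`) the loop index is a signed `int` compared against `sizeof(fns)/sizeof(fns[0])`, which is a `size_t`, so the comparison is mixed-sign; declaring `size_t i;` (or `unsigned int i;`) removes that. The function also has no header comment; something like `/* Register the krb5 serializers needed to export or import a GSS security context; returns the first failure code. */` would document the contract. It is worth recording there that the code removed from kg_get_context called `krb5_ser_auth_context_init` twice while this table lists it once, so a reader can see the drop was deliberate.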
@@ -72,9 +103,9 @@ krb5_gss_import_sec_context(minor_status, interprocess_token, context_handle) /* Internalize the context */ ibp = (krb5_octet *) interprocess_token->value; blen = (size_t) interprocess_token->length; - if ((kret = kg_ctx_internalize(context, - (krb5_pointer *) &ctx, - &ibp, &blen))) { + kret = kg_ctx_internalize(context, (krb5_pointer *) &ctx, &ibp, &blen); + krb5_free_context(context); + if (kret) { *minor_status = (OM_uint32) kret; return(GSS_S_FAILURE); } diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c index 5c156f86d..0954ddc5d 100644 --- a/src/lib/gssapi/krb5/inq_context.c +++ b/src/lib/gssapi/krb5/inq_context.c @@ -43,9 +43,6 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, krb5_timestamp now; krb5_deltat lifetime; - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - if (initiator_name) *initiator_name = (gss_name_t) NULL; if (acceptor_name) @@ -66,6 +63,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, init = NULL; accept = NULL; + context = ctx->k5_context; if ((code = krb5_timeofday(context, &now))) { *minor_status = code; diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 7999a3e15..30dbcab64 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -316,9 +316,8 @@ make_seal_token_v1 (krb5_context context, and do not encode the ENC_TYPE, MSG_LENGTH, or MSG_TEXT fields */ OM_uint32 -kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, +kg_seal(minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, toktype) - krb5_context context; OM_uint32 *minor_status; gss_ctx_id_t context_handle; int conf_req_flag; 
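Review bot: `krb5_free_context(context)` in krb5_gss_import_sec_context (import_sec_context.c, `@@ -72,9 +103,9 @@`) runs unconditionally right after `kg_ctx_internalize`, while the ser_sctx.c hunk in this same commit starts internalization with `ctx->k5_context = kcontext`, so the new record aliases this temporary context until the later `krb5_internalize_opaque(..., KV5M_CONTEXT, ...)` step replaces it. On success the alias is presumably overwritten, but for a truncated or malformed interprocess token the failure cleanup in kg_ctx_internalize (outside the visible hunks) must neither free `ctx->k5_context` nor return a record that still points at it, otherwise this call becomes a double free or leaves a dangling pointer. I would set `ctx->k5_context = NULL` before that cleanup (or drop the early alias) and add a comment here that the temporary context may be freed only because the imported record carries its own. The function body continues outside the hunk.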
@@ -331,6 +330,7 @@ kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, krb5_gss_ctx_id_rec *ctx; krb5_error_code code; krb5_timestamp now; + krb5_context context; output_message_buffer->length = 0; output_message_buffer->value = NULL; @@ -359,6 +359,7 @@ kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, return(GSS_S_NO_CONTEXT); } + context = ctx->k5_context; if ((code = krb5_timeofday(context, &now))) { *minor_status = code; return(GSS_S_FAILURE); diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 6851352ee..714610102 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -475,9 +475,8 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, conf_state is only valid if SEAL. */ OM_uint32 -kg_unseal(context, minor_status, context_handle, input_token_buffer, +kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, conf_state, qop_state, toktype) - krb5_context context; OM_uint32 *minor_status; gss_ctx_id_t context_handle; gss_buffer_t input_token_buffer; @@ -538,11 +537,11 @@ kg_unseal(context, minor_status, context_handle, input_token_buffer, } if (ctx->proto == 0) - return kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, + return kg_unseal_v1(ctx->k5_context, minor_status, ctx, ptr, bodysize, message_buffer, conf_state, qop_state, toktype); else - return gss_krb5int_unseal_token_v3(context, minor_status, ctx, + return gss_krb5int_unseal_token_v3(ctx->k5_context, minor_status, ctx, ptr, bodysize, message_buffer, conf_state, qop_state, toktype); } diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c index 4639108d5..f1bf5c537 100644 --- a/src/lib/gssapi/krb5/process_context_token.c +++ b/src/lib/gssapi/krb5/process_context_token.c 
@@ -33,13 +33,9 @@ krb5_gss_process_context_token(minor_status, context_handle, gss_ctx_id_t context_handle; gss_buffer_t token_buffer; { - krb5_context context; krb5_gss_ctx_id_rec *ctx; OM_uint32 majerr; - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -55,7 +51,7 @@ krb5_gss_process_context_token(minor_status, context_handle, /* "unseal" the token */ - if (GSS_ERROR(majerr = kg_unseal(context, minor_status, ctx, token_buffer, + if (GSS_ERROR(majerr = kg_unseal(minor_status, ctx, token_buffer, GSS_C_NO_BUFFER, NULL, NULL, KG_TOK_DEL_CTX))) return(majerr); diff --git a/src/lib/gssapi/krb5/seal.c b/src/lib/gssapi/krb5/seal.c index 818de191f..63d3dabe0 100644 --- a/src/lib/gssapi/krb5/seal.c +++ b/src/lib/gssapi/krb5/seal.c @@ -38,12 +38,7 @@ krb5_gss_seal(minor_status, context_handle, conf_req_flag, int *conf_state; gss_buffer_t output_message_buffer; { - krb5_context context; - - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - - return(kg_seal(context, minor_status, context_handle, conf_req_flag, + return(kg_seal(minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, KG_TOK_SEAL_MSG)); } @@ -61,12 +56,7 @@ krb5_gss_wrap(minor_status, context_handle, conf_req_flag, int *conf_state; gss_buffer_t output_message_buffer; { - krb5_context context; - - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - - return(kg_seal(context, minor_status, context_handle, conf_req_flag, + return(kg_seal(minor_status, context_handle, conf_req_flag, (int) qop_req, input_message_buffer, conf_state, output_message_buffer, KG_TOK_WRAP_MSG)); } diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c index e0d0ee0af..452ffbf43 100644 --- a/src/lib/gssapi/krb5/ser_sctx.c 
+++ b/src/lib/gssapi/krb5/ser_sctx.c @@ -1,7 +1,7 @@ /* * lib/gssapi/krb5/ser_sctx.c * - * Copyright 1995 by the Massachusetts Institute of Technology. + * Copyright 1995, 2004 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -320,6 +320,11 @@ kg_ctx_size(kcontext, arg, sizep) if (!kret && ctx->seqstate) kret = kg_queue_size(kcontext, ctx->seqstate, &required); + if (!kret) + kret = krb5_size_opaque(kcontext, + KV5M_CONTEXT, + (krb5_pointer) ctx->k5_context, + &required); if (!kret) kret = krb5_size_opaque(kcontext, KV5M_AUTH_CONTEXT, @@ -440,6 +445,12 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) kret = kg_queue_externalize(kcontext, ctx->seqstate, &bp, &remain); + if (!kret) + kret = krb5_externalize_opaque(kcontext, + KV5M_CONTEXT, + (krb5_pointer) ctx->k5_context, + &bp, &remain); + if (!kret) kret = krb5_externalize_opaque(kcontext, KV5M_AUTH_CONTEXT, @@ -511,6 +522,8 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) xmalloc(sizeof(krb5_gss_ctx_id_rec)))) { memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); + ctx->k5_context = kcontext; + /* Get static data */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->initiate = (int) ibuf; @@ -597,6 +610,12 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) kret = 0; } + if (!kret) + kret = krb5_internalize_opaque(kcontext, + KV5M_CONTEXT, + (krb5_pointer *) &ctx->k5_context, + &bp, &remain); + if (!kret) kret = krb5_internalize_opaque(kcontext, KV5M_AUTH_CONTEXT, diff --git a/src/lib/gssapi/krb5/sign.c b/src/lib/gssapi/krb5/sign.c index 0177f40d4..2d192c9bb 100644 --- a/src/lib/gssapi/krb5/sign.c +++ b/src/lib/gssapi/krb5/sign.c 
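Review bot: The new `KV5M_CONTEXT` step in `kg_ctx_size` (ser_sctx.c, `@@ -320,6 +320,11 @@`), mirrored in the `kg_ctx_externalize` and `kg_ctx_internalize` hunks after it, changes the byte layout of an exported security context, and nothing visible in these hunks versions the format. A token exported by a build without this change would presumably present its auth context where the krb5 context is now expected, so import has to fail cleanly rather than mis-parse; that depends on the type checks inside `krb5_internalize_opaque`, which are not part of this diff. A comment at each of the three sites would make the coupling explicit, e.g. `/* Order must match kg_ctx_size and kg_ctx_internalize: seqstate, krb5 context, auth context. */`.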
@@ -36,12 +36,7 @@ krb5_gss_sign(minor_status, context_handle, gss_buffer_t message_buffer; gss_buffer_t message_token; { - krb5_context context; - - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - - return(kg_seal(context, minor_status, context_handle, 0, + return(kg_seal(minor_status, context_handle, 0, qop_req, message_buffer, NULL, message_token, KG_TOK_SIGN_MSG)); } @@ -56,12 +51,7 @@ krb5_gss_get_mic(minor_status, context_handle, qop_req, gss_buffer_t message_buffer; gss_buffer_t message_token; { - krb5_context context; - - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - - return(kg_seal(context, minor_status, context_handle, 0, + return(kg_seal(minor_status, context_handle, 0, (int) qop_req, message_buffer, NULL, message_token, KG_TOK_MIC_MSG)); } diff --git a/src/lib/gssapi/krb5/unseal.c b/src/lib/gssapi/krb5/unseal.c index 546521e1b..71dc11048 100644 --- a/src/lib/gssapi/krb5/unseal.c +++ b/src/lib/gssapi/krb5/unseal.c @@ -37,12 +37,7 @@ krb5_gss_unseal(minor_status, context_handle, int *conf_state; int *qop_state; { - krb5_context context; - - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - - return(kg_unseal(context, minor_status, context_handle, + return(kg_unseal(minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, qop_state, KG_TOK_SEAL_MSG)); } @@ -59,14 +54,10 @@ krb5_gss_unwrap(minor_status, context_handle, int *conf_state; gss_qop_t *qop_state; { - krb5_context context; OM_uint32 rstat; int qstate; - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - - rstat = kg_unseal(context, minor_status, context_handle, + rstat = kg_unseal(minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, &qstate, KG_TOK_WRAP_MSG); if (!rstat && qop_state) diff --git a/src/lib/gssapi/krb5/verify.c b/src/lib/gssapi/krb5/verify.c index 0e7305640..833697b19 100644 
--- a/src/lib/gssapi/krb5/verify.c +++ b/src/lib/gssapi/krb5/verify.c @@ -36,13 +36,7 @@ krb5_gss_verify(minor_status, context_handle, gss_buffer_t token_buffer; int *qop_state; { - krb5_context context; - - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - - - return(kg_unseal(context, minor_status, context_handle, + return(kg_unseal(minor_status, context_handle, token_buffer, message_buffer, NULL, qop_state, KG_TOK_SIGN_MSG)); } @@ -58,15 +52,10 @@ krb5_gss_verify_mic(minor_status, context_handle, gss_buffer_t token_buffer; gss_qop_t *qop_state; { - krb5_context context; OM_uint32 rstat; int qstate; - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - - - rstat = kg_unseal(context, minor_status, context_handle, + rstat = kg_unseal(minor_status, context_handle, token_buffer, message_buffer, NULL, &qstate, KG_TOK_MIC_MSG); if (!rstat && qop_state) diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c index b91c7f759..460070637 100644 --- a/src/lib/gssapi/krb5/wrap_size_limit.c +++ b/src/lib/gssapi/krb5/wrap_size_limit.c @@ -83,15 +83,11 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, OM_uint32 req_output_size; OM_uint32 *max_input_size; { - krb5_context context; krb5_gss_ctx_id_rec *ctx; OM_uint32 data_size, conflen; OM_uint32 ohlen; int overhead; - if (GSS_ERROR(kg_get_context(minor_status, &context))) - return(GSS_S_FAILURE); - /* only default qop is allowed */ if (qop_req != GSS_C_QOP_DEFAULT) { *minor_status = (OM_uint32) G_UNKNOWN_QOP; 
@@ -147,7 +143,7 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag, /* Calculate the token size and subtract that from the output size */ overhead = 7 + ctx->mech_used->length; data_size = req_output_size; - conflen = kg_confounder_size(context, ctx->enc); + conflen = kg_confounder_size(ctx->k5_context, ctx->enc); data_size = (conflen + data_size + 8) & (~(OM_uint32)7); ohlen = g_token_size((gss_OID) ctx->mech_used, (unsigned int) (data_size + ctx->cksum_size + 14))