From 82f87f7e1268dd377295c09e0f266a99042e6220 Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Sat, 16 Sep 1995 07:33:23 +0000 Subject: [PATCH] Lots of memory leaks and other fixes... gssapiP_krb5.h: Remove context and cred from the gssapi security context, as they aren't needed. kg_seal and kg_unseal now take a krb5_context argument. ser_sctx.c (kg_ctx_size, kg_ctx_externalize, kg_ctx_internalize): No longer serialize the context and cred fields of the gssapi security context. krb5_gss_glue.c: Don't rely on the context field of the gssapi security context. Use kg_context instead. verify.c (krb5_gss_verify, krb5_gss_verify_mic): unseal.c (krb5_gss_unwrap, krb5_gss_unseal): sign.c (krb5_gss_sign, krb5_gss_get_mic): seal.c (krb5_gss_seal, krb5_gss_wrap): process_context_token.c (krb5_gss_process_context_token): k5unseal.c (kg_unseal): k5seal.c (kg_seal_size): Add a krb5_context argument to this function, so we don't have to depend on the context field in the gssapi security context. init_sec_context.c (krb5_gss_init_sec_context): Don't initialize the context and cred fields in the gssapi security context. Copy ctx->subkey to ctx->seq.key, so they are separately allocated. gssapi_krb5.c (kg_get_context): When initialize kg_context, call krb5_init_ets() so that the error tables are initialized. export_sec_context.c (krb5_gss_export_sec_context): Don't depend on the context field from the gssapi security context. Free ctx->seq.key. delete_sec_context.c (krb5_gss_delete_sec_context): kg_seal() now takes a krb5_context argument. Free ctx->seq.key. acquire_cred.c (krb5_gss_acquire_cred): Clear the gssapi credential before setting it, to prevent purify from complaining. accept_sec_context.c (krb5_gss_accept_sec_context): Remove context and cred from the gssapi security context. Make sure the ticket is freed after we're done with it. import_sec_context.c (krb5_gss_import_sec_context): Don't bash the input interprocess_token. Otherwise, it can't be freed. Don't depend on the context field in the gss security context. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6798 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/krb5/ChangeLog | 53 +++++++++++++++++++++ src/lib/gssapi/krb5/accept_sec_context.c | 9 ++-- src/lib/gssapi/krb5/acquire_cred.c | 1 + src/lib/gssapi/krb5/delete_sec_context.c | 4 +- src/lib/gssapi/krb5/export_sec_context.c | 13 ++--- src/lib/gssapi/krb5/gssapiP_krb5.h | 8 ++-- src/lib/gssapi/krb5/gssapi_krb5.c | 1 + src/lib/gssapi/krb5/import_sec_context.c | 14 +++--- src/lib/gssapi/krb5/init_sec_context.c | 9 ++-- src/lib/gssapi/krb5/k5seal.c | 10 ++-- src/lib/gssapi/krb5/k5unseal.c | 7 +-- src/lib/gssapi/krb5/krb5_gss_glue.c | 40 ++++++++++++---- src/lib/gssapi/krb5/process_context_token.c | 2 +- src/lib/gssapi/krb5/seal.c | 6 +-- src/lib/gssapi/krb5/ser_sctx.c | 53 +-------------------- src/lib/gssapi/krb5/sign.c | 4 +- src/lib/gssapi/krb5/unseal.c | 4 +- src/lib/gssapi/krb5/verify.c | 4 +- 18 files changed, 136 insertions(+), 106 deletions(-) diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 777d37d2f..4ce7115ce 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,56 @@ +Sat Sep 16 03:18:02 1995 Theodore Y. Ts'o + + * gssapiP_krb5.h: Remove context and cred from the gssapi security + context, as they aren't needed. kg_seal and kg_unseal now + take a krb5_context argument. + + * ser_sctx.c (kg_ctx_size, kg_ctx_externalize, + kg_ctx_internalize): No longer serialize the context and + cred fields of the gssapi security context. + + * krb5_gss_glue.c: Don't rely on the context field of the gssapi + security context. Use kg_context instead. + + * verify.c (krb5_gss_verify, krb5_gss_verify_mic): + * unseal.c (krb5_gss_unwrap, krb5_gss_unseal): + * sign.c (krb5_gss_sign, krb5_gss_get_mic): + * seal.c (krb5_gss_seal, krb5_gss_wrap): + * process_context_token.c (krb5_gss_process_context_token): + * k5unseal.c (kg_unseal): + * k5seal.c (kg_seal_size): Add a krb5_context argument to this + function, so we don't have to depend on the context field + in the gssapi security context. + + * init_sec_context.c (krb5_gss_init_sec_context): Don't initialize + the context and cred fields in the gssapi security + context. Copy ctx->subkey to ctx->seq.key, so they are + separately allocated. + + * gssapi_krb5.c (kg_get_context): When initialize kg_context, call + krb5_init_ets() so that the error tables are initialized. + + * export_sec_context.c (krb5_gss_export_sec_context): Don't depend + on the context field from the gssapi security context. + Free ctx->seq.key. + + * delete_sec_context.c (krb5_gss_delete_sec_context): kg_seal() + now takes a krb5_context argument. Free ctx->seq.key. + + * acquire_cred.c (krb5_gss_acquire_cred): Clear the gssapi + credential before setting it, to prevent purify from + complaining. + + * accept_sec_context.c (krb5_gss_accept_sec_context): Remove + context and cred from the gssapi security context. Make + sure the ticket is freed after we're done with it. + +Fri Sep 15 22:12:49 1995 Theodore Y. Ts'o + + * import_sec_context.c (krb5_gss_import_sec_context): Don't bash + the input interprocess_token. Otherwise, it can't be + freed. Don't depend on the context field in the gss + security context. + Tue Sep 12 19:07:52 1995 Theodore Y. Ts'o * export_sec_context.c (krb5_gss_export_sec_context): Free the diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 55b0eb6b7..0415db4ef 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -214,12 +214,10 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle, } memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); - ctx->context = context; ctx->auth_context = auth_context; ctx->initiate = 0; ctx->mutual = gss_flags & GSS_C_MUTUAL_FLAG; ctx->seed_init = 0; - ctx->cred = cred; ctx->big_endian = bigend; if (code = krb5_copy_principal(context, cred->princ, &ctx->here)) { @@ -258,12 +256,13 @@ krb5_gss_accept_sec_context(context, minor_status, context_handle, krb5_use_enctype(context, &ctx->seq.eblock, ENCTYPE_DES_CBC_RAW); ctx->seq.processed = 0; - ctx->seq.key = ctx->subkey; - + if (code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq.key)) + return(code); ctx->endtime = ticket->enc_part2->times.endtime; - ctx->flags = ticket->enc_part2->flags; + krb5_free_ticket(context, ticket); /* Done with ticket */ + krb5_auth_con_getremoteseqnumber(context, auth_context, &ctx->seq_recv); /* at this point, the entire context structure is filled in, diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index 6ffbe49fa..9cbb0b68e 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -294,6 +294,7 @@ krb5_gss_acquire_cred(context, minor_status, desired_name, time_req, *minor_status = ENOMEM; return(GSS_S_FAILURE); } + memset(cred, 0, sizeof(krb5_gss_cred_id_rec)); cred->usage = cred_usage; cred->princ = NULL; diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c index c23bfcca5..4e0766fa8 100644 --- a/src/lib/gssapi/krb5/delete_sec_context.c +++ b/src/lib/gssapi/krb5/delete_sec_context.c @@ -56,7 +56,8 @@ krb5_gss_delete_sec_context(context, minor_status, context_handle, output_token) gss_buffer_desc empty; empty.length = 0; empty.value = NULL; - if (major = kg_seal(minor_status, *context_handle, 0, GSS_C_QOP_DEFAULT, + if (major = kg_seal(context, minor_status, *context_handle, 0, + GSS_C_QOP_DEFAULT, &empty, NULL, output_token, KG_TOK_DEL_CTX)) return(major); } @@ -75,6 +76,7 @@ krb5_gss_delete_sec_context(context, minor_status, context_handle, output_token) if (ctx->seq.processed) krb5_finish_key(context, &ctx->seq.eblock); + krb5_free_keyblock(context, ctx->seq.key); krb5_free_principal(context, ctx->here); krb5_free_principal(context, ctx->there); diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c index 01dbf9773..61856a364 100644 --- a/src/lib/gssapi/krb5/export_sec_context.c +++ b/src/lib/gssapi/krb5/export_sec_context.c @@ -85,15 +85,16 @@ krb5_gss_export_sec_context(context, /* Now, clean up the context state */ (void) kg_delete_ctx_id((gss_ctx_id_t) ctx); if (ctx->enc.processed) - krb5_finish_key(ctx->context, + krb5_finish_key(context, &ctx->enc.eblock); - krb5_free_keyblock(ctx->context, ctx->enc.key); + krb5_free_keyblock(context, ctx->enc.key); if (ctx->seq.processed) - krb5_finish_key(ctx->context, + krb5_finish_key(context, &ctx->seq.eblock); - krb5_free_principal(ctx->context, ctx->here); - krb5_free_principal(ctx->context, ctx->there); - krb5_free_keyblock(ctx->context, ctx->subkey); + krb5_free_keyblock(context, ctx->seq.key); + krb5_free_principal(context, ctx->here); + krb5_free_principal(context, ctx->there); + krb5_free_keyblock(context, ctx->subkey); if (ctx->auth_context) krb5_auth_con_free(context, ctx->auth_context); diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 6d6a1a32f..35f78e1f8 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -84,7 +84,6 @@ typedef struct _krb5_gss_ctx_id_rec { OM_uint32 mutual; int seed_init; unsigned char seed[16]; - krb5_gss_cred_id_t cred; krb5_principal here; krb5_principal there; krb5_keyblock *subkey; @@ -96,7 +95,6 @@ typedef struct _krb5_gss_ctx_id_rec { krb5_int32 seq_recv; int established; int big_endian; - krb5_context context; krb5_auth_context auth_context; } krb5_gss_ctx_id_rec, krb5_gss_ctx_id_t; @@ -151,7 +149,8 @@ krb5_error_code kg_encrypt PROTOTYPE((krb5_gss_enc_desc *ed, krb5_error_code kg_decrypt PROTOTYPE((krb5_gss_enc_desc *ed, krb5_pointer iv, krb5_pointer in, krb5_pointer out, int length)); -OM_uint32 kg_seal PROTOTYPE((OM_uint32 *minor_status, +OM_uint32 kg_seal PROTOTYPE((krb5_context context, + OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, int qop_req, @@ -160,7 +159,8 @@ OM_uint32 kg_seal PROTOTYPE((OM_uint32 *minor_status, gss_buffer_t output_message_buffer, int toktype)); -OM_uint32 kg_unseal PROTOTYPE((OM_uint32 *minor_status, +OM_uint32 kg_unseal PROTOTYPE((krb5_context context, + OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_token_buffer, gss_buffer_t message_buffer, diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index 6e86eb97a..be08f9139 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -121,5 +121,6 @@ kg_get_context() return GSS_S_COMPLETE; if (krb5_init_context(&kg_context)) return GSS_S_FAILURE; + krb5_init_ets(kg_context); return GSS_S_COMPLETE; } diff --git a/src/lib/gssapi/krb5/import_sec_context.c b/src/lib/gssapi/krb5/import_sec_context.c index 1c9ffabd8..cc20ec8f6 100644 --- a/src/lib/gssapi/krb5/import_sec_context.c +++ b/src/lib/gssapi/krb5/import_sec_context.c @@ -69,8 +69,6 @@ krb5_gss_import_sec_context(context, /* Make sure that everything is cool. */ if (kg_validate_ctx_id((gss_ctx_id_t) ctx)) { - interprocess_token->value = ibp; - interprocess_token->length = blen; *context_handle = (gss_ctx_id_t) ctx; retval = GSS_S_COMPLETE; } @@ -82,13 +80,13 @@ krb5_gss_import_sec_context(context, if (ctx) { (void) kg_delete_ctx_id((gss_ctx_id_t) ctx); if (ctx->enc.processed) - krb5_finish_key(ctx->context, &ctx->enc.eblock); - krb5_free_keyblock(ctx->context, ctx->enc.key); + krb5_finish_key(context, &ctx->enc.eblock); + krb5_free_keyblock(context, ctx->enc.key); if (ctx->seq.processed) - krb5_finish_key(ctx->context, &ctx->seq.eblock); - krb5_free_principal(ctx->context, ctx->here); - krb5_free_principal(ctx->context, ctx->there); - krb5_free_keyblock(ctx->context, ctx->subkey); + krb5_finish_key(context, &ctx->seq.eblock); + krb5_free_principal(context, ctx->here); + krb5_free_principal(context, ctx->there); + krb5_free_keyblock(context, ctx->subkey); /* Zero out context */ memset(ctx, 0, sizeof(*ctx)); diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index bcd999ae7..9de905e8c 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -244,12 +244,10 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle, /* fill in the ctx */ memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec)); - ctx->context = context; ctx->auth_context = NULL; ctx->initiate = 1; ctx->mutual = req_flags & GSS_C_MUTUAL_FLAG; ctx->seed_init = 0; - ctx->cred = cred; ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ if (time_req == 0 || time_req == GSS_C_INDEFINITE) { @@ -277,7 +275,7 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle, return(GSS_S_FAILURE); } - if (code = make_ap_req(context, &(ctx->auth_context), ctx->cred, + if (code = make_ap_req(context, &(ctx->auth_context), cred, ctx->there, &ctx->endtime, input_chan_bindings, ctx->mutual, &ctx->flags, &token)) { krb5_free_principal(context, ctx->here); @@ -304,7 +302,8 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle, krb5_use_enctype(context, &ctx->seq.eblock, ENCTYPE_DES_CBC_RAW); ctx->seq.processed = 0; - ctx->seq.key = ctx->subkey; + if (code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq.key)) + return(code); /* at this point, the context is constructed and valid, hence, releaseable */ @@ -375,7 +374,7 @@ krb5_gss_init_sec_context(context, minor_status, claimant_cred_handle, arguments are unchanged */ if ((ctx->established) || - (((gss_cred_id_t) ctx->cred) != claimant_cred_handle) || + (((gss_cred_id_t) cred) != claimant_cred_handle) || ((req_flags & GSS_C_MUTUAL_FLAG) == 0)) { (void)krb5_gss_delete_sec_context(context, minor_status, context_handle, NULL); diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index 38770173e..1653a4553 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -181,8 +181,9 @@ make_seal_token(context, enc_ed, seq_ed, seqnum, direction, text, token, and do not encode the ENC_TYPE, MSG_LENGTH, or MSG_TEXT fields */ OM_uint32 -kg_seal(minor_status, context_handle, conf_req_flag, qop_req, +kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, toktype) + krb5_context context; OM_uint32 *minor_status; gss_ctx_id_t context_handle; int conf_req_flag; @@ -218,12 +219,12 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, return(GSS_S_NO_CONTEXT); } - if (code = krb5_timeofday(ctx->context, &now)) { + if (code = krb5_timeofday(context, &now)) { *minor_status = code; return(GSS_S_FAILURE); } - if (code = make_seal_token(ctx->context, &ctx->enc, &ctx->seq, + if (code = make_seal_token(context, &ctx->enc, &ctx->seq, &ctx->seq_send, ctx->initiate, input_message_buffer, output_message_buffer, conf_req_flag, toktype, ctx->big_endian)) { @@ -241,8 +242,9 @@ kg_seal(minor_status, context_handle, conf_req_flag, qop_req, } OM_uint32 -kg_seal_size(minor_status, context_handle, conf_req_flag, qop_req, +kg_seal_size(context, minor_status, context_handle, conf_req_flag, qop_req, output_size, input_size) + krb5_context context; OM_uint32 *minor_status; gss_ctx_id_t context_handle; int conf_req_flag; diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index a50c4cb21..48bc07119 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -29,8 +29,9 @@ */ OM_uint32 -kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, - conf_state, qop_state, toktype) +kg_unseal(context, minor_status, context_handle, input_token_buffer, + message_buffer, conf_state, qop_state, toktype) + krb5_context context; OM_uint32 *minor_status; gss_ctx_id_t context_handle; gss_buffer_t input_token_buffer; @@ -240,7 +241,7 @@ kg_unseal(minor_status, context_handle, input_token_buffer, message_buffer, if (qop_state) *qop_state = GSS_C_QOP_DEFAULT; - if (code = krb5_timeofday(ctx->context, &now)) { + if (code = krb5_timeofday(context, &now)) { *minor_status = code; return(GSS_S_FAILURE); } diff --git a/src/lib/gssapi/krb5/krb5_gss_glue.c b/src/lib/gssapi/krb5/krb5_gss_glue.c index 3634cc1ea..dd2e108fd 100644 --- a/src/lib/gssapi/krb5/krb5_gss_glue.c +++ b/src/lib/gssapi/krb5/krb5_gss_glue.c @@ -146,6 +146,9 @@ gss_context_time(minor_status, context_handle, time_rec) { krb5_gss_ctx_id_t * ctx; + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -154,7 +157,7 @@ gss_context_time(minor_status, context_handle, time_rec) ctx = (krb5_gss_ctx_id_rec *) context_handle; - return(krb5_gss_context_time(ctx->context, minor_status, context_handle, + return(krb5_gss_context_time(kg_context, minor_status, context_handle, time_rec)); } @@ -175,6 +178,9 @@ gss_delete_sec_context(minor_status, context_handle, output_token) { krb5_gss_ctx_id_t * ctx; + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -183,7 +189,7 @@ gss_delete_sec_context(minor_status, context_handle, output_token) ctx = (krb5_gss_ctx_id_rec *) *context_handle; - return(krb5_gss_delete_sec_context(ctx->context, minor_status, + return(krb5_gss_delete_sec_context(kg_context, minor_status, context_handle, output_token)); } @@ -338,6 +344,9 @@ gss_inquire_context(minor_status, context_handle, initiator_name, acceptor_name, { krb5_gss_ctx_id_t * ctx; + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -346,7 +355,7 @@ gss_inquire_context(minor_status, context_handle, initiator_name, acceptor_name, ctx = (krb5_gss_ctx_id_rec *) context_handle; - return(krb5_gss_inquire_context(ctx->context, minor_status, context_handle, + return(krb5_gss_inquire_context(kg_context, minor_status, context_handle, initiator_name, acceptor_name, lifetime_rec, mech_type, ret_flags, locally_initiated, open)); @@ -419,6 +428,9 @@ gss_process_context_token(minor_status, context_handle, token_buffer) { krb5_gss_ctx_id_t * ctx; + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -427,7 +439,7 @@ gss_process_context_token(minor_status, context_handle, token_buffer) ctx = (krb5_gss_ctx_id_rec *) context_handle; - return(krb5_gss_process_context_token(ctx->context, minor_status, + return(krb5_gss_process_context_token(kg_context, minor_status, context_handle, token_buffer)); } @@ -493,6 +505,9 @@ gss_seal(minor_status, context_handle, conf_req_flag, qop_req, { krb5_gss_ctx_id_t * ctx; + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -501,7 +516,7 @@ gss_seal(minor_status, context_handle, conf_req_flag, qop_req, ctx = (krb5_gss_ctx_id_rec *) context_handle; - return(krb5_gss_seal(ctx->context, minor_status, context_handle, + return(krb5_gss_seal(kg_context, minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer)); } @@ -517,6 +532,9 @@ gss_sign(minor_status, context_handle, qop_req, message_buffer, message_token) { krb5_gss_ctx_id_t * ctx; + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -525,7 +543,7 @@ gss_sign(minor_status, context_handle, qop_req, message_buffer, message_token) ctx = (krb5_gss_ctx_id_rec *) context_handle; - return(krb5_gss_sign(ctx->context, minor_status, context_handle, + return(krb5_gss_sign(kg_context, minor_status, context_handle, qop_req, message_buffer, message_token)); } @@ -564,6 +582,9 @@ gss_unseal(minor_status, context_handle, input_message_buffer, { krb5_gss_ctx_id_t * ctx; + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -572,7 +593,7 @@ gss_unseal(minor_status, context_handle, input_message_buffer, ctx = (krb5_gss_ctx_id_rec *) context_handle; - return(krb5_gss_unseal(ctx->context, minor_status, context_handle, + return(krb5_gss_unseal(kg_context, minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, qop_state)); } @@ -607,6 +628,9 @@ gss_verify(minor_status, context_handle, message_buffer, { krb5_gss_ctx_id_t * ctx; + if (!kg_context && kg_get_context()) + return GSS_S_FAILURE; + /* validate the context handle */ if (! kg_validate_ctx_id(context_handle)) { *minor_status = (OM_uint32) G_VALIDATE_FAILED; @@ -615,7 +639,7 @@ gss_verify(minor_status, context_handle, message_buffer, ctx = (krb5_gss_ctx_id_rec *) context_handle; - return(krb5_gss_verify(ctx->context, minor_status, context_handle, + return(krb5_gss_verify(kg_context, minor_status, context_handle, message_buffer, token_buffer, qop_state)); } diff --git a/src/lib/gssapi/krb5/process_context_token.c b/src/lib/gssapi/krb5/process_context_token.c index 0de7e090f..819f22619 100644 --- a/src/lib/gssapi/krb5/process_context_token.c +++ b/src/lib/gssapi/krb5/process_context_token.c @@ -48,7 +48,7 @@ krb5_gss_process_context_token(context, minor_status, context_handle, /* "unseal" the token */ - if (GSS_ERROR(majerr = kg_unseal(minor_status, ctx, token_buffer, + if (GSS_ERROR(majerr = kg_unseal(context, minor_status, ctx, token_buffer, GSS_C_NO_BUFFER, NULL, NULL, KG_TOK_DEL_CTX))) return(majerr); diff --git a/src/lib/gssapi/krb5/seal.c b/src/lib/gssapi/krb5/seal.c index 15e7a8bb1..49c726d12 100644 --- a/src/lib/gssapi/krb5/seal.c +++ b/src/lib/gssapi/krb5/seal.c @@ -35,7 +35,7 @@ krb5_gss_seal(context, minor_status, context_handle, conf_req_flag, int *conf_state; gss_buffer_t output_message_buffer; { - return(kg_seal(minor_status, context_handle, conf_req_flag, + return(kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, KG_TOK_SEAL_MSG)); } @@ -54,7 +54,7 @@ krb5_gss_wrap(context, minor_status, context_handle, conf_req_flag, int *conf_state; gss_buffer_t output_message_buffer; { - return(kg_seal(minor_status, context_handle, conf_req_flag, + return(kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req, input_message_buffer, conf_state, output_message_buffer, KG_TOK_WRAP_MSG)); } @@ -72,6 +72,6 @@ krb5_gss_wrap_size_limit(context, minor_status, context_handle, conf_req_flag, OM_uint32 *max_input_size; { /* XXX - should just put this in k5seal.c */ - return(kg_seal_size(minor_status, context_handle, conf_req_flag, + return(kg_seal_size(context, minor_status, context_handle, conf_req_flag, qop_req, req_output_size, max_input_size)); } diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c index c1ddfd701..4cd0e7d35 100644 --- a/src/lib/gssapi/krb5/ser_sctx.c +++ b/src/lib/gssapi/krb5/ser_sctx.c @@ -451,12 +451,6 @@ kg_ctx_size(kcontext, arg, sizep) required += sizeof(ctx->seed); kret = 0; - if (ctx->cred) - kret = krb5_size_opaque(kcontext, - KG_CRED, - (krb5_pointer) ctx->cred, - &required); - if (!kret && ctx->here) kret = krb5_size_opaque(kcontext, KV5M_PRINCIPAL, @@ -487,12 +481,6 @@ kg_ctx_size(kcontext, arg, sizep) (krb5_pointer) &ctx->seq, &required); - if (!kret && ctx->context) - kret = krb5_size_opaque(kcontext, - KV5M_CONTEXT, - (krb5_pointer) ctx->context, - &required); - if (!kret && ctx->auth_context) kret = krb5_size_opaque(kcontext, KV5M_AUTH_CONTEXT, @@ -556,13 +544,7 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) &bp, &remain); /* Now dynamic data */ - if (ctx->cred) - kret = krb5_externalize_opaque(kcontext, - KG_CRED, - (krb5_pointer) ctx->cred, - &bp, &remain); - else - kret = 0; + kret = 0; if (!kret && ctx->here) kret = krb5_externalize_opaque(kcontext, @@ -594,12 +576,6 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) (krb5_pointer) &ctx->seq, &bp, &remain); - if (!kret && ctx->context) - kret = krb5_externalize_opaque(kcontext, - KV5M_CONTEXT, - (krb5_pointer) ctx->context, - &bp, &remain); - if (!kret && ctx->auth_context) kret = krb5_externalize_opaque(kcontext, KV5M_AUTH_CONTEXT, @@ -671,14 +647,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) /* Now get substructure data */ if ((kret = krb5_internalize_opaque(kcontext, - KG_CRED, - (krb5_pointer *) &ctx->cred, - &bp, &remain))) { - if (kret == EINVAL) - kret = 0; - } - if (!kret && - (kret = krb5_internalize_opaque(kcontext, KV5M_PRINCIPAL, (krb5_pointer *) &ctx->here, &bp, &remain))) { @@ -727,14 +695,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) xfree(edp); } } - if (!kret && - (kret = krb5_internalize_opaque(kcontext, - KV5M_CONTEXT, - (krb5_pointer *) &ctx->context, - &bp, &remain))) { - if (kret == EINVAL) - kret = 0; - } if (!kret && (kret = krb5_internalize_opaque(kcontext, KV5M_AUTH_CONTEXT, @@ -758,8 +718,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) kret = EINVAL; if (ctx->auth_context) krb5_auth_con_free(kcontext, ctx->auth_context); - if (ctx->context) - krb5_free_context(ctx->context); if (ctx->seq.eblock.key) krb5_free_keyblock(kcontext, ctx->seq.eblock.key); if (ctx->seq.eblock.priv && ctx->seq.eblock.priv_size) @@ -778,15 +736,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) krb5_free_principal(kcontext, ctx->there); if (ctx->here) krb5_free_principal(kcontext, ctx->here); - if (ctx->cred) { - if (ctx->cred->ccache) - krb5_cc_close(kcontext, ctx->cred->ccache); - if (ctx->cred->keytab) - krb5_kt_close(kcontext, ctx->cred->keytab); - if (ctx->cred->princ) - krb5_free_principal(kcontext, ctx->cred->princ); - krb5_xfree(ctx->cred); - } xfree(ctx); } } diff --git a/src/lib/gssapi/krb5/sign.c b/src/lib/gssapi/krb5/sign.c index 3f8b43619..74eab6bca 100644 --- a/src/lib/gssapi/krb5/sign.c +++ b/src/lib/gssapi/krb5/sign.c @@ -33,7 +33,7 @@ krb5_gss_sign(context, minor_status, context_handle, gss_buffer_t message_buffer; gss_buffer_t message_token; { - return(kg_seal(minor_status, context_handle, 0, + return(kg_seal(context, minor_status, context_handle, 0, qop_req, message_buffer, NULL, message_token, KG_TOK_SIGN_MSG)); } @@ -49,7 +49,7 @@ krb5_gss_get_mic(context, minor_status, context_handle, qop_req, gss_buffer_t message_buffer; gss_buffer_t message_token; { - return(kg_seal(minor_status, context_handle, 0, + return(kg_seal(context, minor_status, context_handle, 0, qop_req, message_buffer, NULL, message_token, KG_TOK_MIC_MSG)); } diff --git a/src/lib/gssapi/krb5/unseal.c b/src/lib/gssapi/krb5/unseal.c index 7871352d1..294e37cc2 100644 --- a/src/lib/gssapi/krb5/unseal.c +++ b/src/lib/gssapi/krb5/unseal.c @@ -34,7 +34,7 @@ krb5_gss_unseal(context, minor_status, context_handle, int *conf_state; int *qop_state; { - return(kg_unseal(minor_status, context_handle, + return(kg_unseal(context, minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, qop_state, KG_TOK_SEAL_MSG)); } @@ -55,7 +55,7 @@ krb5_gss_unwrap(context, minor_status, context_handle, OM_uint32 rstat; int qstate; - rstat = kg_unseal(minor_status, context_handle, + rstat = kg_unseal(context, minor_status, context_handle, input_message_buffer, output_message_buffer, conf_state, &qstate, KG_TOK_WRAP_MSG); if (!rstat && qop_state) diff --git a/src/lib/gssapi/krb5/verify.c b/src/lib/gssapi/krb5/verify.c index 69fa967b7..f2d5d4a0c 100644 --- a/src/lib/gssapi/krb5/verify.c +++ b/src/lib/gssapi/krb5/verify.c @@ -33,7 +33,7 @@ krb5_gss_verify(context, minor_status, context_handle, gss_buffer_t token_buffer; int *qop_state; { - return(kg_unseal(minor_status, context_handle, + return(kg_unseal(context, minor_status, context_handle, token_buffer, message_buffer, NULL, qop_state, KG_TOK_SIGN_MSG)); } @@ -53,7 +53,7 @@ krb5_gss_verify_mic(context, minor_status, context_handle, OM_uint32 rstat; int qstate; - rstat = kg_unseal(minor_status, context_handle, + rstat = kg_unseal(context, minor_status, context_handle, token_buffer, message_buffer, NULL, &qstate, KG_TOK_MIC_MSG); if (!rstat && qop_state) -- 2.26.2