From 9fde1f049d4f2205a9cccdc82278d93e6eaad748 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 27 Nov 2009 21:30:51 +0000
Subject: [PATCH] Add krb5_key versions of the auth context key accessors, and use them to simplify the gss-krb5 code a little bit.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23372 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/krb5/krb5.hin                |  9 ++++++
 src/lib/gssapi/krb5/accept_sec_context.c | 41 +++++++-----------------
 src/lib/krb5/krb/auth_con.c              | 27 ++++++++++++++++
 src/lib/krb5/libkrb5.exports             |  3 ++
 4 files changed, 51 insertions(+), 29 deletions(-)

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 61f318f2b..675917052 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2013,12 +2013,21 @@ krb5_auth_con_setuseruserkey(krb5_context, krb5_auth_context, krb5_keyblock *);
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getkey(krb5_context, krb5_auth_context, krb5_keyblock **);
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getrecvsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
 
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index ccfdb5c1c..52cf6fadc 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
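Review bot: The three new `_k` declarations carry no comment stating that the returned krb5_key is a counted reference the caller must release with krb5_k_free_key, which is the contract the accept_sec_context.c callers in this patch follow and the auth_con.c implementations (krb5_k_reference_key on the stored key) establish. Since this header is the public API, add a short comment above each, e.g. `/* Return a new reference to the auth context's key; release it with krb5_k_free_key(). */`. Whether a NULL result is possible is not visible in this hunk, but the gss-krb5 caller tests for it, so the comment should state the NULL behaviour once confirmed against auth_con.c.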
@@ -437,7 +437,6 @@ kg_accept_krb5(minor_status, context_handle, int no_encap = 0; krb5_flags ap_req_options = 0; krb5_enctype negotiated_etype; - krb5_keyblock *keyblock = NULL; krb5_authdata_context ad_context = NULL; code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION); @@ -611,10 +610,10 @@ kg_accept_krb5(minor_status, context_handle, if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) { /* Samba does not send 0x8003 GSS-API checksums */ krb5_boolean valid; - krb5_keyblock *subkey; + krb5_key subkey; krb5_data zero; - code = krb5_auth_con_getkey(context, auth_context, &subkey); + code = krb5_auth_con_getkey_k(context, auth_context, &subkey); if (code) { major_status = GSS_S_FAILURE; goto fail; @@ -623,23 +622,21 @@ kg_accept_krb5(minor_status, context_handle, zero.length = 0; zero.data = ""; - code = krb5_c_verify_checksum(context, + code = krb5_k_verify_checksum(context, subkey, KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, &zero, authdat->checksum, &valid); + krb5_k_free_key(context, subkey); if (code || !valid) { major_status = GSS_S_BAD_SIG; - krb5_free_keyblock(context, subkey); goto fail; } gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; bigend = 0; decode_req_message = 0; - - krb5_free_keyblock(context, subkey); } else { /* gss krb5 v1 */ 
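Review bot: The local declared at the top of the Samba branch is named `subkey` but it now receives the auth-context session key from krb5_auth_con_getkey_k (the send/recv subkey getters are used elsewhere in this patch), so the name misleads; `krb5_key key;` with `code = krb5_auth_con_getkey_k(context, auth_context, &key);` would read correctly. Unlike the subkey selection later in kg_accept_krb5, nothing here checks for a NULL result before handing it to krb5_k_verify_checksum; whether the key can be unset after rd_req is not visible here, but `if (key == NULL) { major_status = GSS_S_FAILURE; goto fail; }` would make the two paths consistent. kg_accept_krb5 starts and ends outside this hunk.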
@@ -883,22 +880,23 @@ kg_accept_krb5(minor_status, context_handle, authdat->client = NULL; krb5_auth_con_set_authdata_context(context, auth_context, NULL); - if ((code = krb5_auth_con_getrecvsubkey(context, auth_context, - &keyblock))) { + if ((code = krb5_auth_con_getrecvsubkey_k(context, auth_context, + &ctx->subkey))) { major_status = GSS_S_FAILURE; goto fail; } /* use the session key if the subkey isn't present */ - if (keyblock == NULL) { - if ((code = krb5_auth_con_getkey(context, auth_context, &keyblock))) { + if (ctx->subkey == NULL) { + if ((code = krb5_auth_con_getkey_k(context, auth_context, + &ctx->subkey))) { major_status = GSS_S_FAILURE; goto fail; } } - if (keyblock == NULL) { + if (ctx->subkey == NULL) { /* this isn't a very good error, but it's not clear to me this can actually happen */ major_status = GSS_S_FAILURE; @@ -906,12 +904,6 @@ kg_accept_krb5(minor_status, context_handle, goto fail; } - code = krb5_k_create_key(context, keyblock, &ctx->subkey); - if (code) { - major_status = GSS_S_FAILURE; - goto fail; - } - ctx->enc = NULL; ctx->seq = NULL; ctx->have_acceptor_subkey = 0; @@ -1038,20 +1030,13 @@ kg_accept_krb5(minor_status, context_handle, if (cfx_generate_subkey) { /* Get the new acceptor subkey. With the code above, there should always be one if we make it to this point. */ - code = krb5_auth_con_getsendsubkey(context, auth_context, - &keyblock); - if (code != 0) { - major_status = GSS_S_FAILURE; - goto fail; - } - code = krb5_k_create_key(context, keyblock, &ctx->acceptor_subkey); + code = krb5_auth_con_getsendsubkey_k(context, auth_context, + &ctx->acceptor_subkey); if (code != 0) { major_status = GSS_S_FAILURE; goto fail; } ctx->have_acceptor_subkey = 1; - krb5_free_keyblock(context, keyblock); - keyblock = NULL; code = kg_setup_keys(context, ctx, ctx->acceptor_subkey, &ctx->acceptor_subkey_cksumtype); 
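Review bot: In the cfx_generate_subkey hunk, krb5_auth_con_getsendsubkey_k can now store NULL in ctx->acceptor_subkey and the code still sets `ctx->have_acceptor_subkey = 1` and passes that pointer to kg_setup_keys, whereas the removed krb5_k_create_key call presumably could not have produced a NULL key silently; the comment says there "should always be one", so turn that into a check, `if (ctx->acceptor_subkey == NULL) { major_status = GSS_S_FAILURE; goto fail; }`, matching the ctx->subkey NULL check earlier in this function. The references taken into ctx->subkey and ctx->acceptor_subkey are now owned by ctx rather than by the local keyblock that used to be freed at the fail label, so confirm the fail path releases ctx (and those keys) on error; that label is outside this hunk. kg_accept_krb5 begins and ends outside the hunk.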
@@ -1163,8 +1148,6 @@ fail: xfree(reqcksum.contents); if (ap_rep.data) krb5_free_data_contents(context, &ap_rep); - if (keyblock) - krb5_free_keyblock(context, keyblock); if (major_status == GSS_S_COMPLETE || (major_status == GSS_S_CONTINUE_NEEDED && code != KRB5KRB_AP_ERR_MSG_TYPE)) { ctx->k5_context = context; diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index e6bbac15a..a53b7d5b0 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c @@ -175,6 +175,15 @@ krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_ return 0; } +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, + krb5_key *key) +{ + krb5_k_reference_key(context, auth_context->key); + *key = auth_context->key; + return 0; +} + krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) { @@ -220,6 +229,15 @@ krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keybloc return 0; } +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, + krb5_key *key) +{ + krb5_k_reference_key(ctx, ac->send_subkey); + *key = ac->send_subkey; + return 0; +} + krb5_error_code KRB5_CALLCONV krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) { @@ -229,6 +247,15 @@ krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keybloc return 0; } +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, + krb5_key *key) +{ + krb5_k_reference_key(ctx, ac->recv_subkey); + *key = ac->recv_subkey; + return 0; +} + krb5_error_code KRB5_CALLCONV krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype) { diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index 8ea6c0223..3de9915c3 100644 
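Review bot: krb5_auth_con_getrecvsubkey_k passes ac->recv_subkey to krb5_k_reference_key unconditionally, yet its caller in accept_sec_context.c tests the result for NULL and falls back to the session key, so a missing recv subkey is an expected case; unless krb5_k_reference_key is known to tolerate NULL (not visible in this patch), guard it with `if (ac->recv_subkey != NULL) krb5_k_reference_key(ctx, ac->recv_subkey);` and do the same in getkey_k and getsendsubkey_k. The keyblock getters directly above each new function presumably already handle the unset case, so the `_k` variants should match them. Each new function also deserves a one-line comment that the returned reference must be released with krb5_k_free_key.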
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -119,14 +119,17 @@ krb5_auth_con_getauthenticator
 krb5_auth_con_getflags
 krb5_auth_con_getivector
 krb5_auth_con_getkey
+krb5_auth_con_getkey_k
 krb5_auth_con_getlocalseqnumber
 krb5_auth_con_getlocalsubkey
 krb5_auth_con_getpermetypes
 krb5_auth_con_getrcache
 krb5_auth_con_getrecvsubkey
+krb5_auth_con_getrecvsubkey_k
 krb5_auth_con_getremoteseqnumber
 krb5_auth_con_getremotesubkey
 krb5_auth_con_getsendsubkey
+krb5_auth_con_getsendsubkey_k
 krb5_auth_con_init
 krb5_auth_con_initivector
 krb5_auth_con_set_authdata_context
-- 
2.26.2