svn rev #23372: trunk/src/ include/krb5/ lib/gssapi/krb5/ lib/krb5/ lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Fri Nov 27 16:30:51 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23372
Commit By: ghudson
Log Message:
Add krb5_key versions of the auth context key accessors, and use them
to simplify the gss-krb5 code a little bit.
Changed Files:
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/gssapi/krb5/accept_sec_context.c
U trunk/src/lib/krb5/krb/auth_con.c
U trunk/src/lib/krb5/libkrb5.exports
Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin 2009-11-27 21:15:53 UTC (rev 23371)
+++ trunk/src/include/krb5/krb5.hin 2009-11-27 21:30:51 UTC (rev 23372)
@@ -2014,12 +2014,21 @@
krb5_auth_con_getkey(krb5_context, krb5_auth_context, krb5_keyblock **);
krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_getsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_getrecvsubkey(krb5_context, krb5_auth_context, krb5_keyblock **);
krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key *);
+
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_setsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
krb5_error_code KRB5_CALLCONV
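Review bot: The three new exported prototypes (`krb5_auth_con_getkey_k`, `krb5_auth_con_getsendsubkey_k`, `krb5_auth_con_getrecvsubkey_k`) carry no comment stating what the caller receives, although this is public API. From the auth_con.c implementation in this commit each returns whatever key the auth context currently holds, possibly NULL, as a new reference that the caller must release with `krb5_k_free_key`, which is exactly what the accept_sec_context.c caller does. A comment such as `/* Retrieve a new reference to the auth context's key (NULL if none); release with krb5_k_free_key(). */` above each `_k` prototype, or one comment covering all three, would record that contract where API users look for it.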
Modified: trunk/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/accept_sec_context.c 2009-11-27 21:15:53 UTC (rev 23371)
+++ trunk/src/lib/gssapi/krb5/accept_sec_context.c 2009-11-27 21:30:51 UTC (rev 23372)
@@ -437,7 +437,6 @@
int no_encap = 0;
krb5_flags ap_req_options = 0;
krb5_enctype negotiated_etype;
- krb5_keyblock *keyblock = NULL;
krb5_authdata_context ad_context = NULL;
code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
@@ -611,10 +610,10 @@
if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
/* Samba does not send 0x8003 GSS-API checksums */
krb5_boolean valid;
- krb5_keyblock *subkey;
+ krb5_key subkey;
krb5_data zero;
- code = krb5_auth_con_getkey(context, auth_context, &subkey);
+ code = krb5_auth_con_getkey_k(context, auth_context, &subkey);
if (code) {
major_status = GSS_S_FAILURE;
goto fail;
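Review bot: The `subkey` obtained from `krb5_auth_con_getkey_k` on the `code = ...` line is handed to `krb5_k_verify_checksum` in the next hunk without a NULL test, whereas the later hunk that fetches the same key into `ctx->subkey` does check for NULL before using it. Since the new accessor in auth_con.c returns 0 unconditionally and simply copies out `auth_context->key`, a NULL result appears to be possible, and this Samba-compatibility path should reject it the same way the other call site does: `if (subkey == NULL) { major_status = GSS_S_FAILURE; goto fail; }` after the existing `if (code)` block. The same remark applies to the acceptor-subkey hunk further down, where `ctx->acceptor_subkey` goes straight into `kg_setup_keys` on the strength of a comment saying one should always exist. The enclosing function begins before this hunk.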
@@ -623,23 +622,21 @@
zero.length = 0;
zero.data = "";
- code = krb5_c_verify_checksum(context,
+ code = krb5_k_verify_checksum(context,
subkey,
KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
&zero,
authdat->checksum,
&valid);
+ krb5_k_free_key(context, subkey);
if (code || !valid) {
major_status = GSS_S_BAD_SIG;
- krb5_free_keyblock(context, subkey);
goto fail;
}
gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
bigend = 0;
decode_req_message = 0;
-
- krb5_free_keyblock(context, subkey);
} else {
/* gss krb5 v1 */
@@ -883,22 +880,23 @@
authdat->client = NULL;
krb5_auth_con_set_authdata_context(context, auth_context, NULL);
- if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
- &keyblock))) {
+ if ((code = krb5_auth_con_getrecvsubkey_k(context, auth_context,
+ &ctx->subkey))) {
major_status = GSS_S_FAILURE;
goto fail;
}
/* use the session key if the subkey isn't present */
- if (keyblock == NULL) {
- if ((code = krb5_auth_con_getkey(context, auth_context, &keyblock))) {
+ if (ctx->subkey == NULL) {
+ if ((code = krb5_auth_con_getkey_k(context, auth_context,
+ &ctx->subkey))) {
major_status = GSS_S_FAILURE;
goto fail;
}
}
- if (keyblock == NULL) {
+ if (ctx->subkey == NULL) {
/* this isn't a very good error, but it's not clear to me this
can actually happen */
major_status = GSS_S_FAILURE;
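Review bot: `ctx->subkey` now takes ownership of the key reference as soon as `krb5_auth_con_getrecvsubkey_k` or `krb5_auth_con_getkey_k` succeeds, whereas before the reference lived in the local `keyblock`, which the cleanup at the end of the function freed on every path, and `ctx->subkey` was only created after the checks had passed. That is leak-free only if the `fail:` path releases `ctx->subkey` together with the rest of `ctx`; the hunk cannot show whether it does, so that is worth confirming. A one-line comment on the assignment would make the transfer explicit, e.g. `/* ctx->subkey owns this reference; it is released with ctx, including on the fail path */`. The enclosing function begins and ends outside this hunk.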
@@ -906,12 +904,6 @@
goto fail;
}
- code = krb5_k_create_key(context, keyblock, &ctx->subkey);
- if (code) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
ctx->enc = NULL;
ctx->seq = NULL;
ctx->have_acceptor_subkey = 0;
@@ -1038,20 +1030,13 @@
if (cfx_generate_subkey) {
/* Get the new acceptor subkey. With the code above, there
should always be one if we make it to this point. */
- code = krb5_auth_con_getsendsubkey(context, auth_context,
- &keyblock);
+ code = krb5_auth_con_getsendsubkey_k(context, auth_context,
+ &ctx->acceptor_subkey);
if (code != 0) {
major_status = GSS_S_FAILURE;
goto fail;
}
- code = krb5_k_create_key(context, keyblock, &ctx->acceptor_subkey);
- if (code != 0) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
ctx->have_acceptor_subkey = 1;
- krb5_free_keyblock(context, keyblock);
- keyblock = NULL;
code = kg_setup_keys(context, ctx, ctx->acceptor_subkey,
&ctx->acceptor_subkey_cksumtype);
@@ -1163,8 +1148,6 @@
xfree(reqcksum.contents);
if (ap_rep.data)
krb5_free_data_contents(context, &ap_rep);
- if (keyblock)
- krb5_free_keyblock(context, keyblock);
if (major_status == GSS_S_COMPLETE ||
(major_status == GSS_S_CONTINUE_NEEDED && code != KRB5KRB_AP_ERR_MSG_TYPE)) {
ctx->k5_context = context;
Modified: trunk/src/lib/krb5/krb/auth_con.c
===================================================================
--- trunk/src/lib/krb5/krb/auth_con.c 2009-11-27 21:15:53 UTC (rev 23371)
+++ trunk/src/lib/krb5/krb/auth_con.c 2009-11-27 21:30:51 UTC (rev 23372)
@@ -176,6 +176,15 @@
}
krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context,
+ krb5_key *key)
+{
+ krb5_k_reference_key(context, auth_context->key);
+ *key = auth_context->key;
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
{
return krb5_auth_con_getsendsubkey(context, auth_context, keyblock);
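Review bot: `krb5_auth_con_getkey_k` calls `krb5_k_reference_key` on `auth_context->key` and returns 0 without checking whether the key is set, and the two subkey accessors added below (`krb5_auth_con_getsendsubkey_k`, `krb5_auth_con_getrecvsubkey_k`) do the same; by contrast the existing keyblock accessor visible at the bottom of the third hunk tests `ac->recv_subkey != NULL` first. This is safe only if `krb5_k_reference_key` is a no-op on a NULL key, which the caller in accept_sec_context.c seems to rely on when it tests `ctx->subkey == NULL` afterwards; if that is not guaranteed, an explicit guard such as `if (auth_context->key == NULL) { *key = NULL; return 0; }` ahead of the reference call would make each accessor independent of it. Either way, a one-line comment on each accessor recording that NULL is a valid result and that the caller owns the returned reference would help future callers.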
@@ -221,6 +230,15 @@
}
krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
+ krb5_key *key)
+{
+ krb5_k_reference_key(ctx, ac->send_subkey);
+ *key = ac->send_subkey;
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
if (ac->recv_subkey != NULL)
@@ -230,6 +248,15 @@
}
krb5_error_code KRB5_CALLCONV
+krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
+ krb5_key *key)
+{
+ krb5_k_reference_key(ctx, ac->recv_subkey);
+ *key = ac->recv_subkey;
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype)
{
auth_context->req_cksumtype = cksumtype;
Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports 2009-11-27 21:15:53 UTC (rev 23371)
+++ trunk/src/lib/krb5/libkrb5.exports 2009-11-27 21:30:51 UTC (rev 23372)
@@ -119,14 +119,17 @@
krb5_auth_con_getflags
krb5_auth_con_getivector
krb5_auth_con_getkey
+krb5_auth_con_getkey_k
krb5_auth_con_getlocalseqnumber
krb5_auth_con_getlocalsubkey
krb5_auth_con_getpermetypes
krb5_auth_con_getrcache
krb5_auth_con_getrecvsubkey
+krb5_auth_con_getrecvsubkey_k
krb5_auth_con_getremoteseqnumber
krb5_auth_con_getremotesubkey
krb5_auth_con_getsendsubkey
+krb5_auth_con_getsendsubkey_k
krb5_auth_con_init
krb5_auth_con_initivector
krb5_auth_con_set_authdata_context