svn rev #24400: trunk/src/ include/krb5/ lib/gssapi/krb5/ lib/krb5/ lib/krb5/krb/

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Sep 30 23:47:38 EDT 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=24400
Commit By: ghudson
Log Message:
ticket: 6768

A cleaner implementation of r24399 which adds two new auth context APIs
(and is therefore less suitable for backporting to 1.8) but doesn't
reach inside the auth context structure in the krb5 mechanism code.



Changed Files:
U   trunk/src/include/krb5/krb5.hin
U   trunk/src/lib/gssapi/krb5/init_sec_context.c
U   trunk/src/lib/krb5/krb/auth_con.c
U   trunk/src/lib/krb5/libkrb5.exports
Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin	2010-10-01 03:45:43 UTC (rev 24399)
+++ trunk/src/include/krb5/krb5.hin	2010-10-01 03:47:38 UTC (rev 24400)
@@ -2083,8 +2083,14 @@
 krb5_auth_con_setsendsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
 
 krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey_k(krb5_context, krb5_auth_context, krb5_key);
+
+krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setrecvsubkey(krb5_context, krb5_auth_context, krb5_keyblock *);
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey_k(krb5_context, krb5_auth_context, krb5_key);
+
 #if KRB5_DEPRECATED
 KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getlocalsubkey(krb5_context, krb5_auth_context,
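Review bot: The two new prototypes, `krb5_auth_con_setsendsubkey_k` and `krb5_auth_con_setrecvsubkey_k`, are added to the public header with no comment on reference ownership or on NULL handling. The auth_con.c part of this commit shows the setter taking its own reference with `krb5_k_reference_key`, and init_sec_context.c passes NULL to clear the subkey, so both behaviours are part of the contract. I would add a short comment above each, e.g. `/* Takes its own reference to key; the caller keeps and must release its own. A NULL key clears the subkey. */`. Without it a caller can easily leak or over-release key material.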

Modified: trunk/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/init_sec_context.c	2010-10-01 03:45:43 UTC (rev 24399)
+++ trunk/src/lib/gssapi/krb5/init_sec_context.c	2010-10-01 03:47:38 UTC (rev 24400)
@@ -270,7 +270,9 @@
     krb5_gss_ctx_ext_t exts;
 };
 
+#ifdef CFX_EXERCISE
 #include "../../krb5/krb/auth_con.h"
+#endif
 static krb5_error_code KRB5_CALLCONV
 make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
                    void *cksum_data, krb5_data **out)
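Review bot: The include of the private header `../../krb5/krb/auth_con.h` is now guarded by `CFX_EXERCISE`, but nothing says what still depends on it, and it stays between a struct definition and make_gss_checksum rather than with the file's other includes. The commit's purpose is to stop the mechanism code reaching into the auth context, so the remaining exception deserves a one-line comment such as `/* Only the CFX_EXERCISE test path still needs the auth context layout. */`. The code that uses it is not visible in this hunk, so that wording is a guess to confirm.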
@@ -301,10 +303,11 @@
         /*
          * RFC 4121 4.1.1 specifies forwarded credentials must be encrypted in
          * the session key, but krb5_fwd_tgt_creds will use the send subkey if
-         * it's set in the auth context.  Null out the send subkey temporarily.
+         * it's set in the auth context.  Suppress the send subkey
+         * temporarily.
          */
-        send_subkey = auth_context->send_subkey;
-        auth_context->send_subkey = NULL;
+        krb5_auth_con_getsendsubkey_k(context, auth_context, &send_subkey);
+        krb5_auth_con_setsendsubkey_k(context, auth_context, NULL);
 
         code = krb5_fwd_tgt_creds(context, auth_context, 0,
                                   data->cred->name->princ, data->ctx->there->princ,
@@ -313,7 +316,7 @@
 
         /* Turn KRB5_AUTH_CONTEXT_DO_TIME back on and reset the send subkey. */
         krb5_auth_con_setflags(context, auth_context, con_flags);
-        auth_context->send_subkey = send_subkey;
+        krb5_auth_con_setsendsubkey_k(context, auth_context, send_subkey);
 
         if (code) {
             /* don't fail here; just don't accept/do the delegation
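Review bot: The reference obtained through `krb5_auth_con_getsendsubkey_k` in the previous hunk does not appear to be released once the subkey is restored here. The getter's definition is not on this page, but if it hands back a new reference, the local `send_subkey` still owns one after `krb5_auth_con_setsendsubkey_k` has taken its own in auth_con.c. That would keep the subkey's key material allocated after the auth context is freed. I would add `krb5_k_free_key(context, send_subkey);` directly after the restoring call. The return value of the getter is also ignored, and make_gss_checksum continues beyond the hunk, so a release further down cannot be ruled out from here.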

Modified: trunk/src/lib/krb5/krb/auth_con.c
===================================================================
--- trunk/src/lib/krb5/krb/auth_con.c	2010-10-01 03:45:43 UTC (rev 24399)
+++ trunk/src/lib/krb5/krb/auth_con.c	2010-10-01 03:47:38 UTC (rev 24400)
@@ -221,6 +221,16 @@
 }
 
 krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac,
+                              krb5_key key)
+{
+    krb5_k_free_key(ctx, ac->send_subkey);
+    ac->send_subkey = key;
+    krb5_k_reference_key(ctx, key);
+    return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
 {
     if (ac->recv_subkey != NULL)
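Review bot: `krb5_auth_con_setsendsubkey_k` releases the old subkey before it takes a reference on the new one, which is unsafe when `key` is the same object as `ac->send_subkey`. If the auth context holds the last reference, `krb5_k_free_key` would free the key, and the next two lines would store and reference freed memory. This assumes the usual drop-to-zero behaviour of `krb5_k_free_key`, which is not shown on this page. Taking the new reference first avoids it: `krb5_k_reference_key(ctx, key);` then `krb5_k_free_key(ctx, ac->send_subkey);` then `ac->send_subkey = key;`. The same ordering applies to `krb5_auth_con_setrecvsubkey_k` in the next hunk.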
@@ -233,6 +243,16 @@
 }
 
 krb5_error_code KRB5_CALLCONV
+krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac,
+                              krb5_key key)
+{
+    krb5_k_free_key(ctx, ac->recv_subkey);
+    ac->recv_subkey = key;
+    krb5_k_reference_key(ctx, key);
+    return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
 {
     if (ac->send_subkey != NULL)

Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports	2010-10-01 03:45:43 UTC (rev 24399)
+++ trunk/src/lib/krb5/libkrb5.exports	2010-10-01 03:47:38 UTC (rev 24400)
@@ -156,7 +156,9 @@
 krb5_auth_con_setports
 krb5_auth_con_setrcache
 krb5_auth_con_setrecvsubkey
+krb5_auth_con_setrecvsubkey_k
 krb5_auth_con_setsendsubkey
+krb5_auth_con_setsendsubkey_k
 krb5_auth_con_setuseruserkey
 krb5_auth_to_rep
 krb5_authdata_context_copy



