krb5 commit: Document and check init_creds context requirement

Greg Hudson ghudson at mit.edu
Thu Jan 26 18:34:13 EST 2017


https://github.com/krb5/krb5/commit/c4beb35c9ac0711ef650abc4f1e44a4c82d5f3d0
commit c4beb35c9ac0711ef650abc4f1e44a4c82d5f3d0
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Jan 9 11:44:29 2017 -0500

    Document and check init_creds context requirement
    
    To ensure that the same clpreauth plugin modules and moddata pointers
    are used for each step of an initial creds operation, the caller must
    use the same library context for krb5_init_creds_init(),
    krb5_init_creds_step(), and krb5_init_creds_free().  Document and
    enforce this requirement.
    
    ticket: 7877

 src/include/krb5/krb5.hin     |   13 +++++++++++++
 src/lib/krb5/krb/get_in_tkt.c |    6 +++++-
 src/lib/krb5/krb/int-proto.h  |    3 +++
 src/lib/krb5/krb/preauth2.c   |   13 +++++++++++++
 4 files changed, 34 insertions(+), 1 deletions(-)

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c192dc7..4be5116 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7308,6 +7308,9 @@ typedef struct _krb5_init_creds_context *krb5_init_creds_context;
  *
  * @param [in] context          Library context
  * @param [in] ctx              Initial credentials context
+ *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
  */
 void KRB5_CALLCONV
 krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
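Review bot: The sentence added to the krb5_init_creds_free() comment states the same-context rule as a "must", but a caller cannot tell from it what happens when the rule is broken. Among the hunks shown, only krb5_init_creds_step() gains a call to k5_preauth_check_context(), and krb5_init_creds_free() returns void, so it cannot report a mismatch. I would add a line such as ` * A mismatched @a context cannot be reported by this function.` and describe what cleanup is skipped in that case, if the code outside this diff skips any. The same applies to the krb5_init_creds_init() comment in the third hunk of this file, which lists krb5_init_creds_free() next to the calls that are checked.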
@@ -7322,6 +7325,9 @@ krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
  * krb5_init_creds_init().  On successful return, the credentials can be
  * retrieved with krb5_init_creds_get_creds().
  *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
@@ -7372,6 +7378,10 @@ krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx,
  * This function creates a new context for acquiring initial credentials.  Use
  * krb5_init_creds_free() to free @a ctx when it is no longer needed.
  *
+ * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or
+ * krb5_init_creds_free() for this initial credentials context must use the
+ * same @a context argument as the one passed to this function.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
@@ -7421,6 +7431,9 @@ krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx,
  * transmit the next request using TCP rather than UDP.  If this function
  * returns any other error, the initial credential exchange has failed.
  *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index e422a04..3f6a3bf 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1685,7 +1685,7 @@ krb5_init_creds_step(krb5_context context,
                      krb5_data *realm,
                      unsigned int *flags)
 {
-    krb5_error_code code = 0, code2;
+    krb5_error_code code, code2;
 
     *flags = 0;
 
@@ -1698,6 +1698,10 @@ krb5_init_creds_step(krb5_context context,
     if (ctx->complete)
         return EINVAL;
 
+    code = k5_preauth_check_context(context, ctx);
+    if (code)
+        return code;
+
     if (in->length != 0) {
         code = init_creds_step_reply(context, ctx, in);
         if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) {
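Review bot: No test accompanies the new check in krb5_init_creds_step(); the diffstat lists only krb5.hin, get_in_tkt.c, int-proto.h and preauth2.c. Per the commit message, the check keeps the same clpreauth modules and moddata pointers in use across steps. A regression test that calls krb5_init_creds_init() with one context and krb5_init_creds_step() with another, expecting EINVAL, would keep it from being lost in a later refactor. Separately, with the `= 0` initializer removed in the previous hunk, `code` is first assigned at `code = k5_preauth_check_context(context, ctx);`, so any exit path later added above this line that reads `code` would see it uninitialized. A short comment such as `/* code is not yet set above this point; return directly. */` would record that. The function body continues outside both hunks.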
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index c506253..40955ba 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -211,6 +211,9 @@ k5_preauth_request_context_fini(krb5_context context,
                                 krb5_init_creds_context ctx);
 
 krb5_error_code
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx);
+
+krb5_error_code
 k5_response_items_new(k5_response_items **ri_out);
 
 void
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 9a178f4..9c5d6ea 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -296,6 +296,19 @@ k5_preauth_request_context_fini(krb5_context context,
     ctx->preauth_reqctx = NULL;
 }
 
+krb5_error_code
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx)
+{
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
+
+    if (reqctx != NULL && reqctx->orig_context != context) {
+        k5_setmsg(context, EINVAL,
+                  _("krb5_init_creds calls must use same library context"));
+        return EINVAL;
+    }
+    return 0;
+}
+
 /* Return 1 if pa_type is a real preauthentication mechanism according to the
  * module h.  Return 0 if it is not. */
 static int
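Review bot: k5_preauth_check_context() returns 0 whenever `ctx->preauth_reqctx` is NULL, so a context mismatch is not detected in that state, and no comment says whether this is intended. Whether krb5_init_creds_step() can be reached with a NULL request context and a different library context depends on code outside this hunk, so this may be harmless, but the contract should be written down. I would add above the definition `/* Return EINVAL if ctx's preauth request context was created under a different library context; return 0 otherwise, including when ctx has no request context. */`, and repeat that summary on the prototype in int-proto.h.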

