diff options
| author | Tom Yu <tlyu@mit.edu> | 2003-05-10 00:01:04 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2003-05-10 00:01:04 +0000 |
| commit | 508e90e51619c79d2680eaeca754d516c7f88fdf (patch) | |
| tree | 99bed617bdb438c95c55d7c265f9ef4beb9e23f3 /src/lib | |
| parent | 919b3a91b573c746a62a704fc5cdf883605d6aa9 (diff) | |
| download | krb5-508e90e51619c79d2680eaeca754d516c7f88fdf.tar.gz krb5-508e90e51619c79d2680eaeca754d516c7f88fdf.tar.xz krb5-508e90e51619c79d2680eaeca754d516c7f88fdf.zip | |
Rename the local_subkey and remote_subkey fields in the auth_context
to send_subkey and recv_subkey, respectively. Add new APIs to query
and set these fields. Change the behavior of mk_req_ext, rd_req_dec,
and rd_rep to set both subkeys. Applications wanting to set
unidirectional subkeys may still do so by saving the values of subkeys
and doing overrides. Cause mk_cred, mk_priv, and mk_safe to never use
the recv_subkey. Cause rd_cred, rd_priv, and rd_safe to never use the
send_subkey.
ticket: 1415
status: open
tags: pullup
target_version: 1.3
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15407 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/ChangeLog | 6 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/ChangeLog | 8 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 8 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 4 | ||||
| -rw-r--r-- | src/lib/krb5/krb/ChangeLog | 35 | ||||
| -rw-r--r-- | src/lib/krb5/krb/auth_con.c | 54 | ||||
| -rw-r--r-- | src/lib/krb5/krb/auth_con.h | 4 | ||||
| -rw-r--r-- | src/lib/krb5/krb/chpw.c | 61 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_cred.c | 5 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_priv.c | 5 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_req_ext.c | 13 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_safe.c | 5 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_cred.c | 5 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_priv.c | 5 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_rep.c | 10 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_req_dec.c | 12 | ||||
| -rw-r--r-- | src/lib/krb5/krb/rd_safe.c | 5 | ||||
| -rw-r--r-- | src/lib/krb5/krb/ser_actx.c | 28 | ||||
| -rw-r--r-- | src/lib/krb5_32.def | 4 |
19 files changed, 200 insertions, 77 deletions
diff --git a/src/lib/ChangeLog b/src/lib/ChangeLog index fb87043923..2a1601859f 100644 --- a/src/lib/ChangeLog +++ b/src/lib/ChangeLog @@ -1,3 +1,9 @@ +2003-05-09 Tom Yu <tlyu@mit.edu> + + * krb5_32.def: Add krb5_auth_con_getrecvsubkey, + krb5_auth_con_getsendsubkey, krb5_auth_con_setrecvsubkey, + krb5_auth_con_setsendsubkey. + 2003-04-15 Sam Hartman <hartmans@mit.edu> * krb5_32.def: Add krb5_set_password and krb5_set_password_using_ccache diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 47f718d162..008821022f 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,11 @@ +2003-05-09 Tom Yu <tlyu@mit.edu> + + * accept_sec_context.c (krb5_gss_accept_sec_context): Rename + remote_subkey -> recv_subkey. + + * init_sec_context.c (krb5_gss_init_sec_context): Rename + local_subkey -> send_subkey. + 2003-03-14 Sam Hartman <hartmans@mit.edu> * accept_sec_context.c (krb5_gss_accept_sec_context): Set diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index a004acb229..4cc0651afa 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -101,8 +101,8 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) * By the time krb5_rd_cred is called here (after krb5_rd_req has been * called in krb5_gss_accept_sec_context), the "keyblock" field of * auth_context contains a pointer to the session key, and the - * "remote_subkey" field might contain a session subkey. Either of - * these (the "remote_subkey" if it isn't NULL, otherwise the + * "recv_subkey" field might contain a session subkey. Either of + * these (the "recv_subkey" if it isn't NULL, otherwise the * "keyblock") might have been used to encrypt the encrypted part of * the KRB_CRED message that contains the forwarded credentials. (The * Java Crypto and Security Implementation from the DSTC in Australia @@ -592,8 +592,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, goto fail; } - if ((code = krb5_auth_con_getremotesubkey(context, auth_context, - &ctx->subkey))) { + if ((code = krb5_auth_con_getrecvsubkey(context, auth_context, + &ctx->subkey))) { major_status = GSS_S_FAILURE; goto fail; } diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index ba630f1eb4..ed36311528 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -572,8 +572,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &ctx->seq_send); - krb5_auth_con_getlocalsubkey(context, ctx->auth_context, - &ctx->subkey); + krb5_auth_con_getsendsubkey(context, ctx->auth_context, + &ctx->subkey); /* fill in the encryption descriptors */ diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 0d46e8eca1..62e652d667 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,38 @@ +2003-05-09 Tom Yu <tlyu@mit.edu> + + * auth_con.c (krb5_auth_con_setsendsubkey) + (krb5_auth_con_setrecvsubkey, krb5_auth_con_getsendsubkey) + (krb5_auth_con_getrecvsubkey): New functions. Set or retrieve + subkeys from an auth_context. + (krb5_auth_con_getlocalsubkey, krb5_auth_con_getremotesubkey): + Reimplement in terms of the above. + + * auth_con.h, ser_actx.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. + + * chpw.c (krb5int_rd_chpw_rep): Save send_subkey prior to rd_rep; + use saved send_subkey to smash recv_subkey obtained from rd_rep. + + * mk_req_ext.c (krb5_mk_req_extended): Rename + {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if + subkey generation is requested. + + * mk_cred.c, mk_priv.c, mk_safe.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. Use either send_subkey or keyblock, in that + order. + + * rd_cred.c, rd_priv.c, rd_safe.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. Use either recv_subkey or keyblock, in that + order. + + * rd_rep.c (krb5_rd_rep): Rename {local,remote}_subkey -> + {send,recv}_subkey. Set both subkeys if a subkey is present in + the AP-REP message. + + * rd_req_dec.c (krb5_rd_req_decoded_opt): Rename + {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if + a subkey is present in the AP-REQ message. + 2003-05-06 Sam Hartman <hartmans@mit.edu> * kfree.c (krb5_free_etype_info): Free s2kparams diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index 09ccf9808e..bc26774a6c 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c @@ -59,10 +59,10 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) krb5_free_authenticator(context, auth_context->authentp); if (auth_context->keyblock) krb5_free_keyblock(context, auth_context->keyblock); - if (auth_context->local_subkey) - krb5_free_keyblock(context, auth_context->local_subkey); - if (auth_context->remote_subkey) - krb5_free_keyblock(context, auth_context->remote_subkey); + if (auth_context->send_subkey) + krb5_free_keyblock(context, auth_context->send_subkey); + if (auth_context->recv_subkey) + krb5_free_keyblock(context, auth_context->recv_subkey); if (auth_context->rcache) krb5_rc_close(context, auth_context->rcache); if (auth_context->permitted_etypes) @@ -176,17 +176,53 @@ krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_ krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) { - if (auth_context->local_subkey) - return krb5_copy_keyblock(context,auth_context->local_subkey,keyblock); + return krb5_auth_con_getsendsubkey(context, auth_context, keyblock); +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) +{ + return krb5_auth_con_getrecvsubkey(context, auth_context, keyblock); +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) +{ + if (ac->send_subkey != NULL) + krb5_free_keyblock(ctx, ac->send_subkey); + ac->send_subkey = NULL; + if (keyblock !=NULL) + return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey); + else + return 0; +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) +{ + if (ac->recv_subkey != NULL) + krb5_free_keyblock(ctx, ac->recv_subkey); + ac->recv_subkey = NULL; + if (keyblock != NULL) + return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey); + else + return 0; +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) +{ + if (ac->send_subkey != NULL) + return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock); *keyblock = NULL; return 0; } krb5_error_code KRB5_CALLCONV -krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) +krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) { - if (auth_context->remote_subkey) - return krb5_copy_keyblock(context,auth_context->remote_subkey,keyblock); + if (ac->recv_subkey != NULL) + return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock); *keyblock = NULL; return 0; } diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h index d83d6b86e8..1dcfc89e7b 100644 --- a/src/lib/krb5/krb/auth_con.h +++ b/src/lib/krb5/krb/auth_con.h @@ -9,8 +9,8 @@ struct _krb5_auth_context { krb5_address * local_addr; krb5_address * local_port; krb5_keyblock * keyblock; - krb5_keyblock * local_subkey; - krb5_keyblock * remote_subkey; + krb5_keyblock * send_subkey; + krb5_keyblock * recv_subkey; krb5_int32 auth_context_flags; krb5_int32 remote_seq_number; diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c index 248c4c88c3..f640ce66c6 100644 --- a/src/lib/krb5/krb/chpw.c +++ b/src/lib/krb5/krb/chpw.c @@ -120,8 +120,18 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_d ap_rep.data = ptr; ptr += ap_rep.length; - if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc))) + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmp); return(ret); + } krb5_free_ap_rep_enc_part(context, ap_rep_enc); @@ -130,18 +140,17 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_d cipherresult.data = ptr; cipherresult.length = (packet->data + packet->length) - ptr; - /* XXX there's no api to do this right. The problem is that - if there's a remote subkey, it will be used. This is - not what the spec requires */ - - tmp = auth_context->remote_subkey; - auth_context->remote_subkey = NULL; + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp); + krb5_free_keyblock(context, tmp); + if (ret) + return ret; ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, &replay); - auth_context->remote_subkey = tmp; - if (ret) return(ret); } else { @@ -310,6 +319,7 @@ krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5 krb5_data cipherresult; krb5_data clearresult; krb5_replay_data replay; + krb5_keyblock *tmpkey; /* ** validate the packet length - */ @@ -381,8 +391,18 @@ krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5 ap_rep.data = ptr; ptr += ap_rep.length; - if (ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc)) + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmpkey); return(ret); + } krb5_free_ap_rep_enc_part(context, ap_rep_enc); /* @@ -391,19 +411,16 @@ krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5 cipherresult.data = ptr; cipherresult.length = (packet->data + packet->length) - ptr; - { - krb5_keyblock *saved_remote_subkey; -/* -** save the remote_subkey, so it doesn't get used when decoding -*/ - saved_remote_subkey = auth_context->remote_subkey; - auth_context->remote_subkey = NULL; - - ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, - NULL); - auth_context->remote_subkey = saved_remote_subkey; - } + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey); + krb5_free_keyblock(context, tmpkey); + if (ret) + return ret; + ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, + NULL); if (ret) return(ret); } /*We got an ap_rep*/ diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index 6389298610..04248c08d1 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -182,9 +182,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds * memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 196b6eea00..efe254ac09 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -119,9 +119,8 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, memset((char *) &replaydata, 0, sizeof(krb5_replay_data)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 1ed14a9226..91a4f3d1cf 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -130,7 +130,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, goto cleanup; } - if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) { + if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) { /* Provide some more fodder for random number code. This isn't strong cryptographically; the point here is not to guarantee randomness, but to make it less likely that multiple @@ -145,8 +145,15 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d); if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock, - &(*auth_context)->local_subkey))) + &(*auth_context)->send_subkey))) goto cleanup; + retval = krb5_copy_keyblock(context, (*auth_context)->send_subkey, + &((*auth_context)->recv_subkey)); + if (retval) { + krb5_free_keyblock(context, (*auth_context)->send_subkey); + (*auth_context)->send_subkey = NULL; + goto cleanup; + } } @@ -178,7 +185,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, if ((retval = krb5_generate_authenticator(context, (*auth_context)->authentp, (in_creds)->client, checksump, - (*auth_context)->local_subkey, + (*auth_context)->send_subkey, (*auth_context)->local_seq_number, (in_creds)->authdata))) goto cleanup_cksum; diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index 992a456a90..eefcab7cd4 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -120,9 +120,8 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da memset((char *) &replaydata, 0, sizeof(krb5_replay_data)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index 228219f765..0359d40c3c 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -169,9 +169,8 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *pc krb5_replay_data replaydata; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 8132056623..180559cc23 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -156,9 +156,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_da krb5_replay_data replaydata; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index e35e43f5d2..50ce51331e 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -82,7 +82,15 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat /* Set auth subkey */ if ((*repl)->subkey) { retval = krb5_copy_keyblock(context, (*repl)->subkey, - &auth_context->remote_subkey); + &auth_context->recv_subkey); + if (retval) + goto clean_scratch; + retval = krb5_copy_keyblock(context, (*repl)->subkey, + &auth_context->send_subkey); + if (retval) { + krb5_free_keyblock(context, auth_context->send_subkey); + auth_context->send_subkey = NULL; + } } /* Get remote sequence number */ diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index fa126b4abd..3c398aed1a 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -290,10 +290,18 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c if ((*auth_context)->authentp->subkey) { if ((retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey, - &((*auth_context)->remote_subkey)))) + &((*auth_context)->recv_subkey)))) goto cleanup; + retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey, + &((*auth_context)->send_subkey)); + if (retval) { + krb5_free_keyblock(context, (*auth_context)->recv_subkey); + (*auth_context)->recv_subkey = NULL; + goto cleanup; + } } else { - (*auth_context)->remote_subkey = 0; + (*auth_context)->recv_subkey = 0; + (*auth_context)->send_subkey = 0; } if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session, diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index 0f6cec27ff..3194229a39 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -161,9 +161,8 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da return KRB5_RC_REQUIRED; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; { krb5_address * premote_fulladdr = NULL; diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c index a8ec90ee6f..32519e19f0 100644 --- a/src/lib/krb5/krb/ser_actx.c +++ b/src/lib/krb5/krb/ser_actx.c @@ -151,21 +151,21 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) required += sizeof(krb5_int32); } - /* Calculate size required by local_subkey, if appropriate */ - if (!kret && auth_context->local_subkey) { + /* Calculate size required by send_subkey, if appropriate */ + if (!kret && auth_context->send_subkey) { kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) auth_context->local_subkey, + (krb5_pointer) auth_context->send_subkey, &required); if (!kret) required += sizeof(krb5_int32); } - /* Calculate size required by remote_subkey, if appropriate */ - if (!kret && auth_context->remote_subkey) { + /* Calculate size required by recv_subkey, if appropriate */ + if (!kret && auth_context->recv_subkey) { kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) auth_context->remote_subkey, + (krb5_pointer) auth_context->recv_subkey, &required); if (!kret) required += sizeof(krb5_int32); @@ -300,23 +300,23 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe } /* Now handle subkey, if appropriate */ - if (!kret && auth_context->local_subkey) { + if (!kret && auth_context->send_subkey) { (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer) - auth_context->local_subkey, + auth_context->send_subkey, &bp, &remain); } /* Now handle subkey, if appropriate */ - if (!kret && auth_context->remote_subkey) { + if (!kret && auth_context->recv_subkey) { (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer) - auth_context->remote_subkey, + auth_context->recv_subkey, &bp, &remain); } @@ -474,26 +474,26 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } - /* This is the local_subkey */ + /* This is the send_subkey */ if (!kret && (tag == TOKEN_LSKBLOCK)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context-> - local_subkey, + send_subkey, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } - /* This is the remote_subkey */ + /* This is the recv_subkey */ if (!kret) { if (tag == TOKEN_RSKBLOCK) { kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context-> - remote_subkey, + recv_subkey, &bp, &remain); } diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index 0d4d5f24d1..257dd287e0 100644 --- a/src/lib/krb5_32.def +++ b/src/lib/krb5_32.def @@ -36,8 +36,10 @@ EXPORTS krb5_auth_con_getlocalseqnumber krb5_auth_con_getlocalsubkey krb5_auth_con_getrcache ; KRB5_CALLCONV_WRONG + krb5_auth_con_getrecvsubkey krb5_auth_con_getremoteseqnumber krb5_auth_con_getremotesubkey + krb5_auth_con_getsendsubkey krb5_auth_con_init krb5_auth_con_initivector ; DEPRECATED krb5_auth_con_setaddrs ; KRB5_CALLCONV_WRONG @@ -45,6 +47,8 @@ EXPORTS krb5_auth_con_setflags krb5_auth_con_setports krb5_auth_con_setrcache + krb5_auth_con_setrecvsubkey + krb5_auth_con_setsendsubkey krb5_auth_con_setuseruserkey krb5_build_principal krb5_build_principal_ext |