X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fcontext_mit.c;h=c0b494b4a102a42cb7e492cb8d79efb9696a23ab;hp=0af92a3804a7c6312546171affb3d8414e43b863;hb=119c3e9aafe84c0f7c2846c46ad5e6f5eeece0da;hpb=4ce79c4ef9d40b9df12e1f55c2fbb7a75744052c diff --git a/utils/gssd/context_mit.c b/utils/gssd/context_mit.c index 0af92a3..c0b494b 100644 --- a/utils/gssd/context_mit.c +++ b/utils/gssd/context_mit.c @@ -86,7 +86,7 @@ typedef struct _krb5_gss_ctx_id_rec { uint64_t seq_recv; /* gssint_uint64 */ void *seqstate; krb5_auth_context auth_context; - gss_buffer_desc *mech_used; /* gss_OID_desc */ + gss_OID_desc *mech_used; /* gss_OID_desc */ /* Protocol spec revision 0 => RFC 1964 with 3DES and RC4 enhancements 1 => draft-ietf-krb-wg-gssapi-cfx-01 @@ -123,7 +123,7 @@ typedef struct _krb5_gss_ctx_id_rec { int established; int big_endian; krb5_auth_context auth_context; - gss_buffer_desc *mech_used; + gss_OID_desc *mech_used; int nctypes; krb5_cksumtype *ctypes; } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t; @@ -185,6 +185,11 @@ prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx, if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err; if (write_buffer(&p, end, (gss_buffer_desc*)&krb5oid)) goto out_err; + printerr(2, "prepare_krb5_rfc1964_buffer: serializing keys with " + "enctype %d and length %d\n", + lctx->rfc1964_kd.ctx_key.type, + lctx->rfc1964_kd.ctx_key.length); + /* derive the encryption key and copy it into buffer */ enc_key.type = lctx->rfc1964_kd.ctx_key.type; enc_key.length = lctx->rfc1964_kd.ctx_key.length; @@ -232,10 +237,13 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf) int retcode = 0; printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n"); - maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, &ctx, - 1, &return_ctx); - if (maj_stat != GSS_S_COMPLETE) + maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx, + 1, &return_ctx); + if (maj_stat != GSS_S_COMPLETE) { + pgsserr("gss_export_lucid_sec_context", + maj_stat, min_stat, &krb5oid); goto out_err; + } /* Check the version returned, we only support v1 right now */ vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version; @@ -256,12 +264,18 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf) else retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf); - maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, - (void *)lctx); - if (maj_stat != GSS_S_COMPLETE) + maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx); + if (maj_stat != GSS_S_COMPLETE) { + pgsserr("gss_export_lucid_sec_context", + maj_stat, min_stat, &krb5oid); printerr(0, "WARN: failed to free lucid sec context\n"); - if (retcode) + } + + if (retcode) { + printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer " + "failed (retcode = %d)\n", retcode); goto out_err; + } return 0; @@ -285,10 +299,21 @@ write_keyblock(char **p, char *end, struct _krb5_keyblock *arg) return 0; } +/* + * We really shouldn't know about glue-layer context structure, but + * we need to get at the real krb5 context pointer. This should be + * removed as soon as we say there is no support for MIT Kerberos + * prior to 1.4 -- which gives us "legal" access to the context info. + */ +typedef struct gss_union_ctx_id_t { + gss_OID mech_type; + gss_ctx_id_t internal_ctx_id; +} gss_union_ctx_id_desc, *gss_union_ctx_id_t; + int serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf) { - krb5_gss_ctx_id_t kctx = (krb5_gss_ctx_id_t)ctx; + krb5_gss_ctx_id_t kctx = ((gss_union_ctx_id_t)ctx)->internal_ctx_id; char *p, *end; static int constant_one = 1; static int constant_zero = 0; @@ -318,7 +343,12 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf) if (WRITE_BYTES(&p, end, kctx->endtime)) goto out_err; word_seq_send = kctx->seq_send; if (WRITE_BYTES(&p, end, word_seq_send)) goto out_err; - if (write_buffer(&p, end, kctx->mech_used)) goto out_err; + if (write_oid(&p, end, kctx->mech_used)) goto out_err; + + printerr(2, "serialize_krb5_ctx: serializing keys with " + "enctype %d and length %d\n", + kctx->enc->enctype, kctx->enc->length); + if (write_keyblock(&p, end, kctx->enc)) goto out_err; if (write_keyblock(&p, end, kctx->seq)) goto out_err;