The gssd code should not know about the glue layer's context structure.
A previous patch added gss_export_lucid_sec_context() and
gss_free_lucid_sec_context() functions to the gssapi glue layer.
Use these functions rather than calling directly to the Kerberos
gssapi code (which requires the Kerberos context handle rather
than the glue's context handle).
(really this time)
+2006-03-28 kwc@citi.umich.edu
+ Update krb5 code to use glue routine lucid context functions
+
+
+
+ The gssd code should not know about the glue layer's context structure.
+ A previous patch added gss_export_lucid_sec_context() and
+ gss_free_lucid_sec_context() functions to the gssapi glue layer.
+ Use these functions rather than calling directly to the Kerberos
+ gssapi code (which requires the Kerberos context handle rather
+ than the glue's context handle).
+
+ (really this time)
+
2006-03-28 kwc@citi.umich.edu
Separate out context handling code for MIT Kerberos and SPKM3
2006-03-28 kwc@citi.umich.edu
Separate out context handling code for MIT Kerberos and SPKM3
-serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf)
+serialize_context_for_kernel(gss_ctx_id_t ctx,
+ gss_buffer_desc *buf,
+ gss_OID mech)
- gss_union_ctx_id_t uctx = (gss_union_ctx_id_t)ctx;
-
- if (g_OID_equal(&krb5oid, uctx->mech_type))
- return serialize_krb5_ctx(uctx->internal_ctx_id, buf);
+ if (g_OID_equal(&krb5oid, mech))
+ return serialize_krb5_ctx(ctx, buf);
- else if (g_OID_equal(&spkm3oid, uctx->mech_type))
- return serialize_spkm3_ctx(uctx, buf);
+ else if (g_OID_equal(&spkm3oid, mech))
+ return serialize_spkm3_ctx(ctx, buf);
#endif
else {
printerr(0, "ERROR: attempting to serialize context with "
#endif
else {
printerr(0, "ERROR: attempting to serialize context with "
- "unknown mechanism oid\n");
+ "unknown/unsupported mechanism oid\n");
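Review bot: `mech` is now a caller-supplied pointer that `g_OID_equal(&krb5oid, mech)` dereferences on the first changed line of the body with no check that it is non-NULL, whereas the old code read `uctx->mech_type` out of the union context it had just cast. The gssd callers pass `&krb5oid` and `&spkm3oid` directly, but handle_nullreq forwards whatever `mech` it holds, so a missing OID there would crash before reaching the "unknown/unsupported mechanism oid" path. A guard at the top of the body keeps the existing failure semantics: `if (mech == GSS_C_NO_OID) { printerr(0, "ERROR: serialize_context_for_kernel: no mechanism oid\n"); return -1; }`; the exact error return value is taken from the callers' nonzero-means-failure test and should be matched to the `else` branch, whose return lies outside the hunk.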
-int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf);
+int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,
+ gss_OID mech);
int serialize_spkm3_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
int serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
int serialize_spkm3_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
int serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
int retcode = 0;
printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
int retcode = 0;
printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
- maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, &ctx,
- 1, &return_ctx);
- if (maj_stat != GSS_S_COMPLETE)
+ maj_stat = gss_export_lucid_sec_context(&min_stat, ctx,
+ 1, &return_ctx);
+ if (maj_stat != GSS_S_COMPLETE) {
+ pgsserr("gss_export_lucid_sec_context",
+ maj_stat, min_stat, &krb5oid);
/* Check the version returned, we only support v1 right now */
vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
/* Check the version returned, we only support v1 right now */
vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
else
retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
else
retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
- maj_stat = gss_krb5_free_lucid_sec_context(&min_stat,
- (void *)lctx);
- if (maj_stat != GSS_S_COMPLETE)
+ maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
+ if (maj_stat != GSS_S_COMPLETE) {
+ pgsserr("gss_export_lucid_sec_context",
+ maj_stat, min_stat, &krb5oid);
printerr(0, "WARN: failed to free lucid sec context\n");
printerr(0, "WARN: failed to free lucid sec context\n");
+ }
+
+ if (retcode) {
+ printerr(1, "serialize_krb5_ctx: prepare_krb5_*_buffer "
+ "failed (retcode = %d)\n", retcode);
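Review bot: The error report on the free path names the wrong call: after `gss_free_lucid_sec_context` fails, the new `pgsserr("gss_export_lucid_sec_context", maj_stat, min_stat, &krb5oid);` logs it as an export failure, which sends anyone reading the log to the wrong place. Change the first argument to `"gss_free_lucid_sec_context"` so the message matches the "WARN: failed to free lucid sec context" line that follows it. The rest of serialize_krb5_ctx, including what happens after the export-failure branch opened at `if (maj_stat != GSS_S_COMPLETE) {`, lies outside the hunk.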
- if (serialize_context_for_kernel(pd.pd_ctx, &token)) {
+ if (serialize_context_for_kernel(pd.pd_ctx, &token, &krb5oid)) {
printerr(0, "WARNING: Failed to serialize krb5 context for "
"user with uid %d for server %s\n",
uid, clp->servername);
printerr(0, "WARNING: Failed to serialize krb5 context for "
"user with uid %d for server %s\n",
uid, clp->servername);
- if (serialize_context_for_kernel(pd.pd_ctx, &token)) {
+ if (serialize_context_for_kernel(pd.pd_ctx, &token, &spkm3oid)) {
printerr(0, "WARNING: Failed to serialize spkm3 context for "
"user with uid %d for server\n",
uid, clp->servername);
printerr(0, "WARNING: Failed to serialize spkm3 context for "
"user with uid %d for server\n",
uid, clp->servername);
/* kernel needs ctx to calculate verifier on null response, so
* must give it context before doing null call: */
/* kernel needs ctx to calculate verifier on null response, so
* must give it context before doing null call: */
- if (serialize_context_for_kernel(ctx, &ctx_token)) {
+ if (serialize_context_for_kernel(ctx, &ctx_token, mech)) {
printerr(0, "WARNING: handle_nullreq: "
"serialize_context_for_kernel failed\n");
maj_stat = GSS_S_FAILURE;
printerr(0, "WARNING: handle_nullreq: "
"serialize_context_for_kernel failed\n");
maj_stat = GSS_S_FAILURE;