X-Git-Url: https://git.whamcloud.com/?a=blobdiff_plain;f=lustre%2Futils%2Fgss%2Fcontext_lucid.c;h=3b2d90bde28634210868507ac4b7534fc21939fc;hb=c431dc7642bea736b9c360d0b2e038cf76b26888;hp=2f802de127c8668641d9e087cb09bec4ec454a22;hpb=d2d56f38da01001c92a09afc6b52b5acbd9bc13c;p=fs%2Flustre-release.git
diff --git a/lustre/utils/gss/context_lucid.c b/lustre/utils/gss/context_lucid.c
index 2f802de..3b2d90b 100644
--- a/lustre/utils/gss/context_lucid.c
+++ b/lustre/utils/gss/context_lucid.c
@@ -49,11 +49,24 @@ typedef uint64_t OM_uint64;
 #endif
 #include
-#include "gss_util.h"
-#include "gss_oids.h"
-#include "err_util.h"
+#ifdef _NEW_BUILD_
+# include "lgss_utils.h"
+#else
+# include "gss_util.h"
+# include "gss_oids.h"
+# include "err_util.h"
+#endif
+#include "write_bytes.h"
 #include "context.h"
+extern OM_uint32 gss_export_lucid_sec_context(OM_uint32 *min_stat,
+ gss_ctx_id_t *ctx,
+ OM_uint32 version,
+ void **kctx);
+extern OM_uint32 gss_free_lucid_sec_context(OM_uint32 *min_stat,
+ gss_ctx_id_t ctx,
+ void *kctx);
+
 static int
 write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
 {
@@ -72,12 +85,11 @@ prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
 {
 char *p, *end;
 static int constant_zero = 0;
- unsigned char fakeseed[16];
+ unsigned char fakeseed[16] = { 0 };
 uint32_t word_send_seq;
 gss_krb5_lucid_key_t enc_key;
 int i;
 char *skd, *dkd;
- gss_buffer_desc fakeoid;
 /*
 * The new Kerberos interface to get the gss context
@@ -87,7 +99,6 @@ prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
 * interface to the kernel.
 */
 memset(&enc_key, 0, sizeof(enc_key));
- memset(&fakeoid, 0, sizeof(fakeoid));
 if (!(buf->value = calloc(1, MAX_CTX_LEN)))
 goto out_err;
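Review bot: The two `extern OM_uint32 gss_export_lucid_sec_context(...)` / `gss_free_lucid_sec_context(...)` prototypes added after the include block are hand-written rather than taken from a library header, so a mismatch with the GSS library actually linked (the MIT export is named `gss_krb5_export_lucid_sec_context`, and parameter types for the lucid API have differed between implementations and versions) compiles cleanly and only misbehaves at the call in serialize_krb5_ctx. A comment stating which library these mirror and why the header is not used would let the next maintainer re-verify them, e.g. `/* NOTE: hand-declared, presumably because no usable header is available in this build; must match the lucid-context API of the linked GSS library - confirm against its header */`. The reason the prototypes are local is not visible in the hunk, so the wording should be adjusted to the real one.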
@@ -133,20 +144,20 @@ prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
 dkd = (char *) enc_key.data;
 for (i = 0; i < enc_key.length; i++)
 dkd[i] = skd[i] ^ 0xf0;
- if (write_lucid_keyblock(&p, end, &enc_key)) {
- free(enc_key.data);
+ if (write_lucid_keyblock(&p, end, &enc_key))
 goto out_err;
- }
- free(enc_key.data);
-
 if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
 goto out_err;
+ free(enc_key.data);
 buf->length = p - (char *)buf->value;
 return 0;
 out_err:
 printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
- if (buf->value) free(buf->value);
+ if (buf->value) {
+ free(buf->value);
+ buf->value = NULL;
+ }
 buf->length = 0;
 if (enc_key.data) free(enc_key.data);
 return -1;
@@ -191,16 +202,15 @@ enum seal_alg {
 * We don't have "legal" access to these MIT-only
 * structures located in libk5crypto
 */
-extern void krb5int_enc_arcfour;
-extern void krb5int_enc_des3;
-extern void krb5int_enc_aes128;
-extern void krb5int_enc_aes256;
-extern int krb5_derive_key();
+extern void *krb5int_enc_arcfour;
+extern void *krb5int_enc_des3;
+extern void *krb5int_enc_aes128;
+extern void *krb5int_enc_aes256;
 static void
 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
 {
- memset(kout, '\0', sizeof(kout));
+ memset(kout, 0, sizeof(*kout));
 #ifdef HAVE_KRB5
 kout->enctype = lin->type;
 kout->length = lin->length;
@@ -215,7 +225,7 @@ key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
 static void
 key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout)
 {
- memset(lout, '\0', sizeof(lout));
+ memset(lout, 0, sizeof(*lout));
 #ifdef HAVE_KRB5
 lout->type = kin->enctype;
 lout->length = kin->length;
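Review bot: The moved `free(enc_key.data);` on the success path and the `if (enc_key.data) free(enc_key.data);` under `out_err:` both release a key buffer without clearing it first: the hunk shows it is filled by `dkd[i] = skd[i] ^ 0xf0` from `ctx_key`, i.e. it is the session key one XOR away, and the `buf->value` freed under `out_err:` may already contain serialized key bytes as well. I would wipe before each free, `memset(enc_key.data, 0, enc_key.length);` ahead of `free(enc_key.data);` and a wipe of `buf->value` over the bytes written (`p - (char *)buf->value`, or the whole allocation) ahead of `free(buf->value);`. A plain memset immediately before free may be dropped by the optimizer, so use `explicit_bzero` where available or a volatile-pointer wrapper if the project already has one. prepare_krb5_rfc1964_buffer starts outside this hunk, so the allocation size of `buf->value` has to be checked there.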
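Review bot: `extern void *krb5int_enc_arcfour;` and its three siblings now declare libk5crypto's `krb5int_enc_*` provider tables as pointer variables, which the comment right above them admits they are not (they are MIT-internal structs). Taking `&krb5int_enc_aes128` still yields the correct address, so code that only assigns `enc = &krb5int_enc_*` keeps working (those assignments are outside this hunk), but any by-value use would silently read the first bytes of the struct as a pointer with no diagnostic. Declaring them with an incomplete type, `extern const struct krb5_enc_provider krb5int_enc_aes128;` using whatever tag the linked libk5crypto defines, keeps `&` legal and turns a by-value read into a compile error; if `void *` has to stay, a line such as `/* opaque, not really pointers: only ever take the address of these */` should go next to them.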
@@ -244,8 +254,13 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 int keylength;
 void *enc;
 krb5_keyblock kin, kout; /* must send krb5_keyblock, not lucid! */
-#ifdef HAVE_HEIMDAL
+#if defined(HAVE_HEIMDAL) || HAVE_KRB5INT_DERIVE_KEY
 krb5_context kcontext;
+#endif
+#if HAVE_KRB5INT_DERIVE_KEY
+ krb5_key key_in, key_out;
+#endif
+#ifdef HAVE_HEIMDAL
 krb5_keyblock *outkey;
 #endif
@@ -303,12 +318,35 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 ((char *)(datain.data))[4] = (char) extra;
 #ifdef HAVE_KRB5
+#if HAVE_KRB5INT_DERIVE_KEY
+ code = krb5_init_context(&kcontext);
+ if (code) {
+ free(out->data);
+ out->data = NULL;
+ goto out;
+ }
+ code = krb5_k_create_key(kcontext, &kin, &key_in);
+ if (code) {
+ free(out->data);
+ out->data = NULL;
+ goto out;
+ }
+ code = krb5_k_create_key(kcontext, &kout, &key_out);
+ if (code) {
+ free(out->data);
+ out->data = NULL;
+ goto out;
+ }
+ code = krb5int_derive_key(enc, key_in, &key_out, &datain,
+ DERIVE_RFC3961);
+#else /* !HAVE_KRB5INT_DERIVE_KEY */
 code = krb5_derive_key(enc, &kin, &kout, &datain);
-#else
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
+#else /* !defined(HAVE_KRB5) */
 if ((code = krb5_init_context(&kcontext))) {
 }
 code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
-#endif
+#endif /* defined(HAVE_KRB5) */
 if (code) {
 free(out->data);
 out->data = NULL;
@@ -316,14 +354,17 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 }
 #ifdef HAVE_KRB5
 key_krb5_to_lucid(&kout, out);
-#else
+#if HAVE_KRB5INT_DERIVE_KEY
+ krb5_free_context(kcontext);
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
+#else /* !defined(HAVE_KRB5) */
 key_krb5_to_lucid(outkey, out);
 krb5_free_keyblock(kcontext, outkey);
 krb5_free_context(kcontext);
-#endif
+#endif /* defined(HAVE_KRB5) */
 out:
- if (code)
+ if (code)
 printerr(0, "ERROR: %s: returning error %d (%s)\n",
 __FUNCTION__, code, error_message(code));
 return (code);
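Review bot: In the new `HAVE_KRB5INT_DERIVE_KEY` path every failure after `krb5_init_context(&kcontext)` has succeeded jumps to `out` without `krb5_free_context(kcontext)`, and `key_in`, created by `krb5_k_create_key(kcontext, &kin, &key_in)`, is never released with `krb5_k_free_key` on any path visible here (the tail in the next hunk frees only `kcontext`), so a heap copy of the input key is leaked unscrubbed on every call. The pre-created `key_out` also looks suspect: in the MIT sources I know, `krb5int_derive_key` hands the derived key back by assigning `*outkey` (resetting it to NULL first), so the object made by `krb5_k_create_key(kcontext, &kout, &key_out)` is leaked and the derived bytes land in `key_out->keyblock`, not in `kout` - confirm against the libk5crypto version actually linked. The rewrite below releases each resource on the failure path that follows its acquisition and drops the pre-creation; the function's declarations and the `out:` label are outside this hunk.
```c
#if HAVE_KRB5INT_DERIVE_KEY
	code = krb5_init_context(&kcontext);
	if (code) {
		free(out->data);
		out->data = NULL;
		goto out;
	}
	code = krb5_k_create_key(kcontext, &kin, &key_in);
	if (code) {
		krb5_free_context(kcontext);
		free(out->data);
		out->data = NULL;
		goto out;
	}
	/* krb5int_derive_key allocates *key_out itself; do not pre-create it */
	code = krb5int_derive_key(enc, key_in, &key_out, &datain,
				  DERIVE_RFC3961);
	krb5_k_free_key(kcontext, key_in);	/* drop the copied input key */
	if (code) {
		krb5_free_context(kcontext);
		free(out->data);
		out->data = NULL;
		goto out;
	}
	/* derived bytes are in key_out->keyblock; the tail must copy them
	 * into out and release key_out and kcontext */
#else /* !HAVE_KRB5INT_DERIVE_KEY */
	/* ... unchanged: legacy krb5_derive_key() and Heimdal branches ... */
```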
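Review bot: Under `#ifdef HAVE_KRB5` the tail still calls `key_krb5_to_lucid(&kout, out)` for both sub-paths, but on the `HAVE_KRB5INT_DERIVE_KEY` path the previous hunk passes `&key_out` to `krb5int_derive_key`, and in the MIT sources I know that function returns the derived key by assigning `*outkey` and leaves `kout` untouched - so the caller would get a buffer that was never derived; confirm against the linked libk5crypto. The added `#if HAVE_KRB5INT_DERIVE_KEY` block also frees only `kcontext`, never the `krb5_key` objects, so derived key material stays on the heap. I would copy from `key_out->keyblock` with an explicit bounded memcpy rather than via `key_krb5_to_lucid`, whose MIT branch is cut off in the earlier hunk and may alias `contents` instead of copying (its Heimdal branch, right below, is followed by `krb5_free_keyblock`, so aliasing there would already dangle); `KRB5_BAD_KEYSIZE` below can be swapped for whichever error the file already reports on a length mismatch.
```c
#ifdef HAVE_KRB5
#if HAVE_KRB5INT_DERIVE_KEY
	/* krb5int_derive_key returned the result in key_out, not in kout */
	if (key_out->keyblock.length == out->length) {
		memcpy(out->data, key_out->keyblock.contents, out->length);
	} else {
		free(out->data);
		out->data = NULL;
		code = KRB5_BAD_KEYSIZE;
	}
	krb5_k_free_key(kcontext, key_out);
	krb5_free_context(kcontext);
#else
	key_krb5_to_lucid(&kout, out);
#endif /* HAVE_KRB5INT_DERIVE_KEY */
#else /* !defined(HAVE_KRB5) */
	/* ... unchanged: Heimdal copy/free and the out: label ... */
```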
@@ -389,7 +430,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
 if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
 /* Protocol 0 here implies DES3 or RC4 */
- printerr(2, "%s: protocol %d\n", __FUNCTION__, lctx->protocol);
+ printerr(3, "protocol %d\n", lctx->protocol);
 if (lctx->protocol == 0) {
 enctype = lctx->rfc1964_kd.ctx_key.type;
 #ifdef HAVE_HEIMDAL
@@ -417,8 +458,8 @@ prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
 }
 numkeys = 3;
 }
- printerr(2, "%s: serializing %d keys with enctype %d and size %d\n",
- __FUNCTION__, numkeys, enctype, keysize);
+ printerr(3, "serializing %d keys with enctype %d and size %d\n",
+ numkeys, enctype, keysize);
 if (WRITE_BYTES(&p, end, enctype)) goto out_err;
 if (WRITE_BYTES(&p, end, keysize)) goto out_err;
 if (WRITE_BYTES(&p, end, numkeys)) goto out_err;
@@ -542,7 +583,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
 gss_krb5_lucid_context_v1_t *lctx = 0;
 int retcode = 0;
- printerr(2, "DEBUG: %s: lucid version!\n", __FUNCTION__);
+ printerr(3, "lucid version!\n");
 maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx, 1, &return_ctx);
 if (maj_stat != GSS_S_COMPLETE) {