LU-2384 kerberos: Support for MIT-kerberos >=1.8.X is broken

[fs/lustre-release.git] / lustre / utils / gss / context_lucid.c

diff --git a/lustre/utils/gss/context_lucid.c b/lustre/utils/gss/context_lucid.c
index 6c5e672..f64f49b 100644 (file)
--- a/lustre/utils/gss/context_lucid.c
+++ b/lustre/utils/gss/context_lucid.c
@@ -208,7 +208,15 @@ extern void krb5int_enc_arcfour;
 extern void krb5int_enc_des3;
 extern void krb5int_enc_aes128;
 extern void krb5int_enc_aes256;
-extern int krb5_derive_key();
+#if HAVE_KRB5INT_DERIVE_KEY
+/* Taken from crypto_int.h */
+enum deriv_alg {
+       DERIVE_RFC3961,         /* RFC 3961 section 5.1 */
+#ifdef CAMELLIA
+       DERIVE_SP800_108_CMAC,  /* NIST SP 800-108 with CMAC as PRF */
+#endif
+};
+#endif  /* HAVE_KRB5INT_DERIVE_KEY */
 
 static void
 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
@@ -257,8 +265,13 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
        int keylength;
        void *enc;
        krb5_keyblock kin, kout;  /* must send krb5_keyblock, not lucid! */
-#ifdef HAVE_HEIMDAL
+#if defined(HAVE_HEIMDAL) || HAVE_KRB5INT_DERIVE_KEY
        krb5_context kcontext;
+#endif
+#if HAVE_KRB5INT_DERIVE_KEY
+       krb5_key key_in, key_out;
+#endif
+#ifdef HAVE_HEIMDAL
        krb5_keyblock *outkey;
 #endif
 
@@ -316,12 +329,35 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
        ((char *)(datain.data))[4] = (char) extra;
 
 #ifdef HAVE_KRB5
+#if HAVE_KRB5INT_DERIVE_KEY
+       code = krb5_init_context(&kcontext);
+       if (code) {
+               free(out->data);
+               out->data = NULL;
+               goto out;
+       }
+       code = krb5_k_create_key(kcontext, &kin, &key_in);
+       if (code) {
+               free(out->data);
+               out->data = NULL;
+               goto out;
+       }
+       code = krb5_k_create_key(kcontext, &kout, &key_out);
+       if (code) {
+               free(out->data);
+               out->data = NULL;
+               goto out;
+       }
+       code = krb5int_derive_key(enc, key_in, &key_out, &datain,
+                                 DERIVE_RFC3961);
+#else  /* !HAVE_KRB5INT_DERIVE_KEY */
        code = krb5_derive_key(enc, &kin, &kout, &datain);
-#else
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
+#else  /* !defined(HAVE_KRB5) */
        if ((code = krb5_init_context(&kcontext))) {
        }
        code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
-#endif
+#endif /* defined(HAVE_KRB5) */
        if (code) {
                free(out->data);
                out->data = NULL;
@@ -329,14 +365,17 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
        }
 #ifdef HAVE_KRB5
        key_krb5_to_lucid(&kout, out);
-#else
+#if HAVE_KRB5INT_DERIVE_KEY
+       krb5_free_context(kcontext);
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
+#else  /* !defined(HAVE_KRB5) */
        key_krb5_to_lucid(outkey, out);
        krb5_free_keyblock(kcontext, outkey);
        krb5_free_context(kcontext);
-#endif
+#endif /* defined(HAVE_KRB5) */
 
   out:
-       if (code)
+       if (code)
                printerr(0, "ERROR: %s: returning error %d (%s)\n",
                         __FUNCTION__, code, error_message(code));
        return (code);