2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gsskrb5_locl.h"
37 * copy the addresses from `input_chan_bindings' (if any) to
38 * the auth context `ac'
42 set_addresses (krb5_context context
,
44 const gss_channel_bindings_t input_chan_bindings
)
46 /* Port numbers are expected to be in application_data.value,
47 * initator's port first */
49 krb5_address initiator_addr
, acceptor_addr
;
52 if (input_chan_bindings
== GSS_C_NO_CHANNEL_BINDINGS
53 || input_chan_bindings
->application_data
.length
!=
54 2 * sizeof(ac
->local_port
))
57 memset(&initiator_addr
, 0, sizeof(initiator_addr
));
58 memset(&acceptor_addr
, 0, sizeof(acceptor_addr
));
61 *(int16_t *) input_chan_bindings
->application_data
.value
;
64 *((int16_t *) input_chan_bindings
->application_data
.value
+ 1);
66 kret
= _gsskrb5i_address_to_krb5addr(context
,
67 input_chan_bindings
->acceptor_addrtype
,
68 &input_chan_bindings
->acceptor_address
,
74 kret
= _gsskrb5i_address_to_krb5addr(context
,
75 input_chan_bindings
->initiator_addrtype
,
76 &input_chan_bindings
->initiator_address
,
80 krb5_free_address (context
, &acceptor_addr
);
84 kret
= krb5_auth_con_setaddrs(context
,
86 &initiator_addr
, /* local address */
87 &acceptor_addr
); /* remote address */
89 krb5_free_address (context
, &initiator_addr
);
90 krb5_free_address (context
, &acceptor_addr
);
93 free(input_chan_bindings
->application_data
.value
);
94 input_chan_bindings
->application_data
.value
= NULL
;
95 input_chan_bindings
->application_data
.length
= 0;
103 OM_uint32
* minor_status
,
104 gss_ctx_id_t
* context_handle
,
105 krb5_context context
,
106 const gss_channel_bindings_t input_chan_bindings
,
107 enum gss_ctx_id_t_state state
)
109 krb5_error_code kret
;
112 *context_handle
= NULL
;
114 ctx
= malloc(sizeof(*ctx
));
116 *minor_status
= ENOMEM
;
117 return GSS_S_FAILURE
;
119 ctx
->auth_context
= NULL
;
120 ctx
->deleg_auth_context
= NULL
;
128 ctx
->service_keyblock
= NULL
;
130 krb5_data_zero(&ctx
->fwd_data
);
131 ctx
->lifetime
= GSS_C_INDEFINITE
;
134 HEIMDAL_MUTEX_init(&ctx
->ctx_id_mutex
);
136 kret
= krb5_auth_con_init (context
, &ctx
->auth_context
);
138 *minor_status
= kret
;
139 HEIMDAL_MUTEX_destroy(&ctx
->ctx_id_mutex
);
140 return GSS_S_FAILURE
;
143 kret
= krb5_auth_con_init (context
, &ctx
->deleg_auth_context
);
145 *minor_status
= kret
;
146 krb5_auth_con_free(context
, ctx
->auth_context
);
147 HEIMDAL_MUTEX_destroy(&ctx
->ctx_id_mutex
);
148 return GSS_S_FAILURE
;
151 kret
= set_addresses(context
, ctx
->auth_context
, input_chan_bindings
);
153 *minor_status
= kret
;
155 krb5_auth_con_free(context
, ctx
->auth_context
);
156 krb5_auth_con_free(context
, ctx
->deleg_auth_context
);
158 HEIMDAL_MUTEX_destroy(&ctx
->ctx_id_mutex
);
160 return GSS_S_BAD_BINDINGS
;
163 kret
= set_addresses(context
, ctx
->deleg_auth_context
, input_chan_bindings
);
165 *minor_status
= kret
;
167 krb5_auth_con_free(context
, ctx
->auth_context
);
168 krb5_auth_con_free(context
, ctx
->deleg_auth_context
);
170 HEIMDAL_MUTEX_destroy(&ctx
->ctx_id_mutex
);
172 return GSS_S_BAD_BINDINGS
;
176 * We need a sequence number
179 krb5_auth_con_addflags(context
,
181 KRB5_AUTH_CONTEXT_DO_SEQUENCE
|
182 KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
,
186 * We need a sequence number
189 krb5_auth_con_addflags(context
,
190 ctx
->deleg_auth_context
,
191 KRB5_AUTH_CONTEXT_DO_SEQUENCE
|
192 KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
,
195 *context_handle
= (gss_ctx_id_t
)ctx
;
197 return GSS_S_COMPLETE
;
203 OM_uint32
* minor_status
,
204 krb5_context context
,
207 gss_const_name_t target_name
,
210 OM_uint32
* time_rec
)
213 krb5_error_code kret
;
214 krb5_creds this_cred
;
215 OM_uint32 lifetime_rec
;
218 krb5_free_principal(context
, ctx
->target
);
222 krb5_free_creds(context
, ctx
->kcred
);
226 ret
= _gsskrb5_canon_name(minor_status
, context
, use_dns
,
227 ctx
->source
, target_name
, &ctx
->target
);
231 memset(&this_cred
, 0, sizeof(this_cred
));
232 this_cred
.client
= ctx
->source
;
233 this_cred
.server
= ctx
->target
;
235 if (time_req
&& time_req
!= GSS_C_INDEFINITE
) {
238 krb5_timeofday (context
, &ts
);
239 this_cred
.times
.endtime
= ts
+ time_req
;
241 this_cred
.times
.endtime
= 0;
244 this_cred
.session
.keytype
= KEYTYPE_NULL
;
246 kret
= krb5_get_credentials(context
,
252 *minor_status
= kret
;
253 return GSS_S_FAILURE
;
256 ctx
->lifetime
= ctx
->kcred
->times
.endtime
;
258 ret
= _gsskrb5_lifetime_left(minor_status
, context
,
259 ctx
->lifetime
, &lifetime_rec
);
262 if (lifetime_rec
== 0) {
264 return GSS_S_CONTEXT_EXPIRED
;
267 if (time_rec
) *time_rec
= lifetime_rec
;
269 return GSS_S_COMPLETE
;
273 gsskrb5_initiator_ready(
274 OM_uint32
* minor_status
,
276 krb5_context context
)
281 OM_uint32 flags
= ctx
->flags
;
283 krb5_free_creds(context
, ctx
->kcred
);
286 if (ctx
->more_flags
& CLOSE_CCACHE
)
287 krb5_cc_close(context
, ctx
->ccache
);
290 krb5_auth_con_getremoteseqnumber (context
, ctx
->auth_context
, &seq_number
);
292 _gsskrb5i_is_cfx(context
, ctx
, 0);
293 is_cfx
= (ctx
->more_flags
& IS_CFX
);
295 ret
= _gssapi_msg_order_create(minor_status
,
297 _gssapi_msg_order_f(flags
),
298 seq_number
, 0, is_cfx
);
301 ctx
->state
= INITIATOR_READY
;
302 ctx
->more_flags
|= OPEN
;
304 return GSS_S_COMPLETE
;
308 * handle delegated creds in init-sec-context
312 do_delegation (krb5_context context
,
313 krb5_auth_context ac
,
316 krb5_const_principal name
,
322 KDCOptions fwd_flags
;
323 krb5_error_code kret
;
325 memset (&creds
, 0, sizeof(creds
));
326 krb5_data_zero (fwd_data
);
328 kret
= krb5_cc_get_principal(context
, ccache
, &creds
.client
);
332 kret
= krb5_make_principal(context
,
341 creds
.times
.endtime
= 0;
343 memset(&fwd_flags
, 0, sizeof(fwd_flags
));
344 fwd_flags
.forwarded
= 1;
345 fwd_flags
.forwardable
= 1;
347 if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/
348 name
->name
.name_string
.len
< 2)
351 kret
= krb5_get_forwarded_creds(context
,
354 KDCOptions2int(fwd_flags
),
355 name
->name
.name_string
.val
[1],
366 krb5_free_principal(context
, creds
.client
);
368 krb5_free_principal(context
, creds
.server
);
372 * first stage of init-sec-context
377 (OM_uint32
* minor_status
,
380 krb5_context context
,
381 gss_const_name_t name
,
382 const gss_OID mech_type
,
385 const gss_buffer_t input_token
,
386 gss_OID
* actual_mech_type
,
387 gss_buffer_t output_token
,
388 OM_uint32
* ret_flags
,
392 OM_uint32 ret
= GSS_S_FAILURE
;
393 krb5_error_code kret
;
396 OM_uint32 lifetime_rec
;
399 krb5_data_zero(&outbuf
);
400 krb5_data_zero(&fwd_data
);
404 if (actual_mech_type
)
405 *actual_mech_type
= GSS_KRB5_MECHANISM
;
408 kret
= krb5_cc_default (context
, &ctx
->ccache
);
410 *minor_status
= kret
;
414 ctx
->more_flags
|= CLOSE_CCACHE
;
416 ctx
->ccache
= cred
->ccache
;
418 kret
= krb5_cc_get_principal (context
, ctx
->ccache
, &ctx
->source
);
420 *minor_status
= kret
;
426 * This is hideous glue for (NFS) clients that wants to limit the
427 * available enctypes to what it can support (encryption in
428 * kernel). If there is no enctypes selected for this credential,
429 * reset it to the default set of enctypes.
432 krb5_enctype
*enctypes
= NULL
;
434 if (cred
&& cred
->enctypes
)
435 enctypes
= cred
->enctypes
;
436 krb5_set_default_in_tkt_etypes(context
, enctypes
);
439 /* canon name if needed for client + target realm */
440 kret
= krb5_cc_get_config(context
, ctx
->ccache
, NULL
,
441 "realm-config", &outbuf
);
443 /* XXX 2 is no server canon */
444 if (outbuf
.length
< 1 || ((((unsigned char *)outbuf
.data
)[0]) & 2))
446 krb5_data_free(&outbuf
);
450 * First we try w/o dns, hope that the KDC have register alias
451 * (and referrals if cross realm) for this principal. If that
452 * fails and if we are allowed to using this realm try again with
453 * DNS canonicalizion.
455 ret
= gsskrb5_get_creds(minor_status
, context
, ctx
->ccache
,
456 ctx
, name
, 0, time_req
,
458 if (ret
&& allow_dns
)
459 ret
= gsskrb5_get_creds(minor_status
, context
, ctx
->ccache
,
460 ctx
, name
, 1, time_req
,
465 ctx
->lifetime
= ctx
->kcred
->times
.endtime
;
467 ret
= _gss_DES3_get_mic_compat(minor_status
, ctx
, context
);
471 ret
= _gsskrb5_lifetime_left(minor_status
,
478 if (lifetime_rec
== 0) {
480 ret
= GSS_S_CONTEXT_EXPIRED
;
484 krb5_auth_con_setkey(context
,
486 &ctx
->kcred
->session
);
488 kret
= krb5_auth_con_generatelocalsubkey(context
,
490 &ctx
->kcred
->session
);
492 *minor_status
= kret
;
497 return GSS_S_COMPLETE
;
500 if (ctx
->ccache
&& (ctx
->more_flags
& CLOSE_CCACHE
))
501 krb5_cc_close(context
, ctx
->ccache
);
510 (OM_uint32
* minor_status
,
513 krb5_context context
,
515 const gss_channel_bindings_t input_chan_bindings
,
516 const gss_buffer_t input_token
,
517 gss_OID
* actual_mech_type
,
518 gss_buffer_t output_token
,
519 OM_uint32
* ret_flags
,
523 OM_uint32 ret
= GSS_S_FAILURE
;
524 krb5_error_code kret
;
525 krb5_flags ap_options
;
528 krb5_data authenticator
;
530 krb5_enctype enctype
;
531 krb5_data fwd_data
, timedata
;
532 int32_t offset
= 0, oldoffset
= 0;
535 krb5_data_zero(&outbuf
);
536 krb5_data_zero(&fwd_data
);
541 * If the credential doesn't have ok-as-delegate, check if there
542 * is a realm setting and use that.
544 if (!ctx
->kcred
->flags
.b
.ok_as_delegate
) {
547 ret
= krb5_cc_get_config(context
, ctx
->ccache
, NULL
,
548 "realm-config", &data
);
550 /* XXX 1 is use ok-as-delegate */
551 if (data
.length
< 1 || ((((unsigned char *)data
.data
)[0]) & 1) == 0)
552 req_flags
&= ~(GSS_C_DELEG_FLAG
|GSS_C_DELEG_POLICY_FLAG
);
553 krb5_data_free(&data
);
559 /* if we used GSS_C_DELEG_POLICY_FLAG, trust KDC */
560 if ((req_flags
& GSS_C_DELEG_POLICY_FLAG
)
561 && ctx
->kcred
->flags
.b
.ok_as_delegate
)
562 flagmask
|= GSS_C_DELEG_FLAG
| GSS_C_DELEG_POLICY_FLAG
;
563 /* if there still is a GSS_C_DELEG_FLAG, use that */
564 if (req_flags
& GSS_C_DELEG_FLAG
)
565 flagmask
|= GSS_C_DELEG_FLAG
;
570 if (flagmask
& GSS_C_DELEG_FLAG
) {
571 do_delegation (context
,
572 ctx
->deleg_auth_context
,
573 ctx
->ccache
, ctx
->kcred
, ctx
->target
,
574 &fwd_data
, flagmask
, &flags
);
577 if (req_flags
& GSS_C_MUTUAL_FLAG
) {
578 flags
|= GSS_C_MUTUAL_FLAG
;
579 ap_options
|= AP_OPTS_MUTUAL_REQUIRED
;
582 if (req_flags
& GSS_C_REPLAY_FLAG
)
583 flags
|= GSS_C_REPLAY_FLAG
;
584 if (req_flags
& GSS_C_SEQUENCE_FLAG
)
585 flags
|= GSS_C_SEQUENCE_FLAG
;
587 if (req_flags
& GSS_C_ANON_FLAG
)
590 if (req_flags
& GSS_C_DCE_STYLE
) {
591 /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
592 flags
|= GSS_C_DCE_STYLE
| GSS_C_MUTUAL_FLAG
;
593 ap_options
|= AP_OPTS_MUTUAL_REQUIRED
;
595 if (req_flags
& GSS_C_IDENTIFY_FLAG
)
596 flags
|= GSS_C_IDENTIFY_FLAG
;
597 if (req_flags
& GSS_C_EXTENDED_ERROR_FLAG
)
598 flags
|= GSS_C_EXTENDED_ERROR_FLAG
;
600 if (req_flags
& GSS_C_CONF_FLAG
) {
601 flags
|= GSS_C_CONF_FLAG
;
603 if (req_flags
& GSS_C_INTEG_FLAG
) {
604 flags
|= GSS_C_INTEG_FLAG
;
606 if (cred
== NULL
|| !(cred
->cred_flags
& GSS_CF_NO_CI_FLAGS
)) {
607 flags
|= GSS_C_CONF_FLAG
;
608 flags
|= GSS_C_INTEG_FLAG
;
610 flags
|= GSS_C_TRANS_FLAG
;
615 ctx
->more_flags
|= LOCAL
;
617 ret
= _gsskrb5_create_8003_checksum (minor_status
,
622 krb5_data_free (&fwd_data
);
626 enctype
= ctx
->auth_context
->keyblock
->keytype
;
628 ret
= krb5_cc_get_config(context
, ctx
->ccache
, ctx
->target
,
629 "time-offset", &timedata
);
631 if (timedata
.length
== 4) {
632 const u_char
*p
= timedata
.data
;
633 offset
= (p
[0] <<24) | (p
[1] << 16) | (p
[2] << 8) | (p
[3] << 0);
635 krb5_data_free(&timedata
);
639 krb5_get_kdc_sec_offset (context
, &oldoffset
, NULL
);
640 krb5_set_kdc_sec_offset (context
, offset
, -1);
643 kret
= _krb5_build_authenticator(context
,
649 KRB5_KU_AP_REQ_AUTH
);
653 krb5_set_kdc_sec_offset (context
, oldoffset
, -1);
654 *minor_status
= kret
;
659 kret
= krb5_build_ap_req (context
,
666 krb5_set_kdc_sec_offset (context
, oldoffset
, -1);
668 *minor_status
= kret
;
673 if (flags
& GSS_C_DCE_STYLE
) {
674 output_token
->value
= outbuf
.data
;
675 output_token
->length
= outbuf
.length
;
677 ret
= _gsskrb5_encapsulate (minor_status
, &outbuf
, output_token
,
678 (u_char
*)(intptr_t)"\x01\x00",
680 krb5_data_free (&outbuf
);
685 free_Checksum(&cksum
);
687 if (flags
& GSS_C_MUTUAL_FLAG
) {
688 ctx
->state
= INITIATOR_WAIT_FOR_MUTAL
;
689 return GSS_S_CONTINUE_NEEDED
;
692 return gsskrb5_initiator_ready(minor_status
, ctx
, context
);
694 if (ctx
->ccache
&& (ctx
->more_flags
& CLOSE_CCACHE
))
695 krb5_cc_close(context
, ctx
->ccache
);
701 static krb5_error_code
702 handle_error_packet(krb5_context context
,
706 krb5_error_code kret
;
709 kret
= krb5_rd_error(context
, &indata
, &error
);
711 kret
= krb5_error_from_rd_error(context
, &error
, NULL
);
713 /* save the time skrew for this host */
714 if (kret
== KRB5KRB_AP_ERR_SKEW
) {
717 int32_t t
= error
.stime
- time(NULL
);
719 p
[0] = (t
>> 24) & 0xFF;
720 p
[1] = (t
>> 16) & 0xFF;
721 p
[2] = (t
>> 8) & 0xFF;
722 p
[3] = (t
>> 0) & 0xFF;
725 timedata
.length
= sizeof(p
);
727 krb5_cc_set_config(context
, ctx
->ccache
, ctx
->target
,
728 "time-offset", &timedata
);
730 if ((ctx
->more_flags
& RETRIED
) == 0)
731 ctx
->state
= INITIATOR_RESTART
;
732 ctx
->more_flags
|= RETRIED
;
734 free_KRB_ERROR (&error
);
742 (OM_uint32
* minor_status
,
744 krb5_context context
,
745 const gss_OID mech_type
,
748 const gss_channel_bindings_t input_chan_bindings
,
749 const gss_buffer_t input_token
,
750 gss_OID
* actual_mech_type
,
751 gss_buffer_t output_token
,
752 OM_uint32
* ret_flags
,
757 krb5_error_code kret
;
759 krb5_ap_rep_enc_part
*repl
;
761 output_token
->length
= 0;
762 output_token
->value
= NULL
;
764 if (actual_mech_type
)
765 *actual_mech_type
= GSS_KRB5_MECHANISM
;
767 if (IS_DCE_STYLE(ctx
)) {
768 /* There is no OID wrapping. */
769 indata
.length
= input_token
->length
;
770 indata
.data
= input_token
->value
;
771 kret
= krb5_rd_rep(context
,
776 ret
= _gsskrb5_decapsulate(minor_status
,
781 if (ret
== GSS_S_COMPLETE
) {
782 *minor_status
= handle_error_packet(context
, ctx
, indata
);
784 *minor_status
= kret
;
786 return GSS_S_FAILURE
;
789 ret
= _gsskrb5_decapsulate (minor_status
,
794 if (ret
== GSS_S_DEFECTIVE_TOKEN
) {
795 /* check if there is an error token sent instead */
796 ret
= _gsskrb5_decapsulate (minor_status
,
801 if (ret
== GSS_S_COMPLETE
) {
802 *minor_status
= handle_error_packet(context
, ctx
, indata
);
803 return GSS_S_FAILURE
;
806 kret
= krb5_rd_rep (context
,
811 *minor_status
= kret
;
812 return GSS_S_FAILURE
;
816 krb5_free_ap_rep_enc_part (context
,
821 ret
= _gsskrb5_lifetime_left(minor_status
,
826 ret
= GSS_S_COMPLETE
;
829 *ret_flags
= ctx
->flags
;
831 if (req_flags
& GSS_C_DCE_STYLE
) {
832 int32_t local_seq
, remote_seq
;
836 * So DCE_STYLE is strange. The client echos the seq number
837 * that the server used in the server's mk_rep in its own
838 * mk_rep(). After when done, it resets to it's own seq number
839 * for the gss_wrap calls.
842 krb5_auth_con_getremoteseqnumber(context
, ctx
->auth_context
, &remote_seq
);
843 krb5_auth_con_getlocalseqnumber(context
, ctx
->auth_context
, &local_seq
);
844 krb5_auth_con_setlocalseqnumber(context
, ctx
->auth_context
, remote_seq
);
846 kret
= krb5_mk_rep(context
, ctx
->auth_context
, &outbuf
);
848 *minor_status
= kret
;
849 return GSS_S_FAILURE
;
852 /* reset local seq number */
853 krb5_auth_con_setlocalseqnumber(context
, ctx
->auth_context
, local_seq
);
855 output_token
->length
= outbuf
.length
;
856 output_token
->value
= outbuf
.data
;
859 return gsskrb5_initiator_ready(minor_status
, ctx
, context
);
863 * gss_init_sec_context
866 OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
867 (OM_uint32
* minor_status
,
868 gss_const_cred_id_t cred_handle
,
869 gss_ctx_id_t
* context_handle
,
870 gss_const_name_t target_name
,
871 const gss_OID mech_type
,
874 const gss_channel_bindings_t input_chan_bindings
,
875 const gss_buffer_t input_token
,
876 gss_OID
* actual_mech_type
,
877 gss_buffer_t output_token
,
878 OM_uint32
* ret_flags
,
882 krb5_context context
;
883 gsskrb5_cred cred
= (gsskrb5_cred
)cred_handle
;
887 GSSAPI_KRB5_INIT (&context
);
889 output_token
->length
= 0;
890 output_token
->value
= NULL
;
892 if (context_handle
== NULL
) {
894 return GSS_S_FAILURE
| GSS_S_CALL_BAD_STRUCTURE
;
902 if (target_name
== GSS_C_NO_NAME
) {
903 if (actual_mech_type
)
904 *actual_mech_type
= GSS_C_NO_OID
;
906 return GSS_S_BAD_NAME
;
909 if (mech_type
!= GSS_C_NO_OID
&&
910 !gss_oid_equal(mech_type
, GSS_KRB5_MECHANISM
))
911 return GSS_S_BAD_MECH
;
913 if (input_token
== GSS_C_NO_BUFFER
|| input_token
->length
== 0) {
916 if (*context_handle
!= GSS_C_NO_CONTEXT
) {
918 return GSS_S_FAILURE
| GSS_S_CALL_BAD_STRUCTURE
;
921 ret1
= _gsskrb5_create_ctx(minor_status
,
930 if (*context_handle
== GSS_C_NO_CONTEXT
) {
932 return GSS_S_FAILURE
| GSS_S_CALL_BAD_STRUCTURE
;
935 ctx
= (gsskrb5_ctx
) *context_handle
;
937 HEIMDAL_MUTEX_lock(&ctx
->ctx_id_mutex
);
940 switch (ctx
->state
) {
941 case INITIATOR_START
:
942 ret
= init_auth(minor_status
,
955 if (ret
!= GSS_S_COMPLETE
)
958 case INITIATOR_RESTART
:
959 ret
= init_auth_restart(minor_status
,
971 case INITIATOR_WAIT_FOR_MUTAL
:
972 ret
= repl_mutual(minor_status
,
984 if (ctx
->state
== INITIATOR_RESTART
)
987 case INITIATOR_READY
:
989 * If we get there, the caller have called
990 * gss_init_sec_context() one time too many.
992 _gsskrb5_set_status(EINVAL
, "init_sec_context "
993 "called one time too many");
994 *minor_status
= EINVAL
;
995 ret
= GSS_S_BAD_STATUS
;
998 _gsskrb5_set_status(EINVAL
, "init_sec_context "
999 "invalid state %d for client",
1001 *minor_status
= EINVAL
;
1002 ret
= GSS_S_BAD_STATUS
;
1005 HEIMDAL_MUTEX_unlock(&ctx
->ctx_id_mutex
);
1007 /* destroy context in case of error */
1008 if (GSS_ERROR(ret
)) {
1010 _gsskrb5_delete_sec_context(&min2
, context_handle
, GSS_C_NO_BUFFER
);