]> git.ipfire.org Git - thirdparty/krb5.git/commitdiff
projects / thirdparty / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2e333c5)
Change the krb5_keyblocks in the libkrb5 auth context to krb5_keys,
authorGreg Hudson <ghudson@mit.edu>
Thu, 8 Oct 2009 14:39:24 +0000 (14:39 +0000)
committerGreg Hudson <ghudson@mit.edu>
Thu, 8 Oct 2009 14:39:24 +0000 (14:39 +0000)
and use krb5_k functions to encrypt and decrypt with them.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/enc-perf@22870 dc483132-0cff-0310-8789-dd5450dbe970

15 files changed:
src/include/k5-int.h patch | blob | blame | history
src/lib/krb5/krb/auth_con.c patch | blob | blame | history
src/lib/krb5/krb/auth_con.h patch | blob | blame | history
src/lib/krb5/krb/enc_helper.c patch | blob | blame | history
src/lib/krb5/krb/mk_cred.c patch | blob | blame | history
src/lib/krb5/krb/mk_priv.c patch | blob | blame | history
src/lib/krb5/krb/mk_rep.c patch | blob | blame | history
src/lib/krb5/krb/mk_req_ext.c patch | blob | blame | history
src/lib/krb5/krb/mk_safe.c patch | blob | blame | history
src/lib/krb5/krb/rd_cred.c patch | blob | blame | history
src/lib/krb5/krb/rd_priv.c patch | blob | blame | history
src/lib/krb5/krb/rd_rep.c patch | blob | blame | history
src/lib/krb5/krb/rd_req_dec.c patch | blob | blame | history
src/lib/krb5/krb/rd_safe.c patch | blob | blame | history
src/lib/krb5/krb/ser_actx.c patch | blob | blame | history

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index f30ac9b5e278b924448f30dadeba80ee26bddf44..22824c156c5b42041ad938840590a80e103b47e7 100644 (file)
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -871,6 +871,11 @@ krb5_error_code krb5_encrypt_helper
                krb5_keyusage keyusage, const krb5_data *plain,
                krb5_enc_data *cipher);
 
+krb5_error_code krb5_encrypt_keyhelper
+(krb5_context context, krb5_key key,
+               krb5_keyusage keyusage, const krb5_data *plain,
+               krb5_enc_data *cipher);
+
 /*
  * End "los-proto.h"
  */
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index 41a2578e0a8afdb643678d18fadf5f2bde66ee67..a3e1935704d753500f9613667c4a780768cb6d90 100644 (file)
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -56,12 +56,12 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
        krb5_free_address(context, auth_context->remote_port);
     if (auth_context->authentp) 
        krb5_free_authenticator(context, auth_context->authentp);
-    if (auth_context->keyblock) 
-       krb5_free_keyblock(context, auth_context->keyblock);
+    if (auth_context->key)
+       krb5_k_free_key(context, auth_context->key);
     if (auth_context->send_subkey) 
-       krb5_free_keyblock(context, auth_context->send_subkey);
+       krb5_k_free_key(context, auth_context->send_subkey);
     if (auth_context->recv_subkey) 
-       krb5_free_keyblock(context, auth_context->recv_subkey);
+       krb5_k_free_key(context, auth_context->recv_subkey);
     if (auth_context->rcache)
        krb5_rc_close(context, auth_context->rcache);
     if (auth_context->permitted_etypes)
@@ -158,16 +158,16 @@ krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock)
 {
-    if (auth_context->keyblock)
-       krb5_free_keyblock(context, auth_context->keyblock);
-    return(krb5_copy_keyblock(context, keyblock, &(auth_context->keyblock)));
+    if (auth_context->key)
+       krb5_k_free_key(context, auth_context->key);
+    return(krb5_k_create_key(context, keyblock, &(auth_context->key)));
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
 {
-    if (auth_context->keyblock)
-       return krb5_copy_keyblock(context, auth_context->keyblock, keyblock);
+    if (auth_context->key)
+       return krb5_k_key_keyblock(context, auth_context->key, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -188,10 +188,10 @@ krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
 {
     if (ac->send_subkey != NULL)
-       krb5_free_keyblock(ctx, ac->send_subkey);
+       krb5_k_free_key(ctx, ac->send_subkey);
     ac->send_subkey = NULL;
     if (keyblock !=NULL)
-       return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey);
+       return krb5_k_create_key(ctx, keyblock, &ac->send_subkey);
     else
        return 0;
 }
@@ -200,10 +200,10 @@ krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
 {
     if (ac->recv_subkey != NULL)
-       krb5_free_keyblock(ctx, ac->recv_subkey);
+       krb5_k_free_key(ctx, ac->recv_subkey);
     ac->recv_subkey = NULL;
     if (keyblock != NULL)
-       return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey);
+       return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey);
     else
        return 0;
 }
@@ -212,7 +212,7 @@ krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
 {
     if (ac->send_subkey != NULL)
-       return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock);
+       return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -221,7 +221,7 @@ krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
 {
     if (ac->recv_subkey != NULL)
-       return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock);
+       return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -266,12 +266,13 @@ krb5_error_code KRB5_CALLCONV
 krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)
 {
     krb5_error_code ret;
+    krb5_enctype enctype;
 
-    if (auth_context->keyblock) {
+    if (auth_context->key) {
        size_t blocksize;
 
-       if ((ret = krb5_c_block_size(context, auth_context->keyblock->enctype,
-                                   &blocksize)))
+       enctype = krb5_k_key_enctype(context, auth_context->key);
+       if ((ret = krb5_c_block_size(context, enctype, &blocksize)))
            return(ret);
        if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) {
            return 0;
diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h
index be63bedbf44eca00bef4540d1bbdd34f182f4316..8c3e4a2a3ac26fd38777a42414441ac6d9378def 100644 (file)
--- a/src/lib/krb5/krb/auth_con.h
+++ b/src/lib/krb5/krb/auth_con.h
@@ -8,9 +8,9 @@ struct _krb5_auth_context {
     krb5_address      *        remote_port;
     krb5_address      *        local_addr;
     krb5_address      *        local_port;
-    krb5_keyblock     * keyblock;
-    krb5_keyblock     * send_subkey;
-    krb5_keyblock     * recv_subkey;
+    krb5_key            key;
+    krb5_key            send_subkey;
+    krb5_key            recv_subkey;
 
     krb5_int32         auth_context_flags;
     krb5_ui_4          remote_seq_number;
diff --git a/src/lib/krb5/krb/enc_helper.c b/src/lib/krb5/krb/enc_helper.c
index 63e3495da5ca79e7d449e4830d41e6b9bf6e184d..0e14d8ccf46616580dd4cdc3a7a657970f1565c8 100644 (file)
--- a/src/lib/krb5/krb/enc_helper.c
+++ b/src/lib/krb5/krb/enc_helper.c
@@ -48,3 +48,28 @@ krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key, krb5_keyusag
     return(ret);
 }
        
+krb5_error_code
+krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
+                      const krb5_data *plain, krb5_enc_data *cipher)
+{
+    krb5_enctype enctype;
+    krb5_error_code ret;
+    size_t enclen;
+
+    enctype = krb5_k_key_enctype(context, key);
+    ret = krb5_c_encrypt_length(context, enctype, plain->length, &enclen);
+    if (ret != 0)
+       return ret;
+
+    cipher->ciphertext.length = enclen;
+    cipher->ciphertext.data = malloc(enclen);
+    if (cipher->ciphertext.data == NULL)
+       return ENOMEM;
+    ret = krb5_k_encrypt(context, key, usage, 0, plain, cipher);
+    if (ret) {
+       free(cipher->ciphertext.data);
+       cipher->ciphertext.data = NULL;
+    }
+
+    return ret;
+}
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index f17a1485830a1bf8ec2d9347554661d9d9e87553..6ce0e354e5d9b5ec52d0f425d335a934bd92c650 100644 (file)
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -22,7 +22,7 @@
  */
 static krb5_error_code 
 encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
-                   krb5_keyblock *pkeyblock, krb5_enc_data *pencdata)
+                   krb5_key pkey, krb5_enc_data *pencdata)
 {
     krb5_error_code      retval;
     krb5_data          * scratch;
@@ -35,7 +35,7 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
      * If the keyblock is NULL, just copy the data from the encoded
      * data to the ciphertext area.
      */
-    if (pkeyblock == NULL) {
+    if (pkey == NULL) {
            pencdata->ciphertext.data = scratch->data;
            pencdata->ciphertext.length = scratch->length;
            free(scratch);
@@ -43,9 +43,9 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
     }
 
     /* call the encryption routine */
-    retval = krb5_encrypt_helper(context, pkeyblock,
-                                KRB5_KEYUSAGE_KRB_CRED_ENCPART,
-                                scratch, pencdata);
+    retval = krb5_encrypt_keyhelper(context, pkey,
+                                   KRB5_KEYUSAGE_KRB_CRED_ENCPART,
+                                   scratch, pencdata);
 
     if (retval) {
        memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
@@ -65,7 +65,7 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
 static krb5_error_code
 krb5_mk_ncred_basic(krb5_context context,
                    krb5_creds **ppcreds, krb5_int32 nppcreds,
-                   krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+                   krb5_key key, krb5_replay_data *replaydata,
                    krb5_address *local_addr, krb5_address *remote_addr,
                    krb5_cred *pcred)
 {
@@ -134,8 +134,7 @@ krb5_mk_ncred_basic(krb5_context context,
     pcred->tickets[i] = NULL;
 
     /* encrypt the credential encrypted part */
-    retval = encrypt_credencpart(context, &credenc, keyblock,
-                                &pcred->enc_part);
+    retval = encrypt_credencpart(context, &credenc, key, &pcred->enc_part);
 
 cleanup:
     krb5_free_cred_enc_part(context, &credenc);
@@ -158,7 +157,7 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
     krb5_address remote_fulladdr;
     krb5_address local_fulladdr;
     krb5_error_code    retval;
-    krb5_keyblock       * keyblock;
+    krb5_key           key;
     krb5_replay_data    replaydata;
     krb5_cred           * pcred;
     krb5_int32         ncred;
@@ -188,8 +187,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
     }
 
     /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL) 
-       keyblock = auth_context->keyblock;
+    if ((key = auth_context->send_subkey) == NULL)
+       key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -246,7 +245,7 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
     }
 
     /* Setup creds structure */
-    if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, keyblock,
+    if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, key,
                                      &replaydata, plocal_fulladdr, 
                                      premote_fulladdr, pcred))) {
        goto error;
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 30ffec3e191f9ee9b3557fd6896ccbbbd72dd0bc..824bfd507c660efa7fdd69195479d77ca191194b 100644 (file)
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -33,10 +33,11 @@
 
 static krb5_error_code
 krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
-                  const krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+                  krb5_key key, krb5_replay_data *replaydata,
                   krb5_address *local_addr, krb5_address *remote_addr,
                   krb5_pointer i_vector, krb5_data *outbuf)
 {
+    krb5_enctype       enctype = krb5_k_key_enctype(context, key);
     krb5_error_code    retval;
     krb5_priv          privmsg;
     krb5_priv_enc_part         privmsg_enc_part;
@@ -44,7 +45,7 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
     size_t             blocksize, enclen;
 
     privmsg.enc_part.kvno = 0; /* XXX allow user-set? */
-    privmsg.enc_part.enctype = keyblock->enctype; 
+    privmsg.enc_part.enctype = enctype;
 
     privmsg_enc_part.user_data = *userdata;
     privmsg_enc_part.s_address = local_addr;
@@ -60,7 +61,7 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
        return retval;
 
     /* put together an eblock for this encryption */
-    if ((retval = krb5_c_encrypt_length(context, keyblock->enctype,
+    if ((retval = krb5_c_encrypt_length(context, enctype,
                                        scratch1->length, &enclen)))
        goto clean_scratch;
 
@@ -73,15 +74,14 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
 
     /* call the encryption routine */
     if (i_vector) {
-       if ((retval = krb5_c_block_size(context, keyblock->enctype,
-                                       &blocksize)))
+       if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
            goto clean_encpart;
 
        ivdata.length = blocksize;
        ivdata.data = i_vector;
     }
 
-    if ((retval = krb5_c_encrypt(context, keyblock,
+    if ((retval = krb5_k_encrypt(context, key,
                                 KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
                                 i_vector?&ivdata:0,
                                 scratch1, &privmsg.enc_part)))
@@ -115,15 +115,15 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
             krb5_replay_data *outdata)
 {
     krb5_error_code      retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
     /* Clear replaydata block */
     memset(&replaydata, 0, sizeof(krb5_replay_data));
 
     /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL)
-       keyblock = auth_context->keyblock;
+    if ((key = auth_context->send_subkey) == NULL)
+       key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -192,7 +192,7 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
        }
     }
 
-    if ((retval = krb5_mk_priv_basic(context, userdata, keyblock, &replaydata, 
+    if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata,
                                     plocal_fulladdr, premote_fulladdr,
                                     auth_context->i_vector, outbuf))) {
        CLEANUP_DONE();
diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c
index 29155b6e11c8ac5ab8674cd830e9c852f2e6d750..a4dbc467f49d3b8ff89e5cfdc2ab0be1447fb15e 100644 (file)
--- a/src/lib/krb5/krb/mk_rep.c
+++ b/src/lib/krb5/krb/mk_rep.c
@@ -80,7 +80,8 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
        (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
        (auth_context->local_seq_number == 0)) {
-       if ((retval = krb5_generate_seq_number(context, auth_context->keyblock,
+       if ((retval = krb5_generate_seq_number(context,
+                                              &auth_context->key->keyblock,
                                               &auth_context->local_seq_number)))
             return(retval);
     }
@@ -98,11 +99,11 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
        assert(auth_context->negotiated_etype != ENCTYPE_NULL);
 
        retval = krb5int_generate_and_save_subkey (context, auth_context,
-                                                  auth_context->keyblock,
+                                                  &auth_context->key->keyblock,
                                                   auth_context->negotiated_etype);
        if (retval)
            return retval;
-       repl.subkey = auth_context->send_subkey;
+       repl.subkey = &auth_context->send_subkey->keyblock;
     } else
        repl.subkey = auth_context->authentp->subkey;
 
@@ -115,9 +116,9 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
     if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch)))
        return retval;
 
-    if ((retval = krb5_encrypt_helper(context, auth_context->keyblock,
-                                     KRB5_KEYUSAGE_AP_REP_ENCPART,
-                                     scratch, &reply.enc_part)))
+    if ((retval = krb5_encrypt_keyhelper(context, auth_context->key,
+                                        KRB5_KEYUSAGE_AP_REP_ENCPART,
+                                        scratch, &reply.enc_part)))
        goto cleanup_scratch;
 
     if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) {
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 64eafe3628503361a9ea9b8843cbe02d572a7aeb..3b1c93f22c91b8b5905be0bfa430f9298ab1db76 100644 (file)
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -73,7 +73,7 @@ make_etype_list(krb5_context context,
 static krb5_error_code 
 krb5_generate_authenticator (krb5_context,
                                       krb5_authenticator *, krb5_principal,
-                                      krb5_checksum *, krb5_keyblock *,
+                                      krb5_checksum *, krb5_key,
                                       krb5_ui_4, krb5_authdata **,
                                       krb5_enctype *desired_etypes,
                                       krb5_enctype tkt_enctype);
@@ -93,6 +93,7 @@ krb5int_generate_and_save_subkey (krb5_context context,
     } rnd_data;
     krb5_data d;
     krb5_error_code retval;
+    krb5_keyblock *kb = NULL;
 
     if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
        d.length = sizeof(rnd_data);
@@ -100,22 +101,23 @@ krb5int_generate_and_save_subkey (krb5_context context,
        krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
     }
 
-    if (auth_context->send_subkey)
-       krb5_free_keyblock(context, auth_context->send_subkey);
-    if ((retval = krb5_generate_subkey_extended(context, keyblock, enctype,
-                                               &auth_context->send_subkey)))
+    retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
+    if (retval)
        return retval;
+    retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
+    if (retval)
+       goto cleanup;
+    retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
+    if (retval)
+       goto cleanup;
 
-    if (auth_context->recv_subkey)
-       krb5_free_keyblock(context, auth_context->recv_subkey);
-    retval = krb5_copy_keyblock(context, auth_context->send_subkey,
-                               &auth_context->recv_subkey);
+cleanup:
     if (retval) {
-       krb5_free_keyblock(context, auth_context->send_subkey);
-       auth_context->send_subkey = NULL;
-       return retval;
+       (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
+       (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
     }
-    return 0;
+    krb5_free_keyblock(context, kb);
+    return retval;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -159,14 +161,14 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
        *auth_context = new_auth_context;
     }
 
-    if ((*auth_context)->keyblock != NULL) {
-       krb5_free_keyblock(context, (*auth_context)->keyblock);
-       (*auth_context)->keyblock = NULL;
+    if ((*auth_context)->key != NULL) {
+       krb5_k_free_key(context, (*auth_context)->key);
+       (*auth_context)->key = NULL;
     }
 
     /* set auth context keyblock */
-    if ((retval = krb5_copy_keyblock(context, &in_creds->keyblock, 
-                                    &((*auth_context)->keyblock))))
+    if ((retval = krb5_k_create_key(context, &in_creds->keyblock,
+                                   &((*auth_context)->key))))
        goto cleanup;
 
     /* generate seq number if needed */
@@ -205,16 +207,18 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
            checksum.length = in_data->length;
            checksum.contents = (krb5_octet *) in_data->data;
        } else {
+           krb5_enctype enctype = krb5_k_key_enctype(context,
+                                                     (*auth_context)->key);
            krb5_cksumtype cksumtype;
-           retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype,
+           retval = krb5int_c_mandatory_cksumtype(context, enctype,
                                                   &cksumtype);
            if (retval)
                goto cleanup_cksum;
            if ((*auth_context)->req_cksumtype)
                cksumtype = (*auth_context)->req_cksumtype;
-           if ((retval = krb5_c_make_checksum(context, 
+           if ((retval = krb5_k_make_checksum(context,
                                               cksumtype,
-                                              (*auth_context)->keyblock,
+                                              (*auth_context)->key,
                                               KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
                                               in_data, &checksum)))
                goto cleanup_cksum;
@@ -297,7 +301,7 @@ cleanup:
 static krb5_error_code
 krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
                            krb5_principal client, krb5_checksum *cksum,
-                           krb5_keyblock *key, krb5_ui_4 seq_number,
+                           krb5_key key, krb5_ui_4 seq_number,
                            krb5_authdata **authorization,
                            krb5_enctype *desired_etypes,
                            krb5_enctype tkt_enctype)
@@ -307,7 +311,7 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
     authent->client = client;
     authent->checksum = cksum;
     if (key) {
-       retval = krb5_copy_keyblock(context, key, &authent->subkey);
+       retval = krb5_k_key_keyblock(context, key, &authent->subkey);
        if (retval)
            return retval;
     } else
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index 23358b957f821304169a27ee7dcf0a2dfb3b437a..f3bfde390eae6dc65123ebefaedcb6d796d21ebd 100644 (file)
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -48,7 +48,7 @@
 */
 static krb5_error_code
 krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
-                  const krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+                  krb5_key key, krb5_replay_data *replaydata,
                   krb5_address *local_addr, krb5_address *remote_addr,
                   krb5_cksumtype sumtype, krb5_data *outbuf)
 {
@@ -88,7 +88,7 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
     if ((retval = encode_krb5_safe(&safemsg, &scratch1)))
        return retval;
 
-    if ((retval = krb5_c_make_checksum(context, sumtype, keyblock,
+    if ((retval = krb5_k_make_checksum(context, sumtype, key,
                                       KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
                                       scratch1, &safe_checksum)))
        goto cleanup_checksum;
@@ -115,15 +115,15 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
             krb5_replay_data *outdata)
 {
     krb5_error_code      retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
     /* Clear replaydata block */
     memset(&replaydata, 0, sizeof(krb5_replay_data));
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL)
-       keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->send_subkey) == NULL)
+       key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -195,10 +195,11 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
     }
 
     {
+       krb5_enctype enctype = krb5_k_key_enctype(context, key);
        unsigned int nsumtypes;
        unsigned int i;
        krb5_cksumtype *sumtypes;
-       retval = krb5_c_keyed_checksum_types (context, keyblock->enctype,
+       retval = krb5_c_keyed_checksum_types (context, enctype,
                                              &nsumtypes, &sumtypes);
        if (retval) {
            CLEANUP_DONE ();
@@ -218,7 +219,7 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
        sumtype = sumtypes[i];
        krb5_free_cksumtypes (context, sumtypes);
     }
-    if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata, 
+    if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
                                     plocal_fulladdr, premote_fulladdr,
                                     sumtype, outbuf))) {
        CLEANUP_DONE();
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index 48637450dc56433b78173a814e0324bbe1c0a5fd..a5d00dc4eae8b21a1a9b21d3fa7d6a17a3b454dd 100644 (file)
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -13,7 +13,7 @@
  */
 static krb5_error_code 
 decrypt_credencdata(krb5_context context, krb5_cred *pcred,
-                   krb5_keyblock *pkeyblock, krb5_cred_enc_part *pcredenc)
+                   krb5_key pkey, krb5_cred_enc_part *pcredenc)
 {
     krb5_cred_enc_part  * ppart = NULL;
     krb5_error_code      retval;
@@ -23,8 +23,8 @@ decrypt_credencdata(krb5_context context, krb5_cred *pcred,
     if (!(scratch.data = (char *)malloc(scratch.length))) 
        return ENOMEM;
 
-    if (pkeyblock != NULL) {
-       if ((retval = krb5_c_decrypt(context, pkeyblock,
+    if (pkey != NULL) {
+       if ((retval = krb5_k_decrypt(context, pkey,
                                     KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
                                     &pcred->enc_part, &scratch)))
            goto cleanup;
@@ -53,7 +53,7 @@ cleanup:
 
 static krb5_error_code 
 krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
-                  krb5_keyblock *pkeyblock, krb5_replay_data *replaydata,
+                  krb5_key pkey, krb5_replay_data *replaydata,
                   krb5_creds ***pppcreds)
 {
     krb5_error_code       retval;
@@ -68,7 +68,7 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
 
     memset(&encpart, 0, sizeof(encpart));
 
-    if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
+    if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart)))
        goto cleanup_cred;
 
 
@@ -167,12 +167,12 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
             krb5_replay_data *outdata)
 {
     krb5_error_code       retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-       keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+       key = auth_context->key;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
       (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -186,14 +186,14 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
 
 
     /*
-     * If decrypting with the first keyblock we try fails, perhaps the
+     * If decrypting with the first key we try fails, perhaps the
      * credentials are stored in the session key so try decrypting with
      * that.
      */
-    if ((retval = krb5_rd_cred_basic(context, pcreddata, keyblock,
+    if ((retval = krb5_rd_cred_basic(context, pcreddata, key,
                                     &replaydata, pppcreds))) {
        if ((retval = krb5_rd_cred_basic(context, pcreddata,
-                                        auth_context->keyblock,
+                                        auth_context->key,
                                         &replaydata, pppcreds))) {
            return retval;
        }
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index eaeaed894b0dd2e7af16f3969d4ebb615a0c2dad..9b84ad87ae8b1ff2344f26e7caf87b53c64c30ad 100644 (file)
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -54,8 +54,7 @@ Returns system errors, integrity errors.
 
 static krb5_error_code
 krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
-                  const krb5_keyblock *keyblock,
-                  const krb5_address *local_addr,
+                  const krb5_key key, const krb5_address *local_addr,
                   const krb5_address *remote_addr, krb5_pointer i_vector,
                   krb5_replay_data *replaydata, krb5_data *outbuf)
 {
@@ -65,6 +64,7 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
     krb5_priv_enc_part  * privmsg_enc_part;
     size_t               blocksize;
     krb5_data            ivdata;
+    krb5_enctype         enctype;
 
     if (!krb5_is_krb_priv(inbuf))
        return KRB5KRB_AP_ERR_MSG_TYPE;
@@ -74,8 +74,8 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
        return retval;
     
     if (i_vector) {
-       if ((retval = krb5_c_block_size(context, keyblock->enctype,
-                                       &blocksize)))
+       enctype = krb5_k_key_enctype(context, key);
+       if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
            goto cleanup_privmsg;
 
        ivdata.length = blocksize;
@@ -88,7 +88,7 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
        goto cleanup_privmsg;
     }
 
-    if ((retval = krb5_c_decrypt(context, keyblock,
+    if ((retval = krb5_k_decrypt(context, key,
                                 KRB5_KEYUSAGE_KRB_PRIV_ENCPART, 
                                 i_vector?&ivdata:0,
                                 &privmsg->enc_part, &scratch)))
@@ -156,12 +156,12 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
             krb5_replay_data *outdata)
 {
     krb5_error_code      retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data     replaydata;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-       keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+       key = auth_context->key;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
       (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -213,7 +213,7 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
     }
 
     memset(&replaydata, 0, sizeof(replaydata));
-    if ((retval = krb5_rd_priv_basic(context, inbuf, keyblock,
+    if ((retval = krb5_rd_priv_basic(context, inbuf, key,
                                     plocal_fulladdr,
                                     premote_fulladdr,
                                     auth_context->i_vector,
diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c
index 1e3c145263abcb10c7ae0eb11cc090c9f345c490..6e9cb08088195e50dd006c0f2364640e18376170 100644 (file)
--- a/src/lib/krb5/krb/rd_rep.c
+++ b/src/lib/krb5/krb/rd_rep.c
@@ -95,7 +95,7 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
        goto clean_scratch;
     }
 
-    retval = krb5_c_decrypt(context, auth_context->keyblock,
+    retval = krb5_k_decrypt(context, auth_context->key,
                            KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
                            &reply->enc_part, &scratch);
     if (retval)
@@ -115,23 +115,14 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
 
     /* Set auth subkey. */
     if (enc->subkey) {
-       if (auth_context->recv_subkey) {
-           krb5_free_keyblock(context, auth_context->recv_subkey);
-           auth_context->recv_subkey = NULL;
-       }
-       retval = krb5_copy_keyblock(context, enc->subkey,
-                                   &auth_context->recv_subkey);
+       retval = krb5_auth_con_setrecvsubkey(context, auth_context,
+                                            enc->subkey);
        if (retval)
            goto clean_scratch;
-       if (auth_context->send_subkey) {
-           krb5_free_keyblock(context, auth_context->send_subkey);
-           auth_context->send_subkey = NULL;
-       }
-       retval = krb5_copy_keyblock(context, enc->subkey,
-                                   &auth_context->send_subkey);
+       retval = krb5_auth_con_setsendsubkey(context, auth_context,
+                                            enc->subkey);
        if (retval) {
-           krb5_free_keyblock(context, auth_context->send_subkey);
-           auth_context->send_subkey = NULL;
+           (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
            goto clean_scratch;
        }
        /* Not used for anything yet. */
@@ -178,7 +169,7 @@ krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context,
        return(ENOMEM);
     }
 
-    if ((retval = krb5_c_decrypt(context, auth_context->keyblock,
+    if ((retval = krb5_k_decrypt(context, auth_context->key,
                                 KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
                                 &reply->enc_part, &scratch)))
        goto clean_scratch;
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index c618be1eea9ab82fc9f93d2f570d2bb31059e636..cb4b8cc0b48af4e908e76c60708621c22a8eae2d 100644 (file)
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -227,12 +227,13 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
        do we need special processing here ?    */
 
     /* decrypt the ticket */
-    if ((*auth_context)->keyblock) { /* User to User authentication */
-       if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
+    if ((*auth_context)->key) { /* User to User authentication */
+       if ((retval = krb5_decrypt_tkt_part(context,
+                                           &(*auth_context)->key->keyblock,
                                            req->ticket)))
            goto cleanup;
-       krb5_free_keyblock(context, (*auth_context)->keyblock);
-       (*auth_context)->keyblock = NULL;
+       krb5_k_free_key(context, (*auth_context)->key);
+       (*auth_context)->key = NULL;
     } else {
        if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, server, keytab)))
            goto cleanup;
@@ -459,14 +460,14 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 
     (*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
     if ((*auth_context)->authentp->subkey) {
-       if ((retval = krb5_copy_keyblock(context,
-                                        (*auth_context)->authentp->subkey,
-                                        &((*auth_context)->recv_subkey))))
+       if ((retval = krb5_k_create_key(context,
+                                       (*auth_context)->authentp->subkey,
+                                       &((*auth_context)->recv_subkey))))
            goto cleanup;
-       retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey,
-                                   &((*auth_context)->send_subkey));
+       retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey,
+                                  &((*auth_context)->send_subkey));
        if (retval) {
-           krb5_free_keyblock(context, (*auth_context)->recv_subkey);
+           krb5_k_free_key(context, (*auth_context)->recv_subkey);
            (*auth_context)->recv_subkey = NULL;
            goto cleanup;
        }
@@ -475,8 +476,8 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
        (*auth_context)->send_subkey = 0;
     }
 
-    if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session,
-                                    &((*auth_context)->keyblock))))
+    if ((retval = krb5_k_create_key(context, req->ticket->enc_part2->session,
+                                   &((*auth_context)->key))))
        goto cleanup;
 
     debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data);
@@ -499,7 +500,8 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
        *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
        if (rfc4537_etypes_len != 0)
            *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
-       if ((*auth_context)->negotiated_etype != (*auth_context)->keyblock->enctype)
+       if ((*auth_context)->negotiated_etype !=
+           krb5_k_key_enctype(context, (*auth_context)->key))
            *ap_req_options |= AP_OPTS_USE_SUBKEY;
     }
 
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 989c22242794026467befaf60ed7280eb317a269..68c13317c51e69d4774ea3b73e81713741774f98 100644 (file)
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -46,7 +46,7 @@
  */
 static krb5_error_code
 krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
-                  const krb5_keyblock *keyblock,
+                  krb5_key key,
                   const krb5_address *recv_addr,
                   const krb5_address *sender_addr,
                   krb5_replay_data *replaydata, krb5_data *outbuf)
@@ -124,7 +124,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
     if (retval)
        goto cleanup;
 
-    retval = krb5_c_verify_checksum(context, keyblock,
+    retval = krb5_k_verify_checksum(context, key,
                                    KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
                                    scratch, his_cksum, &valid);
 
@@ -136,7 +136,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
         * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
         * case someone actually implements it correctly.
         */
-       retval = krb5_c_verify_checksum(context, keyblock,
+       retval = krb5_k_verify_checksum(context, key,
                                        KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
                                        &safe_body, his_cksum, &valid);
        if (!valid) {
@@ -164,7 +164,7 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
             krb5_replay_data *outdata)
 {
     krb5_error_code      retval;
-    krb5_keyblock      * keyblock;
+    krb5_key             key;
     krb5_replay_data     replaydata;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
@@ -180,9 +180,9 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
     if (!auth_context->remote_addr)
        return KRB5_REMOTE_ADDR_REQUIRED;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-       keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+       key = auth_context->key;
 
 {
     krb5_address * premote_fulladdr;
@@ -220,7 +220,7 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
     }
 
     memset(&replaydata, 0, sizeof(replaydata));
-    if ((retval = krb5_rd_safe_basic(context, inbuf, keyblock,
+    if ((retval = krb5_rd_safe_basic(context, inbuf, key,
                                     plocal_fulladdr, premote_fulladdr,
                                     &replaydata, outbuf))) {
        CLEANUP_DONE();
diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c
index 347b300f55f5aa7044facd001e81a89b3d46eb7e..30ad09d0301474439ce66b188748219c83bb36c7 100644 (file)
--- a/src/lib/krb5/krb/ser_actx.c
+++ b/src/lib/krb5/krb/ser_actx.c
@@ -75,6 +75,7 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
     krb5_error_code    kret;
     krb5_auth_context  auth_context;
     size_t             required;
+    krb5_enctype       enctype;
 
     /*
      * krb5_auth_context requires at minimum:
@@ -92,9 +93,9 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
        kret = 0;
 
        /* Calculate size required by i_vector - ptooey */
-       if (auth_context->i_vector && auth_context->keyblock) {
-           kret = krb5_c_block_size(kcontext, auth_context->keyblock->enctype,
-                                    &required);
+       if (auth_context->i_vector && auth_context->key) {
+           enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+           kret = krb5_c_block_size(kcontext, enctype, &required);
        } else {
            required = 0;
        }
@@ -141,11 +142,11 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
                required += sizeof(krb5_int32);
        }
 
-       /* Calculate size required by keyblock, if appropriate */
-       if (!kret && auth_context->keyblock) {
+       /* Calculate size required by key, if appropriate */
+       if (!kret && auth_context->key) {
            kret = krb5_size_opaque(kcontext,
-                                   KV5M_KEYBLOCK,
-                                   (krb5_pointer) auth_context->keyblock,
+                                   KV5M_KEYBLOCK, (krb5_pointer)
+                                   &auth_context->key->keyblock,
                                    &required);
            if (!kret)
                required += sizeof(krb5_int32);
@@ -154,8 +155,8 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
        /* Calculate size required by send_subkey, if appropriate */
        if (!kret && auth_context->send_subkey) {
            kret = krb5_size_opaque(kcontext,
-                                   KV5M_KEYBLOCK,
-                                   (krb5_pointer) auth_context->send_subkey,
+                                   KV5M_KEYBLOCK, (krb5_pointer)
+                                   &auth_context->send_subkey->keyblock,
                                    &required);
            if (!kret)
                required += sizeof(krb5_int32);
@@ -164,8 +165,8 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
        /* Calculate size required by recv_subkey, if appropriate */
        if (!kret && auth_context->recv_subkey) {
            kret = krb5_size_opaque(kcontext,
-                                   KV5M_KEYBLOCK,
-                                   (krb5_pointer) auth_context->recv_subkey,
+                                   KV5M_KEYBLOCK, (krb5_pointer)
+                                   &auth_context->recv_subkey->keyblock,
                                    &required);
            if (!kret)
                required += sizeof(krb5_int32);
@@ -197,6 +198,7 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe
     size_t             remain;
     size_t              obuf;
     krb5_int32         obuf32;
+    krb5_enctype       enctype;
 
     required = 0;
     bp = *buffer;
@@ -224,9 +226,8 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe
 
            /* Now figure out the number of bytes for i_vector and write it */
            if (auth_context->i_vector) {
-               kret = krb5_c_block_size(kcontext,
-                                        auth_context->keyblock->enctype,
-                                        &obuf);
+               enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+               kret = krb5_c_block_size(kcontext, enctype, &obuf);
            } else {
                obuf = 0;
            }
@@ -289,12 +290,12 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe
            }
 
            /* Now handle keyblock, if appropriate */
-           if (!kret && auth_context->keyblock) {
+           if (!kret && auth_context->key) {
                (void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain);
                kret = krb5_externalize_opaque(kcontext,
                                               KV5M_KEYBLOCK,
                                               (krb5_pointer)
-                                              auth_context->keyblock,
+                                              &auth_context->key->keyblock,
                                               &bp,
                                               &remain);
            }
@@ -304,8 +305,8 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe
                (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
                kret = krb5_externalize_opaque(kcontext,
                                               KV5M_KEYBLOCK,
-                                              (krb5_pointer)
-                                              auth_context->send_subkey,
+                                              (krb5_pointer) &auth_context->
+                                              send_subkey->keyblock,
                                               &bp,
                                               &remain);
            }
@@ -315,8 +316,8 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe
                (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
                kret = krb5_externalize_opaque(kcontext,
                                               KV5M_KEYBLOCK,
-                                              (krb5_pointer)
-                                              auth_context->recv_subkey,
+                                              (krb5_pointer) &auth_context->
+                                              recv_subkey->keyblock,
                                               &bp,
                                               &remain);
            }
@@ -345,6 +346,22 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe
     return(kret);
 }
 \f
+/* Internalize a keyblock and convert it to a key. */
+static krb5_error_code
+intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp)
+{
+    krb5_keyblock *keyblock;
+    krb5_error_code ret;
+
+    ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK,
+                                 (krb5_pointer *) &keyblock, bp, sp);
+    if (ret != 0)
+       return ret;
+    ret = krb5_k_create_key(ctx, keyblock, key);
+    krb5_free_keyblock(ctx, keyblock);
+    return ret;
+}
+
 /*
  * krb5_auth_context_internalize()     - Internalize the krb5_auth_context.
  */
@@ -464,37 +481,29 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc
 
            /* This is the keyblock */
            if (!kret && (tag == TOKEN_KEYBLOCK)) {
-               if (!(kret = krb5_internalize_opaque(kcontext,
-                                                    KV5M_KEYBLOCK,
-                                                    (krb5_pointer *)
-                                                    &auth_context->keyblock,
-                                                    &bp,
-                                                    &remain)))
+               if (!(kret = intern_key(kcontext,
+                                       &auth_context->key,
+                                       &bp,
+                                       &remain)))
                    kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
            }
 
            /* This is the send_subkey */
            if (!kret && (tag == TOKEN_LSKBLOCK)) {
-               if (!(kret = krb5_internalize_opaque(kcontext,
-                                                    KV5M_KEYBLOCK,
-                                                    (krb5_pointer *)
-                                                    &auth_context->
-                                                    send_subkey,
-                                                    &bp,
-                                                    &remain)))
+               if (!(kret = intern_key(kcontext,
+                                       &auth_context->send_subkey,
+                                       &bp,
+                                       &remain)))
                    kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
            }
 
            /* This is the recv_subkey */
            if (!kret) {
                if (tag == TOKEN_RSKBLOCK) {
-                   kret = krb5_internalize_opaque(kcontext,
-                                                  KV5M_KEYBLOCK,
-                                                  (krb5_pointer *)
-                                                  &auth_context->
-                                                  recv_subkey,
-                                                  &bp,
-                                                  &remain);
+                   kret = intern_key(kcontext,
+                                     &auth_context->recv_subkey,
+                                     &bp,
+                                     &remain);
                }
                else {
                    /*
Mirror of https://github.com/krb5/krb5.git