*
* @param [in] context Library context
* @param [in] ctx Initial credentials context
+ *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
*/
void KRB5_CALLCONV
krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
* krb5_init_creds_init(). On successful return, the credentials can be
* retrieved with krb5_init_creds_get_creds().
*
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
+ *
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
* This function creates a new context for acquiring initial credentials. Use
* krb5_init_creds_free() to free @a ctx when it is no longer needed.
*
+ * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or
+ * krb5_init_creds_free() for this initial credentials context must use the
+ * same @a context argument as the one passed to this function.
+ *
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
* transmit the next request using TCP rather than UDP. If this function
* returns any other error, the initial credential exchange has failed.
*
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
+ *
* @retval 0 Success; otherwise - Kerberos error codes
*/
krb5_error_code KRB5_CALLCONV
krb5_data *realm,
unsigned int *flags)
{
- krb5_error_code code = 0, code2;
+ krb5_error_code code, code2;
*flags = 0;
if (ctx->complete)
return EINVAL;
+ code = k5_preauth_check_context(context, ctx);
+ if (code)
+ return code;
+
if (in->length != 0) {
code = init_creds_step_reply(context, ctx, in);
if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) {
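Review bot: The same-context check is wired only into krb5_init_creds_step() in the hunks shown here, right after the `ctx->complete` test, while the header comments added by this commit state the requirement for krb5_init_creds_get() and krb5_init_creds_free() as well. If krb5_init_creds_get() does not pass through this function on every path, it needs the same guard, `code = k5_preauth_check_context(context, ctx);` followed by `if (code) return code;`. krb5_init_creds_free() returns void and cannot report a mismatch, so its comment should say the requirement is not checked there; teardown under a different library context would presumably still run against preauth request state tied to the original one. The body of krb5_init_creds_step() starts and ends outside this hunk.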
k5_preauth_request_context_fini(krb5_context context,
krb5_init_creds_context ctx);
+krb5_error_code
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx);
+
krb5_error_code
k5_response_items_new(k5_response_items **ri_out);
ctx->preauth_reqctx = NULL;
}
+krb5_error_code
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx)
+{
+ krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
+
+ if (reqctx != NULL && reqctx->orig_context != context) {
+ k5_setmsg(context, EINVAL,
+ _("krb5_init_creds calls must use same library context"));
+ return EINVAL;
+ }
+ return 0;
+}
+
/* Return 1 if pa_type is a real preauthentication mechanism according to the
* module h. Return 0 if it is not. */
static int
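Review bot: k5_preauth_check_context() is added without a header comment, unlike the function that follows it, and its `reqctx != NULL` guard makes the check best-effort in a way the prototype does not show. When `ctx->preauth_reqctx` is NULL the function returns 0 without comparing anything, so a mismatched library context is caught only while a preauth request context exists. I would put `/* Return EINVAL, with an extended message set in context, if ctx has a preauth request context whose orig_context is not context. Return 0 otherwise, including when ctx has no preauth request context. */` above the definition, so callers do not read a 0 return as proof that the contexts match.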