From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 9 Jan 2017 16:44:29 +0000 (-0500)
Subject: Document and check init_creds context requirement
X-Git-Tag: krb5-1.16-beta1~156
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F593%2Fhead;p=thirdparty%2Fkrb5.git

Document and check init_creds context requirement

To ensure that the same clpreauth plugin modules and moddata pointers
are used for each step of an initial creds operation, the caller must
use the same library context for krb5_init_creds_init(),
krb5_init_creds_step(), and krb5_init_creds_free().  Document and
enforce this requirement.

ticket: 7877
---

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c192dc797e..4be51160f4 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7308,6 +7308,9 @@ typedef struct _krb5_init_creds_context *krb5_init_creds_context;
  *
  * @param [in] context          Library context
  * @param [in] ctx              Initial credentials context
+ *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
  */
 void KRB5_CALLCONV
 krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
@@ -7322,6 +7325,9 @@ krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx);
  * krb5_init_creds_init().  On successful return, the credentials can be
  * retrieved with krb5_init_creds_get_creds().
  *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
@@ -7372,6 +7378,10 @@ krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx,
  * This function creates a new context for acquiring initial credentials.  Use
  * krb5_init_creds_free() to free @a ctx when it is no longer needed.
  *
+ * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or
+ * krb5_init_creds_free() for this initial credentials context must use the
+ * same @a context argument as the one passed to this function.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
@@ -7421,6 +7431,9 @@ krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx,
  * transmit the next request using TCP rather than UDP.  If this function
  * returns any other error, the initial credential exchange has failed.
  *
+ * @a context must be the same as the one passed to krb5_init_creds_init() for
+ * this initial credentials context.
+ *
  * @retval 0 Success; otherwise - Kerberos error codes
  */
 krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index e422a04916..3f6a3bfbb7 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1685,7 +1685,7 @@ krb5_init_creds_step(krb5_context context,
                      krb5_data *realm,
                      unsigned int *flags)
 {
-    krb5_error_code code = 0, code2;
+    krb5_error_code code, code2;
 
     *flags = 0;
 
@@ -1698,6 +1698,10 @@ krb5_init_creds_step(krb5_context context,
     if (ctx->complete)
         return EINVAL;
 
+    code = k5_preauth_check_context(context, ctx);
+    if (code)
+        return code;
+
     if (in->length != 0) {
         code = init_creds_step_reply(context, ctx, in);
         if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) {
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index c506253f1a..40955ba4a8 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -210,6 +210,9 @@ void
 k5_preauth_request_context_fini(krb5_context context,
                                 krb5_init_creds_context ctx);
 
+krb5_error_code
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx);
+
 krb5_error_code
 k5_response_items_new(k5_response_items **ri_out);
 
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 9a178f4e3a..9c5d6eaa98 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -296,6 +296,19 @@ k5_preauth_request_context_fini(krb5_context context,
     ctx->preauth_reqctx = NULL;
 }
 
+krb5_error_code
+k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx)
+{
+    krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
+
+    if (reqctx != NULL && reqctx->orig_context != context) {
+        k5_setmsg(context, EINVAL,
+                  _("krb5_init_creds calls must use same library context"));
+        return EINVAL;
+    }
+    return 0;
+}
+
 /* Return 1 if pa_type is a real preauthentication mechanism according to the
  * module h.  Return 0 if it is not. */
 static int