move krb5_init_context out of


I’m trying to write a Kerberos GSSAPI decryption support analyzer. Currently krb5_init_context() is called to get a krb5_context inside KRB
analyzer. I think it’s a good thing to share the context among all the components that need to call KRB5 API.

Is there any mechanism to do so? Or should I just call krb5_init_context() in and export the context via a new .h file?

Best regards,

Can you elaborate why? Because I think the opposite: a context per
connection/analyzer makes sense as those are logically distinct units
that should have their own state instead of sharing a global state.

- Jon

My concerns were:

  1. The context returned by krb5_init_context() is a library context, not a
    session/connection context. I was a little nervous to do multiple
    library initializations in a single process.

  2. Performance impact. I had quickly read the source of krb5_init_context();
    most of the work it does is irrelevant to us as a passive analyzer, such as setting
    security policy (allow weak encryption or not, etc.) according to KRB
    configuration files, seeding the random number generator, adding entropy to
    the random number generator, initializing mutex.

But now I’d rather not bother to move the call out of the KRB analyzer, since:

  1. From my practice it seems OK to do multiple KRB library initializations.

  2. The performance impact is very limited. Currently there is 1 context for all KRB
    analyzer instances, and it will not be a big deal to add one for all new
    support analyzer instances.
