I’m trying to write a Kerberos GSSAPI decryption support analyzer. Currently krb5_init_context() is called to get a krb5_context inside the KRB analyzer. I think it’s a good thing to share the context among all the components that need to call the KRB5 API.
Is there any mechanism to do so? Or should I just call krb5_init_context() in main.cc and export the context via a new .h file?

Can you elaborate why? Because I think the opposite: a context per
connection/analyzer makes sense as those are logically distinct units
that should have their own state instead of sharing a global state.

The context returned by krb5_init_context() is a library context, not a
session/connection context. I was a little nervous about doing multiple
library initializations in a single process.

Performance impact. I had quickly read the source of krb5_init_context();
most of the work it does is irrelevant to us as a passive analyzer, such as setting
security policy (allow weak encryption or not, etc.) according to the KRB
configuration files, seeding the random number generator, adding entropy to the
random number generator, and initializing mutexes.

But now I’d rather not bother to move the call out of the KRB analyzer, since:

From my practice it seems OK to do multiple KRB library initializations.

The performance impact is very limited. Currently there is 1 context for all KRB
analyzer instances, and it will not be a big deal to add one for all new
support analyzer instances.
Song