From 21f2ebf2ff5daf0876fa3ee98b06eadef58a4e99 Mon Sep 17 00:00:00 2001
From: Philipp Eder
Date: Mon, 3 Feb 2025 14:50:14 +0000
Subject: [PATCH] Fix: add documentation why things are stored as a global variable
---
 nasl/nasl_krb5.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/nasl/nasl_krb5.c b/nasl/nasl_krb5.c
index 2c0363173..f1e0f39ce 100644
--- a/nasl/nasl_krb5.c
+++ b/nasl/nasl_krb5.c
@@ -26,7 +26,27 @@
 } \
 while (0)
-OKrb5ErrorCode last_okrb5_result;
+// Is used for krb5_is_success, krb5_is_failure which allows the script author
+// to verify if the last called krb5 function failed or not. This is strictly
+// speaking a safety net for incorrect usage as most krb5 functions return
+// the error code.
+static OKrb5ErrorCode last_okrb5_result;
+
+// cached_gss_context is used on cases that require an already existing session.
+// NASL does currently not have the concept of a pointer nor struct so we need
+// to store it as a global variable.
+//
+// We use one context per run, this means that per run (target + oid) there is
+// only on credential allowed making it safe to be cached in that fashion.
+static struct OKrb5GSSContext *cached_gss_context = NULL;
+
+// Is used for `krb5_gss_update_context_out` and is essential a
+// cache for the data from `krb5_gss_update_context`.
+static struct OKrb5Slice *to_application = NULL;
+
+// Is used for `krb5_gss_update_context_needs_more` which indicates to the
+// script author that `krb5_gss_update_context` is not satisfied yet.
+static bool gss_update_context_more = false;
 #define SET_SLICE_FROM_LEX_OR_ENV(lexic, slice, name, env_name) \
 do \
@@ -51,6 +71,7 @@ OKrb5ErrorCode last_okrb5_result;
 } \
 while (0)
+
 static OKrb5Credential
 build_krb5_credential (lex_ctxt *lexic)
 {
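Review bot: The new comment on `cached_gss_context` calls the cache safe because each run (target + oid) uses one credential, but it does not say where the context and the `to_application` slice are released or reset, and nothing in this hunk enforces the one-credential assumption. Both appear to hold authenticated-session state for the life of the process, so the comment should name the owner, e.g. `// Owned by this file: released and reset to NULL by <cleanup function>; a later init in the same run must not reuse a context built for a different credential.` The cleanup path lies outside this hunk, so confirm that one exists before documenting it. Two wording slips in the added comments are also worth fixing: `only on credential allowed` should read `only one credential allowed`, and `is essential a cache` should read `is essentially a cache`.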
@@ -219,9 +240,6 @@ nasl_okrb5_is_failure (lex_ctxt *lexic)
 return retc;
 }
-// We use one context per run, this means that per run (target + oid) there is
-// only on credential allowed.
-struct OKrb5GSSContext *cached_gss_context = NULL;
 tree_cell *
 nasl_okrb5_gss_init (lex_ctxt *lexic)
@@ -263,8 +281,6 @@ nasl_okrb5_gss_prepare_context (lex_ctxt *lexic)
 return retc;
 }
-struct OKrb5Slice *to_application = NULL;
-bool gss_update_context_more = false;
 tree_cell *
 nasl_okrb5_gss_update_context (lex_ctxt *lexic)