diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
index 787a8d3d2..02780b621 100644
--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
@@ -740,15 +740,15 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, return GSS_S_BAD_MIC; } + if (conf_state) + *conf_state = conf_flag; + HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); omret = _gssapi_msg_order_check(context_handle->order, seq_number); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); if (omret) return omret; - if (conf_state) - *conf_state = conf_flag; - *minor_status = 0; return GSS_S_COMPLETE; }
@@ -1375,6 +1375,10 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status, } } + if (pconf_state) { + *pconf_state = conf_state; + } + HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); ret = _gssapi_msg_order_check(ctx->order, seq_number); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -1382,10 +1386,6 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status, return ret; } - if (pconf_state) { - *pconf_state = conf_state; - } - *minor_status = 0; return GSS_S_COMPLETE; }
diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c
index cb9ea773b..af50292c2 100644
--- a/lib/gssapi/krb5/cfx.c
+++ b/lib/gssapi/krb5/cfx.c
@@ -748,7 +748,7 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *header, *trailer, *padding; gss_cfx_wrap_token token, ttoken; u_char token_flags; - krb5_error_code ret; + krb5_error_code ret, seq_err; unsigned usage; uint16_t ec, rrc; krb5_crypto_iov *data = NULL; 
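Review bot: The early `return omret;` in `_gssapi_unwrap_arcfour` still skips `*minor_status = 0;`, and nothing in the code says why `*conf_state` is now stored ahead of `_gssapi_msg_order_check()`. If the order check can return a supplementary status that callers treat as success (inferred, the helper is not part of this diff), that path hands back `*minor_status` with whatever it held before. I would set `*minor_status = 0;` before `return omret;` and add `/* set before the order check: a supplementary status is returned as a non-error */` above the moved assignment. The same applies to the two `_gssapi_unwrap_iov_arcfour` hunks; both function bodies start outside the hunks.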
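Review bot: `seq_err` is declared as `krb5_error_code` in `_gssapi_unwrap_cfx_iov`, but it stores the GSS major status returned by `_gssapi_msg_order_check()`, is compared with `GSS_S_FAILURE`, and is OR-ed into the function's `OM_uint32` return value. unwrap.c and verify_mic.c in this same commit declare it as `OM_uint32`; I would do the same here with a separate `OM_uint32 seq_err;` line so the status bits are never carried in a Kerberos error type. The same declaration is added in the `_gssapi_unwrap_cfx` and `_gssapi_verify_mic_cfx` hunks.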
@@ -818,17 +818,16 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, if (seq_number_hi) { /* no support for 64-bit sequence numbers */ *minor_status = ERANGE; - return GSS_S_UNSEQ_TOKEN; + return GSS_S_FAILURE | GSS_S_UNSEQ_TOKEN; } HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - ret = _gssapi_msg_order_check(ctx->order, seq_number_lo); - if (ret != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - return ret; - } + seq_err = _gssapi_msg_order_check(ctx->order, seq_number_lo); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + if (seq_err == GSS_S_FAILURE) { + *minor_status = 0; + return seq_err; + } /* * Decrypt and/or verify checksum
@@ -1025,7 +1024,7 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status, free(data); *minor_status = 0; - return GSS_S_COMPLETE; + return GSS_S_COMPLETE | seq_err; failure: if (data)
@@ -1401,7 +1400,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, { gss_cfx_wrap_token token; u_char token_flags; - krb5_error_code ret; + krb5_error_code ret, seq_err; unsigned usage; krb5_data data; uint16_t ec, rrc;
@@ -1459,18 +1458,16 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, if (seq_number_hi) { /* no support for 64-bit sequence numbers */ *minor_status = ERANGE; - return GSS_S_UNSEQ_TOKEN; + return GSS_S_FAILURE | GSS_S_UNSEQ_TOKEN; } HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - ret = _gssapi_msg_order_check(ctx->order, seq_number_lo); - if (ret != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - _gsskrb5_release_buffer(minor_status, output_message_buffer); - return ret; - } + seq_err = _gssapi_msg_order_check(ctx->order, seq_number_lo); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + if (seq_err == GSS_S_FAILURE) { + *minor_status = 0; + return seq_err; + } /* * Decrypt and/or verify checksum
@@ -1594,7 +1591,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, } *minor_status = 0; - return GSS_S_COMPLETE; + return GSS_S_COMPLETE | seq_err; } OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, 
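Review bot: `_gssapi_msg_order_check()` is still called ahead of the "Decrypt and/or verify checksum" step in `_gssapi_unwrap_cfx_iov`, so the sequence number passed to it comes from a token whose integrity has not been checked yet. In arcfour.c and unwrap.c the same call sits after the `GSS_S_BAD_MIC` returns. If the helper records the number it is given (it is not shown in this diff), a token that later fails verification could still take up a place in the sequence window. I would move the locked `seq_err = _gssapi_msg_order_check(ctx->order, seq_number_lo);` call to after the checksum has been verified. The `_gssapi_unwrap_cfx` and `_gssapi_verify_mic_cfx` hunks have the same ordering, and the function body starts and ends outside this hunk.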
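Review bot: The final `return GSS_S_COMPLETE | seq_err;` carries no comment saying that `seq_err` may hold a replay or ordering indication, and with this commit such a token is processed and handed to the caller instead of being dropped at the sequence check. A caller that only tests `GSS_ERROR()` will accept that message, so replay detection now depends on the caller examining the supplementary bits. I would record this at the return with `/* seq_err holds supplementary bits only (e.g. GSS_S_UNSEQ_TOKEN); GSS_ERROR() is false, callers must test the bits themselves */`. The same return is added in `_gssapi_unwrap_cfx`, `_gssapi_verify_mic_cfx`, `unwrap_des`, `unwrap_des3` and `verify_mic_des3`.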
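Review bot: The rewritten failure return in `_gssapi_unwrap_cfx` no longer calls `_gsskrb5_release_buffer(minor_status, output_message_buffer);`, which the removed lines did before returning. Whether `output_message_buffer` is already empty at this point cannot be seen from the hunk; if it is not, the caller receives a failure status together with a buffer that was never reset. I would keep the call ahead of `return seq_err;` unless the buffer is known to be untouched here.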
@@ -1690,7 +1687,7 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, { gss_cfx_mic_token token; u_char token_flags; - krb5_error_code ret; + krb5_error_code ret, seq_err; unsigned usage; OM_uint32 seq_number_lo, seq_number_hi; u_char *buf, *p;
@@ -1736,17 +1733,16 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, _gss_mg_decode_be_uint32(&token->SND_SEQ[4], &seq_number_lo); if (seq_number_hi) { *minor_status = ERANGE; - return GSS_S_UNSEQ_TOKEN; + return GSS_S_UNSEQ_TOKEN | GSS_S_FAILURE; } HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); - ret = _gssapi_msg_order_check(ctx->order, seq_number_lo); - if (ret != 0) { - *minor_status = 0; - HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); - return ret; - } + seq_err = _gssapi_msg_order_check(ctx->order, seq_number_lo); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); + if (seq_err == GSS_S_FAILURE) { + *minor_status = 0; + return seq_err; + } /* * Verify checksum
@@ -1793,5 +1789,5 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, *qop_state = GSS_C_QOP_DEFAULT; } - return GSS_S_COMPLETE; + return GSS_S_COMPLETE | seq_err; }
diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
index 1eea68eac..9e45fbd27 100644
--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
@@ -57,7 +57,7 @@ unwrap_des size_t i; uint32_t seq_number; size_t padlength; - OM_uint32 ret; + OM_uint32 ret, seq_err; int cstate; int cmp; int token_len;
@@ -175,10 +175,10 @@ unwrap_des return GSS_S_BAD_MIC; } - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { + seq_err = _gssapi_msg_order_check(context_handle->order, seq_number); + if (seq_err == GSS_S_FAILURE) { HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; + return seq_err; } HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -194,7 +194,7 @@ unwrap_des memcpy (output_message_buffer->value, p + 24, output_message_buffer->length); - return GSS_S_COMPLETE; + return GSS_S_COMPLETE | seq_err; } #endif 
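Review bot: The new test `if (seq_err == GSS_S_FAILURE)` in `_gssapi_verify_mic_cfx` only matches the exact value `GSS_S_FAILURE`, although a few lines above it the same function returns the combined status `GSS_S_UNSEQ_TOKEN | GSS_S_FAILURE`. If `_gssapi_msg_order_check()` ever returns a failure with supplementary bits set, or a different routine error, the equality test lets it through and it is OR-ed into `GSS_S_COMPLETE` at the end. I would test the error field instead, `if (GSS_ERROR(seq_err)) {`. The same comparison is added in `_gssapi_unwrap_cfx_iov`, `_gssapi_unwrap_cfx`, `unwrap_des`, `unwrap_des3` and `verify_mic_des3`.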
@@ -217,7 +217,7 @@ unwrap_des3 u_char cksum[20]; uint32_t seq_number; size_t padlength; - OM_uint32 ret; + OM_uint32 ret, seq_err; int cstate; krb5_crypto crypto; Checksum csum;
@@ -349,11 +349,11 @@ unwrap_des3 return GSS_S_BAD_MIC; } - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { + seq_err = _gssapi_msg_order_check(context_handle->order, seq_number); + if (seq_err == GSS_S_FAILURE) { *minor_status = 0; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); - return ret; + return seq_err; } HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -396,7 +396,7 @@ unwrap_des3 memcpy (output_message_buffer->value, p + 36, output_message_buffer->length); - return GSS_S_COMPLETE; + return GSS_S_COMPLETE | seq_err; } OM_uint32 GSSAPI_CALLCONV _gsskrb5_unwrap
diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c
index 4a776c809..3b97a9059 100644
--- a/lib/gssapi/krb5/verify_mic.c
+++ b/lib/gssapi/krb5/verify_mic.c
@@ -148,7 +148,7 @@ verify_mic_des3 u_char *p; u_char *seq; uint32_t seq_number; - OM_uint32 ret; + OM_uint32 ret, seq_err; krb5_crypto crypto; krb5_data seq_data; int cmp, docompat;
@@ -226,8 +226,8 @@ retry: return GSS_S_BAD_MIC; } - ret = _gssapi_msg_order_check(context_handle->order, seq_number); - if (ret) { + seq_err = _gssapi_msg_order_check(context_handle->order, seq_number); + if (seq_err == GSS_S_FAILURE) { krb5_crypto_destroy (context, crypto); *minor_status = 0; HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -269,7 +269,7 @@ retry: HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); krb5_crypto_destroy (context, crypto); - return GSS_S_COMPLETE; + return GSS_S_COMPLETE | seq_err; } OM_uint32
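Review bot: The failure branch of `verify_mic_des3` now tests `seq_err`, but its `return` statement lies below the last context line of the `@@ -226,8 +226,8 @@` hunk and is therefore not changed by this commit. If that line is still `return ret;`, the branch returns whatever `ret` held from an earlier call rather than the sequence-check failure, which could report success for a token the order check rejected. The unwrap.c hunks changed the matching line to `return seq_err;`, and the same change is needed here.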