oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

(gssapi_krb5_verify_8003_checksum, gssapi_krb5_create_8003_checksum): make more consistent by always returning an gssapi error and setting minor status. update callers

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@10588 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
2001-08-29 02:21:09 +00:00
parent 67813438a7
commit 28d9223040
8 changed files with 154 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
lib/gssapi/8003.c
View File

@@ -86,27 +86,35 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
return 0;
}
krb5_error_code
/*
* create a checksum over the chanel bindings in
* `input_chan_bindings', `flags' and `fwd_data' and return it in
* `result'
*/
OM_uint32
gssapi_krb5_create_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
OM_uint32 flags,
krb5_data *fwd_data,
const krb5_data *fwd_data,
Checksum *result)
{
u_char *p;
/*
* see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
* field's format)
*/
* field's format) */
result->cksumtype = 0x8003;
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
result->checksum.length = 24 + 4 + fwd_data->length;
else
result->checksum.length = 24;
result->checksum.data = malloc (result->checksum.length);
if (result->checksum.data == NULL)
return ENOMEM;
if (result->checksum.data == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
p = result->checksum.data;
encode_om_uint32 (16, p);
@@ -139,18 +147,21 @@ gssapi_krb5_create_8003_checksum (
memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
p += fwd_data->length;
if (p - (u_char *)result->checksum.data != result->checksum.length)
abort();
}
return 0;
return GSS_S_COMPLETE;
}
krb5_error_code
/*
* verify the checksum in `cksum' over `input_chan_bindings'
* returning `flags' and `fwd_data'
*/
OM_uint32
gssapi_krb5_verify_8003_checksum(
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
Checksum *cksum,
const Checksum *cksum,
OM_uint32 *flags,
krb5_data *fwd_data)
{
@@ -160,21 +171,29 @@ gssapi_krb5_verify_8003_checksum(
int DlgOpt;
/* XXX should handle checksums > 24 bytes */
if(cksum->cksumtype != 0x8003)
if(cksum->cksumtype != 0x8003) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
p = cksum->checksum.data;
decode_om_uint32(p, &length);
if(length != sizeof(hash))
return GSS_S_BAD_BINDINGS;;
if(length != sizeof(hash)) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
p += 4;
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0)
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
if(memcmp(hash, p, sizeof(hash)) != 0)
}
if(memcmp(hash, p, sizeof(hash)) != 0) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
}
p += sizeof(hash);
@@ -186,18 +205,22 @@ gssapi_krb5_verify_8003_checksum(
p += 4;
DlgOpt = (p[0] << 0) | (p[1] << 8 );
if (DlgOpt != 1)
return GSS_S_BAD_BINDINGS;
if (DlgOpt != 1) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
p += 2;
fwd_data->length = (p[0] << 0) | (p[1] << 8);
fwd_data->data = malloc(fwd_data->length);
if (fwd_data->data == NULL)
return ENOMEM;
if (fwd_data->data == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
p += 2;
memcpy(fwd_data->data, p, fwd_data->length);
}
return 0;
return GSS_S_COMPLETE;
}

38
lib/gssapi/accept_sec_context.c
View File

@@ -115,6 +115,7 @@ gss_accept_sec_context
&(*context_handle)->auth_context);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -146,6 +147,7 @@ gss_accept_sec_context
if (kret) {
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
*minor_status = kret;
goto failure;
}
@@ -157,6 +159,7 @@ gss_accept_sec_context
krb5_free_address (gssapi_krb5_context, &acceptor_addr);
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
*minor_status = kret;
goto failure;
}
@@ -177,6 +180,7 @@ gss_accept_sec_context
if (kret) {
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
*minor_status = kret;
goto failure;
}
}
@@ -199,10 +203,8 @@ gss_accept_sec_context
input_token_buffer,
&indata,
"\x01\x00");
if (ret) {
kret = *minor_status;
if (ret)
goto failure;
}
if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
if (gssapi_krb5_keytab != NULL) {
@@ -222,6 +224,7 @@ gss_accept_sec_context
&ticket);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -231,6 +234,7 @@ gss_accept_sec_context
&(*context_handle)->source);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -240,6 +244,7 @@ gss_accept_sec_context
&(*context_handle)->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -250,6 +255,7 @@ gss_accept_sec_context
src_name);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -263,19 +269,19 @@ gss_accept_sec_context
&authenticator);
if(kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
ret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
ret = gssapi_krb5_verify_8003_checksum(minor_status,
input_chan_bindings,
authenticator->cksum,
&flags,
&fwd_data);
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
if (ret) {
kret = 0;
if (ret)
goto failure;
}
}
if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
@@ -289,12 +295,12 @@ gss_accept_sec_context
if ((*delegated_cred_handle =
calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
ret = GSS_S_FAILURE;
kret = ENOMEM;
*minor_status = ENOMEM;
krb5_set_error_string(gssapi_krb5_context, "out of memory");
gssapi_krb5_set_error_string();
goto failure;
}
if ((kret = gss_duplicate_name(minor_status, ticket->client,
if ((ret = gss_duplicate_name(minor_status, ticket->client,
&(*delegated_cred_handle)->principal)) != 0) {
flags &= ~GSS_C_DELEG_FLAG;
free(*delegated_cred_handle);
@@ -313,16 +319,12 @@ gss_accept_sec_context
(*delegated_cred_handle)->mechanisms == NULL) {
ret = gss_create_empty_oid_set(minor_status,
&(*delegated_cred_handle)->mechanisms);
if (ret) {
kret = *minor_status;
if (ret)
goto failure;
}
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&(*delegated_cred_handle)->mechanisms);
if (ret) {
kret = *minor_status;
if (ret)
goto failure;
}
}
if (kret) {
@@ -373,6 +375,7 @@ end_fwd:
&outbuf);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -381,10 +384,8 @@ end_fwd:
output_token,
"\x02\x00");
krb5_data_free (&outbuf);
if (ret) {
kret = *minor_status;
if (ret)
goto failure;
}
} else {
output_token->length = 0;
}
@@ -417,6 +418,5 @@ failure:
*src_name = NULL;
}
*context_handle = GSS_C_NO_CONTEXT;
*minor_status = kret;
return ret;
}

10
lib/gssapi/gssapi_locl.h
View File

@@ -50,17 +50,19 @@ extern krb5_keytab gssapi_krb5_keytab;
krb5_error_code gssapi_krb5_init (void);
krb5_error_code
OM_uint32
gssapi_krb5_create_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
OM_uint32 flags,
krb5_data *fwd_data,
const krb5_data *fwd_data,
Checksum *result);
krb5_error_code
OM_uint32
gssapi_krb5_verify_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
Checksum *cksum,
const Checksum *cksum,
OM_uint32 *flags,
krb5_data *fwd_data);

15
lib/gssapi/init_sec_context.c
View File

@@ -344,17 +344,14 @@ init_auth
(*context_handle)->flags = flags;
(*context_handle)->more_flags = LOCAL;
kret = gssapi_krb5_create_8003_checksum (input_chan_bindings,
flags,
&fwd_data,
&cksum);
ret = gssapi_krb5_create_8003_checksum (minor_status,
input_chan_bindings,
flags,
&fwd_data,
&cksum);
krb5_data_free (&fwd_data);
if (kret) {
gssapi_krb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
if (ret)
goto failure;
}
#if 1
enctype = (*context_handle)->auth_context->keyblock->keytype;

69
lib/gssapi/krb5/8003.c
View File

@@ -86,27 +86,35 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
return 0;
}
krb5_error_code
/*
* create a checksum over the chanel bindings in
* `input_chan_bindings', `flags' and `fwd_data' and return it in
* `result'
*/
OM_uint32
gssapi_krb5_create_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
OM_uint32 flags,
krb5_data *fwd_data,
const krb5_data *fwd_data,
Checksum *result)
{
u_char *p;
/*
* see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
* field's format)
*/
* field's format) */
result->cksumtype = 0x8003;
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
result->checksum.length = 24 + 4 + fwd_data->length;
else
result->checksum.length = 24;
result->checksum.data = malloc (result->checksum.length);
if (result->checksum.data == NULL)
return ENOMEM;
if (result->checksum.data == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
p = result->checksum.data;
encode_om_uint32 (16, p);
@@ -139,18 +147,21 @@ gssapi_krb5_create_8003_checksum (
memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
p += fwd_data->length;
if (p - (u_char *)result->checksum.data != result->checksum.length)
abort();
}
return 0;
return GSS_S_COMPLETE;
}
krb5_error_code
/*
* verify the checksum in `cksum' over `input_chan_bindings'
* returning `flags' and `fwd_data'
*/
OM_uint32
gssapi_krb5_verify_8003_checksum(
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
Checksum *cksum,
const Checksum *cksum,
OM_uint32 *flags,
krb5_data *fwd_data)
{
@@ -160,21 +171,29 @@ gssapi_krb5_verify_8003_checksum(
int DlgOpt;
/* XXX should handle checksums > 24 bytes */
if(cksum->cksumtype != 0x8003)
if(cksum->cksumtype != 0x8003) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
p = cksum->checksum.data;
decode_om_uint32(p, &length);
if(length != sizeof(hash))
return GSS_S_BAD_BINDINGS;;
if(length != sizeof(hash)) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
p += 4;
if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0)
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
if(memcmp(hash, p, sizeof(hash)) != 0)
}
if(memcmp(hash, p, sizeof(hash)) != 0) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
}
p += sizeof(hash);
@@ -186,18 +205,22 @@ gssapi_krb5_verify_8003_checksum(
p += 4;
DlgOpt = (p[0] << 0) | (p[1] << 8 );
if (DlgOpt != 1)
return GSS_S_BAD_BINDINGS;
if (DlgOpt != 1) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
p += 2;
fwd_data->length = (p[0] << 0) | (p[1] << 8);
fwd_data->data = malloc(fwd_data->length);
if (fwd_data->data == NULL)
return ENOMEM;
if (fwd_data->data == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
p += 2;
memcpy(fwd_data->data, p, fwd_data->length);
}
return 0;
return GSS_S_COMPLETE;
}

38
lib/gssapi/krb5/accept_sec_context.c
View File

@@ -115,6 +115,7 @@ gss_accept_sec_context
&(*context_handle)->auth_context);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -146,6 +147,7 @@ gss_accept_sec_context
if (kret) {
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
*minor_status = kret;
goto failure;
}
@@ -157,6 +159,7 @@ gss_accept_sec_context
krb5_free_address (gssapi_krb5_context, &acceptor_addr);
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
*minor_status = kret;
goto failure;
}
@@ -177,6 +180,7 @@ gss_accept_sec_context
if (kret) {
gssapi_krb5_set_error_string ();
ret = GSS_S_BAD_BINDINGS;
*minor_status = kret;
goto failure;
}
}
@@ -199,10 +203,8 @@ gss_accept_sec_context
input_token_buffer,
&indata,
"\x01\x00");
if (ret) {
kret = *minor_status;
if (ret)
goto failure;
}
if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
if (gssapi_krb5_keytab != NULL) {
@@ -222,6 +224,7 @@ gss_accept_sec_context
&ticket);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -231,6 +234,7 @@ gss_accept_sec_context
&(*context_handle)->source);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -240,6 +244,7 @@ gss_accept_sec_context
&(*context_handle)->target);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -250,6 +255,7 @@ gss_accept_sec_context
src_name);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -263,19 +269,19 @@ gss_accept_sec_context
&authenticator);
if(kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
ret = gssapi_krb5_verify_8003_checksum(input_chan_bindings,
ret = gssapi_krb5_verify_8003_checksum(minor_status,
input_chan_bindings,
authenticator->cksum,
&flags,
&fwd_data);
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
if (ret) {
kret = 0;
if (ret)
goto failure;
}
}
if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
@@ -289,12 +295,12 @@ gss_accept_sec_context
if ((*delegated_cred_handle =
calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
ret = GSS_S_FAILURE;
kret = ENOMEM;
*minor_status = ENOMEM;
krb5_set_error_string(gssapi_krb5_context, "out of memory");
gssapi_krb5_set_error_string();
goto failure;
}
if ((kret = gss_duplicate_name(minor_status, ticket->client,
if ((ret = gss_duplicate_name(minor_status, ticket->client,
&(*delegated_cred_handle)->principal)) != 0) {
flags &= ~GSS_C_DELEG_FLAG;
free(*delegated_cred_handle);
@@ -313,16 +319,12 @@ gss_accept_sec_context
(*delegated_cred_handle)->mechanisms == NULL) {
ret = gss_create_empty_oid_set(minor_status,
&(*delegated_cred_handle)->mechanisms);
if (ret) {
kret = *minor_status;
if (ret)
goto failure;
}
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&(*delegated_cred_handle)->mechanisms);
if (ret) {
kret = *minor_status;
if (ret)
goto failure;
}
}
if (kret) {
@@ -373,6 +375,7 @@ end_fwd:
&outbuf);
if (kret) {
ret = GSS_S_FAILURE;
*minor_status = kret;
gssapi_krb5_set_error_string ();
goto failure;
}
@@ -381,10 +384,8 @@ end_fwd:
output_token,
"\x02\x00");
krb5_data_free (&outbuf);
if (ret) {
kret = *minor_status;
if (ret)
goto failure;
}
} else {
output_token->length = 0;
}
@@ -417,6 +418,5 @@ failure:
*src_name = NULL;
}
*context_handle = GSS_C_NO_CONTEXT;
*minor_status = kret;
return ret;
}

10
lib/gssapi/krb5/gssapi_locl.h
View File

@@ -50,17 +50,19 @@ extern krb5_keytab gssapi_krb5_keytab;
krb5_error_code gssapi_krb5_init (void);
krb5_error_code
OM_uint32
gssapi_krb5_create_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
OM_uint32 flags,
krb5_data *fwd_data,
const krb5_data *fwd_data,
Checksum *result);
krb5_error_code
OM_uint32
gssapi_krb5_verify_8003_checksum (
OM_uint32 *minor_status,
const gss_channel_bindings_t input_chan_bindings,
Checksum *cksum,
const Checksum *cksum,
OM_uint32 *flags,
krb5_data *fwd_data);

15
lib/gssapi/krb5/init_sec_context.c
View File

@@ -344,17 +344,14 @@ init_auth
(*context_handle)->flags = flags;
(*context_handle)->more_flags = LOCAL;
kret = gssapi_krb5_create_8003_checksum (input_chan_bindings,
flags,
&fwd_data,
&cksum);
ret = gssapi_krb5_create_8003_checksum (minor_status,
input_chan_bindings,
flags,
&fwd_data,
&cksum);
krb5_data_free (&fwd_data);
if (kret) {
gssapi_krb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
if (ret)
goto failure;
}
#if 1
enctype = (*context_handle)->auth_context->keyblock->keytype;