diff --git a/lib/gssapi/8003.c b/lib/gssapi/8003.c
index d7d90e24a..891ef6cb5 100644
--- a/lib/gssapi/8003.c
+++ b/lib/gssapi/8003.c
@@ -86,27 +86,35 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, return 0;
 }
-krb5_error_code +/* + * create a checksum over the chanel bindings in + * `input_chan_bindings', `flags' and `fwd_data' and return it in + * `result' + */
+ +OM_uint32 gssapi_krb5_create_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, OM_uint32 flags, - krb5_data *fwd_data, + const krb5_data *fwd_data, Checksum *result) {
 u_char *p;
 /* * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value - * field's format) - */
+ * field's format) */
 result->cksumtype = 0x8003;
 if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) result->checksum.length = 24 + 4 + fwd_data->length;
 else result->checksum.length = 24;
 result->checksum.data = malloc (result->checksum.length);
- if (result->checksum.data == NULL) - return ENOMEM;
+ if (result->checksum.data == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
 p = result->checksum.data;
 encode_om_uint32 (16, p);
@@ -139,18 +147,21 @@ gssapi_krb5_create_8003_checksum ( memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
 p += fwd_data->length;
- - if (p - (u_char *)result->checksum.data != result->checksum.length) - abort();
 }
- - return 0;
+ + return GSS_S_COMPLETE;
 }
-krb5_error_code +/* + * verify the checksum in `cksum' over `input_chan_bindings' + * returning `flags' and `fwd_data' + */
+ +OM_uint32 gssapi_krb5_verify_8003_checksum( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, - Checksum *cksum, + const Checksum *cksum, OM_uint32 *flags, krb5_data *fwd_data) {
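Review bot: The new header comment on gssapi_krb5_create_8003_checksum does not state the contract the callers in this change now rely on: the function returns GSS_S_COMPLETE, or GSS_S_FAILURE with `*minor_status` set to ENOMEM when the `malloc` fails, and `result->checksum.data` is allocated here and presumably released by the caller. Suggest adding to the comment ` * Returns GSS_S_COMPLETE, or GSS_S_FAILURE with *minor_status = ENOMEM; on success the caller owns result->checksum.data.` Also "chanel" should read "channel", and folding the closing `*/` of the rfc1964 comment onto the text line is an unrelated style change. The duplicate hunk in lib/gssapi/krb5/8003.c carries the same comment.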
@@ -160,21 +171,29 @@ gssapi_krb5_verify_8003_checksum( int DlgOpt;
 /* XXX should handle checksums > 24 bytes */
- if(cksum->cksumtype != 0x8003) + if(cksum->cksumtype != 0x8003) {
+ *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
+ }
 p = cksum->checksum.data;
 decode_om_uint32(p, &length);
- if(length != sizeof(hash)) - return GSS_S_BAD_BINDINGS;;
+ if(length != sizeof(hash)) {
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
+ }
 p += 4;
 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
- if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) + if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
+ *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
- if(memcmp(hash, p, sizeof(hash)) != 0) + }
+ if(memcmp(hash, p, sizeof(hash)) != 0) {
+ *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
+ }
 }
 p += sizeof(hash);
@@ -186,18 +205,22 @@ gssapi_krb5_verify_8003_checksum( p += 4;
 DlgOpt = (p[0] << 0) | (p[1] << 8 );
- if (DlgOpt != 1) - return GSS_S_BAD_BINDINGS;
+ if (DlgOpt != 1) {
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
+ }
 p += 2;
 fwd_data->length = (p[0] << 0) | (p[1] << 8);
 fwd_data->data = malloc(fwd_data->length);
- if (fwd_data->data == NULL) - return ENOMEM;
+ if (fwd_data->data == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
 p += 2;
 memcpy(fwd_data->data, p, fwd_data->length);
 }
- return 0;
+ return GSS_S_COMPLETE;
 }
diff --git a/lib/gssapi/accept_sec_context.c b/lib/gssapi/accept_sec_context.c
index 4435afb85..8f1f6fdbc 100644
--- a/lib/gssapi/accept_sec_context.c
+++ b/lib/gssapi/accept_sec_context.c
@@ -115,6 +115,7 @@ gss_accept_sec_context &(*context_handle)->auth_context);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -146,6 +147,7 @@ gss_accept_sec_context if (kret) {
 gssapi_krb5_set_error_string ();
 ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
 goto failure;
 }
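Review bot: The new early returns in this hunk and in the -186 hunk below still never check `cksum->checksum.length` against what is read from `cksum->checksum.data`: `decode_om_uint32` and the `memcmp` run at fixed offsets inside the first 24 bytes, and the -186 hunk then takes a 16-bit `fwd_data->length` from the same buffer and `memcpy`s that many bytes out of it, so a checksum shorter than 24 bytes, or than 28 plus the announced length, is read past its end. The checksum comes from the peer's authenticator (`authenticator->cksum` in the -263 hunk of accept_sec_context.c), so its length has to be validated rather than trusted; today only the embedded length word is compared with `sizeof(hash)`. The guards below mirror the `24 + 4 + fwd_data->length` layout that gssapi_krb5_create_8003_checksum emits; the function's signature is in the previous hunk, and the branch that reads DlgOpt opens above the -186 hunk. The identical hunks in lib/gssapi/krb5/8003.c need the same change.
```c
    if(cksum->cksumtype != 0x8003) {
        *minor_status = 0;
        return GSS_S_BAD_BINDINGS;
    }
    /* length word, bindings hash and flags: the 24 bytes create_8003_checksum always emits */
    if (cksum->checksum.length < 24) {
        *minor_status = 0;
        return GSS_S_BAD_BINDINGS;
    }
    p = cksum->checksum.data;
    /* … unchanged: length word, bindings hash and flags decoding … */
    /* DlgOpt and Dlgth occupy bytes 24..27; the forwarded data follows them */
    if (cksum->checksum.length < 28) {
        *minor_status = 0;
        return GSS_S_BAD_BINDINGS;
    }
    DlgOpt = (p[0] << 0) | (p[1] << 8 );
    /* … unchanged: DlgOpt check, Dlgth decoding … */
    fwd_data->length = (p[0] << 0) | (p[1] << 8);
    /* the announced delegation length must fit inside the checksum buffer */
    if (cksum->checksum.length < 28 + fwd_data->length) {
        *minor_status = 0;
        return GSS_S_BAD_BINDINGS;
    }
    fwd_data->data = malloc(fwd_data->length);
```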
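Review bot: The added `*minor_status = kret;` is placed between `ret = GSS_S_FAILURE;` and `gssapi_krb5_set_error_string ();` here and in the -222/-231/-240/-250/-263/-373 hunks, but after `gssapi_krb5_set_error_string ();` in the -146/-157/-177 hunks. Since the `failure:` label no longer stores the minor status (the -417 hunk removes `*minor_status = kret;`), every error branch has to carry this line itself, and a fixed order, `ret = …; *minor_status = kret; gssapi_krb5_set_error_string ();`, makes an omitted assignment easy to spot on review. The copy of this file under lib/gssapi/krb5/ has the same hunks.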
@@ -157,6 +159,7 @@ gss_accept_sec_context krb5_free_address (gssapi_krb5_context, &acceptor_addr);
 gssapi_krb5_set_error_string ();
 ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
 goto failure;
 }
@@ -177,6 +180,7 @@ gss_accept_sec_context if (kret) {
 gssapi_krb5_set_error_string ();
 ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
 goto failure;
 }
 }
@@ -199,10 +203,8 @@ gss_accept_sec_context input_token_buffer, &indata, "\x01\x00");
- if (ret) {
- kret = *minor_status;
+ if (ret) goto failure;
- }
 if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
 if (gssapi_krb5_keytab != NULL) {
@@ -222,6 +224,7 @@ gss_accept_sec_context &ticket);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -231,6 +234,7 @@ gss_accept_sec_context &(*context_handle)->source);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -240,6 +244,7 @@ gss_accept_sec_context &(*context_handle)->target);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -250,6 +255,7 @@ gss_accept_sec_context src_name);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -263,19 +269,19 @@ gss_accept_sec_context &authenticator);
 if(kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
- ret = gssapi_krb5_verify_8003_checksum(input_chan_bindings, + ret = gssapi_krb5_verify_8003_checksum(minor_status, + input_chan_bindings, authenticator->cksum, &flags, &fwd_data);
 krb5_free_authenticator(gssapi_krb5_context, &authenticator);
- if (ret) {
- kret = 0;
+ if (ret) goto failure;
- }
 }
 if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
@@ -289,12 +295,12 @@ gss_accept_sec_context if ((*delegated_cred_handle = calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
 ret = GSS_S_FAILURE;
- kret = ENOMEM;
+ *minor_status = ENOMEM;
 krb5_set_error_string(gssapi_krb5_context, "out of memory");
 gssapi_krb5_set_error_string();
 goto failure;
 }
- if ((kret = gss_duplicate_name(minor_status, ticket->client, + if ((ret = gss_duplicate_name(minor_status, ticket->client, &(*delegated_cred_handle)->principal)) != 0) {
 flags &= ~GSS_C_DELEG_FLAG;
 free(*delegated_cred_handle);
@@ -313,16 +319,12 @@ gss_accept_sec_context (*delegated_cred_handle)->mechanisms == NULL) {
 ret = gss_create_empty_oid_set(minor_status, &(*delegated_cred_handle)->mechanisms);
- if (ret) {
- kret = *minor_status;
+ if (ret) goto failure;
- }
 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, &(*delegated_cred_handle)->mechanisms);
- if (ret) {
- kret = *minor_status;
+ if (ret) goto failure;
- }
 }
 if (kret) {
@@ -373,6 +375,7 @@ end_fwd: &outbuf);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -381,10 +384,8 @@ end_fwd: output_token, "\x02\x00");
 krb5_data_free (&outbuf);
- if (ret) {
- kret = *minor_status;
+ if (ret) goto failure;
- }
 } else {
 output_token->length = 0;
 }
@@ -417,6 +418,5 @@ failure: *src_name = NULL;
 }
 *context_handle = GSS_C_NO_CONTEXT;
- *minor_status = kret;
 return ret;
 }
diff --git a/lib/gssapi/gssapi_locl.h b/lib/gssapi/gssapi_locl.h
index e955513c5..9035b8be9 100644
--- a/lib/gssapi/gssapi_locl.h
+++ b/lib/gssapi/gssapi_locl.h
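Review bot: Storing the gss_duplicate_name() result in `ret` instead of `kret` changes what the later `if (kret) {` (visible as trailing context of the -313 hunk) tests; if that check was meant to catch this failure, it now sees whatever krb5 call last assigned `kret`. Meanwhile `ret` holds a non-zero major status while the function carries on (this branch clears GSS_C_DELEG_FLAG and frees the handle rather than jumping to `failure`), so either confirm `ret` is reset before the success return or keep the result in a separate local, e.g. `OM_uint32 dret;` and `if ((dret = gss_duplicate_name(...)) != 0) {`. The rest of that error branch is outside the hunk; the lib/gssapi/krb5/ copy of this file has the identical hunk.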
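Review bot: Dropping `*minor_status = kret;` at `failure:` in the -417 hunk makes the minor status depend on every `goto failure` path having stored it on its own; the branches changed in this file do, but any branch outside these hunks that still only assigns `kret`, or that reaches `failure` through a call that never wrote `*minor_status`, now returns a stale or unset minor status to the caller. Auditing the remaining `goto failure` sites in gss_accept_sec_context, which lie outside the hunks, would confirm none still relies on the removed line; the same applies to the lib/gssapi/krb5/ copy.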
@@ -50,17 +50,19 @@ extern krb5_keytab gssapi_krb5_keytab;
 krb5_error_code gssapi_krb5_init (void);
-krb5_error_code +OM_uint32 gssapi_krb5_create_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, OM_uint32 flags, - krb5_data *fwd_data, + const krb5_data *fwd_data, Checksum *result);
-krb5_error_code +OM_uint32 gssapi_krb5_verify_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, - Checksum *cksum, + const Checksum *cksum, OM_uint32 *flags, krb5_data *fwd_data);
diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c
index 136a63416..acaf8f192 100644
--- a/lib/gssapi/init_sec_context.c
+++ b/lib/gssapi/init_sec_context.c
@@ -344,17 +344,14 @@ init_auth (*context_handle)->flags = flags;
 (*context_handle)->more_flags = LOCAL;
- kret = gssapi_krb5_create_8003_checksum (input_chan_bindings, - flags, - &fwd_data, - &cksum);
+ ret = gssapi_krb5_create_8003_checksum (minor_status, + input_chan_bindings, + flags, + &fwd_data, + &cksum);
 krb5_data_free (&fwd_data);
- if (kret) {
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- ret = GSS_S_FAILURE;
+ if (ret) goto failure;
- }
 #if 1 enctype = (*context_handle)->auth_context->keyblock->keytype;
diff --git a/lib/gssapi/krb5/8003.c b/lib/gssapi/krb5/8003.c
index d7d90e24a..891ef6cb5 100644
--- a/lib/gssapi/krb5/8003.c
+++ b/lib/gssapi/krb5/8003.c
@@ -86,27 +86,35 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, return 0;
 }
-krb5_error_code +/* + * create a checksum over the chanel bindings in + * `input_chan_bindings', `flags' and `fwd_data' and return it in + * `result' + */
+ +OM_uint32 gssapi_krb5_create_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, OM_uint32 flags, - krb5_data *fwd_data, + const krb5_data *fwd_data, Checksum *result) {
 u_char *p;
 /* * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value - * field's format) - */
+ * field's format) */
 result->cksumtype = 0x8003;
 if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) result->checksum.length = 24 + 4 + fwd_data->length;
 else result->checksum.length = 24;
 result->checksum.data = malloc (result->checksum.length);
- if (result->checksum.data == NULL) - return ENOMEM;
+ if (result->checksum.data == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
 p = result->checksum.data;
 encode_om_uint32 (16, p);
@@ -139,18 +147,21 @@ gssapi_krb5_create_8003_checksum ( memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length);
 p += fwd_data->length;
- - if (p - (u_char *)result->checksum.data != result->checksum.length) - abort();
 }
- - return 0;
+ + return GSS_S_COMPLETE;
 }
-krb5_error_code +/* + * verify the checksum in `cksum' over `input_chan_bindings' + * returning `flags' and `fwd_data' + */
+ +OM_uint32 gssapi_krb5_verify_8003_checksum( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, - Checksum *cksum, + const Checksum *cksum, OM_uint32 *flags, krb5_data *fwd_data) {
@@ -160,21 +171,29 @@ gssapi_krb5_verify_8003_checksum( int DlgOpt;
 /* XXX should handle checksums > 24 bytes */
- if(cksum->cksumtype != 0x8003) + if(cksum->cksumtype != 0x8003) {
+ *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
+ }
 p = cksum->checksum.data;
 decode_om_uint32(p, &length);
- if(length != sizeof(hash)) - return GSS_S_BAD_BINDINGS;;
+ if(length != sizeof(hash)) {
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
+ }
 p += 4;
 if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
- if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) + if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
+ *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
- if(memcmp(hash, p, sizeof(hash)) != 0) + }
+ if(memcmp(hash, p, sizeof(hash)) != 0) {
+ *minor_status = 0;
 return GSS_S_BAD_BINDINGS;
+ }
 }
 p += sizeof(hash);
@@ -186,18 +205,22 @@ gssapi_krb5_verify_8003_checksum( p += 4;
 DlgOpt = (p[0] << 0) | (p[1] << 8 );
- if (DlgOpt != 1) - return GSS_S_BAD_BINDINGS;
+ if (DlgOpt != 1) {
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
+ }
 p += 2;
 fwd_data->length = (p[0] << 0) | (p[1] << 8);
 fwd_data->data = malloc(fwd_data->length);
- if (fwd_data->data == NULL) - return ENOMEM;
+ if (fwd_data->data == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
 p += 2;
 memcpy(fwd_data->data, p, fwd_data->length);
 }
- return 0;
+ return GSS_S_COMPLETE;
 }
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 4435afb85..8f1f6fdbc 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -115,6 +115,7 @@ gss_accept_sec_context &(*context_handle)->auth_context);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -146,6 +147,7 @@ gss_accept_sec_context if (kret) {
 gssapi_krb5_set_error_string ();
 ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
 goto failure;
 }
@@ -157,6 +159,7 @@ gss_accept_sec_context krb5_free_address (gssapi_krb5_context, &acceptor_addr);
 gssapi_krb5_set_error_string ();
 ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
 goto failure;
 }
@@ -177,6 +180,7 @@ gss_accept_sec_context if (kret) {
 gssapi_krb5_set_error_string ();
 ret = GSS_S_BAD_BINDINGS;
+ *minor_status = kret;
 goto failure;
 }
 }
@@ -199,10 +203,8 @@ gss_accept_sec_context input_token_buffer, &indata, "\x01\x00");
- if (ret) {
- kret = *minor_status;
+ if (ret) goto failure;
- }
 if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) {
 if (gssapi_krb5_keytab != NULL) {
@@ -222,6 +224,7 @@ gss_accept_sec_context &ticket);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -231,6 +234,7 @@ gss_accept_sec_context &(*context_handle)->source);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -240,6 +244,7 @@ gss_accept_sec_context &(*context_handle)->target);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -250,6 +255,7 @@ gss_accept_sec_context src_name);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -263,19 +269,19 @@ gss_accept_sec_context &authenticator);
 if(kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
- ret = gssapi_krb5_verify_8003_checksum(input_chan_bindings, + ret = gssapi_krb5_verify_8003_checksum(minor_status, + input_chan_bindings, authenticator->cksum, &flags, &fwd_data);
 krb5_free_authenticator(gssapi_krb5_context, &authenticator);
- if (ret) {
- kret = 0;
+ if (ret) goto failure;
- }
 }
 if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
@@ -289,12 +295,12 @@ gss_accept_sec_context if ((*delegated_cred_handle = calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
 ret = GSS_S_FAILURE;
- kret = ENOMEM;
+ *minor_status = ENOMEM;
 krb5_set_error_string(gssapi_krb5_context, "out of memory");
 gssapi_krb5_set_error_string();
 goto failure;
 }
- if ((kret = gss_duplicate_name(minor_status, ticket->client, + if ((ret = gss_duplicate_name(minor_status, ticket->client, &(*delegated_cred_handle)->principal)) != 0) {
 flags &= ~GSS_C_DELEG_FLAG;
 free(*delegated_cred_handle);
@@ -313,16 +319,12 @@ gss_accept_sec_context (*delegated_cred_handle)->mechanisms == NULL) {
 ret = gss_create_empty_oid_set(minor_status, &(*delegated_cred_handle)->mechanisms);
- if (ret) {
- kret = *minor_status;
+ if (ret) goto failure;
- }
 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, &(*delegated_cred_handle)->mechanisms);
- if (ret) {
- kret = *minor_status;
+ if (ret) goto failure;
- }
 }
 if (kret) {
@@ -373,6 +375,7 @@ end_fwd: &outbuf);
 if (kret) {
 ret = GSS_S_FAILURE;
+ *minor_status = kret;
 gssapi_krb5_set_error_string ();
 goto failure;
 }
@@ -381,10 +384,8 @@ end_fwd: output_token, "\x02\x00");
 krb5_data_free (&outbuf);
- if (ret) {
- kret = *minor_status;
+ if (ret) goto failure;
- }
 } else {
 output_token->length = 0;
 }
@@ -417,6 +418,5 @@ failure: *src_name = NULL;
 }
 *context_handle = GSS_C_NO_CONTEXT;
- *minor_status = kret;
 return ret;
 }
diff --git a/lib/gssapi/krb5/gssapi_locl.h b/lib/gssapi/krb5/gssapi_locl.h
index e955513c5..9035b8be9 100644
--- a/lib/gssapi/krb5/gssapi_locl.h
+++ b/lib/gssapi/krb5/gssapi_locl.h
@@ -50,17 +50,19 @@ extern krb5_keytab gssapi_krb5_keytab;
 krb5_error_code gssapi_krb5_init (void);
-krb5_error_code +OM_uint32 gssapi_krb5_create_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, OM_uint32 flags, - krb5_data *fwd_data, + const krb5_data *fwd_data, Checksum *result);
-krb5_error_code +OM_uint32 gssapi_krb5_verify_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, - Checksum *cksum, + const Checksum *cksum, OM_uint32 *flags, krb5_data *fwd_data);
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 136a63416..acaf8f192 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -344,17 +344,14 @@ init_auth (*context_handle)->flags = flags;
 (*context_handle)->more_flags = LOCAL;
- kret = gssapi_krb5_create_8003_checksum (input_chan_bindings, - flags, - &fwd_data, - &cksum);
+ ret = gssapi_krb5_create_8003_checksum (minor_status, + input_chan_bindings, + flags, + &fwd_data, + &cksum);
 krb5_data_free (&fwd_data);
- if (kret) {
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- ret = GSS_S_FAILURE;
+ if (ret) goto failure;
- }
 #if 1 enctype = (*context_handle)->auth_context->keyblock->keytype;