gsskrb5: fix ec and padding handling in _gssapi_unwrap_cfx_iov()
metze Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This commit is contained in:
Stefan Metzmacher
committed by
Love Hornquist Astrand
Love Hornquist Astrand
parent
76f0fb9170
commit
560cb0c132
@@ -710,7 +710,7 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
|
|||||||
int iov_count)
|
int iov_count)
|
||||||
{
|
{
|
||||||
OM_uint32 seq_number_lo, seq_number_hi, major_status, junk;
|
OM_uint32 seq_number_lo, seq_number_hi, major_status, junk;
|
||||||
gss_iov_buffer_desc *header, *trailer;
|
gss_iov_buffer_desc *header, *trailer, *padding;
|
||||||
gss_cfx_wrap_token token, ttoken;
|
gss_cfx_wrap_token token, ttoken;
|
||||||
u_char token_flags;
|
u_char token_flags;
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
@@ -730,8 +730,19 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
|
|||||||
if (header->buffer.length < sizeof(*token)) /* we check exact below */
|
if (header->buffer.length < sizeof(*token)) /* we check exact below */
|
||||||
return GSS_S_DEFECTIVE_TOKEN;
|
return GSS_S_DEFECTIVE_TOKEN;
|
||||||
|
|
||||||
|
padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
|
||||||
|
if (padding != NULL && padding->buffer.length != 0) {
|
||||||
|
*minor_status = EINVAL;
|
||||||
|
return GSS_S_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
|
trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
|
||||||
|
|
||||||
|
major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
|
||||||
|
if (major_status != GSS_S_COMPLETE) {
|
||||||
|
return major_status;
|
||||||
|
}
|
||||||
|
|
||||||
token = (gss_cfx_wrap_token)header->buffer.value;
|
token = (gss_cfx_wrap_token)header->buffer.value;
|
||||||
|
|
||||||
if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04)
|
if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04)
|
||||||
@@ -813,14 +824,16 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
|
|||||||
size_t gsstsize = k5tsize + sizeof(*token);
|
size_t gsstsize = k5tsize + sizeof(*token);
|
||||||
size_t gsshsize = k5hsize + sizeof(*token);
|
size_t gsshsize = k5hsize + sizeof(*token);
|
||||||
|
|
||||||
if (IS_DCE_STYLE(ctx))
|
|
||||||
gsstsize += ec;
|
|
||||||
gsshsize += gsstsize;
|
|
||||||
|
|
||||||
if (rrc != gsstsize) {
|
if (rrc != gsstsize) {
|
||||||
major_status = GSS_S_DEFECTIVE_TOKEN;
|
major_status = GSS_S_DEFECTIVE_TOKEN;
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (IS_DCE_STYLE(ctx))
|
||||||
|
gsstsize += ec;
|
||||||
|
|
||||||
|
gsshsize += gsstsize;
|
||||||
|
|
||||||
if (header->buffer.length != gsshsize) {
|
if (header->buffer.length != gsshsize) {
|
||||||
major_status = GSS_S_DEFECTIVE_TOKEN;
|
major_status = GSS_S_DEFECTIVE_TOKEN;
|
||||||
goto failure;
|
goto failure;
|
||||||
@@ -847,7 +860,6 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
|
|||||||
for (j = 0; j < iov_count; i++, j++) {
|
for (j = 0; j < iov_count; i++, j++) {
|
||||||
switch (GSS_IOV_BUFFER_TYPE(iov[j].type)) {
|
switch (GSS_IOV_BUFFER_TYPE(iov[j].type)) {
|
||||||
case GSS_IOV_BUFFER_TYPE_DATA:
|
case GSS_IOV_BUFFER_TYPE_DATA:
|
||||||
case GSS_IOV_BUFFER_TYPE_PADDING:
|
|
||||||
data[i].flags = KRB5_CRYPTO_TYPE_DATA;
|
data[i].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
break;
|
break;
|
||||||
case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
|
case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
|
||||||
@@ -865,17 +877,20 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
|
|||||||
DCE mode). Copy in header into E"header"
|
DCE mode). Copy in header into E"header"
|
||||||
*/
|
*/
|
||||||
data[i].flags = KRB5_CRYPTO_TYPE_DATA;
|
data[i].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
if (trailer)
|
if (trailer) {
|
||||||
data[i].data.data = trailer->buffer.value;
|
data[i].data.data = trailer->buffer.value;
|
||||||
else
|
} else {
|
||||||
data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize - k5tsize - sizeof(*token);
|
data[i].data.data = ((uint8_t *)header->buffer.value) +
|
||||||
data[i].data.length = sizeof(*token);
|
header->buffer.length - k5hsize - k5tsize - ec- sizeof(*token);
|
||||||
ttoken = (gss_cfx_wrap_token)data[i].data.data;
|
}
|
||||||
|
|
||||||
|
data[i].data.length = ec + sizeof(*token);
|
||||||
|
ttoken = (gss_cfx_wrap_token)(((uint8_t *)data[i].data.data) + ec);
|
||||||
i++;
|
i++;
|
||||||
|
|
||||||
/* Kerberos trailer comes after the gss trailer */
|
/* Kerberos trailer comes after the gss trailer */
|
||||||
data[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
|
data[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
|
||||||
data[i].data.data = ((uint8_t *)data[i-1].data.data) + sizeof(*token);
|
data[i].data.data = ((uint8_t *)data[i-1].data.data) + ec + sizeof(*token);
|
||||||
data[i].data.length = k5tsize;
|
data[i].data.length = k5tsize;
|
||||||
i++;
|
i++;
|
||||||
|
|
||||||
@@ -895,6 +910,9 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
|
|||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
size_t gsstsize = ec;
|
||||||
|
size_t gsshsize = sizeof(*token);
|
||||||
|
|
||||||
/* Check RRC */
|
/* Check RRC */
|
||||||
if (rrc != 0) {
|
if (rrc != 0) {
|
||||||
*minor_status = EINVAL;
|
*minor_status = EINVAL;
|
||||||
@@ -903,21 +921,21 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (trailer == NULL) {
|
if (trailer == NULL) {
|
||||||
*minor_status = EINVAL;
|
gsshsize += gsstsize;
|
||||||
major_status = GSS_S_FAILURE;
|
gsstsize = 0;
|
||||||
|
} else if (trailer->buffer.length != gsstsize) {
|
||||||
|
major_status = GSS_S_DEFECTIVE_TOKEN;
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (trailer->buffer.length != ec) {
|
if (header->buffer.length != gsshsize) {
|
||||||
*minor_status = EINVAL;
|
major_status = GSS_S_DEFECTIVE_TOKEN;
|
||||||
major_status = GSS_S_FAILURE;
|
|
||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < iov_count; i++) {
|
for (i = 0; i < iov_count; i++) {
|
||||||
switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
|
switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
|
||||||
case GSS_IOV_BUFFER_TYPE_DATA:
|
case GSS_IOV_BUFFER_TYPE_DATA:
|
||||||
case GSS_IOV_BUFFER_TYPE_PADDING:
|
|
||||||
data[i].flags = KRB5_CRYPTO_TYPE_DATA;
|
data[i].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
break;
|
break;
|
||||||
case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
|
case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
|
||||||
@@ -933,12 +951,17 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
|
|||||||
|
|
||||||
data[i].flags = KRB5_CRYPTO_TYPE_DATA;
|
data[i].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||||
data[i].data.data = header->buffer.value;
|
data[i].data.data = header->buffer.value;
|
||||||
data[i].data.length = header->buffer.length;
|
data[i].data.length = sizeof(*token);
|
||||||
i++;
|
i++;
|
||||||
|
|
||||||
data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
|
||||||
data[i].data.data = trailer->buffer.value;
|
if (trailer) {
|
||||||
data[i].data.length = trailer->buffer.length;
|
data[i].data.data = trailer->buffer.value;
|
||||||
|
} else {
|
||||||
|
data[i].data.data = (uint8_t *)header->buffer.value +
|
||||||
|
sizeof(*token);
|
||||||
|
}
|
||||||
|
data[i].data.length = ec;
|
||||||
i++;
|
i++;
|
||||||
|
|
||||||
token = (gss_cfx_wrap_token)header->buffer.value;
|
token = (gss_cfx_wrap_token)header->buffer.value;
|
||||||
|
|||||||
Reference in New Issue
Block a user