oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

use the krb5_crypto directly, skipping some per packet calculation, make cfx handling simpler

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24067 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2008-12-11 04:52:10 +00:00
parent 7c4ee0b0e2
commit 9586101a49
10 changed files with 145 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/gssapi/krb5/accept_sec_context.c
View File

@@ -74,8 +74,9 @@ _gsskrb5_register_acceptor_identity (const char *identity)
}
void
_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int acceptor)
_gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
{
krb5_error_code ret;
krb5_keyblock *key;
if (acceptor) {
@@ -112,6 +113,9 @@ _gsskrb5i_is_cfx(gsskrb5_ctx ctx, int acceptor)
ctx->more_flags |= ACCEPTOR_SUBKEY;
break;
}
if (ctx->crypto)
krb5_crypto_destroy(context, ctx->crypto);
ret = krb5_crypto_init(context, key, 0, &ctx->crypto);
}
@@ -208,7 +212,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
ctx->auth_context,
&seq_number);
_gsskrb5i_is_cfx(ctx, 1);
_gsskrb5i_is_cfx(context, ctx, 1);
is_cfx = (ctx->more_flags & IS_CFX);
ret = _gssapi_msg_order_create(minor_status,
@@ -525,7 +529,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
krb5_data outbuf;
int use_subkey = 0;
_gsskrb5i_is_cfx(ctx, 1);
_gsskrb5i_is_cfx(context, ctx, 1);
is_cfx = (ctx->more_flags & IS_CFX);
if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {

219
lib/gssapi/krb5/cfx.c
View File

@@ -96,49 +96,47 @@ _gsskrb5cfx_wrap_length_cfx(krb5_context context,
return 0;
}
krb5_error_code
_gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
krb5_crypto crypto,
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx ctx,
krb5_context context,
int conf_req_flag,
size_t input_length,
OM_uint32 *output_length)
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32 *max_input_size)
{
krb5_error_code ret;
*output_length = 0;
*max_input_size = 0;
/* 16-byte header is always first */
if (input_length < 16)
if (req_output_size < 16)
return 0;
input_length -= 16;
req_output_size -= 16;
if (conf_req_flag) {
size_t wrapped_size, sz;
wrapped_size = input_length + 1;
wrapped_size = req_output_size + 1;
do {
wrapped_size--;
sz = krb5_get_wrapped_length(context,
crypto, wrapped_size);
} while (wrapped_size && sz > input_length);
if (wrapped_size == 0) {
*output_length = 0;
ctx->crypto, wrapped_size);
} while (wrapped_size && sz > req_output_size);
if (wrapped_size == 0)
return 0;
}
/* inner header */
if (wrapped_size < 16) {
*output_length = 0;
if (wrapped_size < 16)
return 0;
}
wrapped_size -= 16;
*output_length = wrapped_size;
*max_input_size = wrapped_size;
} else {
krb5_cksumtype type;
size_t cksumsize;
ret = krb5_crypto_get_checksum_type(context, crypto, &type);
ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &type);
if (ret)
return ret;
@@ -146,48 +144,16 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
if (ret)
return ret;
if (input_length < cksumsize)
if (req_output_size < cksumsize)
return 0;
/* Checksum is concatenated with data */
*output_length = input_length - cksumsize;
*max_input_size = req_output_size - cksumsize;
}
return 0;
}
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32 *max_input_size,
krb5_keyblock *key)
{
krb5_error_code ret;
krb5_crypto crypto;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag,
req_output_size, max_input_size);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(context, crypto);
return GSS_S_COMPLETE;
}
/*
* Rotate "rrc" bytes to the front or back
*/
@@ -233,16 +199,14 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
}
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
const gsskrb5_ctx ctx,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
const gss_buffer_t input_message_buffer,
int *conf_state,
gss_buffer_t output_message_buffer,
krb5_keyblock *key)
gss_buffer_t output_message_buffer)
{
krb5_crypto crypto;
gss_cfx_wrap_token token;
krb5_error_code ret;
unsigned usage;
@@ -252,19 +216,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
int32_t seq_number;
u_char *p;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5cfx_wrap_length_cfx(context,
crypto, conf_req_flag,
ctx->crypto, conf_req_flag,
input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -275,7 +232,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(output_message_buffer->length);
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -285,9 +241,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->TOK_ID[1] = 0x04;
token->Flags = 0;
token->Filler = 0xFF;
if ((context_handle->more_flags & LOCAL) == 0)
if ((ctx->more_flags & LOCAL) == 0)
token->Flags |= CFXSentByAcceptor;
if (context_handle->more_flags & ACCEPTOR_SUBKEY)
if (ctx->more_flags & ACCEPTOR_SUBKEY)
token->Flags |= CFXAcceptorSubkey;
if (conf_req_flag) {
/*
@@ -324,16 +280,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = 0;
token->RRC[1] = 0;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(context,
context_handle->auth_context,
ctx->auth_context,
&seq_number);
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(context,
context_handle->auth_context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
/*
* If confidentiality is requested, the token header is
@@ -344,7 +300,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
* calculated over the plaintext concatenated with the
* token header.
*/
if (context_handle->more_flags & LOCAL) {
if (ctx->more_flags & LOCAL) {
usage = KRB5_KU_USAGE_INITIATOR_SEAL;
} else {
usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
@@ -365,14 +321,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
memcpy(p + input_message_buffer->length + padlength,
token, sizeof(*token));
ret = krb5_encrypt(context, crypto,
ret = krb5_encrypt(context, ctx->crypto,
usage, p,
input_message_buffer->length + padlength +
sizeof(*token),
&cipher);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
@@ -383,7 +338,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
@@ -396,21 +350,19 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
buf = malloc(input_message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE;
}
memcpy(buf, input_message_buffer->value, input_message_buffer->length);
memcpy(buf + input_message_buffer->length, token, sizeof(*token));
ret = krb5_create_checksum(context, crypto,
ret = krb5_create_checksum(context, ctx->crypto,
usage, 0, buf,
input_message_buffer->length +
sizeof(*token),
&cksum);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free(buf);
return GSS_S_FAILURE;
@@ -433,7 +385,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
free_Checksum(&cksum);
return GSS_S_FAILURE;
@@ -441,8 +392,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
free_Checksum(&cksum);
}
krb5_crypto_destroy(context, crypto);
if (conf_state != NULL) {
*conf_state = conf_req_flag;
}
@@ -452,15 +401,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
const gsskrb5_ctx ctx,
krb5_context context,
const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer,
int *conf_state,
gss_qop_t *qop_state,
krb5_keyblock *key)
gss_qop_t *qop_state)
{
krb5_crypto crypto;
gss_cfx_wrap_token token;
u_char token_flags;
krb5_error_code ret;
@@ -490,11 +437,11 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
(CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
if (token_flags & CFXSentByAcceptor) {
if ((context_handle->more_flags & LOCAL) == 0)
if ((ctx->more_flags & LOCAL) == 0)
return GSS_S_DEFECTIVE_TOKEN;
}
if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
if (ctx->more_flags & ACCEPTOR_SUBKEY) {
if ((token_flags & CFXAcceptorSubkey) == 0)
return GSS_S_DEFECTIVE_TOKEN;
} else {
@@ -524,26 +471,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
return GSS_S_UNSEQ_TOKEN;
}
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
if (ret != 0) {
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return ret;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
/*
* Decrypt and/or verify checksum
*/
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
if (context_handle->more_flags & LOCAL) {
if (ctx->more_flags & LOCAL) {
usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
} else {
usage = KRB5_KU_USAGE_INITIATOR_SEAL;
@@ -556,22 +498,19 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Rotate by RRC; bogus to do this in-place XXX */
*minor_status = rrc_rotate(p, len, rrc, TRUE);
if (*minor_status != 0) {
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
if (token_flags & CFXSealed) {
ret = krb5_decrypt(context, crypto, usage,
ret = krb5_decrypt(context, ctx->crypto, usage,
p, len, &data);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_BAD_MIC;
}
/* Check that there is room for the pad and token header */
if (data.length < ec + sizeof(*token)) {
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
return GSS_S_DEFECTIVE_TOKEN;
}
@@ -584,7 +523,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check the integrity of the header */
if (memcmp(p, token, sizeof(*token)) != 0) {
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
return GSS_S_BAD_MIC;
}
@@ -596,10 +534,10 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Determine checksum type */
ret = krb5_crypto_get_checksum_type(context,
crypto, &cksum.cksumtype);
ctx->crypto,
&cksum.cksumtype);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -608,7 +546,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check we have at least as much data as the checksum */
if (len < cksum.checksum.length) {
*minor_status = ERANGE;
krb5_crypto_destroy(context, crypto);
return GSS_S_BAD_MIC;
}
@@ -620,7 +557,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(len + sizeof(*token));
if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -637,21 +573,18 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = 0;
token->RRC[1] = 0;
ret = krb5_verify_checksum(context, crypto,
ret = krb5_verify_checksum(context, ctx->crypto,
usage,
output_message_buffer->value,
len + sizeof(*token),
&cksum);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_BAD_MIC;
}
}
krb5_crypto_destroy(context, crypto);
if (qop_state != NULL) {
*qop_state = GSS_C_QOP_DEFAULT;
}
@@ -661,14 +594,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
const gsskrb5_ctx ctx,
krb5_context context,
gss_qop_t qop_req,
const gss_buffer_t message_buffer,
gss_buffer_t message_token,
krb5_keyblock *key)
gss_buffer_t message_token)
{
krb5_crypto crypto;
gss_cfx_mic_token token;
krb5_error_code ret;
unsigned usage;
@@ -677,17 +608,10 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
size_t len;
int32_t seq_number;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
len = message_buffer->length + sizeof(*token);
buf = malloc(len);
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
@@ -697,38 +621,36 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
token->TOK_ID[0] = 0x04;
token->TOK_ID[1] = 0x04;
token->Flags = 0;
if ((context_handle->more_flags & LOCAL) == 0)
if ((ctx->more_flags & LOCAL) == 0)
token->Flags |= CFXSentByAcceptor;
if (context_handle->more_flags & ACCEPTOR_SUBKEY)
if (ctx->more_flags & ACCEPTOR_SUBKEY)
token->Flags |= CFXAcceptorSubkey;
memset(token->Filler, 0xFF, 5);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(context,
context_handle->auth_context,
ctx->auth_context,
&seq_number);
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(context,
context_handle->auth_context,
ctx->auth_context,
++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (context_handle->more_flags & LOCAL) {
if (ctx->more_flags & LOCAL) {
usage = KRB5_KU_USAGE_INITIATOR_SIGN;
} else {
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
}
ret = krb5_create_checksum(context, crypto,
ret = krb5_create_checksum(context, ctx->crypto,
usage, 0, buf, len, &cksum);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
free(buf);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(context, crypto);
/* Determine MIC length */
message_token->length = sizeof(*token) + cksum.checksum.length;
@@ -753,14 +675,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
}
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
const gsskrb5_ctx ctx,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t *qop_state,
krb5_keyblock *key)
gss_qop_t *qop_state)
{
krb5_crypto crypto;
gss_cfx_mic_token token;
u_char token_flags;
krb5_error_code ret;
@@ -787,10 +707,10 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
if (token_flags & CFXSentByAcceptor) {
if ((context_handle->more_flags & LOCAL) == 0)
if ((ctx->more_flags & LOCAL) == 0)
return GSS_S_DEFECTIVE_TOKEN;
}
if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
if (ctx->more_flags & ACCEPTOR_SUBKEY) {
if ((token_flags & CFXAcceptorSubkey) == 0)
return GSS_S_DEFECTIVE_TOKEN;
} else {
@@ -812,36 +732,29 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
return GSS_S_UNSEQ_TOKEN;
}
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
if (ret != 0) {
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
/*
* Verify checksum
*/
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_crypto_get_checksum_type(context, crypto,
ret = krb5_crypto_get_checksum_type(context, ctx->crypto,
&cksum.cksumtype);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
cksum.checksum.data = p + sizeof(*token);
cksum.checksum.length = token_buffer->length - sizeof(*token);
if (context_handle->more_flags & LOCAL) {
if (ctx->more_flags & LOCAL) {
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
} else {
usage = KRB5_KU_USAGE_INITIATOR_SIGN;
@@ -850,18 +763,16 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
buf = malloc(message_buffer->length + sizeof(*token));
if (buf == NULL) {
*minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
memcpy(buf, message_buffer->value, message_buffer->length);
memcpy(buf + message_buffer->length, token, sizeof(*token));
ret = krb5_verify_checksum(context, crypto,
ret = krb5_verify_checksum(context, ctx->crypto,
usage,
buf,
sizeof(*token) + message_buffer->length,
&cksum);
krb5_crypto_destroy(context, crypto);
if (ret != 0) {
*minor_status = ret;
free(buf);

2
lib/gssapi/krb5/delete_sec_context.c
View File

@@ -74,6 +74,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
if (ctx->service_keyblock)
krb5_free_keyblock (context, ctx->service_keyblock);
krb5_data_free(&ctx->fwd_data);
if (ctx->crypto)
krb5_crypto_destroy(context, ctx->crypto);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);

7
lib/gssapi/krb5/get_mic.c
View File

@@ -282,6 +282,10 @@ OM_uint32 _gsskrb5_get_mic
OM_uint32 ret;
krb5_keytype keytype;
if (ctx->more_flags & IS_CFX)
return _gssapi_mic_cfx (minor_status, ctx, context, qop_req,
message_buffer, message_token);
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -308,8 +312,7 @@ OM_uint32 _gsskrb5_get_mic
message_buffer, message_token, key);
break;
default :
ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
abort();
break;
}
krb5_free_keyblock (context, key);

3
lib/gssapi/krb5/gsskrb5_locl.h
View File

@@ -54,7 +54,7 @@
struct gss_msg_order;
typedef struct {
typedef struct gsskrb5_ctx {
struct krb5_auth_context_data *auth_context;
krb5_principal source, target;
#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
@@ -86,6 +86,7 @@ typedef struct {
struct gss_msg_order *order;
krb5_keyblock *service_keyblock;
krb5_data fwd_data;
krb5_crypto crypto;
} *gsskrb5_ctx;
typedef struct {

3
lib/gssapi/krb5/init_sec_context.c
View File

@@ -131,6 +131,7 @@ _gsskrb5_create_ctx(
krb5_data_zero(&ctx->fwd_data);
ctx->lifetime = GSS_C_INDEFINITE;
ctx->order = NULL;
ctx->crypto = NULL;
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (context, &ctx->auth_context);
@@ -257,7 +258,7 @@ gsskrb5_initiator_ready(
krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number);
_gsskrb5i_is_cfx(ctx, 0);
_gsskrb5i_is_cfx(context, ctx, 0);
is_cfx = (ctx->more_flags & IS_CFX);
ret = _gssapi_msg_order_create(minor_status,

38
lib/gssapi/krb5/test_cfx.c
View File

@@ -54,17 +54,23 @@ test_range(const struct range *r, int integ,
{
krb5_error_code ret;
size_t size, rsize;
struct gsskrb5_ctx ctx;
for (size = r->lower; size < r->upper; size++) {
OM_uint32 max_wrap_size;
size_t cksumsize;
uint16_t padsize;
OM_uint32 minor;
OM_uint32 max_wrap_size;
ret = _gsskrb5cfx_max_wrap_length_cfx(context,
crypto,
integ,
size,
&max_wrap_size);
ctx.crypto = crypto;
ret = _gssapi_wrap_size_cfx(&minor,
&ctx,
context,
integ,
0,
size,
&max_wrap_size);
if (ret)
krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
if (max_wrap_size == 0)
@@ -94,12 +100,20 @@ test_special(krb5_context context, krb5_crypto crypto,
OM_uint32 max_wrap_size;
size_t cksumsize;
uint16_t padsize;
struct gsskrb5_ctx ctx;
OM_uint32 minor;
ret = _gsskrb5cfx_max_wrap_length_cfx(context,
crypto,
integ,
testsize,
&max_wrap_size);
ctx.crypto = crypto;
ret = _gssapi_wrap_size_cfx(&minor,
&ctx,
context,
integ,
0,
testsize,
&max_wrap_size);
if (ret)
krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
if (ret)
krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
@@ -145,7 +159,7 @@ main(int argc, char **argv)
test_special(context, crypto, 1, 60);
test_special(context, crypto, 0, 60);
for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
test_range(&tests[i], 1, context, crypto);
test_range(&tests[i], 0, context, crypto);

13
lib/gssapi/krb5/unwrap.c
View File

@@ -369,11 +369,16 @@ OM_uint32 _gsskrb5_unwrap
output_message_buffer->value = NULL;
output_message_buffer->length = 0;
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
if (ctx->more_flags & IS_CFX)
return _gssapi_unwrap_cfx (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state);
GSSAPI_KRB5_INIT (&context);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -403,9 +408,7 @@ OM_uint32 _gsskrb5_unwrap
conf_state, qop_state, key);
break;
default :
ret = _gssapi_unwrap_cfx (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
abort();
break;
}
krb5_free_keyblock (context, key);

25
lib/gssapi/krb5/verify_mic.c
View File

@@ -266,7 +266,7 @@ retry:
OM_uint32
_gsskrb5_verify_mic_internal
(OM_uint32 * minor_status,
const gsskrb5_ctx context_handle,
const gsskrb5_ctx ctx,
krb5_context context,
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
@@ -278,9 +278,14 @@ _gsskrb5_verify_mic_internal
OM_uint32 ret;
krb5_keytype keytype;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ctx->more_flags & IS_CFX)
return _gssapi_verify_mic_cfx (minor_status, ctx,
context, message_buffer, token_buffer,
qop_state);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
@@ -289,28 +294,24 @@ _gsskrb5_verify_mic_internal
krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
ret = verify_mic_des (minor_status, context_handle, context,
ret = verify_mic_des (minor_status, ctx, context,
message_buffer, token_buffer, qop_state, key,
type);
break;
case KEYTYPE_DES3 :
ret = verify_mic_des3 (minor_status, context_handle, context,
ret = verify_mic_des3 (minor_status, ctx, context,
message_buffer, token_buffer, qop_state, key,
type);
break;
case KEYTYPE_ARCFOUR :
case KEYTYPE_ARCFOUR_56 :
ret = _gssapi_verify_mic_arcfour (minor_status, context_handle,
ret = _gssapi_verify_mic_arcfour (minor_status, ctx,
context,
message_buffer, token_buffer,
qop_state, key, type);
break;
default :
ret = _gssapi_verify_mic_cfx (minor_status, context_handle,
context,
message_buffer, token_buffer, qop_state,
key);
break;
abort();
}
krb5_free_keyblock (context, key);

21
lib/gssapi/krb5/wrap.c
View File

@@ -152,6 +152,11 @@ _gsskrb5_wrap_size_limit (
krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
if (ctx->more_flags & IS_CFX)
return _gssapi_wrap_size_cfx(minor_status, ctx, context,
conf_req_flag, qop_req,
req_output_size, max_input_size);
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -177,9 +182,7 @@ _gsskrb5_wrap_size_limit (
ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
break;
default :
ret = _gssapi_wrap_size_cfx(minor_status, ctx, context,
conf_req_flag, qop_req,
req_output_size, max_input_size, key);
abort();
break;
}
krb5_free_keyblock (context, key);
@@ -512,6 +515,14 @@ OM_uint32 _gsskrb5_wrap
krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
output_message_buffer->value = NULL;
output_message_buffer->length = 0;
if (ctx->more_flags & IS_CFX)
return _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer);
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -541,9 +552,7 @@ OM_uint32 _gsskrb5_wrap
output_message_buffer, key);
break;
default :
ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
abort();
break;
}
krb5_free_keyblock (context, key);