oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

use the krb5_crypto directly, skipping some per packet calculation, make cfx handling simpler

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24067 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2008-12-11 04:52:10 +00:00
parent 7c4ee0b0e2
commit 9586101a49
10 changed files with 145 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/gssapi/krb5/accept_sec_context.c
View File

@@ -74,8 +74,9 @@ _gsskrb5_register_acceptor_identity (const char *identity)
} }
void void
_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int acceptor) _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
{ {
krb5_error_code ret;
krb5_keyblock *key; krb5_keyblock *key;
if (acceptor) { if (acceptor) {
@@ -112,6 +113,9 @@ _gsskrb5i_is_cfx(gsskrb5_ctx ctx, int acceptor)
ctx->more_flags |= ACCEPTOR_SUBKEY; ctx->more_flags |= ACCEPTOR_SUBKEY;
break; break;
} }
if (ctx->crypto)
krb5_crypto_destroy(context, ctx->crypto);
ret = krb5_crypto_init(context, key, 0, &ctx->crypto);
} }
@@ -208,7 +212,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
ctx->auth_context, ctx->auth_context,
&seq_number); &seq_number);
_gsskrb5i_is_cfx(ctx, 1); _gsskrb5i_is_cfx(context, ctx, 1);
is_cfx = (ctx->more_flags & IS_CFX); is_cfx = (ctx->more_flags & IS_CFX);
ret = _gssapi_msg_order_create(minor_status, ret = _gssapi_msg_order_create(minor_status,
@@ -525,7 +529,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
krb5_data outbuf; krb5_data outbuf;
int use_subkey = 0; int use_subkey = 0;
_gsskrb5i_is_cfx(ctx, 1); _gsskrb5i_is_cfx(context, ctx, 1);
is_cfx = (ctx->more_flags & IS_CFX); is_cfx = (ctx->more_flags & IS_CFX);
if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) { if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {

219
lib/gssapi/krb5/cfx.c
View File

@@ -96,49 +96,47 @@ _gsskrb5cfx_wrap_length_cfx(krb5_context context,
return 0; return 0;
} }
krb5_error_code OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
_gsskrb5cfx_max_wrap_length_cfx(krb5_context context, const gsskrb5_ctx ctx,
krb5_crypto crypto, krb5_context context,
int conf_req_flag, int conf_req_flag,
size_t input_length, gss_qop_t qop_req,
OM_uint32 *output_length) OM_uint32 req_output_size,
OM_uint32 *max_input_size)
{ {
krb5_error_code ret; krb5_error_code ret;
*output_length = 0; *max_input_size = 0;
/* 16-byte header is always first */ /* 16-byte header is always first */
if (input_length < 16) if (req_output_size < 16)
return 0; return 0;
input_length -= 16; req_output_size -= 16;
if (conf_req_flag) { if (conf_req_flag) {
size_t wrapped_size, sz; size_t wrapped_size, sz;
wrapped_size = input_length + 1; wrapped_size = req_output_size + 1;
do { do {
wrapped_size--; wrapped_size--;
sz = krb5_get_wrapped_length(context, sz = krb5_get_wrapped_length(context,
crypto, wrapped_size); ctx->crypto, wrapped_size);
} while (wrapped_size && sz > input_length); } while (wrapped_size && sz > req_output_size);
if (wrapped_size == 0) { if (wrapped_size == 0)
*output_length = 0;
return 0; return 0;
}
/* inner header */ /* inner header */
if (wrapped_size < 16) { if (wrapped_size < 16)
*output_length = 0;
return 0; return 0;
}
wrapped_size -= 16; wrapped_size -= 16;
*output_length = wrapped_size; *max_input_size = wrapped_size;
} else { } else {
krb5_cksumtype type; krb5_cksumtype type;
size_t cksumsize; size_t cksumsize;
ret = krb5_crypto_get_checksum_type(context, crypto, &type); ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &type);
if (ret) if (ret)
return ret; return ret;
@@ -146,48 +144,16 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
if (ret) if (ret)
return ret; return ret;
if (input_length < cksumsize) if (req_output_size < cksumsize)
return 0; return 0;
/* Checksum is concatenated with data */ /* Checksum is concatenated with data */
*output_length = input_length - cksumsize; *max_input_size = req_output_size - cksumsize;
} }
return 0; return 0;
} }
OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32 *max_input_size,
krb5_keyblock *key)
{
krb5_error_code ret;
krb5_crypto crypto;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag,
req_output_size, max_input_size);
if (ret != 0) {
*minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
krb5_crypto_destroy(context, crypto);
return GSS_S_COMPLETE;
}
/* /*
* Rotate "rrc" bytes to the front or back * Rotate "rrc" bytes to the front or back
*/ */
@@ -233,16 +199,14 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
} }
OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status, OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle, const gsskrb5_ctx ctx,
krb5_context context, krb5_context context,
int conf_req_flag, int conf_req_flag,
gss_qop_t qop_req, gss_qop_t qop_req,
const gss_buffer_t input_message_buffer, const gss_buffer_t input_message_buffer,
int *conf_state, int *conf_state,
gss_buffer_t output_message_buffer, gss_buffer_t output_message_buffer)
krb5_keyblock *key)
{ {
krb5_crypto crypto;
gss_cfx_wrap_token token; gss_cfx_wrap_token token;
krb5_error_code ret; krb5_error_code ret;
unsigned usage; unsigned usage;
@@ -252,19 +216,12 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
int32_t seq_number; int32_t seq_number;
u_char *p; u_char *p;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5cfx_wrap_length_cfx(context, ret = _gsskrb5cfx_wrap_length_cfx(context,
crypto, conf_req_flag, ctx->crypto, conf_req_flag,
input_message_buffer->length, input_message_buffer->length,
&wrapped_len, &cksumsize, &padlength); &wrapped_len, &cksumsize, &padlength);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
@@ -275,7 +232,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(output_message_buffer->length); output_message_buffer->value = malloc(output_message_buffer->length);
if (output_message_buffer->value == NULL) { if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM; *minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
@@ -285,9 +241,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->TOK_ID[1] = 0x04; token->TOK_ID[1] = 0x04;
token->Flags = 0; token->Flags = 0;
token->Filler = 0xFF; token->Filler = 0xFF;
if ((context_handle->more_flags & LOCAL) == 0) if ((ctx->more_flags & LOCAL) == 0)
token->Flags |= CFXSentByAcceptor; token->Flags |= CFXSentByAcceptor;
if (context_handle->more_flags & ACCEPTOR_SUBKEY) if (ctx->more_flags & ACCEPTOR_SUBKEY)
token->Flags |= CFXAcceptorSubkey; token->Flags |= CFXAcceptorSubkey;
if (conf_req_flag) { if (conf_req_flag) {
/* /*
@@ -324,16 +280,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = 0; token->RRC[0] = 0;
token->RRC[1] = 0; token->RRC[1] = 0;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(context, krb5_auth_con_getlocalseqnumber(context,
context_handle->auth_context, ctx->auth_context,
&seq_number); &seq_number);
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(context, krb5_auth_con_setlocalseqnumber(context,
context_handle->auth_context, ctx->auth_context,
++seq_number); ++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
/* /*
* If confidentiality is requested, the token header is * If confidentiality is requested, the token header is
@@ -344,7 +300,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
* calculated over the plaintext concatenated with the * calculated over the plaintext concatenated with the
* token header. * token header.
*/ */
if (context_handle->more_flags & LOCAL) { if (ctx->more_flags & LOCAL) {
usage = KRB5_KU_USAGE_INITIATOR_SEAL; usage = KRB5_KU_USAGE_INITIATOR_SEAL;
} else { } else {
usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
@@ -365,14 +321,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
memcpy(p + input_message_buffer->length + padlength, memcpy(p + input_message_buffer->length + padlength,
token, sizeof(*token)); token, sizeof(*token));
ret = krb5_encrypt(context, crypto, ret = krb5_encrypt(context, ctx->crypto,
usage, p, usage, p,
input_message_buffer->length + padlength + input_message_buffer->length + padlength +
sizeof(*token), sizeof(*token),
&cipher); &cipher);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer); _gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
@@ -383,7 +338,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE); ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer); _gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
@@ -396,21 +350,19 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
buf = malloc(input_message_buffer->length + sizeof(*token)); buf = malloc(input_message_buffer->length + sizeof(*token));
if (buf == NULL) { if (buf == NULL) {
*minor_status = ENOMEM; *minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer); _gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
memcpy(buf, input_message_buffer->value, input_message_buffer->length); memcpy(buf, input_message_buffer->value, input_message_buffer->length);
memcpy(buf + input_message_buffer->length, token, sizeof(*token)); memcpy(buf + input_message_buffer->length, token, sizeof(*token));
ret = krb5_create_checksum(context, crypto, ret = krb5_create_checksum(context, ctx->crypto,
usage, 0, buf, usage, 0, buf,
input_message_buffer->length + input_message_buffer->length +
sizeof(*token), sizeof(*token),
&cksum); &cksum);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer); _gsskrb5_release_buffer(minor_status, output_message_buffer);
free(buf); free(buf);
return GSS_S_FAILURE; return GSS_S_FAILURE;
@@ -433,7 +385,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
input_message_buffer->length + cksum.checksum.length, rrc, FALSE); input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer); _gsskrb5_release_buffer(minor_status, output_message_buffer);
free_Checksum(&cksum); free_Checksum(&cksum);
return GSS_S_FAILURE; return GSS_S_FAILURE;
@@ -441,8 +392,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
free_Checksum(&cksum); free_Checksum(&cksum);
} }
krb5_crypto_destroy(context, crypto);
if (conf_state != NULL) { if (conf_state != NULL) {
*conf_state = conf_req_flag; *conf_state = conf_req_flag;
} }
@@ -452,15 +401,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
} }
OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status, OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle, const gsskrb5_ctx ctx,
krb5_context context, krb5_context context,
const gss_buffer_t input_message_buffer, const gss_buffer_t input_message_buffer,
gss_buffer_t output_message_buffer, gss_buffer_t output_message_buffer,
int *conf_state, int *conf_state,
gss_qop_t *qop_state, gss_qop_t *qop_state)
krb5_keyblock *key)
{ {
krb5_crypto crypto;
gss_cfx_wrap_token token; gss_cfx_wrap_token token;
u_char token_flags; u_char token_flags;
krb5_error_code ret; krb5_error_code ret;
@@ -490,11 +437,11 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
(CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey); (CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
if (token_flags & CFXSentByAcceptor) { if (token_flags & CFXSentByAcceptor) {
if ((context_handle->more_flags & LOCAL) == 0) if ((ctx->more_flags & LOCAL) == 0)
return GSS_S_DEFECTIVE_TOKEN; return GSS_S_DEFECTIVE_TOKEN;
} }
if (context_handle->more_flags & ACCEPTOR_SUBKEY) { if (ctx->more_flags & ACCEPTOR_SUBKEY) {
if ((token_flags & CFXAcceptorSubkey) == 0) if ((token_flags & CFXAcceptorSubkey) == 0)
return GSS_S_DEFECTIVE_TOKEN; return GSS_S_DEFECTIVE_TOKEN;
} else { } else {
@@ -524,26 +471,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
return GSS_S_UNSEQ_TOKEN; return GSS_S_UNSEQ_TOKEN;
} }
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
if (ret != 0) { if (ret != 0) {
*minor_status = 0; *minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
_gsskrb5_release_buffer(minor_status, output_message_buffer); _gsskrb5_release_buffer(minor_status, output_message_buffer);
return ret; return ret;
} }
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
/* /*
* Decrypt and/or verify checksum * Decrypt and/or verify checksum
*/ */
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
if (context_handle->more_flags & LOCAL) { if (ctx->more_flags & LOCAL) {
usage = KRB5_KU_USAGE_ACCEPTOR_SEAL; usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
} else { } else {
usage = KRB5_KU_USAGE_INITIATOR_SEAL; usage = KRB5_KU_USAGE_INITIATOR_SEAL;
@@ -556,22 +498,19 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Rotate by RRC; bogus to do this in-place XXX */ /* Rotate by RRC; bogus to do this in-place XXX */
*minor_status = rrc_rotate(p, len, rrc, TRUE); *minor_status = rrc_rotate(p, len, rrc, TRUE);
if (*minor_status != 0) { if (*minor_status != 0) {
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
if (token_flags & CFXSealed) { if (token_flags & CFXSealed) {
ret = krb5_decrypt(context, crypto, usage, ret = krb5_decrypt(context, ctx->crypto, usage,
p, len, &data); p, len, &data);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_BAD_MIC; return GSS_S_BAD_MIC;
} }
/* Check that there is room for the pad and token header */ /* Check that there is room for the pad and token header */
if (data.length < ec + sizeof(*token)) { if (data.length < ec + sizeof(*token)) {
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data); krb5_data_free(&data);
return GSS_S_DEFECTIVE_TOKEN; return GSS_S_DEFECTIVE_TOKEN;
} }
@@ -584,7 +523,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check the integrity of the header */ /* Check the integrity of the header */
if (memcmp(p, token, sizeof(*token)) != 0) { if (memcmp(p, token, sizeof(*token)) != 0) {
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data); krb5_data_free(&data);
return GSS_S_BAD_MIC; return GSS_S_BAD_MIC;
} }
@@ -596,10 +534,10 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Determine checksum type */ /* Determine checksum type */
ret = krb5_crypto_get_checksum_type(context, ret = krb5_crypto_get_checksum_type(context,
crypto, &cksum.cksumtype); ctx->crypto,
&cksum.cksumtype);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
@@ -608,7 +546,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
/* Check we have at least as much data as the checksum */ /* Check we have at least as much data as the checksum */
if (len < cksum.checksum.length) { if (len < cksum.checksum.length) {
*minor_status = ERANGE; *minor_status = ERANGE;
krb5_crypto_destroy(context, crypto);
return GSS_S_BAD_MIC; return GSS_S_BAD_MIC;
} }
@@ -620,7 +557,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
output_message_buffer->value = malloc(len + sizeof(*token)); output_message_buffer->value = malloc(len + sizeof(*token));
if (output_message_buffer->value == NULL) { if (output_message_buffer->value == NULL) {
*minor_status = ENOMEM; *minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
@@ -637,21 +573,18 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
token->RRC[0] = 0; token->RRC[0] = 0;
token->RRC[1] = 0; token->RRC[1] = 0;
ret = krb5_verify_checksum(context, crypto, ret = krb5_verify_checksum(context, ctx->crypto,
usage, usage,
output_message_buffer->value, output_message_buffer->value,
len + sizeof(*token), len + sizeof(*token),
&cksum); &cksum);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
_gsskrb5_release_buffer(minor_status, output_message_buffer); _gsskrb5_release_buffer(minor_status, output_message_buffer);
return GSS_S_BAD_MIC; return GSS_S_BAD_MIC;
} }
} }
krb5_crypto_destroy(context, crypto);
if (qop_state != NULL) { if (qop_state != NULL) {
*qop_state = GSS_C_QOP_DEFAULT; *qop_state = GSS_C_QOP_DEFAULT;
} }
@@ -661,14 +594,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
} }
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status, OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle, const gsskrb5_ctx ctx,
krb5_context context, krb5_context context,
gss_qop_t qop_req, gss_qop_t qop_req,
const gss_buffer_t message_buffer, const gss_buffer_t message_buffer,
gss_buffer_t message_token, gss_buffer_t message_token)
krb5_keyblock *key)
{ {
krb5_crypto crypto;
gss_cfx_mic_token token; gss_cfx_mic_token token;
krb5_error_code ret; krb5_error_code ret;
unsigned usage; unsigned usage;
@@ -677,17 +608,10 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
size_t len; size_t len;
int32_t seq_number; int32_t seq_number;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
len = message_buffer->length + sizeof(*token); len = message_buffer->length + sizeof(*token);
buf = malloc(len); buf = malloc(len);
if (buf == NULL) { if (buf == NULL) {
*minor_status = ENOMEM; *minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
@@ -697,38 +621,36 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
token->TOK_ID[0] = 0x04; token->TOK_ID[0] = 0x04;
token->TOK_ID[1] = 0x04; token->TOK_ID[1] = 0x04;
token->Flags = 0; token->Flags = 0;
if ((context_handle->more_flags & LOCAL) == 0) if ((ctx->more_flags & LOCAL) == 0)
token->Flags |= CFXSentByAcceptor; token->Flags |= CFXSentByAcceptor;
if (context_handle->more_flags & ACCEPTOR_SUBKEY) if (ctx->more_flags & ACCEPTOR_SUBKEY)
token->Flags |= CFXAcceptorSubkey; token->Flags |= CFXAcceptorSubkey;
memset(token->Filler, 0xFF, 5); memset(token->Filler, 0xFF, 5);
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_getlocalseqnumber(context, krb5_auth_con_getlocalseqnumber(context,
context_handle->auth_context, ctx->auth_context,
&seq_number); &seq_number);
_gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]); _gsskrb5_encode_be_om_uint32(0, &token->SND_SEQ[0]);
_gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]); _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
krb5_auth_con_setlocalseqnumber(context, krb5_auth_con_setlocalseqnumber(context,
context_handle->auth_context, ctx->auth_context,
++seq_number); ++seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (context_handle->more_flags & LOCAL) { if (ctx->more_flags & LOCAL) {
usage = KRB5_KU_USAGE_INITIATOR_SIGN; usage = KRB5_KU_USAGE_INITIATOR_SIGN;
} else { } else {
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
} }
ret = krb5_create_checksum(context, crypto, ret = krb5_create_checksum(context, ctx->crypto,
usage, 0, buf, len, &cksum); usage, 0, buf, len, &cksum);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
free(buf); free(buf);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
krb5_crypto_destroy(context, crypto);
/* Determine MIC length */ /* Determine MIC length */
message_token->length = sizeof(*token) + cksum.checksum.length; message_token->length = sizeof(*token) + cksum.checksum.length;
@@ -753,14 +675,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
} }
OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status, OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle, const gsskrb5_ctx ctx,
krb5_context context, krb5_context context,
const gss_buffer_t message_buffer, const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer, const gss_buffer_t token_buffer,
gss_qop_t *qop_state, gss_qop_t *qop_state)
krb5_keyblock *key)
{ {
krb5_crypto crypto;
gss_cfx_mic_token token; gss_cfx_mic_token token;
u_char token_flags; u_char token_flags;
krb5_error_code ret; krb5_error_code ret;
@@ -787,10 +707,10 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey); token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
if (token_flags & CFXSentByAcceptor) { if (token_flags & CFXSentByAcceptor) {
if ((context_handle->more_flags & LOCAL) == 0) if ((ctx->more_flags & LOCAL) == 0)
return GSS_S_DEFECTIVE_TOKEN; return GSS_S_DEFECTIVE_TOKEN;
} }
if (context_handle->more_flags & ACCEPTOR_SUBKEY) { if (ctx->more_flags & ACCEPTOR_SUBKEY) {
if ((token_flags & CFXAcceptorSubkey) == 0) if ((token_flags & CFXAcceptorSubkey) == 0)
return GSS_S_DEFECTIVE_TOKEN; return GSS_S_DEFECTIVE_TOKEN;
} else { } else {
@@ -812,36 +732,29 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
return GSS_S_UNSEQ_TOKEN; return GSS_S_UNSEQ_TOKEN;
} }
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo); ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
if (ret != 0) { if (ret != 0) {
*minor_status = 0; *minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret; return ret;
} }
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
/* /*
* Verify checksum * Verify checksum
*/ */
ret = krb5_crypto_init(context, key, 0, &crypto); ret = krb5_crypto_get_checksum_type(context, ctx->crypto,
if (ret != 0) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_crypto_get_checksum_type(context, crypto,
&cksum.cksumtype); &cksum.cksumtype);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
cksum.checksum.data = p + sizeof(*token); cksum.checksum.data = p + sizeof(*token);
cksum.checksum.length = token_buffer->length - sizeof(*token); cksum.checksum.length = token_buffer->length - sizeof(*token);
if (context_handle->more_flags & LOCAL) { if (ctx->more_flags & LOCAL) {
usage = KRB5_KU_USAGE_ACCEPTOR_SIGN; usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
} else { } else {
usage = KRB5_KU_USAGE_INITIATOR_SIGN; usage = KRB5_KU_USAGE_INITIATOR_SIGN;
@@ -850,18 +763,16 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
buf = malloc(message_buffer->length + sizeof(*token)); buf = malloc(message_buffer->length + sizeof(*token));
if (buf == NULL) { if (buf == NULL) {
*minor_status = ENOMEM; *minor_status = ENOMEM;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
memcpy(buf, message_buffer->value, message_buffer->length); memcpy(buf, message_buffer->value, message_buffer->length);
memcpy(buf + message_buffer->length, token, sizeof(*token)); memcpy(buf + message_buffer->length, token, sizeof(*token));
ret = krb5_verify_checksum(context, crypto, ret = krb5_verify_checksum(context, ctx->crypto,
usage, usage,
buf, buf,
sizeof(*token) + message_buffer->length, sizeof(*token) + message_buffer->length,
&cksum); &cksum);
krb5_crypto_destroy(context, crypto);
if (ret != 0) { if (ret != 0) {
*minor_status = ret; *minor_status = ret;
free(buf); free(buf);

2
lib/gssapi/krb5/delete_sec_context.c
View File

@@ -74,6 +74,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
if (ctx->service_keyblock) if (ctx->service_keyblock)
krb5_free_keyblock (context, ctx->service_keyblock); krb5_free_keyblock (context, ctx->service_keyblock);
krb5_data_free(&ctx->fwd_data); krb5_data_free(&ctx->fwd_data);
if (ctx->crypto)
krb5_crypto_destroy(context, ctx->crypto);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);

7
lib/gssapi/krb5/get_mic.c
View File

@@ -282,6 +282,10 @@ OM_uint32 _gsskrb5_get_mic
OM_uint32 ret; OM_uint32 ret;
krb5_keytype keytype; krb5_keytype keytype;
if (ctx->more_flags & IS_CFX)
return _gssapi_mic_cfx (minor_status, ctx, context, qop_req,
message_buffer, message_token);
GSSAPI_KRB5_INIT (&context); GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -308,8 +312,7 @@ OM_uint32 _gsskrb5_get_mic
message_buffer, message_token, key); message_buffer, message_token, key);
break; break;
default : default :
ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req, abort();
message_buffer, message_token, key);
break; break;
} }
krb5_free_keyblock (context, key); krb5_free_keyblock (context, key);

3
lib/gssapi/krb5/gsskrb5_locl.h
View File

@@ -54,7 +54,7 @@
struct gss_msg_order; struct gss_msg_order;
typedef struct { typedef struct gsskrb5_ctx {
struct krb5_auth_context_data *auth_context; struct krb5_auth_context_data *auth_context;
krb5_principal source, target; krb5_principal source, target;
#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0) #define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
@@ -86,6 +86,7 @@ typedef struct {
struct gss_msg_order *order; struct gss_msg_order *order;
krb5_keyblock *service_keyblock; krb5_keyblock *service_keyblock;
krb5_data fwd_data; krb5_data fwd_data;
krb5_crypto crypto;
} *gsskrb5_ctx; } *gsskrb5_ctx;
typedef struct { typedef struct {

3
lib/gssapi/krb5/init_sec_context.c
View File

@@ -131,6 +131,7 @@ _gsskrb5_create_ctx(
krb5_data_zero(&ctx->fwd_data); krb5_data_zero(&ctx->fwd_data);
ctx->lifetime = GSS_C_INDEFINITE; ctx->lifetime = GSS_C_INDEFINITE;
ctx->order = NULL; ctx->order = NULL;
ctx->crypto = NULL;
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (context, &ctx->auth_context); kret = krb5_auth_con_init (context, &ctx->auth_context);
@@ -257,7 +258,7 @@ gsskrb5_initiator_ready(
krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number); krb5_auth_getremoteseqnumber (context, ctx->auth_context, &seq_number);
_gsskrb5i_is_cfx(ctx, 0); _gsskrb5i_is_cfx(context, ctx, 0);
is_cfx = (ctx->more_flags & IS_CFX); is_cfx = (ctx->more_flags & IS_CFX);
ret = _gssapi_msg_order_create(minor_status, ret = _gssapi_msg_order_create(minor_status,

38
lib/gssapi/krb5/test_cfx.c
View File

@@ -54,17 +54,23 @@ test_range(const struct range *r, int integ,
{ {
krb5_error_code ret; krb5_error_code ret;
size_t size, rsize; size_t size, rsize;
struct gsskrb5_ctx ctx;
for (size = r->lower; size < r->upper; size++) { for (size = r->lower; size < r->upper; size++) {
OM_uint32 max_wrap_size;
size_t cksumsize; size_t cksumsize;
uint16_t padsize; uint16_t padsize;
OM_uint32 minor;
OM_uint32 max_wrap_size;
ret = _gsskrb5cfx_max_wrap_length_cfx(context, ctx.crypto = crypto;
crypto,
integ, ret = _gssapi_wrap_size_cfx(&minor,
size, &ctx,
&max_wrap_size); context,
integ,
0,
size,
&max_wrap_size);
if (ret) if (ret)
krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret); krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
if (max_wrap_size == 0) if (max_wrap_size == 0)
@@ -94,12 +100,20 @@ test_special(krb5_context context, krb5_crypto crypto,
OM_uint32 max_wrap_size; OM_uint32 max_wrap_size;
size_t cksumsize; size_t cksumsize;
uint16_t padsize; uint16_t padsize;
struct gsskrb5_ctx ctx;
OM_uint32 minor;
ret = _gsskrb5cfx_max_wrap_length_cfx(context, ctx.crypto = crypto;
crypto,
integ, ret = _gssapi_wrap_size_cfx(&minor,
testsize, &ctx,
&max_wrap_size); context,
integ,
0,
testsize,
&max_wrap_size);
if (ret)
krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
if (ret) if (ret)
krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret); krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
@@ -145,7 +159,7 @@ main(int argc, char **argv)
test_special(context, crypto, 1, 60); test_special(context, crypto, 1, 60);
test_special(context, crypto, 0, 60); test_special(context, crypto, 0, 60);
for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
test_range(&tests[i], 1, context, crypto); test_range(&tests[i], 1, context, crypto);
test_range(&tests[i], 0, context, crypto); test_range(&tests[i], 0, context, crypto);

13
lib/gssapi/krb5/unwrap.c
View File

@@ -369,11 +369,16 @@ OM_uint32 _gsskrb5_unwrap
output_message_buffer->value = NULL; output_message_buffer->value = NULL;
output_message_buffer->length = 0; output_message_buffer->length = 0;
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
if (ctx->more_flags & IS_CFX)
return _gssapi_unwrap_cfx (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state);
GSSAPI_KRB5_INIT (&context); GSSAPI_KRB5_INIT (&context);
if (qop_state != NULL)
*qop_state = GSS_C_QOP_DEFAULT;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, context, &key); ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -403,9 +408,7 @@ OM_uint32 _gsskrb5_unwrap
conf_state, qop_state, key); conf_state, qop_state, key);
break; break;
default : default :
ret = _gssapi_unwrap_cfx (minor_status, ctx, context, abort();
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break; break;
} }
krb5_free_keyblock (context, key); krb5_free_keyblock (context, key);

25
lib/gssapi/krb5/verify_mic.c
View File

@@ -266,7 +266,7 @@ retry:
OM_uint32 OM_uint32
_gsskrb5_verify_mic_internal _gsskrb5_verify_mic_internal
(OM_uint32 * minor_status, (OM_uint32 * minor_status,
const gsskrb5_ctx context_handle, const gsskrb5_ctx ctx,
krb5_context context, krb5_context context,
const gss_buffer_t message_buffer, const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer, const gss_buffer_t token_buffer,
@@ -278,9 +278,14 @@ _gsskrb5_verify_mic_internal
OM_uint32 ret; OM_uint32 ret;
krb5_keytype keytype; krb5_keytype keytype;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); if (ctx->more_flags & IS_CFX)
ret = _gsskrb5i_get_token_key(context_handle, context, &key); return _gssapi_verify_mic_cfx (minor_status, ctx,
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); context, message_buffer, token_buffer,
qop_state);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(ctx, context, &key);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
if (ret) { if (ret) {
*minor_status = ret; *minor_status = ret;
return GSS_S_FAILURE; return GSS_S_FAILURE;
@@ -289,28 +294,24 @@ _gsskrb5_verify_mic_internal
krb5_enctype_to_keytype (context, key->keytype, &keytype); krb5_enctype_to_keytype (context, key->keytype, &keytype);
switch (keytype) { switch (keytype) {
case KEYTYPE_DES : case KEYTYPE_DES :
ret = verify_mic_des (minor_status, context_handle, context, ret = verify_mic_des (minor_status, ctx, context,
message_buffer, token_buffer, qop_state, key, message_buffer, token_buffer, qop_state, key,
type); type);
break; break;
case KEYTYPE_DES3 : case KEYTYPE_DES3 :
ret = verify_mic_des3 (minor_status, context_handle, context, ret = verify_mic_des3 (minor_status, ctx, context,
message_buffer, token_buffer, qop_state, key, message_buffer, token_buffer, qop_state, key,
type); type);
break; break;
case KEYTYPE_ARCFOUR : case KEYTYPE_ARCFOUR :
case KEYTYPE_ARCFOUR_56 : case KEYTYPE_ARCFOUR_56 :
ret = _gssapi_verify_mic_arcfour (minor_status, context_handle, ret = _gssapi_verify_mic_arcfour (minor_status, ctx,
context, context,
message_buffer, token_buffer, message_buffer, token_buffer,
qop_state, key, type); qop_state, key, type);
break; break;
default : default :
ret = _gssapi_verify_mic_cfx (minor_status, context_handle, abort();
context,
message_buffer, token_buffer, qop_state,
key);
break;
} }
krb5_free_keyblock (context, key); krb5_free_keyblock (context, key);

21
lib/gssapi/krb5/wrap.c
View File

@@ -152,6 +152,11 @@ _gsskrb5_wrap_size_limit (
krb5_keytype keytype; krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
if (ctx->more_flags & IS_CFX)
return _gssapi_wrap_size_cfx(minor_status, ctx, context,
conf_req_flag, qop_req,
req_output_size, max_input_size);
GSSAPI_KRB5_INIT (&context); GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -177,9 +182,7 @@ _gsskrb5_wrap_size_limit (
ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
break; break;
default : default :
ret = _gssapi_wrap_size_cfx(minor_status, ctx, context, abort();
conf_req_flag, qop_req,
req_output_size, max_input_size, key);
break; break;
} }
krb5_free_keyblock (context, key); krb5_free_keyblock (context, key);
@@ -512,6 +515,14 @@ OM_uint32 _gsskrb5_wrap
krb5_keytype keytype; krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle; const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
output_message_buffer->value = NULL;
output_message_buffer->length = 0;
if (ctx->more_flags & IS_CFX)
return _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer);
GSSAPI_KRB5_INIT (&context); GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -541,9 +552,7 @@ OM_uint32 _gsskrb5_wrap
output_message_buffer, key); output_message_buffer, key);
break; break;
default : default :
ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag, abort();
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break; break;
} }
krb5_free_keyblock (context, key); krb5_free_keyblock (context, key);