From b73baa42ef9da49025de4865d64435a22d7541e8 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sat, 11 Jul 2020 16:23:54 +1000
Subject: [PATCH] gssapi/krb5: make PADDING buffer optional in GSS IOV API

RFC 4121/4757 don't require padding as they operate as stream ciphers. Make the PADDING buffer optional when using these encryption types with gss_wrap_iov() and gss_unwrap_iov().
---
 lib/gssapi/krb5/arcfour.c | 15 +++++++++------
 lib/gssapi/krb5/cfx.c     | 19 +++++++++++++------
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
index d88ec4cdd..2721abbc8 100644
--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
@@ -880,7 +880,8 @@ _gssapi_wrap_iov_length_arcfour(OM_uint32 *minor_status,
         }
     }
 
-    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+    major_status = _gk_verify_buffers(minor_status, ctx, header,
+                                      padding, trailer, FALSE);
     if (major_status != GSS_S_COMPLETE) {
         return major_status;
     }
@@ -937,7 +938,8 @@ _gssapi_wrap_iov_arcfour(OM_uint32 *minor_status,
     padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
     trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
 
-    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+    major_status = _gk_verify_buffers(minor_status, ctx, header,
+                                      padding, trailer, FALSE);
     if (major_status != GSS_S_COMPLETE) {
         return major_status;
     }
@@ -1181,10 +1183,11 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
 
     /* Check if the packet is correct */
     major_status = _gk_verify_buffers(minor_status,
-                                      ctx,
-                                      header,
-                                      padding,
-                                      trailer);
+                                      ctx,
+                                      header,
+                                      padding,
+                                      trailer,
+                                      FALSE); /* behaves as stream cipher */
     if (major_status != GSS_S_COMPLETE) {
         return major_status;
     }
diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c
index 29fecca86..8a85c98fa 100644
--- a/lib/gssapi/krb5/cfx.c
+++ b/lib/gssapi/krb5/cfx.c
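Review bot: With the relaxed `_gk_verify_buffers` precondition, `padding` may now be NULL on entry to the code that follows in `_gssapi_unwrap_iov_arcfour` (hunk @@ -1181) and `_gssapi_wrap_iov_arcfour` (@@ -937), and likewise after the wrap/unwrap call sites in cfx.c; none of those bodies is visible here, so every later use of `padding->buffer` needs a `padding != NULL` guard, otherwise this change turns a clean EINVAL on a caller-supplied IOV into a NULL dereference inside a library entry point. The `/* behaves as stream cipher */` comment appears only at this one call while the other five call sites pass a bare `FALSE`; put the intent at each site or, more readably, at the parameter itself. All the enclosing functions start and end outside their hunks.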
@@ -239,7 +239,8 @@ _gk_verify_buffers(OM_uint32 *minor_status,
                    const gsskrb5_ctx ctx,
                    const gss_iov_buffer_desc *header,
                    const gss_iov_buffer_desc *padding,
-                   const gss_iov_buffer_desc *trailer)
+                   const gss_iov_buffer_desc *trailer,
+                   int block_cipher)
 {
     if (header == NULL) {
         *minor_status = EINVAL;
@@ -260,9 +261,12 @@ _gk_verify_buffers(OM_uint32 *minor_status,
         }
     } else {
         /*
-         * In non-DCE style mode we require having a padding buffer
+         * In non-DCE style mode we require having a padding buffer for
+         * encryption types that do not behave as stream ciphers. This
+         * check is superfluous for now, as only RC4 and RFC4121 enctypes
+         * are presently implemented for the IOV APIs; be defensive.
          */
-        if (padding == NULL) {
+        if (block_cipher && padding == NULL) {
             *minor_status = EINVAL;
             return GSS_S_FAILURE;
         }
@@ -306,7 +310,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
 
     trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
 
-    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+    major_status = _gk_verify_buffers(minor_status, ctx, header,
+                                      padding, trailer, FALSE);
     if (major_status != GSS_S_COMPLETE) {
         return major_status;
     }
@@ -747,7 +752,8 @@ _gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
 
     trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
 
-    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+    major_status = _gk_verify_buffers(minor_status, ctx, header,
+                                      padding, trailer, FALSE);
     if (major_status != GSS_S_COMPLETE) {
         return major_status;
     }
@@ -1069,7 +1075,8 @@ _gssapi_wrap_iov_length_cfx(OM_uint32 *minor_status,
         }
     }
 
-    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+    major_status = _gk_verify_buffers(minor_status, ctx, header,
+                                      padding, trailer, FALSE);
     if (major_status != GSS_S_COMPLETE) {
         return major_status;
     }
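Review bot: `_gk_verify_buffers` gains an `int block_cipher` parameter with no comment on its meaning or sense, and because arcfour.c calls it from another translation unit, the declaration in the private header has to change in step; this patch touches only the two .c files, which is fine only if that header is generated from the definition, and if it is hand-maintained the arcfour.c calls will no longer match the prototype. Suggest documenting it at the signature, e.g. `int block_cipher) /* nonzero: enctype is not a stream cipher, so non-DCE mode needs a PADDING buffer */`. In the @@ -260 hunk, the new comment's "This check is superfluous for now" would be clearer stating plainly that every current caller passes FALSE, so the padding requirement is effectively disabled rather than merely defensive. The function body continues outside the hunk.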