projects
/
mech_eap.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Use AD-KDCIssued to protect RADIUS authdata. Cleanup.
[mech_eap.git]
/
unwrap_iov.c
diff --git
a/unwrap_iov.c
b/unwrap_iov.c
index
d10f71c
..
ee2790d
100644
(file)
--- a/
unwrap_iov.c
+++ b/
unwrap_iov.c
@@
-73,7
+73,7
@@
unwrapToken(OM_uint32 *minor,
gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
- unsigned char
acceptorFlag
;
+ unsigned char
flags
;
unsigned char *ptr = NULL;
int keyUsage;
size_t rrc, ec;
unsigned char *ptr = NULL;
int keyUsage;
size_t rrc, ec;
@@
-99,31
+99,27
@@
unwrapToken(OM_uint32 *minor,
trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
- acceptorFlag = CTX_IS_INITIATOR(ctx) ? TOK_FLAG_SENDER_IS_ACCEPTOR : 0;
- keyUsage = (toktype == TOK_TYPE_WRAP
- ? (!CTX_IS_INITIATOR(ctx)
+ flags = rfc4121Flags(ctx, TRUE);
+
+ if (toktype == TOK_TYPE_WRAP) {
+ keyUsage = !CTX_IS_INITIATOR(ctx)
? KEY_USAGE_INITIATOR_SEAL
? KEY_USAGE_INITIATOR_SEAL
- : KEY_USAGE_ACCEPTOR_SEAL)
- : (!CTX_IS_INITIATOR(ctx)
+ : KEY_USAGE_ACCEPTOR_SEAL;
+ } else {
+ keyUsage = !CTX_IS_INITIATOR(ctx)
? KEY_USAGE_INITIATOR_SIGN
? KEY_USAGE_INITIATOR_SIGN
- : KEY_USAGE_ACCEPTOR_SIGN));
+ : KEY_USAGE_ACCEPTOR_SIGN;
+ }
gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
ptr = (unsigned char *)header->buffer.value;
gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
ptr = (unsigned char *)header->buffer.value;
- if (header->buffer.length < 16) {
- *minor = 0;
+ if (header->buffer.length < 16)
return GSS_S_DEFECTIVE_TOKEN;
return GSS_S_DEFECTIVE_TOKEN;
- }
- if ((ptr[2] &
TOK_FLAG_SENDER_IS_ACCEPTOR) != acceptorFlag) {
+ if ((ptr[2] &
flags) != flags)
return GSS_S_BAD_SIG;
return GSS_S_BAD_SIG;
- }
-
- if (ptr[2] & TOK_FLAG_ACCEPTOR_SUBKEY) {
- return GSS_S_BAD_SIG;
- }
if (toktype == TOK_TYPE_WRAP) {
unsigned int krbTrailerLen;
if (toktype == TOK_TYPE_WRAP) {
unsigned int krbTrailerLen;
@@
-200,7
+196,7
@@
unwrapToken(OM_uint32 *minor,
store_uint16_be(0, ptr + 4);
store_uint16_be(0, ptr + 6);
store_uint16_be(0, ptr + 4);
store_uint16_be(0, ptr + 6);
- code = gssEapVerify(krbContext,
0
, rrc,
+ code = gssEapVerify(krbContext,
ctx->checksumType
, rrc,
&ctx->rfc3961Key, keyUsage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
&ctx->rfc3961Key, keyUsage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
@@
-209,9
+205,9
@@
unwrapToken(OM_uint32 *minor,
}
}
}
}
- code = sequenceCheck(&ctx->seqState, seqnum);
+ code = sequenceCheck(
minor,
&ctx->seqState, seqnum);
} else if (toktype == TOK_TYPE_MIC) {
} else if (toktype == TOK_TYPE_MIC) {
- if (load_uint16_be(ptr) !=
TOK_TYPE_MIC
)
+ if (load_uint16_be(ptr) !=
toktype
)
goto defective;
verify_mic_1:
goto defective;
verify_mic_1:
@@
-219,14
+215,14
@@
unwrapToken(OM_uint32 *minor,
goto defective;
seqnum = load_uint64_be(ptr + 8);
goto defective;
seqnum = load_uint64_be(ptr + 8);
- code = gssEapVerify(krbContext,
0
, 0,
+ code = gssEapVerify(krbContext,
ctx->checksumType
, 0,
&ctx->rfc3961Key, keyUsage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
*minor = code;
return GSS_S_BAD_SIG;
}
&ctx->rfc3961Key, keyUsage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
*minor = code;
return GSS_S_BAD_SIG;
}
- code = sequenceCheck(&ctx->seqState, seqnum);
+ code = sequenceCheck(
minor,
&ctx->seqState, seqnum);
} else if (toktype == TOK_TYPE_DELETE_CONTEXT) {
if (load_uint16_be(ptr) != TOK_TYPE_DELETE_CONTEXT)
goto defective;
} else if (toktype == TOK_TYPE_DELETE_CONTEXT) {
if (load_uint16_be(ptr) != TOK_TYPE_DELETE_CONTEXT)
goto defective;
@@
-467,9
+463,6
@@
gssEapUnwrapOrVerifyMIC(OM_uint32 *minor,
{
OM_uint32 major;
{
OM_uint32 major;
- if (!CTX_IS_ESTABLISHED(ctx))
- return GSS_S_NO_CONTEXT;
-
if (ctx->encryptionType == ENCTYPE_NULL)
return GSS_S_UNAVAILABLE;
if (ctx->encryptionType == ENCTYPE_NULL)
return GSS_S_UNAVAILABLE;
@@
-492,6
+485,9
@@
gss_unwrap_iov(OM_uint32 *minor,
gss_iov_buffer_desc *iov,
int iov_count)
{
gss_iov_buffer_desc *iov,
int iov_count)
{
+ if (!CTX_IS_ESTABLISHED(ctx))
+ return GSS_S_NO_CONTEXT;
+
return gssEapUnwrapOrVerifyMIC(minor, ctx, conf_state, qop_state,
iov, iov_count, TOK_TYPE_WRAP);
}
return gssEapUnwrapOrVerifyMIC(minor, ctx, conf_state, qop_state,
iov, iov_count, TOK_TYPE_WRAP);
}