* or implied warranty.
*/
+/*
+ * Message protection services: unwrap with scatter-gather API.
+ */
+
#include "gssapiP_eap.h"
/*
gss_iov_buffer_t header;
gss_iov_buffer_t padding;
gss_iov_buffer_t trailer;
- unsigned char acceptorFlag;
+ unsigned char flags;
unsigned char *ptr = NULL;
int keyUsage;
size_t rrc, ec;
assert(header != NULL);
padding = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
- if (padding != NULL && padding->buffer.length != 0)
+ if (padding != NULL && padding->buffer.length != 0) {
+ *minor = GSSEAP_BAD_PADDING_IOV;
return GSS_S_DEFECTIVE_TOKEN;
+ }
trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
- acceptorFlag = CTX_IS_INITIATOR(ctx) ? TOK_FLAG_SENDER_IS_ACCEPTOR : 0;
- keyUsage = (toktype == TOK_TYPE_WRAP
- ? (!CTX_IS_INITIATOR(ctx)
+ flags = rfc4121Flags(ctx, TRUE);
+
+ if (toktype == TOK_TYPE_WRAP) {
+ keyUsage = !CTX_IS_INITIATOR(ctx)
? KEY_USAGE_INITIATOR_SEAL
- : KEY_USAGE_ACCEPTOR_SEAL)
- : (!CTX_IS_INITIATOR(ctx)
+ : KEY_USAGE_ACCEPTOR_SEAL;
+ } else {
+ keyUsage = !CTX_IS_INITIATOR(ctx)
? KEY_USAGE_INITIATOR_SIGN
- : KEY_USAGE_ACCEPTOR_SIGN));
+ : KEY_USAGE_ACCEPTOR_SIGN;
+ }
gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
ptr = (unsigned char *)header->buffer.value;
if (header->buffer.length < 16) {
- *minor = 0;
+ *minor = GSSEAP_TOK_TRUNC;
return GSS_S_DEFECTIVE_TOKEN;
}
- if ((ptr[2] & TOK_FLAG_SENDER_IS_ACCEPTOR) != acceptorFlag) {
- return GSS_S_BAD_SIG;
- }
-
- if (ptr[2] & TOK_FLAG_ACCEPTOR_SUBKEY) {
+ if ((ptr[2] & flags) != flags) {
+ *minor = GSSEAP_BAD_DIRECTION;
return GSS_S_BAD_SIG;
}
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
|| memcmp(althdr + 8, ptr + 8, 8) != 0) {
- *minor = 0;
+ *minor = GSSEAP_BAD_WRAP_TOKEN;
return GSS_S_BAD_SIG;
}
} else {
store_uint16_be(0, ptr + 4);
store_uint16_be(0, ptr + 6);
- code = gssEapVerify(krbContext, 0, rrc,
+ code = gssEapVerify(krbContext, ctx->checksumType, rrc,
&ctx->rfc3961Key, keyUsage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
}
}
- code = sequenceCheck(&ctx->seqState, seqnum);
+ code = sequenceCheck(minor, &ctx->seqState, seqnum);
} else if (toktype == TOK_TYPE_MIC) {
- if (load_uint16_be(ptr) != TOK_TYPE_MIC)
+ if (load_uint16_be(ptr) != toktype)
goto defective;
verify_mic_1:
goto defective;
seqnum = load_uint64_be(ptr + 8);
- code = gssEapVerify(krbContext, 0, 0,
+ code = gssEapVerify(krbContext, ctx->checksumType, 0,
&ctx->rfc3961Key, keyUsage,
iov, iov_count, &valid);
if (code != 0 || valid == FALSE) {
*minor = code;
return GSS_S_BAD_SIG;
}
- code = sequenceCheck(&ctx->seqState, seqnum);
+ code = sequenceCheck(minor, &ctx->seqState, seqnum);
} else if (toktype == TOK_TYPE_DELETE_CONTEXT) {
if (load_uint16_be(ptr) != TOK_TYPE_DELETE_CONTEXT)
goto defective;
return code;
defective:
- *minor = 0;
+ *minor = GSSEAP_BAD_WRAP_TOKEN;
return GSS_S_DEFECTIVE_TOKEN;
}
assert(toktype == TOK_TYPE_WRAP);
- if (toktype != TOK_TYPE_WRAP || (ctx->gssFlags & GSS_C_DCE_STYLE)) {
- code = EINVAL;
+ if (toktype != TOK_TYPE_WRAP) {
+ code = GSSEAP_WRONG_TOK_ID;
goto cleanup;
}
if (type == GSS_IOV_BUFFER_TYPE_DATA) {
if (data != NULL) {
/* only a single DATA buffer can appear */
- code = EINVAL;
+ code = GSSEAP_BAD_STREAM_IOV;
goto cleanup;
}
if (data == NULL) {
/* a single DATA buffer must be present */
- code = EINVAL;
+ code = GSSEAP_BAD_STREAM_IOV;
goto cleanup;
}
}
/* IOV: -----------0-------------+---1---+--2--+----------------3--------------*/
- /* Old: GSS-Header | Conf | Data | Pad | */
/* CFX: GSS-Header | Kerb-Header | Data | | EC | E(Header) | Kerb-Trailer */
/* GSS: -------GSS-HEADER--------+-DATA--+-PAD-+----------GSS-TRAILER----------*/
if (stream->buffer.length < theader->buffer.length +
tpadding->buffer.length +
ttrailer->buffer.length) {
- code = KRB5_BAD_MSIZE;
major = GSS_S_DEFECTIVE_TOKEN;
+ code = GSSEAP_TOK_TRUNC;
goto cleanup;
}
{
OM_uint32 major;
- if (!CTX_IS_ESTABLISHED(ctx))
- return GSS_S_NO_CONTEXT;
-
- if (ctx->encryptionType == ENCTYPE_NULL)
+ if (ctx->encryptionType == ENCTYPE_NULL) {
+ *minor = GSSEAP_KEY_UNAVAILABLE;
return GSS_S_UNAVAILABLE;
+ }
if (gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_STREAM) != NULL) {
major = unwrapStream(minor, ctx, conf_state, qop_state,
gss_iov_buffer_desc *iov,
int iov_count)
{
- return gssEapUnwrapOrVerifyMIC(minor, ctx, conf_state, qop_state,
- iov, iov_count, TOK_TYPE_WRAP);
+ OM_uint32 major;
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ *minor = EINVAL;
+ return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT;
+ }
+
+ *minor = 0;
+
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ if (!CTX_IS_ESTABLISHED(ctx)) {
+ major = GSS_S_NO_CONTEXT;
+ *minor = GSSEAP_CONTEXT_INCOMPLETE;
+ goto cleanup;
+ }
+
+ major = gssEapUnwrapOrVerifyMIC(minor, ctx, conf_state, qop_state,
+ iov, iov_count, TOK_TYPE_WRAP);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+cleanup:
+ GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
+
+ return major;
}
projects / mech_eap.orig / blobdiff