X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=unwrap_iov.c;h=ee2790daddce0bed4869c8d4b925eca8e0322258;hb=31355119edb3a282ab302c05e33e23430af67603;hp=d10f71c01797598b4b7d5ced41916b14ef67ac64;hpb=8d5242de8807f650fd9634fad250bf3d0d8dbbb2;p=mech_eap.git
diff --git a/unwrap_iov.c b/unwrap_iov.c
index d10f71c..ee2790d 100644
--- a/unwrap_iov.c
+++ b/unwrap_iov.c
@@ -73,7 +73,7 @@ unwrapToken(OM_uint32 *minor,
     gss_iov_buffer_t header;
     gss_iov_buffer_t padding;
     gss_iov_buffer_t trailer;
-    unsigned char acceptorFlag;
+    unsigned char flags;
     unsigned char *ptr = NULL;
     int keyUsage;
     size_t rrc, ec;
@@ -99,31 +99,27 @@ unwrapToken(OM_uint32 *minor,
     trailer = gssEapLocateIov(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
-    acceptorFlag = CTX_IS_INITIATOR(ctx) ? TOK_FLAG_SENDER_IS_ACCEPTOR : 0;
-    keyUsage = (toktype == TOK_TYPE_WRAP
-                ? (!CTX_IS_INITIATOR(ctx)
+    flags = rfc4121Flags(ctx, TRUE);
+
+    if (toktype == TOK_TYPE_WRAP) {
+        keyUsage = !CTX_IS_INITIATOR(ctx)
                    ? KEY_USAGE_INITIATOR_SEAL
-                    : KEY_USAGE_ACCEPTOR_SEAL)
-                : (!CTX_IS_INITIATOR(ctx)
+                   : KEY_USAGE_ACCEPTOR_SEAL;
+    } else {
+        keyUsage = !CTX_IS_INITIATOR(ctx)
                    ? KEY_USAGE_INITIATOR_SIGN
-                    : KEY_USAGE_ACCEPTOR_SIGN));
+                   : KEY_USAGE_ACCEPTOR_SIGN;
+    }
     gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
     ptr = (unsigned char *)header->buffer.value;
-    if (header->buffer.length < 16) {
-        *minor = 0;
+    if (header->buffer.length < 16)
         return GSS_S_DEFECTIVE_TOKEN;
-    }
-    if ((ptr[2] & TOK_FLAG_SENDER_IS_ACCEPTOR) != acceptorFlag) {
+    if ((ptr[2] & flags) != flags)
         return GSS_S_BAD_SIG;
-    }
-
-    if (ptr[2] & TOK_FLAG_ACCEPTOR_SUBKEY) {
-        return GSS_S_BAD_SIG;
-    }
     if (toktype == TOK_TYPE_WRAP) {
         unsigned int krbTrailerLen;
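Review bot: The rewritten flag check `if ((ptr[2] & flags) != flags)` only verifies that every bit in `flags` is present, whereas the replaced code compared the sender-is-acceptor bit for equality and separately rejected TOK_FLAG_ACCEPTOR_SUBKEY, so a token carrying flag bits that are not in `flags` is now accepted, and if rfc4121Flags() (defined outside this diff) can return 0 the direction check is skipped entirely and a token from the wrong direction only fails later at the checksum. Comparing under a fixed mask keeps the earlier semantics with the new helper: `if ((ptr[2] & (TOK_FLAG_SENDER_IS_ACCEPTOR | TOK_FLAG_ACCEPTOR_SUBKEY)) != flags)`. The `*minor = 0` assignment dropped from the `header->buffer.length < 16` branch also leaves *minor unset on that GSS_S_DEFECTIVE_TOKEN return and on the GSS_S_BAD_SIG return just below it, unless the caller initialises it, which this diff does not show. unwrapToken starts before this hunk and continues past it.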
@@ -200,7 +196,7 @@ unwrapToken(OM_uint32 *minor,
         store_uint16_be(0, ptr + 4);
         store_uint16_be(0, ptr + 6);
-        code = gssEapVerify(krbContext, 0, rrc,
+        code = gssEapVerify(krbContext, ctx->checksumType, rrc,
                             &ctx->rfc3961Key, keyUsage,
                             iov, iov_count, &valid);
         if (code != 0 || valid == FALSE) {
@@ -209,9 +205,9 @@ unwrapToken(OM_uint32 *minor,
             }
         }
-        code = sequenceCheck(&ctx->seqState, seqnum);
+        code = sequenceCheck(minor, &ctx->seqState, seqnum);
     } else if (toktype == TOK_TYPE_MIC) {
-        if (load_uint16_be(ptr) != TOK_TYPE_MIC)
+        if (load_uint16_be(ptr) != toktype)
             goto defective;
     verify_mic_1:
@@ -219,14 +215,14 @@ unwrapToken(OM_uint32 *minor,
             goto defective;
         seqnum = load_uint64_be(ptr + 8);
-        code = gssEapVerify(krbContext, 0, 0,
+        code = gssEapVerify(krbContext, ctx->checksumType, 0,
                             &ctx->rfc3961Key, keyUsage,
                             iov, iov_count, &valid);
         if (code != 0 || valid == FALSE) {
             *minor = code;
             return GSS_S_BAD_SIG;
         }
-        code = sequenceCheck(&ctx->seqState, seqnum);
+        code = sequenceCheck(minor, &ctx->seqState, seqnum);
     } else if (toktype == TOK_TYPE_DELETE_CONTEXT) {
         if (load_uint16_be(ptr) != TOK_TYPE_DELETE_CONTEXT)
             goto defective;
@@ -467,9 +463,6 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor,
 {
     OM_uint32 major;
-    if (!CTX_IS_ESTABLISHED(ctx))
-        return GSS_S_NO_CONTEXT;
-
     if (ctx->encryptionType == ENCTYPE_NULL)
         return GSS_S_UNAVAILABLE;
@@ -492,6 +485,9 @@ gss_unwrap_iov(OM_uint32 *minor,
                gss_iov_buffer_desc *iov,
                int iov_count)
 {
+    if (!CTX_IS_ESTABLISHED(ctx))
+        return GSS_S_NO_CONTEXT;
+
     return gssEapUnwrapOrVerifyMIC(minor, ctx, conf_state, qop_state,
                                    iov, iov_count, TOK_TYPE_WRAP);
 }
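Review bot: Moving the CTX_IS_ESTABLISHED guard out of gssEapUnwrapOrVerifyMIC and into gss_unwrap_iov (the last two hunks) leaves the shared helper reading `ctx->encryptionType` and going on to unwrap on a context that has not finished establishment for any other caller; the helper's name and its TOK_TYPE_WRAP argument suggest a verify-MIC entry point also reaches it, and that path is not touched by this diff. Either keep the guard in the helper as well, or confirm in the same change that every caller performs it. The new check in gss_unwrap_iov also presumably dereferences `ctx` before any NULL test, so a GSS_C_NO_CONTEXT argument would fault rather than return GSS_S_NO_CONTEXT unless a caller screens it first; `if (ctx == GSS_C_NO_CONTEXT || !CTX_IS_ESTABLISHED(ctx))` covers both. The body of gssEapUnwrapOrVerifyMIC continues past its hunk.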