Use AD-KDCIssued to protect RADIUS authdata. Cleanup.

[mech_eap.orig] / wrap_iov.c

diff --git a/wrap_iov.c b/wrap_iov.c
index 6f53365..ae43ef9 100644 (file)
--- a/wrap_iov.c
+++ b/wrap_iov.c
@@ -55,6 +55,27 @@
 
 #include "gssapiP_eap.h"
 
+unsigned char
+rfc4121Flags(gss_ctx_id_t ctx, int receiving)
+{
+    unsigned char flags;
+    int isAcceptor;
+
+    isAcceptor = !CTX_IS_INITIATOR(ctx);
+    if (receiving)
+        isAcceptor = !isAcceptor;
+
+    flags = 0;
+    if (isAcceptor)
+        flags |= TOK_FLAG_SENDER_IS_ACCEPTOR;
+
+    if ((ctx->flags & CTX_FLAG_KRB_REAUTH_GSS) &&
+        (ctx->gssFlags & GSS_C_MUTUAL_FLAG))
+        flags |= TOK_FLAG_ACCEPTOR_SUBKEY;
+
+    return flags;
+}
+
 OM_uint32
 gssEapWrapOrGetMIC(OM_uint32 *minor,
                    gss_ctx_id_t ctx,
@@ -68,7 +89,7 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
     gss_iov_buffer_t header;
     gss_iov_buffer_t padding;
     gss_iov_buffer_t trailer;
-    unsigned char acceptorFlag;
+    unsigned char flags;
     unsigned char *outbuf = NULL;
     unsigned char *tbuf = NULL;
     int keyUsage;
@@ -77,22 +98,22 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
     size_t dataLen, assocDataLen;
     krb5_context krbContext;
 
-    if (!CTX_IS_ESTABLISHED(ctx))
-        return GSS_S_NO_CONTEXT;
-
     if (ctx->encryptionType == ENCTYPE_NULL)
         return GSS_S_UNAVAILABLE;
 
     GSSEAP_KRB_INIT(&krbContext);
 
-    acceptorFlag = CTX_IS_INITIATOR(ctx) ? 0 : TOK_FLAG_SENDER_IS_ACCEPTOR;
-    keyUsage = ((toktype == TOK_TYPE_WRAP)
-                ? (CTX_IS_INITIATOR(ctx)
+    flags = rfc4121Flags(ctx, FALSE);
+
+    if (toktype == TOK_TYPE_WRAP) {
+        keyUsage = CTX_IS_INITIATOR(ctx)
                    ? KEY_USAGE_INITIATOR_SEAL
-                   : KEY_USAGE_ACCEPTOR_SEAL)
-                : (CTX_IS_INITIATOR(ctx)
+                   : KEY_USAGE_ACCEPTOR_SEAL;
+    } else {
+        keyUsage = CTX_IS_INITIATOR(ctx)
                    ? KEY_USAGE_INITIATOR_SIGN
-                   : KEY_USAGE_ACCEPTOR_SIGN));
+                   : KEY_USAGE_ACCEPTOR_SIGN;
+    }
 
     gssEapIovMessageLength(iov, iov_count, &dataLen, &assocDataLen);
 
@@ -170,9 +191,8 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
         /* TOK_ID */
         store_uint16_be((uint16_t)toktype, outbuf);
         /* flags */
-        outbuf[2] = (acceptorFlag
-                     | (conf_req_flag ? TOK_FLAG_WRAP_CONFIDENTIAL : 0)
-                     | (0 ? TOK_FLAG_ACCEPTOR_SUBKEY : 0));
+        outbuf[2] = flags
+                     | (conf_req_flag ? TOK_FLAG_WRAP_CONFIDENTIAL : 0);
         /* filler */
         outbuf[3] = 0xFF;
         /* EC */
@@ -244,8 +264,7 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
         /* TOK_ID */
         store_uint16_be((uint16_t)toktype, outbuf);
         /* flags */
-        outbuf[2] = (acceptorFlag
-                     | (0 ? TOK_FLAG_ACCEPTOR_SUBKEY : 0));
+        outbuf[2] = flags;
         /* filler */
         outbuf[3] = 0xFF;
         if (toktype == TOK_TYPE_WRAP) {
@@ -263,7 +282,7 @@ gssEapWrapOrGetMIC(OM_uint32 *minor,
         }
         store_uint64_be(ctx->sendSeq, outbuf + 8);
 
-        code = gssEapSign(krbContext, 0, /* 0 == pick from crypto */
+        code = gssEapSign(krbContext, ctx->checksumType,
                           rrc, &ctx->rfc3961Key, keyUsage,
                           iov, iov_count);
         if (code != 0)
@@ -307,6 +326,9 @@ gss_wrap_iov(OM_uint32 *minor,
              gss_iov_buffer_desc *iov,
              int iov_count)
 {
+    if (!CTX_IS_ESTABLISHED(ctx))
+        return GSS_S_NO_CONTEXT;
+
     return gssEapWrapOrGetMIC(minor, ctx, conf_req_flag, conf_state,
-                             iov, iov_count, TOK_TYPE_WRAP);
+                              iov, iov_count, TOK_TYPE_WRAP);
 }